dawnscanner 1.6.1 → 1.6.2
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/.ruby-version +1 -1
- data/.travis.yml +2 -0
- data/Changelog.md +10 -1
- data/KnowledgeBase.md +10 -4
- data/README.md +1 -1
- data/Rakefile +12 -8
- data/VERSION +1 -1
- data/checksum/dawnscanner-1.6.1.gem.sha1 +1 -0
- data/lib/dawn/kb/cve_2016_2097.rb +35 -0
- data/lib/dawn/kb/cve_2016_2098.rb +34 -0
- data/lib/dawn/knowledge_base.rb +4 -0
- data/lib/dawn/version.rb +4 -4
- data/spec/lib/dawn/codesake_core_spec.rb +1 -1
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +451 -441
- data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +11 -11
- data/spec/lib/dawn/codesake_rails_engine_disabled.rb +2 -2
- data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +36 -36
- data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +6 -6
- data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +7 -7
- data/spec/lib/kb/codesake_dependency_version_check_spec.rb +10 -10
- data/spec/lib/kb/codesake_deprecation_check_spec.rb +11 -11
- data/spec/lib/kb/codesake_ruby_version_check_spec.rb +4 -4
- data/spec/lib/kb/codesake_version_check_spec.rb +42 -42
- data/spec/lib/kb/cve_2011_2705_spec.rb +7 -7
- data/spec/lib/kb/cve_2011_2930_spec.rb +6 -6
- data/spec/lib/kb/cve_2011_3009_spec.rb +4 -4
- data/spec/lib/kb/cve_2011_3187_spec.rb +4 -4
- data/spec/lib/kb/cve_2011_4319_spec.rb +9 -9
- data/spec/lib/kb/cve_2011_5036_spec.rb +21 -21
- data/spec/lib/kb/cve_2012_1098_spec.rb +7 -7
- data/spec/lib/kb/cve_2012_2139_spec.rb +3 -3
- data/spec/lib/kb/cve_2012_2671_spec.rb +4 -4
- data/spec/lib/kb/cve_2012_6109_spec.rb +25 -25
- data/spec/lib/kb/cve_2012_6684_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_0162_spec.rb +4 -4
- data/spec/lib/kb/cve_2013_0183_spec.rb +11 -11
- data/spec/lib/kb/cve_2013_0184_spec.rb +26 -26
- data/spec/lib/kb/cve_2013_0256_spec.rb +6 -6
- data/spec/lib/kb/cve_2013_0262_spec.rb +9 -9
- data/spec/lib/kb/cve_2013_0263_spec.rb +1 -1
- data/spec/lib/kb/cve_2013_1607_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_1655_spec.rb +4 -4
- data/spec/lib/kb/cve_2013_1756_spec.rb +4 -4
- data/spec/lib/kb/cve_2013_2090_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_2105_spec.rb +1 -1
- data/spec/lib/kb/cve_2013_2119_spec.rb +5 -5
- data/spec/lib/kb/cve_2013_2512_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_2513_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_2516_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_4203_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_4413_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_4489_spec.rb +11 -11
- data/spec/lib/kb/cve_2013_4491_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_4593_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_5647_spec.rb +3 -3
- data/spec/lib/kb/cve_2013_5671_spec.rb +4 -4
- data/spec/lib/kb/cve_2013_6416_spec.rb +5 -5
- data/spec/lib/kb/cve_2013_6459_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_7086_spec.rb +3 -3
- data/spec/lib/kb/cve_2014_0036_spec.rb +2 -2
- data/spec/lib/kb/cve_2014_0080_spec.rb +5 -5
- data/spec/lib/kb/cve_2014_0081_spec.rb +10 -10
- data/spec/lib/kb/cve_2014_0082_spec.rb +8 -8
- data/spec/lib/kb/cve_2014_0130_spec.rb +3 -3
- data/spec/lib/kb/cve_2014_1233_spec.rb +2 -2
- data/spec/lib/kb/cve_2014_1234_spec.rb +2 -2
- data/spec/lib/kb/cve_2014_2322_spec.rb +2 -2
- data/spec/lib/kb/cve_2014_2538_spec.rb +2 -2
- data/spec/lib/kb/cve_2014_3482_spec.rb +2 -2
- data/spec/lib/kb/cve_2014_3483_spec.rb +5 -5
- data/spec/lib/kb/cve_2014_7818_spec.rb +8 -8
- data/spec/lib/kb/cve_2014_7819_spec.rb +32 -32
- data/spec/lib/kb/cve_2014_7829_spec.rb +10 -10
- data/spec/lib/kb/cve_2014_9490_spec.rb +2 -2
- data/spec/lib/kb/cve_2015_1819_spec.rb +2 -2
- data/spec/lib/kb/cve_2015_1840_spec.rb +7 -7
- data/spec/lib/kb/cve_2015_2963_spec.rb +2 -2
- data/spec/lib/kb/cve_2015_3224_spec.rb +2 -2
- data/spec/lib/kb/cve_2015_3225_spec.rb +5 -5
- data/spec/lib/kb/cve_2015_3226_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_3227_spec.rb +5 -5
- data/spec/lib/kb/cve_2015_3448_spec.rb +2 -2
- data/spec/lib/kb/cve_2015_4020_spec.rb +4 -4
- data/spec/lib/kb/cve_2015_5312_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_7497_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_7498_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_7499_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_7500_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_7519_spec.rb +4 -4
- data/spec/lib/kb/cve_2015_7541_spec.rb +2 -2
- data/spec/lib/kb/cve_2015_7576_spec.rb +11 -11
- data/spec/lib/kb/cve_2015_7577_spec.rb +11 -11
- data/spec/lib/kb/cve_2015_7578_spec.rb +2 -2
- data/spec/lib/kb/cve_2015_7579_spec.rb +4 -4
- data/spec/lib/kb/cve_2015_7581_spec.rb +11 -11
- data/spec/lib/kb/cve_2015_8241_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_8242_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_8317_spec.rb +6 -6
- data/spec/lib/kb/cve_2016_0751_spec.rb +11 -11
- data/spec/lib/kb/cve_2016_0752_spec.rb +11 -11
- data/spec/lib/kb/cve_2016_0753_spec.rb +11 -11
- data/spec/lib/kb/cve_2016_2097_spec.rb +35 -0
- data/spec/lib/kb/cve_2016_2098_spec.rb +39 -0
- data/spec/lib/kb/osvdb_105971_spec.rb +2 -2
- data/spec/lib/kb/osvdb_108530_spec.rb +3 -3
- data/spec/lib/kb/osvdb_108563_spec.rb +2 -2
- data/spec/lib/kb/osvdb_108569_spec.rb +2 -2
- data/spec/lib/kb/osvdb_108570_spec.rb +2 -2
- data/spec/lib/kb/osvdb_115654_spec.rb +2 -2
- data/spec/lib/kb/osvdb_116010_spec.rb +2 -2
- data/spec/lib/kb/osvdb_117903_spec.rb +4 -4
- data/spec/lib/kb/osvdb_118830_spec.rb +2 -2
- data/spec/lib/kb/osvdb_118954_spec.rb +3 -3
- data/spec/lib/kb/osvdb_119878_spec.rb +21 -21
- data/spec/lib/kb/osvdb_119927_spec.rb +2 -2
- data/spec/lib/kb/osvdb_120415_spec.rb +2 -2
- data/spec/lib/kb/osvdb_120857_spec.rb +6 -6
- data/spec/lib/kb/osvdb_121701_spec.rb +2 -2
- data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +10 -10
- metadata +9 -2
- metadata.gz.sig +0 -0
@@ -8,33 +8,33 @@ describe "The Dawn engine for padrino applications" do
|
|
8
8
|
|
9
9
|
|
10
10
|
it "has a proper name" do
|
11
|
-
@engine.name.
|
11
|
+
expect(@engine.name).to eq("padrino")
|
12
12
|
end
|
13
13
|
|
14
14
|
it "has a valid target" do
|
15
|
-
@engine.target.
|
16
|
-
@engine.target_is_dir
|
15
|
+
expect(@engine.target).to eq("./spec/support/hello_world_padrino")
|
16
|
+
expect(@engine.target_is_dir?).to be_truthy
|
17
17
|
end
|
18
18
|
|
19
19
|
it "detects the applications declared in config/apps.rb" do
|
20
|
-
@engine.
|
21
|
-
@engine.apps.
|
22
|
-
@engine.apps.count.
|
20
|
+
expect(@engine).to respond_to(:detect_apps)
|
21
|
+
expect(@engine.apps).not_to be_nil
|
22
|
+
expect(@engine.apps.count).to eq(3)
|
23
23
|
end
|
24
24
|
|
25
25
|
it "creates a valid pool of Sinatra engines" do
|
26
|
-
@engine.apps[0].mount_point.
|
27
|
-
@engine.apps[1].mount_point.
|
28
|
-
@engine.apps[2].mount_point.
|
26
|
+
expect(@engine.apps[0].mount_point).to eq("/")
|
27
|
+
expect(@engine.apps[1].mount_point).to eq("/log")
|
28
|
+
expect(@engine.apps[2].mount_point).to eq("/dispatcher")
|
29
29
|
end
|
30
30
|
|
31
31
|
|
32
32
|
it "has a good Gemfile.lock" do
|
33
|
-
@engine.has_gemfile_lock
|
33
|
+
expect(@engine.has_gemfile_lock?).to be_truthy
|
34
34
|
end
|
35
35
|
|
36
36
|
it "detects padrino v0.11.2" do
|
37
|
-
@engine.mvc_version.
|
37
|
+
expect(@engine.mvc_version).to eq("0.11.2")
|
38
38
|
end
|
39
39
|
|
40
40
|
|
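Review bot: The rewritten predicate expectations use `be_truthy` (lines 16, 33) while the knowledge-base specs in this same release pin `vuln?` with `eq(true)`; `be_truthy` would also accept an Array or String leaking out of `target_is_dir?` or `has_gemfile_lock?`, so `expect(@engine.target_is_dir?).to be(true)` is the stricter check and keeps the suite consistent. If this hunk belongs to `codesake_padrino_engine_disabled.rb` as the diffstat suggests, the migration is not exercised at all under RSpec's default `*_spec.rb` pattern, which is worth confirming before relying on it; the same applies to the rails and sinatra engine hunks below. The enclosing `describe` block starts and ends outside the hunk.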
@@ -5,8 +5,8 @@ describe "The Dawn engine for rails applications" do
|
|
5
5
|
|
6
6
|
it "detects the version used in the hello_world_3.1.0 application" do
|
7
7
|
@engine.set_target("./spec/support/hello_world_3.1.0")
|
8
|
-
@engine.ruby_version[:version].
|
9
|
-
@engine.ruby_version[:patchlevel].
|
8
|
+
expect(@engine.ruby_version[:version]).to eq(RUBY_VERSION)
|
9
|
+
expect(@engine.ruby_version[:patchlevel]).to eq("p#{RUBY_PATCHLEVEL}")
|
10
10
|
end
|
11
11
|
|
12
12
|
end
|
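Review bot: The example description at line 6, "detects the version used in the hello_world_3.1.0 application", no longer matches what the rewritten lines 8–9 assert, which is the running interpreter's `RUBY_VERSION` and `RUBY_PATCHLEVEL` rather than anything read from the fixture. The sinatra spec in this same diff words the identical check as `it "detects running ruby as the one to be checked against"`; use that wording here so a failure is read correctly. Note also that `"p#{RUBY_PATCHLEVEL}"` yields `"p-1"` on non-release Ruby builds, so the second expectation only passes on tagged releases.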
@@ -4,124 +4,124 @@ describe "The Dawn engine for sinatra applications" do
|
|
4
4
|
before(:all) {@engine= Dawn::Sinatra.new('./spec/support/sinatra-safe')}
|
5
5
|
|
6
6
|
it "has a proper name" do
|
7
|
-
@engine.name.
|
7
|
+
expect(@engine.name).to eq("sinatra")
|
8
8
|
end
|
9
9
|
|
10
10
|
it "detects the default application name" do
|
11
|
-
@engine.appname.
|
11
|
+
expect(@engine.appname).to eq("application.rb")
|
12
12
|
end
|
13
13
|
it "has a valid target" do
|
14
|
-
@engine.target.
|
15
|
-
@engine.target_is_dir
|
14
|
+
expect(@engine.target).to eq("./spec/support/sinatra-safe")
|
15
|
+
expect(@engine.target_is_dir?).to be_truthy
|
16
16
|
end
|
17
17
|
|
18
18
|
it "has a good Gemfile.lock" do
|
19
|
-
@engine.has_gemfile_lock
|
19
|
+
expect(@engine.has_gemfile_lock?).to be_truthy
|
20
20
|
end
|
21
21
|
|
22
22
|
it "detects a sinatra 1.4.4" do
|
23
|
-
@engine.mvc_version.
|
23
|
+
expect(@engine.mvc_version).to eq("1.4.4")
|
24
24
|
end
|
25
25
|
|
26
26
|
it "detects 2 views" do
|
27
|
-
@engine.views.
|
27
|
+
expect(@engine.views).to eq([{:filename=>"./spec/support/sinatra-safe/views/layout.haml", :language=>:haml}, {:filename=>"./spec/support/sinatra-safe/views/root.haml", :language=>:haml}])
|
28
28
|
end
|
29
29
|
it "detects views are written using HAML" do
|
30
|
-
@engine.views[0][:language].
|
31
|
-
@engine.views[1][:language].
|
30
|
+
expect(@engine.views[0][:language]).to eq(:haml)
|
31
|
+
expect(@engine.views[1][:language]).to eq(:haml)
|
32
32
|
end
|
33
33
|
|
34
34
|
it "has some check in the knowledge base" do
|
35
|
-
@engine.checks.
|
36
|
-
@engine.checks.
|
35
|
+
expect(@engine.checks).not_to be_nil
|
36
|
+
expect(@engine.checks).not_to be_empty
|
37
37
|
end
|
38
38
|
it "has check for CVE-2013-1800" do
|
39
|
-
Dawn::KnowledgeBase.find(@engine.checks, "CVE-2013-1800").
|
39
|
+
expect(Dawn::KnowledgeBase.find(@engine.checks, "CVE-2013-1800")).not_to be_nil
|
40
40
|
end
|
41
41
|
|
42
42
|
it "applies all checks" do
|
43
|
-
@engine.apply_all.
|
43
|
+
expect(@engine.apply_all).to be_truthy
|
44
44
|
end
|
45
45
|
it "applies check for CVE-2013-1800" do
|
46
|
-
@engine.apply("CVE-2013-1800").
|
46
|
+
expect(@engine.apply("CVE-2013-1800")).to be_truthy
|
47
47
|
end
|
48
48
|
|
49
49
|
it "applies check for \"Not revised code\"" do
|
50
|
-
@engine.apply("Not revised code").
|
50
|
+
expect(@engine.apply("Not revised code")).to be_truthy
|
51
51
|
end
|
52
52
|
|
53
53
|
describe "applied to sinatra-safe application" do
|
54
54
|
it "reports it's not vulnerable to CVE-2013-1800" do
|
55
|
-
@engine.is_vulnerable_to?("CVE-2013-1800").
|
55
|
+
expect(@engine.is_vulnerable_to?("CVE-2013-1800")).to be_falsey
|
56
56
|
end
|
57
57
|
|
58
58
|
it "reports it's not vulnerable to \"Not revised code\"" do
|
59
|
-
@engine.is_vulnerable_to?("Not revised code").
|
59
|
+
expect(@engine.is_vulnerable_to?("Not revised code")).to be_falsey
|
60
60
|
end
|
61
61
|
|
62
62
|
it "reports it has no vulnerabilities" do
|
63
63
|
puts @engine.vulnerabilities
|
64
|
-
@engine.vulnerabilities.
|
64
|
+
expect(@engine.vulnerabilities).to be_empty
|
65
65
|
end
|
66
66
|
end
|
67
67
|
|
68
68
|
describe "applied do the sinatra-vulnerable application" do
|
69
69
|
before (:all) {@engine= Dawn::Sinatra.new('./spec/support/sinatra-vulnerable')}
|
70
70
|
it "has a valid target" do
|
71
|
-
@engine.target.
|
72
|
-
@engine.target_is_dir
|
71
|
+
expect(@engine.target).to eq("./spec/support/sinatra-vulnerable")
|
72
|
+
expect(@engine.target_is_dir?).to be_truthy
|
73
73
|
end
|
74
74
|
|
75
75
|
it "detects running ruby as the one to be checked against" do
|
76
|
-
@engine.ruby_version[:version].
|
76
|
+
expect(@engine.ruby_version[:version]).to eq(RUBY_VERSION)
|
77
77
|
end
|
78
78
|
|
79
79
|
it "reports it's vulnerable to CVE-2013-1800" do
|
80
|
-
@engine.is_vulnerable_to?("CVE-2013-1800").
|
80
|
+
expect(@engine.is_vulnerable_to?("CVE-2013-1800")).to be_truthy
|
81
81
|
end
|
82
82
|
|
83
83
|
it "reports it's vulnerable to \"Not revised code\"" do
|
84
|
-
@engine.is_vulnerable_to?("Not revised code").
|
84
|
+
expect(@engine.is_vulnerable_to?("Not revised code")).to be_truthy
|
85
85
|
end
|
86
86
|
|
87
87
|
it "reports it has vulnerabilities" do
|
88
|
-
@engine.vulnerabilities.
|
88
|
+
expect(@engine.vulnerabilities).not_to be_empty
|
89
89
|
end
|
90
90
|
|
91
91
|
it "applies automagically all the tests if no test has been applied" do
|
92
92
|
e2 = Dawn::Sinatra.new('./spec/support/sinatra-vulnerable')
|
93
|
-
e2.vulnerabilities.
|
93
|
+
expect(e2.vulnerabilities).not_to be_empty
|
94
94
|
end
|
95
95
|
|
96
96
|
context "when scanning for XSS" do
|
97
97
|
it "detects 3 views" do
|
98
|
-
@engine.views.
|
98
|
+
expect(@engine.views).to eq([
|
99
99
|
{:filename=>"./spec/support/sinatra-vulnerable/views/layout.haml", :language=>:haml},
|
100
100
|
{:filename=>"./spec/support/sinatra-vulnerable/views/root.haml", :language=>:haml},
|
101
101
|
{:filename=>"./spec/support/sinatra-vulnerable/views/xss.haml", :language=>:haml}
|
102
|
-
]
|
102
|
+
])
|
103
103
|
end
|
104
104
|
it "detects views are written using HAML" do
|
105
|
-
@engine.views[0][:language].
|
106
|
-
@engine.views[1][:language].
|
107
|
-
@engine.views[2][:language].
|
105
|
+
expect(@engine.views[0][:language]).to eq(:haml)
|
106
|
+
expect(@engine.views[1][:language]).to eq(:haml)
|
107
|
+
expect(@engine.views[2][:language]).to eq(:haml)
|
108
108
|
end
|
109
109
|
|
110
110
|
it "detects a sink on application.rb" do
|
111
111
|
sink = @engine.detect_sinks("application.rb")
|
112
|
-
sink.
|
112
|
+
expect(sink).to eq([
|
113
113
|
{:sink_name=>"@xss_param", :sink_kind=>:params, :sink_line=>26, :sink_source=>"name", :sink_file=>"application.rb", :sink_evidence=>" @xss_param = params['name']"},
|
114
114
|
{:sink_name=>"@my_arr", :sink_kind=>:params, :sink_line=>27, :sink_source=>"second", :sink_file=>"application.rb", :sink_evidence=>" @my_arr[0] = params['second']"}
|
115
|
-
]
|
115
|
+
])
|
116
116
|
end
|
117
117
|
|
118
118
|
it "detects reflected ones in HAML views" do
|
119
119
|
reflected_xss= @engine.detect_reflected_xss
|
120
|
-
@engine.reflected_xss.
|
121
|
-
@engine.reflected_xss.
|
122
|
-
@engine.reflected_xss.
|
120
|
+
expect(@engine.reflected_xss).not_to be_nil
|
121
|
+
expect(@engine.reflected_xss).not_to be_empty
|
122
|
+
expect(@engine.reflected_xss).to eq([
|
123
123
|
{:sink_name=>"@xss_param", :sink_kind=>:params, :sink_line=>26, :sink_source=>"name", :sink_file=>"application.rb", :sink_evidence=>" @xss_param = params['name']", :sink_view=>"./spec/support/sinatra-vulnerable/views/xss.haml"}
|
124
|
-
]
|
124
|
+
])
|
125
125
|
end
|
126
126
|
end
|
127
127
|
end
|
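Review bot: `puts @engine.vulnerabilities` at line 63 is a leftover debug print that now sits directly above the rewritten `expect(@engine.vulnerabilities).to be_empty`; it writes into the spec output on every run and should be removed. At line 119 the local `reflected_xss= @engine.detect_reflected_xss` is assigned but never read, since the expectations on lines 120–122 go through `@engine.reflected_xss`; either assert on the local or drop the assignment and keep the bare call. The group description on line 68, `"applied do the sinatra-vulnerable application"`, should read `"applied to the sinatra-vulnerable application"`. Because `@engine` is built in `before(:all)`, `apply_all` and `apply` mutate shared state, so the `is_vulnerable_to?` examples appear to depend on running after them — worth confirming with random ordering.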
@@ -3,7 +3,7 @@ require 'spec_helper'
|
|
3
3
|
describe "CVE-2013-0175 security check" do
|
4
4
|
let (:check) {Dawn::Kb::CVE_2013_0175.new}
|
5
5
|
it "knows its name" do
|
6
|
-
check.name.
|
6
|
+
expect(check.name).to eq("CVE-2013-0175")
|
7
7
|
end
|
8
8
|
it "has a 7.5 cvss score" do
|
9
9
|
check.cvss_score == 7.5
|
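Review bot: The example "has a 7.5 cvss score" at line 9 still has no expectation: `check.cvss_score == 7.5` is a bare comparison whose result is discarded, so the example passes regardless of the score. The migration to `expect` syntax skipped this line; it should become `expect(check.cvss_score).to eq(7.5)`. The example's `end` is outside the hunk.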
@@ -11,24 +11,24 @@ describe "CVE-2013-0175 security check" do
|
|
11
11
|
|
12
12
|
it "fires when multi_xml vulnerable gem it has been found" do
|
13
13
|
check.dependencies = [{:name=>"multi_xml", :version=>"0.5.2"}]
|
14
|
-
check.vuln
|
14
|
+
expect(check.vuln?).to eq(true)
|
15
15
|
end
|
16
16
|
it "fires when Grape vulnerable gem it has been found" do
|
17
17
|
check.dependencies = [{:name=>"grape", :version=>"0.2.5"}]
|
18
|
-
check.vuln
|
18
|
+
expect(check.vuln?).to eq(true)
|
19
19
|
end
|
20
20
|
it "fires when multi_xml gem is not vulnerable but Grape is" do
|
21
21
|
check.dependencies = [{:name=>"grape", :version=>"0.2.5"}, {:name=>"multi_xml", :version=>"0.5.3"}]
|
22
|
-
check.vuln
|
22
|
+
expect(check.vuln?).to eq(true)
|
23
23
|
end
|
24
24
|
it "fires when multi_xml gem is vulnerable but Grape is not" do
|
25
25
|
check.dependencies = [{:name=>"grape", :version=>"0.2.6"}, {:name=>"multi_xml", :version=>"0.5.2"}]
|
26
|
-
check.vuln
|
26
|
+
expect(check.vuln?).to eq(true)
|
27
27
|
end
|
28
28
|
|
29
29
|
it "doesn't fire when no vulnerabilities were found" do
|
30
30
|
check.dependencies = [{:name=>"grape", :version=>"0.2.6"}, {:name=>"multi_xml", :version=>"0.5.3"}]
|
31
|
-
check.vuln
|
31
|
+
expect(check.vuln?).to eq(false)
|
32
32
|
end
|
33
33
|
|
34
34
|
|
@@ -7,33 +7,33 @@ describe "The CVE-2013-4457 vulnerability" do
|
|
7
7
|
end
|
8
8
|
it "is detected if vulnerable version of cocaine rubygem is detected" do
|
9
9
|
@check.dependencies=[{:name=>"cocaine", :version=>'0.4.0'}]
|
10
|
-
@check.vuln
|
10
|
+
expect(@check.vuln?).to eq(true)
|
11
11
|
end
|
12
12
|
it "is detected if vulnerable version of cocaine rubygem is detected" do
|
13
13
|
@check.dependencies=[{:name=>"cocaine", :version=>'0.4.1'}]
|
14
|
-
@check.vuln
|
14
|
+
expect(@check.vuln?).to eq(true)
|
15
15
|
end
|
16
16
|
it "is detected if vulnerable version of cocaine rubygem is detected" do
|
17
17
|
@check.dependencies=[{:name=>"cocaine", :version=>'0.4.2'}]
|
18
|
-
@check.vuln
|
18
|
+
expect(@check.vuln?).to eq(true)
|
19
19
|
end
|
20
20
|
it "is detected if vulnerable version of cocaine rubygem is detected" do
|
21
21
|
@check.dependencies=[{:name=>"cocaine", :version=>'0.5.0'}]
|
22
|
-
@check.vuln
|
22
|
+
expect(@check.vuln?).to eq(true)
|
23
23
|
end
|
24
24
|
it "is detected if vulnerable version of cocaine rubygem is detected" do
|
25
25
|
@check.dependencies=[{:name=>"cocaine", :version=>'0.5.1'}]
|
26
|
-
@check.vuln
|
26
|
+
expect(@check.vuln?).to eq(true)
|
27
27
|
end
|
28
28
|
it "is detected if vulnerable version of cocaine rubygem is detected" do
|
29
29
|
@check.dependencies=[{:name=>"cocaine", :version=>'0.5.2'}]
|
30
|
-
@check.vuln
|
30
|
+
expect(@check.vuln?).to eq(true)
|
31
31
|
end
|
32
32
|
|
33
33
|
it "is skipped if non vulnerable version of cocaine rubygem is detected" do
|
34
34
|
@check.dependencies=[{:name=>"cocaine", :version=>'0.3.2'}]
|
35
35
|
# @check.debug = true
|
36
|
-
@check.vuln
|
36
|
+
expect(@check.vuln?).to eq(false)
|
37
37
|
end
|
38
38
|
|
39
39
|
|
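Review bot: Six consecutive examples (lines 8–31) carry the identical description "is detected if vulnerable version of cocaine rubygem is detected", so a failing version cannot be identified from the report; the rewritten `expect(@check.vuln?).to eq(true)` lines are otherwise fine. Interpolating the version into the description, or generating the examples from a list as below, removes the ambiguity without changing what is asserted. The same duplicated-description pattern appears in the version check hunk for `is_vulnerable_version?`.
```ruby
  %w[0.4.0 0.4.1 0.4.2 0.5.0 0.5.1 0.5.2].each do |version|
    it "is detected if vulnerable cocaine #{version} is found" do
      @check.dependencies=[{:name=>"cocaine", :version=>version}]
      expect(@check.vuln?).to eq(true)
    end
  end
  # … unchanged: "is skipped if non vulnerable version" example …
```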
@@ -25,50 +25,50 @@ describe "The security check for gem dependency should" do
|
|
25
25
|
# let (:check) {Mockup.new}
|
26
26
|
|
27
27
|
it "gives an unkown priority value" do
|
28
|
-
@check.priority.
|
28
|
+
expect(@check.priority).to eq("unknown")
|
29
29
|
end
|
30
30
|
|
31
31
|
it "gives the assigned priority value" do
|
32
32
|
@check.priority = :critical
|
33
|
-
@check.priority.
|
33
|
+
expect(@check.priority).to eq("critical")
|
34
34
|
end
|
35
35
|
it "gives an unknown severity since no CVSS is provided and no severity is given" do
|
36
|
-
@check.severity.
|
36
|
+
expect(@check.severity).to eq("unknown")
|
37
37
|
end
|
38
38
|
|
39
39
|
it "gives the severity level provided. No CVSS is here" do
|
40
40
|
@check.severity = :critical
|
41
|
-
@check.severity.
|
41
|
+
expect(@check.severity).to eq("critical")
|
42
42
|
end
|
43
43
|
|
44
44
|
it "fires if vulnerable 0.2.9 version is detected" do
|
45
45
|
@check.dependencies = [{:name=>"this_gem", :version=>'0.2.9'}]
|
46
|
-
@check.vuln
|
46
|
+
expect(@check.vuln?).to eq(true)
|
47
47
|
end
|
48
48
|
it "doesn't fire if not vulnerable 0.4.0 version is found" do
|
49
49
|
@check.dependencies = [{:name=>"this_gem", :version=>'0.4.0'}]
|
50
|
-
@check.vuln
|
50
|
+
expect(@check.vuln?).to eq(false)
|
51
51
|
end
|
52
52
|
|
53
53
|
it "fires if vulnerable 1.3.2 version is found" do
|
54
54
|
@check.dependencies = [{:name=>"this_gem", :version=>'1.3.2'}]
|
55
|
-
@check.vuln
|
55
|
+
expect(@check.vuln?).to eq(true)
|
56
56
|
end
|
57
57
|
|
58
58
|
it "doesn't fire if not vulnerable 1.4.2 version is found" do
|
59
59
|
@check.dependencies = [{:name=>"this_gem", :version=>'1.4.2'}]
|
60
|
-
@check.vuln
|
60
|
+
expect(@check.vuln?).to eq(false)
|
61
61
|
end
|
62
62
|
|
63
63
|
it "doesn't fires when a non vulnerable version is found and there is a fixed version with higher minor release but I asked to honor the minor version (useful with rails gem)" do
|
64
64
|
@check.dependencies = [{:name=>"this_gem", :version=>'2.3.3'}]
|
65
65
|
@check.save_minor = true
|
66
|
-
@check.vuln
|
66
|
+
expect(@check.vuln?).to eq(false)
|
67
67
|
end
|
68
68
|
it "fires when a vulnerable version (2.3.2) is found even if I asked to save minors..." do
|
69
69
|
@check.dependencies = [{:name=>"this_gem", :version=>'2.3.2'}]
|
70
70
|
@check.save_minor = true
|
71
|
-
@check.vuln
|
71
|
+
expect(@check.vuln?).to eq(true)
|
72
72
|
|
73
73
|
end
|
74
74
|
|
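Review bot: The description at line 27 has a typo, `"gives an unkown priority value"`; it should read `"gives an unknown priority value"` so the report is greppable. The examples at lines 31–42 mutate `@check.priority` and `@check.severity`, and those at lines 63–72 set `@check.save_minor = true`; if `@check` is created once in a `before(:all)` (its setup is outside the hunk) those assignments leak into later examples and make the expected values on lines 28 and 36 order-dependent — worth confirming against the setup block.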
@@ -11,46 +11,46 @@ describe "The deprecation check for Ruby and MVC" do
|
|
11
11
|
############################################################################
|
12
12
|
it "should mark a random 1.1.x ruby version as deprecated" do
|
13
13
|
@check.detected = {:gem=>"ruby", :version=>"1.1.#{give_a_number}"}
|
14
|
-
@check.vuln
|
14
|
+
expect(@check.vuln?).to eq(true)
|
15
15
|
end
|
16
16
|
it "should mark a random 1.2.x ruby version as deprecated" do
|
17
17
|
@check.detected = {:gem=>"ruby", :version=>"1.2.#{give_a_number}"}
|
18
|
-
@check.vuln
|
18
|
+
expect(@check.vuln?).to eq(true)
|
19
19
|
end
|
20
20
|
it "should mark a random 1.3.x ruby version as deprecated" do
|
21
21
|
@check.detected = {:gem=>"ruby", :version=>"1.3.#{give_a_number}"}
|
22
|
-
@check.vuln
|
22
|
+
expect(@check.vuln?).to eq(true)
|
23
23
|
end
|
24
24
|
it "should mark a random 1.4.x ruby version as deprecated" do
|
25
25
|
@check.detected = {:gem=>"ruby", :version=>"1.4.#{give_a_number}"}
|
26
|
-
@check.vuln
|
26
|
+
expect(@check.vuln?).to eq(true)
|
27
27
|
end
|
28
28
|
it "should mark a random 1.5.x ruby version as deprecated" do
|
29
29
|
@check.detected = {:gem=>"ruby", :version=>"1.5.#{give_a_number}"}
|
30
|
-
@check.vuln
|
30
|
+
expect(@check.vuln?).to eq(true)
|
31
31
|
end
|
32
32
|
it "should mark a random 1.6.x ruby version as deprecated" do
|
33
33
|
@check.detected = {:gem=>"ruby", :version=>"1.6.#{give_a_number}"}
|
34
|
-
@check.vuln
|
34
|
+
expect(@check.vuln?).to eq(true)
|
35
35
|
end
|
36
36
|
it "should mark a random 1.7.x ruby version as deprecated" do
|
37
37
|
@check.detected = {:gem=>"ruby", :version=>"1.7.#{give_a_number}"}
|
38
|
-
@check.vuln
|
38
|
+
expect(@check.vuln?).to eq(true)
|
39
39
|
end
|
40
40
|
it "should mark ruby version 1.8.7 as deprecated" do
|
41
41
|
@check.detected = {:gem=>"ruby", :version=>"1.8.7"}
|
42
|
-
@check.vuln
|
42
|
+
expect(@check.vuln?).to eq(true)
|
43
43
|
end
|
44
44
|
it "should mark a random 1.9.x ruby version as non deprecated" do
|
45
45
|
@check.detected = {:gem=>"ruby", :version=>"1.9.#{give_a_number}"}
|
46
|
-
@check.vuln
|
46
|
+
expect(@check.vuln?).to eq(false)
|
47
47
|
end
|
48
48
|
it "should mark ruby version 2.0.0 as non deprecated" do
|
49
49
|
@check.detected = {:gem=>"ruby", :version=>"2.0.0"}
|
50
|
-
@check.vuln
|
50
|
+
expect(@check.vuln?).to eq(false)
|
51
51
|
end
|
52
52
|
it "should mark ruby version 2.1.0 as non deprecated" do
|
53
53
|
@check.detected = {:gem=>"ruby", :version=>"2.1.0"}
|
54
|
-
@check.vuln
|
54
|
+
expect(@check.vuln?).to eq(false)
|
55
55
|
end
|
56
56
|
end
|
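Review bot: Each example feeds a random patch number via `"1.1.#{give_a_number}"` (lines 13, 17, 21, ...), so a failure is not reproducible unless the generated value is surfaced; the rewritten `expect(@check.vuln?).to eq(true)` lines do not change that. Either fix the patch level or include the generated value in the failure, e.g. `expect(@check.vuln?).to eq(true), "version #{@check.detected[:version]}"`, assuming `detected` is readable. The descriptions also all begin with "should", which RSpec convention drops now that the `should` syntax itself is gone: `it "marks a 1.1.x ruby version as deprecated"`.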
@@ -21,20 +21,20 @@ describe "The security check for Ruby interpreter version" do
|
|
21
21
|
|
22
22
|
it "fires if ruby version is vulnerable" do
|
23
23
|
check.detected_ruby = {:version=>"1.9.2", :patchlevel=>"p10000"}
|
24
|
-
check.vuln
|
24
|
+
expect(check.vuln?).to eq(true)
|
25
25
|
end
|
26
26
|
it "doesn't fire if ruby version is not vulnerable and patchlevel is not vulnerable" do
|
27
27
|
check.detected_ruby = {:version=>"1.9.4", :patchlevel=>"p10000"}
|
28
|
-
check.vuln
|
28
|
+
expect(check.vuln?).to eq(false)
|
29
29
|
end
|
30
30
|
|
31
31
|
it "doesn't fire if ruby version is vulnerable and patchlevel is not vulnerable" do
|
32
32
|
check.detected_ruby = {:version=>"1.9.3", :patchlevel=>"p10000"}
|
33
|
-
check.vuln
|
33
|
+
expect(check.vuln?).to eq(false)
|
34
34
|
end
|
35
35
|
|
36
36
|
it "fires if ruby version is vulnerable and patchlevel is vulnerable" do
|
37
37
|
check.detected_ruby = {:version=>"1.9.3", :patchlevel=>"p391"}
|
38
|
-
check.vuln
|
38
|
+
expect(check.vuln?).to eq(true)
|
39
39
|
end
|
40
40
|
end
|
@@ -13,153 +13,153 @@ describe "The version check should" do
|
|
13
13
|
context "without some beta versions to handle" do
|
14
14
|
|
15
15
|
it "reports when a version is vulnerable" do
|
16
|
-
@check.is_vulnerable_version?('2.3.0', '2.2.9').
|
16
|
+
expect(@check.is_vulnerable_version?('2.3.0', '2.2.9')).to eq(true)
|
17
17
|
end
|
18
18
|
|
19
19
|
it "reports when a version is not vulnerable (equals)" do
|
20
|
-
@check.is_vulnerable_version?('2.3.0', '2.3.0').
|
20
|
+
expect(@check.is_vulnerable_version?('2.3.0', '2.3.0')).to eq(false)
|
21
21
|
end
|
22
22
|
|
23
23
|
it "reports when a version is not vulnerable" do
|
24
|
-
@check.is_vulnerable_version?('2.3.0', '2.3.1').
|
24
|
+
expect(@check.is_vulnerable_version?('2.3.0', '2.3.1')).to eq(false)
|
25
25
|
end
|
26
26
|
it "reports when a version is not vulnerable" do
|
27
|
-
@check.is_vulnerable_version?('2.3.0', '2.4.1').
|
27
|
+
expect(@check.is_vulnerable_version?('2.3.0', '2.4.1')).to eq(false)
|
28
28
|
end
|
29
29
|
it "reports when a version is not vulnerable" do
|
30
|
-
@check.is_vulnerable_version?('2.3.0', '4.4.1').
|
30
|
+
expect(@check.is_vulnerable_version?('2.3.0', '4.4.1')).to eq(false)
|
31
31
|
end
|
32
32
|
it "reports when a version is not vulnerable" do
|
33
|
-
@check.is_vulnerable_version?('2.3.0', '4.1.1').
|
33
|
+
expect(@check.is_vulnerable_version?('2.3.0', '4.1.1')).to eq(false)
|
34
34
|
end
|
35
35
|
|
36
36
|
# check for x character support
|
37
37
|
|
38
38
|
it "reports when a version is not vulnerable" do
|
39
|
-
@check.is_vulnerable_version?('2.x', '4.1.1').
|
39
|
+
expect(@check.is_vulnerable_version?('2.x', '4.1.1')).to eq(false)
|
40
40
|
end
|
41
41
|
it "reports when a version is not vulnerable" do
|
42
|
-
@check.is_vulnerable_version?('2.x', '4.4.1').
|
42
|
+
expect(@check.is_vulnerable_version?('2.x', '4.4.1')).to eq(false)
|
43
43
|
end
|
44
44
|
it "reports when a version is not vulnerable" do
|
45
|
-
@check.is_vulnerable_version?('2.x', '4.4.1').
|
45
|
+
expect(@check.is_vulnerable_version?('2.x', '4.4.1')).to eq(false)
|
46
46
|
end
|
47
47
|
it "reports when a version is vulnerable" do
|
48
|
-
@check.is_vulnerable_version?('2.x', '1.4.1').
|
48
|
+
expect(@check.is_vulnerable_version?('2.x', '1.4.1')).to eq(true)
|
49
49
|
end
|
50
50
|
|
51
51
|
|
52
52
|
end
|
53
53
|
context "with some beta versions to handle" do
|
54
54
|
it "reports when a beta version is vulnerable" do
|
55
|
-
@check.is_vulnerable_version?('2.3.0.beta3', '2.3.0.beta1').
|
55
|
+
expect(@check.is_vulnerable_version?('2.3.0.beta3', '2.3.0.beta1')).to eq(true)
|
56
56
|
end
|
57
57
|
it "reports when a beta version is not vulnerable" do
|
58
|
-
@check.is_vulnerable_version?('2.3.0.beta3', '2.3.0.beta5').
|
58
|
+
expect(@check.is_vulnerable_version?('2.3.0.beta3', '2.3.0.beta5')).to eq(false)
|
59
59
|
end
|
60
60
|
it "reports when a beta version is not vulnerable (equals)" do
|
61
|
-
@check.is_vulnerable_version?('2.3.0.beta5', '2.3.0.beta5').
|
61
|
+
expect(@check.is_vulnerable_version?('2.3.0.beta5', '2.3.0.beta5')).to eq(false)
|
62
62
|
end
|
63
63
|
it "reports a vulnerability when a stable version is safe and beta is detected" do
|
64
|
-
@check.is_vulnerable_version?('2.3.0', '2.3.0.beta9').
|
64
|
+
expect(@check.is_vulnerable_version?('2.3.0', '2.3.0.beta9')).to eq(true)
|
65
65
|
end
|
66
66
|
it "reports a safe condition when a beta version is safe and the stable version is detected" do
|
67
|
-
@check.is_vulnerable_version?('2.3.0.beta9', '2.3.0').
|
67
|
+
expect(@check.is_vulnerable_version?('2.3.0.beta9', '2.3.0')).to eq(false)
|
68
68
|
end
|
69
69
|
it "reports a vulnerability when a previous beta version is detected" do
|
70
|
-
@check.is_vulnerable_version?('2.3.0', '2.2.10.beta2').
|
70
|
+
expect(@check.is_vulnerable_version?('2.3.0', '2.2.10.beta2')).to eq(true)
|
71
71
|
end
|
72
72
|
it "reports a safe condition when a beta version is detected but the safe version was released earlier (same major, same minor)" do
|
73
|
-
@check.is_vulnerable_version?('2.2.0', '2.2.10.beta2').
|
73
|
+
expect(@check.is_vulnerable_version?('2.2.0', '2.2.10.beta2')).to eq(false)
|
74
74
|
end
|
75
75
|
it "reports a safe condition when a beta version is detected but the safe version was released earlier (same major)" do
|
76
|
-
@check.is_vulnerable_version?('2.2.0', '2.4.10.beta2').
|
76
|
+
expect(@check.is_vulnerable_version?('2.2.0', '2.4.10.beta2')).to eq(false)
|
77
77
|
end
|
78
78
|
it "reports a safe condition when a beta version is detected but the safe version was released earlier" do
|
79
|
-
@check.is_vulnerable_version?('2.2.0', '3.4.10.beta2').
|
79
|
+
expect(@check.is_vulnerable_version?('2.2.0', '3.4.10.beta2')).to eq(false)
|
80
80
|
end
|
81
81
|
end
|
82
82
|
|
83
83
|
context "with some rc versions to handle" do
|
84
84
|
it "reports when a rc version is vulnerable" do
|
85
|
-
@check.is_vulnerable_version?('2.3.0.rc3', '2.3.0.rc1').
|
85
|
+
expect(@check.is_vulnerable_version?('2.3.0.rc3', '2.3.0.rc1')).to eq(true)
|
86
86
|
end
|
87
87
|
it "reports when a rc version is not vulnerable" do
|
88
|
-
@check.is_vulnerable_version?('2.3.0.rc3', '2.3.0.rc5').
|
88
|
+
expect(@check.is_vulnerable_version?('2.3.0.rc3', '2.3.0.rc5')).to eq(false)
|
89
89
|
end
|
90
90
|
it "reports when a rc version is not vulnerable (equals)" do
|
91
|
-
@check.is_vulnerable_version?('2.3.0.rc5', '2.3.0.rc5').
|
91
|
+
expect(@check.is_vulnerable_version?('2.3.0.rc5', '2.3.0.rc5')).to eq(false)
|
92
92
|
end
|
93
93
|
it "reports a vulnerability when a stable version is safe and rc is detected" do
|
94
|
-
@check.is_vulnerable_version?('2.3.0', '2.3.0.rc9').
|
94
|
+
expect(@check.is_vulnerable_version?('2.3.0', '2.3.0.rc9')).to eq(true)
|
95
95
|
end
|
96
96
|
it "reports a safe condition when a rc version is safe and the stable version is detected" do
|
97
|
-
@check.is_vulnerable_version?('2.3.0.rc9', '2.3.0').
|
97
|
+
expect(@check.is_vulnerable_version?('2.3.0.rc9', '2.3.0')).to eq(false)
|
98
98
|
end
|
99
99
|
it "reports a vulnerability when a previous rc version is detected" do
|
100
|
-
@check.is_vulnerable_version?('2.3.0', '2.2.10.rc2').
|
100
|
+
expect(@check.is_vulnerable_version?('2.3.0', '2.2.10.rc2')).to eq(true)
|
101
101
|
end
|
102
102
|
it "reports a safe condition when a rc version is detected but the safe version was released earlier (same major, same minor)" do
|
103
|
-
@check.is_vulnerable_version?('2.2.0', '2.2.10.rc2').
|
103
|
+
expect(@check.is_vulnerable_version?('2.2.0', '2.2.10.rc2')).to eq(false)
|
104
104
|
end
|
105
105
|
it "reports a safe condition when a rc version is detected but the safe version was released earlier (same major)" do
|
106
|
-
@check.is_vulnerable_version?('2.2.0', '2.4.10.rc2').
|
106
|
+
expect(@check.is_vulnerable_version?('2.2.0', '2.4.10.rc2')).to eq(false)
|
107
107
|
end
|
108
108
|
it "reports a safe condition when a rc version is detected but the safe version was released earlier" do
|
109
|
-
@check.is_vulnerable_version?('2.2.0', '3.4.10.rc2').
|
109
|
+
expect(@check.is_vulnerable_version?('2.2.0', '3.4.10.rc2')).to eq(false)
|
110
110
|
end
|
111
111
|
end
|
112
112
|
|
113
113
|
context "with some pre versions to handle" do
|
114
114
|
it "reports when a pre version is vulnerable" do
|
115
|
-
@check.is_vulnerable_version?('2.3.0.pre3', '2.3.0.pre1').
|
115
|
+
expect(@check.is_vulnerable_version?('2.3.0.pre3', '2.3.0.pre1')).to eq(true)
|
116
116
|
end
|
117
117
|
it "reports when a pre version is not vulnerable" do
|
118
|
-
@check.is_vulnerable_version?('2.3.0.pre3', '2.3.0.pre5').
|
118
|
+
expect(@check.is_vulnerable_version?('2.3.0.pre3', '2.3.0.pre5')).to eq(false)
|
119
119
|
end
|
120
120
|
it "reports when a pre version is not vulnerable (equals)" do
|
121
|
-
@check.is_vulnerable_version?('2.3.0.pre5', '2.3.0.pre5').
|
121
|
+
expect(@check.is_vulnerable_version?('2.3.0.pre5', '2.3.0.pre5')).to eq(false)
|
122
122
|
end
|
123
123
|
it "reports a vulnerability when a stable version is safe and pre is detected" do
|
124
|
-
@check.is_vulnerable_version?('2.3.0', '2.3.0.pre9').
|
124
|
+
expect(@check.is_vulnerable_version?('2.3.0', '2.3.0.pre9')).to eq(true)
|
125
125
|
end
|
126
126
|
it "reports a safe condition when a pre version is safe and the stable version is detected" do
|
127
|
-
@check.is_vulnerable_version?('2.3.0.pre9', '2.3.0').
|
127
|
+
expect(@check.is_vulnerable_version?('2.3.0.pre9', '2.3.0')).to eq(false)
|
128
128
|
end
|
129
129
|
it "reports a vulnerability when a previous pre version is detected" do
|
130
|
-
@check.is_vulnerable_version?('2.3.0', '2.2.10.pre2').
|
130
|
+
expect(@check.is_vulnerable_version?('2.3.0', '2.2.10.pre2')).to eq(true)
|
131
131
|
end
|
132
132
|
it "reports a safe condition when a pre version is detected but the safe version was released earlier (same major, same minor)" do
|
133
|
-
@check.is_vulnerable_version?('2.2.0', '2.2.10.pre2').
|
133
|
+
expect(@check.is_vulnerable_version?('2.2.0', '2.2.10.pre2')).to eq(false)
|
134
134
|
end
|
135
135
|
it "reports a safe condition when a pre version is detected but the safe version was released earlier (same major)" do
|
136
|
-
@check.is_vulnerable_version?('2.2.0', '2.4.10.pre2').
|
136
|
+
expect(@check.is_vulnerable_version?('2.2.0', '2.4.10.pre2')).to eq(false)
|
137
137
|
end
|
138
138
|
it "reports a safe condition when a pre version is detected but the safe version was released earlier" do
|
139
|
-
@check.is_vulnerable_version?('2.2.0', '3.4.10.pre2').
|
139
|
+
expect(@check.is_vulnerable_version?('2.2.0', '3.4.10.pre2')).to eq(false)
|
140
140
|
end
|
141
141
|
end
|
142
142
|
# deprecation check
|
143
143
|
it "reports nonsense deprecation" do
|
144
144
|
nonsense = Dawn::Kb::VersionCheck.new
|
145
145
|
nonsense.deprecated = ['x.0.0']
|
146
|
-
nonsense.is_deprecated?('2.2.3').
|
146
|
+
expect(nonsense.is_deprecated?('2.2.3')).to eq(true)
|
147
147
|
end
|
148
148
|
|
149
149
|
it "tells 1.1.12 is deprecated" do
|
150
|
-
@check.is_deprecated?('1.1.12').
|
150
|
+
expect(@check.is_deprecated?('1.1.12')).to eq(true)
|
151
151
|
end
|
152
152
|
it "tells 0.1.12 is deprecated" do
|
153
|
-
@check.is_deprecated?('0.1.12').
|
153
|
+
expect(@check.is_deprecated?('0.1.12')).to eq(true)
|
154
154
|
end
|
155
155
|
it "tells 0.4.12 is not deprecated" do
|
156
|
-
@check.is_deprecated?('0.4.12').
|
156
|
+
expect(@check.is_deprecated?('0.4.12')).to eq(false)
|
157
157
|
end
|
158
158
|
context "applied as it should be" do
|
159
159
|
it "says a version 0.4.6 is safe" do
|
160
160
|
@check.detected = '0.4.6'
|
161
161
|
@check.save_minor = true
|
162
|
-
@check.vuln
|
162
|
+
expect(@check.vuln?).to eq(false)
|
163
163
|
end
|
164
164
|
end
|
165
165
|
end
|
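Review bot: Lines 41–46 contain two identical examples, both asserting `is_vulnerable_version?('2.x', '4.4.1')` is false under the same description "reports when a version is not vulnerable"; one of them was presumably meant to cover a different detected version, and as written the second adds no coverage. Seven examples in the first context share that description, so a failure cannot be traced to its input; interpolating both versions, e.g. `it "reports 4.4.1 as not vulnerable when 2.x is the safe version"`, fixes that without touching the assertions. The `nonsense.deprecated = ['x.0.0']` example at lines 143–147 pins that a wildcard major marks every version deprecated, which is the behaviour the check relies on when a fix has no stable release yet; a one-line comment saying so would stop a future reader from "fixing" it.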