dawnscanner 1.6.1 → 1.6.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/.ruby-version +1 -1
- data/.travis.yml +2 -0
- data/Changelog.md +10 -1
- data/KnowledgeBase.md +10 -4
- data/README.md +1 -1
- data/Rakefile +12 -8
- data/VERSION +1 -1
- data/checksum/dawnscanner-1.6.1.gem.sha1 +1 -0
- data/lib/dawn/kb/cve_2016_2097.rb +35 -0
- data/lib/dawn/kb/cve_2016_2098.rb +34 -0
- data/lib/dawn/knowledge_base.rb +4 -0
- data/lib/dawn/version.rb +4 -4
- data/spec/lib/dawn/codesake_core_spec.rb +1 -1
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +451 -441
- data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +11 -11
- data/spec/lib/dawn/codesake_rails_engine_disabled.rb +2 -2
- data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +36 -36
- data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +6 -6
- data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +7 -7
- data/spec/lib/kb/codesake_dependency_version_check_spec.rb +10 -10
- data/spec/lib/kb/codesake_deprecation_check_spec.rb +11 -11
- data/spec/lib/kb/codesake_ruby_version_check_spec.rb +4 -4
- data/spec/lib/kb/codesake_version_check_spec.rb +42 -42
- data/spec/lib/kb/cve_2011_2705_spec.rb +7 -7
- data/spec/lib/kb/cve_2011_2930_spec.rb +6 -6
- data/spec/lib/kb/cve_2011_3009_spec.rb +4 -4
- data/spec/lib/kb/cve_2011_3187_spec.rb +4 -4
- data/spec/lib/kb/cve_2011_4319_spec.rb +9 -9
- data/spec/lib/kb/cve_2011_5036_spec.rb +21 -21
- data/spec/lib/kb/cve_2012_1098_spec.rb +7 -7
- data/spec/lib/kb/cve_2012_2139_spec.rb +3 -3
- data/spec/lib/kb/cve_2012_2671_spec.rb +4 -4
- data/spec/lib/kb/cve_2012_6109_spec.rb +25 -25
- data/spec/lib/kb/cve_2012_6684_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_0162_spec.rb +4 -4
- data/spec/lib/kb/cve_2013_0183_spec.rb +11 -11
- data/spec/lib/kb/cve_2013_0184_spec.rb +26 -26
- data/spec/lib/kb/cve_2013_0256_spec.rb +6 -6
- data/spec/lib/kb/cve_2013_0262_spec.rb +9 -9
- data/spec/lib/kb/cve_2013_0263_spec.rb +1 -1
- data/spec/lib/kb/cve_2013_1607_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_1655_spec.rb +4 -4
- data/spec/lib/kb/cve_2013_1756_spec.rb +4 -4
- data/spec/lib/kb/cve_2013_2090_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_2105_spec.rb +1 -1
- data/spec/lib/kb/cve_2013_2119_spec.rb +5 -5
- data/spec/lib/kb/cve_2013_2512_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_2513_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_2516_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_4203_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_4413_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_4489_spec.rb +11 -11
- data/spec/lib/kb/cve_2013_4491_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_4593_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_5647_spec.rb +3 -3
- data/spec/lib/kb/cve_2013_5671_spec.rb +4 -4
- data/spec/lib/kb/cve_2013_6416_spec.rb +5 -5
- data/spec/lib/kb/cve_2013_6459_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_7086_spec.rb +3 -3
- data/spec/lib/kb/cve_2014_0036_spec.rb +2 -2
- data/spec/lib/kb/cve_2014_0080_spec.rb +5 -5
- data/spec/lib/kb/cve_2014_0081_spec.rb +10 -10
- data/spec/lib/kb/cve_2014_0082_spec.rb +8 -8
- data/spec/lib/kb/cve_2014_0130_spec.rb +3 -3
- data/spec/lib/kb/cve_2014_1233_spec.rb +2 -2
- data/spec/lib/kb/cve_2014_1234_spec.rb +2 -2
- data/spec/lib/kb/cve_2014_2322_spec.rb +2 -2
- data/spec/lib/kb/cve_2014_2538_spec.rb +2 -2
- data/spec/lib/kb/cve_2014_3482_spec.rb +2 -2
- data/spec/lib/kb/cve_2014_3483_spec.rb +5 -5
- data/spec/lib/kb/cve_2014_7818_spec.rb +8 -8
- data/spec/lib/kb/cve_2014_7819_spec.rb +32 -32
- data/spec/lib/kb/cve_2014_7829_spec.rb +10 -10
- data/spec/lib/kb/cve_2014_9490_spec.rb +2 -2
- data/spec/lib/kb/cve_2015_1819_spec.rb +2 -2
- data/spec/lib/kb/cve_2015_1840_spec.rb +7 -7
- data/spec/lib/kb/cve_2015_2963_spec.rb +2 -2
- data/spec/lib/kb/cve_2015_3224_spec.rb +2 -2
- data/spec/lib/kb/cve_2015_3225_spec.rb +5 -5
- data/spec/lib/kb/cve_2015_3226_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_3227_spec.rb +5 -5
- data/spec/lib/kb/cve_2015_3448_spec.rb +2 -2
- data/spec/lib/kb/cve_2015_4020_spec.rb +4 -4
- data/spec/lib/kb/cve_2015_5312_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_7497_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_7498_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_7499_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_7500_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_7519_spec.rb +4 -4
- data/spec/lib/kb/cve_2015_7541_spec.rb +2 -2
- data/spec/lib/kb/cve_2015_7576_spec.rb +11 -11
- data/spec/lib/kb/cve_2015_7577_spec.rb +11 -11
- data/spec/lib/kb/cve_2015_7578_spec.rb +2 -2
- data/spec/lib/kb/cve_2015_7579_spec.rb +4 -4
- data/spec/lib/kb/cve_2015_7581_spec.rb +11 -11
- data/spec/lib/kb/cve_2015_8241_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_8242_spec.rb +6 -6
- data/spec/lib/kb/cve_2015_8317_spec.rb +6 -6
- data/spec/lib/kb/cve_2016_0751_spec.rb +11 -11
- data/spec/lib/kb/cve_2016_0752_spec.rb +11 -11
- data/spec/lib/kb/cve_2016_0753_spec.rb +11 -11
- data/spec/lib/kb/cve_2016_2097_spec.rb +35 -0
- data/spec/lib/kb/cve_2016_2098_spec.rb +39 -0
- data/spec/lib/kb/osvdb_105971_spec.rb +2 -2
- data/spec/lib/kb/osvdb_108530_spec.rb +3 -3
- data/spec/lib/kb/osvdb_108563_spec.rb +2 -2
- data/spec/lib/kb/osvdb_108569_spec.rb +2 -2
- data/spec/lib/kb/osvdb_108570_spec.rb +2 -2
- data/spec/lib/kb/osvdb_115654_spec.rb +2 -2
- data/spec/lib/kb/osvdb_116010_spec.rb +2 -2
- data/spec/lib/kb/osvdb_117903_spec.rb +4 -4
- data/spec/lib/kb/osvdb_118830_spec.rb +2 -2
- data/spec/lib/kb/osvdb_118954_spec.rb +3 -3
- data/spec/lib/kb/osvdb_119878_spec.rb +21 -21
- data/spec/lib/kb/osvdb_119927_spec.rb +2 -2
- data/spec/lib/kb/osvdb_120415_spec.rb +2 -2
- data/spec/lib/kb/osvdb_120857_spec.rb +6 -6
- data/spec/lib/kb/osvdb_121701_spec.rb +2 -2
- data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +10 -10
- metadata +9 -2
- metadata.gz.sig +0 -0
|
@@ -6,10 +6,10 @@ describe "The OSVDB_105971 vulnerability" do
|
|
|
6
6
|
end
|
|
7
7
|
it "is reported when a vulnerable version it has been found (0.4.14)" do
|
|
8
8
|
@check.dependencies = [{:name=>"sfpagent", :version=>"0.4.14"}]
|
|
9
|
-
@check.vuln
|
|
9
|
+
expect(@check.vuln?).to eq(true)
|
|
10
10
|
end
|
|
11
11
|
it "is not reported when a safe version it has been found (0.4.15)" do
|
|
12
12
|
@check.dependencies = [{:name=>"sfpagent", :version=>"0.4.15"}]
|
|
13
|
-
@check.vuln
|
|
13
|
+
expect(@check.vuln?).to eq(false)
|
|
14
14
|
end
|
|
15
15
|
end
|
|
@@ -6,15 +6,15 @@ describe "The OSVDB-108530 vulnerability" do
|
|
|
6
6
|
end
|
|
7
7
|
it "is reported when a vulnerable version it has been found (1.0.3.rc2)" do
|
|
8
8
|
@check.dependencies = [{:name=>"kajam", :version=>"1.0.3.rc2"}]
|
|
9
|
-
@check.vuln
|
|
9
|
+
expect(@check.vuln?).to eq(true)
|
|
10
10
|
end
|
|
11
11
|
it "is not reported when a safe version it has been found (1.0.3)" do
|
|
12
12
|
@check.dependencies = [{:name=>"kajam", :version=>"1.0.3"}]
|
|
13
|
-
@check.vuln
|
|
13
|
+
expect(@check.vuln?).to eq(false)
|
|
14
14
|
end
|
|
15
15
|
it "is not reported when a safe version it has been found (1.0.4)" do
|
|
16
16
|
@check.dependencies = [{:name=>"kajam", :version=>"1.0.4"}]
|
|
17
|
-
@check.vuln
|
|
17
|
+
expect(@check.vuln?).to eq(false)
|
|
18
18
|
end
|
|
19
19
|
|
|
20
20
|
it "must be filled with CVE identifier"
|
|
@@ -7,11 +7,11 @@ describe "The OSVDB-108563 vulnerability" do
|
|
|
7
7
|
|
|
8
8
|
it "is reported when a vulnerable version it has been found (1.0.0)" do
|
|
9
9
|
@check.dependencies = [{:name=>"gyazo", :version=>"1.0.0"}]
|
|
10
|
-
@check.vuln
|
|
10
|
+
expect(@check.vuln?).to eq(true)
|
|
11
11
|
end
|
|
12
12
|
it "is not reported when a safe version it has been found (0.4.15)" do
|
|
13
13
|
@check.dependencies = [{:name=>"gyazo", :version=>"1.0.1"}]
|
|
14
|
-
@check.vuln
|
|
14
|
+
expect(@check.vuln?).to eq(false)
|
|
15
15
|
end
|
|
16
16
|
it "must be filled with CVE identifier"
|
|
17
17
|
it "must be filled with CVSS information"
|
|
@@ -6,11 +6,11 @@ describe "The OSVDB-108569 vulnerability" do
|
|
|
6
6
|
end
|
|
7
7
|
it "is reported when a vulnerable backup_checksum gem version it has been found (3.0.23)" do
|
|
8
8
|
@check.dependencies = [{:name=>"backup_checksum", :version=>"3.0.23"}]
|
|
9
|
-
@check.vuln
|
|
9
|
+
expect(@check.vuln?).to eq(true)
|
|
10
10
|
end
|
|
11
11
|
it "is not reported when a safe backup_checksum gem version it has been found (3.0.24)" do
|
|
12
12
|
@check.dependencies = [{:name=>"backup_checksum", :version=>"3.0.24"}]
|
|
13
|
-
@check.vuln
|
|
13
|
+
expect(@check.vuln?).to eq(false)
|
|
14
14
|
end
|
|
15
15
|
it "must be filled with CVE identifier"
|
|
16
16
|
it "must be filled with CVSS information"
|
|
@@ -6,11 +6,11 @@ describe "The OSVDB-108570 vulnerability" do
|
|
|
6
6
|
end
|
|
7
7
|
it "is reported when a vulnerable version it has been found (3.0.23)" do
|
|
8
8
|
@check.dependencies = [{:name=>"backup_checksum", :version=>"3.0.23"}]
|
|
9
|
-
@check.vuln
|
|
9
|
+
expect(@check.vuln?).to eq(true)
|
|
10
10
|
end
|
|
11
11
|
it "is not reported when a safe version it has been found (0.4.15)" do
|
|
12
12
|
@check.dependencies = [{:name=>"backup_checksum", :version=>"3.0.24"}]
|
|
13
|
-
@check.vuln
|
|
13
|
+
expect(@check.vuln?).to eq(false)
|
|
14
14
|
end
|
|
15
15
|
it "must be filled with CVE identifier"
|
|
16
16
|
it "must be filled with CVSS information"
|
|
@@ -6,10 +6,10 @@ describe "The OSVDB_115654 vulnerability" do
|
|
|
6
6
|
end
|
|
7
7
|
it "is reported when the vulnerable gem is detected" do
|
|
8
8
|
@check.dependencies = [{:name=>"raven-ruby", :version=>"0.12.1"}]
|
|
9
|
-
@check.vuln
|
|
9
|
+
expect(@check.vuln?).to eq(true)
|
|
10
10
|
end
|
|
11
11
|
it "is not reported when a fixed release is detected" do
|
|
12
12
|
@check.dependencies = [{:name=>"raven-ruby", :version=>"0.12.2"}]
|
|
13
|
-
@check.vuln
|
|
13
|
+
expect(@check.vuln?).to eq(false)
|
|
14
14
|
end
|
|
15
15
|
end
|
|
@@ -6,10 +6,10 @@ describe "The OSVDB_116010 vulnerability" do
|
|
|
6
6
|
end
|
|
7
7
|
it "is reported when the vulnerable gem is detected" do
|
|
8
8
|
@check.dependencies = [{:name=>"doorkeeper", :version=>"1.4.0"}]
|
|
9
|
-
@check.vuln
|
|
9
|
+
expect(@check.vuln?).to eq(true)
|
|
10
10
|
end
|
|
11
11
|
it "is not reported when a fixed release is detected" do
|
|
12
12
|
@check.dependencies = [{:name=>"doorkeeper", :version=>"1.4.1"}]
|
|
13
|
-
@check.vuln
|
|
13
|
+
expect(@check.vuln?).to eq(false)
|
|
14
14
|
end
|
|
15
15
|
end
|
|
@@ -6,18 +6,18 @@ describe "The OSVDB_117903 vulnerability" do
|
|
|
6
6
|
end
|
|
7
7
|
it "is reported when the vulnerable gem is detected" do
|
|
8
8
|
@check.dependencies = [{:name=>"ruby-saml", :version=>"0.7.2"}]
|
|
9
|
-
@check.vuln
|
|
9
|
+
expect(@check.vuln?).to eq(true)
|
|
10
10
|
end
|
|
11
11
|
it "is reported when the vulnerable gem is detected" do
|
|
12
12
|
@check.dependencies = [{:name=>"ruby-saml", :version=>"0.8.1"}]
|
|
13
|
-
@check.vuln
|
|
13
|
+
expect(@check.vuln?).to eq(true)
|
|
14
14
|
end
|
|
15
15
|
it "is not reported when a fixed release is detected" do
|
|
16
16
|
@check.dependencies = [{:name=>"ruby-saml", :version=>"0.7.3"}]
|
|
17
|
-
@check.vuln
|
|
17
|
+
expect(@check.vuln?).to eq(false)
|
|
18
18
|
end
|
|
19
19
|
it "is not reported when a fixed release is detected" do
|
|
20
20
|
@check.dependencies = [{:name=>"ruby-saml", :version=>"0.8.2"}]
|
|
21
|
-
@check.vuln
|
|
21
|
+
expect(@check.vuln?).to eq(false)
|
|
22
22
|
end
|
|
23
23
|
end
|
|
@@ -6,11 +6,11 @@ describe "The OSVDB_118830 vulnerability" do
|
|
|
6
6
|
end
|
|
7
7
|
it "is reported when a vulnerable version it has been found (2.1.1)" do
|
|
8
8
|
@check.dependencies = [{:name=>"doorkeeper", :version=>"2.1.1"}]
|
|
9
|
-
@check.vuln
|
|
9
|
+
expect(@check.vuln?).to eq(true)
|
|
10
10
|
end
|
|
11
11
|
it "is not reported when a safe version it has been found (2.1.2)" do
|
|
12
12
|
@check.dependencies = [{:name=>"doorkeepr", :version=>"2.1.2"}]
|
|
13
|
-
@check.vuln
|
|
13
|
+
expect(@check.vuln?).to eq(false)
|
|
14
14
|
end
|
|
15
15
|
|
|
16
16
|
end
|
|
@@ -6,15 +6,15 @@ describe "The OSVDB_118954 vulnerability" do
|
|
|
6
6
|
end
|
|
7
7
|
it "is reported when the vulnerable gem is detected" do
|
|
8
8
|
@check.dependencies = [{:name=>"rails", :version=>"4.2.0"}]
|
|
9
|
-
@check.vuln
|
|
9
|
+
expect(@check.vuln?).to eq(true)
|
|
10
10
|
end
|
|
11
11
|
it "is not reported when a fixed release is detected" do
|
|
12
12
|
@check.dependencies = [{:name=>"rails", :version=>"4.2.1.rc3"}]
|
|
13
|
-
@check.vuln
|
|
13
|
+
expect(@check.vuln?).to eq(false)
|
|
14
14
|
end
|
|
15
15
|
it "is not reported when a fixed release is detected" do
|
|
16
16
|
@check.dependencies = [{:name=>"rails", :version=>"4.0.3"}]
|
|
17
|
-
@check.vuln
|
|
17
|
+
expect(@check.vuln?).to eq(false)
|
|
18
18
|
end
|
|
19
19
|
|
|
20
20
|
end
|
|
@@ -6,87 +6,87 @@ describe "The OSVDB_119878 vulnerability" do
|
|
|
6
6
|
end
|
|
7
7
|
it "is reported when a vulnerable version it has been found (1.6.1.a)" do
|
|
8
8
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.1.a"}]
|
|
9
|
-
@check.vuln
|
|
9
|
+
expect(@check.vuln?).to eq(true)
|
|
10
10
|
end
|
|
11
11
|
it "is reported when a vulnerable version it has been found (1.6.1)" do
|
|
12
12
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.1"}]
|
|
13
|
-
@check.vuln
|
|
13
|
+
expect(@check.vuln?).to eq(true)
|
|
14
14
|
end
|
|
15
15
|
it "is reported when a vulnerable version it has been found (1.6.2" do
|
|
16
16
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.2"}]
|
|
17
|
-
@check.vuln
|
|
17
|
+
expect(@check.vuln?).to eq(true)
|
|
18
18
|
end
|
|
19
19
|
it "is reported when a vulnerable version it has been found (1.6.2.a" do
|
|
20
20
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.2.a"}]
|
|
21
|
-
@check.vuln
|
|
21
|
+
expect(@check.vuln?).to eq(true)
|
|
22
22
|
end
|
|
23
23
|
it "is reported when a vulnerable version it has been found (1.6.3)" do
|
|
24
24
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.3"}]
|
|
25
|
-
@check.vuln
|
|
25
|
+
expect(@check.vuln?).to eq(true)
|
|
26
26
|
end
|
|
27
27
|
it "is reported when a vulnerable version it has been found (1.6.4)" do
|
|
28
28
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.4"}]
|
|
29
|
-
@check.vuln
|
|
29
|
+
expect(@check.vuln?).to eq(true)
|
|
30
30
|
end
|
|
31
31
|
it "is reported when a vulnerable version it has been found (1.6.5)" do
|
|
32
32
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.5"}]
|
|
33
|
-
@check.vuln
|
|
33
|
+
expect(@check.vuln?).to eq(true)
|
|
34
34
|
end
|
|
35
35
|
it "is reported when a vulnerable version it has been found (1.6.6)" do
|
|
36
36
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.6"}]
|
|
37
|
-
@check.vuln
|
|
37
|
+
expect(@check.vuln?).to eq(true)
|
|
38
38
|
end
|
|
39
39
|
it "is reported when a vulnerable version it has been found (1.6.7)" do
|
|
40
40
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.7"}]
|
|
41
|
-
@check.vuln
|
|
41
|
+
expect(@check.vuln?).to eq(true)
|
|
42
42
|
end
|
|
43
43
|
it "is reported when a vulnerable version it has been found (1.6.8)" do
|
|
44
44
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.8"}]
|
|
45
|
-
@check.vuln
|
|
45
|
+
expect(@check.vuln?).to eq(true)
|
|
46
46
|
end
|
|
47
47
|
it "is reported when a vulnerable version it has been found (1.6.8.rc1)" do
|
|
48
48
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.8.rc1"}]
|
|
49
|
-
@check.vuln
|
|
49
|
+
expect(@check.vuln?).to eq(true)
|
|
50
50
|
end
|
|
51
51
|
it "is reported when a vulnerable version it has been found (1.6.9)" do
|
|
52
52
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.9"}]
|
|
53
|
-
@check.vuln
|
|
53
|
+
expect(@check.vuln?).to eq(true)
|
|
54
54
|
end
|
|
55
55
|
it "is reported when a vulnerable version it has been found (1.7.0.rc1)" do
|
|
56
56
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.7.0.rc1"}]
|
|
57
|
-
@check.vuln
|
|
57
|
+
expect(@check.vuln?).to eq(true)
|
|
58
58
|
end
|
|
59
59
|
it "is reported when a vulnerable version it has been found (1.7.0)" do
|
|
60
60
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.7.0"}]
|
|
61
|
-
@check.vuln
|
|
61
|
+
expect(@check.vuln?).to eq(true)
|
|
62
62
|
end
|
|
63
63
|
it "is reported when a vulnerable version it has been found (1.7.1)" do
|
|
64
64
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.7.1"}]
|
|
65
|
-
@check.vuln
|
|
65
|
+
expect(@check.vuln?).to eq(true)
|
|
66
66
|
end
|
|
67
67
|
it "is reported when a vulnerable version it has been found (1.7.2)" do
|
|
68
68
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.7.2"}]
|
|
69
|
-
@check.vuln
|
|
69
|
+
expect(@check.vuln?).to eq(true)
|
|
70
70
|
end
|
|
71
71
|
it "is reported when a vulnerable version it has been found (1.7.2.rc1)" do
|
|
72
72
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.7.2.rc1"}]
|
|
73
|
-
@check.vuln
|
|
73
|
+
expect(@check.vuln?).to eq(true)
|
|
74
74
|
end
|
|
75
75
|
it "is reported when a vulnerable version it has been found (1.7.3)" do
|
|
76
76
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.7.3"}]
|
|
77
|
-
@check.vuln
|
|
77
|
+
expect(@check.vuln?).to eq(true)
|
|
78
78
|
end
|
|
79
79
|
it "is not reported when a safe version it has been found (1.8.0)" do
|
|
80
80
|
@check.dependencies = [{:name=>"rest-client", :version=>"1.8.0"}]
|
|
81
|
-
@check.vuln
|
|
81
|
+
expect(@check.vuln?).to eq(false)
|
|
82
82
|
end
|
|
83
83
|
it "is not reported when a safe version it has been found (2.0.0.rc1)" do
|
|
84
84
|
@check.dependencies = [{:name=>"rest-client", :version=>"2.0.0.rc1"}]
|
|
85
|
-
@check.vuln
|
|
85
|
+
expect(@check.vuln?).to eq(false)
|
|
86
86
|
end
|
|
87
87
|
it "is not reported when a safe version it has been found (2.0.0.rc2)" do
|
|
88
88
|
@check.dependencies = [{:name=>"rest-client", :version=>"2.0.0.rc2"}]
|
|
89
|
-
@check.vuln
|
|
89
|
+
expect(@check.vuln?).to eq(false)
|
|
90
90
|
end
|
|
91
91
|
|
|
92
92
|
end
|
|
@@ -6,11 +6,11 @@ describe "The OSVDB_119927 vulnerability" do
|
|
|
6
6
|
end
|
|
7
7
|
it "is reported when a vulnerable version it has been found (0.7.3)" do
|
|
8
8
|
@check.dependencies = [{:name=>"http", :version=>"0.7.3"}]
|
|
9
|
-
@check.vuln
|
|
9
|
+
expect(@check.vuln?).to eq(true)
|
|
10
10
|
end
|
|
11
11
|
it "is not reported when a safe version it has been found (0.8.0)" do
|
|
12
12
|
@check.dependencies = [{:name=>"http", :version=>"0.8.0"}]
|
|
13
|
-
@check.vuln
|
|
13
|
+
expect(@check.vuln?).to eq(false)
|
|
14
14
|
end
|
|
15
15
|
|
|
16
16
|
end
|
|
@@ -6,11 +6,11 @@ describe "The OSVDB_120415 vulnerability" do
|
|
|
6
6
|
end
|
|
7
7
|
it "is reported when the vulnerable gem is detected" do
|
|
8
8
|
@check.dependencies = [{:name=>"redcarpet", :version=>"3.2.2"}]
|
|
9
|
-
@check.vuln
|
|
9
|
+
expect(@check.vuln?).to eq(true)
|
|
10
10
|
end
|
|
11
11
|
it "is not reported when a fixed release is detected" do
|
|
12
12
|
@check.dependencies = [{:name=>"redcarpet", :version=>"3.2.3"}]
|
|
13
|
-
@check.vuln
|
|
13
|
+
expect(@check.vuln?).to eq(false)
|
|
14
14
|
end
|
|
15
15
|
|
|
16
16
|
end
|
|
@@ -6,27 +6,27 @@ describe "The OSVDB_120857 vulnerability" do
|
|
|
6
6
|
end
|
|
7
7
|
it "is reported when the vulnerable gem is detected" do
|
|
8
8
|
@check.dependencies = [{:name=>"refile", :version=>"0.5.2"}]
|
|
9
|
-
@check.vuln
|
|
9
|
+
expect(@check.vuln?).to eq(true)
|
|
10
10
|
end
|
|
11
11
|
it "is not reported when a fixed release is detected" do
|
|
12
12
|
@check.dependencies = [{:name=>"refile", :version=>"0.5.4"}]
|
|
13
|
-
@check.vuln
|
|
13
|
+
expect(@check.vuln?).to eq(false)
|
|
14
14
|
end
|
|
15
15
|
it "is not reported when a fixed release is detected" do
|
|
16
16
|
@check.dependencies = [{:name=>"refile", :version=>"0.4.4"}]
|
|
17
|
-
@check.vuln
|
|
17
|
+
expect(@check.vuln?).to eq(false)
|
|
18
18
|
end
|
|
19
19
|
it "is not reported when a fixed release is detected" do
|
|
20
20
|
@check.dependencies = [{:name=>"refile", :version=>"0.3.4"}]
|
|
21
|
-
@check.vuln
|
|
21
|
+
expect(@check.vuln?).to eq(false)
|
|
22
22
|
end
|
|
23
23
|
it "is not reported when a fixed release is detected" do
|
|
24
24
|
@check.dependencies = [{:name=>"refile", :version=>"0.2.4"}]
|
|
25
|
-
@check.vuln
|
|
25
|
+
expect(@check.vuln?).to eq(false)
|
|
26
26
|
end
|
|
27
27
|
it "is not reported when a fixed release is detected" do
|
|
28
28
|
@check.dependencies = [{:name=>"refile", :version=>"0.1.4"}]
|
|
29
|
-
@check.vuln
|
|
29
|
+
expect(@check.vuln?).to eq(false)
|
|
30
30
|
end
|
|
31
31
|
|
|
32
32
|
end
|
|
@@ -6,10 +6,10 @@ describe "The OSVDB_121701 vulnerability" do
|
|
|
6
6
|
end
|
|
7
7
|
it "is reported when the vulnerable gem is detected" do
|
|
8
8
|
@check.dependencies = [{:name=>"open-uri-cached", :version=>"0.0.4"}]
|
|
9
|
-
@check.vuln
|
|
9
|
+
expect(@check.vuln?).to eq(true)
|
|
10
10
|
end
|
|
11
11
|
it "is not reported when a fixed release is detected" do
|
|
12
12
|
@check.dependencies = [{:name=>"open-uri-cached", :version=>"0.0.5"}]
|
|
13
|
-
@check.vuln
|
|
13
|
+
expect(@check.vuln?).to eq(false)
|
|
14
14
|
end
|
|
15
15
|
end
|
|
@@ -11,43 +11,43 @@ describe "The OWASP Ruby on Rails cheatsheet" do
|
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
it "is correctly applied" do
|
|
14
|
-
@applied.
|
|
14
|
+
expect(@applied).to eq(true)
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
it "fires up vulnerabilities" do
|
|
18
|
-
@engine.is_vulnerable_to?("Owasp Ror Cheatsheet").
|
|
18
|
+
expect(@engine.is_vulnerable_to?("Owasp Ror Cheatsheet")).to eq(true)
|
|
19
19
|
end
|
|
20
20
|
|
|
21
21
|
it "says that running operating system commands from a ruby app can be dangerous" do
|
|
22
22
|
ev = @engine.vulnerabilities[0][:vulnerable_checks][0].evidences
|
|
23
|
-
@engine.vulnerabilities[0][:vulnerable_checks][0].
|
|
24
|
-
ev[0][:filename].
|
|
25
|
-
ev[0][:matches].count.
|
|
26
|
-
ev[0][:matches].
|
|
23
|
+
expect(@engine.vulnerabilities[0][:vulnerable_checks][0]).to be_an_instance_of(Dawn::Kb::OwaspRorCheatSheet::CommandInjection)
|
|
24
|
+
expect(ev[0][:filename]).to eq("./spec/support/hello_world_3.2.13/app/helpers/application_helper.rb")
|
|
25
|
+
expect(ev[0][:matches].count).to eq(4)
|
|
26
|
+
expect(ev[0][:matches]).to match_array([{:match=>" eval(command)\n", :line=>4}, {:match=>" System(command)\n", :line=>5}, {:match=>" `\#{command}`\n", :line=>6}, {:match=>" Kernel.exec(command)\n", :line=>7}])
|
|
27
27
|
end
|
|
28
28
|
|
|
29
29
|
it "says that methods fetching data must validate parameters form request"
|
|
30
30
|
it "says that applications must filter data to avoid XSS"
|
|
31
31
|
it "says that applications must tune session cookies to have them to expire or to store them in a database" do
|
|
32
32
|
sessions = Dawn::Kb::ComboCheck.find_vulnerable_checks_by_class(@vc, Dawn::Kb::OwaspRorCheatSheet::SessionStoredInDatabase)
|
|
33
|
-
sessions.
|
|
33
|
+
expect(sessions).to be_nil
|
|
34
34
|
end
|
|
35
35
|
it "says that applications must tune devise parameters"
|
|
36
36
|
it "says that you have to implement some access control to your REST code (e.g. using cancan)"
|
|
37
37
|
it "says that protect_from_forgery must be enabled" do
|
|
38
38
|
forgery = Dawn::Kb::ComboCheck.find_vulnerable_checks_by_class(@vc, Dawn::Kb::OwaspRorCheatSheet::Csrf)
|
|
39
|
-
forgery.
|
|
39
|
+
expect(forgery).to be_nil
|
|
40
40
|
end
|
|
41
41
|
it "says that your models must take care about not declaring attr_accessor fields to avoid mass assignements" do
|
|
42
42
|
mass_assignment = Dawn::Kb::ComboCheck.find_vulnerable_checks_by_class(@vc, Dawn::Kb::OwaspRorCheatSheet::MassAssignmentInModel)
|
|
43
|
-
mass_assignment.
|
|
43
|
+
expect(mass_assignment).not_to be_nil
|
|
44
44
|
end
|
|
45
45
|
it "says redirect_to calls in your code must use only_path=true param that lets your code to be safe against forceful browsing"
|
|
46
46
|
it "says that pages passed to render call must not under the user control"
|
|
47
47
|
it "says that applications must implement the same-origin control when handling data"
|
|
48
48
|
it "says that applications must use HTTP headers designed for security" do
|
|
49
49
|
headers = Dawn::Kb::ComboCheck.find_vulnerable_checks_by_class(@vc, Dawn::Kb::OwaspRorCheatSheet::SecurityRelatedHeaders)
|
|
50
|
-
headers.
|
|
50
|
+
expect(headers).not_to be_nil
|
|
51
51
|
end
|
|
52
52
|
it "says that you have to perform code reviews to avoid business logic faults. Using codesake dawn is great :-)"
|
|
53
53
|
it "says that you have to manually check your routes to avoid a widespread attack surface."
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dawnscanner
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.6.
|
|
4
|
+
version: 1.6.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Paolo Perego
|
|
@@ -30,7 +30,7 @@ cert_chain:
|
|
|
30
30
|
jm6Bw8fGx65GCWIdgMhH/P0icixcnyrnotnnOrEcmPudIlgEN9qaUYcguOfFBhTH
|
|
31
31
|
1sGpM7KzrYHU8qJJPrdaX0ezIDL4cN/kA/DxYTfUiMw=
|
|
32
32
|
-----END CERTIFICATE-----
|
|
33
|
-
date: 2016-
|
|
33
|
+
date: 2016-03-01 00:00:00.000000000 Z
|
|
34
34
|
dependencies:
|
|
35
35
|
- !ruby/object:Gem::Dependency
|
|
36
36
|
name: cvss
|
|
@@ -315,6 +315,7 @@ files:
|
|
|
315
315
|
- checksum/dawnscanner-1.5.1.gem.sha1
|
|
316
316
|
- checksum/dawnscanner-1.5.2.gem.sha1
|
|
317
317
|
- checksum/dawnscanner-1.6.0.gem.sha1
|
|
318
|
+
- checksum/dawnscanner-1.6.1.gem.sha1
|
|
318
319
|
- dawnscanner.gemspec
|
|
319
320
|
- doc/dawn_1_0_announcement.md
|
|
320
321
|
- doc/dawn_1_1_announcement.md
|
|
@@ -534,6 +535,8 @@ files:
|
|
|
534
535
|
- lib/dawn/kb/cve_2016_0751.rb
|
|
535
536
|
- lib/dawn/kb/cve_2016_0752.rb
|
|
536
537
|
- lib/dawn/kb/cve_2016_0753.rb
|
|
538
|
+
- lib/dawn/kb/cve_2016_2097.rb
|
|
539
|
+
- lib/dawn/kb/cve_2016_2098.rb
|
|
537
540
|
- lib/dawn/kb/dependency_check.rb
|
|
538
541
|
- lib/dawn/kb/deprecation_check.rb
|
|
539
542
|
- lib/dawn/kb/gem_check.rb
|
|
@@ -670,6 +673,8 @@ files:
|
|
|
670
673
|
- spec/lib/kb/cve_2016_0751_spec.rb
|
|
671
674
|
- spec/lib/kb/cve_2016_0752_spec.rb
|
|
672
675
|
- spec/lib/kb/cve_2016_0753_spec.rb
|
|
676
|
+
- spec/lib/kb/cve_2016_2097_spec.rb
|
|
677
|
+
- spec/lib/kb/cve_2016_2098_spec.rb
|
|
673
678
|
- spec/lib/kb/osvdb_105971_spec.rb
|
|
674
679
|
- spec/lib/kb/osvdb_108530_spec.rb
|
|
675
680
|
- spec/lib/kb/osvdb_108563_spec.rb
|
|
@@ -812,6 +817,8 @@ test_files:
|
|
|
812
817
|
- spec/lib/kb/cve_2016_0751_spec.rb
|
|
813
818
|
- spec/lib/kb/cve_2016_0752_spec.rb
|
|
814
819
|
- spec/lib/kb/cve_2016_0753_spec.rb
|
|
820
|
+
- spec/lib/kb/cve_2016_2097_spec.rb
|
|
821
|
+
- spec/lib/kb/cve_2016_2098_spec.rb
|
|
815
822
|
- spec/lib/kb/osvdb_105971_spec.rb
|
|
816
823
|
- spec/lib/kb/osvdb_108530_spec.rb
|
|
817
824
|
- spec/lib/kb/osvdb_108563_spec.rb
|