dawnscanner 1.6.3 → 1.6.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 33c6d0a08fb962b05e2bbaaef34304fcc515d532
-  data.tar.gz: d717d82436f1e27eb7b45d6e8a69c9c9123b7361
+  metadata.gz: 1770d53c5bcc2080977c8b8f7521992f44476e3d
+  data.tar.gz: 88228854cf954cbfc41987386911f8e4a0676f56
 SHA512:
-  metadata.gz: 8860de757761b8caee9ae1c72fc6fc20242ad8e4a510e345bc9b444e2e25951bbb5fc2e5fbc9db2bc9ac1bde28f393d45c99fbf23d6ddd7e3509f9681f3f928f
-  data.tar.gz: 92a9113bb0af039a98f822b6fc74936fb2f581e1a2e4ca7775c7483a6ee68b39c1f543c144d0ac7c12aecd4e07e3c953f3d7bf36211e65836ff48437cc3472d3
+  metadata.gz: 2d2178017f290351bd071b625a21ca3459acae8af3d9bd535f53cbd2a16d7fca2bcebfb47c224f14d495257b6f99ee27f304c9c8c407826fcc4a730f5085d284
+  data.tar.gz: 73a7d4485773cfb82e8b8a09a5eacd1c985c4d36fc359d86d5a6773f1ebba0be4c01af2927dc398bbec3f0177e44a440daa21ea69b1594434005c73f94e5db82

data/CONTRIBUTING.md

@@ -0,0 +1,94 @@
+# Contribute to dawnscannerscanner
+
+We love pull requests from everyone. By participating in this project, you
+agree to abide by the latest version of the [Contributor Covenant Code of
+Conduct](http://contributor-covenant.org/version/1/4/).
+
+Are you still interested in contributing to
+[dawnscanner](https://dawnscanner.org) project? Great, here is some very basic
+rules in order to make rocking pull requests.
+
+First of all, I use the branching model described in [this
+post](http://nvie.com/posts/a-successful-git-branching-model/). There are two
+major branches:
+
+* master: it contains in every moment the code for the latest dawnscanner
+  released gem. You can't make branches from here unless you're working on a
+  bugfix.
+* development: it contains the unstable code that is going to be the next
+  dawnscanner realease. You start from here. Pick a task on the Roadmap.md
+  and create a separated branch to work on your feature to. When you're ready
+  (remember to include also spec files), submit your pull request. If the code
+  will be fine, it will be merged into the development tree ready to be include
+  in upcoming gem version.
+
+Create your own copy of the repository, by forking and cloning it with the
+following command:
+
+``` git clone git@github.com:your-username/dawnscanner.git ```
+
+You can now work either on implementing a new feature, adding a security check or fixing a bug.
+
+## Implementing a new feature
+
+Go on the [Issue
+pane](https://github.com/thesp0nge/dawnscanner/issues?q=is%3Aissue+is%3Aopen+label%3Aenhancement)
+and filter for opened issue marked as enhancement.
+
+Now, create a branch, from the **development** branch, named with the issue
+you're working on (e.g.  issue_202_false_positive_of_protect_from_forgery).
+
+Code, write the necessary tests and document the commit with the issue number
+in the commit message and some description about you solved the enhancement.
+
+Please don't forget to edit also Changelog file.
+
+Then push to your fork and create [a pull
+request](https://github.com/thesp0nge/dawnscanner/compare/).
+
+## Adding a security check
+
+If you want to add a new CVE bulletin or a new security check, than you have to
+open [an issue](https://github.com/thesp0nge/dawnscanner/issues) describing the
+check and assigning to your self.
+
+Now, create a branch, from the **master** branch, named with the issue
+you're working on (e.g.  issue_202_false_positive_of_protect_from_forgery).
+
+You can create a generic security check with the command ```rake check[name]```
+or you can create a new CVE bulletin with ```rake cve[name]```. Please note
+that you will be guided in which files are created and which one you have to
+modify, in order to include the check.
+
+You will have to write your check and the relevant rspec file from scratch.
+Than you must include the new class implementing the security check, in the
+tool [knowledge
+base](https://raw.githubusercontent.com/thesp0nge/dawnscanner/master/lib/dawn/knowledge_base.rb),
+adding it also in the [knowledge base rspect
+file](https://raw.githubusercontent.com/thesp0nge/dawnscanner/master/spec/lib/dawn/codesake_knowledgebase_spec.rb).
+
+Please don't forget to edit also Changelog file.
+
+Then push to your fork and create [a pull
+request](https://github.com/thesp0nge/dawnscanner/compare/).
+
+## Fixing a bug
+
+Go on the [Issue
+pane](https://github.com/thesp0nge/dawnscanner/issues?q=is%3Aissue+is%3Aopen+label%3Abug)
+and filter for opened issue marked as bug.
+
+Now, create a branch, from the **master** branch, named with the issue
+you're working on (e.g.  issue_202_false_positive_of_protect_from_forgery).
+
+Code, write the necessary tests and document the commit with the issue number
+in the commit message and some description about you solved the enhancement.
+
+Please don't forget to edit also Changelog file.
+
+Then push to your fork and create [a pull
+request](https://github.com/thesp0nge/dawnscanner/compare/).
+
+Enjoy it!
+
+Last update: _Tue Sep 27 22:44:01 CEST 2016_

data/Changelog.md

@@ -5,7 +5,12 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: Tue Mar  1 23:11:10 CET 2016_
+_latest update: Tue Sep 27 23:32:32 CEST 2016_
+
+## Version 1.6.4 - codename: Tow Mater (2016-09-27)
+
+* Issue #199 - CVE-2015-4020 seems to give the wrong Solution
+* Issue #168 - Dawn fails for many CVEs that rails 3.2.22 is not vulnerable to
 
 ## Version 1.6.3 - codename: Tow Mater (2016-09-06)
 

data/README.md

@@ -305,31 +305,10 @@ Thank you.
 
 [Matteo](https://github.com/matteocollina): for ideas on API and their usage with [github.com](https://github.com) hooks
 
-## Contribute to dawnscannerscanner
-
-Are you interested in contributing to dawnscanner project? Great, here is
-some very basic rules in order to make rocking pull requests.
-
-First of all, I use the branching model described in [this
-post](http://nvie.com/posts/a-successful-git-branching-model/). There are two
-major branches:
-
-* master: it contains in every moment the code for the latest dawnscanner
-  released gem. You can't make branches from here unless you're working on a
-  bugfix.
-* development: it contains the unstable code that is going to be the next
-  dawnscanner realease. You start from here. Pick a task on the Roadmap.md
-  and create a separated branch to work on your feature to. When you're ready
-  (remember to include also spec files), submit your pull request. If the code
-  will be fine, it will be merged into the development tree ready to be include
-  in upcoming gem version.
-
-No branch from master it would be analyzed unless they are related to bugfix.
-In this case, the branch name must be something like _issue\_#xx\_description_
 
 ## LICENSE
 
-Copyright (c) 2013-2015 Paolo Perego <paolo@dawnscanner.org>
+Copyright (c) 2013-2016 Paolo Perego <paolo@dawnscanner.org>
 
 MIT License
 

data/VERSION

@@ -12,4 +12,4 @@
 # |   "Guido"       |  x.x.0  |
 # |   "Luigi"       |  x.x.0  |
 # | "Doc Hudson"    |  x.x.0  |
-1.6.3 - Tow Mater
+1.6.4 - Tow Mater

data/checksum/dawnscanner-1.6.3.gem.sha1

@@ -0,0 +1 @@
+215029cb2ef08b4eb3196580e5639efbfe35225d

data/code_of_conduct.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at [INSERT EMAIL ADDRESS]. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/lib/dawn/kb/cve_2013_6414.rb

@@ -22,6 +22,7 @@
           })
 
           self.safe_dependencies = [{:name=>"rails", :version=>['3.2.16', '4.0.2', '3.1.9999', '3.0.9999']}]
+          self.save_major = true
 
 				end
 			end

data/lib/dawn/kb/cve_2013_6415.rb

@@ -20,6 +20,7 @@
           })
 
           self.safe_dependencies = [{:name=>"rails", :version=>['3.2.16', '4.0.2', '3.1.9999', '3.0.9999']}]
+          self.save_major = true
 
 
 				end

data/lib/dawn/kb/cve_2013_6417.rb

@@ -22,6 +22,7 @@
 
           self.safe_dependencies = [{:name=>"rails", :version=>['3.2.16', '4.0.2', '3.1.9999', '3.0.9999']}]
 
+          self.save_major = true
 
 				end
 			end

data/lib/dawn/kb/cve_2014_0080.rb

@@ -21,6 +21,7 @@
             :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/Wu96YkTUR6s/pPLBMZrlwvYJ"]
            })
            self.safe_dependencies = [{:name=>"rails", :version=>['4.0.3', '4.1.0.beta2']}]
+          self.save_major = true
 
         end
       end

data/lib/dawn/kb/cve_2014_0081.rb

@@ -19,7 +19,8 @@
             :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/tfp6gZCtzr4/j8LUHmu7fIEJ"]
            })
 
-           self.safe_dependencies = [{:name=>"rails", :version=>['3.2.17', '4.0.3', '4.1.0.beta2', '3.1.99999', '3.0.99999', '2.99999.99999', '1.99999.99999']}]
+           self.safe_dependencies = [{:name=>"rails", :version=>['3.2.17', '4.0.3', '4.1.0.beta2', '3.1.99999', '3.0.99999']}]
+          self.save_major = true
 				end
 			end
 		end

data/lib/dawn/kb/cve_2014_0130.rb

@@ -20,6 +20,7 @@
           })
           self.safe_dependencies = [{:name=>"rails", :version=>['3.2.18', '4.0.5', '4.1.1']}]
 
+          self.save_major = true
 				end
 			end
 		end

data/lib/dawn/kb/cve_2014_7818.rb

@@ -20,6 +20,7 @@ module Dawn
            })
 
            self.safe_dependencies = [{:name=>"rails", :version=>['3.2.20', '4.0.11', '4.1.7', '4.2.0.beta3']}]
+          self.save_major = true
 				end
 			end
 		end

data/lib/dawn/kb/cve_2014_7829.rb

@@ -21,6 +21,7 @@ module Dawn
            })
 
           self.safe_dependencies = [{:name=>"rails", :version=>['3.2.21', '4.0.12', '4.1.8', '4.2.0.beta4']}]
+          self.save_major = true
 
 				end
 			end

data/lib/dawn/kb/cve_2015_3227.rb

@@ -21,6 +21,7 @@ module Dawn
            })
           self.save_minor = true
           self.safe_dependencies = [{:name=>"activesupport", :version=>['4.1.12', '4.2.3']}]
+          self.save_major = true
 				end
 			end
 		end

data/lib/dawn/kb/cve_2015_4020.rb

@@ -23,7 +23,7 @@ module Dawn
             :applies=>["rails", "sinatra", "padrino"],
             :kind=>Dawn::KnowledgeBase::GEM_CHECK,
             :message=>message,
-            :mitigation=>"Please upgrade redcarpet gem to version 3.2.3 or later.",
+            :mitigation=>"Please upgrade rubygem to version 3.2.3 or later.",
             :aux_links=>[""]
            })
 

data/lib/dawn/version.rb

@@ -1,7 +1,7 @@
 module Dawn
-    VERSION = "1.6.3"
+    VERSION = "1.6.4"
     CODENAME = "Tow Mater"
-    RELEASE = "20160906"
-    BUILD = "15"
-    COMMIT = "g16d339b"
+    RELEASE = "20160927"
+    BUILD = "9"
+    COMMIT = "gbd3c8ff"
 end

data/spec/lib/kb/cve_2013_6414_spec.rb

@@ -0,0 +1,26 @@
+require 'spec_helper'
+
+describe "The CVE-2013-6414 vulnerability" do
+  before(:all) do 
+    @check = Dawn::Kb::CVE_2013_6414.new
+    # @check.debug = true
+  end
+  it "is detected if vulnerable version of rails rubygem is detected" do
+    @check.dependencies=[{:name=>"rails", :version=>'4.0.1'}]
+    expect(@check.vuln?).to   eq(true)
+  end
+  it "is ignored if rails version is 3.2.x" do 
+    @check.dependencies=[{:name=>"rails", :version=>'3.2.22'}]
+    expect(@check.vuln?).to   eq(false)
+  end
+
+  it "is ignored if rails version is 3.1.x" do 
+    @check.dependencies=[{:name=>"rails", :version=>'3.1.16'}]
+    expect(@check.vuln?).to   eq(true)
+  end
+  it "is ignored if rails version is 3.0.x" do 
+    @check.dependencies=[{:name=>"rails", :version=>'3.0.16'}]
+    expect(@check.vuln?).to   eq(true)
+  end
+
+end

data/spec/lib/kb/cve_2014_0080_spec.rb

@@ -25,4 +25,9 @@ describe "The CVE-2014-0080 vulnerability" do
     @check.dependencies = [{:name=>"rails", :version=>'4.0.3'}]
     expect(@check.vuln?).to eq(false)
   end
+  it "doesn't affect version 3.2.22" do 
+    @check.dependencies = [{:name=>"rails", :version=>'3.2.22'}]
+    expect(@check.vuln?).to eq(false)
+  end
+
 end

data/spec/lib/kb/cve_2014_0081_spec.rb

@@ -38,31 +38,13 @@ describe "The CVE-2014-0081 vulnerability" do
     @check.dependencies = [{:name=>"rails", :version=>version}]
     expect(@check.vuln?).to eq(true)
   end
-  it "affects version 2.x.y" do
-    require 'securerandom'
-    rand_min = SecureRandom.random_number(9999)
-    rand_patch = SecureRandom.random_number(9999)
-    version = "2.#{rand_min}.#{rand_patch}"
-
-    @check.dependencies = [{:name=>"rails", :version=>version}]
-    expect(@check.vuln?).to eq(true)
-  end
-  it "affects version 1.x.y" do
-    require 'securerandom'
-    rand_min = SecureRandom.random_number(9999)
-    rand_patch = SecureRandom.random_number(9999)
-    version = "1.#{rand_min}.#{rand_patch}"
-
-    @check.dependencies = [{:name=>"rails", :version=>version}]
-    expect(@check.vuln?).to eq(true)
-  end
 
   it "doesn't affect version 4.0.3" do 
     @check.dependencies = [{:name=>"rails", :version=>'4.0.3'}]
     expect(@check.vuln?).to eq(false)
   end
-  it "doesn't affect version 3.2.17" do 
-    @check.dependencies = [{:name=>"rails", :version=>'3.2.17'}]
+  it "doesn't affect version 3.2.22" do 
+    @check.dependencies = [{:name=>"rails", :version=>'3.2.22'}]
     expect(@check.vuln?).to eq(false)
   end
 end

data/spec/lib/kb/cve_2014_0130_spec.rb

@@ -12,8 +12,8 @@ describe "The CVE-2014-0130 vulnerability" do
     @check.dependencies = [{:name=>"rails", :version=>'4.0.4'}]
     expect(@check.vuln?).to   eq(true)
   end
-  it "is reported when rails 3.2.17 is detected" do
-    @check.dependencies = [{:name=>"rails", :version=>'3.2.17'}]
-    expect(@check.vuln?).to   eq(true)
+  it "is reported when rails 3.2.22 is detected" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.2.22'}]
+    expect(@check.vuln?).to   eq(false)
   end
 end

data/spec/lib/kb/cve_2015_3226_spec.rb

@@ -30,4 +30,6 @@ describe "The CVE-2015-3226 vulnerability" do
     expect(@check.vuln?).to   eq(false)
   end
 
+
+
 end

data/spec/lib/kb/cve_2015_3227_spec.rb

@@ -2,7 +2,6 @@ require 'spec_helper'
 describe "The CVE-2015-3227 vulnerability" do
 	before(:all) do
 		@check = Dawn::Kb::CVE_2015_3227.new
-		@check.debug = true
 	end
   it "is reported when vulnerable active_support gem is used (4.1.11)" do
     @check.dependencies = [{:name=>"activesupport", :version=>'4.1.11'}]
@@ -24,4 +23,9 @@ describe "The CVE-2015-3227 vulnerability" do
     @check.dependencies = [{:name=>"activesupport", :version=>'4.2.3'}]
     expect(@check.vuln?).to   eq(false)
   end
+  it "is not reported when safe active_support gem is used (3.2.22)" do
+    @check.dependencies = [{:name=>"activesupport", :version=>'3.2.22'}]
+    expect(@check.vuln?).to   eq(false)
+  end
+
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dawnscanner
 version: !ruby/object:Gem::Version
-  version: 1.6.3
+  version: 1.6.4
 platform: ruby
 authors:
 - Paolo Perego
@@ -30,7 +30,7 @@ cert_chain:
   jm6Bw8fGx65GCWIdgMhH/P0icixcnyrnotnnOrEcmPudIlgEN9qaUYcguOfFBhTH
   1sGpM7KzrYHU8qJJPrdaX0ezIDL4cN/kA/DxYTfUiMw=
   -----END CERTIFICATE-----
-date: 2016-09-06 00:00:00.000000000 Z
+date: 2016-09-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cvss
@@ -286,6 +286,7 @@ files:
 - ".ruby-gemset"
 - ".ruby-version"
 - ".travis.yml"
+- CONTRIBUTING.md
 - Changelog.md
 - Gemfile
 - KnowledgeBase.md
@@ -317,6 +318,8 @@ files:
 - checksum/dawnscanner-1.6.0.gem.sha1
 - checksum/dawnscanner-1.6.1.gem.sha1
 - checksum/dawnscanner-1.6.2.gem.sha1
+- checksum/dawnscanner-1.6.3.gem.sha1
+- code_of_conduct.md
 - dawnscanner.gemspec
 - doc/dawn_1_0_announcement.md
 - doc/dawn_1_1_announcement.md
@@ -631,6 +634,7 @@ files:
 - spec/lib/kb/cve_2013_4593_spec.rb
 - spec/lib/kb/cve_2013_5647_spec.rb
 - spec/lib/kb/cve_2013_5671_spec.rb
+- spec/lib/kb/cve_2013_6414_spec.rb
 - spec/lib/kb/cve_2013_6416_spec.rb
 - spec/lib/kb/cve_2013_6459_spec.rb
 - spec/lib/kb/cve_2013_7086_spec.rb
@@ -776,6 +780,7 @@ test_files:
 - spec/lib/kb/cve_2013_4593_spec.rb
 - spec/lib/kb/cve_2013_5647_spec.rb
 - spec/lib/kb/cve_2013_5671_spec.rb
+- spec/lib/kb/cve_2013_6414_spec.rb
 - spec/lib/kb/cve_2013_6416_spec.rb
 - spec/lib/kb/cve_2013_6459_spec.rb
 - spec/lib/kb/cve_2013_7086_spec.rb

metadata.gz.sig

@@ -1,2 +1 @@
-��8Y���!iE�^F��f��˶3�=.�����S"ń!�L��d\.��ɽ�05��棘0QǏ\�L�z���n��O�
�#���o�!�Ҫ���D�4�ܝ����sƲn��C�1S��^~ގ��N���D��9Iw�
-���b��S�1���`$�<	e�L�$!?��`��eg߆u#��d�~���.
1������e��'�Y�R|����-������&�cP�}V��K�vA�������^*��H ���n�
+��������%��y��j���7)��� w���\6��>J�����>�!�E���N�>rHQ��11M�s?�nU1Q��<��~[3.y�dw���)��
��i�t����.�|���<�R��|�-����O�����F��(���k��2�I��ꤥ�/3]� ��o�R�TuH"#�ep1���M.a��j���U���Pv�vY���
Ê�䃸����	`]���87����wp�|�����2�0�g�