RubyGems - dawnscanner - Versions diffs - 1.6.8 → 2.0.0.rc4 - Mend

dawnscanner 1.6.8 → 2.0.0.rc4

Files changed (387) hide show

checksums.yaml +5 -5
data/.gitignore +1 -0
data/.ruby-version +1 -1
data/Changelog.md +27 -1
data/LICENSE.txt +1 -1
data/README.md +59 -57
data/Rakefile +10 -242
data/Roadmap.md +15 -23
data/VERSION +1 -1
data/bin/dawn +17 -273
data/checksum/dawnscanner-1.6.8.gem.sha1 +1 -0
data/checksum/dawnscanner-2.0.0.rc1.gem.sha1 +1 -0
data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 +1 -0
data/checksum/dawnscanner-2.0.0.rc3.gem.sha1 +1 -0
data/dawnscanner.gemspec +10 -9
data/doc/change.sh +13 -0
data/doc/kickstart_kb.tar.gz +0 -0
data/doc/knowledge_base.rb +650 -0
data/docs/.placeholder +0 -0
data/docs/CNAME +1 -0
data/docs/_config.yml +1 -0
data/lib/dawn/cli/dawn_cli.rb +139 -0
data/lib/dawn/core.rb +8 -7
data/lib/dawn/engine.rb +93 -34
data/lib/dawn/gemfile_lock.rb +2 -2
data/lib/dawn/kb/basic_check.rb +1 -2
data/lib/dawn/kb/combo_check.rb +1 -1
data/lib/dawn/kb/dependency_check.rb +1 -1
data/lib/dawn/kb/operating_system_check.rb +1 -1
data/lib/dawn/kb/pattern_match_check.rb +10 -9
data/lib/dawn/kb/ruby_version_check.rb +11 -10
data/lib/dawn/kb/{gem_check.rb → rubygem_check.rb} +1 -1
data/lib/dawn/kb/unsafe_depedency_check.rb +44 -0
data/lib/dawn/kb/version_check.rb +41 -24
data/lib/dawn/knowledge_base.rb +259 -595
data/lib/dawn/reporter.rb +2 -1
data/lib/dawn/utils.rb +5 -2
data/lib/dawn/version.rb +5 -5
data/lib/dawnscanner.rb +7 -6
data/spec/lib/kb/codesake_unsafe_dependency_check_spec.rb +29 -0
data/spec/lib/kb/dependency_check.yml +29 -0
metadata +30 -496
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +0 -0
data/certs/paolo_at_dawnscanner_dot_org.pem +0 -21
data/lib/dawn/kb/cve_2004_0755.rb +0 -33
data/lib/dawn/kb/cve_2004_0983.rb +0 -31
data/lib/dawn/kb/cve_2005_1992.rb +0 -31
data/lib/dawn/kb/cve_2005_2337.rb +0 -33
data/lib/dawn/kb/cve_2006_1931.rb +0 -30
data/lib/dawn/kb/cve_2006_2582.rb +0 -28
data/lib/dawn/kb/cve_2006_3694.rb +0 -31
data/lib/dawn/kb/cve_2006_4112.rb +0 -27
data/lib/dawn/kb/cve_2006_5467.rb +0 -28
data/lib/dawn/kb/cve_2006_6303.rb +0 -28
data/lib/dawn/kb/cve_2006_6852.rb +0 -27
data/lib/dawn/kb/cve_2006_6979.rb +0 -29
data/lib/dawn/kb/cve_2007_0469.rb +0 -29
data/lib/dawn/kb/cve_2007_5162.rb +0 -28
data/lib/dawn/kb/cve_2007_5379.rb +0 -27
data/lib/dawn/kb/cve_2007_5380.rb +0 -29
data/lib/dawn/kb/cve_2007_5770.rb +0 -30
data/lib/dawn/kb/cve_2007_6077.rb +0 -31
data/lib/dawn/kb/cve_2007_6612.rb +0 -30
data/lib/dawn/kb/cve_2008_1145.rb +0 -38
data/lib/dawn/kb/cve_2008_1891.rb +0 -38
data/lib/dawn/kb/cve_2008_2376.rb +0 -30
data/lib/dawn/kb/cve_2008_2662.rb +0 -33
data/lib/dawn/kb/cve_2008_2663.rb +0 -32
data/lib/dawn/kb/cve_2008_2664.rb +0 -33
data/lib/dawn/kb/cve_2008_2725.rb +0 -31
data/lib/dawn/kb/cve_2008_3655.rb +0 -37
data/lib/dawn/kb/cve_2008_3657.rb +0 -37
data/lib/dawn/kb/cve_2008_3790.rb +0 -30
data/lib/dawn/kb/cve_2008_3905.rb +0 -36
data/lib/dawn/kb/cve_2008_4094.rb +0 -27
data/lib/dawn/kb/cve_2008_4310.rb +0 -100
data/lib/dawn/kb/cve_2008_5189.rb +0 -27
data/lib/dawn/kb/cve_2008_7248.rb +0 -27
data/lib/dawn/kb/cve_2009_4078.rb +0 -29
data/lib/dawn/kb/cve_2009_4124.rb +0 -30
data/lib/dawn/kb/cve_2009_4214.rb +0 -27
data/lib/dawn/kb/cve_2010_1330.rb +0 -28
data/lib/dawn/kb/cve_2010_2489.rb +0 -60
data/lib/dawn/kb/cve_2010_3933.rb +0 -27
data/lib/dawn/kb/cve_2011_0188.rb +0 -67
data/lib/dawn/kb/cve_2011_0446.rb +0 -28
data/lib/dawn/kb/cve_2011_0447.rb +0 -28
data/lib/dawn/kb/cve_2011_0739.rb +0 -28
data/lib/dawn/kb/cve_2011_0995.rb +0 -61
data/lib/dawn/kb/cve_2011_1004.rb +0 -34
data/lib/dawn/kb/cve_2011_1005.rb +0 -31
data/lib/dawn/kb/cve_2011_2197.rb +0 -27
data/lib/dawn/kb/cve_2011_2686.rb +0 -29
data/lib/dawn/kb/cve_2011_2705.rb +0 -32
data/lib/dawn/kb/cve_2011_2929.rb +0 -27
data/lib/dawn/kb/cve_2011_2930.rb +0 -28
data/lib/dawn/kb/cve_2011_2931.rb +0 -30
data/lib/dawn/kb/cve_2011_2932.rb +0 -27
data/lib/dawn/kb/cve_2011_3009.rb +0 -28
data/lib/dawn/kb/cve_2011_3186.rb +0 -29
data/lib/dawn/kb/cve_2011_3187.rb +0 -29
data/lib/dawn/kb/cve_2011_4319.rb +0 -30
data/lib/dawn/kb/cve_2011_4815.rb +0 -28
data/lib/dawn/kb/cve_2011_5036.rb +0 -26
data/lib/dawn/kb/cve_2012_1098.rb +0 -30
data/lib/dawn/kb/cve_2012_1099.rb +0 -27
data/lib/dawn/kb/cve_2012_1241.rb +0 -27
data/lib/dawn/kb/cve_2012_2139.rb +0 -26
data/lib/dawn/kb/cve_2012_2140.rb +0 -27
data/lib/dawn/kb/cve_2012_2660.rb +0 -28
data/lib/dawn/kb/cve_2012_2661.rb +0 -27
data/lib/dawn/kb/cve_2012_2671.rb +0 -28
data/lib/dawn/kb/cve_2012_2694.rb +0 -30
data/lib/dawn/kb/cve_2012_2695.rb +0 -27
data/lib/dawn/kb/cve_2012_3424.rb +0 -29
data/lib/dawn/kb/cve_2012_3463.rb +0 -27
data/lib/dawn/kb/cve_2012_3464.rb +0 -27
data/lib/dawn/kb/cve_2012_3465.rb +0 -26
data/lib/dawn/kb/cve_2012_4464.rb +0 -27
data/lib/dawn/kb/cve_2012_4466.rb +0 -27
data/lib/dawn/kb/cve_2012_4481.rb +0 -26
data/lib/dawn/kb/cve_2012_4522.rb +0 -27
data/lib/dawn/kb/cve_2012_5370.rb +0 -27
data/lib/dawn/kb/cve_2012_5371.rb +0 -27
data/lib/dawn/kb/cve_2012_5380.rb +0 -28
data/lib/dawn/kb/cve_2012_6109.rb +0 -25
data/lib/dawn/kb/cve_2012_6134.rb +0 -27
data/lib/dawn/kb/cve_2012_6496.rb +0 -28
data/lib/dawn/kb/cve_2012_6497.rb +0 -28
data/lib/dawn/kb/cve_2012_6684.rb +0 -28
data/lib/dawn/kb/cve_2013_0155.rb +0 -29
data/lib/dawn/kb/cve_2013_0156.rb +0 -27
data/lib/dawn/kb/cve_2013_0162.rb +0 -28
data/lib/dawn/kb/cve_2013_0175.rb +0 -27
data/lib/dawn/kb/cve_2013_0183.rb +0 -25
data/lib/dawn/kb/cve_2013_0184.rb +0 -25
data/lib/dawn/kb/cve_2013_0233.rb +0 -26
data/lib/dawn/kb/cve_2013_0256.rb +0 -59
data/lib/dawn/kb/cve_2013_0262.rb +0 -26
data/lib/dawn/kb/cve_2013_0263.rb +0 -26
data/lib/dawn/kb/cve_2013_0269.rb +0 -27
data/lib/dawn/kb/cve_2013_0276.rb +0 -28
data/lib/dawn/kb/cve_2013_0277.rb +0 -25
data/lib/dawn/kb/cve_2013_0284.rb +0 -27
data/lib/dawn/kb/cve_2013_0285.rb +0 -27
data/lib/dawn/kb/cve_2013_0333.rb +0 -28
data/lib/dawn/kb/cve_2013_0334.rb +0 -25
data/lib/dawn/kb/cve_2013_1607.rb +0 -25
data/lib/dawn/kb/cve_2013_1655.rb +0 -65
data/lib/dawn/kb/cve_2013_1656.rb +0 -28
data/lib/dawn/kb/cve_2013_1756.rb +0 -26
data/lib/dawn/kb/cve_2013_1800.rb +0 -26
data/lib/dawn/kb/cve_2013_1801.rb +0 -27
data/lib/dawn/kb/cve_2013_1802.rb +0 -27
data/lib/dawn/kb/cve_2013_1812.rb +0 -27
data/lib/dawn/kb/cve_2013_1821.rb +0 -28
data/lib/dawn/kb/cve_2013_1854.rb +0 -26
data/lib/dawn/kb/cve_2013_1855.rb +0 -25
data/lib/dawn/kb/cve_2013_1856.rb +0 -26
data/lib/dawn/kb/cve_2013_1857.rb +0 -27
data/lib/dawn/kb/cve_2013_1875.rb +0 -27
data/lib/dawn/kb/cve_2013_1898.rb +0 -27
data/lib/dawn/kb/cve_2013_1911.rb +0 -28
data/lib/dawn/kb/cve_2013_1933.rb +0 -27
data/lib/dawn/kb/cve_2013_1947.rb +0 -27
data/lib/dawn/kb/cve_2013_1948.rb +0 -27
data/lib/dawn/kb/cve_2013_2065.rb +0 -29
data/lib/dawn/kb/cve_2013_2090.rb +0 -28
data/lib/dawn/kb/cve_2013_2105.rb +0 -26
data/lib/dawn/kb/cve_2013_2119.rb +0 -27
data/lib/dawn/kb/cve_2013_2512.rb +0 -26
data/lib/dawn/kb/cve_2013_2513.rb +0 -25
data/lib/dawn/kb/cve_2013_2516.rb +0 -26
data/lib/dawn/kb/cve_2013_2615.rb +0 -27
data/lib/dawn/kb/cve_2013_2616.rb +0 -27
data/lib/dawn/kb/cve_2013_2617.rb +0 -28
data/lib/dawn/kb/cve_2013_3221.rb +0 -27
data/lib/dawn/kb/cve_2013_4164.rb +0 -30
data/lib/dawn/kb/cve_2013_4203.rb +0 -25
data/lib/dawn/kb/cve_2013_4389.rb +0 -26
data/lib/dawn/kb/cve_2013_4413.rb +0 -27
data/lib/dawn/kb/cve_2013_4457.rb +0 -29
data/lib/dawn/kb/cve_2013_4478.rb +0 -26
data/lib/dawn/kb/cve_2013_4479.rb +0 -26
data/lib/dawn/kb/cve_2013_4489.rb +0 -28
data/lib/dawn/kb/cve_2013_4491.rb +0 -29
data/lib/dawn/kb/cve_2013_4492.rb +0 -29
data/lib/dawn/kb/cve_2013_4562.rb +0 -27
data/lib/dawn/kb/cve_2013_4593.rb +0 -27
data/lib/dawn/kb/cve_2013_5647.rb +0 -29
data/lib/dawn/kb/cve_2013_5671.rb +0 -26
data/lib/dawn/kb/cve_2013_6414.rb +0 -30
data/lib/dawn/kb/cve_2013_6415.rb +0 -29
data/lib/dawn/kb/cve_2013_6416.rb +0 -29
data/lib/dawn/kb/cve_2013_6417.rb +0 -30
data/lib/dawn/kb/cve_2013_6421.rb +0 -28
data/lib/dawn/kb/cve_2013_6459.rb +0 -28
data/lib/dawn/kb/cve_2013_6460.rb +0 -53
data/lib/dawn/kb/cve_2013_6461.rb +0 -57
data/lib/dawn/kb/cve_2013_7086.rb +0 -27
data/lib/dawn/kb/cve_2014_0036.rb +0 -27
data/lib/dawn/kb/cve_2014_0080.rb +0 -29
data/lib/dawn/kb/cve_2014_0081.rb +0 -27
data/lib/dawn/kb/cve_2014_0082.rb +0 -27
data/lib/dawn/kb/cve_2014_0130.rb +0 -27
data/lib/dawn/kb/cve_2014_1233.rb +0 -27
data/lib/dawn/kb/cve_2014_1234.rb +0 -26
data/lib/dawn/kb/cve_2014_2322.rb +0 -28
data/lib/dawn/kb/cve_2014_2525.rb +0 -59
data/lib/dawn/kb/cve_2014_2538.rb +0 -26
data/lib/dawn/kb/cve_2014_3482.rb +0 -28
data/lib/dawn/kb/cve_2014_3483.rb +0 -28
data/lib/dawn/kb/cve_2014_3916.rb +0 -29
data/lib/dawn/kb/cve_2014_4975.rb +0 -28
data/lib/dawn/kb/cve_2014_7818.rb +0 -27
data/lib/dawn/kb/cve_2014_7819.rb +0 -31
data/lib/dawn/kb/cve_2014_7829.rb +0 -30
data/lib/dawn/kb/cve_2014_8090.rb +0 -30
data/lib/dawn/kb/cve_2014_9490.rb +0 -29
data/lib/dawn/kb/cve_2015_1819.rb +0 -34
data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb +0 -28
data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb +0 -28
data/lib/dawn/kb/cve_2015_2963.rb +0 -27
data/lib/dawn/kb/cve_2015_3224.rb +0 -26
data/lib/dawn/kb/cve_2015_3225.rb +0 -28
data/lib/dawn/kb/cve_2015_3226.rb +0 -27
data/lib/dawn/kb/cve_2015_3227.rb +0 -28
data/lib/dawn/kb/cve_2015_3448.rb +0 -29
data/lib/dawn/kb/cve_2015_4020.rb +0 -34
data/lib/dawn/kb/cve_2015_5312.rb +0 -30
data/lib/dawn/kb/cve_2015_7497.rb +0 -32
data/lib/dawn/kb/cve_2015_7498.rb +0 -32
data/lib/dawn/kb/cve_2015_7499.rb +0 -32
data/lib/dawn/kb/cve_2015_7500.rb +0 -32
data/lib/dawn/kb/cve_2015_7519.rb +0 -31
data/lib/dawn/kb/cve_2015_7541.rb +0 -31
data/lib/dawn/kb/cve_2015_7576.rb +0 -35
data/lib/dawn/kb/cve_2015_7577.rb +0 -34
data/lib/dawn/kb/cve_2015_7578.rb +0 -30
data/lib/dawn/kb/cve_2015_7579.rb +0 -30
data/lib/dawn/kb/cve_2015_7581.rb +0 -33
data/lib/dawn/kb/cve_2015_8241.rb +0 -32
data/lib/dawn/kb/cve_2015_8242.rb +0 -32
data/lib/dawn/kb/cve_2015_8317.rb +0 -32
data/lib/dawn/kb/cve_2016_0751.rb +0 -32
data/lib/dawn/kb/cve_2016_0752.rb +0 -35
data/lib/dawn/kb/cve_2016_0753.rb +0 -31
data/lib/dawn/kb/cve_2016_2097.rb +0 -35
data/lib/dawn/kb/cve_2016_2098.rb +0 -35
data/lib/dawn/kb/cve_2016_5697.rb +0 -30
data/lib/dawn/kb/cve_2016_6316.rb +0 -33
data/lib/dawn/kb/cve_2016_6317.rb +0 -32
data/lib/dawn/kb/cve_2016_6582.rb +0 -43
data/lib/dawn/kb/not_revised_code.rb +0 -22
data/lib/dawn/kb/osvdb_105971.rb +0 -29
data/lib/dawn/kb/osvdb_108530.rb +0 -27
data/lib/dawn/kb/osvdb_108563.rb +0 -28
data/lib/dawn/kb/osvdb_108569.rb +0 -28
data/lib/dawn/kb/osvdb_108570.rb +0 -27
data/lib/dawn/kb/osvdb_115654.rb +0 -33
data/lib/dawn/kb/osvdb_116010.rb +0 -30
data/lib/dawn/kb/osvdb_117903.rb +0 -30
data/lib/dawn/kb/osvdb_118579.rb +0 -31
data/lib/dawn/kb/osvdb_118830.rb +0 -32
data/lib/dawn/kb/osvdb_118954.rb +0 -33
data/lib/dawn/kb/osvdb_119878.rb +0 -32
data/lib/dawn/kb/osvdb_119927.rb +0 -33
data/lib/dawn/kb/osvdb_120415.rb +0 -31
data/lib/dawn/kb/osvdb_120857.rb +0 -34
data/lib/dawn/kb/osvdb_121701.rb +0 -30
data/lib/dawn/kb/osvdb_132234.rb +0 -34
data/lib/dawn/kb/owasp_ror_cheatsheet.rb +0 -33
data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -18
data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +0 -57
data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +0 -28
data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +0 -29
data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +0 -33
data/lib/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +0 -35
data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +0 -29
data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +0 -31
data/lib/dawn/kb/simpleform_xss_20131129.rb +0 -28
data/lib/dawn/knowledge_base_experimental.rb +0 -245
data/spec/lib/kb/cve_2011_2705_spec.rb +0 -35
data/spec/lib/kb/cve_2011_2930_spec.rb +0 -31
data/spec/lib/kb/cve_2011_3009_spec.rb +0 -25
data/spec/lib/kb/cve_2011_3187_spec.rb +0 -24
data/spec/lib/kb/cve_2011_4319_spec.rb +0 -44
data/spec/lib/kb/cve_2011_5036_spec.rb +0 -95
data/spec/lib/kb/cve_2012_1098_spec.rb +0 -36
data/spec/lib/kb/cve_2012_2139_spec.rb +0 -20
data/spec/lib/kb/cve_2012_2671_spec.rb +0 -23
data/spec/lib/kb/cve_2012_6109_spec.rb +0 -112
data/spec/lib/kb/cve_2012_6684_spec.rb +0 -16
data/spec/lib/kb/cve_2013_0162_spec.rb +0 -23
data/spec/lib/kb/cve_2013_0183_spec.rb +0 -54
data/spec/lib/kb/cve_2013_0184_spec.rb +0 -115
data/spec/lib/kb/cve_2013_0256_spec.rb +0 -34
data/spec/lib/kb/cve_2013_0262_spec.rb +0 -44
data/spec/lib/kb/cve_2013_0263_spec.rb +0 -11
data/spec/lib/kb/cve_2013_0334_spec.rb +0 -35
data/spec/lib/kb/cve_2013_1607_spec.rb +0 -15
data/spec/lib/kb/cve_2013_1655_spec.rb +0 -31
data/spec/lib/kb/cve_2013_1756_spec.rb +0 -23
data/spec/lib/kb/cve_2013_2090_spec.rb +0 -15
data/spec/lib/kb/cve_2013_2105_spec.rb +0 -11
data/spec/lib/kb/cve_2013_2119_spec.rb +0 -27
data/spec/lib/kb/cve_2013_2512_spec.rb +0 -15
data/spec/lib/kb/cve_2013_2513_spec.rb +0 -15
data/spec/lib/kb/cve_2013_2516_spec.rb +0 -15
data/spec/lib/kb/cve_2013_4203_spec.rb +0 -15
data/spec/lib/kb/cve_2013_4413_spec.rb +0 -16
data/spec/lib/kb/cve_2013_4489_spec.rb +0 -63
data/spec/lib/kb/cve_2013_4491_spec.rb +0 -16
data/spec/lib/kb/cve_2013_4593_spec.rb +0 -16
data/spec/lib/kb/cve_2013_5647_spec.rb +0 -19
data/spec/lib/kb/cve_2013_5671_spec.rb +0 -27
data/spec/lib/kb/cve_2013_6414_spec.rb +0 -26
data/spec/lib/kb/cve_2013_6416_spec.rb +0 -31
data/spec/lib/kb/cve_2013_6459_spec.rb +0 -15
data/spec/lib/kb/cve_2013_7086_spec.rb +0 -22
data/spec/lib/kb/cve_2014_0036_spec.rb +0 -15
data/spec/lib/kb/cve_2014_0080_spec.rb +0 -33
data/spec/lib/kb/cve_2014_0081_spec.rb +0 -50
data/spec/lib/kb/cve_2014_0082_spec.rb +0 -52
data/spec/lib/kb/cve_2014_0130_spec.rb +0 -19
data/spec/lib/kb/cve_2014_1233_spec.rb +0 -15
data/spec/lib/kb/cve_2014_1234_spec.rb +0 -16
data/spec/lib/kb/cve_2014_2322_spec.rb +0 -15
data/spec/lib/kb/cve_2014_2538_spec.rb +0 -15
data/spec/lib/kb/cve_2014_3482_spec.rb +0 -15
data/spec/lib/kb/cve_2014_3483_spec.rb +0 -27
data/spec/lib/kb/cve_2014_7818_spec.rb +0 -42
data/spec/lib/kb/cve_2014_7819_spec.rb +0 -139
data/spec/lib/kb/cve_2014_7829_spec.rb +0 -50
data/spec/lib/kb/cve_2014_9490_spec.rb +0 -17
data/spec/lib/kb/cve_2015_1819_spec.rb +0 -16
data/spec/lib/kb/cve_2015_1840_spec.rb +0 -39
data/spec/lib/kb/cve_2015_2963_spec.rb +0 -17
data/spec/lib/kb/cve_2015_3224_spec.rb +0 -16
data/spec/lib/kb/cve_2015_3225_spec.rb +0 -27
data/spec/lib/kb/cve_2015_3226_spec.rb +0 -35
data/spec/lib/kb/cve_2015_3227_spec.rb +0 -31
data/spec/lib/kb/cve_2015_3448_spec.rb +0 -16
data/spec/lib/kb/cve_2015_4020_spec.rb +0 -24
data/spec/lib/kb/cve_2015_5312_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7497_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7498_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7499_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7500_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7519_spec.rb +0 -23
data/spec/lib/kb/cve_2015_7541_spec.rb +0 -15
data/spec/lib/kb/cve_2015_7576_spec.rb +0 -51
data/spec/lib/kb/cve_2015_7577_spec.rb +0 -63
data/spec/lib/kb/cve_2015_7578_spec.rb +0 -15
data/spec/lib/kb/cve_2015_7579_spec.rb +0 -23
data/spec/lib/kb/cve_2015_7581_spec.rb +0 -51
data/spec/lib/kb/cve_2015_8241_spec.rb +0 -31
data/spec/lib/kb/cve_2015_8242_spec.rb +0 -31
data/spec/lib/kb/cve_2015_8317_spec.rb +0 -31
data/spec/lib/kb/cve_2016_0751_spec.rb +0 -55
data/spec/lib/kb/cve_2016_0752_spec.rb +0 -51
data/spec/lib/kb/cve_2016_0753_spec.rb +0 -51
data/spec/lib/kb/cve_2016_2097_spec.rb +0 -35
data/spec/lib/kb/cve_2016_2098_spec.rb +0 -55
data/spec/lib/kb/cve_2016_5697_spec.rb +0 -15
data/spec/lib/kb/cve_2016_6316_spec.rb +0 -44
data/spec/lib/kb/cve_2016_6317_spec.rb +0 -35
data/spec/lib/kb/cve_2016_6582_spec.rb +0 -29
data/spec/lib/kb/osvdb_105971_spec.rb +0 -15
data/spec/lib/kb/osvdb_108530_spec.rb +0 -22
data/spec/lib/kb/osvdb_108563_spec.rb +0 -18
data/spec/lib/kb/osvdb_108569_spec.rb +0 -17
data/spec/lib/kb/osvdb_108570_spec.rb +0 -17
data/spec/lib/kb/osvdb_115654_spec.rb +0 -15
data/spec/lib/kb/osvdb_116010_spec.rb +0 -15
data/spec/lib/kb/osvdb_117903_spec.rb +0 -23
data/spec/lib/kb/osvdb_118579_spec.rb +0 -8
data/spec/lib/kb/osvdb_118830_spec.rb +0 -16
data/spec/lib/kb/osvdb_118954_spec.rb +0 -20
data/spec/lib/kb/osvdb_119878_spec.rb +0 -92
data/spec/lib/kb/osvdb_119927_spec.rb +0 -16
data/spec/lib/kb/osvdb_120415_spec.rb +0 -16
data/spec/lib/kb/osvdb_120857_spec.rb +0 -32
data/spec/lib/kb/osvdb_121701_spec.rb +0 -15
data/spec/lib/kb/osvdb_132234_spec.rb +0 -15
metadata.gz.sig +0 -0

data/Roadmap.md CHANGED Viewed

@@ -11,12 +11,24 @@ The document is _dynamic_ and feature schedule may vary. If you do need a
 feature to be included sooner, please open an [issue on
 github](https://github.com/thesp0nge/dawnscanner/issues/new)
-_latest update: Thu Dec  3 18:29:11 CET 2015_
+_latest update: mar 7 mag 2019, 17:48:53, CEST_
-## Version 1.5.5 (est. Jan 2016)
+* Add Hanami support
+* Add node.js support
+* Add Maven support (this will lead of creating the skeleton of a
+  dawnscanner-java gem. I will decide later if it will stay with the core or if
+  it will be a separted gem plugging into dawnscanner as plugin).
+* Add support for pure Rack applications
+* Add basic support for Javascript. At the beginning, it will be a signature
+  based support. dawnscanner will try to detect the js library version by using
+  SHA hashing functions, comparing it with fingerprint of vulnerable libraies.
+  Of course, this will lead to false negatives if a user tamper the original
+  JS. We must consider also minified versions and we're not able to deal with
+  obfuscated code.
-* close all issues on github markedsfor milestone 1.5.5
 * Issue #131 - Adding a check for OSVDB 119927 : http Gem for Ruby SSL Certificate Validation MitM Spoofing
 * Issue #119 - Adding a check for OSVDB 114641 : Ruby lib/rexml/entity.rb NULL String Handling Recursive XML External Entity (XXE) Expansion Resource Consumption Remote DoS
 * Issue #118 - Adding a check for OSVDB 113965 : Sprockets Gem for Ruby Unspecified Request Handling File Enumeration
@@ -39,24 +51,6 @@ _latest update: Thu Dec  3 18:29:11 CET 2015_
 * adding test for CVE-2011-4969  XSS in jquery < 1.6.2
-## Version 2.0.0 (est. June 2016)
-### New supported frameworks
-* Add Lotus support
-* Add Maven support (this will lead of creating the skeleton of a
-  dawnscanner-java gem. I will decide later if it will stay with the core or if
-  it will be a separted gem plugging into dawnscanner as plugin).
-* Add support for pure Rack applications
-* Add basic support for Javascript. At the beginning, it will be a signature
-  based support. dawnscanner will try to detect the js library version by using
-  SHA hashing functions, comparing it with fingerprint of vulnerable libraies.
-  Of course, this will lead to false negatives if a user tamper the original
-  JS. We must consider also minified versions and we're not able to deal with
-  obfuscated code.
-### New checks
 * Add a language check. It will handle a ruby script as input and a
   ruby\_parser line as unsafe pattern. It will compile the ruby and look for
   the unsafe pattern
@@ -67,7 +61,6 @@ _latest update: Thu Dec  3 18:29:11 CET 2015_
   dawnscanner the proper way. This is a dynamic tests that it must be run in a
   static way, looking for the public directory for old and backup files
   pattern.
-* Security checks for vulnerabilities out until 31 May 2016.
 ### New features
@@ -115,7 +108,6 @@ _latest update: Thu Dec  3 18:29:11 CET 2015_
 ## Version 2.5.0 (est. December 2016)
 * Add automatic mitigation patch generation for Ruby
-* Add node.js support
 * Add Opal support
 ## Long term Roadmap

data/VERSION CHANGED Viewed

@@ -12,4 +12,4 @@
 # |   "Guido"       |  x.x.0  |
 # |   "Luigi"       |  x.x.0  |
 # | "Doc Hudson"    |  x.x.0  |
-1.6.8 - Tow Mater
+2.0.0.rc4 - Finn McMissile

data/bin/dawn CHANGED Viewed

@@ -1,7 +1,6 @@
 #!/usr/bin/env ruby
 require 'bundler'
-require 'getoptlong'
 require 'json'
 require 'terminal-table'
 require 'justify'
@@ -9,289 +8,34 @@ require 'justify'
 require 'dawnscanner'
 APPNAME = File.basename($0)
 LIST_KNOWN_FRAMEWORK  = %w(rails sinatra padrino)
 VALID_OUTPUT_FORMAT   = %w(console json csv html)
 # Datamapper stuff
-DataMapper.setup(:default, "sqlite3://#{Dawn::Core.registry_db_name}")
-DataMapper::Logger.new(Dawn::Core.sql_log_name, :debug)
-DataMapper.finalize
-DataMapper.auto_upgrade!
+#DataMapper.setup(:default, "sqlite3://#{Dawn::Core.registry_db_name}")
+#DataMapper::Logger.new(Dawn::Core.sql_log_name, :debug)
+#DataMapper.finalize
+#DataMapper.auto_upgrade!
 require 'logger'
 $logger = Logger.new(STDOUT)
-$logger.datetime_format = '%Y-%m-%d %H:%M:%S'
-opts    = GetoptLong.new(
-  # report formatting options
-  [ '--ascii-tabular-report',   '-a',   GetoptLong::NO_ARGUMENT], # Deprecated in 1.5.x - To be removed in 2.0.0
-  [ '--tabular',                '-T',   GetoptLong::NO_ARGUMENT],
-  [ '--json',                   '-j',   GetoptLong::NO_ARGUMENT],
-  [ '--html',                   '-H',   GetoptLong::NO_ARGUMENT],
-  [ '--console',                '-K',   GetoptLong::NO_ARGUMENT],
-  # MVC forcing
-  # Deprecated in 1.5.x
-  # To be removed in 2.0.0
-  [ '--rails',                  '-r',   GetoptLong::NO_ARGUMENT],
-  [ '--sinatra',                '-s',   GetoptLong::NO_ARGUMENT],
-  [ '--padrino',                '-p',   GetoptLong::NO_ARGUMENT],
-  [ '--gem-lock',               '-G',   GetoptLong::REQUIRED_ARGUMENT], # Deprecated in 1.5.x - To be removed in 2.0.0
-  [ '--dependencies',           '-d',   GetoptLong::REQUIRED_ARGUMENT],
-  [ '--count-only',             '-C',   GetoptLong::NO_ARGUMENT],
-  [ '--exit-on-warn',           '-z',   GetoptLong::NO_ARGUMENT],
-  # Disable checks by family type
-  [ '--disable-cve-bulletins',          GetoptLong::NO_ARGUMENT],
-  [ '--disable-code-quality',           GetoptLong::NO_ARGUMENT],
-  [ '--disable-code-style',             GetoptLong::NO_ARGUMENT],
-  [ '--disable-owasp-ror-cheatsheet',   GetoptLong::NO_ARGUMENT],
-  [ '--disable-owasp-top-10',           GetoptLong::NO_ARGUMENT],
-  # Search knowledge base
-  [ '--search-knowledge-base',  '-S',   GetoptLong::REQUIRED_ARGUMENT],
-  # List stuff
-  [ '--list-knowledge-base',            GetoptLong::NO_ARGUMENT],
-  [ '--list-known-framework',           GetoptLong::NO_ARGUMENT],
-  [ '--list-known-families',            GetoptLong::NO_ARGUMENT],
-  [ '--list-scan-registry',             GetoptLong::NO_ARGUMENT],
-  # please save output to file
-  [ '--file',                   '-F',   GetoptLong::REQUIRED_ARGUMENT],
-  # specify an alternate config file
-  [ '--config-file',            '-c',   GetoptLong::REQUIRED_ARGUMENT],
-  # service options
-  [ '--verbose',                '-V',   GetoptLong::NO_ARGUMENT],
-  [ '--debug',                  '-D',   GetoptLong::NO_ARGUMENT],
-  [ '--version',                '-v',   GetoptLong::NO_ARGUMENT],
-  [ '--help',                   '-h',   GetoptLong::NO_ARGUMENT]
-)
-opts.quiet=true
-engine  = nil
-options = Dawn::Core.read_conf(Dawn::Core.find_conf(true))
-check = ""
-guess = {:name=>"", :version=>"", :connected_gems=>[]}
-###############################################################################
-# CLI argument start.
-#
-# Refactoring is necessary here
-###############################################################################
-begin
-opts.each do |opt, val|
-  case opt
-  when '--version'
-    puts "#{Dawn::VERSION} [#{Dawn::CODENAME}]"
-    Kernel.exit(0)
-  when '--config-file'
-    options = Dawn::Core.read_conf(val)
-  when '--disable-cve-bulletins'
-    options[:enabled_checks].delete(:bulletin)
-  when '--disable-code-quality'
-    options[:enabled_checks].delete(:code_quality)
-  when '--disable-code-style'
-    options[:enabled_checks].delete(:code_style)
-  when '--disable-owasp-ror-cheatsheet'
-    options[:enabled_checks].delete(:owasp_ror_cheatsheet)
-  when '--disable-owasp-top-10'
-    options[:enabled_checks].delete(:owasp_top_10_1)
-    options[:enabled_checks].delete(:owasp_top_10_2)
-    options[:enabled_checks].delete(:owasp_top_10_3)
-    options[:enabled_checks].delete(:owasp_top_10_4)
-    options[:enabled_checks].delete(:owasp_top_10_5)
-    options[:enabled_checks].delete(:owasp_top_10_6)
-    options[:enabled_checks].delete(:owasp_top_10_7)
-    options[:enabled_checks].delete(:owasp_top_10_8)
-    options[:enabled_checks].delete(:owasp_top_10_9)
-    options[:enabled_checks].delete(:owasp_top_10_10)
-  when '--list-known-families'
-    printf "Dawn supports following check families:\n\n"
-    puts Dawn::Kb::BasicCheck.families
-    Kernel.exit(0)
-  when '--json'
-    options[:output] = "json"
-  when '--console'
-    options[:output] = "console"
-  when '--tabular'
-    options[:output] = "tabular"
-  when '--ascii-tabular-report'
-    $logger.warn "--ascii-tabular-report' it has been deprecated. It will be removed in version 2.0.0. Please use '--tabular' instead"
-    options[:output] = "tabular"
-  when '--html'
-    options[:output] = "html"
-  when '--rails'
-    options[:mvc]=:rails
-  when '--sinatra'
-    options[:mvc]=:sinatra
-  when '--padrino'
-    options[:mvc]=:padrino
-  when '--file'
-    options[:filename] = val
-  when '--gem-lock'
-    options[:gemfile_scan] = true
-    $logger.warn "--gem-lock flag it has been deprecated. It will be removed in version 2.0.0. Please use '--dependencies' instead"
-    unless val.empty?
-      options[:gemfile_name] = val
-      guess = Dawn::Core.guess_mvc(val)
-    end
-  when '--dependencies'
-    options[:gemfile_scan] = true
-    unless val.empty?
-      options[:gemfile_name] = val
-      guess = Dawn::Core.guess_mvc(val)
-    end
-  when '--verbose'
-    options[:verbose]=true
-  when '--count-only'
-    options[:output] = "count"
-  when '--debug'
-    options[:debug] = true
-  when '--exit-on-warn'
-    options[:exit_on_warn] = true
-  when '--search-knowledge-base'
-    found = Dawn::KnowledgeBase.find(nil, val)
-    puts "#{val} found in knowledgebase." if found
-    puts "#{val} not found in knowledgebase" if ! found
-    Kernel.exit(0)
-  when '--list-scan-registry'
-    puts "#{APPNAME} scan registry\n\n"
-    Dawn::Registry.dump
-    Kernel.exit(0)
-  when '--list-knowledge-base'
-    Dawn::KnowledgeBase.dump(options[:verbose])
-    Kernel.exit(0)
-  when '--list-known-framework'
-    puts "Ruby MVC framework supported by #{APPNAME}:"
-    LIST_KNOWN_FRAMEWORK.each do |mvc|
-      puts "* #{mvc}"
-    end
-    Kernel.exit(0)
-  when '--help'
-    Kernel.exit(Dawn::Core.help)
-  end
-end
-rescue GetoptLong::InvalidOption => e
-  $logger.helo APPNAME, Dawn::VERSION
-  $logger.error e.message
-  Kernel.exit(Dawn::Core.help)
-end
-###############################################################################
-# CLI argument stop
-###############################################################################
-target=ARGV.shift
-target = File.expand_path(".") if target == "."
-$logger.helo APPNAME, Dawn::VERSION
-r = Dawn::Registry.new
-unless Dir.exist?(Dawn::Core.registry_db_folder)
-  FileUtils.mkdir_p(Dawn::Core.registry_db_folder)
-  $logger.info "#{Dawn::Core.registry_db_folder} created" if Dir.exist?(Dawn::Core.registry_db_folder)
-end
-trap("INT") { $logger.die('[INTERRUPTED]') }
-$logger.die("missing target") if target.nil? && options[:gemfile_name].empty?
-$logger.die("invalid directory (#{target})") if options[:gemfile_name].empty?  &&! Dawn::Core.is_good_target?(target)
-$logger.die("if scanning Gemfile.lock file you must not force target MVC using one from -r, -s or -p flag") if ! options[:mvc].empty? && options[:gemfile_scan]
-$logger.debug("security check enabled: #{options[:enabled_checks]}") if options[:debug]
-# MVC flag deprecation warnings
-$logger.warn("the --rails is deprecated and it will be removed in version 2.0.0")   if options[:mvc] == :rails
-$logger.warn("the --sinatra is deprecated and it will be removed in version 2.0.0") if options[:mvc] == :sinatra
-$logger.warn("the --padrino is deprecated and it will be removed in version 2.0.0") if options[:mvc] == :padrino
-## MVC auto detect.
-# Skipping MVC autodetect if it's already been done by guess_mvc when choosing
-# Gemfile.lock scan
-unless options[:gemfile_scan]
-  begin
-    if options[:mvc].empty?
-      engine = Dawn::Core.detect_mvc(target)
-      $logger.debug("using #{engine.class.name} engine via autodect") if options[:debug]
+$logger.formatter = proc do |severity, datetime, progname, msg|
+    date_format = datetime.strftime("%Y-%m-%d %H:%M:%S")
+    if severity == "INFO" or severity == "WARN"
+        "[#{date_format}] #{severity}  (dawn): #{msg}\n"
     else
-      engine = Dawn::Rails.new(target)      if options[:mvc] == :rails
-      engine = Dawn::Sinatra.new(target)    if options[:mvc] == :sinatra
-      engine = Dawn::Padrino.new(target)    if options[:mvc] == :padrino
-    end
-  rescue ArgumentError => e
-    r.do_save({:target=>File.basename(target), :scan_started=>DateTime.now, :scan_duration => 0, :issues_found=> -1, :output_dir=> "", :message=>e.message, :scan_status=>:failed})
-    $logger.die(e.message)
-  end
-else
-  engine = Dawn::GemfileLock.new(target, options[:gemfile_name], guess) # if options[:gemfile_scan]
-end
-if engine.nil?
-  $logger.error("MVC detection failure. Please open an issue at https://github.com/thesp0nge/dawnscanner/issues")
-  r.do_save({:target=>File.basename(target), :message=>"MVC detection failure. Please open an issue at https://github.com/thesp0nge/dawnscanner/issues", :scan_status=>:failed})
-  $logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags")
-end
-## end MVC auto detect.
-if options[:exit_on_warn]
-  Kernel.at_exit do
-    if engine.count_vulnerabilities != 0
-      r.do_save({:target=>engine.target, :scan_started=>engine.scan_start, :scan_duration => engine.scan_time.round(3), :issues_found=>engine.vulnerabilities.count, :output_dir=>engine.output_dir_name, :scan_status=>:completed})
-      Kernel.exit(engine.count_vulnerabilities)
+        "[#{date_format}] #{severity} (dawn): #{msg}\n"
     end
-  end
-end
-if options[:debug]
-  $logger.warn "putting engine in debug mode"
-  engine.debug = true
 end
-$logger.warn "this is a development Dawn version" if Dawn::RELEASE == "(development)"
-if engine.nil?
-  r.do_save({:target=>File.basename(target), :message=>"missing target framework option", :scan_status=>:failed})
-  $logger.die "missing target framework option"
-end
-if ! options[:gemfile_scan] && ! engine.can_apply?
-  r.do_save({:target=>File.basename(target), :message=>"nothing to do on #{target}", :scan_status=>:failed})
-  $logger.die "nothing to do on #{target}"
-end
-engine.load_knowledge_base(options[:enabled_checks])
-ret = engine.apply_all
+engine  = nil
+$debug=false
+$verbose=false
-if options[:output] == "count"
-  STDERR.puts (ret)? engine.vulnerabilities.count : "-1" unless options[:output] == "json"
-  STDERR.puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json if options[:output] == "json"
-  r.do_save({:target=>engine.target, :scan_started=>engine.scan_start, :scan_duration => engine.scan_time.round(3), :issues_found=>engine.vulnerabilities.count, :output_dir=>engine.output_dir_name, :scan_status=>:completed})
-  $logger.bye
-  Kernel.exit(0)
-end
+check = ""
+guess = {:name=>"", :version=>"", :connected_gems=>[]}
-Dawn::Reporter.new({:engine=>engine, :apply_all_code=>ret, :format=>options[:output].to_sym, :filename=>options[:filename]}).report
-if (r.do_save({:target=>File.basename(engine.target),
-           :scan_started=>engine.scan_start,
-           :scan_duration => engine.scan_time.round(3),
-           :issues_found=>engine.vulnerabilities.count,
-           :output_dir=>engine.output_dir_name,
-           :scan_status=>:completed}))
-  $logger.info "#{Dawn::Core.registry_db_name} updated with scan infos"
-else
-  r.errors.each do |error|
-    $logger.error error
-  end
-end
-$logger.bye
+Dawn::Cli::DawnCli.start
+Kernel.exit(0)

data/checksum/dawnscanner-1.6.8.gem.sha1 ADDED Viewed

	@@ -0,0 +1 @@
1	+ 7f56617eeab5f897c910d9bfbfd54425c4856fc1

data/checksum/dawnscanner-2.0.0.rc1.gem.sha1 ADDED Viewed

	@@ -0,0 +1 @@
1	+ 04dc5b15006b4ee5912b789160756c57b4c9036a

data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 ADDED Viewed

	@@ -0,0 +1 @@
1	+ 1c96f786d3683b79311855a14b8ef7d7ebe7b13d

data/checksum/dawnscanner-2.0.0.rc3.gem.sha1 ADDED Viewed

	@@ -0,0 +1 @@
1	+ 55641656f0a1979b283c10ac526f00f5fc449d89

data/dawnscanner.gemspec CHANGED Viewed

@@ -10,17 +10,14 @@ Gem::Specification.new do |gem|
   gem.email         = ["paolo@dawnscanner.org"]
   gem.description   = %q{Dawnscanner is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 150 security checks with their own mitigation suggestion.}
   gem.summary       = %q{Dawnscanner is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
-  gem.homepage      = "http://dawnscanner.org"
+  gem.homepage      = "https://dawnscanner.org"
   gem.files         = `git ls-files`.split($/)
   gem.license       = "MIT"
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
-  gem.cert_chain  = ['certs/paolo_at_dawnscanner_dot_org.pem']
-  gem.signing_key = File.expand_path("~/.ssh/paolo_at_dawnscanner_dot_org_private_key.pem") if $0 =~ /gem\z/
-  gem.required_ruby_version = '>= 1.9.3'
+  gem.required_ruby_version = '>= 2.3.0'
   gem.add_dependency 'cvss'
   gem.add_dependency 'haml'
@@ -30,11 +27,15 @@ Gem::Specification.new do |gem|
   gem.add_dependency 'justify'
   gem.add_dependency 'logger-colors'
   gem.add_dependency 'ptools'
-  gem.add_dependency 'sqlite3'
-  gem.add_dependency 'dm-sqlite-adapter'
-  gem.add_dependency 'data_mapper'
+  gem.add_dependency 'psych'
+  # For CLI we will use thor
+  gem.add_dependency 'thor'
+  # gem.add_dependency 'sqlite3'
+  # gem.add_dependency 'datamapper'
+  # gem.add_dependency 'dm-sqlite-adapter'
-  # Dependencies for code stats
   # To be added back in 1.5.5
   # gem.add_dependency 'code_metrics'
   # gem.add_dependency 'metric_fu-Saikuro'

data/doc/change.sh ADDED Viewed

@@ -0,0 +1,13 @@
+LIST=`ls *.yml | sort`
+TOCHANGE=$1
+if [ -z $TOCHANGE ]; then
+  echo "an argument is required"
+  exit 1
+fi
+for i in $LIST
+do
+  sed -i 's/object:Dawn::Kb::'`basename $i .yml`'/object:Dawn::Kb::'$TOCHANGE'/g' $i
+done