RubyGems - dawnscanner - Versions diffs - 1.6.8 → 2.0.0.rc4 - Mend

dawnscanner 1.6.8 → 2.0.0.rc4

Files changed (387) hide show

checksums.yaml +5 -5
data/.gitignore +1 -0
data/.ruby-version +1 -1
data/Changelog.md +27 -1
data/LICENSE.txt +1 -1
data/README.md +59 -57
data/Rakefile +10 -242
data/Roadmap.md +15 -23
data/VERSION +1 -1
data/bin/dawn +17 -273
data/checksum/dawnscanner-1.6.8.gem.sha1 +1 -0
data/checksum/dawnscanner-2.0.0.rc1.gem.sha1 +1 -0
data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 +1 -0
data/checksum/dawnscanner-2.0.0.rc3.gem.sha1 +1 -0
data/dawnscanner.gemspec +10 -9
data/doc/change.sh +13 -0
data/doc/kickstart_kb.tar.gz +0 -0
data/doc/knowledge_base.rb +650 -0
data/docs/.placeholder +0 -0
data/docs/CNAME +1 -0
data/docs/_config.yml +1 -0
data/lib/dawn/cli/dawn_cli.rb +139 -0
data/lib/dawn/core.rb +8 -7
data/lib/dawn/engine.rb +93 -34
data/lib/dawn/gemfile_lock.rb +2 -2
data/lib/dawn/kb/basic_check.rb +1 -2
data/lib/dawn/kb/combo_check.rb +1 -1
data/lib/dawn/kb/dependency_check.rb +1 -1
data/lib/dawn/kb/operating_system_check.rb +1 -1
data/lib/dawn/kb/pattern_match_check.rb +10 -9
data/lib/dawn/kb/ruby_version_check.rb +11 -10
data/lib/dawn/kb/{gem_check.rb → rubygem_check.rb} +1 -1
data/lib/dawn/kb/unsafe_depedency_check.rb +44 -0
data/lib/dawn/kb/version_check.rb +41 -24
data/lib/dawn/knowledge_base.rb +259 -595
data/lib/dawn/reporter.rb +2 -1
data/lib/dawn/utils.rb +5 -2
data/lib/dawn/version.rb +5 -5
data/lib/dawnscanner.rb +7 -6
data/spec/lib/kb/codesake_unsafe_dependency_check_spec.rb +29 -0
data/spec/lib/kb/dependency_check.yml +29 -0
metadata +30 -496
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +0 -0
data/certs/paolo_at_dawnscanner_dot_org.pem +0 -21
data/lib/dawn/kb/cve_2004_0755.rb +0 -33
data/lib/dawn/kb/cve_2004_0983.rb +0 -31
data/lib/dawn/kb/cve_2005_1992.rb +0 -31
data/lib/dawn/kb/cve_2005_2337.rb +0 -33
data/lib/dawn/kb/cve_2006_1931.rb +0 -30
data/lib/dawn/kb/cve_2006_2582.rb +0 -28
data/lib/dawn/kb/cve_2006_3694.rb +0 -31
data/lib/dawn/kb/cve_2006_4112.rb +0 -27
data/lib/dawn/kb/cve_2006_5467.rb +0 -28
data/lib/dawn/kb/cve_2006_6303.rb +0 -28
data/lib/dawn/kb/cve_2006_6852.rb +0 -27
data/lib/dawn/kb/cve_2006_6979.rb +0 -29
data/lib/dawn/kb/cve_2007_0469.rb +0 -29
data/lib/dawn/kb/cve_2007_5162.rb +0 -28
data/lib/dawn/kb/cve_2007_5379.rb +0 -27
data/lib/dawn/kb/cve_2007_5380.rb +0 -29
data/lib/dawn/kb/cve_2007_5770.rb +0 -30
data/lib/dawn/kb/cve_2007_6077.rb +0 -31
data/lib/dawn/kb/cve_2007_6612.rb +0 -30
data/lib/dawn/kb/cve_2008_1145.rb +0 -38
data/lib/dawn/kb/cve_2008_1891.rb +0 -38
data/lib/dawn/kb/cve_2008_2376.rb +0 -30
data/lib/dawn/kb/cve_2008_2662.rb +0 -33
data/lib/dawn/kb/cve_2008_2663.rb +0 -32
data/lib/dawn/kb/cve_2008_2664.rb +0 -33
data/lib/dawn/kb/cve_2008_2725.rb +0 -31
data/lib/dawn/kb/cve_2008_3655.rb +0 -37
data/lib/dawn/kb/cve_2008_3657.rb +0 -37
data/lib/dawn/kb/cve_2008_3790.rb +0 -30
data/lib/dawn/kb/cve_2008_3905.rb +0 -36
data/lib/dawn/kb/cve_2008_4094.rb +0 -27
data/lib/dawn/kb/cve_2008_4310.rb +0 -100
data/lib/dawn/kb/cve_2008_5189.rb +0 -27
data/lib/dawn/kb/cve_2008_7248.rb +0 -27
data/lib/dawn/kb/cve_2009_4078.rb +0 -29
data/lib/dawn/kb/cve_2009_4124.rb +0 -30
data/lib/dawn/kb/cve_2009_4214.rb +0 -27
data/lib/dawn/kb/cve_2010_1330.rb +0 -28
data/lib/dawn/kb/cve_2010_2489.rb +0 -60
data/lib/dawn/kb/cve_2010_3933.rb +0 -27
data/lib/dawn/kb/cve_2011_0188.rb +0 -67
data/lib/dawn/kb/cve_2011_0446.rb +0 -28
data/lib/dawn/kb/cve_2011_0447.rb +0 -28
data/lib/dawn/kb/cve_2011_0739.rb +0 -28
data/lib/dawn/kb/cve_2011_0995.rb +0 -61
data/lib/dawn/kb/cve_2011_1004.rb +0 -34
data/lib/dawn/kb/cve_2011_1005.rb +0 -31
data/lib/dawn/kb/cve_2011_2197.rb +0 -27
data/lib/dawn/kb/cve_2011_2686.rb +0 -29
data/lib/dawn/kb/cve_2011_2705.rb +0 -32
data/lib/dawn/kb/cve_2011_2929.rb +0 -27
data/lib/dawn/kb/cve_2011_2930.rb +0 -28
data/lib/dawn/kb/cve_2011_2931.rb +0 -30
data/lib/dawn/kb/cve_2011_2932.rb +0 -27
data/lib/dawn/kb/cve_2011_3009.rb +0 -28
data/lib/dawn/kb/cve_2011_3186.rb +0 -29
data/lib/dawn/kb/cve_2011_3187.rb +0 -29
data/lib/dawn/kb/cve_2011_4319.rb +0 -30
data/lib/dawn/kb/cve_2011_4815.rb +0 -28
data/lib/dawn/kb/cve_2011_5036.rb +0 -26
data/lib/dawn/kb/cve_2012_1098.rb +0 -30
data/lib/dawn/kb/cve_2012_1099.rb +0 -27
data/lib/dawn/kb/cve_2012_1241.rb +0 -27
data/lib/dawn/kb/cve_2012_2139.rb +0 -26
data/lib/dawn/kb/cve_2012_2140.rb +0 -27
data/lib/dawn/kb/cve_2012_2660.rb +0 -28
data/lib/dawn/kb/cve_2012_2661.rb +0 -27
data/lib/dawn/kb/cve_2012_2671.rb +0 -28
data/lib/dawn/kb/cve_2012_2694.rb +0 -30
data/lib/dawn/kb/cve_2012_2695.rb +0 -27
data/lib/dawn/kb/cve_2012_3424.rb +0 -29
data/lib/dawn/kb/cve_2012_3463.rb +0 -27
data/lib/dawn/kb/cve_2012_3464.rb +0 -27
data/lib/dawn/kb/cve_2012_3465.rb +0 -26
data/lib/dawn/kb/cve_2012_4464.rb +0 -27
data/lib/dawn/kb/cve_2012_4466.rb +0 -27
data/lib/dawn/kb/cve_2012_4481.rb +0 -26
data/lib/dawn/kb/cve_2012_4522.rb +0 -27
data/lib/dawn/kb/cve_2012_5370.rb +0 -27
data/lib/dawn/kb/cve_2012_5371.rb +0 -27
data/lib/dawn/kb/cve_2012_5380.rb +0 -28
data/lib/dawn/kb/cve_2012_6109.rb +0 -25
data/lib/dawn/kb/cve_2012_6134.rb +0 -27
data/lib/dawn/kb/cve_2012_6496.rb +0 -28
data/lib/dawn/kb/cve_2012_6497.rb +0 -28
data/lib/dawn/kb/cve_2012_6684.rb +0 -28
data/lib/dawn/kb/cve_2013_0155.rb +0 -29
data/lib/dawn/kb/cve_2013_0156.rb +0 -27
data/lib/dawn/kb/cve_2013_0162.rb +0 -28
data/lib/dawn/kb/cve_2013_0175.rb +0 -27
data/lib/dawn/kb/cve_2013_0183.rb +0 -25
data/lib/dawn/kb/cve_2013_0184.rb +0 -25
data/lib/dawn/kb/cve_2013_0233.rb +0 -26
data/lib/dawn/kb/cve_2013_0256.rb +0 -59
data/lib/dawn/kb/cve_2013_0262.rb +0 -26
data/lib/dawn/kb/cve_2013_0263.rb +0 -26
data/lib/dawn/kb/cve_2013_0269.rb +0 -27
data/lib/dawn/kb/cve_2013_0276.rb +0 -28
data/lib/dawn/kb/cve_2013_0277.rb +0 -25
data/lib/dawn/kb/cve_2013_0284.rb +0 -27
data/lib/dawn/kb/cve_2013_0285.rb +0 -27
data/lib/dawn/kb/cve_2013_0333.rb +0 -28
data/lib/dawn/kb/cve_2013_0334.rb +0 -25
data/lib/dawn/kb/cve_2013_1607.rb +0 -25
data/lib/dawn/kb/cve_2013_1655.rb +0 -65
data/lib/dawn/kb/cve_2013_1656.rb +0 -28
data/lib/dawn/kb/cve_2013_1756.rb +0 -26
data/lib/dawn/kb/cve_2013_1800.rb +0 -26
data/lib/dawn/kb/cve_2013_1801.rb +0 -27
data/lib/dawn/kb/cve_2013_1802.rb +0 -27
data/lib/dawn/kb/cve_2013_1812.rb +0 -27
data/lib/dawn/kb/cve_2013_1821.rb +0 -28
data/lib/dawn/kb/cve_2013_1854.rb +0 -26
data/lib/dawn/kb/cve_2013_1855.rb +0 -25
data/lib/dawn/kb/cve_2013_1856.rb +0 -26
data/lib/dawn/kb/cve_2013_1857.rb +0 -27
data/lib/dawn/kb/cve_2013_1875.rb +0 -27
data/lib/dawn/kb/cve_2013_1898.rb +0 -27
data/lib/dawn/kb/cve_2013_1911.rb +0 -28
data/lib/dawn/kb/cve_2013_1933.rb +0 -27
data/lib/dawn/kb/cve_2013_1947.rb +0 -27
data/lib/dawn/kb/cve_2013_1948.rb +0 -27
data/lib/dawn/kb/cve_2013_2065.rb +0 -29
data/lib/dawn/kb/cve_2013_2090.rb +0 -28
data/lib/dawn/kb/cve_2013_2105.rb +0 -26
data/lib/dawn/kb/cve_2013_2119.rb +0 -27
data/lib/dawn/kb/cve_2013_2512.rb +0 -26
data/lib/dawn/kb/cve_2013_2513.rb +0 -25
data/lib/dawn/kb/cve_2013_2516.rb +0 -26
data/lib/dawn/kb/cve_2013_2615.rb +0 -27
data/lib/dawn/kb/cve_2013_2616.rb +0 -27
data/lib/dawn/kb/cve_2013_2617.rb +0 -28
data/lib/dawn/kb/cve_2013_3221.rb +0 -27
data/lib/dawn/kb/cve_2013_4164.rb +0 -30
data/lib/dawn/kb/cve_2013_4203.rb +0 -25
data/lib/dawn/kb/cve_2013_4389.rb +0 -26
data/lib/dawn/kb/cve_2013_4413.rb +0 -27
data/lib/dawn/kb/cve_2013_4457.rb +0 -29
data/lib/dawn/kb/cve_2013_4478.rb +0 -26
data/lib/dawn/kb/cve_2013_4479.rb +0 -26
data/lib/dawn/kb/cve_2013_4489.rb +0 -28
data/lib/dawn/kb/cve_2013_4491.rb +0 -29
data/lib/dawn/kb/cve_2013_4492.rb +0 -29
data/lib/dawn/kb/cve_2013_4562.rb +0 -27
data/lib/dawn/kb/cve_2013_4593.rb +0 -27
data/lib/dawn/kb/cve_2013_5647.rb +0 -29
data/lib/dawn/kb/cve_2013_5671.rb +0 -26
data/lib/dawn/kb/cve_2013_6414.rb +0 -30
data/lib/dawn/kb/cve_2013_6415.rb +0 -29
data/lib/dawn/kb/cve_2013_6416.rb +0 -29
data/lib/dawn/kb/cve_2013_6417.rb +0 -30
data/lib/dawn/kb/cve_2013_6421.rb +0 -28
data/lib/dawn/kb/cve_2013_6459.rb +0 -28
data/lib/dawn/kb/cve_2013_6460.rb +0 -53
data/lib/dawn/kb/cve_2013_6461.rb +0 -57
data/lib/dawn/kb/cve_2013_7086.rb +0 -27
data/lib/dawn/kb/cve_2014_0036.rb +0 -27
data/lib/dawn/kb/cve_2014_0080.rb +0 -29
data/lib/dawn/kb/cve_2014_0081.rb +0 -27
data/lib/dawn/kb/cve_2014_0082.rb +0 -27
data/lib/dawn/kb/cve_2014_0130.rb +0 -27
data/lib/dawn/kb/cve_2014_1233.rb +0 -27
data/lib/dawn/kb/cve_2014_1234.rb +0 -26
data/lib/dawn/kb/cve_2014_2322.rb +0 -28
data/lib/dawn/kb/cve_2014_2525.rb +0 -59
data/lib/dawn/kb/cve_2014_2538.rb +0 -26
data/lib/dawn/kb/cve_2014_3482.rb +0 -28
data/lib/dawn/kb/cve_2014_3483.rb +0 -28
data/lib/dawn/kb/cve_2014_3916.rb +0 -29
data/lib/dawn/kb/cve_2014_4975.rb +0 -28
data/lib/dawn/kb/cve_2014_7818.rb +0 -27
data/lib/dawn/kb/cve_2014_7819.rb +0 -31
data/lib/dawn/kb/cve_2014_7829.rb +0 -30
data/lib/dawn/kb/cve_2014_8090.rb +0 -30
data/lib/dawn/kb/cve_2014_9490.rb +0 -29
data/lib/dawn/kb/cve_2015_1819.rb +0 -34
data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb +0 -28
data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb +0 -28
data/lib/dawn/kb/cve_2015_2963.rb +0 -27
data/lib/dawn/kb/cve_2015_3224.rb +0 -26
data/lib/dawn/kb/cve_2015_3225.rb +0 -28
data/lib/dawn/kb/cve_2015_3226.rb +0 -27
data/lib/dawn/kb/cve_2015_3227.rb +0 -28
data/lib/dawn/kb/cve_2015_3448.rb +0 -29
data/lib/dawn/kb/cve_2015_4020.rb +0 -34
data/lib/dawn/kb/cve_2015_5312.rb +0 -30
data/lib/dawn/kb/cve_2015_7497.rb +0 -32
data/lib/dawn/kb/cve_2015_7498.rb +0 -32
data/lib/dawn/kb/cve_2015_7499.rb +0 -32
data/lib/dawn/kb/cve_2015_7500.rb +0 -32
data/lib/dawn/kb/cve_2015_7519.rb +0 -31
data/lib/dawn/kb/cve_2015_7541.rb +0 -31
data/lib/dawn/kb/cve_2015_7576.rb +0 -35
data/lib/dawn/kb/cve_2015_7577.rb +0 -34
data/lib/dawn/kb/cve_2015_7578.rb +0 -30
data/lib/dawn/kb/cve_2015_7579.rb +0 -30
data/lib/dawn/kb/cve_2015_7581.rb +0 -33
data/lib/dawn/kb/cve_2015_8241.rb +0 -32
data/lib/dawn/kb/cve_2015_8242.rb +0 -32
data/lib/dawn/kb/cve_2015_8317.rb +0 -32
data/lib/dawn/kb/cve_2016_0751.rb +0 -32
data/lib/dawn/kb/cve_2016_0752.rb +0 -35
data/lib/dawn/kb/cve_2016_0753.rb +0 -31
data/lib/dawn/kb/cve_2016_2097.rb +0 -35
data/lib/dawn/kb/cve_2016_2098.rb +0 -35
data/lib/dawn/kb/cve_2016_5697.rb +0 -30
data/lib/dawn/kb/cve_2016_6316.rb +0 -33
data/lib/dawn/kb/cve_2016_6317.rb +0 -32
data/lib/dawn/kb/cve_2016_6582.rb +0 -43
data/lib/dawn/kb/not_revised_code.rb +0 -22
data/lib/dawn/kb/osvdb_105971.rb +0 -29
data/lib/dawn/kb/osvdb_108530.rb +0 -27
data/lib/dawn/kb/osvdb_108563.rb +0 -28
data/lib/dawn/kb/osvdb_108569.rb +0 -28
data/lib/dawn/kb/osvdb_108570.rb +0 -27
data/lib/dawn/kb/osvdb_115654.rb +0 -33
data/lib/dawn/kb/osvdb_116010.rb +0 -30
data/lib/dawn/kb/osvdb_117903.rb +0 -30
data/lib/dawn/kb/osvdb_118579.rb +0 -31
data/lib/dawn/kb/osvdb_118830.rb +0 -32
data/lib/dawn/kb/osvdb_118954.rb +0 -33
data/lib/dawn/kb/osvdb_119878.rb +0 -32
data/lib/dawn/kb/osvdb_119927.rb +0 -33
data/lib/dawn/kb/osvdb_120415.rb +0 -31
data/lib/dawn/kb/osvdb_120857.rb +0 -34
data/lib/dawn/kb/osvdb_121701.rb +0 -30
data/lib/dawn/kb/osvdb_132234.rb +0 -34
data/lib/dawn/kb/owasp_ror_cheatsheet.rb +0 -33
data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -18
data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +0 -57
data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +0 -28
data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +0 -29
data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +0 -33
data/lib/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +0 -35
data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +0 -29
data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +0 -31
data/lib/dawn/kb/simpleform_xss_20131129.rb +0 -28
data/lib/dawn/knowledge_base_experimental.rb +0 -245
data/spec/lib/kb/cve_2011_2705_spec.rb +0 -35
data/spec/lib/kb/cve_2011_2930_spec.rb +0 -31
data/spec/lib/kb/cve_2011_3009_spec.rb +0 -25
data/spec/lib/kb/cve_2011_3187_spec.rb +0 -24
data/spec/lib/kb/cve_2011_4319_spec.rb +0 -44
data/spec/lib/kb/cve_2011_5036_spec.rb +0 -95
data/spec/lib/kb/cve_2012_1098_spec.rb +0 -36
data/spec/lib/kb/cve_2012_2139_spec.rb +0 -20
data/spec/lib/kb/cve_2012_2671_spec.rb +0 -23
data/spec/lib/kb/cve_2012_6109_spec.rb +0 -112
data/spec/lib/kb/cve_2012_6684_spec.rb +0 -16
data/spec/lib/kb/cve_2013_0162_spec.rb +0 -23
data/spec/lib/kb/cve_2013_0183_spec.rb +0 -54
data/spec/lib/kb/cve_2013_0184_spec.rb +0 -115
data/spec/lib/kb/cve_2013_0256_spec.rb +0 -34
data/spec/lib/kb/cve_2013_0262_spec.rb +0 -44
data/spec/lib/kb/cve_2013_0263_spec.rb +0 -11
data/spec/lib/kb/cve_2013_0334_spec.rb +0 -35
data/spec/lib/kb/cve_2013_1607_spec.rb +0 -15
data/spec/lib/kb/cve_2013_1655_spec.rb +0 -31
data/spec/lib/kb/cve_2013_1756_spec.rb +0 -23
data/spec/lib/kb/cve_2013_2090_spec.rb +0 -15
data/spec/lib/kb/cve_2013_2105_spec.rb +0 -11
data/spec/lib/kb/cve_2013_2119_spec.rb +0 -27
data/spec/lib/kb/cve_2013_2512_spec.rb +0 -15
data/spec/lib/kb/cve_2013_2513_spec.rb +0 -15
data/spec/lib/kb/cve_2013_2516_spec.rb +0 -15
data/spec/lib/kb/cve_2013_4203_spec.rb +0 -15
data/spec/lib/kb/cve_2013_4413_spec.rb +0 -16
data/spec/lib/kb/cve_2013_4489_spec.rb +0 -63
data/spec/lib/kb/cve_2013_4491_spec.rb +0 -16
data/spec/lib/kb/cve_2013_4593_spec.rb +0 -16
data/spec/lib/kb/cve_2013_5647_spec.rb +0 -19
data/spec/lib/kb/cve_2013_5671_spec.rb +0 -27
data/spec/lib/kb/cve_2013_6414_spec.rb +0 -26
data/spec/lib/kb/cve_2013_6416_spec.rb +0 -31
data/spec/lib/kb/cve_2013_6459_spec.rb +0 -15
data/spec/lib/kb/cve_2013_7086_spec.rb +0 -22
data/spec/lib/kb/cve_2014_0036_spec.rb +0 -15
data/spec/lib/kb/cve_2014_0080_spec.rb +0 -33
data/spec/lib/kb/cve_2014_0081_spec.rb +0 -50
data/spec/lib/kb/cve_2014_0082_spec.rb +0 -52
data/spec/lib/kb/cve_2014_0130_spec.rb +0 -19
data/spec/lib/kb/cve_2014_1233_spec.rb +0 -15
data/spec/lib/kb/cve_2014_1234_spec.rb +0 -16
data/spec/lib/kb/cve_2014_2322_spec.rb +0 -15
data/spec/lib/kb/cve_2014_2538_spec.rb +0 -15
data/spec/lib/kb/cve_2014_3482_spec.rb +0 -15
data/spec/lib/kb/cve_2014_3483_spec.rb +0 -27
data/spec/lib/kb/cve_2014_7818_spec.rb +0 -42
data/spec/lib/kb/cve_2014_7819_spec.rb +0 -139
data/spec/lib/kb/cve_2014_7829_spec.rb +0 -50
data/spec/lib/kb/cve_2014_9490_spec.rb +0 -17
data/spec/lib/kb/cve_2015_1819_spec.rb +0 -16
data/spec/lib/kb/cve_2015_1840_spec.rb +0 -39
data/spec/lib/kb/cve_2015_2963_spec.rb +0 -17
data/spec/lib/kb/cve_2015_3224_spec.rb +0 -16
data/spec/lib/kb/cve_2015_3225_spec.rb +0 -27
data/spec/lib/kb/cve_2015_3226_spec.rb +0 -35
data/spec/lib/kb/cve_2015_3227_spec.rb +0 -31
data/spec/lib/kb/cve_2015_3448_spec.rb +0 -16
data/spec/lib/kb/cve_2015_4020_spec.rb +0 -24
data/spec/lib/kb/cve_2015_5312_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7497_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7498_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7499_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7500_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7519_spec.rb +0 -23
data/spec/lib/kb/cve_2015_7541_spec.rb +0 -15
data/spec/lib/kb/cve_2015_7576_spec.rb +0 -51
data/spec/lib/kb/cve_2015_7577_spec.rb +0 -63
data/spec/lib/kb/cve_2015_7578_spec.rb +0 -15
data/spec/lib/kb/cve_2015_7579_spec.rb +0 -23
data/spec/lib/kb/cve_2015_7581_spec.rb +0 -51
data/spec/lib/kb/cve_2015_8241_spec.rb +0 -31
data/spec/lib/kb/cve_2015_8242_spec.rb +0 -31
data/spec/lib/kb/cve_2015_8317_spec.rb +0 -31
data/spec/lib/kb/cve_2016_0751_spec.rb +0 -55
data/spec/lib/kb/cve_2016_0752_spec.rb +0 -51
data/spec/lib/kb/cve_2016_0753_spec.rb +0 -51
data/spec/lib/kb/cve_2016_2097_spec.rb +0 -35
data/spec/lib/kb/cve_2016_2098_spec.rb +0 -55
data/spec/lib/kb/cve_2016_5697_spec.rb +0 -15
data/spec/lib/kb/cve_2016_6316_spec.rb +0 -44
data/spec/lib/kb/cve_2016_6317_spec.rb +0 -35
data/spec/lib/kb/cve_2016_6582_spec.rb +0 -29
data/spec/lib/kb/osvdb_105971_spec.rb +0 -15
data/spec/lib/kb/osvdb_108530_spec.rb +0 -22
data/spec/lib/kb/osvdb_108563_spec.rb +0 -18
data/spec/lib/kb/osvdb_108569_spec.rb +0 -17
data/spec/lib/kb/osvdb_108570_spec.rb +0 -17
data/spec/lib/kb/osvdb_115654_spec.rb +0 -15
data/spec/lib/kb/osvdb_116010_spec.rb +0 -15
data/spec/lib/kb/osvdb_117903_spec.rb +0 -23
data/spec/lib/kb/osvdb_118579_spec.rb +0 -8
data/spec/lib/kb/osvdb_118830_spec.rb +0 -16
data/spec/lib/kb/osvdb_118954_spec.rb +0 -20
data/spec/lib/kb/osvdb_119878_spec.rb +0 -92
data/spec/lib/kb/osvdb_119927_spec.rb +0 -16
data/spec/lib/kb/osvdb_120415_spec.rb +0 -16
data/spec/lib/kb/osvdb_120857_spec.rb +0 -32
data/spec/lib/kb/osvdb_121701_spec.rb +0 -15
data/spec/lib/kb/osvdb_132234_spec.rb +0 -15
metadata.gz.sig +0 -0

data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb DELETED Viewed

@@ -1,29 +0,0 @@
-module Dawn
-  module Kb
-    module OwaspRorCheatSheet
-      class Csrf
-        include PatternMatchCheck
-        def initialize
-          message = "Ruby on Rails has specific, built in support for CSRF tokens. To enable it, or ensure that it is enabled, find the base ApplicationController and look for the protect_from_forgery directive. Note that by default Rails does not provide CSRF protection for any HTTP GET request."
-          super({
-            :name=>"Owasp Ror CheatSheet: Cross Site Request Forgery",
-            :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
-            :applies=>["rails"],
-            :glob=>"application_controller.rb",
-            :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
-            :message=>message,
-            :attack_pattern => ["protect_from_forgery"],
-            :negative_search=>true,
-            :mitigation=>"Make sure you are using Rails protect_from_forgery facilities in application_controller.rMake sure you are using Rails protect_from_forgery facilities in application_controller.rb",
-            :severity=>:info,
-            :check_family=>:owasp_ror_cheatsheet
-          })
-          # @debug = true
-        end
-      end
-    end
-  end
-end

data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb DELETED Viewed

@@ -1,33 +0,0 @@
-module Dawn
-  module Kb
-    module OwaspRorCheatSheet
-      class MassAssignmentInModel
-        include PatternMatchCheck
-        def initialize
-          message = "Although the major issue with Mass Assignment has been fixed by default in base Rails specifically when generating new projects, it still applies to older and upgraded projects so it is important to understand the issue and to ensure that only attributes that are intended to be modifiable are exposed."
-          super({
-            :name=>"Owasp Ror CheatSheet: Mass Assignement in model",
-            :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
-            :applies=>["rails"],
-            :glob=>"**/model/*.rb",
-            :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
-            :message=>message,
-            :attack_pattern => ["attr_accessor"],
-            :negative_search=>false,
-            :avoid_comments=>true,
-            :check_family=>:owasp_ror_cheatsheet,
-            :severity=>:info,
-            :evidences=>["In one or more of your models, you use attr_accessor attribute modifier. This is risky since it exposes you to a massive assignment vulnerability. You have to carefully handle how your model receive data by setting all attribute to attr_reader and using a setter method validating input before saving to database."],
-            :mitigation=>"Avoid attr_accessor attribute modifier in your models. You must use attr_reader as modifier and carefully filter your inputs before passing to the database layer."
-          })
-          # @debug = true
-        end
-      end
-    end
-  end
-end

data/lib/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb DELETED Viewed

@@ -1,35 +0,0 @@
-  module Dawn
-    module Kb
-      module OwaspRorCheatSheet
-        class SecurityRelatedHeaders
-          include PatternMatchCheck
-          def initialize
-            message = "To set a header value, simply access the response.headers object as a hash inside your controller (often in a before/after_filter). Rails 4 provides the \"default_headers\" functionality that will automatically apply the values supplied. This works for most headers in almost all cases."
-            super({
-              :name=>"Owasp Ror CheatSheet: Security Related Headers",
-              :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
-              :applies=>["rails"],
-              :glob=>"**/controllers/*.rb",
-              :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
-              :message=>message,
-              :attack_pattern => [
-                "response.headers\\['X-Frame-Options'\\] = 'DENY'",
-                "response.headers\\['X-Content-Type-Options'\\] = 'nosniff'",
-                "response.headers\\['X-XSS-Protection'\\] = '1'",
-                "ActionDispatch::Response.default_headers = {
-                    'X-Frame-Options' => 'DENY',
-                    'X-Content-Type-Options' => 'nosniff',
-                    'X-XSS-Protection' => '1;'
-                  }"],
-              :negative_search=>true,
-              :check_family=>:owasp_ror_cheatsheet,
-              :severity=>:info,
-              :mitigation=>"Use response headers like X-Frame-Options, X-Content-Type-Options, X-XSS-Protection in your project."
-            })
-          end
-        end
-      end
-    end
-  end

data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb DELETED Viewed

@@ -1,29 +0,0 @@
-module Dawn
-  module Kb
-    module OwaspRorCheatSheet
-      class SensitiveFiles
-        include PatternMatchCheck
-        def initialize
-          message = "Many Ruby on Rails apps are open source and hosted on publicly available source code repositories. Whether that is the case or the code is committed to a corporate source control system, there are certain files that should be either excluded or carefully managed."
-          super({
-            :name=>"Owasp Ror CheatSheet: Sensitive Files",
-            :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
-            :applies=>["rails"],
-            :glob=>".gitignore",
-            :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
-            :message=>message,
-            :check_family=>:owasp_ror_cheatsheet,
-            :severity=>:info,
-            :attack_pattern => ["/config/database.yml", "/config/initializers/secret_token.rb", "/db/seeds.rb", "/db/*.sqlite3"],
-            :mitigation=>"Put sensitive files in your repository gitignore file"
-          })
-          # @debug = true
-        end
-      end
-    end
-  end
-end

data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb DELETED Viewed

@@ -1,31 +0,0 @@
-module Dawn
-  module Kb
-    module OwaspRorCheatSheet
-      class SessionStoredInDatabase
-        include PatternMatchCheck
-        def initialize
-          message = "By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session."
-          super({
-            :name=>"Owasp Ror CheatSheet: Session management",
-            :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
-            :applies=>["rails"],
-            :glob=>"session_store.rb",
-            :aux_links=>["https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet"],
-            :message=>message,
-            :attack_pattern => ["Application.config.session_store :active_record_store", "Rails.application.config.session_store ActionDispatch::Session::CacheStore"],
-            :negative_search=>true,
-            :avoid_comments=>true,
-            :check_family=>:owasp_ror_cheatsheet,
-            :severity=>:info,
-            :evidences=>["In your session_store.rb file you are not using ActiveRecord to store session data. This will let rails to use a cookie based session and it can expose your web application to a session replay attack."],
-            :mitigation=>"Use ActiveRecord or the ORM you love most to handle your code session_store. Add \"Application.config.session_store :active_record_store\" to your session_store.rb file."
-          })
-          # @debug = true
-        end
-      end
-    end
-  end
-end

data/lib/dawn/kb/simpleform_xss_20131129.rb DELETED Viewed

@@ -1,28 +0,0 @@
-module Dawn
-  module Kb
-    # Automatically created with rake on 2013-12-11
-    class SimpleForm_Xss_20131129
-      include DependencyCheck
-      def initialize
-        message = "There is a XSS vulnerability on Simple Form's label, hint and error options. When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe."
-        super({
-          :name=>"Simple Form XSS - 20131129",
-          :cvss=>"none",
-          :release_date => Date.new(2013, 11, 29),
-          :cwe=>"",
-          :owasp=>"A9",
-          :applies=>["rails", "padrino", "sinatra"],
-          :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-          :message=>message,
-          :mitigation=>"Please upgrade Simple Form the 3.0.1 and 2.1.1 releases are available at the normal locations.",
-          :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/flHbLMb07tE"]
-        })
-        self.safe_dependencies = [{:name=>"simple_form", :version=>['3.0.1', '2.1.1']}]
-      end
-    end
-  end
-end

data/lib/dawn/knowledge_base_experimental.rb DELETED Viewed

@@ -1,245 +0,0 @@
-require 'singleton'
-# For HTTPS communication to check for KB updates and to fetch them
-require 'net/http'
-require 'uri'
-require 'yaml'
-require 'digest'
-module Dawn
-  # This is the YAML powered experimental knowledge base
-  #
-  # When the old KB format, using Ruby classes will be marked as deprecated,
-  # than this one will be the official.
-  #
-  # Dawnscanner KB will be a bunch of YAML file, stored in a hierachy of
-  # directories resembling security checks family. A digital signature will be
-  # also available to prevent KB tampering.
-  #
-  # This class will be accountable for:
-  #   + check for KB upgrade
-  #   + fetching the KB file from the Internet
-  #   + verifying the database signature
-  #   + reading YAML file, creating the security check array
-  #
-  # Another big change will be the MVC passed as constructor parameter, so only
-  # the checks regarding the particular app, will be loaded in the security
-  # check array. This should speed up BasicCheck internal routines.
-  #
-  # Class usage will be very simple. After getting the singleton instance, you
-  # will load the KB content. The load method will be also responsible about
-  # all relevant checks.
-  #
-  # Example
-  #
-  # require "dawn/knowledge_base_experimental"
-  #
-  # ...
-  #
-  # d = Dawn::KnowledgeBaseExperimental.instance
-  # d.update if d.update?
-  # d.load
-  #
-  # Last update: Fri Oct  7 08:03:43 CEST 2016
-  class KnowledgeBaseExperimental
-    include Dawn::Utils
-    include Singleton
-    GEM_CHECK           = :rubygem_check
-    DEPENDENCY_CHECK    = :dependency_check
-    PATTERN_MATCH_CHECK = :pattern_match_check
-    RUBY_VERSION_CHECK  = :ruby_version_check
-    OS_CHECK            = :os_check
-    COMBO_CHECK         = :combo_check
-    CUSTOM_CHECK        = :custom_check
-    REMOTE_KB_URL_PREFIX  = "https://dawnscanner.org/data/"
-    FILES = %w(kb.yaml bulletin.tar.gz generic_check.tar.gz owasp_ror_cheatsheet.tar.gz code_style.tar.gz code_quality.tar.gz owasp_top_10.tar.gz signatures.tar.gz)
-    attr_reader :security_checks
-    attr_reader :descriptor
-    attr_reader :path
-    def initialize(options={})
-      if $logger.nil?
-        require 'dawn/logger'
-        $logger = Logger.new(STDOUT)
-        $logger.helo "knowledge-base-experimental", Dawn::VERSION
-      end
-    end
-    def find(name)
-    end
-    def self.kb_descriptor
-      {:kb=>{:version=>"0.0.1", :revision=>Time.now.strftime("%Y%m%d"), :api=>Dawn::VERSION}}.to_yaml
-    end
-    def update?
-      FileUtils.mkdir_p("tmp")
-      begin
-        response = Net::HTTP.get URI(REMOTE_KB_URL_PREFIX + "kb.yaml")
-        open("tmp/kb.yaml", "w") do |f|
-          f.puts(response)
-        end
-        response = Net::HTTP.get URI(REMOTE_KB_URL_PREFIX + "kb.yaml.sig")
-        open("tmp/kb.yaml.sig", "w") do |f|
-          f.puts(response)
-        end
-      rescue Exception => e
-        $logger.error e.to_s
-        return false
-      end
-      # Verify kb.yaml signature
-      YAML.load(response)
-    end
-    def all
-      @security_checks
-    end
-    # Load security checks from db/ folder.
-    #
-    # options - The list of the options to be passed to KB. It can contain:
-    #   + enabled_checks: an array of security checks that must be enabled
-    #      [:generic_check, :code_quality, :bulletin, :code_style, :owasp_ror_cheatsheet, :owasp_top_10]
-    #   + mvc: the mvc name for the target application, in order for the KB to
-    #          deselect all security checks that don't fit the code to be
-    #          reviewed.
-    #   + path: the path for the KB root folder. Please note that #{Dir.pwd}/db
-    #           is the default location.
-    #
-    # Returns an array of security checks, matching the mvc to be reviewed and
-    # the enabled check list or an empty array if an error occured.
-    def load(options={})
-      @security_checks = []
-      $path = File.join(Dir.pwd, "db")
-      enabled_checks  = options[:enabled_checks]  unless options[:enabled_checks].nil?
-      mvc             = options[:mvc]             unless options[:mvc].nil?
-      $path           = options[:path]            unless options[:path].nil?
-      unless __valid?
-        $logger.error "An invalid library it has been found. Please use --recovery flag to force fresh install from dawnscanner.org"
-        return []
-      end
-      unless __load?
-        $logger.error "The library must be consumed with dawnscanner up to v#{$descriptor["kb"]["api"]}. You are using dawnscanner v#{Dawn::VERSION}"
-        return []
-      end
-      # TODO: untar and unzip from here (look for it in Google)
-      if __packed?
-        $logger.info "a packed knowledge base it has been found. Unpacking it"
-        __unpack
-      end
-      enabled_checks.each do |d|
-        dir = File.join($path, d)
-        # Please note that if we enter in this branch, it means someone
-        # tampered the KB between the previous __valid? check and this point.
-        # Of course this is a very rare situation, but we must handle it.
-        unless Dir.exists?(dir)
-          $logger.critical "Missing check directory #{dir}"
-          $logger.error "An invalid library it has been found. Please use --recovery flag to force fresh install from dawnscanner.org"
-          return []
-        end
-        # Enumerate all YAML file in the give dir
-      end
-    end
-    def dump(verbose=false)
-      puts "Security checks currently supported:"
-      i=0
-      KnowledgeBaseExperimental.instance.all.each do |check|
-        i+=1
-        if verbose
-          puts "Name: #{check.name}\tCVSS: #{check.cvss_score}\tReleased: #{check.release_date}"
-          puts "Description\n#{check.message}"
-          puts "Remediation\n#{check.remediation}\n\n"
-        else
-          puts "#{check.name}"
-        end
-      end
-      puts "-----\nTotal: #{i}"
-    end
-    private
-    def __verify_hash(original, computed)
-      t=original.split(' ')
-      return false if t.length != 2
-      return (t[0] == computed)
-    end
-    def __valid?
-      lines = ""
-      unless File.exists?(File.join($path, "kb.yaml"))
-        $logger.error  "Missing kb.yaml in #{path}. Giving up"
-        return false
-      end
-      unless File.exists?(File.join($path, "kb.yaml.sig"))
-        $logger.error  "Missing kb.yaml signature in #{path}. Giving up"
-        return false
-      end
-      lines = File.read(File.join($path, "kb.yaml"))
-      hash_file = Digest::SHA256.hexdigest lines
-      hash_orig = File.read(File.join($path, "kb.yaml.sig"))
-      v = __verify_hash(hash_orig, hash_file)
-      if v
-        $logger.info("good kb.yaml file found. Reading knowledge base descriptor")
-        @descriptor = YAML.load(lines)
-      else
-        $logger.error("kb.yaml signature mismatch. Found #{hash_file} while expecting #{hash_orig}. Giving up")
-        return false
-      end
-      return true
-    end
-    # Check if the local KB is packet or not.
-    #
-    # Returns true if at least one KB tarball file it has been found in the
-    # local DB path
-    def __packed?
-      FILES.each do |fn|
-        return true if fn.end_with? 'tar.gz' and File.exists?(File.join($path, fn))
-      end
-      return false
-    end
-    def __unpack
-    end
-    def __load?
-      api = $descriptor["kb"]["api"]
-      v = Dawn::VERSION
-      require "dawn/kb/version_check"
-      vc = VersionCheck.new
-      return true if vc.is_higher?(api, v) # => true if v > api
-      return false
-    end
-  end
-end

data/spec/lib/kb/cve_2011_2705_spec.rb DELETED Viewed

@@ -1,35 +0,0 @@
-require 'spec_helper'
-describe "The CVE-2011-2705 vulnerability" do
-	before(:all) do
-		@check = Dawn::Kb::CVE_2011_2705.new
-		# @check.debug = true
-	end
-  it "fires when ruby 1.8.7-p351 is detected" do
-    @check.detected_ruby ={:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p351"}
-    expect(@check.vuln?).to eq(true)
-  end
-  it "fires when ruby 1.9.0 any patchlevel is detected" do
-    @check.detected_ruby ={:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p351"}
-    expect(@check.vuln?).to eq(true)
-  end
-  it "fires when ruby 1.9.1 any patchlevel is detected" do
-    @check.detected_ruby ={:engine=>"ruby", :version=>"1.9.1", :patchlevel=>"p351"}
-    expect(@check.vuln?).to eq(true)
-  end
-  it "fires when ruby 1.9.2-p289 is detected" do
-    @check.detected_ruby ={:engine=>"ruby", :version=>"1.9.2", :patchlevel=>"p289"}
-    expect(@check.vuln?).to eq(true)
-  end
-  it "doesn't fire when ruby 1.8.7-p352 is detected" do
-    @check.detected_ruby ={:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p352"}
-    expect(@check.vuln?).to eq(false)
-  end
-  it "doesn't fire when ruby 1.9.2-p290 is detected" do
-    @check.detected_ruby ={:engine=>"ruby", :version=>"1.9.2", :patchlevel=>"p290"}
-    expect(@check.vuln?).to eq(false)
-  end
-  it "doesn't fire when ruby 1.9.3-p290 is detected" do
-    @check.detected_ruby ={:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p290"}
-    expect(@check.vuln?).to eq(false)
-  end
-end