dawnscanner 1.6.8 → 2.0.0.rc4

Sign up to get free protection for your applications and to get access to all the features.
Files changed (387) hide show
  1. checksums.yaml +5 -5
  2. data/.gitignore +1 -0
  3. data/.ruby-version +1 -1
  4. data/Changelog.md +27 -1
  5. data/LICENSE.txt +1 -1
  6. data/README.md +59 -57
  7. data/Rakefile +10 -242
  8. data/Roadmap.md +15 -23
  9. data/VERSION +1 -1
  10. data/bin/dawn +17 -273
  11. data/checksum/dawnscanner-1.6.8.gem.sha1 +1 -0
  12. data/checksum/dawnscanner-2.0.0.rc1.gem.sha1 +1 -0
  13. data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 +1 -0
  14. data/checksum/dawnscanner-2.0.0.rc3.gem.sha1 +1 -0
  15. data/dawnscanner.gemspec +10 -9
  16. data/doc/change.sh +13 -0
  17. data/doc/kickstart_kb.tar.gz +0 -0
  18. data/doc/knowledge_base.rb +650 -0
  19. data/docs/.placeholder +0 -0
  20. data/docs/CNAME +1 -0
  21. data/docs/_config.yml +1 -0
  22. data/lib/dawn/cli/dawn_cli.rb +139 -0
  23. data/lib/dawn/core.rb +8 -7
  24. data/lib/dawn/engine.rb +93 -34
  25. data/lib/dawn/gemfile_lock.rb +2 -2
  26. data/lib/dawn/kb/basic_check.rb +1 -2
  27. data/lib/dawn/kb/combo_check.rb +1 -1
  28. data/lib/dawn/kb/dependency_check.rb +1 -1
  29. data/lib/dawn/kb/operating_system_check.rb +1 -1
  30. data/lib/dawn/kb/pattern_match_check.rb +10 -9
  31. data/lib/dawn/kb/ruby_version_check.rb +11 -10
  32. data/lib/dawn/kb/{gem_check.rb → rubygem_check.rb} +1 -1
  33. data/lib/dawn/kb/unsafe_depedency_check.rb +44 -0
  34. data/lib/dawn/kb/version_check.rb +41 -24
  35. data/lib/dawn/knowledge_base.rb +259 -595
  36. data/lib/dawn/reporter.rb +2 -1
  37. data/lib/dawn/utils.rb +5 -2
  38. data/lib/dawn/version.rb +5 -5
  39. data/lib/dawnscanner.rb +7 -6
  40. data/spec/lib/kb/codesake_unsafe_dependency_check_spec.rb +29 -0
  41. data/spec/lib/kb/dependency_check.yml +29 -0
  42. metadata +30 -496
  43. checksums.yaml.gz.sig +0 -0
  44. data.tar.gz.sig +0 -0
  45. data/certs/paolo_at_dawnscanner_dot_org.pem +0 -21
  46. data/lib/dawn/kb/cve_2004_0755.rb +0 -33
  47. data/lib/dawn/kb/cve_2004_0983.rb +0 -31
  48. data/lib/dawn/kb/cve_2005_1992.rb +0 -31
  49. data/lib/dawn/kb/cve_2005_2337.rb +0 -33
  50. data/lib/dawn/kb/cve_2006_1931.rb +0 -30
  51. data/lib/dawn/kb/cve_2006_2582.rb +0 -28
  52. data/lib/dawn/kb/cve_2006_3694.rb +0 -31
  53. data/lib/dawn/kb/cve_2006_4112.rb +0 -27
  54. data/lib/dawn/kb/cve_2006_5467.rb +0 -28
  55. data/lib/dawn/kb/cve_2006_6303.rb +0 -28
  56. data/lib/dawn/kb/cve_2006_6852.rb +0 -27
  57. data/lib/dawn/kb/cve_2006_6979.rb +0 -29
  58. data/lib/dawn/kb/cve_2007_0469.rb +0 -29
  59. data/lib/dawn/kb/cve_2007_5162.rb +0 -28
  60. data/lib/dawn/kb/cve_2007_5379.rb +0 -27
  61. data/lib/dawn/kb/cve_2007_5380.rb +0 -29
  62. data/lib/dawn/kb/cve_2007_5770.rb +0 -30
  63. data/lib/dawn/kb/cve_2007_6077.rb +0 -31
  64. data/lib/dawn/kb/cve_2007_6612.rb +0 -30
  65. data/lib/dawn/kb/cve_2008_1145.rb +0 -38
  66. data/lib/dawn/kb/cve_2008_1891.rb +0 -38
  67. data/lib/dawn/kb/cve_2008_2376.rb +0 -30
  68. data/lib/dawn/kb/cve_2008_2662.rb +0 -33
  69. data/lib/dawn/kb/cve_2008_2663.rb +0 -32
  70. data/lib/dawn/kb/cve_2008_2664.rb +0 -33
  71. data/lib/dawn/kb/cve_2008_2725.rb +0 -31
  72. data/lib/dawn/kb/cve_2008_3655.rb +0 -37
  73. data/lib/dawn/kb/cve_2008_3657.rb +0 -37
  74. data/lib/dawn/kb/cve_2008_3790.rb +0 -30
  75. data/lib/dawn/kb/cve_2008_3905.rb +0 -36
  76. data/lib/dawn/kb/cve_2008_4094.rb +0 -27
  77. data/lib/dawn/kb/cve_2008_4310.rb +0 -100
  78. data/lib/dawn/kb/cve_2008_5189.rb +0 -27
  79. data/lib/dawn/kb/cve_2008_7248.rb +0 -27
  80. data/lib/dawn/kb/cve_2009_4078.rb +0 -29
  81. data/lib/dawn/kb/cve_2009_4124.rb +0 -30
  82. data/lib/dawn/kb/cve_2009_4214.rb +0 -27
  83. data/lib/dawn/kb/cve_2010_1330.rb +0 -28
  84. data/lib/dawn/kb/cve_2010_2489.rb +0 -60
  85. data/lib/dawn/kb/cve_2010_3933.rb +0 -27
  86. data/lib/dawn/kb/cve_2011_0188.rb +0 -67
  87. data/lib/dawn/kb/cve_2011_0446.rb +0 -28
  88. data/lib/dawn/kb/cve_2011_0447.rb +0 -28
  89. data/lib/dawn/kb/cve_2011_0739.rb +0 -28
  90. data/lib/dawn/kb/cve_2011_0995.rb +0 -61
  91. data/lib/dawn/kb/cve_2011_1004.rb +0 -34
  92. data/lib/dawn/kb/cve_2011_1005.rb +0 -31
  93. data/lib/dawn/kb/cve_2011_2197.rb +0 -27
  94. data/lib/dawn/kb/cve_2011_2686.rb +0 -29
  95. data/lib/dawn/kb/cve_2011_2705.rb +0 -32
  96. data/lib/dawn/kb/cve_2011_2929.rb +0 -27
  97. data/lib/dawn/kb/cve_2011_2930.rb +0 -28
  98. data/lib/dawn/kb/cve_2011_2931.rb +0 -30
  99. data/lib/dawn/kb/cve_2011_2932.rb +0 -27
  100. data/lib/dawn/kb/cve_2011_3009.rb +0 -28
  101. data/lib/dawn/kb/cve_2011_3186.rb +0 -29
  102. data/lib/dawn/kb/cve_2011_3187.rb +0 -29
  103. data/lib/dawn/kb/cve_2011_4319.rb +0 -30
  104. data/lib/dawn/kb/cve_2011_4815.rb +0 -28
  105. data/lib/dawn/kb/cve_2011_5036.rb +0 -26
  106. data/lib/dawn/kb/cve_2012_1098.rb +0 -30
  107. data/lib/dawn/kb/cve_2012_1099.rb +0 -27
  108. data/lib/dawn/kb/cve_2012_1241.rb +0 -27
  109. data/lib/dawn/kb/cve_2012_2139.rb +0 -26
  110. data/lib/dawn/kb/cve_2012_2140.rb +0 -27
  111. data/lib/dawn/kb/cve_2012_2660.rb +0 -28
  112. data/lib/dawn/kb/cve_2012_2661.rb +0 -27
  113. data/lib/dawn/kb/cve_2012_2671.rb +0 -28
  114. data/lib/dawn/kb/cve_2012_2694.rb +0 -30
  115. data/lib/dawn/kb/cve_2012_2695.rb +0 -27
  116. data/lib/dawn/kb/cve_2012_3424.rb +0 -29
  117. data/lib/dawn/kb/cve_2012_3463.rb +0 -27
  118. data/lib/dawn/kb/cve_2012_3464.rb +0 -27
  119. data/lib/dawn/kb/cve_2012_3465.rb +0 -26
  120. data/lib/dawn/kb/cve_2012_4464.rb +0 -27
  121. data/lib/dawn/kb/cve_2012_4466.rb +0 -27
  122. data/lib/dawn/kb/cve_2012_4481.rb +0 -26
  123. data/lib/dawn/kb/cve_2012_4522.rb +0 -27
  124. data/lib/dawn/kb/cve_2012_5370.rb +0 -27
  125. data/lib/dawn/kb/cve_2012_5371.rb +0 -27
  126. data/lib/dawn/kb/cve_2012_5380.rb +0 -28
  127. data/lib/dawn/kb/cve_2012_6109.rb +0 -25
  128. data/lib/dawn/kb/cve_2012_6134.rb +0 -27
  129. data/lib/dawn/kb/cve_2012_6496.rb +0 -28
  130. data/lib/dawn/kb/cve_2012_6497.rb +0 -28
  131. data/lib/dawn/kb/cve_2012_6684.rb +0 -28
  132. data/lib/dawn/kb/cve_2013_0155.rb +0 -29
  133. data/lib/dawn/kb/cve_2013_0156.rb +0 -27
  134. data/lib/dawn/kb/cve_2013_0162.rb +0 -28
  135. data/lib/dawn/kb/cve_2013_0175.rb +0 -27
  136. data/lib/dawn/kb/cve_2013_0183.rb +0 -25
  137. data/lib/dawn/kb/cve_2013_0184.rb +0 -25
  138. data/lib/dawn/kb/cve_2013_0233.rb +0 -26
  139. data/lib/dawn/kb/cve_2013_0256.rb +0 -59
  140. data/lib/dawn/kb/cve_2013_0262.rb +0 -26
  141. data/lib/dawn/kb/cve_2013_0263.rb +0 -26
  142. data/lib/dawn/kb/cve_2013_0269.rb +0 -27
  143. data/lib/dawn/kb/cve_2013_0276.rb +0 -28
  144. data/lib/dawn/kb/cve_2013_0277.rb +0 -25
  145. data/lib/dawn/kb/cve_2013_0284.rb +0 -27
  146. data/lib/dawn/kb/cve_2013_0285.rb +0 -27
  147. data/lib/dawn/kb/cve_2013_0333.rb +0 -28
  148. data/lib/dawn/kb/cve_2013_0334.rb +0 -25
  149. data/lib/dawn/kb/cve_2013_1607.rb +0 -25
  150. data/lib/dawn/kb/cve_2013_1655.rb +0 -65
  151. data/lib/dawn/kb/cve_2013_1656.rb +0 -28
  152. data/lib/dawn/kb/cve_2013_1756.rb +0 -26
  153. data/lib/dawn/kb/cve_2013_1800.rb +0 -26
  154. data/lib/dawn/kb/cve_2013_1801.rb +0 -27
  155. data/lib/dawn/kb/cve_2013_1802.rb +0 -27
  156. data/lib/dawn/kb/cve_2013_1812.rb +0 -27
  157. data/lib/dawn/kb/cve_2013_1821.rb +0 -28
  158. data/lib/dawn/kb/cve_2013_1854.rb +0 -26
  159. data/lib/dawn/kb/cve_2013_1855.rb +0 -25
  160. data/lib/dawn/kb/cve_2013_1856.rb +0 -26
  161. data/lib/dawn/kb/cve_2013_1857.rb +0 -27
  162. data/lib/dawn/kb/cve_2013_1875.rb +0 -27
  163. data/lib/dawn/kb/cve_2013_1898.rb +0 -27
  164. data/lib/dawn/kb/cve_2013_1911.rb +0 -28
  165. data/lib/dawn/kb/cve_2013_1933.rb +0 -27
  166. data/lib/dawn/kb/cve_2013_1947.rb +0 -27
  167. data/lib/dawn/kb/cve_2013_1948.rb +0 -27
  168. data/lib/dawn/kb/cve_2013_2065.rb +0 -29
  169. data/lib/dawn/kb/cve_2013_2090.rb +0 -28
  170. data/lib/dawn/kb/cve_2013_2105.rb +0 -26
  171. data/lib/dawn/kb/cve_2013_2119.rb +0 -27
  172. data/lib/dawn/kb/cve_2013_2512.rb +0 -26
  173. data/lib/dawn/kb/cve_2013_2513.rb +0 -25
  174. data/lib/dawn/kb/cve_2013_2516.rb +0 -26
  175. data/lib/dawn/kb/cve_2013_2615.rb +0 -27
  176. data/lib/dawn/kb/cve_2013_2616.rb +0 -27
  177. data/lib/dawn/kb/cve_2013_2617.rb +0 -28
  178. data/lib/dawn/kb/cve_2013_3221.rb +0 -27
  179. data/lib/dawn/kb/cve_2013_4164.rb +0 -30
  180. data/lib/dawn/kb/cve_2013_4203.rb +0 -25
  181. data/lib/dawn/kb/cve_2013_4389.rb +0 -26
  182. data/lib/dawn/kb/cve_2013_4413.rb +0 -27
  183. data/lib/dawn/kb/cve_2013_4457.rb +0 -29
  184. data/lib/dawn/kb/cve_2013_4478.rb +0 -26
  185. data/lib/dawn/kb/cve_2013_4479.rb +0 -26
  186. data/lib/dawn/kb/cve_2013_4489.rb +0 -28
  187. data/lib/dawn/kb/cve_2013_4491.rb +0 -29
  188. data/lib/dawn/kb/cve_2013_4492.rb +0 -29
  189. data/lib/dawn/kb/cve_2013_4562.rb +0 -27
  190. data/lib/dawn/kb/cve_2013_4593.rb +0 -27
  191. data/lib/dawn/kb/cve_2013_5647.rb +0 -29
  192. data/lib/dawn/kb/cve_2013_5671.rb +0 -26
  193. data/lib/dawn/kb/cve_2013_6414.rb +0 -30
  194. data/lib/dawn/kb/cve_2013_6415.rb +0 -29
  195. data/lib/dawn/kb/cve_2013_6416.rb +0 -29
  196. data/lib/dawn/kb/cve_2013_6417.rb +0 -30
  197. data/lib/dawn/kb/cve_2013_6421.rb +0 -28
  198. data/lib/dawn/kb/cve_2013_6459.rb +0 -28
  199. data/lib/dawn/kb/cve_2013_6460.rb +0 -53
  200. data/lib/dawn/kb/cve_2013_6461.rb +0 -57
  201. data/lib/dawn/kb/cve_2013_7086.rb +0 -27
  202. data/lib/dawn/kb/cve_2014_0036.rb +0 -27
  203. data/lib/dawn/kb/cve_2014_0080.rb +0 -29
  204. data/lib/dawn/kb/cve_2014_0081.rb +0 -27
  205. data/lib/dawn/kb/cve_2014_0082.rb +0 -27
  206. data/lib/dawn/kb/cve_2014_0130.rb +0 -27
  207. data/lib/dawn/kb/cve_2014_1233.rb +0 -27
  208. data/lib/dawn/kb/cve_2014_1234.rb +0 -26
  209. data/lib/dawn/kb/cve_2014_2322.rb +0 -28
  210. data/lib/dawn/kb/cve_2014_2525.rb +0 -59
  211. data/lib/dawn/kb/cve_2014_2538.rb +0 -26
  212. data/lib/dawn/kb/cve_2014_3482.rb +0 -28
  213. data/lib/dawn/kb/cve_2014_3483.rb +0 -28
  214. data/lib/dawn/kb/cve_2014_3916.rb +0 -29
  215. data/lib/dawn/kb/cve_2014_4975.rb +0 -28
  216. data/lib/dawn/kb/cve_2014_7818.rb +0 -27
  217. data/lib/dawn/kb/cve_2014_7819.rb +0 -31
  218. data/lib/dawn/kb/cve_2014_7829.rb +0 -30
  219. data/lib/dawn/kb/cve_2014_8090.rb +0 -30
  220. data/lib/dawn/kb/cve_2014_9490.rb +0 -29
  221. data/lib/dawn/kb/cve_2015_1819.rb +0 -34
  222. data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb +0 -28
  223. data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb +0 -28
  224. data/lib/dawn/kb/cve_2015_2963.rb +0 -27
  225. data/lib/dawn/kb/cve_2015_3224.rb +0 -26
  226. data/lib/dawn/kb/cve_2015_3225.rb +0 -28
  227. data/lib/dawn/kb/cve_2015_3226.rb +0 -27
  228. data/lib/dawn/kb/cve_2015_3227.rb +0 -28
  229. data/lib/dawn/kb/cve_2015_3448.rb +0 -29
  230. data/lib/dawn/kb/cve_2015_4020.rb +0 -34
  231. data/lib/dawn/kb/cve_2015_5312.rb +0 -30
  232. data/lib/dawn/kb/cve_2015_7497.rb +0 -32
  233. data/lib/dawn/kb/cve_2015_7498.rb +0 -32
  234. data/lib/dawn/kb/cve_2015_7499.rb +0 -32
  235. data/lib/dawn/kb/cve_2015_7500.rb +0 -32
  236. data/lib/dawn/kb/cve_2015_7519.rb +0 -31
  237. data/lib/dawn/kb/cve_2015_7541.rb +0 -31
  238. data/lib/dawn/kb/cve_2015_7576.rb +0 -35
  239. data/lib/dawn/kb/cve_2015_7577.rb +0 -34
  240. data/lib/dawn/kb/cve_2015_7578.rb +0 -30
  241. data/lib/dawn/kb/cve_2015_7579.rb +0 -30
  242. data/lib/dawn/kb/cve_2015_7581.rb +0 -33
  243. data/lib/dawn/kb/cve_2015_8241.rb +0 -32
  244. data/lib/dawn/kb/cve_2015_8242.rb +0 -32
  245. data/lib/dawn/kb/cve_2015_8317.rb +0 -32
  246. data/lib/dawn/kb/cve_2016_0751.rb +0 -32
  247. data/lib/dawn/kb/cve_2016_0752.rb +0 -35
  248. data/lib/dawn/kb/cve_2016_0753.rb +0 -31
  249. data/lib/dawn/kb/cve_2016_2097.rb +0 -35
  250. data/lib/dawn/kb/cve_2016_2098.rb +0 -35
  251. data/lib/dawn/kb/cve_2016_5697.rb +0 -30
  252. data/lib/dawn/kb/cve_2016_6316.rb +0 -33
  253. data/lib/dawn/kb/cve_2016_6317.rb +0 -32
  254. data/lib/dawn/kb/cve_2016_6582.rb +0 -43
  255. data/lib/dawn/kb/not_revised_code.rb +0 -22
  256. data/lib/dawn/kb/osvdb_105971.rb +0 -29
  257. data/lib/dawn/kb/osvdb_108530.rb +0 -27
  258. data/lib/dawn/kb/osvdb_108563.rb +0 -28
  259. data/lib/dawn/kb/osvdb_108569.rb +0 -28
  260. data/lib/dawn/kb/osvdb_108570.rb +0 -27
  261. data/lib/dawn/kb/osvdb_115654.rb +0 -33
  262. data/lib/dawn/kb/osvdb_116010.rb +0 -30
  263. data/lib/dawn/kb/osvdb_117903.rb +0 -30
  264. data/lib/dawn/kb/osvdb_118579.rb +0 -31
  265. data/lib/dawn/kb/osvdb_118830.rb +0 -32
  266. data/lib/dawn/kb/osvdb_118954.rb +0 -33
  267. data/lib/dawn/kb/osvdb_119878.rb +0 -32
  268. data/lib/dawn/kb/osvdb_119927.rb +0 -33
  269. data/lib/dawn/kb/osvdb_120415.rb +0 -31
  270. data/lib/dawn/kb/osvdb_120857.rb +0 -34
  271. data/lib/dawn/kb/osvdb_121701.rb +0 -30
  272. data/lib/dawn/kb/osvdb_132234.rb +0 -34
  273. data/lib/dawn/kb/owasp_ror_cheatsheet.rb +0 -33
  274. data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -18
  275. data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +0 -57
  276. data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +0 -28
  277. data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +0 -29
  278. data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +0 -33
  279. data/lib/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +0 -35
  280. data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +0 -29
  281. data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +0 -31
  282. data/lib/dawn/kb/simpleform_xss_20131129.rb +0 -28
  283. data/lib/dawn/knowledge_base_experimental.rb +0 -245
  284. data/spec/lib/kb/cve_2011_2705_spec.rb +0 -35
  285. data/spec/lib/kb/cve_2011_2930_spec.rb +0 -31
  286. data/spec/lib/kb/cve_2011_3009_spec.rb +0 -25
  287. data/spec/lib/kb/cve_2011_3187_spec.rb +0 -24
  288. data/spec/lib/kb/cve_2011_4319_spec.rb +0 -44
  289. data/spec/lib/kb/cve_2011_5036_spec.rb +0 -95
  290. data/spec/lib/kb/cve_2012_1098_spec.rb +0 -36
  291. data/spec/lib/kb/cve_2012_2139_spec.rb +0 -20
  292. data/spec/lib/kb/cve_2012_2671_spec.rb +0 -23
  293. data/spec/lib/kb/cve_2012_6109_spec.rb +0 -112
  294. data/spec/lib/kb/cve_2012_6684_spec.rb +0 -16
  295. data/spec/lib/kb/cve_2013_0162_spec.rb +0 -23
  296. data/spec/lib/kb/cve_2013_0183_spec.rb +0 -54
  297. data/spec/lib/kb/cve_2013_0184_spec.rb +0 -115
  298. data/spec/lib/kb/cve_2013_0256_spec.rb +0 -34
  299. data/spec/lib/kb/cve_2013_0262_spec.rb +0 -44
  300. data/spec/lib/kb/cve_2013_0263_spec.rb +0 -11
  301. data/spec/lib/kb/cve_2013_0334_spec.rb +0 -35
  302. data/spec/lib/kb/cve_2013_1607_spec.rb +0 -15
  303. data/spec/lib/kb/cve_2013_1655_spec.rb +0 -31
  304. data/spec/lib/kb/cve_2013_1756_spec.rb +0 -23
  305. data/spec/lib/kb/cve_2013_2090_spec.rb +0 -15
  306. data/spec/lib/kb/cve_2013_2105_spec.rb +0 -11
  307. data/spec/lib/kb/cve_2013_2119_spec.rb +0 -27
  308. data/spec/lib/kb/cve_2013_2512_spec.rb +0 -15
  309. data/spec/lib/kb/cve_2013_2513_spec.rb +0 -15
  310. data/spec/lib/kb/cve_2013_2516_spec.rb +0 -15
  311. data/spec/lib/kb/cve_2013_4203_spec.rb +0 -15
  312. data/spec/lib/kb/cve_2013_4413_spec.rb +0 -16
  313. data/spec/lib/kb/cve_2013_4489_spec.rb +0 -63
  314. data/spec/lib/kb/cve_2013_4491_spec.rb +0 -16
  315. data/spec/lib/kb/cve_2013_4593_spec.rb +0 -16
  316. data/spec/lib/kb/cve_2013_5647_spec.rb +0 -19
  317. data/spec/lib/kb/cve_2013_5671_spec.rb +0 -27
  318. data/spec/lib/kb/cve_2013_6414_spec.rb +0 -26
  319. data/spec/lib/kb/cve_2013_6416_spec.rb +0 -31
  320. data/spec/lib/kb/cve_2013_6459_spec.rb +0 -15
  321. data/spec/lib/kb/cve_2013_7086_spec.rb +0 -22
  322. data/spec/lib/kb/cve_2014_0036_spec.rb +0 -15
  323. data/spec/lib/kb/cve_2014_0080_spec.rb +0 -33
  324. data/spec/lib/kb/cve_2014_0081_spec.rb +0 -50
  325. data/spec/lib/kb/cve_2014_0082_spec.rb +0 -52
  326. data/spec/lib/kb/cve_2014_0130_spec.rb +0 -19
  327. data/spec/lib/kb/cve_2014_1233_spec.rb +0 -15
  328. data/spec/lib/kb/cve_2014_1234_spec.rb +0 -16
  329. data/spec/lib/kb/cve_2014_2322_spec.rb +0 -15
  330. data/spec/lib/kb/cve_2014_2538_spec.rb +0 -15
  331. data/spec/lib/kb/cve_2014_3482_spec.rb +0 -15
  332. data/spec/lib/kb/cve_2014_3483_spec.rb +0 -27
  333. data/spec/lib/kb/cve_2014_7818_spec.rb +0 -42
  334. data/spec/lib/kb/cve_2014_7819_spec.rb +0 -139
  335. data/spec/lib/kb/cve_2014_7829_spec.rb +0 -50
  336. data/spec/lib/kb/cve_2014_9490_spec.rb +0 -17
  337. data/spec/lib/kb/cve_2015_1819_spec.rb +0 -16
  338. data/spec/lib/kb/cve_2015_1840_spec.rb +0 -39
  339. data/spec/lib/kb/cve_2015_2963_spec.rb +0 -17
  340. data/spec/lib/kb/cve_2015_3224_spec.rb +0 -16
  341. data/spec/lib/kb/cve_2015_3225_spec.rb +0 -27
  342. data/spec/lib/kb/cve_2015_3226_spec.rb +0 -35
  343. data/spec/lib/kb/cve_2015_3227_spec.rb +0 -31
  344. data/spec/lib/kb/cve_2015_3448_spec.rb +0 -16
  345. data/spec/lib/kb/cve_2015_4020_spec.rb +0 -24
  346. data/spec/lib/kb/cve_2015_5312_spec.rb +0 -31
  347. data/spec/lib/kb/cve_2015_7497_spec.rb +0 -31
  348. data/spec/lib/kb/cve_2015_7498_spec.rb +0 -31
  349. data/spec/lib/kb/cve_2015_7499_spec.rb +0 -31
  350. data/spec/lib/kb/cve_2015_7500_spec.rb +0 -31
  351. data/spec/lib/kb/cve_2015_7519_spec.rb +0 -23
  352. data/spec/lib/kb/cve_2015_7541_spec.rb +0 -15
  353. data/spec/lib/kb/cve_2015_7576_spec.rb +0 -51
  354. data/spec/lib/kb/cve_2015_7577_spec.rb +0 -63
  355. data/spec/lib/kb/cve_2015_7578_spec.rb +0 -15
  356. data/spec/lib/kb/cve_2015_7579_spec.rb +0 -23
  357. data/spec/lib/kb/cve_2015_7581_spec.rb +0 -51
  358. data/spec/lib/kb/cve_2015_8241_spec.rb +0 -31
  359. data/spec/lib/kb/cve_2015_8242_spec.rb +0 -31
  360. data/spec/lib/kb/cve_2015_8317_spec.rb +0 -31
  361. data/spec/lib/kb/cve_2016_0751_spec.rb +0 -55
  362. data/spec/lib/kb/cve_2016_0752_spec.rb +0 -51
  363. data/spec/lib/kb/cve_2016_0753_spec.rb +0 -51
  364. data/spec/lib/kb/cve_2016_2097_spec.rb +0 -35
  365. data/spec/lib/kb/cve_2016_2098_spec.rb +0 -55
  366. data/spec/lib/kb/cve_2016_5697_spec.rb +0 -15
  367. data/spec/lib/kb/cve_2016_6316_spec.rb +0 -44
  368. data/spec/lib/kb/cve_2016_6317_spec.rb +0 -35
  369. data/spec/lib/kb/cve_2016_6582_spec.rb +0 -29
  370. data/spec/lib/kb/osvdb_105971_spec.rb +0 -15
  371. data/spec/lib/kb/osvdb_108530_spec.rb +0 -22
  372. data/spec/lib/kb/osvdb_108563_spec.rb +0 -18
  373. data/spec/lib/kb/osvdb_108569_spec.rb +0 -17
  374. data/spec/lib/kb/osvdb_108570_spec.rb +0 -17
  375. data/spec/lib/kb/osvdb_115654_spec.rb +0 -15
  376. data/spec/lib/kb/osvdb_116010_spec.rb +0 -15
  377. data/spec/lib/kb/osvdb_117903_spec.rb +0 -23
  378. data/spec/lib/kb/osvdb_118579_spec.rb +0 -8
  379. data/spec/lib/kb/osvdb_118830_spec.rb +0 -16
  380. data/spec/lib/kb/osvdb_118954_spec.rb +0 -20
  381. data/spec/lib/kb/osvdb_119878_spec.rb +0 -92
  382. data/spec/lib/kb/osvdb_119927_spec.rb +0 -16
  383. data/spec/lib/kb/osvdb_120415_spec.rb +0 -16
  384. data/spec/lib/kb/osvdb_120857_spec.rb +0 -32
  385. data/spec/lib/kb/osvdb_121701_spec.rb +0 -15
  386. data/spec/lib/kb/osvdb_132234_spec.rb +0 -15
  387. metadata.gz.sig +0 -0
Binary file
@@ -0,0 +1,650 @@
1
+ require 'date'
2
+ # Core KB
3
+ require "dawn/kb/basic_check"
4
+ require "dawn/kb/pattern_match_check"
5
+ require "dawn/kb/dependency_check"
6
+ require "dawn/kb/ruby_version_check"
7
+ require "dawn/kb/operating_system_check"
8
+ require "dawn/kb/combo_check"
9
+ require "dawn/kb/version_check"
10
+ require "dawn/kb/deprecation_check"
11
+ require "dawn/kb/gem_check"
12
+
13
+ # Q&A related checks
14
+ ## Not revised code
15
+ require "dawn/kb/not_revised_code"
16
+
17
+ ## Owasp ROR Cheatsheet
18
+ require 'dawn/kb/owasp_ror_cheatsheet/command_injection'
19
+ require 'dawn/kb/owasp_ror_cheatsheet/csrf'
20
+ require 'dawn/kb/owasp_ror_cheatsheet/session_stored_in_database'
21
+ require 'dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model'
22
+ require 'dawn/kb/owasp_ror_cheatsheet/security_related_headers'
23
+ require 'dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward'
24
+ require 'dawn/kb/owasp_ror_cheatsheet/sensitive_files'
25
+
26
+ # Security checks with no or pending CVE
27
+
28
+ # A XSS issue on Simple Form gem reported by Rafael Mendonça França on
29
+ # November, 29 2013
30
+ #
31
+ # https://groups.google.com/forum/#!topic/ruby-security-ann/flHbLMb07tE
32
+ require "dawn/kb/simpleform_xss_20131129"
33
+
34
+ # CVE - 2004
35
+ require "dawn/kb/cve_2004_0755"
36
+ require "dawn/kb/cve_2004_0983"
37
+
38
+ # CVE - 2005
39
+ require "dawn/kb/cve_2005_1992"
40
+ require "dawn/kb/cve_2005_2337"
41
+
42
+ # CVE - 2006
43
+ require "dawn/kb/cve_2006_1931"
44
+ require "dawn/kb/cve_2006_2582"
45
+ require "dawn/kb/cve_2006_3694"
46
+ require "dawn/kb/cve_2006_4112"
47
+ require "dawn/kb/cve_2006_5467"
48
+ require "dawn/kb/cve_2006_6303"
49
+ require "dawn/kb/cve_2006_6852"
50
+ require "dawn/kb/cve_2006_6979"
51
+
52
+ # CVE - 2007
53
+ require "dawn/kb/cve_2007_0469"
54
+ require "dawn/kb/cve_2007_5162"
55
+ require "dawn/kb/cve_2007_5379"
56
+ require "dawn/kb/cve_2007_5380"
57
+ require "dawn/kb/cve_2007_5770"
58
+ require "dawn/kb/cve_2007_6077"
59
+ require "dawn/kb/cve_2007_6612"
60
+
61
+ # CVE - 2008
62
+
63
+ require "dawn/kb/cve_2008_1145"
64
+ require "dawn/kb/cve_2008_1891"
65
+ require "dawn/kb/cve_2008_2376"
66
+ require "dawn/kb/cve_2008_2662"
67
+ require "dawn/kb/cve_2008_2663"
68
+ require "dawn/kb/cve_2008_2664"
69
+ require "dawn/kb/cve_2008_2725"
70
+ require "dawn/kb/cve_2008_3655"
71
+ require "dawn/kb/cve_2008_3657"
72
+ require "dawn/kb/cve_2008_3790"
73
+ require "dawn/kb/cve_2008_3905"
74
+ require "dawn/kb/cve_2008_4094"
75
+ require "dawn/kb/cve_2008_4310"
76
+ require "dawn/kb/cve_2008_5189"
77
+ require "dawn/kb/cve_2008_7248"
78
+
79
+ # CVE - 2009
80
+ require "dawn/kb/cve_2009_4078"
81
+ require "dawn/kb/cve_2009_4124"
82
+ require "dawn/kb/cve_2009_4214"
83
+
84
+ # CVE - 2010
85
+ require "dawn/kb/cve_2010_1330"
86
+ require "dawn/kb/cve_2010_2489"
87
+ require "dawn/kb/cve_2010_3933"
88
+
89
+ # CVE - 2011
90
+ require "dawn/kb/cve_2011_0188"
91
+ require "dawn/kb/cve_2011_0446"
92
+ require "dawn/kb/cve_2011_0447"
93
+ require "dawn/kb/cve_2011_0739"
94
+ require "dawn/kb/cve_2011_0995"
95
+ require "dawn/kb/cve_2011_1004"
96
+ require "dawn/kb/cve_2011_1005"
97
+ require "dawn/kb/cve_2011_2197"
98
+ require "dawn/kb/cve_2011_2686"
99
+ require "dawn/kb/cve_2011_2705"
100
+ require "dawn/kb/cve_2011_2929"
101
+ require "dawn/kb/cve_2011_2930"
102
+ require "dawn/kb/cve_2011_2931"
103
+ require "dawn/kb/cve_2011_2932"
104
+ require "dawn/kb/cve_2011_3009"
105
+ require "dawn/kb/cve_2011_3186"
106
+ require "dawn/kb/cve_2011_3187"
107
+ require "dawn/kb/cve_2011_4319"
108
+ require "dawn/kb/cve_2011_4815"
109
+ require "dawn/kb/cve_2011_5036"
110
+
111
+ # CVE - 2012
112
+ require "dawn/kb/cve_2012_1098"
113
+ require "dawn/kb/cve_2012_1099"
114
+ require "dawn/kb/cve_2012_1241"
115
+ require "dawn/kb/cve_2012_2139"
116
+ require "dawn/kb/cve_2012_2140"
117
+ require "dawn/kb/cve_2012_2660"
118
+ require "dawn/kb/cve_2012_2661"
119
+ require "dawn/kb/cve_2012_2671"
120
+ require "dawn/kb/cve_2012_2694"
121
+ require "dawn/kb/cve_2012_2695"
122
+ require "dawn/kb/cve_2012_3424"
123
+ require "dawn/kb/cve_2012_3463"
124
+ require "dawn/kb/cve_2012_3464"
125
+ require "dawn/kb/cve_2012_3465"
126
+ require "dawn/kb/cve_2012_4464"
127
+ require "dawn/kb/cve_2012_4466"
128
+ require "dawn/kb/cve_2012_4481"
129
+ require "dawn/kb/cve_2012_4522"
130
+ require "dawn/kb/cve_2012_5370"
131
+ require "dawn/kb/cve_2012_5371"
132
+ require "dawn/kb/cve_2012_5380"
133
+ require "dawn/kb/cve_2012_6109"
134
+ require "dawn/kb/cve_2012_6134"
135
+ require "dawn/kb/cve_2012_6496"
136
+ require "dawn/kb/cve_2012_6497"
137
+ require "dawn/kb/cve_2012_6684"
138
+
139
+ # CVE - 2013
140
+ require "dawn/kb/cve_2013_0155"
141
+ require "dawn/kb/cve_2013_0156"
142
+ require "dawn/kb/cve_2013_0162"
143
+ require "dawn/kb/cve_2013_0175"
144
+ require "dawn/kb/cve_2013_0183"
145
+ require "dawn/kb/cve_2013_0184"
146
+ require "dawn/kb/cve_2013_0233"
147
+ require "dawn/kb/cve_2013_0256"
148
+ require "dawn/kb/cve_2013_0262"
149
+ require "dawn/kb/cve_2013_0263"
150
+ require "dawn/kb/cve_2013_0269"
151
+ require "dawn/kb/cve_2013_0276"
152
+ require "dawn/kb/cve_2013_0277"
153
+ require "dawn/kb/cve_2013_0284"
154
+ require "dawn/kb/cve_2013_0285"
155
+ require "dawn/kb/cve_2013_0333"
156
+ require "dawn/kb/cve_2013_0334"
157
+ require "dawn/kb/cve_2013_1607"
158
+ require "dawn/kb/cve_2013_1655"
159
+ require "dawn/kb/cve_2013_1656"
160
+ require "dawn/kb/cve_2013_1756"
161
+ require "dawn/kb/cve_2013_1800"
162
+ require "dawn/kb/cve_2013_1801"
163
+ require "dawn/kb/cve_2013_1802"
164
+ require "dawn/kb/cve_2013_1812"
165
+ require "dawn/kb/cve_2013_1821"
166
+ require "dawn/kb/cve_2013_1854"
167
+ require "dawn/kb/cve_2013_1855"
168
+ require "dawn/kb/cve_2013_1856"
169
+ require "dawn/kb/cve_2013_1857"
170
+ require "dawn/kb/cve_2013_1875"
171
+ require "dawn/kb/cve_2013_1898"
172
+ require "dawn/kb/cve_2013_1911"
173
+ require "dawn/kb/cve_2013_1933"
174
+ require "dawn/kb/cve_2013_1947"
175
+ require "dawn/kb/cve_2013_1948"
176
+ require "dawn/kb/cve_2013_2065"
177
+ require "dawn/kb/cve_2013_2090"
178
+ require "dawn/kb/cve_2013_2105"
179
+ require "dawn/kb/cve_2013_2119"
180
+ require "dawn/kb/cve_2013_2512"
181
+ require "dawn/kb/cve_2013_2513"
182
+ require "dawn/kb/cve_2013_2516"
183
+ require "dawn/kb/cve_2013_2615"
184
+ require "dawn/kb/cve_2013_2616"
185
+ require "dawn/kb/cve_2013_2617"
186
+ require "dawn/kb/cve_2013_3221"
187
+ require "dawn/kb/cve_2013_4164"
188
+ require "dawn/kb/cve_2013_4203"
189
+ require "dawn/kb/cve_2013_4389"
190
+ require "dawn/kb/cve_2013_4413"
191
+ require "dawn/kb/cve_2013_4457"
192
+ require "dawn/kb/cve_2013_4478"
193
+ require "dawn/kb/cve_2013_4479"
194
+ require "dawn/kb/cve_2013_4489"
195
+ require "dawn/kb/cve_2013_4491"
196
+ require "dawn/kb/cve_2013_4492"
197
+ require "dawn/kb/cve_2013_4562"
198
+ require "dawn/kb/cve_2013_4593"
199
+ require "dawn/kb/cve_2013_5647"
200
+ require "dawn/kb/cve_2013_5671"
201
+ require "dawn/kb/cve_2013_6414"
202
+ require "dawn/kb/cve_2013_6415"
203
+ require "dawn/kb/cve_2013_6416"
204
+ require "dawn/kb/cve_2013_6417"
205
+ require "dawn/kb/cve_2013_6421"
206
+ require "dawn/kb/cve_2013_6459"
207
+ require "dawn/kb/cve_2013_6460"
208
+ require "dawn/kb/cve_2013_6461"
209
+ require "dawn/kb/cve_2013_7086"
210
+
211
+ # CVE - 2014
212
+
213
+ require "dawn/kb/cve_2014_0036"
214
+ require "dawn/kb/cve_2014_0080"
215
+ require "dawn/kb/cve_2014_0081"
216
+ require "dawn/kb/cve_2014_0082"
217
+ require "dawn/kb/cve_2014_0130"
218
+ require "dawn/kb/cve_2014_1233"
219
+ require "dawn/kb/cve_2014_1234"
220
+ require "dawn/kb/cve_2014_2322"
221
+ require "dawn/kb/cve_2014_2525"
222
+ require "dawn/kb/cve_2014_2538"
223
+ require "dawn/kb/cve_2014_3482"
224
+ require "dawn/kb/cve_2014_3483"
225
+ require "dawn/kb/cve_2014_3916"
226
+ require "dawn/kb/cve_2014_4975"
227
+ require "dawn/kb/cve_2014_7818"
228
+ require "dawn/kb/cve_2014_7819"
229
+ require "dawn/kb/cve_2014_7829"
230
+ require "dawn/kb/cve_2014_8090"
231
+ require "dawn/kb/cve_2014_9490"
232
+
233
+ # CVE - 2015
234
+
235
+
236
+ require "dawn/kb/cve_2015_1819"
237
+ # CVE-2015-1840 is spread in two classes because a single CVE is assigned to a
238
+ # vulnerability affecting two differents but related gems.
239
+ require "dawn/kb/cve_2015_1840/cve_2015_1840_a"
240
+ require "dawn/kb/cve_2015_1840/cve_2015_1840_b"
241
+ require "dawn/kb/cve_2015_2963"
242
+ require "dawn/kb/cve_2015_3224"
243
+ require "dawn/kb/cve_2015_3225"
244
+ require "dawn/kb/cve_2015_3226"
245
+ require "dawn/kb/cve_2015_3227"
246
+ require "dawn/kb/cve_2015_3448"
247
+ require "dawn/kb/cve_2015_4020"
248
+ require "dawn/kb/cve_2015_5312"
249
+ require "dawn/kb/cve_2015_7497"
250
+ require "dawn/kb/cve_2015_7498"
251
+ require "dawn/kb/cve_2015_7499"
252
+ require "dawn/kb/cve_2015_7500"
253
+ require "dawn/kb/cve_2015_7519"
254
+ require "dawn/kb/cve_2015_7541"
255
+ require "dawn/kb/cve_2015_7576"
256
+ require "dawn/kb/cve_2015_7577"
257
+ require "dawn/kb/cve_2015_7578"
258
+ require "dawn/kb/cve_2015_7579"
259
+ require "dawn/kb/cve_2015_7581"
260
+ require "dawn/kb/cve_2015_8241"
261
+ require "dawn/kb/cve_2015_8242"
262
+ require "dawn/kb/cve_2015_8317"
263
+
264
+ # CVE - 2016
265
+
266
+ require "dawn/kb/cve_2016_0751"
267
+ require "dawn/kb/cve_2016_0752"
268
+ require "dawn/kb/cve_2016_0753"
269
+ require "dawn/kb/cve_2016_2097"
270
+ require "dawn/kb/cve_2016_2098"
271
+ require "dawn/kb/cve_2016_5697"
272
+ require "dawn/kb/cve_2016_6316"
273
+ require "dawn/kb/cve_2016_6317"
274
+ require "dawn/kb/cve_2016_6582"
275
+
276
+ # OSVDB
277
+
278
+ require "dawn/kb/osvdb_105971"
279
+ require "dawn/kb/osvdb_108569"
280
+ require "dawn/kb/osvdb_108570"
281
+ require "dawn/kb/osvdb_108530"
282
+ require "dawn/kb/osvdb_108563"
283
+ require "dawn/kb/osvdb_115654"
284
+ require "dawn/kb/osvdb_116010"
285
+ require "dawn/kb/osvdb_117903"
286
+ require "dawn/kb/osvdb_118579"
287
+ require "dawn/kb/osvdb_118830"
288
+ require "dawn/kb/osvdb_118954"
289
+ require "dawn/kb/osvdb_119878"
290
+ require "dawn/kb/osvdb_119927"
291
+ require "dawn/kb/osvdb_120415"
292
+ require "dawn/kb/osvdb_120857"
293
+ require "dawn/kb/osvdb_121701"
294
+ require "dawn/kb/osvdb_132234"
295
+
296
+
297
+
298
+ module Dawn
299
+ # XXX: Check if it best using a singleton here
300
+ class KnowledgeBase
301
+
302
+ include Dawn::Utils
303
+
304
+ GEM_CHECK = :rubygem_check
305
+ DEPENDENCY_CHECK = :dependency_check
306
+ PATTERN_MATCH_CHECK = :pattern_match_check
307
+ RUBY_VERSION_CHECK = :ruby_version_check
308
+ OS_CHECK = :os_check
309
+ COMBO_CHECK = :combo_check
310
+ CUSTOM_CHECK = :custom_check
311
+
312
+ def initialize(options={})
313
+ @enabled_checks = Dawn::Kb::BasicCheck::ALLOWED_FAMILIES
314
+ @enabled_checks = options[:enabled_checks] unless options[:enabled_checks].nil?
315
+
316
+ @security_checks = load_security_checks
317
+ end
318
+
319
+ def self.find(checks=nil, name)
320
+ return nil if name.nil? or name.empty?
321
+ checks = Dawn::KnowledgeBase.new.load_security_checks if checks.nil?
322
+
323
+ checks.each do |sc|
324
+ return sc if sc.name == name
325
+ end
326
+ nil
327
+ end
328
+
329
+ def find(name)
330
+ Dawn::KnowledgeBase.find(@security_checks, name)
331
+ end
332
+
333
+ def all
334
+ @security_checks
335
+ end
336
+
337
+ # TODO - next big refactoring will include also a change in this API.
338
+ #
339
+ # So to match Semantic Version, it must bring to a major version bump.
340
+ # MVC name should be passed as constructor option, so the all_by_mvc can
341
+ #
342
+ # be called without parameter, having a nice-to-read code.
343
+ # @checks = Dawn::KnowledgeBase.new({:enabled_checks=>@enabled_checks}).all_by_mvc(@name)
344
+ def all_by_mvc(mvc)
345
+ ret = []
346
+ @security_checks.each do |sc|
347
+ ret << sc if sc.applies_to?(mvc)
348
+ end
349
+ ret
350
+ end
351
+
352
+ def all_sinatra_checks
353
+ self.all_by_mvc("sinatra")
354
+ end
355
+
356
+ def all_rails_checks
357
+ self.all_by_mvc("rails")
358
+ end
359
+
360
+ def all_padrino_checks
361
+ self.all_by_mvc("padrino")
362
+ end
363
+
364
+ def all_rack_checks
365
+ self.all_by_mvc("rack")
366
+ end
367
+
368
+ def load_security_checks
369
+
370
+ # START @cve_security_checks array
371
+ @cve_security_checks =
372
+ [
373
+ Dawn::Kb::CVE_2004_0755.new,
374
+ Dawn::Kb::CVE_2004_0983.new,
375
+ Dawn::Kb::CVE_2005_1992.new,
376
+ Dawn::Kb::CVE_2005_2337.new,
377
+ Dawn::Kb::CVE_2006_1931.new,
378
+ Dawn::Kb::CVE_2006_2582.new,
379
+ Dawn::Kb::CVE_2006_3694.new,
380
+ Dawn::Kb::CVE_2006_4112.new,
381
+ Dawn::Kb::CVE_2006_5467.new,
382
+ Dawn::Kb::CVE_2006_6303.new,
383
+ Dawn::Kb::CVE_2006_6852.new,
384
+ Dawn::Kb::CVE_2006_6979.new,
385
+ Dawn::Kb::CVE_2007_0469.new,
386
+ Dawn::Kb::CVE_2007_5162.new,
387
+ Dawn::Kb::CVE_2007_5379.new,
388
+ Dawn::Kb::CVE_2007_5380.new,
389
+ Dawn::Kb::CVE_2007_5770.new,
390
+ Dawn::Kb::CVE_2007_6077.new,
391
+ Dawn::Kb::CVE_2007_6612.new,
392
+ Dawn::Kb::CVE_2008_1145.new,
393
+ Dawn::Kb::CVE_2008_1891.new,
394
+ Dawn::Kb::CVE_2008_2376.new,
395
+ Dawn::Kb::CVE_2008_2662.new,
396
+ Dawn::Kb::CVE_2008_2663.new,
397
+ Dawn::Kb::CVE_2008_2664.new,
398
+ Dawn::Kb::CVE_2008_2725.new,
399
+ Dawn::Kb::CVE_2008_3655.new,
400
+ Dawn::Kb::CVE_2008_3657.new,
401
+ Dawn::Kb::CVE_2008_3790.new,
402
+ Dawn::Kb::CVE_2008_3905.new,
403
+ Dawn::Kb::CVE_2008_4094.new,
404
+ Dawn::Kb::CVE_2008_4310.new,
405
+ Dawn::Kb::CVE_2008_5189.new,
406
+ Dawn::Kb::CVE_2008_7248.new,
407
+ Dawn::Kb::CVE_2009_4078.new,
408
+ Dawn::Kb::CVE_2009_4124.new,
409
+ Dawn::Kb::CVE_2009_4214.new,
410
+ Dawn::Kb::CVE_2010_1330.new,
411
+ Dawn::Kb::CVE_2010_2489.new,
412
+ Dawn::Kb::CVE_2010_3933.new,
413
+ Dawn::Kb::CVE_2011_0188.new,
414
+ Dawn::Kb::CVE_2011_0446.new,
415
+ Dawn::Kb::CVE_2011_0447.new,
416
+ Dawn::Kb::CVE_2011_0739.new,
417
+ Dawn::Kb::CVE_2011_0995.new,
418
+ Dawn::Kb::CVE_2011_1004.new,
419
+ Dawn::Kb::CVE_2011_1005.new,
420
+ Dawn::Kb::CVE_2011_2197.new,
421
+ Dawn::Kb::CVE_2011_2686.new,
422
+ Dawn::Kb::CVE_2011_2705.new,
423
+ Dawn::Kb::CVE_2011_2929.new,
424
+ Dawn::Kb::CVE_2011_2930.new,
425
+ Dawn::Kb::CVE_2011_2931.new,
426
+ Dawn::Kb::CVE_2011_2932.new,
427
+ Dawn::Kb::CVE_2011_3009.new,
428
+ Dawn::Kb::CVE_2011_3186.new,
429
+ Dawn::Kb::CVE_2011_3187.new,
430
+ Dawn::Kb::CVE_2011_4319.new,
431
+ Dawn::Kb::CVE_2011_4815.new,
432
+ Dawn::Kb::CVE_2011_5036.new,
433
+ Dawn::Kb::CVE_2012_1098.new,
434
+ Dawn::Kb::CVE_2012_1099.new,
435
+ Dawn::Kb::CVE_2012_1241.new,
436
+ Dawn::Kb::CVE_2012_2139.new,
437
+ Dawn::Kb::CVE_2012_2140.new,
438
+ Dawn::Kb::CVE_2012_2660.new,
439
+ Dawn::Kb::CVE_2012_2661.new,
440
+ Dawn::Kb::CVE_2012_2671.new,
441
+ Dawn::Kb::CVE_2012_2694.new,
442
+ Dawn::Kb::CVE_2012_2695.new,
443
+ Dawn::Kb::CVE_2012_3424.new,
444
+ Dawn::Kb::CVE_2012_3463.new,
445
+ Dawn::Kb::CVE_2012_3464.new,
446
+ Dawn::Kb::CVE_2012_3465.new,
447
+ Dawn::Kb::CVE_2012_4464.new,
448
+ Dawn::Kb::CVE_2012_4466.new,
449
+ Dawn::Kb::CVE_2012_4481.new,
450
+ Dawn::Kb::CVE_2012_4522.new,
451
+ Dawn::Kb::CVE_2012_5370.new,
452
+ Dawn::Kb::CVE_2012_5371.new,
453
+ Dawn::Kb::CVE_2012_5380.new,
454
+ Dawn::Kb::CVE_2012_6109.new,
455
+ Dawn::Kb::CVE_2012_6134.new,
456
+ Dawn::Kb::CVE_2012_6496.new,
457
+ Dawn::Kb::CVE_2012_6497.new,
458
+ Dawn::Kb::CVE_2012_6684.new,
459
+ Dawn::Kb::CVE_2013_0155.new,
460
+ Dawn::Kb::CVE_2013_0156.new,
461
+ Dawn::Kb::CVE_2013_0162.new,
462
+ Dawn::Kb::CVE_2013_0175.new,
463
+ Dawn::Kb::CVE_2013_0183.new,
464
+ Dawn::Kb::CVE_2013_0184.new,
465
+ Dawn::Kb::CVE_2013_0233.new,
466
+ Dawn::Kb::CVE_2013_0256.new,
467
+ Dawn::Kb::CVE_2013_0262.new,
468
+ Dawn::Kb::CVE_2013_0263.new,
469
+ Dawn::Kb::CVE_2013_0269.new,
470
+ Dawn::Kb::CVE_2013_0276.new,
471
+ Dawn::Kb::CVE_2013_0277.new,
472
+ Dawn::Kb::CVE_2013_0284.new,
473
+ Dawn::Kb::CVE_2013_0285.new,
474
+ Dawn::Kb::CVE_2013_0333.new,
475
+ Dawn::Kb::CVE_2013_0334.new,
476
+ Dawn::Kb::CVE_2013_1607.new,
477
+ Dawn::Kb::CVE_2013_1655.new,
478
+ Dawn::Kb::CVE_2013_1656.new,
479
+ Dawn::Kb::CVE_2013_1756.new,
480
+ Dawn::Kb::CVE_2013_1800.new,
481
+ Dawn::Kb::CVE_2013_1801.new,
482
+ Dawn::Kb::CVE_2013_1802.new,
483
+ Dawn::Kb::CVE_2013_1812.new,
484
+ Dawn::Kb::CVE_2013_1821.new,
485
+ Dawn::Kb::CVE_2013_1854.new,
486
+ Dawn::Kb::CVE_2013_1855.new,
487
+ Dawn::Kb::CVE_2013_1856.new,
488
+ Dawn::Kb::CVE_2013_1857.new,
489
+ Dawn::Kb::CVE_2013_1875.new,
490
+ Dawn::Kb::CVE_2013_1898.new,
491
+ Dawn::Kb::CVE_2013_1911.new,
492
+ Dawn::Kb::CVE_2013_1933.new,
493
+ Dawn::Kb::CVE_2013_1947.new,
494
+ Dawn::Kb::CVE_2013_1948.new,
495
+ Dawn::Kb::CVE_2013_2065.new,
496
+ Dawn::Kb::CVE_2013_2090.new,
497
+ Dawn::Kb::CVE_2013_2105.new,
498
+ Dawn::Kb::CVE_2013_2119.new,
499
+ Dawn::Kb::CVE_2013_2512.new,
500
+ Dawn::Kb::CVE_2013_2513.new,
501
+ Dawn::Kb::CVE_2013_2516.new,
502
+ Dawn::Kb::CVE_2013_2615.new,
503
+ Dawn::Kb::CVE_2013_2616.new,
504
+ Dawn::Kb::CVE_2013_2617.new,
505
+ Dawn::Kb::CVE_2013_3221.new,
506
+ Dawn::Kb::CVE_2013_4164.new,
507
+ Dawn::Kb::CVE_2013_4203.new,
508
+ Dawn::Kb::CVE_2013_4389.new,
509
+ Dawn::Kb::CVE_2013_4413.new,
510
+ Dawn::Kb::CVE_2013_4457.new,
511
+ Dawn::Kb::CVE_2013_4478.new,
512
+ Dawn::Kb::CVE_2013_4479.new,
513
+ Dawn::Kb::CVE_2013_4489.new,
514
+ Dawn::Kb::CVE_2013_4491.new,
515
+ Dawn::Kb::CVE_2013_4492.new,
516
+ Dawn::Kb::CVE_2013_4562.new,
517
+ Dawn::Kb::CVE_2013_4593.new,
518
+ Dawn::Kb::CVE_2013_5647.new,
519
+ Dawn::Kb::CVE_2013_5671.new,
520
+ Dawn::Kb::CVE_2013_6414.new,
521
+ Dawn::Kb::CVE_2013_6415.new,
522
+ Dawn::Kb::CVE_2013_6416.new,
523
+ Dawn::Kb::CVE_2013_6417.new,
524
+ Dawn::Kb::CVE_2013_6421.new,
525
+ Dawn::Kb::CVE_2013_6459.new,
526
+ Dawn::Kb::CVE_2013_6460.new,
527
+ Dawn::Kb::CVE_2013_6461.new,
528
+ Dawn::Kb::CVE_2013_7086.new,
529
+ Dawn::Kb::CVE_2014_0036.new,
530
+ Dawn::Kb::CVE_2014_0080.new,
531
+ Dawn::Kb::CVE_2014_0081.new,
532
+ Dawn::Kb::CVE_2014_0082.new,
533
+ Dawn::Kb::CVE_2014_0130.new,
534
+ Dawn::Kb::CVE_2014_1233.new,
535
+ Dawn::Kb::CVE_2014_1234.new,
536
+ Dawn::Kb::CVE_2014_2322.new,
537
+ Dawn::Kb::CVE_2014_2525.new,
538
+ Dawn::Kb::CVE_2014_2538.new,
539
+ Dawn::Kb::CVE_2014_3482.new,
540
+ Dawn::Kb::CVE_2014_3483.new,
541
+ Dawn::Kb::CVE_2014_3916.new,
542
+ Dawn::Kb::CVE_2014_4975.new,
543
+ Dawn::Kb::CVE_2014_7818.new,
544
+ Dawn::Kb::CVE_2014_7819.new,
545
+ Dawn::Kb::CVE_2014_7829.new,
546
+ Dawn::Kb::CVE_2014_8090.new,
547
+ Dawn::Kb::CVE_2014_9490.new,
548
+ Dawn::Kb::CVE_2015_1819.new,
549
+ Dawn::Kb::CVE_2015_1840_a.new,
550
+ Dawn::Kb::CVE_2015_1840_b.new,
551
+ Dawn::Kb::CVE_2015_2963.new,
552
+ Dawn::Kb::CVE_2015_3224.new,
553
+ Dawn::Kb::CVE_2015_3225.new,
554
+ Dawn::Kb::CVE_2015_3226.new,
555
+ Dawn::Kb::CVE_2015_3227.new,
556
+ Dawn::Kb::CVE_2015_3448.new,
557
+ Dawn::Kb::CVE_2015_4020.new,
558
+ Dawn::Kb::CVE_2015_5312.new,
559
+ Dawn::Kb::CVE_2015_7497.new,
560
+ Dawn::Kb::CVE_2015_7498.new,
561
+ Dawn::Kb::CVE_2015_7499.new,
562
+ Dawn::Kb::CVE_2015_7500.new,
563
+ Dawn::Kb::CVE_2015_7519.new,
564
+ Dawn::Kb::CVE_2015_7541.new,
565
+ Dawn::Kb::CVE_2015_7576.new,
566
+ Dawn::Kb::CVE_2015_7577.new,
567
+ Dawn::Kb::CVE_2015_7578.new,
568
+ Dawn::Kb::CVE_2015_7579.new,
569
+ Dawn::Kb::CVE_2015_7581.new,
570
+ Dawn::Kb::CVE_2015_8241.new,
571
+ Dawn::Kb::CVE_2015_8242.new,
572
+ Dawn::Kb::CVE_2015_8317.new,
573
+ Dawn::Kb::CVE_2016_0751.new,
574
+ Dawn::Kb::CVE_2016_0752.new,
575
+ Dawn::Kb::CVE_2016_0753.new,
576
+ Dawn::Kb::CVE_2016_2097.new,
577
+ Dawn::Kb::CVE_2016_2098.new,
578
+ Dawn::Kb::CVE_2016_5697.new,
579
+ Dawn::Kb::CVE_2016_6316.new,
580
+ Dawn::Kb::CVE_2016_6317.new,
581
+ Dawn::Kb::CVE_2016_6582.new,
582
+
583
+
584
+ # OSVDB Checks are still here since are all about dependencies
585
+ Dawn::Kb::OSVDB_105971.new,
586
+ Dawn::Kb::OSVDB_108569.new,
587
+ Dawn::Kb::OSVDB_108570.new,
588
+ Dawn::Kb::OSVDB_108530.new,
589
+ Dawn::Kb::OSVDB_108563.new,
590
+ Dawn::Kb::OSVDB_115654.new,
591
+ Dawn::Kb::OSVDB_116010.new,
592
+ Dawn::Kb::OSVDB_117903.new,
593
+ Dawn::Kb::OSVDB_118579.new,
594
+ Dawn::Kb::OSVDB_118830.new,
595
+ Dawn::Kb::OSVDB_118954.new,
596
+ Dawn::Kb::OSVDB_119878.new,
597
+ Dawn::Kb::OSVDB_119927.new,
598
+ Dawn::Kb::OSVDB_120415.new,
599
+ Dawn::Kb::OSVDB_120857.new,
600
+ Dawn::Kb::OSVDB_121701.new,
601
+ Dawn::Kb::OSVDB_132234.new,
602
+ ]
603
+ # END @cve_security_checks array
604
+ # START @owasp_ror_cheatsheet_checks array
605
+ @owasp_ror_cheatsheet_checks = [
606
+ Dawn::Kb::OwaspRorCheatSheet::CommandInjection.new,
607
+ Dawn::Kb::OwaspRorCheatSheet::Csrf.new,
608
+ Dawn::Kb::OwaspRorCheatSheet::SessionStoredInDatabase.new,
609
+ Dawn::Kb::OwaspRorCheatSheet::MassAssignmentInModel.new,
610
+ Dawn::Kb::OwaspRorCheatSheet::SecurityRelatedHeaders.new,
611
+ Dawn::Kb::OwaspRorCheatSheet::CheckForSafeRedirectAndForward.new,
612
+ Dawn::Kb::OwaspRorCheatSheet::SensitiveFiles.new,
613
+ ]
614
+ # END @owasp_ror_cheatsheet_checks array
615
+ @code_quality_checks = [
616
+ Dawn::Kb::NotRevisedCode.new,
617
+ ]
618
+ @aux_checks =
619
+ [
620
+ Dawn::Kb::SimpleForm_Xss_20131129.new,
621
+ ]
622
+
623
+ ret = []
624
+ ret += @aux_checks
625
+ ret += @cve_security_checks if @enabled_checks.include?(:bulletin)
626
+ ret += @owasp_ror_cheatsheet_checks if @enabled_checks.include?(:owasp_ror_cheatsheet)
627
+ ret += @code_quality_checks if @enabled_checks.include?(:code_quality)
628
+
629
+ ret
630
+ end
631
+
632
+ def self.dump(verbose=false)
633
+ puts "Security checks currently supported:"
634
+ i=0
635
+ self.new.all.each do |check|
636
+ i+=1
637
+ if verbose
638
+ puts "Name: #{check.name}\tCVSS: #{check.cvss_score}\tReleased: #{check.release_date}"
639
+ puts "Description\n#{check.message}"
640
+ puts "Remediation\n#{check.remediation}\n\n"
641
+ else
642
+ puts "#{check.name}"
643
+ end
644
+ end
645
+ puts "-----\nTotal: #{i}"
646
+
647
+ end
648
+ end
649
+
650
+ end