dawnscanner 1.6.8 → 2.0.0.rc4

data/docs/CNAME

@@ -0,0 +1 @@
+www.dawnscanner.org

data/docs/_config.yml

@@ -0,0 +1 @@
+theme: jekyll-theme-cayman

data/lib/dawn/cli/dawn_cli.rb

@@ -0,0 +1,139 @@
+require 'thor'
+require 'dawn/utils'
+
+module Dawn
+  module Cli
+    # This class is responsible for the "dawn kb" command and related
+    # subcommands.
+    class Kb < Thor
+      package_name "dawnscanner"
+      desc "find", "Searches the knowledge base for a given security test"
+      def find(string)
+        kb = Dawn::KnowledgeBase.instance
+        kb.find(string)
+      end
+
+      desc "lint", "Checks knowledge base content for correcteness"
+      def lint
+        kb = Dawn::KnowledgeBase.instance
+        kb.load(true)
+      end
+
+      desc "unpack", "Unpacks security checks in KB library path"
+      def unpack
+        $logger.helo APPNAME, Dawn::VERSION
+        kb = Dawn::KnowledgeBase.instance
+        kb.unpack
+        $logger.bye
+        Kernel.exit(0)
+      end
+
+      desc "status", "Checks the status of the knowledge base"
+      def status
+        $logger.helo APPNAME, Dawn::VERSION
+        Dawn::KnowledgeBase.enabled_checks=[:bulletin, :generic_check]
+        kb = Dawn::KnowledgeBase.instance
+        kb.load
+        if kb.security_checks.empty?
+          $logger.error(kb.error)
+        end
+        $logger.info("" + kb.security_checks.count.to_s + " security checks loaded")
+        if kb.is_packed?
+          $logger.error "The knowledge base is packed. It must be unpacked with the 'unpack' command before it can be used"
+        end
+        $logger.bye
+        Kernel.exit(0)
+      end
+    end
+
+    class DawnCli < Thor
+      package_name "dawnscanner"
+      class_option :verbose, :type=>:boolean
+      class_option :debug, :type=>:boolean
+
+      map %w[--version -v] => :__print_version
+
+      desc "--version, -v", "Prints the dawnscanner version"
+      def __print_version
+        puts Dawn::VERSION
+        Kernel.exit(0)
+      end
+
+      desc "kb SUBCOMMAND ... ARGS", "Interacts with the knowledge base"
+      subcommand "kb", Dawn::Cli::Kb
+
+      desc "scan", "scans a ruby written web application for security issues"
+      method_option :config_file,   :type=>:string,   :default=>"",     :aliases => "-c", :desc=>"tells dawn to load configuration from filename"
+      method_option :gemfile,       :type=>:boolean,  :default=>true,   :aliases => "-G", :desc => "uses Gemfile.lock to detect MVC"
+      method_option :skip,          :type=>:array,                      :aliases => "-S", :desc => "specify a list of security checks to be skipped"
+      method_option :report_format, :type=>:string,                     :aliases => "-F", :desc=>"specify the report format (text, html, json). Default is plain text files."
+      method_option :exit_on_warn,  :type=>:boolean,  :default=>false,  :aliases => "-z", :desc =>"return number of found vulnerabilities as exit code"
+      method_option :count,         :type=>:boolean,  :default=>false,  :aliases => "-C", :desc=>"count vulnerabilities (useful for scripts)"
+      method_option :output,        :type=>:string,                     :aliases => "-O", :desc=>"write output to a file with the name specified by the parameter"
+      method_option :dependencies,  :type=>:boolean,  :default=>false,  :aliases => "-d", :desc=>"scan only for vulnerabilities affecting dependencies in Gemfile.lock"
+
+      def scan(target)
+        $logger.helo APPNAME, Dawn::VERSION
+        trap("INT") { $logger.die('[INTERRUPTED]') }
+
+        $logger.die("invalid directory (#{target})") unless Dawn::Core.is_good_target?(target)
+
+        $debug = true if options[:debug]
+        $verbose = true if options[:verbose]
+        checks_to_be_skipped = []
+        checks_to_be_skipped = options[:skip] unless options[:skip].nil?
+
+        debug_me("scanning #{target}")
+
+        $config_file= Dawn::Core.find_conf(true) if options[:config_file].nil?
+        $config = Dawn::Core.read_conf($config_file)
+
+        debug_me($config)
+
+        $telemetry_url = $config[:telemetry][:endpoint] if $config[:telemetry][:enabled]
+        debug_me("telemetry url is " + $telemetry_url) unless @telemetry_url.nil?
+
+        $telemetry_id = $config[:telemetry][:id] if $config[:telemetry][:enabled]
+        debug_me("telemetry id is " + $telemetry_id) unless @telemetry_id.nil?
+
+        debug_me("telemetry is disabled in config file") unless $config[:telemetry][:enabled]
+
+        engine = Dawn::Core.detect_mvc(target) unless options[:gemfile]
+        engine = Dawn::GemfileLock.new(target) if options[:gemfile]
+
+        if engine.nil?
+          $logger.error("MVC detection failure. Please open an issue at https://github.com/thesp0nge/dawnscanner/issues")
+          $logger.die('ruby framework auto detect failed.')
+        end
+
+        if options[:exit_on_warn]
+          Kernel.at_exit do
+            if engine.count_vulnerabilities != 0
+              Kernel.exit(engine.count_vulnerabilities)
+            end
+          end
+        end
+
+
+        engine.load_knowledge_base
+
+        ret = engine.apply_all(checks_to_be_skipped)
+
+
+        if options[:report_format] and options[:report_format].eql? "json"
+          STDERR.puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json
+          $logger.bye
+          Kernel.exit(0)
+        end
+
+        $logger.info("#{engine.count_vulnerabilities} issues found")
+
+        Dawn::Reporter.new({:engine=>engine, :apply_all_code=>ret}).report
+        $logger.bye
+
+        Kernel.exit(0)
+
+      end
+    end
+  end
+end

data/lib/dawn/core.rb

@@ -24,9 +24,6 @@ module Dawn
       puts "\t$ dawn -C --json a_sinatra_webapp_directory"
       puts "\t$ dawn --ascii-tabular-report my_rails_blog_ecommerce"
       puts "\t$ dawn --html -F my_report.html my_rails_blog_ecommerce"
-      printf "\n   -r, --rails\t\t\t\t\tforce dawn to consider the target a rails application (DEPRECATED)"
-      printf "\n   -s, --sinatra\t\t\t\tforce dawn to consider the target a sinatra application (DEPRECATED)"
-      printf "\n   -p, --padrino\t\t\t\tforce dawn to consider the target a padrino application (DEPRECATED)"
       printf "\n   -G, --gem-lock\t\t\t\tforce dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock (DEPRECATED)"
       printf "\n   -d, --dependencies\t\t\t\tforce dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock"
       printf "\n\nReporting\n"
@@ -115,6 +112,7 @@ module Dawn
         fn = p + conf_name if p.start_with?('/')
         # if outside $HOME the config file must be hidden
         fn = File.expand_path(p) + '/.'+conf_name if ! p.start_with?('/')
+        debug_me("found a config file: " + fn) if File.exist?(fn)
         return fn if File.exist?(fn)
       end
 
@@ -125,7 +123,7 @@ module Dawn
 
       # If create_if_none flag is set to true, than I'll create a config file
       # on the current directory with the default configuration.
-      conf = {"config"=>{:verbose=>false, :output=>"tabular", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}}
+      conf = {:verbose=>false, :output=>"tabular", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES, :telemetry=>{:enabled=>false, :endpoint=>"", :id=>""}}
 
       # Calculate the conf file path
       conf_path = File.expand_path('~') +'/.'+conf_name
@@ -134,13 +132,15 @@ module Dawn
       File.open(conf_path, 'w') do |f|
         rv = f.write(YAML.dump(conf))
       end
+      debug_me(conf_path)
 
       conf_path
     end
 
     def self.read_conf(file=nil)
-      conf = {:verbose=>false, :output=>"tabular", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}
+      conf = {:verbose=>false, :output=>"tabular", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES, :telemetry=>{:enabled=>false, :endpoint=>"", :id=>""}}
       begin
+        debug_me("returning a default config") if file.nil? or ! File.exist?(file)
         return conf if file.nil?
         file = file.chop if (not file.nil? and file.end_with? '/')
         return conf if ! File.exist?(file)
@@ -149,9 +149,9 @@ module Dawn
         return conf
       end
 
-      c = YAML.load_file(file)
+      cf = YAML.load_file(file)
 
-      cf = c["config"]
+      tm = cf[:telemetry]
       cc = cf[:enabled_checks]
 
       # TODO
@@ -160,6 +160,7 @@ module Dawn
       conf[:debug] = cf["debug"] unless cf["debug"].nil?
       conf[:output] = cf["output"] unless cf["output"].nil?
       conf[:enabled_checks] = cc unless cc.nil?
+      conf[:telemetry] = tm unless tm.nil?
 
       return conf
     end

data/lib/dawn/engine.rb

@@ -1,9 +1,11 @@
+require 'net/http'
+require 'json'
+require 'socket'
 # Statistics stuff
 # require 'code_metrics/statistics'
 
 module Dawn
   module Engine
-    include Dawn::Utils
 
     attr_reader :target
     attr_reader :name
@@ -37,7 +39,7 @@ module Dawn
     attr_reader :controllers
 
     # Models I don't know right now. Let them initialized as Array... we
-    # will see later 
+    # will see later
     attr_reader :models
 
     attr_accessor :debug
@@ -61,15 +63,16 @@ module Dawn
       @applied = []
       @reflected_xss = []
       @engine_error = false
-      @debug = false
-      @debug = options[:debug] unless options[:debug].nil?
       @applied_checks = 0
       @skipped_checks = 0
       @gemfile_lock_sudo = false
 
       set_target(dir) unless dir.nil?
+
+
+
       @ruby_version = get_ruby_version if dir.nil?
-      @gemfile_lock = options[:gemfile_name] unless options[:gemfile_name].nil? 
+      @gemfile_lock = options[:gemfile_name] unless options[:gemfile_name].nil?
 
       # @stats        = gather_statistics
 
@@ -83,16 +86,15 @@ module Dawn
         require 'logger'
         $logger = Logger.new(STDOUT)
         $logger.helo "dawn-engine", Dawn::VERSION
-
       end
       $logger.warn "pattern matching security checks are disabled for Gemfile.lock scan" if @name == "Gemfile.lock"
       $logger.warn "combo security checks are disabled for Gemfile.lock scan" if @name == "Gemfile.lock"
-      debug_me "engine is in debug mode" 
+      debug_me "engine is in debug mode"
 
       if @name == "Gemfile.lock" && ! options[:guessed_mvc].nil?
         # since all checks relies on @name a Gemfile.lock engine must
         # impersonificate the engine for the mvc it was detected
-        debug_me "now I'm switching my name from #{@name} to #{options[:guessed_mvc][:name]}" 
+        debug_me "now I'm switching my name from #{@name} to #{options[:guessed_mvc][:name]}"
         $logger.err "there are no connected gems... it seems Gemfile.lock parsing failed" if options[:guessed_mvc][:connected_gems].empty?
         @name = options[:guessed_mvc][:name]
         @mvc_version = options[:guessed_mvc][:version]
@@ -109,6 +111,8 @@ module Dawn
       # load_knowledge_base
     end
 
+
+
     def detect_views
       []
     end
@@ -121,10 +125,10 @@ module Dawn
 
     def build_view_array(dir)
 
-      return [] unless File.exist?(dir) and File.directory?(dir) 
+      return [] unless File.exist?(dir) and File.directory?(dir)
 
       ret = []
-      Dir.glob(File.join("#{dir}", "*")).each do |filename| 
+      Dir.glob(File.join("#{dir}", "*")).each do |filename|
         ret << {:filename=>filename, :language=>:haml} if File.extname(filename) == ".haml"
       end
 
@@ -147,9 +151,9 @@ module Dawn
         # does the target use rvm?
         ver = get_rvm_ruby_ver if  ver[:version].empty? && ver[:patchlevel].empty?
         # take the running ruby otherwise
-        ver = {:engine=>RUBY_ENGINE, :version=>RUBY_VERSION, :patchlevel=>"p#{RUBY_PATCHLEVEL}"} if ver[:version].empty? && ver[:patchlevel].empty? 
+        ver = {:engine=>RUBY_ENGINE, :version=>RUBY_VERSION, :patchlevel=>"p#{RUBY_PATCHLEVEL}"} if ver[:version].empty? && ver[:patchlevel].empty?
       else
-        ver = {:engine=>RUBY_ENGINE, :version=>RUBY_VERSION, :patchlevel=>"p#{RUBY_PATCHLEVEL}"} 
+        ver = {:engine=>RUBY_ENGINE, :version=>RUBY_VERSION, :patchlevel=>"p#{RUBY_PATCHLEVEL}"}
 
       end
 
@@ -169,13 +173,11 @@ module Dawn
 
     def load_knowledge_base(enabled_checks=[])
       debug_me("load_knowledge_base called. Enabled checks are: #{enabled_checks}")
-      if @name == "Gemfile.lock"
-        @checks = Dawn::KnowledgeBase.new({:enabled_checks=>enabled_checks}).all if @force.empty?
-        @checks = Dawn::KnowledgeBase.new({:enabled_checks=>enabled_checks}).all_by_mvc(@force) unless @force.empty? 
-      else
-        @checks = Dawn::KnowledgeBase.new({:enabled_checks=>enabled_checks}).all_by_mvc(@name) 
 
-      end
+      Dawn::KnowledgeBase.enabled_checks=[:bulletin, :generic_check]
+      kb = Dawn::KnowledgeBase.instance
+
+      @checks=kb.load
       debug_me("#{@checks.count} checks loaded")
       @checks
     end
@@ -188,13 +190,13 @@ module Dawn
       return ver unless has_gemfile_lock?
 
       my_dir = Dir.pwd
-      Dir.chdir(@target) 
+      Dir.chdir(@target)
       lockfile = Bundler::LockfileParser.new(Bundler.read_file("Gemfile.lock"))
       lockfile.specs.each do |s|
         # detecting MVC version using @name in case of sinatra, padrino or rails engine
-        ver= s.version.to_s if s.name == @name && @name != "Gemfile.lock" 
+        ver= s.version.to_s if s.name == @name && @name != "Gemfile.lock"
         # detecting MVC version using @force in case of Gemfile.lock engine
-        ver= s.version.to_s if s.name == @force.to_s && @name == "Gemfile.lock" 
+        ver= s.version.to_s if s.name == @force.to_s && @name == "Gemfile.lock"
         @connected_gems << {:name=>s.name, :version=>s.version.to_s}
       end
       Dir.chdir(my_dir)
@@ -267,6 +269,8 @@ module Dawn
     # otherwise
     def apply(name)
 
+      telemetry
+
       # FIXME.20140325
       # Now if no checks are loaded because knowledge base was not previously called, apply and apply_all proudly refuse to run.
       # Reason is simple, load_knowledge_base now needs enabled check array
@@ -288,31 +292,85 @@ module Dawn
       false
     end
 
-    def apply_all
+    def have_a_telemetry_id?
+      debug_me ($telemetry_id != ""  and ! $telemetry_id.nil?)
+      return ($telemetry_id != ""  and ! $telemetry_id.nil?)
+
+    end
+
+    def get_a_telemetry_id
+      return "" if ($telemetry_url == "" or $telemetry_url.nil?)
+      debug_me("T: " + $telemetry_url)
+
+      url = URI.parse($telemetry_url+"/new")
+      res = Net::HTTP.get_response(url)
+
+      return "" unless res.code.to_i == 200
+      return JSON.parse(res.body)["uuid"]
+    end
+
+    def telemetry
+      unless $config[:telemetry][:enabled]
+        debug_me("telemetry is disabled")
+        return false
+      end
+
+      unless have_a_telemetry_id?
+        $telemetry_id = get_a_telemetry_id
+        $config[:telemetry][:id] = $telemetry_id
+        debug_me($config)
+        debug_me("saving config to " + $config_name)
+        File.open($config_name, 'w') { |f| f.write $config.to_yaml }
+      end
+
+      debug_me("Telemetry ID is: " + $telemetry_id)
+
+      uri=URI.parse($telemetry_url+"/"+$telemetry_id)
+      header = {'Content-Type': 'text/json'}
+      tele = { "kb_version" => Dawn::KnowledgeBase::VERSION ,
+               "ip" => Socket.ip_address_list.detect{|intf| intf.ipv4_private?}.ip_address,
+               "message"=> Dawn::KnowledgeBase
+            }
+      http = Net::HTTP.new(uri.host, uri.port)
+      request = Net::HTTP::Post.new(uri.request_uri, header)
+      request.body = tele.to_json
+
+      begin
+        response=http.request(request)
+        debug_me(response.inspect)
+        return true
+      rescue => e
+        $logger.error "telemetry: #{e.message}"
+        return false
+      end
+    end
+
+    def apply_all(checks_to_be_skipped=[])
       @scan_start = Time.now
+      debug_me("I'm asked to skip those checks #{checks_to_be_skipped}")
       debug_me("SCAN STARTED: #{@scan_start}")
 
-      # FIXME.20140325
-      # Now if no checks are loaded because knowledge base was not previously called, apply and apply_all proudly refuse to run.
-      # Reason is simple, load_knowledge_base now needs enabled check array
-      # and I don't want to pollute engine API to propagate this value. It's
-      # a param to load_knowledge_base and then bin/dawn calls it
-      # accordingly.
-      # load_knowledge_base if @checks.nil?
+      telemetry
+
       if @checks.nil?
-        $logger.err "you must load knowledge base before trying to apply security checks"
+        $logger.error "you must load knowledge base before trying to apply security checks"
         @scan_stop = Time.now
         debug_me("SCAN STOPPED: #{@scan_stop}")
         return false
       end
       if @checks.empty?
+        $logger.warn "no security checks found. This is strange"
         @scan_stop = Time.now
         debug_me("SCAN STOPPED: #{@scan_stop}")
         return false
       end
 
       @checks.each do |check|
-        _do_apply(check)
+        if checks_to_be_skipped.include?(check.name)
+          $logger.info("skipping security check #{check.name}")
+        else
+          _do_apply(check)
+        end
       end
 
       @scan_stop = Time.now
@@ -373,18 +431,19 @@ module Dawn
     def get_rvm_ruby_ver
       return {:version=>"", :patchlevel=>""} unless File.exist?(File.join(@target, ".ruby-version"))
       hash = File.read(File.join(@target, '.ruby-version')).split('-')
-      return {:version=>hash[0], :patchlevel=>hash[1]}
+      return {:version=>hash[0].chop, :patchlevel=>hash[1]}
     end
     def _do_apply(check)
       unless ((check.kind == Dawn::KnowledgeBase::PATTERN_MATCH_CHECK || check.kind == Dawn::KnowledgeBase::COMBO_CHECK ) && @gemfile_lock_sudo)
 
         @applied << { :name => name }
-        debug_me "applying check #{check.name}"
+        debug_me "applying check #{check.name} - #{check.kind}"
         @applied_checks += 1
 
         check.ruby_version  = @ruby_version[:version]
         check.detected_ruby = @ruby_version                           if check.kind == Dawn::KnowledgeBase::RUBY_VERSION_CHECK
-        check.dependencies  = self.connected_gems                     if check.kind == Dawn::KnowledgeBase::DEPENDENCY_CHECK
+        check.dependencies  = self.connected_gems                     if check.kind == Dawn::KnowledgeBase::DEPENDENCY_CHECK or
+                                                                          check.kind == Dawn::KnowledgeBase::UNSAFE_DEPENDENCY_CHECK
         check.root_dir      = self.target                             if check.kind == Dawn::KnowledgeBase::PATTERN_MATCH_CHECK
         check.options       = {:detected_ruby => self.ruby_version,
                                :dependencies => self.connected_gems,