RubyGems - dawnscanner - Versions diffs - 1.6.9 → 2.0.0.rc1 - Mend

dawnscanner 1.6.9 → 2.0.0.rc1

Files changed (366) hide show

checksums.yaml +4 -4
data/.ruby-version +1 -1
data/Changelog.md +8 -0
data/LICENSE.txt +1 -1
data/Rakefile +6 -239
data/VERSION +1 -1
data/bin/dawn +6 -46
data/dawnscanner.gemspec +6 -1
data/doc/change.sh +13 -0
data/doc/knowledge_base.rb +650 -0
data/lib/dawn/cli/dawn_cli.rb +103 -0
data/lib/dawn/engine.rb +9 -11
data/lib/dawn/gemfile_lock.rb +2 -2
data/lib/dawn/kb/basic_check.rb +1 -0
data/lib/dawn/kb/combo_check.rb +1 -1
data/lib/dawn/kb/dependency_check.rb +1 -1
data/lib/dawn/kb/pattern_match_check.rb +1 -1
data/lib/dawn/kb/ruby_version_check.rb +11 -10
data/lib/dawn/kb/{gem_check.rb → rubygem_check.rb} +1 -1
data/lib/dawn/kb/version_check.rb +25 -25
data/lib/dawn/knowledge_base.rb +211 -588
data/lib/dawn/utils.rb +5 -2
data/lib/dawn/version.rb +5 -5
data/lib/dawnscanner.rb +4 -3
metadata +23 -450
data/lib/dawn/kb/cve_2004_0755.rb +0 -33
data/lib/dawn/kb/cve_2004_0983.rb +0 -31
data/lib/dawn/kb/cve_2005_1992.rb +0 -31
data/lib/dawn/kb/cve_2005_2337.rb +0 -33
data/lib/dawn/kb/cve_2006_1931.rb +0 -30
data/lib/dawn/kb/cve_2006_2582.rb +0 -28
data/lib/dawn/kb/cve_2006_3694.rb +0 -31
data/lib/dawn/kb/cve_2006_4112.rb +0 -27
data/lib/dawn/kb/cve_2006_5467.rb +0 -28
data/lib/dawn/kb/cve_2006_6303.rb +0 -28
data/lib/dawn/kb/cve_2006_6852.rb +0 -27
data/lib/dawn/kb/cve_2006_6979.rb +0 -29
data/lib/dawn/kb/cve_2007_0469.rb +0 -29
data/lib/dawn/kb/cve_2007_5162.rb +0 -28
data/lib/dawn/kb/cve_2007_5379.rb +0 -27
data/lib/dawn/kb/cve_2007_5380.rb +0 -29
data/lib/dawn/kb/cve_2007_5770.rb +0 -30
data/lib/dawn/kb/cve_2007_6077.rb +0 -31
data/lib/dawn/kb/cve_2007_6612.rb +0 -30
data/lib/dawn/kb/cve_2008_1145.rb +0 -38
data/lib/dawn/kb/cve_2008_1891.rb +0 -38
data/lib/dawn/kb/cve_2008_2376.rb +0 -30
data/lib/dawn/kb/cve_2008_2662.rb +0 -33
data/lib/dawn/kb/cve_2008_2663.rb +0 -32
data/lib/dawn/kb/cve_2008_2664.rb +0 -33
data/lib/dawn/kb/cve_2008_2725.rb +0 -31
data/lib/dawn/kb/cve_2008_3655.rb +0 -37
data/lib/dawn/kb/cve_2008_3657.rb +0 -37
data/lib/dawn/kb/cve_2008_3790.rb +0 -30
data/lib/dawn/kb/cve_2008_3905.rb +0 -36
data/lib/dawn/kb/cve_2008_4094.rb +0 -27
data/lib/dawn/kb/cve_2008_4310.rb +0 -100
data/lib/dawn/kb/cve_2008_5189.rb +0 -27
data/lib/dawn/kb/cve_2008_7248.rb +0 -27
data/lib/dawn/kb/cve_2009_4078.rb +0 -29
data/lib/dawn/kb/cve_2009_4124.rb +0 -30
data/lib/dawn/kb/cve_2009_4214.rb +0 -27
data/lib/dawn/kb/cve_2010_1330.rb +0 -28
data/lib/dawn/kb/cve_2010_2489.rb +0 -60
data/lib/dawn/kb/cve_2010_3933.rb +0 -27
data/lib/dawn/kb/cve_2011_0188.rb +0 -67
data/lib/dawn/kb/cve_2011_0446.rb +0 -28
data/lib/dawn/kb/cve_2011_0447.rb +0 -28
data/lib/dawn/kb/cve_2011_0739.rb +0 -28
data/lib/dawn/kb/cve_2011_0995.rb +0 -61
data/lib/dawn/kb/cve_2011_1004.rb +0 -34
data/lib/dawn/kb/cve_2011_1005.rb +0 -31
data/lib/dawn/kb/cve_2011_2197.rb +0 -27
data/lib/dawn/kb/cve_2011_2686.rb +0 -29
data/lib/dawn/kb/cve_2011_2705.rb +0 -32
data/lib/dawn/kb/cve_2011_2929.rb +0 -27
data/lib/dawn/kb/cve_2011_2930.rb +0 -28
data/lib/dawn/kb/cve_2011_2931.rb +0 -30
data/lib/dawn/kb/cve_2011_2932.rb +0 -27
data/lib/dawn/kb/cve_2011_3009.rb +0 -28
data/lib/dawn/kb/cve_2011_3186.rb +0 -29
data/lib/dawn/kb/cve_2011_3187.rb +0 -29
data/lib/dawn/kb/cve_2011_4319.rb +0 -30
data/lib/dawn/kb/cve_2011_4815.rb +0 -28
data/lib/dawn/kb/cve_2011_5036.rb +0 -26
data/lib/dawn/kb/cve_2012_1098.rb +0 -30
data/lib/dawn/kb/cve_2012_1099.rb +0 -27
data/lib/dawn/kb/cve_2012_1241.rb +0 -27
data/lib/dawn/kb/cve_2012_2139.rb +0 -26
data/lib/dawn/kb/cve_2012_2140.rb +0 -27
data/lib/dawn/kb/cve_2012_2660.rb +0 -28
data/lib/dawn/kb/cve_2012_2661.rb +0 -27
data/lib/dawn/kb/cve_2012_2671.rb +0 -28
data/lib/dawn/kb/cve_2012_2694.rb +0 -30
data/lib/dawn/kb/cve_2012_2695.rb +0 -27
data/lib/dawn/kb/cve_2012_3424.rb +0 -29
data/lib/dawn/kb/cve_2012_3463.rb +0 -27
data/lib/dawn/kb/cve_2012_3464.rb +0 -27
data/lib/dawn/kb/cve_2012_3465.rb +0 -26
data/lib/dawn/kb/cve_2012_4464.rb +0 -27
data/lib/dawn/kb/cve_2012_4466.rb +0 -27
data/lib/dawn/kb/cve_2012_4481.rb +0 -26
data/lib/dawn/kb/cve_2012_4522.rb +0 -27
data/lib/dawn/kb/cve_2012_5370.rb +0 -27
data/lib/dawn/kb/cve_2012_5371.rb +0 -27
data/lib/dawn/kb/cve_2012_5380.rb +0 -28
data/lib/dawn/kb/cve_2012_6109.rb +0 -25
data/lib/dawn/kb/cve_2012_6134.rb +0 -27
data/lib/dawn/kb/cve_2012_6496.rb +0 -28
data/lib/dawn/kb/cve_2012_6497.rb +0 -28
data/lib/dawn/kb/cve_2012_6684.rb +0 -28
data/lib/dawn/kb/cve_2013_0155.rb +0 -29
data/lib/dawn/kb/cve_2013_0156.rb +0 -27
data/lib/dawn/kb/cve_2013_0162.rb +0 -28
data/lib/dawn/kb/cve_2013_0175.rb +0 -27
data/lib/dawn/kb/cve_2013_0183.rb +0 -25
data/lib/dawn/kb/cve_2013_0184.rb +0 -25
data/lib/dawn/kb/cve_2013_0233.rb +0 -26
data/lib/dawn/kb/cve_2013_0256.rb +0 -59
data/lib/dawn/kb/cve_2013_0262.rb +0 -26
data/lib/dawn/kb/cve_2013_0263.rb +0 -26
data/lib/dawn/kb/cve_2013_0269.rb +0 -27
data/lib/dawn/kb/cve_2013_0276.rb +0 -28
data/lib/dawn/kb/cve_2013_0277.rb +0 -25
data/lib/dawn/kb/cve_2013_0284.rb +0 -27
data/lib/dawn/kb/cve_2013_0285.rb +0 -27
data/lib/dawn/kb/cve_2013_0333.rb +0 -28
data/lib/dawn/kb/cve_2013_0334.rb +0 -25
data/lib/dawn/kb/cve_2013_1607.rb +0 -25
data/lib/dawn/kb/cve_2013_1655.rb +0 -65
data/lib/dawn/kb/cve_2013_1656.rb +0 -28
data/lib/dawn/kb/cve_2013_1756.rb +0 -26
data/lib/dawn/kb/cve_2013_1800.rb +0 -26
data/lib/dawn/kb/cve_2013_1801.rb +0 -27
data/lib/dawn/kb/cve_2013_1802.rb +0 -27
data/lib/dawn/kb/cve_2013_1812.rb +0 -27
data/lib/dawn/kb/cve_2013_1821.rb +0 -28
data/lib/dawn/kb/cve_2013_1854.rb +0 -26
data/lib/dawn/kb/cve_2013_1855.rb +0 -25
data/lib/dawn/kb/cve_2013_1856.rb +0 -26
data/lib/dawn/kb/cve_2013_1857.rb +0 -27
data/lib/dawn/kb/cve_2013_1875.rb +0 -27
data/lib/dawn/kb/cve_2013_1898.rb +0 -27
data/lib/dawn/kb/cve_2013_1911.rb +0 -28
data/lib/dawn/kb/cve_2013_1933.rb +0 -27
data/lib/dawn/kb/cve_2013_1947.rb +0 -27
data/lib/dawn/kb/cve_2013_1948.rb +0 -27
data/lib/dawn/kb/cve_2013_2065.rb +0 -29
data/lib/dawn/kb/cve_2013_2090.rb +0 -28
data/lib/dawn/kb/cve_2013_2105.rb +0 -26
data/lib/dawn/kb/cve_2013_2119.rb +0 -27
data/lib/dawn/kb/cve_2013_2512.rb +0 -26
data/lib/dawn/kb/cve_2013_2513.rb +0 -25
data/lib/dawn/kb/cve_2013_2516.rb +0 -26
data/lib/dawn/kb/cve_2013_2615.rb +0 -27
data/lib/dawn/kb/cve_2013_2616.rb +0 -27
data/lib/dawn/kb/cve_2013_2617.rb +0 -28
data/lib/dawn/kb/cve_2013_3221.rb +0 -27
data/lib/dawn/kb/cve_2013_4164.rb +0 -30
data/lib/dawn/kb/cve_2013_4203.rb +0 -25
data/lib/dawn/kb/cve_2013_4389.rb +0 -26
data/lib/dawn/kb/cve_2013_4413.rb +0 -27
data/lib/dawn/kb/cve_2013_4457.rb +0 -29
data/lib/dawn/kb/cve_2013_4478.rb +0 -26
data/lib/dawn/kb/cve_2013_4479.rb +0 -26
data/lib/dawn/kb/cve_2013_4489.rb +0 -28
data/lib/dawn/kb/cve_2013_4491.rb +0 -29
data/lib/dawn/kb/cve_2013_4492.rb +0 -29
data/lib/dawn/kb/cve_2013_4562.rb +0 -27
data/lib/dawn/kb/cve_2013_4593.rb +0 -27
data/lib/dawn/kb/cve_2013_5647.rb +0 -29
data/lib/dawn/kb/cve_2013_5671.rb +0 -26
data/lib/dawn/kb/cve_2013_6414.rb +0 -30
data/lib/dawn/kb/cve_2013_6415.rb +0 -29
data/lib/dawn/kb/cve_2013_6416.rb +0 -29
data/lib/dawn/kb/cve_2013_6417.rb +0 -30
data/lib/dawn/kb/cve_2013_6421.rb +0 -28
data/lib/dawn/kb/cve_2013_6459.rb +0 -28
data/lib/dawn/kb/cve_2013_6460.rb +0 -53
data/lib/dawn/kb/cve_2013_6461.rb +0 -57
data/lib/dawn/kb/cve_2013_7086.rb +0 -27
data/lib/dawn/kb/cve_2014_0036.rb +0 -27
data/lib/dawn/kb/cve_2014_0080.rb +0 -29
data/lib/dawn/kb/cve_2014_0081.rb +0 -27
data/lib/dawn/kb/cve_2014_0082.rb +0 -27
data/lib/dawn/kb/cve_2014_0130.rb +0 -27
data/lib/dawn/kb/cve_2014_1233.rb +0 -27
data/lib/dawn/kb/cve_2014_1234.rb +0 -26
data/lib/dawn/kb/cve_2014_2322.rb +0 -28
data/lib/dawn/kb/cve_2014_2525.rb +0 -59
data/lib/dawn/kb/cve_2014_2538.rb +0 -26
data/lib/dawn/kb/cve_2014_3482.rb +0 -28
data/lib/dawn/kb/cve_2014_3483.rb +0 -28
data/lib/dawn/kb/cve_2014_3916.rb +0 -29
data/lib/dawn/kb/cve_2014_4975.rb +0 -28
data/lib/dawn/kb/cve_2014_7818.rb +0 -27
data/lib/dawn/kb/cve_2014_7819.rb +0 -31
data/lib/dawn/kb/cve_2014_7829.rb +0 -30
data/lib/dawn/kb/cve_2014_8090.rb +0 -30
data/lib/dawn/kb/cve_2014_9490.rb +0 -29
data/lib/dawn/kb/cve_2015_1819.rb +0 -34
data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb +0 -28
data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb +0 -28
data/lib/dawn/kb/cve_2015_2963.rb +0 -27
data/lib/dawn/kb/cve_2015_3224.rb +0 -26
data/lib/dawn/kb/cve_2015_3225.rb +0 -28
data/lib/dawn/kb/cve_2015_3226.rb +0 -27
data/lib/dawn/kb/cve_2015_3227.rb +0 -28
data/lib/dawn/kb/cve_2015_3448.rb +0 -29
data/lib/dawn/kb/cve_2015_4020.rb +0 -34
data/lib/dawn/kb/cve_2015_5312.rb +0 -30
data/lib/dawn/kb/cve_2015_7497.rb +0 -32
data/lib/dawn/kb/cve_2015_7498.rb +0 -32
data/lib/dawn/kb/cve_2015_7499.rb +0 -32
data/lib/dawn/kb/cve_2015_7500.rb +0 -32
data/lib/dawn/kb/cve_2015_7519.rb +0 -31
data/lib/dawn/kb/cve_2015_7541.rb +0 -31
data/lib/dawn/kb/cve_2015_7576.rb +0 -35
data/lib/dawn/kb/cve_2015_7577.rb +0 -34
data/lib/dawn/kb/cve_2015_7578.rb +0 -30
data/lib/dawn/kb/cve_2015_7579.rb +0 -30
data/lib/dawn/kb/cve_2015_7581.rb +0 -33
data/lib/dawn/kb/cve_2015_8241.rb +0 -32
data/lib/dawn/kb/cve_2015_8242.rb +0 -32
data/lib/dawn/kb/cve_2015_8317.rb +0 -32
data/lib/dawn/kb/cve_2016_0751.rb +0 -32
data/lib/dawn/kb/cve_2016_0752.rb +0 -35
data/lib/dawn/kb/cve_2016_0753.rb +0 -31
data/lib/dawn/kb/cve_2016_2097.rb +0 -35
data/lib/dawn/kb/cve_2016_2098.rb +0 -35
data/lib/dawn/kb/cve_2016_5697.rb +0 -30
data/lib/dawn/kb/cve_2016_6316.rb +0 -33
data/lib/dawn/kb/cve_2016_6317.rb +0 -32
data/lib/dawn/kb/cve_2016_6582.rb +0 -43
data/lib/dawn/kb/not_revised_code.rb +0 -22
data/lib/dawn/kb/osvdb_105971.rb +0 -29
data/lib/dawn/kb/osvdb_108530.rb +0 -27
data/lib/dawn/kb/osvdb_108563.rb +0 -28
data/lib/dawn/kb/osvdb_108569.rb +0 -28
data/lib/dawn/kb/osvdb_108570.rb +0 -27
data/lib/dawn/kb/osvdb_115654.rb +0 -33
data/lib/dawn/kb/osvdb_116010.rb +0 -30
data/lib/dawn/kb/osvdb_117903.rb +0 -30
data/lib/dawn/kb/osvdb_118579.rb +0 -31
data/lib/dawn/kb/osvdb_118830.rb +0 -32
data/lib/dawn/kb/osvdb_118954.rb +0 -33
data/lib/dawn/kb/osvdb_119878.rb +0 -32
data/lib/dawn/kb/osvdb_119927.rb +0 -33
data/lib/dawn/kb/osvdb_120415.rb +0 -31
data/lib/dawn/kb/osvdb_120857.rb +0 -34
data/lib/dawn/kb/osvdb_121701.rb +0 -30
data/lib/dawn/kb/osvdb_132234.rb +0 -34
data/lib/dawn/kb/owasp_ror_cheatsheet.rb +0 -33
data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -18
data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +0 -57
data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +0 -28
data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +0 -29
data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +0 -33
data/lib/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +0 -35
data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +0 -29
data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +0 -31
data/lib/dawn/kb/simpleform_xss_20131129.rb +0 -28
data/lib/dawn/knowledge_base_experimental.rb +0 -245
data/spec/lib/kb/cve_2011_2705_spec.rb +0 -35
data/spec/lib/kb/cve_2011_2930_spec.rb +0 -31
data/spec/lib/kb/cve_2011_3009_spec.rb +0 -25
data/spec/lib/kb/cve_2011_3187_spec.rb +0 -24
data/spec/lib/kb/cve_2011_4319_spec.rb +0 -44
data/spec/lib/kb/cve_2011_5036_spec.rb +0 -95
data/spec/lib/kb/cve_2012_1098_spec.rb +0 -36
data/spec/lib/kb/cve_2012_2139_spec.rb +0 -20
data/spec/lib/kb/cve_2012_2671_spec.rb +0 -23
data/spec/lib/kb/cve_2012_6109_spec.rb +0 -112
data/spec/lib/kb/cve_2012_6684_spec.rb +0 -16
data/spec/lib/kb/cve_2013_0162_spec.rb +0 -23
data/spec/lib/kb/cve_2013_0183_spec.rb +0 -54
data/spec/lib/kb/cve_2013_0184_spec.rb +0 -115
data/spec/lib/kb/cve_2013_0256_spec.rb +0 -34
data/spec/lib/kb/cve_2013_0262_spec.rb +0 -44
data/spec/lib/kb/cve_2013_0263_spec.rb +0 -11
data/spec/lib/kb/cve_2013_0334_spec.rb +0 -35
data/spec/lib/kb/cve_2013_1607_spec.rb +0 -15
data/spec/lib/kb/cve_2013_1655_spec.rb +0 -31
data/spec/lib/kb/cve_2013_1756_spec.rb +0 -23
data/spec/lib/kb/cve_2013_2090_spec.rb +0 -15
data/spec/lib/kb/cve_2013_2105_spec.rb +0 -11
data/spec/lib/kb/cve_2013_2119_spec.rb +0 -27
data/spec/lib/kb/cve_2013_2512_spec.rb +0 -15
data/spec/lib/kb/cve_2013_2513_spec.rb +0 -15
data/spec/lib/kb/cve_2013_2516_spec.rb +0 -15
data/spec/lib/kb/cve_2013_4203_spec.rb +0 -15
data/spec/lib/kb/cve_2013_4413_spec.rb +0 -16
data/spec/lib/kb/cve_2013_4489_spec.rb +0 -63
data/spec/lib/kb/cve_2013_4491_spec.rb +0 -16
data/spec/lib/kb/cve_2013_4593_spec.rb +0 -16
data/spec/lib/kb/cve_2013_5647_spec.rb +0 -19
data/spec/lib/kb/cve_2013_5671_spec.rb +0 -27
data/spec/lib/kb/cve_2013_6414_spec.rb +0 -26
data/spec/lib/kb/cve_2013_6416_spec.rb +0 -31
data/spec/lib/kb/cve_2013_6459_spec.rb +0 -15
data/spec/lib/kb/cve_2013_7086_spec.rb +0 -22
data/spec/lib/kb/cve_2014_0036_spec.rb +0 -15
data/spec/lib/kb/cve_2014_0080_spec.rb +0 -33
data/spec/lib/kb/cve_2014_0081_spec.rb +0 -50
data/spec/lib/kb/cve_2014_0082_spec.rb +0 -52
data/spec/lib/kb/cve_2014_0130_spec.rb +0 -19
data/spec/lib/kb/cve_2014_1233_spec.rb +0 -15
data/spec/lib/kb/cve_2014_1234_spec.rb +0 -16
data/spec/lib/kb/cve_2014_2322_spec.rb +0 -15
data/spec/lib/kb/cve_2014_2538_spec.rb +0 -15
data/spec/lib/kb/cve_2014_3482_spec.rb +0 -15
data/spec/lib/kb/cve_2014_3483_spec.rb +0 -27
data/spec/lib/kb/cve_2014_7818_spec.rb +0 -42
data/spec/lib/kb/cve_2014_7819_spec.rb +0 -139
data/spec/lib/kb/cve_2014_7829_spec.rb +0 -50
data/spec/lib/kb/cve_2014_9490_spec.rb +0 -17
data/spec/lib/kb/cve_2015_1819_spec.rb +0 -16
data/spec/lib/kb/cve_2015_1840_spec.rb +0 -39
data/spec/lib/kb/cve_2015_2963_spec.rb +0 -17
data/spec/lib/kb/cve_2015_3224_spec.rb +0 -16
data/spec/lib/kb/cve_2015_3225_spec.rb +0 -27
data/spec/lib/kb/cve_2015_3226_spec.rb +0 -35
data/spec/lib/kb/cve_2015_3227_spec.rb +0 -31
data/spec/lib/kb/cve_2015_3448_spec.rb +0 -16
data/spec/lib/kb/cve_2015_4020_spec.rb +0 -24
data/spec/lib/kb/cve_2015_5312_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7497_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7498_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7499_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7500_spec.rb +0 -31
data/spec/lib/kb/cve_2015_7519_spec.rb +0 -23
data/spec/lib/kb/cve_2015_7541_spec.rb +0 -15
data/spec/lib/kb/cve_2015_7576_spec.rb +0 -51
data/spec/lib/kb/cve_2015_7577_spec.rb +0 -63
data/spec/lib/kb/cve_2015_7578_spec.rb +0 -15
data/spec/lib/kb/cve_2015_7579_spec.rb +0 -23
data/spec/lib/kb/cve_2015_7581_spec.rb +0 -51
data/spec/lib/kb/cve_2015_8241_spec.rb +0 -31
data/spec/lib/kb/cve_2015_8242_spec.rb +0 -31
data/spec/lib/kb/cve_2015_8317_spec.rb +0 -31
data/spec/lib/kb/cve_2016_0751_spec.rb +0 -55
data/spec/lib/kb/cve_2016_0752_spec.rb +0 -51
data/spec/lib/kb/cve_2016_0753_spec.rb +0 -51
data/spec/lib/kb/cve_2016_2097_spec.rb +0 -35
data/spec/lib/kb/cve_2016_2098_spec.rb +0 -59
data/spec/lib/kb/cve_2016_5697_spec.rb +0 -15
data/spec/lib/kb/cve_2016_6316_spec.rb +0 -44
data/spec/lib/kb/cve_2016_6317_spec.rb +0 -35
data/spec/lib/kb/cve_2016_6582_spec.rb +0 -29
data/spec/lib/kb/osvdb_105971_spec.rb +0 -15
data/spec/lib/kb/osvdb_108530_spec.rb +0 -22
data/spec/lib/kb/osvdb_108563_spec.rb +0 -18
data/spec/lib/kb/osvdb_108569_spec.rb +0 -17
data/spec/lib/kb/osvdb_108570_spec.rb +0 -17
data/spec/lib/kb/osvdb_115654_spec.rb +0 -15
data/spec/lib/kb/osvdb_116010_spec.rb +0 -15
data/spec/lib/kb/osvdb_117903_spec.rb +0 -23
data/spec/lib/kb/osvdb_118579_spec.rb +0 -8
data/spec/lib/kb/osvdb_118830_spec.rb +0 -16
data/spec/lib/kb/osvdb_118954_spec.rb +0 -20
data/spec/lib/kb/osvdb_119878_spec.rb +0 -92
data/spec/lib/kb/osvdb_119927_spec.rb +0 -16
data/spec/lib/kb/osvdb_120415_spec.rb +0 -16
data/spec/lib/kb/osvdb_120857_spec.rb +0 -32
data/spec/lib/kb/osvdb_121701_spec.rb +0 -15
data/spec/lib/kb/osvdb_132234_spec.rb +0 -15

data/lib/dawn/kb/cve_2016_2098.rb DELETED

@@ -1,35 +0,0 @@
-module Dawn
-		module Kb
-			# Automatically created with rake on 2016-03-01
-			class CVE_2016_2098
-				# Include the testing skeleton for this CVE
-				# include PatternMatchCheck
-				include DependencyCheck
-				# include RubyVersionCheck
-				def initialize
-          message = "There is a possible remote code execution vulnerability in Action Pack. Applications that pass unverified user input to the render method in a
-controller or a view may be vulnerable to a code injection."
-          title = "Possible remote code execution vulnerability in Action Pack"
-          super({
-            :title=>title,
-            :name=> "CVE-2016-2098",
-            :cve=>"2016-2098",
-            :osvdb=>"",
-            :cvss=>"",
-            :release_date => Date.new(2016, 2, 29),
-            :cwe=>"",
-            :owasp=>"A9",
-            :applies=>["rails", "sinatra", "padrino"],
-            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-            :message=>message,
-            :mitigation=>"Please upgrade actionpack gem to version 3.2.22.2, 4.1.14.2, 4.2.5.2, 5.0.0 or later.",
-            :aux_links=>['https://groups.google.com/forum/message/raw?msg=rubyonrails-security/ly-IH-fxr_Q/WLoOhcMZIAAJ']
-           })
-          self.safe_dependencies = [{:name=>"actionpack", :version=>['3.2.22.2', '4.0.9999', '4.1.14.2', '4.2.5.2']}]
-          self.not_affected = {:name=>"actionpack", :version=>['5.0.x']}
-				end
-			end
-		end
-end

data/lib/dawn/kb/cve_2016_5697.rb DELETED

@@ -1,30 +0,0 @@
-module Dawn
-  module Kb
-    # Automatically created with rake on 2016-10-02
-    class CVE_2016_5697
-      include DependencyCheck
-      def initialize
-        title   = "XML signature wrapping attack"
-        message = "ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack in the specific scenario where there was a signature that referenced at the same time 2 elements (but past the scheme validator process since 1 of the element was inside the encrypted assertion)."
-        super({
-          :title=>title,
-          :name=> "CVE-2016-5697",
-          :cve=>"2016-5697",
-          :osvdb=>"",
-          :cvss=>"",
-          :release_date => Date.new(2016, 6, 24),
-          :cwe=>"",
-          :owasp=>"A9",
-          :applies=>["rails", "sinatra", "padrino"],
-          :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-          :message=>message,
-          :mitigation=>"Please upgrade ruby-saml gem to version 1.3.0 which implements 3 extra validations to mitigate this kind of attack.",
-          :aux_links=>['https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995']
-        })
-        self.safe_dependencies = [{:name=>"ruby-saml", :version=>['1.3.0']}]
-      end
-    end
-  end
-end

data/lib/dawn/kb/cve_2016_6316.rb DELETED

@@ -1,33 +0,0 @@
-module Dawn
-  module Kb
-    # Automatically created with rake on 2016-10-02
-    class CVE_2016_6316
-      include DependencyCheck
-      def initialize
-        title   = "Possible XSS Vulnerability in Action View"
-        message = "Text declared as \"HTML safe\" when passed as an attribute value to a tag helper will not have quotes escaped which can lead to an XSS attack."
-        super({
-          :title=>title,
-          :name=> "CVE-2016-6316",
-          :cve=>"2016-6316",
-          :osvdb=>"",
-          :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
-          :release_date => Date.new(2016, 8, 11),
-          :cwe=>"",
-          :owasp=>"A9",
-          :applies=>["rails", "sinatra", "padrino"],
-          :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-          :message=>message,
-          :mitigation=>"Please upgrade actionview gem to version 3.2.22.3, 4.2.7.1, 5.0.0.1 or install latest version.",
-          :aux_links=>['https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk']
-        })
-        self.safe_dependencies = [{:name=>"actionview", :version=>['3.2.22.3', '4.2.7.1', '5.0.0.1']}]
-        self.not_affected = {:name=>"actionview", :version=>['1.x.x', '2.x.x']}
-        self.save_minor=true
-        self.save_major=true
-      end
-    end
-  end
-end

data/lib/dawn/kb/cve_2016_6317.rb DELETED

@@ -1,32 +0,0 @@
-module Dawn
-  module Kb
-    # Automatically created with rake on 2016-10-02
-    class CVE_2016_6317
-      include DependencyCheck
-      def initialize
-        title   = "Unsafe Query Generation Risk in Active Record"
-        message = "Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with “IS NULL” or empty where clauses. This issue does not let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn’t expect it."
-        super({
-          :title=>title,
-          :name=> "CVE-2016-6317",
-          :cve=>"2016-6317",
-          :osvdb=>"",
-          :cvss=>"AV:N/AC:L/Au:N/C:N/I:P/A:N",
-          :release_date => Date.new(2016, 8, 11),
-          :cwe=>"",
-          :owasp=>"A9",
-          :applies=>["rails", "sinatra", "padrino"],
-          :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-          :message=>message,
-          :mitigation=>"Please upgrade activerecord gem to version 4.2.7.1. Please note that versions 5.0.0 or later are not affected.",
-          :aux_links=>['https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s']
-        })
-        self.safe_dependencies = [{:name=>"activerecord", :version=>['4.2.7.1']}]
-        self.not_affected = {:name=>"activerecord", :version=>['1.x.x', '2.x.x', '3.x.x', '4.0.x', '4.1.x', '5.0.x']}
-      end
-    end
-  end
-end

data/lib/dawn/kb/cve_2016_6582.rb DELETED

@@ -1,43 +0,0 @@
-module Dawn
-  module Kb
-    # Automatically created with rake on 2016-10-02
-    class CVE_2016_6582
-      # Include the testing skeleton for this CVE
-      # include PatternMatchCheck
-      include DependencyCheck
-      # include RubyVersionCheck
-      def initialize
-        title   = "Doorkeeper gem does not revoke tokens & uses wrong auth/auth method"
-        message = "Doorkeeper failed to implement OAuth 2.0 Token Revocation (RFC 7009) in the following ways:
-Public clients making valid, unauthenticated calls to revoke a token would not have their token revoked
-Requests were not properly authenticating the client credentials but were, instead, looking at the access token in a second location
-Because of 2, the requests were also not authorizing confidential clients’ ability to revoke a given token. It should only revoke tokens that belong to it.
-The security implication is: OAuth 2.0 clients who \"log out\" a user expect to have the corresponding access & refresh tokens revoked, preventing an attacker who may have already hijacked the session from continuing to impersonate the victim. Because of the bug described above, this is not the case. As far as OWASP is concerned, this counts as broken authentication design.
-MITRE has assigned CVE-2016-6582 due to the security issues raised. An attacker, thanks to 1, can replay a hijacked session after a victim logs out/revokes their token. Additionally, thanks to 2 & 3, an attacker via a compromised confidential client could \"grief\" other clients by revoking their tokens (albeit this is an exceptionally narrow attack with little value)."
-        super({
-          :title=>title,
-          :name=> "CVE-2016-6582",
-          :cve=>"",
-          :osvdb=>"",
-          :cvss=>"",
-          :release_date => Date.new(2016, 8, 18),
-          :cwe=>"",
-          :owasp=>"A9",
-          :applies=>["rails", "sinatra", "padrino"],
-          :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-          :message=>message,
-          :mitigation=>"Please upgrade doorkeeper gem to version 4.2.0 or later.",
-          :aux_links=>['http://www.openwall.com/lists/oss-security/2016/08/19/2']
-        })
-        self.safe_dependencies = [{:name=>"doorkeeper", :version=>['4.2.0']}]
-      end
-    end
-  end
-end

data/lib/dawn/kb/not_revised_code.rb DELETED

@@ -1,22 +0,0 @@
-  module Dawn
-    module Kb
-      class NotRevisedCode
-        include PatternMatchCheck
-        def initialize
-          super({:name=>"Not revised code",
-                :cvss=>"",
-                :release_date=>nil,
-                :cwe=>"",
-                :owasp=>"",
-                :applies=>["sinatra", "rails", "padrino"],
-                :kind=>Dawn::KnowledgeBase::PATTERN_MATCH_CHECK,
-                :message=>"Analyzing comments, it seems your code is waiting from some review from you. Please consider take action before putting it in production.\nThis check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME",
-                :mitigation=>"Please review the file fixing the issue.",
-                :attack_pattern => ["XXX", "TO_CHECK", "CHECKME", "CHECK", "FIXME"]
-          })
-        end
-      end
-    end
-  end

data/lib/dawn/kb/osvdb_105971.rb DELETED

@@ -1,29 +0,0 @@
-module Dawn
-  module Kb
-    # Automatically created with rake on 2014-04-17
-    class OSVDB_105971
-      include DependencyCheck
-      def initialize
-        message = "sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands."
-        super({
-          :name=> "OSVDB-105971",
-          :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
-          :cve=>"2014-2888",
-          :osvdb=> "105971",
-          :release_date => Date.new(2014, 4, 16),
-          :cwe=>"",
-          :owasp=>"A9",
-          :applies=>["rack", "sinatra", "padrino", "rails"],
-          :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-          :message=>message,
-          :mitigation=>"Please upgrade sfpagent version at least to 0.4.15. As a general rule, using the latest stable version is recommended.",
-          :aux_links=>["http://seclists.org/oss-sec/2014/q2/118"]
-        })
-        self.safe_dependencies = [{:name=>"sfpagent", :version=>['0.4.15']}]
-      end
-    end
-  end
-end

data/lib/dawn/kb/osvdb_108530.rb DELETED

@@ -1,27 +0,0 @@
-module Dawn
-  module Kb
-    # Automatically created with rake on 2014-07-04
-    class OSVDB_108530
-      include DependencyCheck
-      def initialize
-        message = "kajam Gem for Ruby contains a flaw in /dataset/lib/dataset/database/postgresql.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands."
-        super({
-          :name=> "OSVDB-108530",
-          :cvss=>"",
-          :osvdb=>"108530",
-          :release_date => Date.new(2014, 6, 30),
-          :cwe=>"",
-          :owasp=>"A9",
-          :applies=>["rack", "sinatra", "padrino", "rails"],
-          :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-          :message=>message,
-          :mitigation=>"We are not currently aware of a solution for this vulnerability. Keep track on kajam gem updates",
-          :aux_links=>["http://www.vapid.dhs.org/advisories/kajam-1.0.3.rc2-2nd-vuln.html"]
-        })
-        self.safe_dependencies = [{:name=>"kajam", :version=>['1.0.3.rc3']}]
-      end
-    end
-  end
-end

data/lib/dawn/kb/osvdb_108563.rb DELETED

@@ -1,28 +0,0 @@
-module Dawn
-  module Kb
-    # Automatically created with rake on 2014-07-04
-    class OSVDB_108563
-      include DependencyCheck
-      def initialize
-        message = "gyazo Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands."
-        super({
-          :name=> "OSVDB-108563",
-          :cvss=>"",
-          :cve=>"",
-          :osvdb=>"108563",
-          :release_date => Date.new(2014, 6, 30),
-          :cwe=>"",
-          :owasp=>"A9",
-          :applies=>["rack", "sinatra", "padrino", "rails"],
-          :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-          :message=>message,
-          :mitigation=>"We are not currently aware of a solution for this vulnerability. Please check gyazo rubygem for updates and apply them as soon as possible",
-          :aux_links=>["http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html"],
-        })
-        self.safe_dependencies = [{:name=>"gyazo", :version=>['1.0.1']}]
-      end
-    end
-  end
-end

data/lib/dawn/kb/osvdb_108569.rb DELETED

@@ -1,28 +0,0 @@
-module Dawn
-  module Kb
-    # Automatically created with rake on 2014-07-04
-    class OSVDB_108569
-      include DependencyCheck
-      def initialize
-        message = "backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered as the program displays password information in plaintext in the process list. This may allow a local attacker to gain access to password information."
-        super({
-          :name=> "OSVDB-108569",
-          :osvdb=> "108569",
-          :cvss=>"",
-          :release_date => Date.new(2014, 6, 30),
-          :cwe=>"",
-          :owasp=>"A9",
-          :applies=>["rack", "sinatra", "padrino", "rails"],
-          :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-          :message=>message,
-          :mitigation=>"We are not currently aware of a solution for this vulnerability. Please check backup_checksum gem for security updates.",
-          :aux_links=>["http://www.vapid.dhs.org/advisories/backup_checksum-3.0.23.html"]
-        })
-        self.safe_dependencies = [{:name=>"backup_checksum", :version=>['3.0.24']}]
-      end
-    end
-  end
-end

data/lib/dawn/kb/osvdb_108570.rb DELETED

@@ -1,27 +0,0 @@
-module Dawn
-  module Kb
-    # Automatically created with rake on 2014-07-04
-    class OSVDB_108570
-      include DependencyCheck
-      def initialize
-        message = "backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands."
-        super({
-          :name=> "OSVDB-108570",
-          :cvss=>"",
-          :osvdb=> "108570",
-          :release_date => Date.new(2014, 6, 30),
-          :cwe=>"",
-          :owasp=>"A9",
-          :applies=>["rack", "sinatra", "padrino", "rails"],
-          :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-          :message=>message,
-          :mitigation=>"We are not currently aware of a solution for this vulnerability. Please check backup_checksum rubygem for upgrades",
-          :aux_links=>["http://www.vapid.dhs.org/advisories/backup_checksum-3.0.23.html"]
-        })
-        self.safe_dependencies = [{:name=>"backup_checksum", :version=>['3.0.24']}]
-      end
-    end
-  end
-end

data/lib/dawn/kb/osvdb_115654.rb DELETED

@@ -1,33 +0,0 @@
-module Dawn
-		module Kb
-			# Automatically created with rake on 2015-12-02
-			class OSVDB_115654
-				# Include the testing skeleton for this Security Check
-				# include PatternMatchCheck
-				include DependencyCheck
-				# include RubyVersionCheck
-				def initialize
-          title = "Sentry raven-ruby lib/raven/okjson.rb Exponent / Scientific Notation Value Handling Resource Consumption DoS"
-          message = "Sentry raven-ruby contains a flaw in the lib/raven/okjson.rb script that is triggered when large numeric values are stored as an exponent or in scientific notation. With a specially crafted request, an attacker can cause the software to consume excessive resources resulting in a denial of service."
-          super({
-            :title=>title,
-            :name=> "OSVDB_115654",
-            :cve=>"CVE-2014-9490",
-            :osvdb=>"115654",
-            :cvss=>"",
-            :release_date => Date.new(2015, 1, 20),
-            :cwe=>"",
-            :owasp=>"A9",
-            :applies=>["rails", "sinatra", "padrino"],
-            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-            :message=>message,
-            :mitigation=>"Please upgrade raven-ruby gem to version 0.12.2 or later.",
-            :aux_links=>[""]
-           })
-          self.safe_dependencies = [{:name=>"raven-ruby", :version=>['0.12.2']}]
-				end
-			end
-		end
-end

data/lib/dawn/kb/osvdb_116010.rb DELETED

@@ -1,30 +0,0 @@
-module Dawn
-		module Kb
-			# Automatically created with rake on 2015-12-03
-			class OSVDB_116010
-				include DependencyCheck
-				def initialize
-          title = "Doorkeeper Gem for Ruby access_token Disclosure CSRF"
-          message = "Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorization code via unknown vectors."
-          super({
-            :title=>title,
-            :name=> "OSVDB_116010",
-            :cve=>"CVE-2014-8144",
-            :osvdb=>"116010",
-            :cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
-            :release_date => Date.new(2014, 12, 31),
-            :cwe=>"",
-            :owasp=>"A9",
-            :applies=>["rails", "sinatra", "padrino"],
-            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-            :message=>message,
-            :mitigation=>"Please upgrade doorkeeper gem to version 1.4.1 or later.",
-            :aux_links=>[""]
-           })
-          self.safe_dependencies = [{:name=>"doorkeeper", :version=>['1.4.1']}]
-				end
-			end
-		end
-end

data/lib/dawn/kb/osvdb_117903.rb DELETED

@@ -1,30 +0,0 @@
-module Dawn
-		module Kb
-			# Automatically created with rake on 2015-12-02
-			class OSVDB_117903
-				include DependencyCheck
-				def initialize
-          title = "ruby-saml URI SAML Response Handling Remote Command Execution"
-          message = "ruby-saml contains a flaw that is triggered as the URI value of a SAML response is not properly sanitized through a prepared statement. This may allow a remote attacker to execute arbitrary shell commands on the host machine."
-           super({
-            :title=>title,
-            :name=> "OSVDB_117903",
-            :cve=>"",
-            :osvdb=>"117903",
-            :cvss=>"",
-            :release_date => Date.new(2015, 1, 7),
-            :cwe=>"",
-            :owasp=>"A9",
-            :applies=>["rails", "sinatra", "padrino"],
-            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-            :message=>message,
-            :mitigation=>"Please upgrade ruby-saml gem to version 0.8.2 or later.",
-            :aux_links=>["https://security.dxw.com/advisories/publicly-exploitable-command-injection-in-ruby-saml-0-7-2-library-can-root-the-host/"]
-           })
-           self.safe_dependencies = [{:name=>"ruby-saml", :version=>['0.8.2', '0.7.3']}]
-				end
-			end
-		end
-end