dawnscanner 2.0.0.rc2 → 2.0.0.rc3

Sign up to get free protection for your applications and to get access to all the features.
Files changed (9) hide show
  1. checksums.yaml +4 -4
  2. data/Changelog.md +2 -0
  3. data/README.md +2 -2
  4. data/VERSION +1 -1
  5. data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 +1 -0
  6. data/lib/dawn/cli/dawn_cli.rb +11 -4
  7. data/lib/dawn/engine.rb +16 -15
  8. data/lib/dawn/version.rb +5 -5
  9. metadata +3 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 2b6bee4d3b7a5f1fd9189a556dccfe88631e1eed526de637cc0d74dbecea9a71
4
- data.tar.gz: f8ad2cf91ce1e212abcfd9732534512aa54794512853f8a200a6d8d0396d5c53
3
+ metadata.gz: 72552d751163f1b0a97daa602bf4251d879e66155cb213aaecb0e7b4e9654af1
4
+ data.tar.gz: 2f50331bf792286959cd79efb3fc36f106548e11f7c338318b84779b5cb3aa4a
5
5
  SHA512:
6
- metadata.gz: 547d98cc3af2c146a7ad987e98c9b67f1f6f7237a669ed509dc08bbbc885d4c4638598b683624ce9efd627e70c6500d42f5d11204caa45a9c3f916a44c863ac5
7
- data.tar.gz: b75df8fc99cee42cba08919c7a56ff4eb41e1b0c234502f779d5957ab40efde8f4bbd5ef1c562cc113dee4489d8c718fccb615dc2bf3688526b832c2c6bc9e28
6
+ metadata.gz: 4e1d78d9d5e1b8c407b560a5199d0a3536382e13ce09bda3de2e98a9bffde2e8a0b472acb90a18b16e252355bbfbdde35180072c034500388389613dabd8497a
7
+ data.tar.gz: 600b924b3801499ef17e75fbfd5b9e01f9973394f7a76d34828f2702ae76ad4b0364b75403fc0c12820089f9b56a55ec1d2c42a8b7c8c57d5e434f96dac621f1
data/Changelog.md CHANGED
@@ -17,6 +17,8 @@ _latest update: mer 28 nov 2018, 11.03.53, CET_
17
17
  * Adding telemetry
18
18
  * Dawn::Utils include refactory. Now it's available application wide
19
19
  * debug information refactory.
20
+ * engine class, apply_all method now accepts an optional parameter containing a
21
+ list of security checks to be excluded (issue #230).
20
22
 
21
23
  ## Version 1.6.9 - codename: Tow Mater (2018-11-28)
22
24
 
data/README.md CHANGED
@@ -1,7 +1,7 @@
1
1
  # Dawnscanner - The raising security scanner for ruby web applications
2
2
 
3
- dawnscanner is a source code scanner designed to review your ruby code for security
4
- issues.
3
+ dawnscanner is a source code scanner designed to review your ruby code for
4
+ security issues.
5
5
 
6
6
  dawnscanner is able to scan plain ruby scripts (e.g. command line applications) but
7
7
  all its features are unleashed when dealing with web applications source code.
data/VERSION CHANGED
@@ -12,4 +12,4 @@
12
12
  # | "Guido" | x.x.0 |
13
13
  # | "Luigi" | x.x.0 |
14
14
  # | "Doc Hudson" | x.x.0 |
15
- 2.0.0.rc2 - Finn McMissile
15
+ 2.0.0.rc3 - Finn McMissile
data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 ADDED
@@ -0,0 +1 @@
1
+ 1c96f786d3683b79311855a14b8ef7d7ebe7b13d
data/lib/dawn/cli/dawn_cli.rb CHANGED
@@ -50,11 +50,13 @@ module Dawn
50
50
  desc "kb SUBCOMMAND ... ARGS", "Interacts with the knowledge base"
51
51
  subcommand "kb", Dawn::Cli::Kb
52
52
 
53
- desc "scan", "scans a folder for security issues"
53
+ desc "scan", "scans a ruby written application for security issues"
54
54
  option :config_file
55
- option :gemfile, :type=>:boolean
55
+ method_option :gemfile, :type=>:boolean, :default=>true, :aliases => "-G", :desc => "uses Gemfile.lock to detect MVC"
56
+ method_option :skip, :type=>:array, :aliases => "-S", :desc => "specify a list of security checks to be skipped"
56
57
  option :exit_on_warn, :type=>:boolean
57
58
  option :count, :type=>:boolean
59
+ option :s
58
60
  option :output
59
61
 
60
62
  def scan(target)
@@ -65,6 +67,10 @@ module Dawn
65
67
 
66
68
  $debug = true if options[:debug]
67
69
  $verbose = true if options[:verbose]
70
+ checks_to_be_skipped = []
71
+ checks_to_be_skipped = options[:skip] unless options[:skip].nil?
72
+
73
+ $logger.error("#{options[:skip]}")
68
74
 
69
75
  debug_me("scanning #{target}")
70
76
 
@@ -73,9 +79,10 @@ module Dawn
73
79
 
74
80
  $telemetry_url = $config[:telemetry][:endpoint] if $config[:telemetry][:enabled]
75
81
  debug_me("telemetry url is " + $telemetry_url) unless @telemetry_url.nil?
82
+
76
83
  $telemetry_id = $config[:telemetry][:id] if $config[:telemetry][:enabled]
77
-
78
84
  debug_me("telemetry id is " + $telemetry_id) unless @telemetry_id.nil?
85
+
79
86
  $logger.info("telemetry is disabled in config file") unless $config[:telemetry][:enabled]
80
87
 
81
88
  engine = Dawn::Core.detect_mvc(target) unless options[:gemfile]
@@ -97,7 +104,7 @@ module Dawn
97
104
 
98
105
  engine.load_knowledge_base
99
106
 
100
- ret = engine.apply_all
107
+ ret = engine.apply_all(checks_to_be_skipped)
101
108
  if options[:output]
102
109
  STDERR.puts (ret)? engine.vulnerabilities.count : "-1" unless options[:output] == "json"
103
110
  STDERR.puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json if options[:output] == "json"
data/lib/dawn/engine.rb CHANGED
@@ -332,28 +332,25 @@ module Dawn
332
332
  request = Net::HTTP::Post.new(uri.request_uri, header)
333
333
  request.body = tele.to_json
334
334
 
335
- response=http.request(request)
336
- debug_me(response.inspect)
337
-
338
- return true
339
-
335
+ begin
336
+ response=http.request(request)
337
+ debug_me(response.inspect)
338
+ return true
339
+ rescue => e
340
+ $logger.error "telemetry: #{e.message}"
341
+ return false
342
+ end
340
343
  end
341
344
 
342
- def apply_all
345
+ def apply_all(checks_to_be_skipped=[])
343
346
  @scan_start = Time.now
347
+ debug_me("I'm asked to skip those checks #{checks_to_be_skipped}")
344
348
  debug_me("SCAN STARTED: #{@scan_start}")
345
349
 
346
350
  telemetry
347
351
 
348
- # FIXME.20140325
349
- # Now if no checks are loaded because knowledge base was not previously called, apply and apply_all proudly refuse to run.
350
- # Reason is simple, load_knowledge_base now needs enabled check array
351
- # and I don't want to pollute engine API to propagate this value. It's
352
- # a param to load_knowledge_base and then bin/dawn calls it
353
- # accordingly.
354
- # load_knowledge_base if @checks.nil?
355
352
  if @checks.nil?
356
- $logger.err "you must load knowledge base before trying to apply security checks"
353
+ $logger.error "you must load knowledge base before trying to apply security checks"
357
354
  @scan_stop = Time.now
358
355
  debug_me("SCAN STOPPED: #{@scan_stop}")
359
356
  return false
@@ -366,7 +363,11 @@ module Dawn
366
363
  end
367
364
 
368
365
  @checks.each do |check|
369
- _do_apply(check)
366
+ if checks_to_be_skipped.include?(check.name)
367
+ $logger.info("skipping security check #{check.name}")
368
+ else
369
+ _do_apply(check)
370
+ end
370
371
  end
371
372
 
372
373
  @scan_stop = Time.now
data/lib/dawn/version.rb CHANGED
@@ -1,7 +1,7 @@
1
1
  module Dawn
2
- VERSION = "2.0.0.rc2"
3
- CODENAME = "Finn McMissile"
4
- RELEASE = "(development)"
5
- BUILD = "4"
6
- COMMIT = "g95c13be"
2
+ VERSION = "2.0.0.rc3"
3
+ CODENAME = "Finn McMissile"
4
+ RELEASE = "(development)"
5
+ BUILD = "2"
6
+ COMMIT = "g8c963e9"
7
7
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dawnscanner
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.0.rc2
4
+ version: 2.0.0.rc3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Paolo Perego
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-04-16 00:00:00.000000000 Z
11
+ date: 2019-05-07 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: cvss
@@ -288,6 +288,7 @@ files:
288
288
  - checksum/dawnscanner-1.6.7.gem.sha1
289
289
  - checksum/dawnscanner-1.6.8.gem.sha1
290
290
  - checksum/dawnscanner-2.0.0.rc1.gem.sha1
291
+ - checksum/dawnscanner-2.0.0.rc2.gem.sha1
291
292
  - code_of_conduct.md
292
293
  - dawnscanner.gemspec
293
294
  - doc/change.sh