dawnscanner 2.0.0.rc4 → 2.0.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: b9ae4a53a59b132a6ce6c85407f0d4fddd88eda75958474a1aee0ce2369b4cf4
4
- data.tar.gz: '01479eaa5129162d83ddcce897f74f250b5fe4b0cbe5e7c5e3bb2444b9cffce8'
3
+ metadata.gz: cd4bbcfe33df2cf77a454baf00629653a49480c6606e8ed20c06ded4313c3dfb
4
+ data.tar.gz: 0a0e41109d47d2f634f2ecafc1b68c1b2596156054594c6221a9ddabd04dbc23
5
5
  SHA512:
6
- metadata.gz: b2ddc397e425922f848612c1244b8e0ace964a766673b9a6f70317e441c00dd35c2687de1040fcfa0ef5203c5f7304d274e4a9091637670a8b5c3ccefec33804
7
- data.tar.gz: '0345397057005fcd021910298c1befb282eddfcad7e13f876e5d36a8715579d71990dd18bcb9cd3ca3f8387fe99e962ad8e97224d5060dad1f711f49a82e62d2'
6
+ metadata.gz: 40fb06e99f9cd958a0b5e1c95b52593d250a7aabb6cfd6623cb82561a88b250f1815a7ac6b81a1c4a9a1c2c3b5781d59225070adb0a776b31d0377efd33e7cc7
7
+ data.tar.gz: d1a37d012779435d7d8ef91161911126bdf3e0fcccb28ad113276a3036bf2cb6590d32757cccb240a845979e7667f2f8045f24a261bd8dcacabef6a81dbe0534
data/.ruby-version CHANGED
@@ -1 +1 @@
1
- 3
1
+ 3.1
data/Changelog.md CHANGED
@@ -5,16 +5,15 @@ It supports [Sinatra](http://www.sinatrarb.com),
5
5
  [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
6
6
  frameworks.
7
7
 
8
- _latest update: mer 28 nov 2018, 11.03.53, CET_
8
+ _latest update: mer 29 mar 2023, 18:32:56, CEST_
9
9
 
10
- ## Version 2.0.0 - codename: Finn McMissile (2019-xx-xx)
10
+ ## Version 2.0.0
11
11
 
12
12
  * New knowledge base, YAML based and distributed separately from the ruby gem.
13
13
  * New CLI based on Thor library. Please read README.md file to know how to
14
14
  invoke dawn the right way or use the 'dawn help' command
15
15
  * Added a new debug\_verbosely API for engines and checks
16
16
  * Removed rake osvdb[name] and rake cve[name] tasks
17
- * Adding telemetry
18
17
  * Dawn::Utils include refactory. Now it's available application wide
19
18
  * debug information refactory.
20
19
  * engine class, apply_all method now accepts an optional parameter containing a
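Review bot: deleting the "Adding telemetry" bullet leaves no record of a change users care about; the telemetry code is removed elsewhere in this diff, so replace the bullet with one that states the removal (e.g. `* Removed the telemetry facility; 2.0.0 sends nothing over the network`) instead of silently dropping it. The heading also loses its date ("## Version 2.0.0") while the 1.6.9 heading keeps one; version.rb in this diff sets RELEASE = "20230413", so `## Version 2.0.0 (2023-04-13)` would be consistent.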
@@ -22,6 +21,10 @@ _latest update: mer 28 nov 2018, 11.03.53, CET_
22
21
  * Fix issue #244. Now the KB path is no more hardcoded but it is relative to
23
22
  $HOME and 'dawnscanner' folder where results are stored.
24
23
  * Fix issue #245. Pattern matching check is skipped on empty files.
24
+ * Fix issue #250. Require missing fileutils, thanks to @lukaszsliwa
25
+ * Fix issue #252. File.exists was removed in newer interpreter versions
26
+ * Dropping codenames
27
+ * Class names must be declared before loading YAML files
25
28
 
26
29
  ## Version 1.6.9 - codename: Tow Mater (2018-11-28)
27
30
 
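Review bot: "Class names must be declared before loading YAML files" is too terse for a user-facing changelog; it refers to the `permitted_classes:` list now passed to `YAML.load_file` in the knowledge base loader, so say that a KB file may only contain the listed check classes, Date and Symbol, which is what knowledge base authors need to know. The #252 line would be clearer as "`File.exists?` was removed in Ruby 3.2; use `File.exist?`".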
data/README.md CHANGED
@@ -1,36 +1,15 @@
1
1
  # Dawnscanner - The raising security scanner for ruby web applications
2
2
 
3
- dawnscanner is a source code scanner designed to review your web applications for
3
+ dawn is a source code scanner designed to review your web applications for
4
4
  security issues.
5
5
 
6
- dawnscanner is able to scan web applications written in Ruby and it supports all
6
+ The tool is able to scan web applications written in Ruby and it supports all
7
7
  major MVC (Model View Controller) frameworks, out of the box:
8
8
 
9
9
  * [Ruby on Rails](http://rubyonrails.org)
10
10
  * [Sinatra](http://www.sinatrarb.com)
11
11
  * [Padrino](http://www.padrinorb.com)
12
12
 
13
- ## Quick update from April, 2019
14
-
15
- We just released version 2.0.0 release candidate 1 with a YAML powered revamped
16
- knowledge base. Please note that dawnscanner will include a telemetry facility
17
- sending a POST on https://dawnscanner.org/telemetry with an application id and
18
- some information about version and knowledge base.
19
-
20
- We won't now and ever collect your source code on our side.
21
-
22
- ## Quick update from November, 2018
23
-
24
- As you can see dawnscanner is on hold since more then an year. Sorry for that.
25
- It's life. I was overwhelmed by tons of stuff and I dedicated free time to
26
- Offensive Security certifications. True to be told, I'm starting OSCE journey
27
- really soon.
28
-
29
- The dawnscanner project will be updated soon with new security checks and
30
- kickstarted again.
31
-
32
- Paolo
33
-
34
13
  ---
35
14
 
36
15
  [![Gem Version](https://badge.fury.io/rb/dawnscanner.png)](http://badge.fury.io/rb/dawnscanner)
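Review bot: renaming the product to "dawn" in line 3 while the gem, the badge and the repository remain `dawnscanner` will confuse readers; state once, up front, that the gem is `dawnscanner` and the command is `dawn`. Dropping the April 2019 telemetry notice is right given that the telemetry code is removed in this release, but a one-line statement that 2.0.0 sends nothing over the network would reassure anyone who read the release-candidate notice.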
@@ -42,13 +21,13 @@ Paolo
42
21
 
43
22
  ---
44
23
 
45
- dawnscanner version 1.6.6 has 235 security checks loaded in its knowledge
46
- base. Most of them are CVE bulletins applying to gems or the ruby interpreter
47
- itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.
24
+ dawn version 2.0 has 680+ security checks loaded in its knowledge base
25
+ which is weekly updated from the [National Vulnerability
26
+ Database](https://nvd.nist.gov/) by NIST.
48
27
 
49
- ## An overall introduction
28
+ ## A brief "how it works"
50
29
 
51
- When you run dawnscanner on your code it parses your project Gemfile.lock
30
+ When you run dawn on your code it parses your project Gemfile.lock
52
31
  looking for the gems used and it tries to detect the ruby interpreter version
53
32
  you are using or you declared in your ruby version management tool you like
54
33
  most (RVM, rbenv, ...).
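Review bot: "which is weekly updated from the National Vulnerability Database by NIST" reads as if NIST updates the knowledge base; suggest "updated weekly from NIST's National Vulnerability Database". "680+" will be stale as soon as the separately distributed knowledge base is refreshed; point readers to the `dawn kb status` subcommand documented later in this README instead of a fixed count.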
@@ -57,244 +36,93 @@ Then the tool tries to detect the MVC framework your web application uses and
57
36
  it applies the security check accordingly. There checks designed to match rails
58
37
  application or checks that are appliable to any ruby code.
59
38
 
60
- dawnscanner can also understand the code in your views and to backtrack
39
+ dawn can also understand the code in your views and to backtrack
61
40
  sinks to spot cross site scripting and sql injections introduced by the code
62
- you actually wrote. In the project roadmap this is the code most of the future
63
- development effort will be focused on.
41
+ you actually wrote **(in the project roadmap this is the code most of the future
42
+ development effort will be focused on).**
64
43
 
65
- dawnscanner security scan result is a list of vulnerabilities with some
44
+ dawn security scan result is a list of vulnerabilities with some
66
45
  mitigation actions you want to follow in order to build a stronger web
67
46
  application.
68
47
 
69
48
  ## Installation
70
49
 
71
- You can install latest dawnscanner version, fetching it from
50
+ You can install latest dawn version, fetching it from
72
51
  [Rubygems](https://rubygems.org) by typing:
73
52
 
74
53
  ```
75
- $ gem install dawnscanner
76
- ```
77
-
78
- If you want to add dawn to your project Gemfile, you must add the following:
79
-
80
- group :development do
81
- gem 'dawnscanner', :require=>false
82
- end
83
-
84
- And then upgrade your bundle
85
-
86
- $ bundle install
87
-
88
- You may want to build it from source, so you have to check it out from github first:
89
-
90
- $ git clone https://github.com/thesp0nge/dawnscanner.git
91
- $ cd dawnscanner
92
- $ bundle install
93
- $ rake install
94
-
95
- And the dawnscanner gem will be built in a pkg directory and then installed
96
- on your system. Please note that you have to manage dependencies on your own
97
- this way. It makes sense only if you want to hack the code or something like
98
- that.
99
-
100
- ## Usage
101
-
102
- You can start your code review with dawnscanner very easily. Simply tell the tool
103
- where the project root directory.
104
-
105
- Underlying MVC framework is autodetected by dawnscanner using target Gemfile.lock
106
- file. If autodetect fails for some reason, the tool will complain about it and
107
- you have to specify if it's a rails, sinatra or padrino web application by
108
- hand.
109
-
110
- Basic usage is to specify some optional command line option to fit best your
111
- needs, and to specify the target directory where your code is stored.
112
-
113
- ```
114
- $ dawn [options] target
54
+ $ gem install dawnscanner
115
55
  ```
116
56
 
117
- In case of need, there is a quick command line option reference running
118
- ```dawn -h``` at your OS prompt.
119
-
120
- ```
121
- $ dawn -h
122
- Usage: dawn [options] target_directory
123
-
124
- Examples:
125
- $ dawn a_sinatra_webapp_directory
126
- $ dawn -C the_rails_blog_engine
127
- $ dawn -C --json a_sinatra_webapp_directory
128
- $ dawn --ascii-tabular-report my_rails_blog_ecommerce
129
- $ dawn --html -F my_report.html my_rails_blog_ecommerce
130
-
131
- -G, --gem-lock force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock (DEPRECATED)
132
- -d, --dependencies force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock
133
-
134
- Reporting
135
-
136
- -a, --ascii-tabular-report cause dawn to format findings using tables in ascii art (DEPRECATED)
137
- -j, --json cause dawn to format findings using json
138
- -K, --console cause dawn to format findings using plain ascii text
139
- -C, --count-only dawn will only count vulnerabilities (useful for scripts)
140
- -z, --exit-on-warn dawn will return number of found vulnerabilities as exit code
141
- -F, --file filename tells dawn to write output to filename
142
- -c, --config-file filename tells dawn to load configuration from filename
143
-
144
- Disable security check family
145
-
146
- --disable-cve-bulletins disable all CVE security checks
147
- --disable-code-quality disable all code quality checks
148
- --disable-code-style disable all code style checks
149
- --disable-owasp-ror-cheatsheet disable all Owasp Ruby on Rails cheatsheet checks
150
- --disable-owasp-top-10 disable all Owasp Top 10 checks
151
-
152
- Flags useful to query Dawn
153
-
154
- -S, --search-knowledge-base [check_name] search check_name in the knowledge base
155
- --list-knowledge-base list knowledge-base content
156
- --list-known-families list security check families contained in dawn's knowledge base
157
- --list-known-framework list ruby MVC frameworks supported by dawn
158
- --list-scan-registry list past scan informations stored in scan registry
159
-
160
- Service flags
161
-
162
- -D, --debug enters dawn debug mode
163
- -V, --verbose the output will be more verbose
164
- -v, --version show version information
165
- -h, --help show this help
166
- ```
57
+ After that, you need to download the [knowledge
58
+ base](https://github.com/thesp0nge/dawn_knowledge_base/releases) from
59
+ Github and unpack the archive to ```$HOME/dawnscanner/kb``` directory.
167
60
 
168
- ### Rake task
169
-
170
- To include dawnscanner in your rake task list, you simply have to put this line in
171
- your ```Rakefile```
61
+ A typical kb directory layout is similar to this:
172
62
 
173
63
  ```
174
- require 'dawn/tasks'
64
+ $ ll ~/dawnscanner/kb
65
+ total 56K
66
+ drwxr-xr-x 2 thesp0nge users 28K 29 mar 18.27 bulletin
67
+ drwxr-xr-x 2 thesp0nge users 72 7 lug 2021 generic_check
68
+ -rw-r--r-- 1 thesp0nge users 65 29 mar 17.06 kb.yaml
69
+ -rw-r--r-- 1 thesp0nge users 74 29 mar 17.06 kb.yaml.sig
70
+ drwxr-xr-x 2 thesp0nge users 4,0K 7 lug 2021 owasp_ror_cheatsheet
175
71
  ```
176
72
 
177
- Then executing ```$ rake -T``` you will have a ```dawn:run``` task you want to
178
- execute.
73
+ The knowledge base is structured this way:
74
+ * bulletin is the folder where all CVE downloaded from NIST are stored.
75
+ * generic_check is the folder with all custom checks for your code
76
+ * owasp_ror_cheatsheet is for the Owasp Ruby on Rails cheatsheet
77
+ recomendations
179
78
 
180
- ```
181
- $ rake -T
182
- ...
183
- rake dawn:run # Execute dawnscanner on the current directory
184
- ...
185
- ```
186
-
187
- ### Interacting with the knowledge base
188
-
189
- You can dump all security checks in the knowledge base this way
190
-
191
- ```
192
- $ dawn --list-knowledge-base
193
- ```
194
-
195
- Useful in scripts, you can use ```--search-knowledge-base``` or ```-S``` with
196
- as parameter the check name you want to see if it's implemented as a security
197
- control or not.
198
-
199
- ```
200
- $ dawn -S CVE-2013-6421
201
- 07:59:30 [*] dawn v1.1.0 is starting up
202
- CVE-2013-6421 found in knowledgebase.
203
-
204
- $ dawn -S this_test_does_not_exist
205
- 08:02:17 [*] dawn v1.1.0 is starting up
206
- this_test_does_not_exist not found in knowledgebase
207
- ```
208
-
209
- ### dawnscanner security scan in action
79
+ ## Usage
210
80
 
211
- As output, dawnscanner will put all security checks that are failed during the scan.
81
+ Starting from version 2.0, the tool uses subcommands to start specific tasks,
82
+ each of them with specific help messages.
212
83
 
213
- This the result of Codedake::dawnscanner running against a
214
- [Sinatra 1.4.2 web application](https://github.com/thesp0nge/railsberry2013) wrote for a talk I
215
- delivered in 2013 at [Railsberry conference](http://www.railsberry.com).
84
+ ### Scanning a project
216
85
 
217
- As you may see, dawnscanner first detects MVC running the application by
218
- looking at Gemfile.lock, than it discards all security checks not appliable to
219
- Sinatra (49 security checks, in version 1.0, especially designed for Ruby on
220
- Rails) and it applies them.
86
+ The scan subcommand tells dawn to scan the specified target for security
87
+ issues.
221
88
 
222
89
  ```
223
- $ dawn ~/src/hacking/railsberry2013
224
- 18:40:27 [*] dawn v1.1.0 is starting up
225
- 18:40:27 [$] dawn: scanning /Users/thesp0nge/src/hacking/railsberry2013
226
- 18:40:27 [$] dawn: sinatra v1.4.2 detected
227
- 18:40:27 [$] dawn: applying all security checks
228
- 18:40:27 [$] dawn: 109 security checks applied - 0 security checks skipped
229
- 18:40:27 [$] dawn: 1 vulnerabilities found
230
- 18:40:27 [!] dawn: CVE-2013-1800 check failed
231
- 18:40:27 [$] dawn: Severity: high
232
- 18:40:27 [$] dawn: Priority: unknown
233
- 18:40:27 [$] dawn: Description: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
234
- 18:40:27 [$] dawn: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
235
- 18:40:27 [$] dawn: Evidence:
236
- 18:40:27 [$] dawn: Vulnerable crack gem version found: 0.3.1
237
- 18:40:27 [*] dawn is leaving
90
+ $ dawn scan target
238
91
  ```
239
92
 
240
- ---
93
+ At the moment results are available in text format only and they are stored in
94
+ a directory named with the scan timestamp, under
95
+ $HOME/dawnscanner/results/target, where target is the name of the application
96
+ being analyzed.
241
97
 
242
- When you run dawnscanner on a web application with up to date dependencies,
243
- it's likely to return a friendly _no vulnerabilities found_ message. Keep it up
244
- working that way!
98
+ ### Querying the knowledge base
245
99
 
246
- This is dawnscanner running against a Padrino web application I wrote for [a
247
- scorecard quiz game about application security](http://scorecard.armoredcode.com).
248
- Italian language only. Sorry.
100
+ Is it possible, with the kb subcommand, to query the knowledge base.
249
101
 
250
102
  ```
251
- 18:42:39 [*] dawn v1.1.0 is starting up
252
- 18:42:39 [$] dawn: scanning /Users/thesp0nge/src/CORE_PROJECTS/scorecard
253
- 18:42:39 [$] dawn: padrino v0.11.2 detected
254
- 18:42:39 [$] dawn: applying all security checks
255
- 18:42:39 [$] dawn: 109 security checks applied - 0 security checks skipped
256
- 18:42:39 [*] dawn: no vulnerabilities found.
257
- 18:42:39 [*] dawn is leaving
103
+ dawn kb find # Searches the knowledge base for a given security test
104
+ dawn kb help [COMMAND] # Describe subcommands or one specific subcommand
105
+ dawn kb lint # Checks knowledge base content for correcteness
106
+ dawn kb status # Checks the status of the knowledge base
107
+ dawn kb unpack # Unpacks security checks in KB library path
258
108
  ```
259
109
 
260
- If you need a fancy HTML report about your scan, just ask it to dawnscanner
261
- with the ```--html``` flag used with the ```--file``` since I wanto to save the
262
- HTML to disk.
263
-
264
- ```
265
- $ dawn /Users/thesp0nge/src/hacking/rt_first_app --html --file report.html
266
-
267
- 09:00:54 [*] dawn v1.1.0 is starting up
268
- 09:00:54 [*] dawn: report.html created (2952 bytes)
269
- 09:00:54 [*] dawn is leaving
270
- ```
271
-
272
- ---
273
-
274
110
  ## Useful links
275
111
 
276
- Project homepage: [http://dawnscanner.org](http://dawnscanner.org)
277
-
278
112
  Twitter profile: [@dawnscanner](https://twitter.com/dawnscanner)
279
-
280
113
  Github repository: [https://github.com/thesp0nge/dawnscanner](https://github.com/thesp0nge/dawnscanner)
281
114
 
282
- Mailing list: [https://groups.google.com/forum/#!forum/dawnscanner](https://groups.google.com/forum/#!forum/dawnscanner)
283
115
 
284
116
  ## Support us
285
117
 
286
118
  Feedbacks are great and we really love to hear your voice.
287
119
 
288
- If you're a proud dawnscanner user, if you find it useful, if you integrated
120
+ If you're a proud dawn user, if you find it useful, if you integrated
289
121
  it in your release process and if you want to openly support the project you
290
122
  can put your reference here. Just open an
291
123
  [issue](https://github.com/thesp0nge/dawnscanner/issues/new) with a statement saying
292
124
  how do you feel the tool and your company logo if any.
293
125
 
294
- More easily you can drop an email to
295
- [paolo@dawnscanner.org](mailto:paolo@dawnscanner.org) sending a statement about your
296
- success story and I'll put on the website.
297
-
298
126
  Thank you.
299
127
 
300
128
  ## Thanks to
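Review bot: the directory listing shows `kb.yaml.sig` next to `kb.yaml`, but the text never says whether dawn verifies that signature, and each knowledge base YAML file is deserialized into a check object at load time, so a reader cannot tell how much to trust a manually unpacked archive; document what the .sig covers and what `dawn kb status` and `dawn kb lint` actually check. The installation text says to unpack the archive by hand into `$HOME/dawnscanner/kb` while the command list offers `dawn kb unpack`; pick one supported path and describe it. Smaller points: `$ ll` is a shell alias, use `ls -l`; "Is it possible, with the kb subcommand, to query" should be "It is possible"; "recomendations" and "correcteness" are misspelled (the latter is in the `kb lint` help string, so likely in the CLI source too); and the mailing list and homepage links are removed without replacement, leaving only Twitter and GitHub in "Useful links".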
@@ -310,7 +138,7 @@ Thank you.
310
138
 
311
139
  ## LICENSE
312
140
 
313
- Copyright (c) 2013-2016 Paolo Perego <paolo@dawnscanner.org>
141
+ Copyright (c) 2013-2023 Paolo Perego <paolo@armoredcode.com>
314
142
 
315
143
  MIT License
316
144
 
@@ -332,7 +160,3 @@ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
332
160
  LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
333
161
  OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
334
162
  WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
335
-
336
-
337
-
338
-
data/Rakefile CHANGED
@@ -37,7 +37,6 @@ namespace :version do
37
37
  a = f.readlines
38
38
  end
39
39
  version = a[a.length - 1].split('-')[0]# .chomp
40
- codename = a[a.length - 1].split('-')[1]
41
40
 
42
41
  File.open("./lib/dawn/version.rb", "w") do |f|
43
42
 
@@ -47,12 +46,9 @@ namespace :version do
47
46
  if branch_name != "main"
48
47
  av = version.split('.')
49
48
  f.puts " VERSION = \"#{av[0]}.#{av[1]}.#{commit_hash.chop}\""
50
- f.puts " CODENAME = \"#{codename.lstrip!.chop}\""
51
49
  f.puts " RELEASE = \"(development)\""
52
50
  else
53
- puts "here"
54
51
  f.puts " VERSION = \"#{version.rstrip!}\""
55
- f.puts " CODENAME = \"#{codename.lstrip!.chop}\""
56
52
  f.puts " RELEASE = \"#{release}\""
57
53
  end
58
54
  f.puts " BUILD = \"#{build_number.chop}\""
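Review bot: `f.puts " VERSION = \"#{version.rstrip!}\""` on the context line uses the bang form, which returns nil when nothing is stripped, so if VERSION ever ends without a trailing newline the generated constant becomes `VERSION = ""`; use `version.rstrip` there (the removed CODENAME lines had the same `lstrip!.chop` hazard, now gone). Removing the stray `puts "here"` debug output is welcome.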
data/VERSION CHANGED
@@ -1,15 +1,3 @@
1
- # Each dawnscanner major release will have a Disney Pixar Cars / Cars2
2
- # character as codename. My son Daniele loves those films and since I love
3
- # him too, this is a kinda sort of tribute of my son's passion.
4
- #
5
- # Future releases
6
- #
7
- # | Character | Release |
8
- # |-----------------|---------|
9
- # | "Finn McMissile"| 2.0.0 |
10
- # | "Fillmore" | x.x.0 |
11
- # |"Holly Shiftwell"| x.x.0 |
12
- # | "Guido" | x.x.0 |
13
- # | "Luigi" | x.x.0 |
14
- # | "Doc Hudson" | x.x.0 |
15
- 2.0.0.rc4 - Finn McMissile
1
+ # I removed codenames :-)
2
+ # Code review is fun
3
+ 2.0.0
@@ -0,0 +1 @@
1
+ a3c19b2d55316c328e45c0f316216b56397f4ef3
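Review bot: this one-line file is added without its path appearing on this page; from the `checksum/dawnscanner-2.0.0.rc5.gem.sha1` entry added to the gem's file list in the metadata hunk it looks like a release checksum. SHA-1 is a weak choice for a release integrity artefact; checksums.yaml in this same gem already records SHA-256 and SHA-512, so publish one of those instead.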
data/code_of_conduct.md CHANGED
@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
55
55
  ## Enforcement
56
56
 
57
57
  Instances of abusive, harassing, or otherwise unacceptable behavior may be
58
- reported by contacting the project team at paolo@dawnscanner.org. All
58
+ reported by contacting the project team at paolo@armoredcode.com. All
59
59
  complaints will be reviewed and investigated and will result in a response that
60
60
  is deemed necessary and appropriate to the circumstances. The project team is
61
61
  obligated to maintain confidentiality with regard to the reporter of an incident.
data/dawnscanner.gemspec CHANGED
@@ -1,7 +1,5 @@
1
1
  # -*- encoding: utf-8 -*-
2
- lib = File.expand_path('../lib', __FILE__)
3
- $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
- require 'dawn/version'
2
+ require_relative 'lib/dawn/version'
5
3
 
6
4
  Gem::Specification.new do |gem|
7
5
  gem.name = "dawnscanner"
@@ -52,10 +50,9 @@ Gem::Specification.new do |gem|
52
50
  # Marked to be unused right now
53
51
  # gem.add_dependency 'parser'
54
52
 
55
- gem.add_development_dependency ('coveralls')
56
- gem.add_development_dependency 'rake'
57
- gem.add_development_dependency 'rspec'
53
+ gem.add_development_dependency('coveralls')
54
+ gem.add_development_dependency('rake')
55
+ gem.add_development_dependency('rspec')
58
56
  gem.add_development_dependency('tomdoc')
59
57
  gem.add_development_dependency('aruba')
60
- gem.add_development_dependency('simplecov')
61
58
  end
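Review bot: simplecov is dropped from the development dependencies while coveralls stays; coveralls pulls simplecov in transitively, so the bundle still resolves, but if spec_helper does `require 'simplecov'` and configures it directly that is now an undeclared dependency; either keep simplecov listed or remove its direct use. Normalising the three `add_development_dependency(...)` calls to one style is fine.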
@@ -90,14 +90,6 @@ module Dawn
90
90
 
91
91
  debug_me($config)
92
92
 
93
- $telemetry_url = $config[:telemetry][:endpoint] if $config[:telemetry][:enabled]
94
- debug_me("telemetry url is " + $telemetry_url) unless @telemetry_url.nil?
95
-
96
- $telemetry_id = $config[:telemetry][:id] if $config[:telemetry][:enabled]
97
- debug_me("telemetry id is " + $telemetry_id) unless @telemetry_id.nil?
98
-
99
- debug_me("telemetry is disabled in config file") unless $config[:telemetry][:enabled]
100
-
101
93
  engine = Dawn::Core.detect_mvc(target) unless options[:gemfile]
102
94
  engine = Dawn::GemfileLock.new(target) if options[:gemfile]
103
95
 
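Review bot: good to see the telemetry globals go. The removed code set `$telemetry_url` but tested `@telemetry_url.nil?` (an instance variable, always nil here), so those debug lines never ran anyway, which shows the feature had no test coverage. With `$telemetry_url` and `$telemetry_id` no longer assigned, grep for any remaining reader of either global; a leftover reference fails only at runtime. `debug_me($config)` on the context line still dumps the whole configuration at debug level, which is less sensitive now that the telemetry id is gone but worth remembering if anything secret is ever added to the config.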
@@ -127,6 +119,7 @@ module Dawn
127
119
  end
128
120
 
129
121
  $logger.info("#{engine.count_vulnerabilities} issues found")
122
+ $logger.info("#{engine.checks.count} checks applied")
130
123
 
131
124
  Dawn::Reporter.new({:engine=>engine, :apply_all_code=>ret}).report
132
125
  $logger.bye
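Review bot: `engine.checks.count` raises NoMethodError on nil when the knowledge base was not loaded; apply_all in engine.rb handles `@checks.nil?` by logging an error and returning, but this log line runs afterwards regardless. Guard it (skip the line when `engine.checks.nil?`, or use `engine.checks.to_a.count`), and if `checks` holds every loaded check the message "checks applied" overstates once `checks_to_be_skipped` is honoured; "checks loaded" would be accurate.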
data/lib/dawn/core.rb CHANGED
@@ -123,7 +123,7 @@ module Dawn
123
123
 
124
124
  # If create_if_none flag is set to true, than I'll create a config file
125
125
  # on the current directory with the default configuration.
126
- conf = {:verbose=>false, :output=>"tabular", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES, :telemetry=>{:enabled=>false, :endpoint=>"", :id=>""}}
126
+ conf = {:verbose=>false, :output=>"tabular", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}
127
127
 
128
128
  # Calculate the conf file path
129
129
  conf_path = File.expand_path('~') +'/.'+conf_name
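Review bot: the default configuration hash is now duplicated verbatim here and in `read_conf` in the next hunk; the telemetry key had to be removed from both in this diff, which is exactly how the two copies drift. Hoist it into one constant (e.g. `DEFAULT_CONF`) and `dup` it where needed.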
@@ -138,7 +138,7 @@ module Dawn
138
138
  end
139
139
 
140
140
  def self.read_conf(file=nil)
141
- conf = {:verbose=>false, :output=>"tabular", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES, :telemetry=>{:enabled=>false, :endpoint=>"", :id=>""}}
141
+ conf = {:verbose=>false, :output=>"tabular", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}
142
142
  begin
143
143
  debug_me("returning a default config") if file.nil? or ! File.exist?(file)
144
144
  return conf if file.nil?
@@ -151,7 +151,6 @@ module Dawn
151
151
 
152
152
  cf = YAML.load_file(file)
153
153
 
154
- tm = cf[:telemetry]
155
154
  cc = cf[:enabled_checks]
156
155
 
157
156
  # TODO
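Review bot: `cf = YAML.load_file(file)` on the context line loads the user's config with no `permitted_classes`, and the file is read with symbol keys (`cf[:enabled_checks]`) alongside string keys (`cf["debug"]` in the next hunk). On the Ruby 3.1 now pinned in .ruby-version, Psych 4 makes `load_file` a safe load that rejects Symbol, so a config written by the old `$config.to_yaml` (which emits `:enabled_checks:`) raises Psych::DisallowedClass instead of being read. Either load with `permitted_classes: [Symbol]` as the knowledge base loader in this diff does, or normalise the config to string keys. Dropping the `:telemetry` read is consistent with the rest of the diff.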
@@ -160,7 +159,6 @@ module Dawn
160
159
  conf[:debug] = cf["debug"] unless cf["debug"].nil?
161
160
  conf[:output] = cf["output"] unless cf["output"].nil?
162
161
  conf[:enabled_checks] = cc unless cc.nil?
163
- conf[:telemetry] = tm unless tm.nil?
164
162
 
165
163
  return conf
166
164
  end
data/lib/dawn/engine.rb CHANGED
@@ -1,6 +1,7 @@
1
1
  require 'net/http'
2
2
  require 'json'
3
3
  require 'socket'
4
+ require 'fileutils'
4
5
  # Statistics stuff
5
6
  # require 'code_metrics/statistics'
6
7
 
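Review bot: `net/http`, `json` and `socket` remain required at the top although their only visible user, the telemetry code, is removed further down in this file; drop them if nothing else in engine.rb uses them so the file's dependency surface matches what the engine does. The new `require 'fileutils'` is the issue #250 fix from the changelog.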
@@ -269,8 +270,6 @@ module Dawn
269
270
  # otherwise
270
271
  def apply(name)
271
272
 
272
- telemetry
273
-
274
273
  # FIXME.20140325
275
274
  # Now if no checks are loaded because knowledge base was not previously called, apply and apply_all proudly refuse to run.
276
275
  # Reason is simple, load_knowledge_base now needs enabled check array
@@ -292,66 +291,13 @@ module Dawn
292
291
  false
293
292
  end
294
293
 
295
- def have_a_telemetry_id?
296
- debug_me ($telemetry_id != "" and ! $telemetry_id.nil?)
297
- return ($telemetry_id != "" and ! $telemetry_id.nil?)
298
-
299
- end
300
-
301
- def get_a_telemetry_id
302
- return "" if ($telemetry_url == "" or $telemetry_url.nil?)
303
- debug_me("T: " + $telemetry_url)
304
-
305
- url = URI.parse($telemetry_url+"/new")
306
- res = Net::HTTP.get_response(url)
307
-
308
- return "" unless res.code.to_i == 200
309
- return JSON.parse(res.body)["uuid"]
310
- end
311
-
312
- def telemetry
313
- unless $config[:telemetry][:enabled]
314
- debug_me("telemetry is disabled")
315
- return false
316
- end
317
-
318
- unless have_a_telemetry_id?
319
- $telemetry_id = get_a_telemetry_id
320
- $config[:telemetry][:id] = $telemetry_id
321
- debug_me($config)
322
- debug_me("saving config to " + $config_name)
323
- File.open($config_name, 'w') { |f| f.write $config.to_yaml }
324
- end
325
294
 
326
- debug_me("Telemetry ID is: " + $telemetry_id)
327
-
328
- uri=URI.parse($telemetry_url+"/"+$telemetry_id)
329
- header = {'Content-Type': 'text/json'}
330
- tele = { "kb_version" => Dawn::KnowledgeBase::VERSION ,
331
- "ip" => Socket.ip_address_list.detect{|intf| intf.ipv4_private?}.ip_address,
332
- "message"=> Dawn::KnowledgeBase
333
- }
334
- http = Net::HTTP.new(uri.host, uri.port)
335
- request = Net::HTTP::Post.new(uri.request_uri, header)
336
- request.body = tele.to_json
337
-
338
- begin
339
- response=http.request(request)
340
- debug_me(response.inspect)
341
- return true
342
- rescue => e
343
- $logger.error "telemetry: #{e.message}"
344
- return false
345
- end
346
- end
347
295
 
348
296
  def apply_all(checks_to_be_skipped=[])
349
297
  @scan_start = Time.now
350
298
  debug_me("I'm asked to skip those checks #{checks_to_be_skipped}")
351
299
  debug_me("SCAN STARTED: #{@scan_start}")
352
300
 
353
- telemetry
354
-
355
301
  if @checks.nil?
356
302
  $logger.error "you must load knowledge base before trying to apply security checks"
357
303
  @scan_stop = Time.now
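Review bot: removing this block takes a private IPv4 address and the KB version off the wire and also removes a `File.open($config_name, 'w')` that rewrote the user's config file as a side effect of running a scan; both are welcome. Two consecutive blank lines are left where the methods were (new-side lines 294 and 295); collapse them to one. If telemetry is ever reintroduced it should be opt-in with a documented payload rather than a `Dawn::KnowledgeBase` constant serialised as `"message"`.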
@@ -455,15 +401,15 @@ module Dawn
455
401
  vc = nil
456
402
  vc = check.vulnerable_checks if check.kind == Dawn::KnowledgeBase::COMBO_CHECK
457
403
 
458
- @vulnerabilities << {:name=> check.name,
459
- :severity=>check.severity,
460
- :priority=>check.priority,
461
- :kind=>check.check_family,
462
- :message=>check.message,
463
- :remediation=>check.remediation,
464
- :evidences=>check.evidences,
465
- :cve_link=>check.cve_link,
466
- :cvss_score=>check.cvss_score,
404
+ @vulnerabilities << {:name=> check.name || "CVE-XXXX-YYYY",
405
+ :severity=>check.severity || "Unknown severity",
406
+ :priority=>check.priority || "Unknown priority",
407
+ :kind=>check.check_family || "Unknown kind",
408
+ :message=>check.message || "",
409
+ :remediation=>check.remediation || "",
410
+ :evidences=>check.evidences || [],
411
+ :cve_link=>check.cve_link || "No link",
412
+ :cvss_score=>check.cvss_score || "No score",
467
413
  :vulnerable_checks=>vc}
468
414
 
469
415
  end
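Review bot: `check.name || "CVE-XXXX-YYYY"` turns a check with no name into a report entry that looks like a real CVE identifier, and `cvss_score || "No score"` puts a string where consumers expect a number, so sorting by score or a JSON consumer will break on these entries. A nameless or scoreless check is a malformed knowledge base entry; reject it in `kb lint` and skip it here with a logged warning, and use nil rather than text for the score. `message || ""`, `remediation || ""` and `evidences || []` are reasonable defaults.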
@@ -62,7 +62,7 @@ module Dawn
62
62
  matches = []
63
63
  raise ArgumentError.new("skipping empty file") if File.zero?(filename)
64
64
  begin
65
- matches = run(load_file(filename)) if File.exists?(filename) && File.file?(filename) && ! File.binary?(filename) && ! must_exclude?(filename)
65
+ matches = run(load_file(filename)) if File.exist?(filename) && File.file?(filename) && ! File.binary?(filename) && ! must_exclude?(filename)
66
66
  found = ! matches.empty?
67
67
  rescue ArgumentError => e
68
68
  puts "Skipping pattern match check for #(unknown): #{e.message}"
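Review bot: `File.exist?` is the correct replacement for `File.exists?`, which Ruby 3.2 removed. On the context line, `puts "Skipping pattern match check for #(unknown): #{e.message}"` has `#(unknown)` where `#{filename}` was evidently meant, so the message never names the skipped file; it also prints with `puts` rather than `$logger` like the rest of the code.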
@@ -31,6 +31,8 @@ module Dawn
31
31
  @dependencies.each do |dep|
32
32
  unless @vulnerable_version_array.nil? or @vulnerable_version_array.empty?
33
33
  if dep[:name] == @vulnerable_version_array[0][:name]
34
+ debug_me("DEP VERSION #{dep[:version]}")
35
+ debug_me("VULN_VER #{@vulnerable_version_array[0][:version]}")
34
36
  return false if @vulnerable_version_array[0][:version].nil? or @vulnerable_version_array[0][:version].empty?
35
37
  return true if @vulnerable_version_array[0][:version].include? dep[:version]
36
38
  end
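Review bot: the two debug lines are harmless, but while touching this comparison: only `@vulnerable_version_array[0]` is ever consulted, so a check listing several vulnerable gems never matches the second and later entries, and `include?` is an exact element match when `[:version]` is an array but a substring match when it is a string (`"1.10.0".include?("1.1")` is true). Add a test for both shapes, or normalise to an array before comparing.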
@@ -11,6 +11,8 @@ require 'digest'
11
11
 
12
12
  require 'date'
13
13
 
14
+ require 'fileutils'
15
+
14
16
  # Core KB
15
17
  require "dawn/kb/basic_check"
16
18
  require "dawn/kb/pattern_match_check"
@@ -210,7 +212,18 @@ module Dawn
210
212
  else
211
213
  Dir.glob(dir+"/**/*.yml").each do |f|
212
214
  begin
213
- data = YAML.load_file(f)
215
+ data = YAML.load_file(f, permitted_classes: [Dawn::Kb::UnsafeDependencyCheck,
216
+ Dawn::Kb::BasicCheck,
217
+ Dawn::Kb::ComboCheck,
218
+ Dawn::Kb::DependencyCheck,
219
+ Dawn::Kb::DeprecationCheck,
220
+ Dawn::Kb::OperatingSystemCheck,
221
+ Dawn::Kb::PatternMatchCheck,
222
+ Dawn::Kb::RubygemCheck,
223
+ Dawn::Kb::RubyVersionCheck,
224
+ Dawn::Kb::VersionCheck,
225
+ Date,
226
+ Symbol])
214
227
  @security_checks << data
215
228
  good+=1
216
229
  $logger.info("#{File.basename(f)} loaded") if lint
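Review bot: restricting `YAML.load_file` to an explicit `permitted_classes` list is the right direction, since each KB file instantiates a check object; keep `aliases` at its default of false, and consider verifying the `kb.yaml.sig` that ships with the knowledge base before walking `Dir.glob(dir+"/**/*.yml")`, because as written anything able to write into `$HOME/dawnscanner/kb` can feed the scanner arbitrary check objects. The class list is inlined here; hoist it into a constant so `kb lint` and this loader cannot diverge, and have the rescue around this `begin` log `Psych::DisallowedClass` with the file name so KB authors learn which class is not permitted.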
data/lib/dawn/reporter.rb CHANGED
@@ -1,3 +1,5 @@
1
+ require 'fileutils'
2
+
1
3
  module Dawn
2
4
  class Reporter
3
5
 
data/lib/dawn/version.rb CHANGED
@@ -1,7 +1,6 @@
1
1
  module Dawn
2
- VERSION = "2.0.0.rc4"
3
- CODENAME = "Finn McMissile"
4
- RELEASE = "20210406"
5
- BUILD = "26"
6
- COMMIT = "g9f7c8c3"
2
+ VERSION = "2.0.0"
3
+ RELEASE = "20230413"
4
+ BUILD = "13"
5
+ COMMIT = "g23e6a59"
7
6
  end
@@ -1,26 +1,29 @@
1
1
  require 'spec_helper'
2
2
 
3
- class DependencyMockup
4
- include Dawn::Kb::DependencyCheck
3
+ # class DependencyMockup
4
+ # include Dawn::Kb::DependencyCheck
5
5
 
6
- def initialize
7
- message = "This is a mock"
8
- super(
9
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
10
- :applies=>['sinatra', 'padrino', 'rails'],
11
- :message=> message
12
- )
13
- # self.debug = true
6
+ # def initialize
7
+ # message = "This is a mock"
8
+ # super(
9
+ # :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
10
+ # :applies=>['sinatra', 'padrino', 'rails'],
11
+ # :message=> message
12
+ # )
13
+ # # self.debug = true
14
14
 
15
- self.safe_dependencies = [{:name=>'this_gem', :version=>['0.3.0', '1.3.3', '2.3.3', '2.4.2', '9.4.31.2']}]
16
- self.save_major = true
17
- end
18
- end
15
+ # self.safe_dependencies = [{:name=>'this_gem', :version=>['0.3.0', '1.3.3', '2.3.3', '2.4.2', '9.4.31.2']}]
16
+ # self.save_major = true
17
+ # end
18
+ # end
19
19
 
20
20
 
21
21
  describe "The security check for gem dependency should" do
22
22
  before(:all) do
23
- @check = DependencyMockup.new
23
+ @check = Dawn::Kb::DependencyCheck.new
24
+ @check.kind=Dawn::KnowledgeBase::DEPENDENCY_CHECK
25
+ @check.applies = ['sinatra', 'padrino', 'rails']
26
+ @check.message = "This is a mock"
24
27
  end
25
28
  # let (:check) {Mockup.new}
26
29
 
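Review bot: the DependencyMockup class is commented out rather than deleted; remove the dead block, the history is in git. `Dawn::Kb::DependencyCheck.new` is now called with no arguments whereas the old mockup passed `:kind`, `:applies` and `:message` to `super`, so confirm the module's initializer accepts an empty call; and `safe_dependencies` and `save_major`, which the old mockup set, are no longer set in `before(:all)`, so any example relying on them now sees different state.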
@@ -1,23 +1,13 @@
1
1
  require 'spec_helper'
2
2
 
3
- class Mockup
4
- include Dawn::Kb::RubyVersionCheck
5
-
6
- def initialize
7
- message = "This is a mock"
8
- super(
9
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
10
- :applies=>['sinatra', 'padrino', 'rails'],
11
- :message=> message
12
- )
13
- # self.debug = true
14
-
15
- self.safe_rubies = [{:version=>"1.9.3", :patchlevel=>"p392"}, {:version=>"2.0.0", :patchlevel=>"p0"}]
16
- end
17
- end
18
-
19
3
  describe "The security check for Ruby interpreter version" do
20
- let (:check) {Mockup.new}
4
+ before(:all) do
5
+ @check = Dawn::Kb::RubyVersionCheck.new
6
+ @check.message = "This is a mock"
7
+ @check.kind=Dawn::KnowledgeBase::RUBY_VERSION_CHECK
8
+ @check.applies=['sinatra', 'padrino', 'rails']
9
+ @check.safe_rubies = [{:version=>"1.9.3", :patchlevel=>"p392"}, {:version=>"2.0.0", :patchlevel=>"p0"}]
10
+ end
21
11
 
22
12
  it "fires if ruby version is vulnerable" do
23
13
  check.detected_ruby = {:version=>"1.9.2", :patchlevel=>"p10000"}
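Review bot: `let (:check) {Mockup.new}` is replaced by `@check` in `before(:all)`, but the examples still call `check.detected_ruby` (visible in the first example's context line), so `check` is now an undefined name and every example raises NameError. Either keep a `let(:check) { @check }` alongside the block or rewrite the examples to use `@check`.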
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dawnscanner
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.0.rc4
4
+ version: 2.0.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Paolo Perego
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-04-06 00:00:00.000000000 Z
11
+ date: 2023-04-13 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: cvss
@@ -220,20 +220,6 @@ dependencies:
220
220
  - - ">="
221
221
  - !ruby/object:Gem::Version
222
222
  version: '0'
223
- - !ruby/object:Gem::Dependency
224
- name: simplecov
225
- requirement: !ruby/object:Gem::Requirement
226
- requirements:
227
- - - ">="
228
- - !ruby/object:Gem::Version
229
- version: '0'
230
- type: :development
231
- prerelease: false
232
- version_requirements: !ruby/object:Gem::Requirement
233
- requirements:
234
- - - ">="
235
- - !ruby/object:Gem::Version
236
- version: '0'
237
223
  description: Dawnscanner is a security source code scanner for ruby powered code.
238
224
  It is especially designed for web applications, but it works also with general purpose
239
225
  ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino
@@ -290,6 +276,7 @@ files:
290
276
  - checksum/dawnscanner-2.0.0.rc1.gem.sha1
291
277
  - checksum/dawnscanner-2.0.0.rc2.gem.sha1
292
278
  - checksum/dawnscanner-2.0.0.rc3.gem.sha1
279
+ - checksum/dawnscanner-2.0.0.rc5.gem.sha1
293
280
  - code_of_conduct.md
294
281
  - dawnscanner.gemspec
295
282
  - doc/change.sh
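Review bot: the file list gains `checksum/dawnscanner-2.0.0.rc5.gem.sha1` but no `checksum/dawnscanner-2.0.0.gem.sha1`; this is the 2.0.0 release, so the checksum that should ship is the one for the 2.0.0 gem itself, and an rc5 file in a diff whose previous version is rc4 suggests an intermediate build that was never published.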
@@ -370,11 +357,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
370
357
  version: 2.3.0
371
358
  required_rubygems_version: !ruby/object:Gem::Requirement
372
359
  requirements:
373
- - - ">"
360
+ - - ">="
374
361
  - !ruby/object:Gem::Version
375
- version: 1.3.1
362
+ version: '0'
376
363
  requirements: []
377
- rubygems_version: 3.2.3
364
+ rubygems_version: 3.3.26
378
365
  signing_key:
379
366
  specification_version: 4
380
367
  summary: Dawnscanner is a security source code scanner for ruby powered code. It is
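Review bot: `required_ruby_version` stays at 2.3.0 on the context line, yet this release pins `.ruby-version` to 3.1, calls `YAML.load_file` with `permitted_classes:` (Psych 4, the Ruby 3.1 default) and replaces `File.exists?` for Ruby 3.2; bump `required_ruby_version` to `>= 3.1` in the gemspec so `gem install` refuses interpreters the code cannot run on. Loosening `required_rubygems_version` to `>= 0` is harmless, and `rubygems_version: 3.3.26` only records the packaging tool.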