dawnscanner 2.0.0.rc5 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 72a87bbf8ef2496a0afd46d528d72e054f5dae05ebd931c7def8f99be76961da
-  data.tar.gz: 67625dd36903d067ecf28c8581b130d1b2c612a3b26ded963e2868bb95efb853
+  metadata.gz: b54d897767ce4e5a5e565205cafb15af72ae9bf92079718dfa416d8fcc4900cb
+  data.tar.gz: 17d4cba48fb33fb04c473b0cb9e9f85c1aa40c84f16a39c1df34332695e0435b
 SHA512:
-  metadata.gz: e6621edd0430c27a88d8813e5ca57475466ff8ea6d262cc7f324890d521a10d1f24f055004fdfa4ccb36e9131d1ea6f6d8957e17d26a54846194706279e617a2
-  data.tar.gz: ec14c1e7804f38e5bcb6f87ea7d05afedc83206db846eaec197d4e5be5b48f9ee1059fb87d21ddbab52e023fb2f0a7cc74bc90517be9e62a0e81d9810b93137e
+  metadata.gz: c689915e7a17e4db223a9ef587a3c70ab1e6f748d54dec0463da7cf728770a77f9a298995959befbe77f322771de1c1eefb5bdd9e6c27352c389e2789d4d05e9
+  data.tar.gz: be77801fb48251c860b2b07341927dbc704eb34f28951f082d0971aa23c96cdf90d70bff219b946e67facea7022948ac9aa3353e0a87a4441ab6f7ea5f7fa19f

data/.ruby-version

@@ -1 +1 @@
-3
+3.1

data/Changelog.md

@@ -5,16 +5,23 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: mer 29 mar 2023, 18:32:56, CEST_
+_latest update: thu 13 apr 2023, 16:54:52, CEST_
 
-## Version 2.0.0
+## Version 2.1.0 (2023-04-13)
+
+* BasicCheck: added an attribute do flag as vulnerable a dependency gem only if
+  it matches the name, overriding the version. It will be used in dawn kb list
+  command, when the user won't enter the version information.
+* Added the "list" subcommand to "kb". It can be used to fetch from the
+  knowledge base all CVEs affecting a particular gem.
+
+## Version 2.0.0 (2023-04-13)
 
 * New knowledge base, YAML based and distributed separately from the ruby gem.
 * New CLI based on Thor library. Please read README.md file to know how to
   invoke dawn the right way or use the 'dawn help' command
 * Added a new debug\_verbosely API for engines and checks
 * Removed rake osvdb[name] and rake cve[name] tasks
-* Adding telemetry
 * Dawn::Utils include refactory. Now it's available application wide
 * debug information refactory.
 * engine class, apply_all method now accepts an optional parameter containing a
@@ -309,7 +316,7 @@ _latest update: mer 29 mar 2023, 18:32:56, CEST_
 
 * Adding a check for OSVDB-108569: information disclosure in backup_checksum
   gem (issue #69)
-* Fix issue #74. Now BasicChack has its own cve, osvdb attributes and a rake
+* Fix issue #74. Now BasicCheck has its own cve, osvdb attributes and a rake
   task will perform a sanity check if those values have been initialized
 * Fix issue #62 about codesake-dawn config filename
 * Adding a check for CVE-2013-2105: HTML injection in show_in_browser rubygem

data/README.md

@@ -1,36 +1,15 @@
 # Dawnscanner - The raising security scanner for ruby web applications
 
-dawnscanner is a source code scanner designed to review your web applications for
+dawn is a source code scanner designed to review your web applications for
 security issues.
 
-dawnscanner is able to scan web applications written in Ruby and it supports all 
+The tool is able to scan web applications written in Ruby and it supports all
 major MVC (Model View Controller) frameworks, out of the box:
 
 * [Ruby on Rails](http://rubyonrails.org)
 * [Sinatra](http://www.sinatrarb.com)
 * [Padrino](http://www.padrinorb.com)
 
-## Quick update from April, 2019
-
-We just released version 2.0.0 release candidate 1 with a YAML powered revamped
-knowledge base. Please note that dawnscanner will include a telemetry facility
-sending a POST  on https://dawnscanner.org/telemetry with an application id and
-some information about version and knowledge base.
-
-We won't now and ever collect your source code on our side.
-
-## Quick update from November, 2018
-
-As you can see dawnscanner is on hold since more then an year. Sorry for that.
-It's life. I was overwhelmed by tons of stuff and I dedicated free time to
-Offensive Security certifications. True to be told, I'm starting OSCE journey
-really soon.
-
-The dawnscanner project will be updated soon with new security checks and
-kickstarted again.
-
-Paolo
-
 ---
 
 [![Gem Version](https://badge.fury.io/rb/dawnscanner.png)](http://badge.fury.io/rb/dawnscanner)
@@ -42,13 +21,13 @@ Paolo
 
 ---
 
-dawnscanner version 1.6.6 has 235 security checks loaded in its knowledge
-base. Most of them are CVE bulletins applying to gems or the ruby interpreter
-itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.
+dawn version 2.0 has 680+ security checks loaded in its knowledge base
+which is weekly updated from the [National Vulnerability
+Database](https://nvd.nist.gov/) by NIST.
 
-## An overall introduction
+## A brief "how it works"
 
-When you run dawnscanner on your code it parses your project Gemfile.lock
+When you run dawn on your code it parses your project Gemfile.lock
 looking for the gems used and it tries to detect the ruby interpreter version
 you are using or you declared in your ruby version management tool you like
 most (RVM, rbenv, ...).
@@ -57,244 +36,94 @@ Then the tool tries to detect the MVC framework your web application uses and
 it applies the security check accordingly. There checks designed to match rails
 application or checks that are appliable to any ruby code.
 
-dawnscanner can also understand the code in your views and to backtrack
+dawn can also understand the code in your views and to backtrack
 sinks to spot cross site scripting and sql injections introduced by the code
-you actually wrote. In the project roadmap this is the code most of the future
-development effort will be focused on.
+you actually wrote **(in the project roadmap this is the code most of the future
+development effort will be focused on).**
 
-dawnscanner security scan result is a list of vulnerabilities with some
+dawn security scan result is a list of vulnerabilities with some
 mitigation actions you want to follow in order to build a stronger web
 application.
 
 ## Installation
 
-You can install latest dawnscanner version, fetching it from
+You can install latest dawn version, fetching it from
 [Rubygems](https://rubygems.org) by typing:
 
 ```
-$ gem install dawnscanner 
-```
-
-If you want to add dawn to your project Gemfile, you must add the following:
-
-    group :development do
-      gem 'dawnscanner', :require=>false
-    end
-
-And then upgrade your bundle
-
-    $ bundle install
-
-You may want to build it from source, so you have to check it out from github first:
-
-    $ git clone https://github.com/thesp0nge/dawnscanner.git
-    $ cd dawnscanner
-    $ bundle install
-    $ rake install
-
-And the dawnscanner gem will be built in a pkg directory and then installed
-on your system. Please note that you have to manage dependencies on your own
-this way. It makes sense only if you want to hack the code or something like
-that.
-
-## Usage
-
-You can start your code review with dawnscanner very easily. Simply tell the tool
-where the project root directory.
-
-Underlying MVC framework is autodetected by dawnscanner using target Gemfile.lock
-file. If autodetect fails for some reason, the tool will complain about it and
-you have to specify if it's a rails, sinatra or padrino web application by
-hand.
-
-Basic usage is to specify some optional command line option to fit best your
-needs, and to specify the target directory where your code is stored.
-
-```
-$ dawn [options] target
+$ gem install dawnscanner
 ```
 
-In case of need, there is a quick command line option reference running 
-```dawn -h``` at your OS prompt.
-
-```
-$ dawn -h
-Usage: dawn [options] target_directory
-
-Examples:
-	$ dawn a_sinatra_webapp_directory
-	$ dawn -C the_rails_blog_engine
-	$ dawn -C --json a_sinatra_webapp_directory
-	$ dawn --ascii-tabular-report my_rails_blog_ecommerce
-	$ dawn --html -F my_report.html my_rails_blog_ecommerce
-
-   -G, --gem-lock				force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock (DEPRECATED)
-   -d, --dependencies				force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock
-
-Reporting
-
-   -a, --ascii-tabular-report			cause dawn to format findings using tables in ascii art (DEPRECATED)
-   -j, --json					cause dawn to format findings using json
-   -K, --console					cause dawn to format findings using plain ascii text
-   -C, --count-only				dawn will only count vulnerabilities (useful for scripts)
-   -z, --exit-on-warn				dawn will return number of found vulnerabilities as exit code
-   -F, --file filename				tells dawn to write output to filename
-   -c, --config-file filename			tells dawn to load configuration from filename
-
-Disable security check family
-
-       --disable-cve-bulletins			disable all CVE security checks
-       --disable-code-quality			disable all code quality checks
-       --disable-code-style			disable all code style checks
-       --disable-owasp-ror-cheatsheet		disable all Owasp Ruby on Rails cheatsheet checks
-       --disable-owasp-top-10			disable all Owasp Top 10 checks
-
-Flags useful to query Dawn
-
-   -S, --search-knowledge-base [check_name]	search check_name in the knowledge base
-       --list-knowledge-base			list knowledge-base content
-       --list-known-families			list security check families contained in dawn's knowledge base
-       --list-known-framework			list ruby MVC frameworks supported by dawn
-       --list-scan-registry			list past scan informations stored in scan registry 
-
-Service flags
-
-   -D, --debug					enters dawn debug mode
-   -V, --verbose				the output will be more verbose
-   -v, --version				show version information
-   -h, --help					show this help
-```
+After that, you need to download the [knowledge
+base](https://github.com/thesp0nge/dawn_knowledge_base/releases) from
+Github and unpack the archive to ```$HOME/dawnscanner/kb``` directory.
 
-### Rake task
-
-To include dawnscanner in your rake task list, you simply have to put this line in
-your ```Rakefile```
+A typical kb directory layout is similar to this:
 
 ```
-require 'dawn/tasks'
+$ ll ~/dawnscanner/kb
+total 56K
+drwxr-xr-x 2 thesp0nge users  28K 29 mar 18.27 bulletin
+drwxr-xr-x 2 thesp0nge users   72  7 lug  2021 generic_check
+-rw-r--r-- 1 thesp0nge users   65 29 mar 17.06 kb.yaml
+-rw-r--r-- 1 thesp0nge users   74 29 mar 17.06 kb.yaml.sig
+drwxr-xr-x 2 thesp0nge users 4,0K  7 lug  2021 owasp_ror_cheatsheet
 ```
 
-Then executing ```$ rake -T``` you will have a ```dawn:run``` task you want to
-execute.
+The knowledge base is structured this way:
+* bulletin is the folder where all CVE downloaded from NIST are stored.
+* generic_check is the folder with all custom checks for your code
+* owasp_ror_cheatsheet is for the Owasp Ruby on Rails cheatsheet
+  recomendations
 
-```
-$ rake -T
-...
-rake dawn:run                  # Execute dawnscanner on the current directory
-...
-```
-
-### Interacting with the knowledge base
-
-You can dump all security checks in the knowledge base this way
-
-```
-$ dawn --list-knowledge-base
-```
-
-Useful in scripts, you can use ```--search-knowledge-base``` or ```-S``` with
-as parameter the check name you want to see if it's implemented as a security
-control or not.
-
-```
-$ dawn -S CVE-2013-6421
-07:59:30 [*] dawn v1.1.0 is starting up
-CVE-2013-6421 found in knowledgebase.
-
-$ dawn -S this_test_does_not_exist
-08:02:17 [*] dawn v1.1.0 is starting up
-this_test_does_not_exist not found in knowledgebase
-```
-
-### dawnscanner security scan in action
+## Usage
 
-As output, dawnscanner will put all security checks that are failed during the scan.
+Starting from version 2.0, the tool uses subcommands to start specific tasks,
+each of them with specific help messages.
 
-This the result of Codedake::dawnscanner running against a
-[Sinatra 1.4.2 web application](https://github.com/thesp0nge/railsberry2013) wrote for a talk I
-delivered in 2013 at [Railsberry conference](http://www.railsberry.com).
+### Scanning a project
 
-As you may see, dawnscanner first detects MVC running the application by
-looking at Gemfile.lock, than it discards all security checks not appliable to
-Sinatra (49 security checks, in version 1.0, especially designed for Ruby on
-Rails) and it applies them.
+The scan subcommand tells dawn to scan the specified target for security
+issues.
 
 ```
-$ dawn ~/src/hacking/railsberry2013
-18:40:27 [*] dawn v1.1.0 is starting up
-18:40:27 [$] dawn: scanning /Users/thesp0nge/src/hacking/railsberry2013
-18:40:27 [$] dawn: sinatra v1.4.2 detected
-18:40:27 [$] dawn: applying all security checks
-18:40:27 [$] dawn: 109 security checks applied - 0 security checks skipped
-18:40:27 [$] dawn: 1 vulnerabilities found
-18:40:27 [!] dawn: CVE-2013-1800 check failed
-18:40:27 [$] dawn: Severity: high
-18:40:27 [$] dawn: Priority: unknown
-18:40:27 [$] dawn: Description: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
-18:40:27 [$] dawn: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
-18:40:27 [$] dawn: Evidence:
-18:40:27 [$] dawn:      Vulnerable crack gem version found: 0.3.1
-18:40:27 [*] dawn is leaving
+$ dawn scan target
 ```
 
----
+At the moment results are available in text format only and they are stored in
+a directory named with the scan timestamp, under
+$HOME/dawnscanner/results/target, where target is the name of the application
+being analyzed.
 
-When you run dawnscanner on a web application with up to date dependencies,
-it's likely to return a friendly _no vulnerabilities found_ message. Keep it up
-working that way!
+### Querying the knowledge base
 
-This is dawnscanner running against a Padrino web application I wrote for [a
-scorecard quiz game about application security](http://scorecard.armoredcode.com).
-Italian language only. Sorry.
+Is it possible, with the kb subcommand, to query the knowledge base.
 
 ```
-18:42:39 [*] dawn v1.1.0 is starting up
-18:42:39 [$] dawn: scanning /Users/thesp0nge/src/CORE_PROJECTS/scorecard
-18:42:39 [$] dawn: padrino v0.11.2 detected
-18:42:39 [$] dawn: applying all security checks
-18:42:39 [$] dawn: 109 security checks applied - 0 security checks skipped
-18:42:39 [*] dawn: no vulnerabilities found.
-18:42:39 [*] dawn is leaving
+dawn kb find                        # Searches the knowledge base for a given vulnerability
+dawn kb help [COMMAND]              # Describe subcommands or one specific subcommand
+dawn kb lint                        # Checks knowledge base content for correcteness
+dawn kb list gem_name[gem_version]  # List all security issues affecting a gem passed as argument (the version string is optional).
+dawn kb status                      # Checks the status of the knowledge base
+dawn kb unpack                      # Unpacks security checks in KB library path
 ```
 
-If you need a fancy HTML report about your scan, just ask it to dawnscanner
-with the ```--html``` flag used with the ```--file``` since I wanto to save the
-HTML to disk.
-
-```
-$ dawn /Users/thesp0nge/src/hacking/rt_first_app --html --file report.html
-
-09:00:54 [*] dawn v1.1.0 is starting up
-09:00:54 [*] dawn: report.html created (2952 bytes)
-09:00:54 [*] dawn is leaving
-```
-
----
-
 ## Useful links
 
-Project homepage: [http://dawnscanner.org](http://dawnscanner.org)
-
 Twitter profile:  [@dawnscanner](https://twitter.com/dawnscanner)
-
 Github repository:   [https://github.com/thesp0nge/dawnscanner](https://github.com/thesp0nge/dawnscanner)
 
-Mailing list: [https://groups.google.com/forum/#!forum/dawnscanner](https://groups.google.com/forum/#!forum/dawnscanner)
 
 ## Support us
 
 Feedbacks are great and we really love to hear your voice.
 
-If you're a proud dawnscanner user, if you find it useful, if you integrated
+If you're a proud dawn user, if you find it useful, if you integrated
 it in your release process and if you want to openly support the project you
 can put your reference here. Just open an
 [issue](https://github.com/thesp0nge/dawnscanner/issues/new) with a statement saying
 how do you feel the tool and your company logo if any.
 
-More easily you can drop an email to
-[paolo@dawnscanner.org](mailto:paolo@dawnscanner.org) sending a statement about your
-success story and I'll put on the website.
-
 Thank you.
 
 ## Thanks to
@@ -310,7 +139,7 @@ Thank you.
 
 ## LICENSE
 
-Copyright (c) 2013-2016 Paolo Perego <paolo@dawnscanner.org>
+Copyright (c) 2013-2023 Paolo Perego <paolo@armoredcode.com>
 
 MIT License
 
@@ -332,7 +161,3 @@ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-
-
-

data/VERSION

@@ -1,3 +1,3 @@
 # I removed codenames :-)
 # Code review is fun
-2.0.0.rc5
+2.1.0

data/checksum/dawnscanner-2.0.0.gem.sha1

@@ -0,0 +1 @@
+85ef0190d8b51e779c42122f673bb6dd495a8d9f

data/checksum/dawnscanner-2.0.0.rc5.gem.sha1

@@ -0,0 +1 @@
+a3c19b2d55316c328e45c0f316216b56397f4ef3

data/code_of_conduct.md

@@ -55,7 +55,7 @@ further defined and clarified by project maintainers.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at paolo@dawnscanner.org. All
+reported by contacting the project team at paolo@armoredcode.com. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.

data/dawnscanner.gemspec

@@ -1,23 +1,21 @@
 # -*- encoding: utf-8 -*-
-lib = File.expand_path('../lib', __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'dawn/version'
+require_relative 'lib/dawn/version'
 
 Gem::Specification.new do |gem|
   gem.name          = "dawnscanner"
   gem.version       = Dawn::VERSION
   gem.authors       = ["Paolo Perego"]
-  gem.email         = ["paolo@dawnscanner.org"]
-  gem.description   = %q{Dawnscanner is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 150 security checks with their own mitigation suggestion.}
-  gem.summary       = %q{Dawnscanner is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
-  gem.homepage      = "https://dawnscanner.org"
+  gem.email         = ["paolo@armoredcode.com"]
+  gem.description   = %q{dawn is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 680 security checks with their own mitigation suggestion.}
+  gem.summary       = %q{dawn is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
+  gem.homepage      = "https://github.com/thesp0nge/dawnscanner"
   gem.files         = `git ls-files`.split($/)
   gem.license       = "MIT"
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
-  gem.required_ruby_version = '>= 2.3.0'
+  gem.required_ruby_version = '>= 3.0.0'
 
   gem.add_dependency 'cvss'
   gem.add_dependency 'haml'

data/lib/dawn/cli/dawn_cli.rb

@@ -6,21 +6,34 @@ module Dawn
     # This class is responsible for the "dawn kb" command and related
     # subcommands.
     class Kb < Thor
-      package_name "dawnscanner"
-      desc "find", "Searches the knowledge base for a given security test"
+      package_name "dawn"
+      class_option :verbose, :type=>:boolean
+      class_option :debug, :type=>:boolean
+
+      no_commands{
+        def init_globals
+          $debug = true if options[:debug]
+          $verbose = true if options[:verbose]
+        end
+      }
+
+      desc "find", "Searches the knowledge base for a given vulnerability"
       def find(string)
+        init_globals
         kb = Dawn::KnowledgeBase.instance
         kb.find(string)
       end
 
       desc "lint", "Checks knowledge base content for correcteness"
       def lint
+        init_globals
         kb = Dawn::KnowledgeBase.instance
         kb.load(true)
       end
 
       desc "unpack", "Unpacks security checks in KB library path"
       def unpack
+        init_globals
         $logger.helo APPNAME, Dawn::VERSION
         kb = Dawn::KnowledgeBase.instance
         kb.unpack
@@ -30,6 +43,7 @@ module Dawn
 
       desc "status", "Checks the status of the knowledge base"
       def status
+        init_globals
         $logger.helo APPNAME, Dawn::VERSION
         Dawn::KnowledgeBase.enabled_checks=[:bulletin, :generic_check]
         kb = Dawn::KnowledgeBase.instance
@@ -44,10 +58,29 @@ module Dawn
         $logger.bye
         Kernel.exit(0)
       end
+
+      desc "list gem_name[gem_version]", "List all security issues affecting a gem passed as argument (the version string is optional)."
+      def list(gem_name, gem_version=nil)
+        init_globals
+        to_check="#{gem_name}"
+        to_check += ":#{gem_version}" unless gem_version.nil?
+
+        Dawn::KnowledgeBase.enabled_checks=[:bulletin]
+        kb = Dawn::KnowledgeBase.instance
+        kb.load
+        if kb.security_checks.empty?
+          $logger.error(kb.error)
+        end
+        issues = kb.find_issues_by_gem(to_check)
+
+        issues.each do |issue|
+          puts "#{issue.name} "
+        end
+      end
     end
 
     class DawnCli < Thor
-      package_name "dawnscanner"
+      package_name "dawn"
       class_option :verbose, :type=>:boolean
       class_option :debug, :type=>:boolean
 
@@ -90,14 +123,6 @@ module Dawn
 
         debug_me($config)
 
-        $telemetry_url = $config[:telemetry][:endpoint] if $config[:telemetry][:enabled]
-        debug_me("telemetry url is " + $telemetry_url) unless @telemetry_url.nil?
-
-        $telemetry_id = $config[:telemetry][:id] if $config[:telemetry][:enabled]
-        debug_me("telemetry id is " + $telemetry_id) unless @telemetry_id.nil?
-
-        debug_me("telemetry is disabled in config file") unless $config[:telemetry][:enabled]
-
         engine = Dawn::Core.detect_mvc(target) unless options[:gemfile]
         engine = Dawn::GemfileLock.new(target) if options[:gemfile]
 
@@ -127,6 +152,7 @@ module Dawn
         end
 
         $logger.info("#{engine.count_vulnerabilities} issues found")
+        $logger.info("#{engine.checks.count} checks applied")
 
         Dawn::Reporter.new({:engine=>engine, :apply_all_code=>ret}).report
         $logger.bye

data/lib/dawn/core.rb

@@ -123,7 +123,7 @@ module Dawn
 
       # If create_if_none flag is set to true, than I'll create a config file
       # on the current directory with the default configuration.
-      conf = {:verbose=>false, :output=>"tabular", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES, :telemetry=>{:enabled=>false, :endpoint=>"", :id=>""}}
+      conf = {:verbose=>false, :output=>"tabular", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}
 
       # Calculate the conf file path
       conf_path = File.expand_path('~') +'/.'+conf_name
@@ -138,7 +138,7 @@ module Dawn
     end
 
     def self.read_conf(file=nil)
-      conf = {:verbose=>false, :output=>"tabular", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES, :telemetry=>{:enabled=>false, :endpoint=>"", :id=>""}}
+      conf = {:verbose=>false, :output=>"tabular", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}
       begin
         debug_me("returning a default config") if file.nil? or ! File.exist?(file)
         return conf if file.nil?
@@ -151,7 +151,6 @@ module Dawn
 
       cf = YAML.load_file(file)
 
-      tm = cf[:telemetry]
       cc = cf[:enabled_checks]
 
       # TODO
@@ -160,7 +159,6 @@ module Dawn
       conf[:debug] = cf["debug"] unless cf["debug"].nil?
       conf[:output] = cf["output"] unless cf["output"].nil?
       conf[:enabled_checks] = cc unless cc.nil?
-      conf[:telemetry] = tm unless tm.nil?
 
       return conf
     end

data/lib/dawn/engine.rb

@@ -270,8 +270,6 @@ module Dawn
     # otherwise
     def apply(name)
 
-      telemetry
-
       # FIXME.20140325
       # Now if no checks are loaded because knowledge base was not previously called, apply and apply_all proudly refuse to run.
       # Reason is simple, load_knowledge_base now needs enabled check array
@@ -293,66 +291,13 @@ module Dawn
       false
     end
 
-    def have_a_telemetry_id?
-      debug_me ($telemetry_id != ""  and ! $telemetry_id.nil?)
-      return ($telemetry_id != ""  and ! $telemetry_id.nil?)
-
-    end
-
-    def get_a_telemetry_id
-      return "" if ($telemetry_url == "" or $telemetry_url.nil?)
-      debug_me("T: " + $telemetry_url)
-
-      url = URI.parse($telemetry_url+"/new")
-      res = Net::HTTP.get_response(url)
-
-      return "" unless res.code.to_i == 200
-      return JSON.parse(res.body)["uuid"]
-    end
-
-    def telemetry
-      unless $config[:telemetry][:enabled]
-        debug_me("telemetry is disabled")
-        return false
-      end
-
-      unless have_a_telemetry_id?
-        $telemetry_id = get_a_telemetry_id
-        $config[:telemetry][:id] = $telemetry_id
-        debug_me($config)
-        debug_me("saving config to " + $config_name)
-        File.open($config_name, 'w') { |f| f.write $config.to_yaml }
-      end
 
-      debug_me("Telemetry ID is: " + $telemetry_id)
-
-      uri=URI.parse($telemetry_url+"/"+$telemetry_id)
-      header = {'Content-Type': 'text/json'}
-      tele = { "kb_version" => Dawn::KnowledgeBase::VERSION ,
-               "ip" => Socket.ip_address_list.detect{|intf| intf.ipv4_private?}.ip_address,
-               "message"=> Dawn::KnowledgeBase
-            }
-      http = Net::HTTP.new(uri.host, uri.port)
-      request = Net::HTTP::Post.new(uri.request_uri, header)
-      request.body = tele.to_json
-
-      begin
-        response=http.request(request)
-        debug_me(response.inspect)
-        return true
-      rescue => e
-        $logger.error "telemetry: #{e.message}"
-        return false
-      end
-    end
 
     def apply_all(checks_to_be_skipped=[])
       @scan_start = Time.now
       debug_me("I'm asked to skip those checks #{checks_to_be_skipped}")
       debug_me("SCAN STARTED: #{@scan_start}")
 
-      telemetry
-
       if @checks.nil?
         $logger.error "you must load knowledge base before trying to apply security checks"
         @scan_stop = Time.now
@@ -456,15 +401,15 @@ module Dawn
           vc = nil
           vc = check.vulnerable_checks if check.kind == Dawn::KnowledgeBase::COMBO_CHECK
 
-          @vulnerabilities  << {:name=> check.name,
-                                :severity=>check.severity,
-                                :priority=>check.priority,
-                                :kind=>check.check_family,
-                                :message=>check.message,
-                                :remediation=>check.remediation,
-                                :evidences=>check.evidences,
-                                :cve_link=>check.cve_link,
-                                :cvss_score=>check.cvss_score,
+          @vulnerabilities  << {:name=> check.name || "CVE-XXXX-YYYY",
+                                :severity=>check.severity || "Unknown severity",
+                                :priority=>check.priority || "Unknown priority",
+                                :kind=>check.check_family || "Unknown kind",
+                                :message=>check.message || "",
+                                :remediation=>check.remediation || "",
+                                :evidences=>check.evidences || [],
+                                :cve_link=>check.cve_link || "No link",
+                                :cvss_score=>check.cvss_score || "No score",
                                 :vulnerable_checks=>vc}
 
         end

data/lib/dawn/kb/basic_check.rb

@@ -78,6 +78,13 @@ module Dawn
       #   + :none
       attr_accessor :priority
 
+      # Introduced in 2.1.0
+      # It allows a security check to be marked as positive (vulnerable), only
+      # if it matches the dependency gem name, ignoring the version.
+      #
+      # Only used in DEPENDENCY and UNSAFE_DEPENDENCY checks
+      attr_accessor :please_ignore_dep_version
+
       def initialize(options={})
         @applies                  = []
         @ruby_version             = ""
@@ -114,6 +121,8 @@ module Dawn
         @priority         = options[:priority] unless options[:priority].nil?
         @check_family     = options[:check_family] unless options[:check_family].nil?
 
+        @please_ignore_dep_version = false
+
         # FIXME.20140325
         #
         # I don't want to manually fix 150+ ruby files to add something I can

data/lib/dawn/kb/unsafe_depedency_check.rb

@@ -31,8 +31,9 @@ module Dawn
         @dependencies.each do |dep|
           unless @vulnerable_version_array.nil? or @vulnerable_version_array.empty?
             if dep[:name] == @vulnerable_version_array[0][:name]
-              return false if @vulnerable_version_array[0][:version].nil? or @vulnerable_version_array[0][:version].empty?
-              return true if @vulnerable_version_array[0][:version].include? dep[:version]
+              return true   if @please_ignore_dep_version
+              return false  if @vulnerable_version_array[0][:version].nil? or @vulnerable_version_array[0][:version].empty?
+              return true   if @vulnerable_version_array[0][:version].include? dep[:version]
             end
           end
         end

data/lib/dawn/knowledge_base.rb

@@ -122,6 +122,39 @@ module Dawn
 
     def find(name)
       debug_me "I'm asked to find #{name}"
+      debug_me "Please implement find command"
+    end
+
+    # Find all security issues affecting the gem passed as argument.
+    # The gem parameter can contains also the version number, separated by a
+    # ':'
+    #
+    # == Parameters:
+    # string::
+    #   A string containing the gem name, and eventually the version, to search
+    #   for vulnerabilities.
+    #   e.g.
+    #     $ dawn kb list sinatra        =>  returns all bulletins affecting sinatra gem
+    #     $ dawn kb list sinatra 2.0.0  =>  return all bulletins affecting
+    #                                       sinatra gem version 2.0.0
+    #
+    # == Returns:
+    # An array with all the vulnerabilities affecting the gem (or the
+    # particular gem version if provided).
+    def find_issues_by_gem(string = "")
+      issues = []
+      @security_checks.each do |check|
+        if check.kind == Dawn::KnowledgeBase::DEPENDENCY_CHECK or check.kind == Dawn::KnowledgeBase::UNSAFE_DEPENDENCY_CHECK
+             debug_me "applying check #{check.name}"
+             name = string.split(':')[0]
+             version = string.split(':')[1]
+             check.please_ignore_dep_version = true if version.nil?
+             check.dependencies  = [{:name=>name, :version=>version}]
+             issues << check if check.vuln?
+        end
+      end
+      debug_me "#{issues}"
+      return issues
     end
 
     def unpack
@@ -187,6 +220,10 @@ module Dawn
       good    =0
       invalid =0
 
+      unless @security_checks.nil?
+        debug_me("KB was previously loaded")
+        return @security_checks
+      end
       @security_checks = []
       # $path = File.join(Dir.pwd, "db")
 

data/lib/dawn/version.rb

@@ -1,6 +1,6 @@
 module Dawn
-    VERSION = "2.0.0.rc5"
-    RELEASE = "20230329"
-    BUILD = "9"
-    COMMIT = "gb57cda0"
+    VERSION = "2.1.0"
+    RELEASE = "20230413"
+    BUILD = "3"
+    COMMIT = "gc8a1ac6"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dawnscanner
 version: !ruby/object:Gem::Version
-  version: 2.0.0.rc5
+  version: 2.1.0
 platform: ruby
 authors:
 - Paolo Perego
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-29 00:00:00.000000000 Z
+date: 2023-04-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cvss
@@ -220,13 +220,12 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: Dawnscanner is a security source code scanner for ruby powered code.
-  It is especially designed for web applications, but it works also with general purpose
-  ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino
-  and sinatra; it provides more than 150 security checks with their own mitigation
-  suggestion.
+description: dawn is a security source code scanner for ruby powered code. It is especially
+  designed for web applications, but it works also with general purpose ruby scripts.
+  Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra;
+  it provides more than 680 security checks with their own mitigation suggestion.
 email:
-- paolo@dawnscanner.org
+- paolo@armoredcode.com
 executables:
 - dawn
 extensions: []
@@ -273,9 +272,11 @@ files:
 - checksum/dawnscanner-1.6.6.gem.sha1
 - checksum/dawnscanner-1.6.7.gem.sha1
 - checksum/dawnscanner-1.6.8.gem.sha1
+- checksum/dawnscanner-2.0.0.gem.sha1
 - checksum/dawnscanner-2.0.0.rc1.gem.sha1
 - checksum/dawnscanner-2.0.0.rc2.gem.sha1
 - checksum/dawnscanner-2.0.0.rc3.gem.sha1
+- checksum/dawnscanner-2.0.0.rc5.gem.sha1
 - code_of_conduct.md
 - dawnscanner.gemspec
 - doc/change.sh
@@ -341,7 +342,7 @@ files:
 - support/bootstrap.js
 - support/bootstrap.min.css
 - support/codesake.css
-homepage: https://dawnscanner.org
+homepage: https://github.com/thesp0nge/dawnscanner
 licenses:
 - MIT
 metadata: {}
@@ -353,19 +354,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.0
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
-summary: Dawnscanner is a security source code scanner for ruby powered code. It is
-  crafted with love to make your sinatra, padrino and ruby on rails web applications
-  secure.
+summary: dawn is a security source code scanner for ruby powered code. It is crafted
+  with love to make your sinatra, padrino and ruby on rails web applications secure.
 test_files:
 - features/dawn_complains_about_an_incorrect_command_line.feature.disabled
 - features/dawn_scan_a_secure_sinatra_app.feature.disabled