dawnscanner 2.0.0 → 2.1.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: cd4bbcfe33df2cf77a454baf00629653a49480c6606e8ed20c06ded4313c3dfb
4
- data.tar.gz: 0a0e41109d47d2f634f2ecafc1b68c1b2596156054594c6221a9ddabd04dbc23
3
+ metadata.gz: b54d897767ce4e5a5e565205cafb15af72ae9bf92079718dfa416d8fcc4900cb
4
+ data.tar.gz: 17d4cba48fb33fb04c473b0cb9e9f85c1aa40c84f16a39c1df34332695e0435b
5
5
  SHA512:
6
- metadata.gz: 40fb06e99f9cd958a0b5e1c95b52593d250a7aabb6cfd6623cb82561a88b250f1815a7ac6b81a1c4a9a1c2c3b5781d59225070adb0a776b31d0377efd33e7cc7
7
- data.tar.gz: d1a37d012779435d7d8ef91161911126bdf3e0fcccb28ad113276a3036bf2cb6590d32757cccb240a845979e7667f2f8045f24a261bd8dcacabef6a81dbe0534
6
+ metadata.gz: c689915e7a17e4db223a9ef587a3c70ab1e6f748d54dec0463da7cf728770a77f9a298995959befbe77f322771de1c1eefb5bdd9e6c27352c389e2789d4d05e9
7
+ data.tar.gz: be77801fb48251c860b2b07341927dbc704eb34f28951f082d0971aa23c96cdf90d70bff219b946e67facea7022948ac9aa3353e0a87a4441ab6f7ea5f7fa19f
data/Changelog.md CHANGED
@@ -5,9 +5,17 @@ It supports [Sinatra](http://www.sinatrarb.com),
5
5
  [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
6
6
  frameworks.
7
7
 
8
- _latest update: mer 29 mar 2023, 18:32:56, CEST_
8
+ _latest update: thu 13 apr 2023, 16:54:52, CEST_
9
9
 
10
- ## Version 2.0.0
10
+ ## Version 2.1.0 (2023-04-13)
11
+
12
+ * BasicCheck: added an attribute do flag as vulnerable a dependency gem only if
13
+ it matches the name, overriding the version. It will be used in dawn kb list
14
+ command, when the user won't enter the version information.
15
+ * Added the "list" subcommand to "kb". It can be used to fetch from the
16
+ knowledge base all CVEs affecting a particular gem.
17
+
18
+ ## Version 2.0.0 (2023-04-13)
11
19
 
12
20
  * New knowledge base, YAML based and distributed separately from the ruby gem.
13
21
  * New CLI based on Thor library. Please read README.md file to know how to
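Review bot: typo in the new BasicCheck entry, `do flag` should read `to flag`, and `when the user won't enter the version` reads better as `when the user does not enter the version`. Both headings also now carry the same date, `## Version 2.1.0 (2023-04-13)` and `## Version 2.0.0 (2023-04-13)`, although the 2.0.0 section already existed when the file was last updated on 29 mar 2023; check which date 2.0.0 should carry.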
@@ -308,7 +316,7 @@ _latest update: mer 29 mar 2023, 18:32:56, CEST_
308
316
 
309
317
  * Adding a check for OSVDB-108569: information disclosure in backup_checksum
310
318
  gem (issue #69)
311
- * Fix issue #74. Now BasicChack has its own cve, osvdb attributes and a rake
319
+ * Fix issue #74. Now BasicCheck has its own cve, osvdb attributes and a rake
312
320
  task will perform a sanity check if those values have been initialized
313
321
  * Fix issue #62 about codesake-dawn config filename
314
322
  * Adding a check for CVE-2013-2105: HTML injection in show_in_browser rubygem
data/README.md CHANGED
@@ -100,11 +100,12 @@ being analyzed.
100
100
  Is it possible, with the kb subcommand, to query the knowledge base.
101
101
 
102
102
  ```
103
- dawn kb find # Searches the knowledge base for a given security test
104
- dawn kb help [COMMAND] # Describe subcommands or one specific subcommand
105
- dawn kb lint # Checks knowledge base content for correcteness
106
- dawn kb status # Checks the status of the knowledge base
107
- dawn kb unpack # Unpacks security checks in KB library path
103
+ dawn kb find # Searches the knowledge base for a given vulnerability
104
+ dawn kb help [COMMAND] # Describe subcommands or one specific subcommand
105
+ dawn kb lint # Checks knowledge base content for correcteness
106
+ dawn kb list gem_name[gem_version] # List all security issues affecting a gem passed as argument (the version string is optional).
107
+ dawn kb status # Checks the status of the knowledge base
108
+ dawn kb unpack # Unpacks security checks in KB library path
108
109
  ```
109
110
 
110
111
  ## Useful links
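Review bot: the usage line `dawn kb list gem_name[gem_version]` suggests one bracketed token, but the Thor command takes two positional arguments (`dawn kb list sinatra 2.0.0`), so `dawn kb list GEM_NAME [GEM_VERSION]` would match the real invocation. The `lint` line also keeps the pre-existing typo `correcteness`.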
data/VERSION CHANGED
@@ -1,3 +1,3 @@
1
1
  # I removed codenames :-)
2
2
  # Code review is fun
3
- 2.0.0
3
+ 2.1.0
@@ -0,0 +1 @@
1
+ 85ef0190d8b51e779c42122f673bb6dd495a8d9f
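Review bot: this hunk has no file header, so the reader cannot tell which file the single line belongs to; from the metadata file list it appears to be `checksum/dawnscanner-2.0.0.gem.sha1`. Since the gem already publishes SHA256 and SHA512 digests in checksums.yaml, consider shipping the same algorithms here instead of a SHA-1 value as the only per-release checksum file.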
data/dawnscanner.gemspec CHANGED
@@ -5,17 +5,17 @@ Gem::Specification.new do |gem|
5
5
  gem.name = "dawnscanner"
6
6
  gem.version = Dawn::VERSION
7
7
  gem.authors = ["Paolo Perego"]
8
- gem.email = ["paolo@dawnscanner.org"]
9
- gem.description = %q{Dawnscanner is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 150 security checks with their own mitigation suggestion.}
10
- gem.summary = %q{Dawnscanner is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
11
- gem.homepage = "https://dawnscanner.org"
8
+ gem.email = ["paolo@armoredcode.com"]
9
+ gem.description = %q{dawn is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 680 security checks with their own mitigation suggestion.}
10
+ gem.summary = %q{dawn is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
11
+ gem.homepage = "https://github.com/thesp0nge/dawnscanner"
12
12
  gem.files = `git ls-files`.split($/)
13
13
  gem.license = "MIT"
14
14
  gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
15
15
  gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
16
16
  gem.require_paths = ["lib"]
17
17
 
18
- gem.required_ruby_version = '>= 2.3.0'
18
+ gem.required_ruby_version = '>= 3.0.0'
19
19
 
20
20
  gem.add_dependency 'cvss'
21
21
  gem.add_dependency 'haml'
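Review bot: `gem.required_ruby_version = '>= 3.0.0'` drops support for Ruby 2.x in what is otherwise a minor release (2.0.0 to 2.1.0), and neither Changelog entry mentions it; either document the requirement bump under Version 2.1.0 or reconsider whether it belongs in a minor version. The description also jumps from `more than 150` to `more than 680 security checks` with no corresponding note.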
@@ -6,21 +6,34 @@ module Dawn
6
6
  # This class is responsible for the "dawn kb" command and related
7
7
  # subcommands.
8
8
  class Kb < Thor
9
- package_name "dawnscanner"
10
- desc "find", "Searches the knowledge base for a given security test"
9
+ package_name "dawn"
10
+ class_option :verbose, :type=>:boolean
11
+ class_option :debug, :type=>:boolean
12
+
13
+ no_commands{
14
+ def init_globals
15
+ $debug = true if options[:debug]
16
+ $verbose = true if options[:verbose]
17
+ end
18
+ }
19
+
20
+ desc "find", "Searches the knowledge base for a given vulnerability"
11
21
  def find(string)
22
+ init_globals
12
23
  kb = Dawn::KnowledgeBase.instance
13
24
  kb.find(string)
14
25
  end
15
26
 
16
27
  desc "lint", "Checks knowledge base content for correcteness"
17
28
  def lint
29
+ init_globals
18
30
  kb = Dawn::KnowledgeBase.instance
19
31
  kb.load(true)
20
32
  end
21
33
 
22
34
  desc "unpack", "Unpacks security checks in KB library path"
23
35
  def unpack
36
+ init_globals
24
37
  $logger.helo APPNAME, Dawn::VERSION
25
38
  kb = Dawn::KnowledgeBase.instance
26
39
  kb.unpack
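Review bot: `init_globals` only ever sets `$debug`/`$verbose` to true and must be called by hand at the top of every subcommand (find, lint, unpack, status), which is easy to forget for the next command added; a Thor `initialize` override that calls `super` and then applies the options would do it once. The same `class_option :verbose` / `class_option :debug` pair is repeated in DawnCli below, so a shared module would remove that duplication as well.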
@@ -30,6 +43,7 @@ module Dawn
30
43
 
31
44
  desc "status", "Checks the status of the knowledge base"
32
45
  def status
46
+ init_globals
33
47
  $logger.helo APPNAME, Dawn::VERSION
34
48
  Dawn::KnowledgeBase.enabled_checks=[:bulletin, :generic_check]
35
49
  kb = Dawn::KnowledgeBase.instance
@@ -44,10 +58,29 @@ module Dawn
44
58
  $logger.bye
45
59
  Kernel.exit(0)
46
60
  end
61
+
62
+ desc "list gem_name[gem_version]", "List all security issues affecting a gem passed as argument (the version string is optional)."
63
+ def list(gem_name, gem_version=nil)
64
+ init_globals
65
+ to_check="#{gem_name}"
66
+ to_check += ":#{gem_version}" unless gem_version.nil?
67
+
68
+ Dawn::KnowledgeBase.enabled_checks=[:bulletin]
69
+ kb = Dawn::KnowledgeBase.instance
70
+ kb.load
71
+ if kb.security_checks.empty?
72
+ $logger.error(kb.error)
73
+ end
74
+ issues = kb.find_issues_by_gem(to_check)
75
+
76
+ issues.each do |issue|
77
+ puts "#{issue.name} "
78
+ end
79
+ end
47
80
  end
48
81
 
49
82
  class DawnCli < Thor
50
- package_name "dawnscanner"
83
+ package_name "dawn"
51
84
  class_option :verbose, :type=>:boolean
52
85
  class_option :debug, :type=>:boolean
53
86
 
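Review bot: in `list`, when `kb.security_checks.empty?` the error is logged but execution continues into `kb.find_issues_by_gem(to_check)` and the command exits with status 0, so a missing or broken knowledge base looks like "no issues found"; return or `Kernel.exit(1)` right after `$logger.error(kb.error)`. Minor: `to_check="#{gem_name}"` is just `gem_name.dup`, and `puts "#{issue.name} "` prints a trailing space.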
@@ -78,6 +78,13 @@ module Dawn
78
78
  # + :none
79
79
  attr_accessor :priority
80
80
 
81
+ # Introduced in 2.1.0
82
+ # It allows a security check to be marked as positive (vulnerable), only
83
+ # if it matches the dependency gem name, ignoring the version.
84
+ #
85
+ # Only used in DEPENDENCY and UNSAFE_DEPENDENCY checks
86
+ attr_accessor :please_ignore_dep_version
87
+
81
88
  def initialize(options={})
82
89
  @applies = []
83
90
  @ruby_version = ""
@@ -114,6 +121,8 @@ module Dawn
114
121
  @priority = options[:priority] unless options[:priority].nil?
115
122
  @check_family = options[:check_family] unless options[:check_family].nil?
116
123
 
124
+ @please_ignore_dep_version = false
125
+
117
126
  # FIXME.20140325
118
127
  #
119
128
  # I don't want to manually fix 150+ ruby files to add something I can
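Review bot: `@please_ignore_dep_version = false` is hard-wired, unlike the neighbouring attributes that are read from `options` (`@priority = options[:priority] unless options[:priority].nil?`), so the flag cannot be set from the YAML knowledge base and is reachable only through the accessor; if that is intended, state it in the attribute comment introduced in the previous hunk.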
@@ -31,10 +31,9 @@ module Dawn
31
31
  @dependencies.each do |dep|
32
32
  unless @vulnerable_version_array.nil? or @vulnerable_version_array.empty?
33
33
  if dep[:name] == @vulnerable_version_array[0][:name]
34
- debug_me("DEP VERSION #{dep[:version]}")
35
- debug_me("VULN_VER #{@vulnerable_version_array[0][:version]}")
36
- return false if @vulnerable_version_array[0][:version].nil? or @vulnerable_version_array[0][:version].empty?
37
- return true if @vulnerable_version_array[0][:version].include? dep[:version]
34
+ return true if @please_ignore_dep_version
35
+ return false if @vulnerable_version_array[0][:version].nil? or @vulnerable_version_array[0][:version].empty?
36
+ return true if @vulnerable_version_array[0][:version].include? dep[:version]
38
37
  end
39
38
  end
40
39
  end
@@ -122,6 +122,39 @@ module Dawn
122
122
 
123
123
  def find(name)
124
124
  debug_me "I'm asked to find #{name}"
125
+ debug_me "Please implement find command"
126
+ end
127
+
128
+ # Find all security issues affecting the gem passed as argument.
129
+ # The gem parameter can contains also the version number, separated by a
130
+ # ':'
131
+ #
132
+ # == Parameters:
133
+ # string::
134
+ # A string containing the gem name, and eventually the version, to search
135
+ # for vulnerabilities.
136
+ # e.g.
137
+ # $ dawn kb list sinatra => returns all bulletins affecting sinatra gem
138
+ # $ dawn kb list sinatra 2.0.0 => return all bulletins affecting
139
+ # sinatra gem version 2.0.0
140
+ #
141
+ # == Returns:
142
+ # An array with all the vulnerabilities affecting the gem (or the
143
+ # particular gem version if provided).
144
+ def find_issues_by_gem(string = "")
145
+ issues = []
146
+ @security_checks.each do |check|
147
+ if check.kind == Dawn::KnowledgeBase::DEPENDENCY_CHECK or check.kind == Dawn::KnowledgeBase::UNSAFE_DEPENDENCY_CHECK
148
+ debug_me "applying check #{check.name}"
149
+ name = string.split(':')[0]
150
+ version = string.split(':')[1]
151
+ check.please_ignore_dep_version = true if version.nil?
152
+ check.dependencies = [{:name=>name, :version=>version}]
153
+ issues << check if check.vuln?
154
+ end
155
+ end
156
+ debug_me "#{issues}"
157
+ return issues
125
158
  end
126
159
 
127
160
  def unpack
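Review bot: `check.please_ignore_dep_version = true if version.nil?` is set on the singleton's check objects and never reset to false, so after one version-less `dawn kb list foo` in the same process a later call with a version would still ignore it; assign `version.nil?` unconditionally, and consider restoring `check.dependencies` afterwards since it is overwritten on shared objects. `string.split(':')` is also computed twice per check and can be hoisted out of the loop. Separately, `find` now only logs `Please implement find command` while the README still advertises `dawn kb find`.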
@@ -187,6 +220,10 @@ module Dawn
187
220
  good =0
188
221
  invalid =0
189
222
 
223
+ unless @security_checks.nil?
224
+ debug_me("KB was previously loaded")
225
+ return @security_checks
226
+ end
190
227
  @security_checks = []
191
228
  # $path = File.join(Dir.pwd, "db")
192
229
 
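Review bot: the early `return @security_checks` when `@security_checks` is not nil ignores whatever argument `load` receives, so `kb.load(true)` in `lint` will get the cached set instead of a reload if anything loaded earlier in the process; it also ignores changes to `enabled_checks` (status sets `[:bulletin, :generic_check]`, list sets `[:bulletin]`), so either key the cache on the enabled set or let the force argument bypass it.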
data/lib/dawn/version.rb CHANGED
@@ -1,6 +1,6 @@
1
1
  module Dawn
2
- VERSION = "2.0.0"
2
+ VERSION = "2.1.0"
3
3
  RELEASE = "20230413"
4
- BUILD = "13"
5
- COMMIT = "g23e6a59"
4
+ BUILD = "3"
5
+ COMMIT = "gc8a1ac6"
6
6
  end
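Review bot: `BUILD` goes from "13" to "3" while `RELEASE = "20230413"` is unchanged, so the build counter appears to have been reset for the new version; confirm that is intentional, since a monotonically increasing build number is what lets `RELEASE`/`BUILD`/`COMMIT` distinguish two 2.1.0 builds.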
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dawnscanner
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.0
4
+ version: 2.1.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Paolo Perego
@@ -220,13 +220,12 @@ dependencies:
220
220
  - - ">="
221
221
  - !ruby/object:Gem::Version
222
222
  version: '0'
223
- description: Dawnscanner is a security source code scanner for ruby powered code.
224
- It is especially designed for web applications, but it works also with general purpose
225
- ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino
226
- and sinatra; it provides more than 150 security checks with their own mitigation
227
- suggestion.
223
+ description: dawn is a security source code scanner for ruby powered code. It is especially
224
+ designed for web applications, but it works also with general purpose ruby scripts.
225
+ Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra;
226
+ it provides more than 680 security checks with their own mitigation suggestion.
228
227
  email:
229
- - paolo@dawnscanner.org
228
+ - paolo@armoredcode.com
230
229
  executables:
231
230
  - dawn
232
231
  extensions: []
@@ -273,6 +272,7 @@ files:
273
272
  - checksum/dawnscanner-1.6.6.gem.sha1
274
273
  - checksum/dawnscanner-1.6.7.gem.sha1
275
274
  - checksum/dawnscanner-1.6.8.gem.sha1
275
+ - checksum/dawnscanner-2.0.0.gem.sha1
276
276
  - checksum/dawnscanner-2.0.0.rc1.gem.sha1
277
277
  - checksum/dawnscanner-2.0.0.rc2.gem.sha1
278
278
  - checksum/dawnscanner-2.0.0.rc3.gem.sha1
@@ -342,7 +342,7 @@ files:
342
342
  - support/bootstrap.js
343
343
  - support/bootstrap.min.css
344
344
  - support/codesake.css
345
- homepage: https://dawnscanner.org
345
+ homepage: https://github.com/thesp0nge/dawnscanner
346
346
  licenses:
347
347
  - MIT
348
348
  metadata: {}
@@ -354,7 +354,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
354
354
  requirements:
355
355
  - - ">="
356
356
  - !ruby/object:Gem::Version
357
- version: 2.3.0
357
+ version: 3.0.0
358
358
  required_rubygems_version: !ruby/object:Gem::Requirement
359
359
  requirements:
360
360
  - - ">="
@@ -364,9 +364,8 @@ requirements: []
364
364
  rubygems_version: 3.3.26
365
365
  signing_key:
366
366
  specification_version: 4
367
- summary: Dawnscanner is a security source code scanner for ruby powered code. It is
368
- crafted with love to make your sinatra, padrino and ruby on rails web applications
369
- secure.
367
+ summary: dawn is a security source code scanner for ruby powered code. It is crafted
368
+ with love to make your sinatra, padrino and ruby on rails web applications secure.
370
369
  test_files:
371
370
  - features/dawn_complains_about_an_incorrect_command_line.feature.disabled
372
371
  - features/dawn_scan_a_secure_sinatra_app.feature.disabled