dawnscanner 2.0.0 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cd4bbcfe33df2cf77a454baf00629653a49480c6606e8ed20c06ded4313c3dfb
-  data.tar.gz: 0a0e41109d47d2f634f2ecafc1b68c1b2596156054594c6221a9ddabd04dbc23
+  metadata.gz: fbb231ba7ae0542ffa5a4df93bf1957ca989e4073129f8c57894b2f6d5813973
+  data.tar.gz: 833442b38e833db16ee550a56e26ce67b69cc77ee4ff2b69389bd1dab7ff16b3
 SHA512:
-  metadata.gz: 40fb06e99f9cd958a0b5e1c95b52593d250a7aabb6cfd6623cb82561a88b250f1815a7ac6b81a1c4a9a1c2c3b5781d59225070adb0a776b31d0377efd33e7cc7
-  data.tar.gz: d1a37d012779435d7d8ef91161911126bdf3e0fcccb28ad113276a3036bf2cb6590d32757cccb240a845979e7667f2f8045f24a261bd8dcacabef6a81dbe0534
+  metadata.gz: 157a7aaf188e55b35027cae52ae7f7a71146d2b490ab5d31b8eaf3dcfc29a10de0dc3ef646e0d9b8f30330ec3b73412df62bdb4467233046b92a98f2ba4bb81a
+  data.tar.gz: 012e8a07b7d8bdde1947b8c0ccd6fee4bd31336c72481934ec74d4f252847fb26a0bcbab60550c2221d9716d2e51bdefeff140425c99a82e7af4df5e15a7b074

data/Changelog.md

@@ -5,9 +5,21 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: mer 29 mar 2023, 18:32:56, CEST_
+_latest update: fri 14 apr 2023, 16:36:56, CEST_
 
-## Version 2.0.0
+## Version 2.1.1 (2023-04-14)
+
+* Issue #252 fix was uncomplete.
+
+## Version 2.1.0 (2023-04-13)
+
+* BasicCheck: added an attribute do flag as vulnerable a dependency gem only if
+  it matches the name, overriding the version. It will be used in dawn kb list
+  command, when the user won't enter the version information.
+* Added the "list" subcommand to "kb". It can be used to fetch from the
+  knowledge base all CVEs affecting a particular gem.
+
+## Version 2.0.0 (2023-04-13)
 
 * New knowledge base, YAML based and distributed separately from the ruby gem.
 * New CLI based on Thor library. Please read README.md file to know how to
@@ -308,7 +320,7 @@ _latest update: mer 29 mar 2023, 18:32:56, CEST_
 
 * Adding a check for OSVDB-108569: information disclosure in backup_checksum
   gem (issue #69)
-* Fix issue #74. Now BasicChack has its own cve, osvdb attributes and a rake
+* Fix issue #74. Now BasicCheck has its own cve, osvdb attributes and a rake
   task will perform a sanity check if those values have been initialized
 * Fix issue #62 about codesake-dawn config filename
 * Adding a check for CVE-2013-2105: HTML injection in show_in_browser rubygem

data/README.md

@@ -100,11 +100,12 @@ being analyzed.
 Is it possible, with the kb subcommand, to query the knowledge base.
 
 ```
-dawn kb find            # Searches the knowledge base for a given security test
-dawn kb help [COMMAND]  # Describe subcommands or one specific subcommand
-dawn kb lint            # Checks knowledge base content for correcteness
-dawn kb status          # Checks the status of the knowledge base
-dawn kb unpack          # Unpacks security checks in KB library path
+dawn kb find                        # Searches the knowledge base for a given vulnerability
+dawn kb help [COMMAND]              # Describe subcommands or one specific subcommand
+dawn kb lint                        # Checks knowledge base content for correcteness
+dawn kb list gem_name[gem_version]  # List all security issues affecting a gem passed as argument (the version string is optional).
+dawn kb status                      # Checks the status of the knowledge base
+dawn kb unpack                      # Unpacks security checks in KB library path
 ```
 
 ## Useful links

data/Rakefile

@@ -160,35 +160,35 @@ namespace :rubysec do
 end
 
 def __kb_pack
-  if Dir.exists? "#{YAML_KB}/bulletin"
+  if Dir.exist? "#{YAML_KB}/bulletin"
     system "tar cfvz #{YAML_KB}/bulletin.tar.gz -C #{YAML_KB} bulletin"
     system "rm -rf #{YAML_KB}/bulletin"
     system "shasum -a 256 #{YAML_KB}/bulletin.tar.gz > #{YAML_KB}/bulletin.tar.gz.sig"
   end
 
-  if Dir.exists? "#{YAML_KB}/generic_check"
+  if Dir.exist? "#{YAML_KB}/generic_check"
     system "tar cfvz #{YAML_KB}/generic_check.tar.gz -C #{YAML_KB} generic_check"
     system "rm -rf #{YAML_KB}/generic_check"
     system "shasum -a 256 #{YAML_KB}/generic_check.tar.gz > #{YAML_KB}/generic_check.tar.gz.sig"
   end
 
-  if Dir.exists? "#{YAML_KB}/owasp_ror_cheatsheet"
+  if Dir.exist? "#{YAML_KB}/owasp_ror_cheatsheet"
     system "tar cfvz #{YAML_KB}/owasp_ror_cheatsheet.tar.gz -C #{YAML_KB} owasp_ror_cheatsheet"
     system "rm -rf #{YAML_KB}/owasp_ror_cheatsheet"
     system "shasum -a 256 #{YAML_KB}/owasp_ror_cheatsheet.tar.gz > #{YAML_KB}/owasp_ror_cheatsheet.tar.gz.sig"
   end
 
-  if Dir.exists? "#{YAML_KB}/code_style"
+  if Dir.exist? "#{YAML_KB}/code_style"
     system "tar cfvz #{YAML_KB}/code_style.tar.gz -C #{YAML_KB} code_style"
     system "rm -rf #{YAML_KB}/code_style"
     system "shasum -a 256 #{YAML_KB}/code_style.tar.gz > #{YAML_KB}/code_style.tar.gz.sig"
   end
-  if Dir.exists? "#{YAML_KB}/code_quality"
+  if Dir.exist? "#{YAML_KB}/code_quality"
     system "tar cfvz #{YAML_KB}/code_quality.tar.gz -C #{YAML_KB} code_quality"
     system "rm -rf #{YAML_KB}/code_quality"
     system "shasum -a 256 #{YAML_KB}/code_quality.tar.gz > #{YAML_KB}/code_quality.tar.gz.sig"
   end
-  if Dir.exists? "#{YAML_KB}/owasp_top_10"
+  if Dir.exist? "#{YAML_KB}/owasp_top_10"
     system "tar cfvz #{YAML_KB}/owasp_top_10.tar.gz -C #{YAML_KB} owasp_top_10"
     system "rm -rf #{YAML_KB}/owasp_top_10"
     system "shasum -a 256 #{YAML_KB}/owasp_top_10.tar.gz > #{YAML_KB}/owasp_top_10.tar.gz.sig"

data/VERSION

@@ -1,3 +1,3 @@
 # I removed codenames :-)
 # Code review is fun
-2.0.0
+2.1.1

data/checksum/dawnscanner-2.0.0.gem.sha1

@@ -0,0 +1 @@
+85ef0190d8b51e779c42122f673bb6dd495a8d9f

data/checksum/dawnscanner-2.1.0.gem.sha1

@@ -0,0 +1 @@
+e463c7c3f54c900752f3b9be47da3f311cddd941

data/dawnscanner.gemspec

@@ -5,17 +5,17 @@ Gem::Specification.new do |gem|
   gem.name          = "dawnscanner"
   gem.version       = Dawn::VERSION
   gem.authors       = ["Paolo Perego"]
-  gem.email         = ["paolo@dawnscanner.org"]
-  gem.description   = %q{Dawnscanner is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 150 security checks with their own mitigation suggestion.}
-  gem.summary       = %q{Dawnscanner is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
-  gem.homepage      = "https://dawnscanner.org"
+  gem.email         = ["paolo@armoredcode.com"]
+  gem.description   = %q{dawn is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 680 security checks with their own mitigation suggestion.}
+  gem.summary       = %q{dawn is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
+  gem.homepage      = "https://github.com/thesp0nge/dawnscanner"
   gem.files         = `git ls-files`.split($/)
   gem.license       = "MIT"
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
-  gem.required_ruby_version = '>= 2.3.0'
+  gem.required_ruby_version = '>= 3.0.0'
 
   gem.add_dependency 'cvss'
   gem.add_dependency 'haml'

data/features/step_definition/dawn_steps.rb

@@ -1,19 +1,18 @@
 Given /^the generic project "(.*?)" doesn't exist$/ do |file|
-  FileUtils.rm(file) if File.exists?(file)
+  FileUtils.rm(file) if File.exist?(file)
 end
 
 Given /^the hello world rails project does exist$/ do
   system("rm -rf /tmp/hello_world_3.2.13")
-  system("cp -a ./spec/support/hello_world_3.2.13 /tmp") 
+  system("cp -a ./spec/support/hello_world_3.2.13 /tmp")
 end
 
 Given /^a safe sinatra application exists$/ do
   system("rm -rf /tmp/sinatra-safe")
-  system("cp -a ./spec/support/sinatra-safe /tmp") 
+  system("cp -a ./spec/support/sinatra-safe /tmp")
 end
 
 Given /^a vulnerable sinatra application exists$/ do
   system("rm -rf /tmp/sinatra-vulnerable")
-  system("cp -a ./spec/support/sinatra-vulnerable /tmp") 
+  system("cp -a ./spec/support/sinatra-vulnerable /tmp")
 end
-

data/lib/dawn/cli/dawn_cli.rb

@@ -6,21 +6,34 @@ module Dawn
     # This class is responsible for the "dawn kb" command and related
     # subcommands.
     class Kb < Thor
-      package_name "dawnscanner"
-      desc "find", "Searches the knowledge base for a given security test"
+      package_name "dawn"
+      class_option :verbose, :type=>:boolean
+      class_option :debug, :type=>:boolean
+
+      no_commands{
+        def init_globals
+          $debug = true if options[:debug]
+          $verbose = true if options[:verbose]
+        end
+      }
+
+      desc "find", "Searches the knowledge base for a given vulnerability"
       def find(string)
+        init_globals
         kb = Dawn::KnowledgeBase.instance
         kb.find(string)
       end
 
       desc "lint", "Checks knowledge base content for correcteness"
       def lint
+        init_globals
         kb = Dawn::KnowledgeBase.instance
         kb.load(true)
       end
 
       desc "unpack", "Unpacks security checks in KB library path"
       def unpack
+        init_globals
         $logger.helo APPNAME, Dawn::VERSION
         kb = Dawn::KnowledgeBase.instance
         kb.unpack
@@ -30,6 +43,7 @@ module Dawn
 
       desc "status", "Checks the status of the knowledge base"
       def status
+        init_globals
         $logger.helo APPNAME, Dawn::VERSION
         Dawn::KnowledgeBase.enabled_checks=[:bulletin, :generic_check]
         kb = Dawn::KnowledgeBase.instance
@@ -44,10 +58,29 @@ module Dawn
         $logger.bye
         Kernel.exit(0)
       end
+
+      desc "list gem_name[gem_version]", "List all security issues affecting a gem passed as argument (the version string is optional)."
+      def list(gem_name, gem_version=nil)
+        init_globals
+        to_check="#{gem_name}"
+        to_check += ":#{gem_version}" unless gem_version.nil?
+
+        Dawn::KnowledgeBase.enabled_checks=[:bulletin]
+        kb = Dawn::KnowledgeBase.instance
+        kb.load
+        if kb.security_checks.empty?
+          $logger.error(kb.error)
+        end
+        issues = kb.find_issues_by_gem(to_check)
+
+        issues.each do |issue|
+          puts "#{issue.name} "
+        end
+      end
     end
 
     class DawnCli < Thor
-      package_name "dawnscanner"
+      package_name "dawn"
       class_option :verbose, :type=>:boolean
       class_option :debug, :type=>:boolean
 

data/lib/dawn/kb/basic_check.rb

@@ -78,6 +78,13 @@ module Dawn
       #   + :none
       attr_accessor :priority
 
+      # Introduced in 2.1.0
+      # It allows a security check to be marked as positive (vulnerable), only
+      # if it matches the dependency gem name, ignoring the version.
+      #
+      # Only used in DEPENDENCY and UNSAFE_DEPENDENCY checks
+      attr_accessor :please_ignore_dep_version
+
       def initialize(options={})
         @applies                  = []
         @ruby_version             = ""
@@ -114,6 +121,8 @@ module Dawn
         @priority         = options[:priority] unless options[:priority].nil?
         @check_family     = options[:check_family] unless options[:check_family].nil?
 
+        @please_ignore_dep_version = false
+
         # FIXME.20140325
         #
         # I don't want to manually fix 150+ ruby files to add something I can

data/lib/dawn/kb/unsafe_depedency_check.rb

@@ -31,10 +31,9 @@ module Dawn
         @dependencies.each do |dep|
           unless @vulnerable_version_array.nil? or @vulnerable_version_array.empty?
             if dep[:name] == @vulnerable_version_array[0][:name]
-              debug_me("DEP VERSION #{dep[:version]}")
-              debug_me("VULN_VER #{@vulnerable_version_array[0][:version]}")
-              return false if @vulnerable_version_array[0][:version].nil? or @vulnerable_version_array[0][:version].empty?
-              return true if @vulnerable_version_array[0][:version].include? dep[:version]
+              return true   if @please_ignore_dep_version
+              return false  if @vulnerable_version_array[0][:version].nil? or @vulnerable_version_array[0][:version].empty?
+              return true   if @vulnerable_version_array[0][:version].include? dep[:version]
             end
           end
         end

data/lib/dawn/knowledge_base.rb

@@ -122,6 +122,39 @@ module Dawn
 
     def find(name)
       debug_me "I'm asked to find #{name}"
+      debug_me "Please implement find command"
+    end
+
+    # Find all security issues affecting the gem passed as argument.
+    # The gem parameter can contains also the version number, separated by a
+    # ':'
+    #
+    # == Parameters:
+    # string::
+    #   A string containing the gem name, and eventually the version, to search
+    #   for vulnerabilities.
+    #   e.g.
+    #     $ dawn kb list sinatra        =>  returns all bulletins affecting sinatra gem
+    #     $ dawn kb list sinatra 2.0.0  =>  return all bulletins affecting
+    #                                       sinatra gem version 2.0.0
+    #
+    # == Returns:
+    # An array with all the vulnerabilities affecting the gem (or the
+    # particular gem version if provided).
+    def find_issues_by_gem(string = "")
+      issues = []
+      @security_checks.each do |check|
+        if check.kind == Dawn::KnowledgeBase::DEPENDENCY_CHECK or check.kind == Dawn::KnowledgeBase::UNSAFE_DEPENDENCY_CHECK
+             debug_me "applying check #{check.name}"
+             name = string.split(':')[0]
+             version = string.split(':')[1]
+             check.please_ignore_dep_version = true if version.nil?
+             check.dependencies  = [{:name=>name, :version=>version}]
+             issues << check if check.vuln?
+        end
+      end
+      debug_me "#{issues}"
+      return issues
     end
 
     def unpack
@@ -187,6 +220,10 @@ module Dawn
       good    =0
       invalid =0
 
+      unless @security_checks.nil?
+        debug_me("KB was previously loaded")
+        return @security_checks
+      end
       @security_checks = []
       # $path = File.join(Dir.pwd, "db")
 
@@ -207,7 +244,7 @@ module Dawn
         # Please note that if we enter in this branch, it means someone
         # tampered the KB between the previous __valid? check and this point.
         # Of course this is a very rare situation, but we must handle it.
-        unless Dir.exists?(dir)
+        unless Dir.exist?(dir)
           $logger.warn "Missing check directory #{dir}"
         else
           Dir.glob(dir+"/**/*.yml").each do |f|
@@ -274,12 +311,12 @@ module Dawn
 
       lines = ""
 
-      unless File.exists?(File.join(@path, "kb.yaml"))
+      unless File.exist?(File.join(@path, "kb.yaml"))
         $logger.error  "Missing kb.yaml in #{path}. Giving up"
         return false
       end
 
-      unless File.exists?(File.join(@path, "kb.yaml.sig"))
+      unless File.exist?(File.join(@path, "kb.yaml.sig"))
         $logger.error  "Missing kb.yaml signature in #{path}. Giving up"
         return false
       end
@@ -306,7 +343,7 @@ module Dawn
     # local DB path
     def __packed?
       FILES.each do |fn|
-        return true if fn.end_with? 'tar.gz' and File.exists?(File.join(@path, fn))
+        return true if fn.end_with? 'tar.gz' and File.exist?(File.join(@path, fn))
       end
       return false
     end

data/lib/dawn/version.rb

@@ -1,6 +1,6 @@
 module Dawn
-    VERSION = "2.0.0"
-    RELEASE = "20230413"
-    BUILD = "13"
-    COMMIT = "g23e6a59"
+    VERSION = "2.1.1"
+    RELEASE = "20230414"
+    BUILD = "1"
+    COMMIT = "gbb3ea6d"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dawnscanner
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.1
 platform: ruby
 authors:
 - Paolo Perego
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-13 00:00:00.000000000 Z
+date: 2023-04-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cvss
@@ -220,13 +220,12 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: Dawnscanner is a security source code scanner for ruby powered code.
-  It is especially designed for web applications, but it works also with general purpose
-  ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino
-  and sinatra; it provides more than 150 security checks with their own mitigation
-  suggestion.
+description: dawn is a security source code scanner for ruby powered code. It is especially
+  designed for web applications, but it works also with general purpose ruby scripts.
+  Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra;
+  it provides more than 680 security checks with their own mitigation suggestion.
 email:
-- paolo@dawnscanner.org
+- paolo@armoredcode.com
 executables:
 - dawn
 extensions: []
@@ -273,10 +272,12 @@ files:
 - checksum/dawnscanner-1.6.6.gem.sha1
 - checksum/dawnscanner-1.6.7.gem.sha1
 - checksum/dawnscanner-1.6.8.gem.sha1
+- checksum/dawnscanner-2.0.0.gem.sha1
 - checksum/dawnscanner-2.0.0.rc1.gem.sha1
 - checksum/dawnscanner-2.0.0.rc2.gem.sha1
 - checksum/dawnscanner-2.0.0.rc3.gem.sha1
 - checksum/dawnscanner-2.0.0.rc5.gem.sha1
+- checksum/dawnscanner-2.1.0.gem.sha1
 - code_of_conduct.md
 - dawnscanner.gemspec
 - doc/change.sh
@@ -342,7 +343,7 @@ files:
 - support/bootstrap.js
 - support/bootstrap.min.css
 - support/codesake.css
-homepage: https://dawnscanner.org
+homepage: https://github.com/thesp0nge/dawnscanner
 licenses:
 - MIT
 metadata: {}
@@ -354,7 +355,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.0
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -364,9 +365,8 @@ requirements: []
 rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
-summary: Dawnscanner is a security source code scanner for ruby powered code. It is
-  crafted with love to make your sinatra, padrino and ruby on rails web applications
-  secure.
+summary: dawn is a security source code scanner for ruby powered code. It is crafted
+  with love to make your sinatra, padrino and ruby on rails web applications secure.
 test_files:
 - features/dawn_complains_about_an_incorrect_command_line.feature.disabled
 - features/dawn_scan_a_secure_sinatra_app.feature.disabled