dawnscanner 1.2.99 → 1.3.0
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +4 -4
- data.tar.gz.sig +0 -0
- data/.gitignore +1 -0
- data/Changelog.md +11 -9
- data/KnowledgeBase.md +2 -2
- data/README.md +58 -56
- data/Rakefile +32 -36
- data/certs/paolo_at_dawnscanner_dot_org.pem +21 -0
- data/checksum/dawnscanner-1.2.99.gem.sha1 +1 -0
- data/dawnscanner.gemspec +4 -4
- data/lib/dawn/core.rb +173 -0
- data/lib/dawn/engine.rb +378 -0
- data/lib/dawn/gemfile_lock.rb +10 -0
- data/lib/dawn/kb/basic_check.rb +226 -0
- data/lib/dawn/kb/combo_check.rb +62 -0
- data/lib/{codesake/dawn → dawn}/kb/cve_2004_0755.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2004_0983.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2005_1992.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2005_2337.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2006_1931.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2006_2582.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2006_3694.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2006_4112.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2006_5467.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2006_6303.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2006_6852.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2006_6979.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2007_0469.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2007_5162.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2007_5379.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2007_5380.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2007_5770.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2007_6077.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2007_6612.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2008_1145.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2008_1891.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2008_2376.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2008_2662.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2008_2663.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2008_2664.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2008_2725.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2008_3655.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2008_3657.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2008_3790.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2008_3905.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2008_4094.rb +1 -3
- data/lib/dawn/kb/cve_2008_4310.rb +100 -0
- data/lib/{codesake/dawn → dawn}/kb/cve_2008_5189.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2008_7248.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2009_4078.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2009_4124.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2009_4214.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2010_1330.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2010_2489.rb +3 -5
- data/lib/{codesake/dawn → dawn}/kb/cve_2010_3933.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_0188.rb +3 -5
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_0446.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_0447.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_0739.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_0995.rb +3 -5
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_1004.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_1005.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_2197.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_2686.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_2705.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_2929.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_2930.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_2931.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_2932.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_3009.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_3186.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_3187.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_4319.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_4815.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2011_5036.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_1098.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_1099.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_1241.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_2139.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_2140.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_2660.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_2661.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_2671.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_2694.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_2695.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_3424.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_3463.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_3464.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_3465.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_4464.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_4466.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_4481.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_4522.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_5370.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_5371.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_5380.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_6109.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_6134.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_6496.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2012_6497.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0155.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0156.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0162.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0175.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0183.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0184.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0233.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0256.rb +3 -5
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0262.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0263.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0269.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0276.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0277.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0284.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0285.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_0333.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1607.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1655.rb +3 -5
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1656.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1756.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1800.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1801.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1802.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1812.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1821.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1854.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1855.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1856.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1857.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1875.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1898.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1911.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1933.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1947.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_1948.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_2065.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_2090.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_2105.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_2119.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_2512.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_2513.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_2516.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_2615.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_2616.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_2617.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_3221.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_4164.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_4203.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_4389.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_4413.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_4457.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_4478.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_4479.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_4489.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_4491.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_4492.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_4562.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_4593.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_5647.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_5671.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_6414.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_6415.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_6416.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_6417.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_6421.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_6459.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_6460.rb +3 -5
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_6461.rb +3 -5
- data/lib/{codesake/dawn → dawn}/kb/cve_2013_7086.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2014_0036.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2014_0080.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2014_0081.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2014_0082.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2014_0130.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2014_1233.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2014_1234.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2014_2322.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2014_2525.rb +4 -6
- data/lib/{codesake/dawn → dawn}/kb/cve_2014_2538.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2014_3482.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/cve_2014_3483.rb +1 -3
- data/lib/dawn/kb/dependency_check.rb +84 -0
- data/lib/{codesake/dawn → dawn}/kb/deprecation_check.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/not_revised_code.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/operating_system_check.rb +0 -2
- data/lib/dawn/kb/osvdb_105971.rb +29 -0
- data/lib/dawn/kb/osvdb_108530.rb +27 -0
- data/lib/dawn/kb/osvdb_108563.rb +28 -0
- data/lib/dawn/kb/osvdb_108569.rb +28 -0
- data/lib/dawn/kb/osvdb_108570.rb +27 -0
- data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet.rb +0 -0
- data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -0
- data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/command_injection.rb +2 -4
- data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/csrf.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/security_related_headers.rb +1 -4
- data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/sensitive_files.rb +1 -3
- data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +1 -3
- data/lib/dawn/kb/pattern_match_check.rb +127 -0
- data/lib/dawn/kb/ruby_version_check.rb +88 -0
- data/lib/dawn/kb/simpleform_xss_20131129.rb +28 -0
- data/lib/dawn/kb/version_check.rb +416 -0
- data/lib/dawn/knowledge_base.rb +511 -0
- data/lib/dawn/padrino.rb +79 -0
- data/lib/dawn/rails.rb +13 -0
- data/lib/dawn/railtie.rb +7 -0
- data/lib/dawn/reporter.rb +278 -0
- data/lib/dawn/sinatra.rb +127 -0
- data/lib/{codesake/dawn → dawn}/tasks.rb +0 -0
- data/lib/dawn/utils.rb +19 -0
- data/lib/dawn/version.rb +26 -0
- data/lib/dawnscanner.rb +12 -0
- data/lib/tasks/dawn_tasks.rake +1 -0
- data/spec/lib/dawn/codesake_core_spec.rb +3 -3
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +174 -174
- data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +2 -2
- data/spec/lib/dawn/codesake_rails_engine_disabled.rb +2 -2
- data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +5 -5
- data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +6 -6
- data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +8 -8
- data/spec/lib/kb/codesake_dependency_version_check_spec.rb +8 -8
- data/spec/lib/kb/codesake_deprecation_check_spec.rb +12 -12
- data/spec/lib/kb/codesake_ruby_version_check_spec.rb +6 -6
- data/spec/lib/kb/codesake_version_check_spec.rb +44 -44
- data/spec/lib/kb/cve_2011_2705_spec.rb +8 -8
- data/spec/lib/kb/cve_2011_2930_spec.rb +7 -7
- data/spec/lib/kb/cve_2011_3009_spec.rb +5 -5
- data/spec/lib/kb/cve_2011_3187_spec.rb +5 -5
- data/spec/lib/kb/cve_2011_4319_spec.rb +10 -10
- data/spec/lib/kb/cve_2011_5036_spec.rb +22 -22
- data/spec/lib/kb/cve_2012_1098_spec.rb +8 -8
- data/spec/lib/kb/cve_2012_2139_spec.rb +4 -4
- data/spec/lib/kb/cve_2012_2671_spec.rb +5 -5
- data/spec/lib/kb/cve_2012_6109_spec.rb +26 -26
- data/spec/lib/kb/cve_2013_0162_spec.rb +5 -5
- data/spec/lib/kb/cve_2013_0183_spec.rb +12 -12
- data/spec/lib/kb/cve_2013_0184_spec.rb +27 -27
- data/spec/lib/kb/cve_2013_0256_spec.rb +7 -7
- data/spec/lib/kb/cve_2013_0262_spec.rb +10 -10
- data/spec/lib/kb/cve_2013_0263_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_1607_spec.rb +3 -3
- data/spec/lib/kb/cve_2013_1655_spec.rb +5 -5
- data/spec/lib/kb/cve_2013_1756_spec.rb +5 -5
- data/spec/lib/kb/cve_2013_2090_spec.rb +3 -3
- data/spec/lib/kb/cve_2013_2105_spec.rb +2 -2
- data/spec/lib/kb/cve_2013_2119_spec.rb +6 -6
- data/spec/lib/kb/cve_2013_2512_spec.rb +3 -3
- data/spec/lib/kb/cve_2013_2513_spec.rb +3 -3
- data/spec/lib/kb/cve_2013_2516_spec.rb +3 -3
- data/spec/lib/kb/cve_2013_4203_spec.rb +3 -3
- data/spec/lib/kb/cve_2013_4413_spec.rb +3 -3
- data/spec/lib/kb/cve_2013_4489_spec.rb +12 -12
- data/spec/lib/kb/cve_2013_4593_spec.rb +3 -3
- data/spec/lib/kb/cve_2013_5647_spec.rb +4 -4
- data/spec/lib/kb/cve_2013_5671_spec.rb +5 -5
- data/spec/lib/kb/cve_2013_6416_spec.rb +6 -6
- data/spec/lib/kb/cve_2013_6459_spec.rb +3 -3
- data/spec/lib/kb/cve_2013_7086_spec.rb +4 -4
- data/spec/lib/kb/cve_2014_0036_spec.rb +3 -3
- data/spec/lib/kb/cve_2014_0080_spec.rb +6 -6
- data/spec/lib/kb/cve_2014_0081_spec.rb +11 -11
- data/spec/lib/kb/cve_2014_0082_spec.rb +9 -9
- data/spec/lib/kb/cve_2014_0130_spec.rb +4 -4
- data/spec/lib/kb/cve_2014_1233_spec.rb +3 -3
- data/spec/lib/kb/cve_2014_1234_spec.rb +3 -3
- data/spec/lib/kb/cve_2014_2322_spec.rb +3 -3
- data/spec/lib/kb/cve_2014_2538_spec.rb +3 -3
- data/spec/lib/kb/cve_2014_3482_spec.rb +3 -3
- data/spec/lib/kb/cve_2014_3483_spec.rb +5 -5
- data/spec/lib/kb/osvdb_105971_spec.rb +3 -3
- data/spec/lib/kb/osvdb_108530_spec.rb +4 -4
- data/spec/lib/kb/osvdb_108563_spec.rb +3 -3
- data/spec/lib/kb/osvdb_108569_spec.rb +3 -3
- data/spec/lib/kb/osvdb_108570_spec.rb +3 -3
- data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +8 -8
- data/spec/spec_helper.rb +1 -1
- metadata +227 -226
- metadata.gz.sig +0 -0
- data/certs/paolo_at_codesake_dot_com.pem +0 -21
- data/lib/codesake-dawn.rb +0 -12
- data/lib/codesake/dawn/core.rb +0 -175
- data/lib/codesake/dawn/engine.rb +0 -380
- data/lib/codesake/dawn/gemfile_lock.rb +0 -12
- data/lib/codesake/dawn/kb/basic_check.rb +0 -228
- data/lib/codesake/dawn/kb/combo_check.rb +0 -64
- data/lib/codesake/dawn/kb/cve_2008_4310.rb +0 -103
- data/lib/codesake/dawn/kb/dependency_check.rb +0 -86
- data/lib/codesake/dawn/kb/osvdb_105971.rb +0 -31
- data/lib/codesake/dawn/kb/osvdb_108530.rb +0 -29
- data/lib/codesake/dawn/kb/osvdb_108563.rb +0 -30
- data/lib/codesake/dawn/kb/osvdb_108569.rb +0 -30
- data/lib/codesake/dawn/kb/osvdb_108570.rb +0 -29
- data/lib/codesake/dawn/kb/pattern_match_check.rb +0 -129
- data/lib/codesake/dawn/kb/ruby_version_check.rb +0 -91
- data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb +0 -30
- data/lib/codesake/dawn/kb/version_check.rb +0 -418
- data/lib/codesake/dawn/knowledge_base.rb +0 -513
- data/lib/codesake/dawn/padrino.rb +0 -82
- data/lib/codesake/dawn/rails.rb +0 -17
- data/lib/codesake/dawn/railtie.rb +0 -9
- data/lib/codesake/dawn/reporter.rb +0 -280
- data/lib/codesake/dawn/sinatra.rb +0 -129
- data/lib/codesake/dawn/utils.rb +0 -21
- data/lib/codesake/dawn/version.rb +0 -28
- data/lib/tasks/codesake-dawn_tasks.rake +0 -1
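--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1b30d65a04af4cd34b129b0c0239e6b8201f95fb
+data.tar.gz: 0aed7efd5f30659bfdea8b52376ec3d23a4d7a3e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ba85cc6a84e4a3f0d766631aa71dfc1db749b8890bb1f5156fc0cd0205364a97172823a73897857318db9f9b71f63b8fd73bd107f4634a9053537778c7b9b41b
+data.tar.gz: 0c96b639355d9e7d06d9609632adb7566842a0cd662407c8e71812efc8ef153aee20620da0ea65232475fa0b65e95557be6357d93b05413ad29ee5f2d0e48b81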
checksums.yaml.gz.sig
CHANGED
@@ -1,4 +1,4 @@
|
|
1
|
-
|
2
|
-
|
3
|
-
|
4
|
-
�
|
1
|
+
e!
|
2
|
+
��
|
3
|
+
�Q�gig�n&
|
4
|
+
�s�(b�t�^ )����(�!Y�]<�;'bi���0����s��\\�[ ����~G�3�4TXh�h�a~�B�F�zT�,5H�xY�Of�O��~<��3:�{�C����l�|"��/
|
data.tar.gz.sig
CHANGED
Binary file
|
data/.gitignore
CHANGED
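--- a/data/Changelog.md
+++ b/data/Changelog.md
@@ -1,16 +1,18 @@
-#
+# Dawn - changelog
 
-
+Dawn is a static analysis security scanner for ruby written web applications.
 It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update:
+_latest update: Thu Jan 8 17:19:37 CET 2015_
 
 ## Version 1.2.99 - codename: Lightning McQueen (2015-01-07)
 
 * Add a deprecation message. This is the last codesake-dawn release. New gem
 will be called dawnscanner.
+* gem name changed from codesake-dawn to dawnscanner. Binary program remains
+'dawn' but the repository is moved here: https://github.com/thesp0nge/dawnscanner
 
 ## Version 1.2.0 - codename: Lightning McQueen (2014-07-14)
 
@@ -83,14 +85,14 @@ _latest update: Fri Jul 11 18:06:30 CEST 2014_
 * Added a check for CVE-2014-0080
 * Added a check for CVE-2014-2525
 * Added remaining compliance checks against Owasp Ruby on Rails cheatsheet.
-Some other checks in the cheatsheet can't be turned into a
+Some other checks in the cheatsheet can't be turned into a Dawn
 test, so all the cheatsheet content is covered since now.
 * Added a --ascii-tabular-report (-a) to produce a report formatted with ascii
 tables. A bit of bin/dawn refactoring was necessary.
 * Added a --json (-j) to produce JSON reports
 * Added a --html (-h) to produce HTML reports
 * Added a --file (-F) flag to save report to supplied filename
-* Added
+* Added Dawn gem signature as described in
 http://guides.rubygems.org/security/. README is modified accordingly with new
 installation suggestions. Added also gem SHA512 checksum in repository.
 * Added a not_affected attribute to dependency check to flag as not vulnerable
@@ -103,7 +105,7 @@ _latest update: Fri Jul 11 18:06:30 CEST 2014_
 is provided as well. True to be told, there are some CVE valid but not found
 on NVID website, so having @rubysec link is even more accurate in those
 situations.
-* New
+* New Dawn::Kb::VersionCheck class to provide version specific
 checks, supporting beta version number, release candidate and pre. Fully
 integrated with DepedencyCheck and RubyVersionCheck
 * Issue #34. I added a deprecation check. However I haven't found an official
@@ -113,7 +115,7 @@ _latest update: Fri Jul 11 18:06:30 CEST 2014_
 --list-knowledge-base that is just for listing.
 * Renamed '--list-knowledgebase' to '--list-knowledge-base' and '-k' short
 option was removed
-* Added a --list-known-families option printing out
+* Added a --list-known-families option printing out Dawn supported
 check family name
 * Removed '-f' short option for list-known-framework
 * Added family and severity to Owasp RoR Cheatsheet files
@@ -129,7 +131,7 @@ _latest update: Fri Jul 11 18:06:30 CEST 2014_
 cheatsheet checks
 * Added --disable-owasp-top-10 flag to disable all Owasp Top 10 checks
 * Revamped help output
-* Added YAML
+* Added YAML Dawn configuration support. Now you can specify your
 preferences in a .codesake-dawn.yaml file in your home directory (or you can
 use the --config-file option to specify the file you want to use). It returns
 an embedded default configuration if the supplied filename doesn't exist.
@@ -172,7 +174,7 @@ _latest update: Fri Jul 11 18:06:30 CEST 2014_
 
 * Fixing issue #27. With rainbow gem version 2.0.0 there is an exception while
 codesake-commons logging facilities tries to print something with the .color
-method. Now
+method. Now Dawn uses a new codesake-commons gem version that fixes
 how rainbow gem deals with colorized output.
 
 ## Version 1.0.1 - codename: Lightning McQueen (2014-01-25)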
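--- a/data/KnowledgeBase.md
+++ b/data/KnowledgeBase.md
@@ -1,6 +1,6 @@
-#
+# Dawn Knowledge base
 
-The knowledge base library for
+The knowledge base library for Dawn version 1.2.0 contains 180 security checks.
 ---
 * Simple Form XSS - 20131129: There is a XSS vulnerability on Simple Form's label, hint and error options. When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe.
 * [CVE-2004-0755](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0755): The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions.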
data/README.md
CHANGED
@@ -1,11 +1,12 @@
|
|
1
|
-
#
|
1
|
+
# Dawn - The raising security scanner for ruby web applications
|
2
2
|
|
3
|
-
|
4
|
-
|
3
|
+
Dawn is a source code scanner designed to review your ruby code for security
|
4
|
+
issues.
|
5
5
|
|
6
|
-
|
7
|
-
|
8
|
-
MVC (Model View Controller) frameworks,
|
6
|
+
Dawn is able to scan plain ruby scripts (e.g. command line applications) but
|
7
|
+
all its features are unleashed when dealing with web applications source code.
|
8
|
+
Dawn is able to scan major MVC (Model View Controller) frameworks, out of the
|
9
|
+
box:
|
9
10
|
|
10
11
|
* [Ruby on Rails](http://rubyonrails.org)
|
11
12
|
* [Sinatra](http://www.sinatrarb.com)
|
@@ -13,22 +14,22 @@ MVC (Model View Controller) frameworks, like:
|
|
13
14
|
|
14
15
|
---
|
15
16
|
|
16
|
-
[![Gem Version](https://badge.fury.io/rb/
|
17
|
-
[![Build Status](https://travis-ci.org/
|
18
|
-
[![Dependency Status](https://gemnasium.com/
|
19
|
-
[![Coverage Status](https://coveralls.io/repos/
|
20
|
-
[![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/
|
21
|
-
[![Inline docs](http://inch-ci.org/github/
|
17
|
+
[![Gem Version](https://badge.fury.io/rb/dawnscanner.png)](http://badge.fury.io/rb/dawnscanner)
|
18
|
+
[![Build Status](https://travis-ci.org/thesp0nge/dawnscanner.png?branch=master)](https://travis-ci.org/thesp0nge/dawnscanner)
|
19
|
+
[![Dependency Status](https://gemnasium.com/thesp0nge/dawnscanner.png)](https://gemnasium.com/thesp0nge/dawnscanner)
|
20
|
+
[![Coverage Status](https://coveralls.io/repos/thesp0nge/dawnscanner/badge.png)](https://coveralls.io/r/thesp0nge/dawnscanner)
|
21
|
+
[![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/thesp0nge/dawnscanner/trend.png)](https://bitdeli.com/free "Bitdeli Badge")
|
22
|
+
[![Inline docs](http://inch-ci.org/github/thesp0nge/dawnscanner.png?branch=master)](http://inch-ci.org/github/thesp0nge/dawnscanner)
|
22
23
|
|
23
24
|
---
|
24
25
|
|
25
|
-
|
26
|
+
Dawn version 1.3 has 180 security checks loaded in its knowledge
|
26
27
|
base. Most of them are CVE bulletins applying to gems or the ruby interpreter
|
27
28
|
itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.
|
28
29
|
|
29
30
|
## An overall introduction
|
30
31
|
|
31
|
-
When you run
|
32
|
+
When you run Dawn on your code it parses your project Gemfile.lock
|
32
33
|
looking for the gems used and it tries to detect the ruby interpreter version
|
33
34
|
you are using or you declared in your ruby version management tool you like
|
34
35
|
most (RVM, rbenv, ...).
|
@@ -37,47 +38,47 @@ Then the tool tries to detect the MVC framework your web application uses and
|
|
37
38
|
it applies the security check accordingly. There checks designed to match rails
|
38
39
|
application or checks that are appliable to any ruby code.
|
39
40
|
|
40
|
-
|
41
|
+
Dawn can also understand the code in your views and to backtrack
|
41
42
|
sinks to spot cross site scripting and sql injections introduced by the code
|
42
43
|
you actually wrote. In the project roadmap this is the code most of the future
|
43
44
|
development effort will be focused on.
|
44
45
|
|
45
|
-
|
46
|
+
Dawn security scan result is a list of vulnerabilities with some
|
46
47
|
mitigation actions you want to follow in order to build a stronger web
|
47
48
|
application.
|
48
49
|
|
49
50
|
## Installation
|
50
51
|
|
51
|
-
|
52
|
-
install hasn’t been tampered, you must first add ```paolo@
|
52
|
+
dawnscanner rubygem is cryptographically signed. To be sure the gem you
|
53
|
+
install hasn’t been tampered, you must first add ```paolo@dawnscanner.org```
|
53
54
|
public signing certificate as trusted to your gem specific keyring.
|
54
55
|
|
55
56
|
```
|
56
|
-
$ gem cert --add <(curl -Ls https://raw.githubusercontent.com/
|
57
|
+
$ gem cert --add <(curl -Ls https://raw.githubusercontent.com/thesp0nge/dawnscanner/master/certs/paolo_at_dawnscanner_dot_org.pem)
|
57
58
|
```
|
58
59
|
|
59
|
-
You can install latest
|
60
|
+
You can install latest Dawn version, fetching it from
|
60
61
|
[Rubygems](https://rubygems.org) by typing:
|
61
62
|
|
62
63
|
```
|
63
|
-
$ gem install
|
64
|
+
$ gem install dawnscanner -P MediumSecurity
|
64
65
|
```
|
65
66
|
|
66
67
|
The MediumSecurity trust profile will verify signed gems, but allow the
|
67
68
|
installation of unsigned dependencies. This is necessary because not all of
|
68
|
-
|
69
|
+
Dawn’s dependencies are signed, so we cannot use HighSecurity.
|
69
70
|
|
70
71
|
In order to install a release candidate version, the gem install command line
|
71
72
|
is the following:
|
72
73
|
|
73
74
|
```
|
74
|
-
$ gem install
|
75
|
+
$ gem install dawnscanner --pre -P MediumSecurity
|
75
76
|
```
|
76
77
|
|
77
78
|
If you want to add dawn to your project Gemfile, you must add the following:
|
78
79
|
|
79
80
|
group :development do
|
80
|
-
gem '
|
81
|
+
gem 'dawnscanner', :require=>false
|
81
82
|
end
|
82
83
|
|
83
84
|
And then upgrade your bundle
|
@@ -86,22 +87,22 @@ And then upgrade your bundle
|
|
86
87
|
|
87
88
|
You may want to build it from source, so you have to check it out from github first:
|
88
89
|
|
89
|
-
$ git clone https://github.com/
|
90
|
-
$ cd
|
90
|
+
$ git clone https://github.com/thesp0nge/dawnscanner.git
|
91
|
+
$ cd dawn
|
91
92
|
$ bundle install
|
92
93
|
$ rake install
|
93
94
|
|
94
|
-
And the
|
95
|
+
And the dawnscanner gem will be built in a pkg directory and then installed
|
95
96
|
on your system. Please note that you have to manage dependencies on your own
|
96
97
|
this way. It makes sense only if you want to hack the code or something like
|
97
98
|
that.
|
98
99
|
|
99
100
|
## Usage
|
100
101
|
|
101
|
-
You can start your code review with
|
102
|
+
You can start your code review with Dawn very easily. Simply tell the tool
|
102
103
|
where the project root directory.
|
103
104
|
|
104
|
-
Underlying MVC framework is autodetected by
|
105
|
+
Underlying MVC framework is autodetected by Dawn using target Gemfile.lock
|
105
106
|
file. If autodetect fails for some reason, the tool will complain about it and
|
106
107
|
you have to specify if it's a rails, sinatra or padrino web application by
|
107
108
|
hand.
|
@@ -113,7 +114,8 @@ needs, and to specify the target directory where your code is stored.
|
|
113
114
|
$ dawn [options] target
|
114
115
|
```
|
115
116
|
|
116
|
-
In case of need, there is a quick command line option reference running
|
117
|
+
In case of need, there is a quick command line option reference running
|
118
|
+
```dawn -h``` at your OS prompt.
|
117
119
|
|
118
120
|
```
|
119
121
|
$ dawn -h
|
@@ -145,7 +147,7 @@ Disable security check family
|
|
145
147
|
--disable-owasp-ror-cheatsheet disable all Owasp Ruby on Rails cheatsheet checks
|
146
148
|
--disable-owasp-top-10 disable all Owasp Top 10 checks
|
147
149
|
|
148
|
-
Flags useful to query
|
150
|
+
Flags useful to query Dawn
|
149
151
|
|
150
152
|
-S, --search-knowledge-base [check_name] search check_name in the knowledge base
|
151
153
|
--list-knowledge-base list knowledge-base content
|
@@ -162,18 +164,20 @@ Service flags
|
|
162
164
|
|
163
165
|
### Rake task
|
164
166
|
|
165
|
-
To include
|
167
|
+
To include Dawn in your rake task list, you simply have to put this line in
|
168
|
+
your ```Rakefile```
|
166
169
|
|
167
170
|
```
|
168
|
-
require '
|
171
|
+
require 'dawn/tasks'
|
169
172
|
```
|
170
173
|
|
171
|
-
Then executing ```$ rake -T``` you will have a ```dawn:run``` task you want to
|
174
|
+
Then executing ```$ rake -T``` you will have a ```dawn:run``` task you want to
|
175
|
+
execute.
|
172
176
|
|
173
177
|
```
|
174
178
|
$ rake -T
|
175
179
|
...
|
176
|
-
rake dawn:run # Execute
|
180
|
+
rake dawn:run # Execute dawnscanner on the current directory
|
177
181
|
...
|
178
182
|
```
|
179
183
|
|
@@ -199,15 +203,15 @@ $ dawn -S this_test_does_not_exist
|
|
199
203
|
this_test_does_not_exist not found in knowledgebase
|
200
204
|
```
|
201
205
|
|
202
|
-
###
|
206
|
+
### Dawn security scan in action
|
203
207
|
|
204
|
-
As output,
|
208
|
+
As output, Dawn will put all security checks that are failed during the scan.
|
205
209
|
|
206
210
|
This the result of Codedake::Dawn running against a
|
207
211
|
[Sinatra 1.4.2 web application](https://github.com/thesp0nge/railsberry2013) wrote for a talk I
|
208
212
|
delivered in 2013 at [Railsberry conference](http://www.railsberry.com).
|
209
213
|
|
210
|
-
As you may see,
|
214
|
+
As you may see, Dawn first detects MVC running the application by
|
211
215
|
looking at Gemfile.lock, than it discards all security checks not appliable to
|
212
216
|
Sinatra (49 security checks, in version 1.0, especially designed for Ruby on
|
213
217
|
Rails) and it applies them.
|
@@ -232,11 +236,11 @@ $ dawn ~/src/hacking/railsberry2013
|
|
232
236
|
|
233
237
|
---
|
234
238
|
|
235
|
-
When you run
|
239
|
+
When you run Dawn on a web application with up to date dependencies,
|
236
240
|
it's likely to return a friendly _no vulnerabilities found_ message. Keep it up
|
237
241
|
working that way!
|
238
242
|
|
239
|
-
This is
|
243
|
+
This is Dawn running against a Padrino web application I wrote for [a
|
240
244
|
scorecard quiz game about application security](http://scorecard.armoredcode.com).
|
241
245
|
Italian language only. Sorry.
|
242
246
|
|
@@ -250,7 +254,7 @@ Italian language only. Sorry.
|
|
250
254
|
18:42:39 [*] dawn is leaving
|
251
255
|
```
|
252
256
|
|
253
|
-
If you need a fancy HTML report about your scan, just ask it to
|
257
|
+
If you need a fancy HTML report about your scan, just ask it to Dawn
|
254
258
|
with the ```--html``` flag used with the ```--file``` since I wanto to save the
|
255
259
|
HTML to disk.
|
256
260
|
|
@@ -266,29 +270,27 @@ $ dawn /Users/thesp0nge/src/hacking/rt_first_app --html --file report.html
|
|
266
270
|
|
267
271
|
## Useful links
|
268
272
|
|
269
|
-
Project homepage: [http://
|
273
|
+
Project homepage: [http://dawnscanner.org](http://dawnscanner.org)
|
270
274
|
|
271
275
|
Twitter profile: [@dawnscanner](https://twitter.com/dawnscanner)
|
272
276
|
|
273
|
-
Github repository: [https://github.com/
|
277
|
+
Github repository: [https://github.com/thesp0nge/dawnscanner](https://github.com/thesp0nge/dawnscanner)
|
274
278
|
|
275
|
-
|
276
|
-
|
277
|
-
Mailing list: [https://groups.google.com/forum/#!forum/codesake-dawn](https://groups.google.com/forum/#!forum/codesake-dawn)
|
279
|
+
Mailing list: [https://groups.google.com/forum/#!forum/dawnscanner](https://groups.google.com/forum/#!forum/dawnscanner)
|
278
280
|
|
279
281
|
## Support us
|
280
282
|
|
281
283
|
Feedbacks are great and we really love to hear your voice.
|
282
284
|
|
283
|
-
If you're a proud
|
285
|
+
If you're a proud dawnscanner user, if you find it useful, if you integrated
|
284
286
|
it in your release process and if you want to openly support the project you
|
285
287
|
can put your reference here. Just open an
|
286
|
-
[issue](https://github.com/
|
288
|
+
[issue](https://github.com/thesp0nge/dawn/issues/new) with a statement saying
|
287
289
|
how do you feel the tool and your company logo if any.
|
288
290
|
|
289
|
-
More easily you can drop an email to
|
290
|
-
statement about your
|
291
|
-
|
291
|
+
More easily you can drop an email to
|
292
|
+
[paolo@dawnscanner.org](mailto:paolo@dawnscanner.org) sending a statement about your
|
293
|
+
success story and I'll put on the website.
|
292
294
|
|
293
295
|
Thank you.
|
294
296
|
|
@@ -302,20 +304,20 @@ Thank you.
|
|
302
304
|
|
303
305
|
[Matteo](https://github.com/matteocollina): for ideas on API and their usage with [github.com](https://github.com) hooks
|
304
306
|
|
305
|
-
## Contribute to
|
307
|
+
## Contribute to Dawn
|
306
308
|
|
307
|
-
Are you interested in contributing to
|
309
|
+
Are you interested in contributing to Dawn project? Great, here is
|
308
310
|
some very basic rules in order to make rocking pull requests.
|
309
311
|
|
310
312
|
First of all, I use the branching model described in [this
|
311
313
|
post](http://nvie.com/posts/a-successful-git-branching-model/). There are two
|
312
314
|
major branches:
|
313
315
|
|
314
|
-
* master: it contains in every moment the code for the latest
|
316
|
+
* master: it contains in every moment the code for the latest dawnscanner
|
315
317
|
released gem. You can't make branches from here unless you're working on a
|
316
318
|
bugfix.
|
317
319
|
* development: it contains the unstable code that is going to be the next
|
318
|
-
|
320
|
+
dawnscanner realease. You start from here. Pick a task on the Roadmap.md
|
319
321
|
and create a separated branch to work on your feature to. When you're ready
|
320
322
|
(remember to include also spec files), submit your pull request. If the code
|
321
323
|
will be fine, it will be merged into the development tree ready to be include
|
@@ -326,7 +328,7 @@ In this case, the branch name must be something like _issue\_#xx\_description_
|
|
326
328
|
|
327
329
|
## LICENSE
|
328
330
|
|
329
|
-
Copyright (c) 2013, 2014 Paolo Perego
|
331
|
+
Copyright (c) 2013, 2014, 2015 Paolo Perego
|
330
332
|
|
331
333
|
MIT License
|
332
334
|
|
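--- a/data/Rakefile
+++ b/data/Rakefile
@@ -6,8 +6,8 @@ require 'cucumber'
 require 'cucumber/rake/task'
 
 require 'fileutils'
-require "
-require "
+require "dawn/utils"
+require "dawn/knowledge_base"
 
 Cucumber::Rake::Task.new(:features) do |t|
 t.cucumber_opts = "features --format pretty -x"
@@ -33,10 +33,10 @@ task :release => [:prepare]
 desc "Create a new CVE test"
 task :cve, :name do |t,args|
 name = args.name
-SRC_DIR = "./lib/
+SRC_DIR = "./lib/dawn/kb/"
 SPEC_DIR = "./spec/lib/kb/"
 
-raise "### It seems that #{name} is already in Dawn knowledge base" unless
+raise "### It seems that #{name} is already in Dawn knowledge base" unless Dawn::KnowledgeBase.find(nil, name).nil?
 raise "### Invalid CVE title: #{name}" if name.nil? or name.empty? or /CVE-\d{4}-\d{4}/.match(name).nil?
 raise "### No target directory: #{SRC_DIR}" unless Dir.exists?(SRC_DIR)
 raise "### No rspec directory: #{SPEC_DIR}" unless Dir.exists?(SPEC_DIR)
@@ -48,8 +48,7 @@ task :cve, :name do |t,args|
 class_name = name.gsub("-", "_")
 
 open(rb_filename, "w") do |file|
-file.puts "module
-file.puts "\tmodule Dawn"
+file.puts "module Dawn"
 file.puts "\t\tmodule Kb"
 file.puts "\t\t\t# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
 file.puts "\t\t\tclass #{class_name}"
@@ -62,7 +61,6 @@ task :cve, :name do |t,args|
 file.puts "\t\t\t\tend"
 file.puts "\t\t\tend"
 file.puts "\t\tend"
-file.puts "\tend"
 file.puts "end"
 end
 puts "#{rb_filename} created"
@@ -72,7 +70,7 @@ task :cve, :name do |t,args|
 
 file.puts "describe \"The #{name} vulnerability\" do"
 file.puts "\tbefore(:all) do"
-file.puts "\t\t@check =
+file.puts "\t\t@check = Dawn::Kb::#{class_name}.new"
 file.puts "\t\t# @check.debug = true"
 file.puts "\tend"
 file.puts "\tit \"is reported when...\""
@@ -80,13 +78,13 @@ task :cve, :name do |t,args|
 end
 puts "#{spec_filename} created"
 
-puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/
-puts "*** PLEASE ADD THIS CODE IN lib/
-puts "require \"
+puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/knowledgebase_spec.rb in order to reflect changes"
+puts "*** PLEASE ADD THIS CODE IN lib/dawn/knowledge_base.rb in order to reflect changes"
+puts "require \"dawn/kb/#{class_name.downcase}\""
 puts "it \"must have test for #{name}\" do"
 puts " sc = kb.find(\"#{name}\")"
 puts " sc.should_not be_nil"
-puts " sc.class.should ==
+puts " sc.class.should == Dawn::Kb::#{class_name}"
 puts "end"
 
 
@@ -97,10 +95,10 @@ end
 desc "Create a new Generic security check"
 task :check, :name do |t,args|
 name = args.name
-SRC_DIR = "./lib/
+SRC_DIR = "./lib/dawn/kb/"
 SPEC_DIR = "./spec/lib/kb/"
 
-raise "### It seems that #{name} is already in Dawn knowledge base" unless
+raise "### It seems that #{name} is already in Dawn knowledge base" unless Dawn::KnowledgeBase.find(nil, name).nil?
 raise "### No target directory: #{SRC_DIR}" unless Dir.exists?(SRC_DIR)
 raise "### No rspec directory: #{SPEC_DIR}" unless Dir.exists?(SPEC_DIR)
 
@@ -111,8 +109,7 @@ task :check, :name do |t,args|
 class_name = name.gsub("-", "_")
 
 open(rb_filename, "w") do |file|
-file.puts "module
-file.puts "\tmodule Dawn"
+file.puts "module Dawn"
 file.puts "\t\tmodule Kb"
 file.puts "\t\t\t# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
 file.puts "\t\t\tclass #{class_name}"
@@ -125,7 +122,6 @@ task :check, :name do |t,args|
 file.puts "\t\t\t\tend"
 file.puts "\t\t\tend"
 file.puts "\t\tend"
-file.puts "\tend"
 file.puts "end"
 end
 puts "#{rb_filename} created"
@@ -135,7 +131,7 @@ task :check, :name do |t,args|
 
 file.puts "describe \"The #{name} vulnerability\" do"
 file.puts "\tbefore(:all) do"
-file.puts "\t\t@check =
+file.puts "\t\t@check = Dawn::Kb::#{class_name}.new"
 file.puts "\t\t# @check.debug = true"
 file.puts "\tend"
 file.puts "\tit \"is reported when...\""
@@ -144,13 +140,13 @@ task :check, :name do |t,args|
 puts "#{spec_filename} created"
 
 
-puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/
-puts "*** PLEASE ADD THIS CODE IN lib/
-puts "require \"
+puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/knowledgebase_spec.rb in order to reflect changes"
+puts "*** PLEASE ADD THIS CODE IN lib/dawn/knowledge_base.rb in order to reflect changes"
+puts "require \"dawn/kb/#{class_name.downcase}\""
 puts "it \"must have test for #{name}\" do"
 puts " sc = kb.find(\"#{name}\")"
 puts " sc.should_not be_nil"
-puts " sc.class.should ==
+puts " sc.class.should == Dawn::Kb::#{class_name}"
 puts "end"
 
 
@@ -159,7 +155,7 @@ end
 namespace :kb do
 desc 'Check information lint'
 task :lint do
-
+Dawn::KnowledgeBase.new.all.each do |check|
 l = check.lint
 puts "check #{check.name} has this attribute(s) with a nil value: #{l.to_s}" unless l.size == 0
 end
@@ -167,10 +163,10 @@ namespace :kb do
 end
 desc 'Creates a KnowledgeBase.md file'
 task :create do
-checks =
+checks = Dawn::KnowledgeBase.new.all
 open("KnowledgeBase.md", "w") do |file|
-file.puts "#
-file.puts "\nThe knowledge base library for
+file.puts "# Dawn Knowledge base"
+file.puts "\nThe knowledge base library for Dawn version #{Dawn::VERSION} contains #{checks.count} security checks."
 file.puts "---"
 checks.each do |c|
 file.puts "* [#{c.name}](#{c.cve_link}): #{c.message}" if c.name.start_with?('CVE')
@@ -185,15 +181,15 @@ task :create do
 end
 end
 
-require 'digest/
+require 'digest/sha1'
 namespace :checksum do
 
 desc 'Calculate gem checksum'
 task :calculate do
 system 'mkdir -p checksum > /dev/null'
-built_gem_path = "pkg/
-checksum = Digest::
-checksum_path = "checksum/
+built_gem_path = "pkg/dawnscanner-#{Dawn::VERSION}.gem"
+checksum = Digest::SHA1.new.hexdigest(File.read(built_gem_path))
+checksum_path = "checksum/dawnscanner-#{Dawn::VERSION}.gem.sha1"
 File.open(checksum_path, 'w' ) {|f| f.write(checksum) }
 
 puts "#{checksum_path}: #{checksum}"
@@ -201,9 +197,9 @@ end
 
 desc 'Add and commit latest checksum'
 task :commit do
-checksum_path = "checksum/
+checksum_path = "checksum/dawnscanner-#{Dawn::VERSION}.gem.sha1"
 system "git add #{checksum_path}"
-system "git commit -v #{checksum_path} -m \"Adding #{
+system "git commit -v #{checksum_path} -m \"Adding #{Dawn::VERSION} checksum to repo\""
 end
 end
 
@@ -212,7 +208,7 @@ end
 ###############################################################################
 
 namespace :rubysec do
-desc 'Find new CVE bulletins to add to
+desc 'Find new CVE bulletins to add to Dawn'
 task :find do
 git_url = 'git@github.com:rubysec/ruby-advisory-db.git'
 target_dir = './tmp/'
@@ -232,15 +228,15 @@ namespace :rubysec do
 if exclusion.include?(cve)
 puts "#{cve} is in the exclusion list"
 else
-found =
-puts "#{cve} NOT in dawn v#{
+found = Dawn::KnowledgeBase.find(nil, cve)
+puts "#{cve} NOT in dawn v#{Dawn::VERSION} knowledge base" unless found
 list << cve unless found
 end
 end
 end
 unless list.empty?
 File.open("missing_rubyadvisory_cvs_#{Time.now.strftime("%Y%m%d")}.txt", "w") do |f|
-f.puts "Missing CVE bulletins - v#{
+f.puts "Missing CVE bulletins - v#{Dawn::VERSION} - #{Time.now.strftime("%d %B %Y")}"
 f.puts list
 end
 end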
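Review bot: The gem checksum computed on new line 191 of the `@@ -185,15 +181,15 @@` hunk uses SHA-1, which no longer offers collision resistance, so the `.sha1` file written on lines 192 and 200 gives the release artifact weaker integrity evidence than it could. `checksum = Digest::SHA256.file(built_gem_path).hexdigest` (with `require 'digest'` on line 184 and both paths ending in `.gem.sha256`) would also avoid loading the whole gem into memory through `File.read`. In the `@@ -33,10 +33,10 @@` hunk the new `Dawn::KnowledgeBase.find(nil, name).nil?` guard on line 39 runs before the `name.nil?` check on line 40, so a missing task argument reaches the lookup first; swapping the two `raise` lines keeps argument validation ahead of the lookup, and the `:check` task in `@@ -97,10 +95,10 @@` has no nil or empty check for `name` at all. Whether `find(nil, name)` tolerates a nil name is not visible here.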