dawnscanner 1.2.99 → 1.3.0

Files changed (307)
  1. checksums.yaml +4 -4
  2. checksums.yaml.gz.sig +4 -4
  3. data.tar.gz.sig +0 -0
  4. data/.gitignore +1 -0
  5. data/Changelog.md +11 -9
  6. data/KnowledgeBase.md +2 -2
  7. data/README.md +58 -56
  8. data/Rakefile +32 -36
  9. data/certs/paolo_at_dawnscanner_dot_org.pem +21 -0
  10. data/checksum/dawnscanner-1.2.99.gem.sha1 +1 -0
  11. data/dawnscanner.gemspec +4 -4
  12. data/lib/dawn/core.rb +173 -0
  13. data/lib/dawn/engine.rb +378 -0
  14. data/lib/dawn/gemfile_lock.rb +10 -0
  15. data/lib/dawn/kb/basic_check.rb +226 -0
  16. data/lib/dawn/kb/combo_check.rb +62 -0
  17. data/lib/{codesake/dawn → dawn}/kb/cve_2004_0755.rb +1 -3
  18. data/lib/{codesake/dawn → dawn}/kb/cve_2004_0983.rb +1 -3
  19. data/lib/{codesake/dawn → dawn}/kb/cve_2005_1992.rb +1 -3
  20. data/lib/{codesake/dawn → dawn}/kb/cve_2005_2337.rb +1 -3
  21. data/lib/{codesake/dawn → dawn}/kb/cve_2006_1931.rb +1 -3
  22. data/lib/{codesake/dawn → dawn}/kb/cve_2006_2582.rb +1 -3
  23. data/lib/{codesake/dawn → dawn}/kb/cve_2006_3694.rb +1 -3
  24. data/lib/{codesake/dawn → dawn}/kb/cve_2006_4112.rb +1 -3
  25. data/lib/{codesake/dawn → dawn}/kb/cve_2006_5467.rb +1 -3
  26. data/lib/{codesake/dawn → dawn}/kb/cve_2006_6303.rb +1 -3
  27. data/lib/{codesake/dawn → dawn}/kb/cve_2006_6852.rb +1 -3
  28. data/lib/{codesake/dawn → dawn}/kb/cve_2006_6979.rb +1 -3
  29. data/lib/{codesake/dawn → dawn}/kb/cve_2007_0469.rb +1 -3
  30. data/lib/{codesake/dawn → dawn}/kb/cve_2007_5162.rb +1 -3
  31. data/lib/{codesake/dawn → dawn}/kb/cve_2007_5379.rb +1 -3
  32. data/lib/{codesake/dawn → dawn}/kb/cve_2007_5380.rb +1 -3
  33. data/lib/{codesake/dawn → dawn}/kb/cve_2007_5770.rb +1 -3
  34. data/lib/{codesake/dawn → dawn}/kb/cve_2007_6077.rb +1 -3
  35. data/lib/{codesake/dawn → dawn}/kb/cve_2007_6612.rb +1 -3
  36. data/lib/{codesake/dawn → dawn}/kb/cve_2008_1145.rb +1 -3
  37. data/lib/{codesake/dawn → dawn}/kb/cve_2008_1891.rb +1 -3
  38. data/lib/{codesake/dawn → dawn}/kb/cve_2008_2376.rb +1 -3
  39. data/lib/{codesake/dawn → dawn}/kb/cve_2008_2662.rb +1 -3
  40. data/lib/{codesake/dawn → dawn}/kb/cve_2008_2663.rb +1 -3
  41. data/lib/{codesake/dawn → dawn}/kb/cve_2008_2664.rb +1 -3
  42. data/lib/{codesake/dawn → dawn}/kb/cve_2008_2725.rb +1 -3
  43. data/lib/{codesake/dawn → dawn}/kb/cve_2008_3655.rb +1 -3
  44. data/lib/{codesake/dawn → dawn}/kb/cve_2008_3657.rb +1 -3
  45. data/lib/{codesake/dawn → dawn}/kb/cve_2008_3790.rb +1 -3
  46. data/lib/{codesake/dawn → dawn}/kb/cve_2008_3905.rb +1 -3
  47. data/lib/{codesake/dawn → dawn}/kb/cve_2008_4094.rb +1 -3
  48. data/lib/dawn/kb/cve_2008_4310.rb +100 -0
  49. data/lib/{codesake/dawn → dawn}/kb/cve_2008_5189.rb +1 -3
  50. data/lib/{codesake/dawn → dawn}/kb/cve_2008_7248.rb +1 -3
  51. data/lib/{codesake/dawn → dawn}/kb/cve_2009_4078.rb +1 -3
  52. data/lib/{codesake/dawn → dawn}/kb/cve_2009_4124.rb +1 -3
  53. data/lib/{codesake/dawn → dawn}/kb/cve_2009_4214.rb +1 -3
  54. data/lib/{codesake/dawn → dawn}/kb/cve_2010_1330.rb +1 -3
  55. data/lib/{codesake/dawn → dawn}/kb/cve_2010_2489.rb +3 -5
  56. data/lib/{codesake/dawn → dawn}/kb/cve_2010_3933.rb +1 -3
  57. data/lib/{codesake/dawn → dawn}/kb/cve_2011_0188.rb +3 -5
  58. data/lib/{codesake/dawn → dawn}/kb/cve_2011_0446.rb +1 -3
  59. data/lib/{codesake/dawn → dawn}/kb/cve_2011_0447.rb +1 -3
  60. data/lib/{codesake/dawn → dawn}/kb/cve_2011_0739.rb +1 -3
  61. data/lib/{codesake/dawn → dawn}/kb/cve_2011_0995.rb +3 -5
  62. data/lib/{codesake/dawn → dawn}/kb/cve_2011_1004.rb +1 -3
  63. data/lib/{codesake/dawn → dawn}/kb/cve_2011_1005.rb +1 -3
  64. data/lib/{codesake/dawn → dawn}/kb/cve_2011_2197.rb +1 -3
  65. data/lib/{codesake/dawn → dawn}/kb/cve_2011_2686.rb +1 -3
  66. data/lib/{codesake/dawn → dawn}/kb/cve_2011_2705.rb +1 -3
  67. data/lib/{codesake/dawn → dawn}/kb/cve_2011_2929.rb +1 -3
  68. data/lib/{codesake/dawn → dawn}/kb/cve_2011_2930.rb +1 -3
  69. data/lib/{codesake/dawn → dawn}/kb/cve_2011_2931.rb +1 -3
  70. data/lib/{codesake/dawn → dawn}/kb/cve_2011_2932.rb +1 -3
  71. data/lib/{codesake/dawn → dawn}/kb/cve_2011_3009.rb +1 -3
  72. data/lib/{codesake/dawn → dawn}/kb/cve_2011_3186.rb +1 -3
  73. data/lib/{codesake/dawn → dawn}/kb/cve_2011_3187.rb +1 -3
  74. data/lib/{codesake/dawn → dawn}/kb/cve_2011_4319.rb +1 -3
  75. data/lib/{codesake/dawn → dawn}/kb/cve_2011_4815.rb +1 -3
  76. data/lib/{codesake/dawn → dawn}/kb/cve_2011_5036.rb +1 -3
  77. data/lib/{codesake/dawn → dawn}/kb/cve_2012_1098.rb +1 -3
  78. data/lib/{codesake/dawn → dawn}/kb/cve_2012_1099.rb +1 -3
  79. data/lib/{codesake/dawn → dawn}/kb/cve_2012_1241.rb +1 -3
  80. data/lib/{codesake/dawn → dawn}/kb/cve_2012_2139.rb +1 -3
  81. data/lib/{codesake/dawn → dawn}/kb/cve_2012_2140.rb +1 -3
  82. data/lib/{codesake/dawn → dawn}/kb/cve_2012_2660.rb +1 -3
  83. data/lib/{codesake/dawn → dawn}/kb/cve_2012_2661.rb +1 -3
  84. data/lib/{codesake/dawn → dawn}/kb/cve_2012_2671.rb +1 -3
  85. data/lib/{codesake/dawn → dawn}/kb/cve_2012_2694.rb +1 -3
  86. data/lib/{codesake/dawn → dawn}/kb/cve_2012_2695.rb +1 -3
  87. data/lib/{codesake/dawn → dawn}/kb/cve_2012_3424.rb +1 -3
  88. data/lib/{codesake/dawn → dawn}/kb/cve_2012_3463.rb +1 -3
  89. data/lib/{codesake/dawn → dawn}/kb/cve_2012_3464.rb +1 -3
  90. data/lib/{codesake/dawn → dawn}/kb/cve_2012_3465.rb +1 -3
  91. data/lib/{codesake/dawn → dawn}/kb/cve_2012_4464.rb +1 -3
  92. data/lib/{codesake/dawn → dawn}/kb/cve_2012_4466.rb +1 -3
  93. data/lib/{codesake/dawn → dawn}/kb/cve_2012_4481.rb +1 -3
  94. data/lib/{codesake/dawn → dawn}/kb/cve_2012_4522.rb +1 -3
  95. data/lib/{codesake/dawn → dawn}/kb/cve_2012_5370.rb +1 -3
  96. data/lib/{codesake/dawn → dawn}/kb/cve_2012_5371.rb +1 -3
  97. data/lib/{codesake/dawn → dawn}/kb/cve_2012_5380.rb +1 -3
  98. data/lib/{codesake/dawn → dawn}/kb/cve_2012_6109.rb +1 -3
  99. data/lib/{codesake/dawn → dawn}/kb/cve_2012_6134.rb +1 -3
  100. data/lib/{codesake/dawn → dawn}/kb/cve_2012_6496.rb +1 -3
  101. data/lib/{codesake/dawn → dawn}/kb/cve_2012_6497.rb +1 -3
  102. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0155.rb +1 -3
  103. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0156.rb +1 -3
  104. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0162.rb +1 -3
  105. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0175.rb +1 -3
  106. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0183.rb +1 -3
  107. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0184.rb +1 -3
  108. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0233.rb +1 -3
  109. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0256.rb +3 -5
  110. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0262.rb +1 -3
  111. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0263.rb +1 -3
  112. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0269.rb +1 -3
  113. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0276.rb +1 -3
  114. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0277.rb +1 -3
  115. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0284.rb +1 -3
  116. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0285.rb +1 -3
  117. data/lib/{codesake/dawn → dawn}/kb/cve_2013_0333.rb +1 -3
  118. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1607.rb +1 -3
  119. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1655.rb +3 -5
  120. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1656.rb +1 -3
  121. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1756.rb +1 -3
  122. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1800.rb +1 -3
  123. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1801.rb +1 -3
  124. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1802.rb +1 -3
  125. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1812.rb +1 -3
  126. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1821.rb +1 -3
  127. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1854.rb +1 -3
  128. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1855.rb +1 -3
  129. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1856.rb +1 -3
  130. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1857.rb +1 -3
  131. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1875.rb +1 -3
  132. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1898.rb +1 -3
  133. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1911.rb +1 -3
  134. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1933.rb +1 -3
  135. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1947.rb +1 -3
  136. data/lib/{codesake/dawn → dawn}/kb/cve_2013_1948.rb +1 -3
  137. data/lib/{codesake/dawn → dawn}/kb/cve_2013_2065.rb +1 -3
  138. data/lib/{codesake/dawn → dawn}/kb/cve_2013_2090.rb +1 -3
  139. data/lib/{codesake/dawn → dawn}/kb/cve_2013_2105.rb +1 -3
  140. data/lib/{codesake/dawn → dawn}/kb/cve_2013_2119.rb +1 -3
  141. data/lib/{codesake/dawn → dawn}/kb/cve_2013_2512.rb +1 -3
  142. data/lib/{codesake/dawn → dawn}/kb/cve_2013_2513.rb +1 -3
  143. data/lib/{codesake/dawn → dawn}/kb/cve_2013_2516.rb +1 -3
  144. data/lib/{codesake/dawn → dawn}/kb/cve_2013_2615.rb +1 -3
  145. data/lib/{codesake/dawn → dawn}/kb/cve_2013_2616.rb +1 -3
  146. data/lib/{codesake/dawn → dawn}/kb/cve_2013_2617.rb +1 -3
  147. data/lib/{codesake/dawn → dawn}/kb/cve_2013_3221.rb +1 -3
  148. data/lib/{codesake/dawn → dawn}/kb/cve_2013_4164.rb +1 -3
  149. data/lib/{codesake/dawn → dawn}/kb/cve_2013_4203.rb +1 -3
  150. data/lib/{codesake/dawn → dawn}/kb/cve_2013_4389.rb +1 -3
  151. data/lib/{codesake/dawn → dawn}/kb/cve_2013_4413.rb +1 -3
  152. data/lib/{codesake/dawn → dawn}/kb/cve_2013_4457.rb +1 -3
  153. data/lib/{codesake/dawn → dawn}/kb/cve_2013_4478.rb +1 -3
  154. data/lib/{codesake/dawn → dawn}/kb/cve_2013_4479.rb +1 -3
  155. data/lib/{codesake/dawn → dawn}/kb/cve_2013_4489.rb +1 -3
  156. data/lib/{codesake/dawn → dawn}/kb/cve_2013_4491.rb +1 -3
  157. data/lib/{codesake/dawn → dawn}/kb/cve_2013_4492.rb +1 -3
  158. data/lib/{codesake/dawn → dawn}/kb/cve_2013_4562.rb +1 -3
  159. data/lib/{codesake/dawn → dawn}/kb/cve_2013_4593.rb +1 -3
  160. data/lib/{codesake/dawn → dawn}/kb/cve_2013_5647.rb +1 -3
  161. data/lib/{codesake/dawn → dawn}/kb/cve_2013_5671.rb +1 -3
  162. data/lib/{codesake/dawn → dawn}/kb/cve_2013_6414.rb +1 -3
  163. data/lib/{codesake/dawn → dawn}/kb/cve_2013_6415.rb +1 -3
  164. data/lib/{codesake/dawn → dawn}/kb/cve_2013_6416.rb +1 -3
  165. data/lib/{codesake/dawn → dawn}/kb/cve_2013_6417.rb +1 -3
  166. data/lib/{codesake/dawn → dawn}/kb/cve_2013_6421.rb +1 -3
  167. data/lib/{codesake/dawn → dawn}/kb/cve_2013_6459.rb +1 -3
  168. data/lib/{codesake/dawn → dawn}/kb/cve_2013_6460.rb +3 -5
  169. data/lib/{codesake/dawn → dawn}/kb/cve_2013_6461.rb +3 -5
  170. data/lib/{codesake/dawn → dawn}/kb/cve_2013_7086.rb +1 -3
  171. data/lib/{codesake/dawn → dawn}/kb/cve_2014_0036.rb +1 -3
  172. data/lib/{codesake/dawn → dawn}/kb/cve_2014_0080.rb +1 -3
  173. data/lib/{codesake/dawn → dawn}/kb/cve_2014_0081.rb +1 -3
  174. data/lib/{codesake/dawn → dawn}/kb/cve_2014_0082.rb +1 -3
  175. data/lib/{codesake/dawn → dawn}/kb/cve_2014_0130.rb +1 -3
  176. data/lib/{codesake/dawn → dawn}/kb/cve_2014_1233.rb +1 -3
  177. data/lib/{codesake/dawn → dawn}/kb/cve_2014_1234.rb +1 -3
  178. data/lib/{codesake/dawn → dawn}/kb/cve_2014_2322.rb +1 -3
  179. data/lib/{codesake/dawn → dawn}/kb/cve_2014_2525.rb +4 -6
  180. data/lib/{codesake/dawn → dawn}/kb/cve_2014_2538.rb +1 -3
  181. data/lib/{codesake/dawn → dawn}/kb/cve_2014_3482.rb +1 -3
  182. data/lib/{codesake/dawn → dawn}/kb/cve_2014_3483.rb +1 -3
  183. data/lib/dawn/kb/dependency_check.rb +84 -0
  184. data/lib/{codesake/dawn → dawn}/kb/deprecation_check.rb +1 -3
  185. data/lib/{codesake/dawn → dawn}/kb/not_revised_code.rb +1 -3
  186. data/lib/{codesake/dawn → dawn}/kb/operating_system_check.rb +0 -2
  187. data/lib/dawn/kb/osvdb_105971.rb +29 -0
  188. data/lib/dawn/kb/osvdb_108530.rb +27 -0
  189. data/lib/dawn/kb/osvdb_108563.rb +28 -0
  190. data/lib/dawn/kb/osvdb_108569.rb +28 -0
  191. data/lib/dawn/kb/osvdb_108570.rb +27 -0
  192. data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet.rb +0 -0
  193. data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -0
  194. data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +1 -3
  195. data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/command_injection.rb +2 -4
  196. data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/csrf.rb +1 -3
  197. data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +1 -3
  198. data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/security_related_headers.rb +1 -4
  199. data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/sensitive_files.rb +1 -3
  200. data/lib/{codesake/dawn → dawn}/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +1 -3
  201. data/lib/dawn/kb/pattern_match_check.rb +127 -0
  202. data/lib/dawn/kb/ruby_version_check.rb +88 -0
  203. data/lib/dawn/kb/simpleform_xss_20131129.rb +28 -0
  204. data/lib/dawn/kb/version_check.rb +416 -0
  205. data/lib/dawn/knowledge_base.rb +511 -0
  206. data/lib/dawn/padrino.rb +79 -0
  207. data/lib/dawn/rails.rb +13 -0
  208. data/lib/dawn/railtie.rb +7 -0
  209. data/lib/dawn/reporter.rb +278 -0
  210. data/lib/dawn/sinatra.rb +127 -0
  211. data/lib/{codesake/dawn → dawn}/tasks.rb +0 -0
  212. data/lib/dawn/utils.rb +19 -0
  213. data/lib/dawn/version.rb +26 -0
  214. data/lib/dawnscanner.rb +12 -0
  215. data/lib/tasks/dawn_tasks.rake +1 -0
  216. data/spec/lib/dawn/codesake_core_spec.rb +3 -3
  217. data/spec/lib/dawn/codesake_knowledgebase_spec.rb +174 -174
  218. data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +2 -2
  219. data/spec/lib/dawn/codesake_rails_engine_disabled.rb +2 -2
  220. data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +5 -5
  221. data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +6 -6
  222. data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +8 -8
  223. data/spec/lib/kb/codesake_dependency_version_check_spec.rb +8 -8
  224. data/spec/lib/kb/codesake_deprecation_check_spec.rb +12 -12
  225. data/spec/lib/kb/codesake_ruby_version_check_spec.rb +6 -6
  226. data/spec/lib/kb/codesake_version_check_spec.rb +44 -44
  227. data/spec/lib/kb/cve_2011_2705_spec.rb +8 -8
  228. data/spec/lib/kb/cve_2011_2930_spec.rb +7 -7
  229. data/spec/lib/kb/cve_2011_3009_spec.rb +5 -5
  230. data/spec/lib/kb/cve_2011_3187_spec.rb +5 -5
  231. data/spec/lib/kb/cve_2011_4319_spec.rb +10 -10
  232. data/spec/lib/kb/cve_2011_5036_spec.rb +22 -22
  233. data/spec/lib/kb/cve_2012_1098_spec.rb +8 -8
  234. data/spec/lib/kb/cve_2012_2139_spec.rb +4 -4
  235. data/spec/lib/kb/cve_2012_2671_spec.rb +5 -5
  236. data/spec/lib/kb/cve_2012_6109_spec.rb +26 -26
  237. data/spec/lib/kb/cve_2013_0162_spec.rb +5 -5
  238. data/spec/lib/kb/cve_2013_0183_spec.rb +12 -12
  239. data/spec/lib/kb/cve_2013_0184_spec.rb +27 -27
  240. data/spec/lib/kb/cve_2013_0256_spec.rb +7 -7
  241. data/spec/lib/kb/cve_2013_0262_spec.rb +10 -10
  242. data/spec/lib/kb/cve_2013_0263_spec.rb +2 -2
  243. data/spec/lib/kb/cve_2013_1607_spec.rb +3 -3
  244. data/spec/lib/kb/cve_2013_1655_spec.rb +5 -5
  245. data/spec/lib/kb/cve_2013_1756_spec.rb +5 -5
  246. data/spec/lib/kb/cve_2013_2090_spec.rb +3 -3
  247. data/spec/lib/kb/cve_2013_2105_spec.rb +2 -2
  248. data/spec/lib/kb/cve_2013_2119_spec.rb +6 -6
  249. data/spec/lib/kb/cve_2013_2512_spec.rb +3 -3
  250. data/spec/lib/kb/cve_2013_2513_spec.rb +3 -3
  251. data/spec/lib/kb/cve_2013_2516_spec.rb +3 -3
  252. data/spec/lib/kb/cve_2013_4203_spec.rb +3 -3
  253. data/spec/lib/kb/cve_2013_4413_spec.rb +3 -3
  254. data/spec/lib/kb/cve_2013_4489_spec.rb +12 -12
  255. data/spec/lib/kb/cve_2013_4593_spec.rb +3 -3
  256. data/spec/lib/kb/cve_2013_5647_spec.rb +4 -4
  257. data/spec/lib/kb/cve_2013_5671_spec.rb +5 -5
  258. data/spec/lib/kb/cve_2013_6416_spec.rb +6 -6
  259. data/spec/lib/kb/cve_2013_6459_spec.rb +3 -3
  260. data/spec/lib/kb/cve_2013_7086_spec.rb +4 -4
  261. data/spec/lib/kb/cve_2014_0036_spec.rb +3 -3
  262. data/spec/lib/kb/cve_2014_0080_spec.rb +6 -6
  263. data/spec/lib/kb/cve_2014_0081_spec.rb +11 -11
  264. data/spec/lib/kb/cve_2014_0082_spec.rb +9 -9
  265. data/spec/lib/kb/cve_2014_0130_spec.rb +4 -4
  266. data/spec/lib/kb/cve_2014_1233_spec.rb +3 -3
  267. data/spec/lib/kb/cve_2014_1234_spec.rb +3 -3
  268. data/spec/lib/kb/cve_2014_2322_spec.rb +3 -3
  269. data/spec/lib/kb/cve_2014_2538_spec.rb +3 -3
  270. data/spec/lib/kb/cve_2014_3482_spec.rb +3 -3
  271. data/spec/lib/kb/cve_2014_3483_spec.rb +5 -5
  272. data/spec/lib/kb/osvdb_105971_spec.rb +3 -3
  273. data/spec/lib/kb/osvdb_108530_spec.rb +4 -4
  274. data/spec/lib/kb/osvdb_108563_spec.rb +3 -3
  275. data/spec/lib/kb/osvdb_108569_spec.rb +3 -3
  276. data/spec/lib/kb/osvdb_108570_spec.rb +3 -3
  277. data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +8 -8
  278. data/spec/spec_helper.rb +1 -1
  279. metadata +227 -226
  280. metadata.gz.sig +0 -0
  281. data/certs/paolo_at_codesake_dot_com.pem +0 -21
  282. data/lib/codesake-dawn.rb +0 -12
  283. data/lib/codesake/dawn/core.rb +0 -175
  284. data/lib/codesake/dawn/engine.rb +0 -380
  285. data/lib/codesake/dawn/gemfile_lock.rb +0 -12
  286. data/lib/codesake/dawn/kb/basic_check.rb +0 -228
  287. data/lib/codesake/dawn/kb/combo_check.rb +0 -64
  288. data/lib/codesake/dawn/kb/cve_2008_4310.rb +0 -103
  289. data/lib/codesake/dawn/kb/dependency_check.rb +0 -86
  290. data/lib/codesake/dawn/kb/osvdb_105971.rb +0 -31
  291. data/lib/codesake/dawn/kb/osvdb_108530.rb +0 -29
  292. data/lib/codesake/dawn/kb/osvdb_108563.rb +0 -30
  293. data/lib/codesake/dawn/kb/osvdb_108569.rb +0 -30
  294. data/lib/codesake/dawn/kb/osvdb_108570.rb +0 -29
  295. data/lib/codesake/dawn/kb/pattern_match_check.rb +0 -129
  296. data/lib/codesake/dawn/kb/ruby_version_check.rb +0 -91
  297. data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb +0 -30
  298. data/lib/codesake/dawn/kb/version_check.rb +0 -418
  299. data/lib/codesake/dawn/knowledge_base.rb +0 -513
  300. data/lib/codesake/dawn/padrino.rb +0 -82
  301. data/lib/codesake/dawn/rails.rb +0 -17
  302. data/lib/codesake/dawn/railtie.rb +0 -9
  303. data/lib/codesake/dawn/reporter.rb +0 -280
  304. data/lib/codesake/dawn/sinatra.rb +0 -129
  305. data/lib/codesake/dawn/utils.rb +0 -21
  306. data/lib/codesake/dawn/version.rb +0 -28
  307. data/lib/tasks/codesake-dawn_tasks.rake +0 -1
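--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 96652166e96b4230261eedd3e31210b1629936de
-data.tar.gz: 094ed8dd07f42d69b6d3792f427aaab9dc048654
+metadata.gz: 1b30d65a04af4cd34b129b0c0239e6b8201f95fb
+data.tar.gz: 0aed7efd5f30659bfdea8b52376ec3d23a4d7a3e
 SHA512:
-metadata.gz: a1563bc6716a6d525697af3551211ef7403d11249bdf493aa86b0e63a16751018898aeed7186f85cc572de867d0420757982bba3580e9adcd915a21ac79f7131
-data.tar.gz: c5268d7a968d472c144fa17bb86795dc2e2d0e970db5e2575672345d5721735da35c2716669f976661fd04642a209343a1a1d8213db9cdf61a0b57e51af53903
+metadata.gz: ba85cc6a84e4a3f0d766631aa71dfc1db749b8890bb1f5156fc0cd0205364a97172823a73897857318db9f9b71f63b8fd73bd107f4634a9053537778c7b9b41b
+data.tar.gz: 0c96b639355d9e7d06d9609632adb7566842a0cd662407c8e71812efc8ef153aee20620da0ea65232475fa0b65e95557be6357d93b05413ad29ee5f2d0e48b81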
checksums.yaml.gz.sig CHANGED
@@ -1,4 +1,4 @@
1
-
2
- ������8ٕ[01w��*�hQ5Ȃ�q��М�
3
- R���.���M�?�Xn~���$������s��GK$��<��^���ٶ�X���&�鸧�t�-���+�]��@��yvWD��>�BQ��o͊�(
4
- LS瓮 Es
1
+ e!
2
+ ��
3
+ Qgign&
4
+ s(b�t�^ ) ����(�!Y�]<�;'bi���0����s��\\�[ ����~G�3�4TXh�h�a~�B�F�zT�,5H�xY�Of�O�� ~<��3:� {�C����l�|"��/
data.tar.gz.sig CHANGED
Binary file
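--- a/data/.gitignore
+++ b/data/.gitignore
@@ -1,4 +1,5 @@
 .DS_Store
+.coveralls.yml
 *.log
 *.sw?
 *.gem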
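Review bot: Adding `.coveralls.yml` to the ignore list only keeps the file out of future commits; it does nothing for a copy that was already tracked, and that file typically holds the Coveralls repo token. The diffstat shows no deletion of `.coveralls.yml`, so nothing on this page indicates it was ever committed, but that is worth confirming in the repository history (for example `git log --all -- .coveralls.yml`) before the gem is published. If a tracked copy turns up, it needs `git rm --cached .coveralls.yml` and the token rotated on the Coveralls side, since the history keeps the old value.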
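--- a/data/Changelog.md
+++ b/data/Changelog.md
@@ -1,16 +1,18 @@
-# Codesake Dawn - changelog
+# Dawn - changelog
 
-Codesake::Dawn is a static analysis security scanner for ruby written web applications.
+Dawn is a static analysis security scanner for ruby written web applications.
 It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: Fri Jul 11 18:06:30 CEST 2014_
+_latest update: Thu Jan 8 17:19:37 CET 2015_
 
 ## Version 1.2.99 - codename: Lightning McQueen (2015-01-07)
 
 * Add a deprecation message. This is the last codesake-dawn release. New gem
 will be called dawnscanner.
+* gem name changed from codesake-dawn to dawnscanner. Binary program remains
+'dawn' but the repository is moved here: https://github.com/thesp0nge/dawnscanner
 
 ## Version 1.2.0 - codename: Lightning McQueen (2014-07-14)
 
@@ -83,14 +85,14 @@ _latest update: Fri Jul 11 18:06:30 CEST 2014_
 * Added a check for CVE-2014-0080
 * Added a check for CVE-2014-2525
 * Added remaining compliance checks against Owasp Ruby on Rails cheatsheet.
-Some other checks in the cheatsheet can't be turned into a Codesake::Dawn
+Some other checks in the cheatsheet can't be turned into a Dawn
 test, so all the cheatsheet content is covered since now.
 * Added a --ascii-tabular-report (-a) to produce a report formatted with ascii
 tables. A bit of bin/dawn refactoring was necessary.
 * Added a --json (-j) to produce JSON reports
 * Added a --html (-h) to produce HTML reports
 * Added a --file (-F) flag to save report to supplied filename
-* Added Codesake::Dawn gem signature as described in
+* Added Dawn gem signature as described in
 http://guides.rubygems.org/security/. README is modified accordingly with new
 installation suggestions. Added also gem SHA512 checksum in repository.
 * Added a not_affected attribute to dependency check to flag as not vulnerable
@@ -103,7 +105,7 @@ _latest update: Fri Jul 11 18:06:30 CEST 2014_
 is provided as well. True to be told, there are some CVE valid but not found
 on NVID website, so having @rubysec link is even more accurate in those
 situations.
-* New Codesake::Dawn::Kb::VersionCheck class to provide version specific
+* New Dawn::Kb::VersionCheck class to provide version specific
 checks, supporting beta version number, release candidate and pre. Fully
 integrated with DepedencyCheck and RubyVersionCheck
 * Issue #34. I added a deprecation check. However I haven't found an official
@@ -113,7 +115,7 @@ _latest update: Fri Jul 11 18:06:30 CEST 2014_
 --list-knowledge-base that is just for listing.
 * Renamed '--list-knowledgebase' to '--list-knowledge-base' and '-k' short
 option was removed
-* Added a --list-known-families option printing out Codesake::Dawn supported
+* Added a --list-known-families option printing out Dawn supported
 check family name
 * Removed '-f' short option for list-known-framework
 * Added family and severity to Owasp RoR Cheatsheet files
@@ -129,7 +131,7 @@ _latest update: Fri Jul 11 18:06:30 CEST 2014_
 cheatsheet checks
 * Added --disable-owasp-top-10 flag to disable all Owasp Top 10 checks
 * Revamped help output
-* Added YAML Codesake::Dawn configuration support. Now you can specify your
+* Added YAML Dawn configuration support. Now you can specify your
 preferences in a .codesake-dawn.yaml file in your home directory (or you can
 use the --config-file option to specify the file you want to use). It returns
 an embedded default configuration if the supplied filename doesn't exist.
@@ -172,7 +174,7 @@ _latest update: Fri Jul 11 18:06:30 CEST 2014_
 
 * Fixing issue #27. With rainbow gem version 2.0.0 there is an exception while
 codesake-commons logging facilities tries to print something with the .color
-method. Now Codesake::Dawn uses a new codesake-commons gem version that fixes
+method. Now Dawn uses a new codesake-commons gem version that fixes
 how rainbow gem deals with colorized output.
 
 ## Version 1.0.1 - codename: Lightning McQueen (2014-01-25)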
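--- a/data/KnowledgeBase.md
+++ b/data/KnowledgeBase.md
@@ -1,6 +1,6 @@
-# Codesake::Dawn Knowledge base
+# Dawn Knowledge base
 
-The knowledge base library for Codesake::Dawn version 1.2.0 contains 180 security checks.
+The knowledge base library for Dawn version 1.2.0 contains 180 security checks.
 ---
 * Simple Form XSS - 20131129: There is a XSS vulnerability on Simple Form's label, hint and error options. When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe.
 * [CVE-2004-0755](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0755): The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions.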
data/README.md CHANGED
@@ -1,11 +1,12 @@
1
- # Codesake::Dawn - The security code scanner for Ruby
1
+ # Dawn - The raising security scanner for ruby web applications
2
2
 
3
- Codesake::Dawn is a source code scanner designed to review your code for
4
- security issues.
3
+ Dawn is a source code scanner designed to review your ruby code for security
4
+ issues.
5
5
 
6
- Codesake::Dawn is able to scan your ruby standalone programs but its main usage
7
- is to deal with web applications. It supports applications written using majors
8
- MVC (Model View Controller) frameworks, like:
6
+ Dawn is able to scan plain ruby scripts (e.g. command line applications) but
7
+ all its features are unleashed when dealing with web applications source code.
8
+ Dawn is able to scan major MVC (Model View Controller) frameworks, out of the
9
+ box:
9
10
 
10
11
  * [Ruby on Rails](http://rubyonrails.org)
11
12
  * [Sinatra](http://www.sinatrarb.com)
@@ -13,22 +14,22 @@ MVC (Model View Controller) frameworks, like:
13
14
 
14
15
  ---
15
16
 
16
- [![Gem Version](https://badge.fury.io/rb/codesake-dawn.png)](http://badge.fury.io/rb/codesake-dawn)
17
- [![Build Status](https://travis-ci.org/codesake/codesake-dawn.png?branch=master)](https://travis-ci.org/codesake/codesake-dawn)
18
- [![Dependency Status](https://gemnasium.com/codesake/codesake-dawn.png)](https://gemnasium.com/codesake/codesake-dawn)
19
- [![Coverage Status](https://coveralls.io/repos/codesake/codesake-dawn/badge.png)](https://coveralls.io/r/codesake/codesake-dawn)
20
- [![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/codesake/codesake-dawn/trend.png)](https://bitdeli.com/free "Bitdeli Badge")
21
- [![Inline docs](http://inch-ci.org/github/codesake/codesake-dawn.png?branch=master)](http://inch-ci.org/github/codesake/codesake-dawn)
17
+ [![Gem Version](https://badge.fury.io/rb/dawnscanner.png)](http://badge.fury.io/rb/dawnscanner)
18
+ [![Build Status](https://travis-ci.org/thesp0nge/dawnscanner.png?branch=master)](https://travis-ci.org/thesp0nge/dawnscanner)
19
+ [![Dependency Status](https://gemnasium.com/thesp0nge/dawnscanner.png)](https://gemnasium.com/thesp0nge/dawnscanner)
20
+ [![Coverage Status](https://coveralls.io/repos/thesp0nge/dawnscanner/badge.png)](https://coveralls.io/r/thesp0nge/dawnscanner)
21
+ [![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/thesp0nge/dawnscanner/trend.png)](https://bitdeli.com/free "Bitdeli Badge")
22
+ [![Inline docs](http://inch-ci.org/github/thesp0nge/dawnscanner.png?branch=master)](http://inch-ci.org/github/thesp0nge/dawnscanner)
22
23
 
23
24
  ---
24
25
 
25
- Codesake::Dawn version 1.2 has 180 security checks loaded in its knowledge
26
+ Dawn version 1.3 has 180 security checks loaded in its knowledge
26
27
  base. Most of them are CVE bulletins applying to gems or the ruby interpreter
27
28
  itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.
28
29
 
29
30
  ## An overall introduction
30
31
 
31
- When you run Codesake::Dawn on your code it parses your project Gemfile.lock
32
+ When you run Dawn on your code it parses your project Gemfile.lock
32
33
  looking for the gems used and it tries to detect the ruby interpreter version
33
34
  you are using or you declared in your ruby version management tool you like
34
35
  most (RVM, rbenv, ...).
@@ -37,47 +38,47 @@ Then the tool tries to detect the MVC framework your web application uses and
37
38
  it applies the security check accordingly. There checks designed to match rails
38
39
  application or checks that are appliable to any ruby code.
39
40
 
40
- Codesake::Dawn can also understand the code in your views and to backtrack
41
+ Dawn can also understand the code in your views and to backtrack
41
42
  sinks to spot cross site scripting and sql injections introduced by the code
42
43
  you actually wrote. In the project roadmap this is the code most of the future
43
44
  development effort will be focused on.
44
45
 
45
- Codesake::Dawn security scan result is a list of vulnerabilities with some
46
+ Dawn security scan result is a list of vulnerabilities with some
46
47
  mitigation actions you want to follow in order to build a stronger web
47
48
  application.
48
49
 
49
50
  ## Installation
50
51
 
51
- codesake-dawn rubygem is cryptographically signed. To be sure the gem you
52
- install hasn’t been tampered, you must first add ```paolo@codesake.com```
52
+ dawnscanner rubygem is cryptographically signed. To be sure the gem you
53
+ install hasn’t been tampered, you must first add ```paolo@dawnscanner.org```
53
54
  public signing certificate as trusted to your gem specific keyring.
54
55
 
55
56
  ```
56
- $ gem cert --add <(curl -Ls https://raw.githubusercontent.com/codesake/codesake-dawn/master/certs/paolo_at_codesake_dot_com.pem)
57
+ $ gem cert --add <(curl -Ls https://raw.githubusercontent.com/thesp0nge/dawnscanner/master/certs/paolo_at_dawnscanner_dot_org.pem)
57
58
  ```
58
59
 
59
- You can install latest Codesake::Dawn version, fetching it from
60
+ You can install latest Dawn version, fetching it from
60
61
  [Rubygems](https://rubygems.org) by typing:
61
62
 
62
63
  ```
63
- $ gem install codesake-dawn -P MediumSecurity
64
+ $ gem install dawnscanner -P MediumSecurity
64
65
  ```
65
66
 
66
67
  The MediumSecurity trust profile will verify signed gems, but allow the
67
68
  installation of unsigned dependencies. This is necessary because not all of
68
- Codesake::Dawn’s dependencies are signed, so we cannot use HighSecurity.
69
+ Dawn’s dependencies are signed, so we cannot use HighSecurity.
69
70
 
70
71
  In order to install a release candidate version, the gem install command line
71
72
  is the following:
72
73
 
73
74
  ```
74
- $ gem install codesake-dawn --pre -P MediumSecurity
75
+ $ gem install dawnscanner --pre -P MediumSecurity
75
76
  ```
76
77
 
77
78
  If you want to add dawn to your project Gemfile, you must add the following:
78
79
 
79
80
  group :development do
80
- gem 'codesake-dawn', :require=>false
81
+ gem 'dawnscanner', :require=>false
81
82
  end
82
83
 
83
84
  And then upgrade your bundle
@@ -86,22 +87,22 @@ And then upgrade your bundle
86
87
 
87
88
  You may want to build it from source, so you have to check it out from github first:
88
89
 
89
- $ git clone https://github.com/codesake/codesake-dawn.git
90
- $ cd codesake-dawn
90
+ $ git clone https://github.com/thesp0nge/dawnscanner.git
91
+ $ cd dawn
91
92
  $ bundle install
92
93
  $ rake install
93
94
 
94
- And the codesake-dawn gem will be built in a pkg directory and then installed
95
+ And the dawnscanner gem will be built in a pkg directory and then installed
95
96
  on your system. Please note that you have to manage dependencies on your own
96
97
  this way. It makes sense only if you want to hack the code or something like
97
98
  that.
98
99
 
99
100
  ## Usage
100
101
 
101
- You can start your code review with Codesake::Dawn very easily. Simply tell the tool
102
+ You can start your code review with Dawn very easily. Simply tell the tool
102
103
  where the project root directory.
103
104
 
104
- Underlying MVC framework is autodetected by Codesake::Dawn using target Gemfile.lock
105
+ Underlying MVC framework is autodetected by Dawn using target Gemfile.lock
105
106
  file. If autodetect fails for some reason, the tool will complain about it and
106
107
  you have to specify if it's a rails, sinatra or padrino web application by
107
108
  hand.
@@ -113,7 +114,8 @@ needs, and to specify the target directory where your code is stored.
113
114
  $ dawn [options] target
114
115
  ```
115
116
 
116
- In case of need, there is a quick command line option reference running ```dawn -h``` at your OS prompt.
117
+ In case of need, there is a quick command line option reference running
118
+ ```dawn -h``` at your OS prompt.
117
119
 
118
120
  ```
119
121
  $ dawn -h
@@ -145,7 +147,7 @@ Disable security check family
145
147
  --disable-owasp-ror-cheatsheet disable all Owasp Ruby on Rails cheatsheet checks
146
148
  --disable-owasp-top-10 disable all Owasp Top 10 checks
147
149
 
148
- Flags useful to query Codesake::Dawn
150
+ Flags useful to query Dawn
149
151
 
150
152
  -S, --search-knowledge-base [check_name] search check_name in the knowledge base
151
153
  --list-knowledge-base list knowledge-base content
@@ -162,18 +164,20 @@ Service flags
162
164
 
163
165
  ### Rake task
164
166
 
165
- To include Codesake::Dawn in your rake task list, you simply have to put this line in your ```Rakefile```
167
+ To include Dawn in your rake task list, you simply have to put this line in
168
+ your ```Rakefile```
166
169
 
167
170
  ```
168
- require 'codesake/dawn/tasks'
171
+ require 'dawn/tasks'
169
172
  ```
170
173
 
171
- Then executing ```$ rake -T``` you will have a ```dawn:run``` task you want to execute.
174
+ Then executing ```$ rake -T``` you will have a ```dawn:run``` task you want to
175
+ execute.
172
176
 
173
177
  ```
174
178
  $ rake -T
175
179
  ...
176
- rake dawn:run # Execute codesake-dawn on the current directory
180
+ rake dawn:run # Execute dawnscanner on the current directory
177
181
  ...
178
182
  ```
179
183
 
@@ -199,15 +203,15 @@ $ dawn -S this_test_does_not_exist
199
203
  this_test_does_not_exist not found in knowledgebase
200
204
  ```
201
205
 
202
- ### Codesake::Dawn security scan in action
206
+ ### Dawn security scan in action
203
207
 
204
- As output, Codesake::Dawn will put all security checks that are failed during the scan.
208
+ As output, Dawn will put all security checks that are failed during the scan.
205
209
 
206
210
  This the result of Codedake::Dawn running against a
207
211
  [Sinatra 1.4.2 web application](https://github.com/thesp0nge/railsberry2013) wrote for a talk I
208
212
  delivered in 2013 at [Railsberry conference](http://www.railsberry.com).
209
213
 
210
- As you may see, Codesake::Dawn first detects MVC running the application by
214
+ As you may see, Dawn first detects MVC running the application by
211
215
  looking at Gemfile.lock, than it discards all security checks not appliable to
212
216
  Sinatra (49 security checks, in version 1.0, especially designed for Ruby on
213
217
  Rails) and it applies them.
@@ -232,11 +236,11 @@ $ dawn ~/src/hacking/railsberry2013
232
236
 
233
237
  ---
234
238
 
235
- When you run Codesake::Dawn on a web application with up to date dependencies,
239
+ When you run Dawn on a web application with up to date dependencies,
236
240
  it's likely to return a friendly _no vulnerabilities found_ message. Keep it up
237
241
  working that way!
238
242
 
239
- This is Codesake::Dawn running against a Padrino web application I wrote for [a
243
+ This is Dawn running against a Padrino web application I wrote for [a
240
244
  scorecard quiz game about application security](http://scorecard.armoredcode.com).
241
245
  Italian language only. Sorry.
242
246
 
@@ -250,7 +254,7 @@ Italian language only. Sorry.
250
254
  18:42:39 [*] dawn is leaving
251
255
  ```
252
256
 
253
- If you need a fancy HTML report about your scan, just ask it to Codesake::Dawn
257
+ If you need a fancy HTML report about your scan, just ask it to Dawn
254
258
  with the ```--html``` flag used with the ```--file``` since I wanto to save the
255
259
  HTML to disk.
256
260
 
@@ -266,29 +270,27 @@ $ dawn /Users/thesp0nge/src/hacking/rt_first_app --html --file report.html
266
270
 
267
271
  ## Useful links
268
272
 
269
- Project homepage: [http://dawn.codesake.com](http://dawn.codesake.com)
273
+ Project homepage: [http://dawnscanner.org](http://dawnscanner.org)
270
274
 
271
275
  Twitter profile: [@dawnscanner](https://twitter.com/dawnscanner)
272
276
 
273
- Github repository: [https://github.com/codesake/codesake\-dawn](https://github.com/codesake/codesake-dawn)
277
+ Github repository: [https://github.com/thesp0nge/dawnscanner](https://github.com/thesp0nge/dawnscanner)
274
278
 
275
- The list of knowledge base content: [http://dawn.codesake.com/knowledge-base](http://dawn.codesake.com/knowledge-base)
276
-
277
- Mailing list: [https://groups.google.com/forum/#!forum/codesake-dawn](https://groups.google.com/forum/#!forum/codesake-dawn)
279
+ Mailing list: [https://groups.google.com/forum/#!forum/dawnscanner](https://groups.google.com/forum/#!forum/dawnscanner)
278
280
 
279
281
  ## Support us
280
282
 
281
283
  Feedbacks are great and we really love to hear your voice.
282
284
 
283
- If you're a proud codesake-dawn user, if you find it useful, if you integrated
285
+ If you're a proud dawnscanner user, if you find it useful, if you integrated
284
286
  it in your release process and if you want to openly support the project you
285
287
  can put your reference here. Just open an
286
- [issue](https://github.com/codesake-dawn/issues/new) with a statement saying
288
+ [issue](https://github.com/thesp0nge/dawn/issues/new) with a statement saying
287
289
  how do you feel the tool and your company logo if any.
288
290
 
289
- More easily you can drop an email to [paolo@codesake.com](mailto:paolo@codesake.com) sending a
290
- statement about your success story and I'll put on the
291
- [website](http://dawn.codesake.com/success-stories).
291
+ More easily you can drop an email to
292
+ [paolo@dawnscanner.org](mailto:paolo@dawnscanner.org) sending a statement about your
293
+ success story and I'll put on the website.
292
294
 
293
295
  Thank you.
294
296
 
@@ -302,20 +304,20 @@ Thank you.
302
304
 
303
305
  [Matteo](https://github.com/matteocollina): for ideas on API and their usage with [github.com](https://github.com) hooks
304
306
 
305
- ## Contribute to Codesake::Dawn
307
+ ## Contribute to Dawn
306
308
 
307
- Are you interested in contributing to Codesake::Dawn project? Great, here is
309
+ Are you interested in contributing to Dawn project? Great, here is
308
310
  some very basic rules in order to make rocking pull requests.
309
311
 
310
312
  First of all, I use the branching model described in [this
311
313
  post](http://nvie.com/posts/a-successful-git-branching-model/). There are two
312
314
  major branches:
313
315
 
314
- * master: it contains in every moment the code for the latest codesake-dawn
316
+ * master: it contains in every moment the code for the latest dawnscanner
315
317
  released gem. You can't make branches from here unless you're working on a
316
318
  bugfix.
317
319
  * development: it contains the unstable code that is going to be the next
318
- codesake-dawn realease. You start from here. Pick a task on the Roadmap.md
320
+ dawnscanner realease. You start from here. Pick a task on the Roadmap.md
319
321
  and create a separated branch to work on your feature to. When you're ready
320
322
  (remember to include also spec files), submit your pull request. If the code
321
323
  will be fine, it will be merged into the development tree ready to be include
@@ -326,7 +328,7 @@ In this case, the branch name must be something like _issue\_#xx\_description_
326
328
 
327
329
  ## LICENSE
328
330
 
329
- Copyright (c) 2013, 2014 Paolo Perego
331
+ Copyright (c) 2013, 2014, 2015 Paolo Perego
330
332
 
331
333
  MIT License
332
334
 
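--- a/data/Rakefile
+++ b/data/Rakefile
@@ -6,8 +6,8 @@ require 'cucumber'
 require 'cucumber/rake/task'
 
 require 'fileutils'
-require "codesake/dawn/utils"
-require "codesake/dawn/knowledge_base"
+require "dawn/utils"
+require "dawn/knowledge_base"
 
 Cucumber::Rake::Task.new(:features) do |t|
 t.cucumber_opts = "features --format pretty -x"
@@ -33,10 +33,10 @@ task :release => [:prepare]
 desc "Create a new CVE test"
 task :cve, :name do |t,args|
 name = args.name
-SRC_DIR = "./lib/codesake/dawn/kb/"
+SRC_DIR = "./lib/dawn/kb/"
 SPEC_DIR = "./spec/lib/kb/"
 
-raise "### It seems that #{name} is already in Dawn knowledge base" unless Codesake::Dawn::KnowledgeBase.find(nil, name).nil?
+raise "### It seems that #{name} is already in Dawn knowledge base" unless Dawn::KnowledgeBase.find(nil, name).nil?
 raise "### Invalid CVE title: #{name}" if name.nil? or name.empty? or /CVE-\d{4}-\d{4}/.match(name).nil?
 raise "### No target directory: #{SRC_DIR}" unless Dir.exists?(SRC_DIR)
 raise "### No rspec directory: #{SPEC_DIR}" unless Dir.exists?(SPEC_DIR)
@@ -48,8 +48,7 @@ task :cve, :name do |t,args|
 class_name = name.gsub("-", "_")
 
 open(rb_filename, "w") do |file|
-file.puts "module Codesake"
-file.puts "\tmodule Dawn"
+file.puts "module Dawn"
 file.puts "\t\tmodule Kb"
 file.puts "\t\t\t# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
 file.puts "\t\t\tclass #{class_name}"
@@ -62,7 +61,6 @@ task :cve, :name do |t,args|
 file.puts "\t\t\t\tend"
 file.puts "\t\t\tend"
 file.puts "\t\tend"
-file.puts "\tend"
 file.puts "end"
 end
 puts "#{rb_filename} created"
@@ -72,7 +70,7 @@ task :cve, :name do |t,args|
 
 file.puts "describe \"The #{name} vulnerability\" do"
 file.puts "\tbefore(:all) do"
-file.puts "\t\t@check = Codesake::Dawn::Kb::#{class_name}.new"
+file.puts "\t\t@check = Dawn::Kb::#{class_name}.new"
 file.puts "\t\t# @check.debug = true"
 file.puts "\tend"
 file.puts "\tit \"is reported when...\""
@@ -80,13 +78,13 @@ task :cve, :name do |t,args|
 end
 puts "#{spec_filename} created"
 
-puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
-puts "*** PLEASE ADD THIS CODE IN lib/codesake/dawn/knowledge_base.rb in order to reflect changes"
-puts "require \"codesake/dawn/kb/#{class_name.downcase}\""
+puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/knowledgebase_spec.rb in order to reflect changes"
+puts "*** PLEASE ADD THIS CODE IN lib/dawn/knowledge_base.rb in order to reflect changes"
+puts "require \"dawn/kb/#{class_name.downcase}\""
 puts "it \"must have test for #{name}\" do"
 puts " sc = kb.find(\"#{name}\")"
 puts " sc.should_not be_nil"
-puts " sc.class.should == Codesake::Dawn::Kb::#{class_name}"
+puts " sc.class.should == Dawn::Kb::#{class_name}"
 puts "end"
 
 
@@ -97,10 +95,10 @@ end
 desc "Create a new Generic security check"
 task :check, :name do |t,args|
 name = args.name
-SRC_DIR = "./lib/codesake/dawn/kb/"
+SRC_DIR = "./lib/dawn/kb/"
 SPEC_DIR = "./spec/lib/kb/"
 
-raise "### It seems that #{name} is already in Dawn knowledge base" unless Codesake::Dawn::KnowledgeBase.find(nil, name).nil?
+raise "### It seems that #{name} is already in Dawn knowledge base" unless Dawn::KnowledgeBase.find(nil, name).nil?
 raise "### No target directory: #{SRC_DIR}" unless Dir.exists?(SRC_DIR)
 raise "### No rspec directory: #{SPEC_DIR}" unless Dir.exists?(SPEC_DIR)
 
@@ -111,8 +109,7 @@ task :check, :name do |t,args|
 class_name = name.gsub("-", "_")
 
 open(rb_filename, "w") do |file|
-file.puts "module Codesake"
-file.puts "\tmodule Dawn"
+file.puts "module Dawn"
 file.puts "\t\tmodule Kb"
 file.puts "\t\t\t# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
 file.puts "\t\t\tclass #{class_name}"
@@ -125,7 +122,6 @@ task :check, :name do |t,args|
 file.puts "\t\t\t\tend"
 file.puts "\t\t\tend"
 file.puts "\t\tend"
-file.puts "\tend"
 file.puts "end"
 end
 puts "#{rb_filename} created"
@@ -135,7 +131,7 @@ task :check, :name do |t,args|
 
 file.puts "describe \"The #{name} vulnerability\" do"
 file.puts "\tbefore(:all) do"
-file.puts "\t\t@check = Codesake::Dawn::Kb::#{class_name}.new"
+file.puts "\t\t@check = Dawn::Kb::#{class_name}.new"
 file.puts "\t\t# @check.debug = true"
 file.puts "\tend"
 file.puts "\tit \"is reported when...\""
@@ -144,13 +140,13 @@ task :check, :name do |t,args|
 puts "#{spec_filename} created"
 
 
-puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
-puts "*** PLEASE ADD THIS CODE IN lib/codesake/dawn/knowledge_base.rb in order to reflect changes"
-puts "require \"codesake/dawn/kb/#{class_name.downcase}\""
+puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/knowledgebase_spec.rb in order to reflect changes"
+puts "*** PLEASE ADD THIS CODE IN lib/dawn/knowledge_base.rb in order to reflect changes"
+puts "require \"dawn/kb/#{class_name.downcase}\""
 puts "it \"must have test for #{name}\" do"
 puts " sc = kb.find(\"#{name}\")"
 puts " sc.should_not be_nil"
-puts " sc.class.should == Codesake::Dawn::Kb::#{class_name}"
+puts " sc.class.should == Dawn::Kb::#{class_name}"
 puts "end"
 
 
@@ -159,7 +155,7 @@ end
 namespace :kb do
 desc 'Check information lint'
 task :lint do
-Codesake::Dawn::KnowledgeBase.new.all.each do |check|
+Dawn::KnowledgeBase.new.all.each do |check|
 l = check.lint
 puts "check #{check.name} has this attribute(s) with a nil value: #{l.to_s}" unless l.size == 0
 end
@@ -167,10 +163,10 @@ namespace :kb do
 end
 desc 'Creates a KnowledgeBase.md file'
 task :create do
-checks = Codesake::Dawn::KnowledgeBase.new.all
+checks = Dawn::KnowledgeBase.new.all
 open("KnowledgeBase.md", "w") do |file|
-file.puts "# Codesake::Dawn Knowledge base"
-file.puts "\nThe knowledge base library for Codesake::Dawn version #{Codesake::Dawn::VERSION} contains #{checks.count} security checks."
+file.puts "# Dawn Knowledge base"
+file.puts "\nThe knowledge base library for Dawn version #{Dawn::VERSION} contains #{checks.count} security checks."
 file.puts "---"
 checks.each do |c|
 file.puts "* [#{c.name}](#{c.cve_link}): #{c.message}" if c.name.start_with?('CVE')
@@ -185,15 +181,15 @@ task :create do
 end
 end
 
-require 'digest/sha2'
+require 'digest/sha1'
 namespace :checksum do
 
 desc 'Calculate gem checksum'
 task :calculate do
 system 'mkdir -p checksum > /dev/null'
-built_gem_path = "pkg/codesake-dawn-#{Codesake::Dawn::VERSION}.gem"
-checksum = Digest::SHA512.new.hexdigest(File.read(built_gem_path))
-checksum_path = "checksum/codesake-dawn-#{Codesake::Dawn::VERSION}.gem.sha512"
+built_gem_path = "pkg/dawnscanner-#{Dawn::VERSION}.gem"
+checksum = Digest::SHA1.new.hexdigest(File.read(built_gem_path))
+checksum_path = "checksum/dawnscanner-#{Dawn::VERSION}.gem.sha1"
 File.open(checksum_path, 'w' ) {|f| f.write(checksum) }
 
 puts "#{checksum_path}: #{checksum}"
@@ -201,9 +197,9 @@ end
 
 desc 'Add and commit latest checksum'
 task :commit do
-checksum_path = "checksum/codesake-dawn-#{Codesake::Dawn::VERSION}.gem.sha512"
+checksum_path = "checksum/dawnscanner-#{Dawn::VERSION}.gem.sha1"
 system "git add #{checksum_path}"
-system "git commit -v #{checksum_path} -m \"Adding #{Codesake::Dawn::VERSION} checksum to repo\""
+system "git commit -v #{checksum_path} -m \"Adding #{Dawn::VERSION} checksum to repo\""
 end
 end
 
@@ -212,7 +208,7 @@ end
 ###############################################################################
 
 namespace :rubysec do
-desc 'Find new CVE bulletins to add to Codesake::Dawn'
+desc 'Find new CVE bulletins to add to Dawn'
 task :find do
 git_url = 'git@github.com:rubysec/ruby-advisory-db.git'
 target_dir = './tmp/'
@@ -232,15 +228,15 @@ namespace :rubysec do
 if exclusion.include?(cve)
 puts "#{cve} is in the exclusion list"
 else
-found = Codesake::Dawn::KnowledgeBase.find(nil, cve)
-puts "#{cve} NOT in dawn v#{Codesake::Dawn::VERSION} knowledge base" unless found
+found = Dawn::KnowledgeBase.find(nil, cve)
+puts "#{cve} NOT in dawn v#{Dawn::VERSION} knowledge base" unless found
 list << cve unless found
 end
 end
 end
 unless list.empty?
 File.open("missing_rubyadvisory_cvs_#{Time.now.strftime("%Y%m%d")}.txt", "w") do |f|
-f.puts "Missing CVE bulletins - v#{Codesake::Dawn::VERSION} - #{Time.now.strftime("%d %B %Y")}"
+f.puts "Missing CVE bulletins - v#{Dawn::VERSION} - #{Time.now.strftime("%d %B %Y")}"
 f.puts list
 end
 end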
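Review bot: The `checksum:calculate` task downgrades the release-integrity digest from SHA-512 to SHA-1 (`require 'digest/sha1'`, `Digest::SHA1.new.hexdigest(...)`, and the `.gem.sha1` paths in both `:calculate` and `:commit`), which weakens the one thing a published checksum is for: SHA-1 collisions are practical today, whereas a SHA-2 digest costs nothing extra to compute or publish. Unless a downstream consumer depends on the `.sha1` file name, I would keep the SHA-2 family: `require 'digest/sha2'`, `checksum = Digest::SHA256.hexdigest(File.binread(built_gem_path))`, and a matching `.gem.sha256` suffix in both tasks so `:commit` stays in sync with `:calculate`. `File.binread` is also the safer read for a binary archive, since `File.read` can apply text-mode translation on some platforms and yield a digest that does not match the bytes actually shipped. The `namespace :checksum` block spans two hunks here, so the path string has to be changed in both places.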