dawnscanner 1.3.5 → 1.4.0

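--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA1:
- metadata.gz: 05b506c1430295b474c31984bc9a1b9a155b5d51
- data.tar.gz: 7e0417a90ad9c5a2a054d1579b26ac0ce25747ff
+ metadata.gz: f003db35fdc15bed8267a03e98b8486332a8c5bc
+ data.tar.gz: 136a1d5c19c13401f309bb967a6847b2c4c3e00a
  SHA512:
- metadata.gz: fa103df76aeb6f50084803cd653aa328eb29734ac123ec06a4dd5a5d3cb2bb2600318c26ae36ab5669e06dd7d052197d1ca68a1c80594231e6be073832f58ed9
- data.tar.gz: 8a8a0fe09ba77ec3d69433a33ed4cf75f9fbb469f6e3e9fd43f05841b38095ffe43d6b5b1d201f97de2d041214435f9c1361166762fc877a37e6a52d84a1a393
+ metadata.gz: b07ea6ad252a9b8bc81b13fcf3a6cef8621894d1621681d1b2898c746639327e2b96a197690562e9d0837e8d87360509645578f5ff3333052b6ef0b4dfb4b50d
+ data.tar.gz: 88129983599961a585d141c1387772acdec4b18a1525763d6ad1371a14fad4e6ae7c22befe0c2412d961738ca812fb522198a965a88d213e9497a5397303cecf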
checksums.yaml.gz.sig CHANGED
Binary file
data.tar.gz.sig CHANGED
Binary file
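--- a/data/.travis.yml
+++ b/data/.travis.yml
@@ -3,6 +3,5 @@ rvm:
  - 2.1.0
  - 2.0.0
  - 1.9.3
- - 1.9.2
  - ruby-head
  - rbx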
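--- a/data/Changelog.md
+++ b/data/Changelog.md
@@ -5,7 +5,27 @@ It supports [Sinatra](http://www.sinatrarb.com),
  [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
  frameworks.
 
- _latest update: Wed Jul 29 23:10:24 CEST 2015_
+ _latest update: Wed Sep 16 18:20:21 CEST 2015_
+
+ ## Version 1.4.0 - codename: Tow Mater (2015-09-16)
+
+ * Fixing issue #144. CVE-2013-4491 detected rails version 3.2.22 as vulnerable
+ meanwhile it is not.
+ * Adding a check for CVE-2014-7818: Directory traversal in Action Pack
+ contained in Ruby on Rails before 3.2.20, 4.0.11, 4.1.7 and 4.2.0.beta3
+ * Adding a check for CVE-2014-7819: Directory traversal in multiple sprocket
+ versions.
+ * Adding a check for CVE-2014-4975: DoS in Ruby interpreter 1.9.x, 2.0.x, 2.1.x
+ * Adding a check for CVE-2014-3916: DoS in Ruby interpreter 1.9.x, 2.0.x, 2.1.x
+ * Adding a check for CVE-2014-7829: Directory traversal in several rails
+ versions
+ * Adding a check for CVE-2014-8090: DoS in REXML parser in some ruby
+ interpreter versions.
+ * Adding a check for CVE-2012-6674: XSS in RedCloth gem (issue #143)
+ * Adding a check for CVE-2014-9490: Denial of Service in raven-ruby gem (issue
+ #124)
+ * Adding a check for CVE-2015-3448: Information leakage in rest-client gem
+ (issue #125)
 
  ## Version 1.3.5 - codename: Lightning McQueen (2015-07-29)
 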
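--- a/data/Rakefile
+++ b/data/Rakefile
@@ -19,7 +19,7 @@ RSpec::Core::RakeTask.new do |t|
  end
 
 
- task :default => [ :spec, :features, :kb ]
+ task :default => [ :spec, :features, :'kb:create', :'kb:lint' ]
  task :test => :spec
  task :prepare => [:build, :'checksum:calculate', :'checksum:commit']
  task :release => [:prepare]
@@ -116,8 +116,8 @@ task :cve, :name do |t,args|
  end
  puts "#{spec_filename} created"
 
- puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/knowledgebase_spec.rb in order to reflect changes"
- puts "*** PLEASE ADD THIS CODE IN lib/dawn/knowledge_base.rb in order to reflect changes"
+ puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN ./spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
+ puts "*** PLEASE ADD THIS CODE IN ./lib/dawn/knowledge_base.rb in order to reflect changes"
  puts "require \"dawn/kb/#{class_name.downcase}\""
  puts "it \"must have test for #{name}\" do"
  puts " sc = kb.find(\"#{name}\")"
@@ -179,8 +179,8 @@ task :osvdb, :name do |t,args|
  puts "#{spec_filename} created"
 
 
- puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
- puts "*** PLEASE ADD THIS CODE IN lib/dawn/knowledge_base.rb in order to reflect changes"
+ puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN ./spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
+ puts "*** PLEASE ADD THIS CODE IN ./lib/dawn/knowledge_base.rb in order to reflect changes"
  puts "require \"dawn/kb/#{class_name.downcase}\""
  puts "it \"must have test for #{name}\" do"
  puts " sc = kb.find(\"#{name}\")"
@@ -240,8 +240,8 @@ task :check, :name do |t,args|
  puts "#{spec_filename} created"
 
 
- puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/knowledgebase_spec.rb in order to reflect changes"
- puts "*** PLEASE ADD THIS CODE IN lib/dawn/knowledge_base.rb in order to reflect changes"
+ puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN ./spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
+ puts "*** PLEASE ADD THIS CODE IN ./lib/dawn/knowledge_base.rb in order to reflect changes"
  puts "require \"dawn/kb/#{class_name.downcase}\""
  puts "it \"must have test for #{name}\" do"
  puts " sc = kb.find(\"#{name}\")"
@@ -261,24 +261,25 @@ namespace :kb do
  end
 
  end
- desc 'Creates a KnowledgeBase.md file'
- task :create do
- checks = Dawn::KnowledgeBase.new.all
- open("KnowledgeBase.md", "w") do |file|
- file.puts "# Dawn Knowledge base"
- file.puts "\nThe knowledge base library for Dawn version #{Dawn::VERSION} contains #{checks.count} security checks."
- file.puts "---"
- checks.each do |c|
- file.puts "* [#{c.name}](#{c.cve_link}): #{c.message}" if c.name.start_with?('CVE')
- file.puts "* [#{c.name}](#{c.osvdb_link}): #{c.message}" if c.name.start_with?('OSVDB')
- file.puts "* #{c.name}: #{c.message}" unless c.name.start_with?('CVE')
+
+ desc 'Creates a KnowledgeBase.md file'
+ task :create do
+ checks = Dawn::KnowledgeBase.new.all
+ open("KnowledgeBase.md", "w") do |file|
+ file.puts "# Dawn Knowledge base"
+ file.puts "\nThe knowledge base library for Dawn version #{Dawn::VERSION} contains #{checks.count} security checks."
+ file.puts "---"
+ checks.each do |c|
+ file.puts "* [#{c.name}](#{c.cve_link}): #{c.message}" if c.name.start_with?('CVE')
+ file.puts "* [#{c.name}](#{c.osvdb_link}): #{c.message}" if c.name.start_with?('OSVDB')
+ file.puts "* #{c.name}: #{c.message}" unless c.name.start_with?('CVE')
+ end
+
+ file.puts "\n\n_Last updated: #{Time.now.strftime("%a %d %b %T %Z %Y")}_"
  end
+ puts "KnowledgeBase.md file successfully generated"
 
- file.puts "\n\n_Last updated: #{Time.now.strftime("%a %d %b %T %Z %Y")}_"
  end
- puts "KnowledgeBase.md file successfully generated"
-
- end
  end
 
  require 'digest/sha1'
@@ -325,7 +326,7 @@ namespace :rubysec do
  # CVE-2013-1878 is a duplicate of CVE-2013-2617 that is in knowledge base
  # CVE-2013-1876 is a duplicate of CVE-2013-2615 that is in knowledge base
  exclusion = ["CVE-2007-6183", "CVE-2013-1876", "CVE-2013-1878"]
- if exclusion.include?(cve)
+ if exclusion.include?(cve)
  puts "#{cve} is in the exclusion list"
  else
  found = Dawn::KnowledgeBase.find(nil, cve)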
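Review bot: In the `kb:create` hunk an OSVDB check is written to KnowledgeBase.md twice, once by the `start_with?('OSVDB')` line with its link and again by the fallback line, because the fallback only excludes names that start with 'CVE'. The fallback should exclude both prefixes: `file.puts "* #{c.name}: #{c.message}" unless c.name.start_with?('CVE', 'OSVDB')`. The commit re-indents this task but carries the condition over unchanged. The enclosing `namespace :kb` block starts outside the hunk.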
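--- a/data/Roadmap.md
+++ b/data/Roadmap.md
@@ -9,7 +9,7 @@ This is an ongoing roadmap for the Dawnscanner source code review tool.
 
  _latest update: Tue Feb 24 08:02:56 CET 2015_
 
- ## Version 1.4.0
+ ## Version 1.5.0
 
  * clear Codesake:Commons dependency mess. This will dramatically simplify
  dawnscanner installation
@@ -29,7 +29,7 @@ _latest update: Tue Feb 24 08:02:56 CET 2015_
  cyclomatic complexity index, ...)
 
 
- ## Version 1.5.0
+ ## Version 1.6.0
 
  * Add a ruby deprecation check, accordingly to
  https://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering
@@ -43,14 +43,14 @@ _latest update: Tue Feb 24 08:02:56 CET 2015_
  * Add support for github hooks
  * Add premilinary SQL injection detection for Ruby on Rails
 
- ## Version 1.6.0
+ ## Version 1.7.0
 
  * Add insecure direct object reference detection for all MVC frameworks (including Rack)
  * SQL Injection detection: it must be done for all MVC frameworks (including Rack)
  * Add automatic mitigation patch generation
  * Add support for Javascript
 
- ## Version 1.7.0
+ ## Version 1.8.0
 
  * Add automatic mitigation patch generation
 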
data/VERSION CHANGED
@@ -13,4 +13,4 @@
13
13
  # | "Guido" | 1.12.0 |
14
14
  # | "Luigi" | 1.14.0 |
15
15
  # | "Doc Hudson" | 1.16.0 |
16
- 1.3.5 - Lightning McQueen
16
+ 1.4.0 - Tow Mater
@@ -0,0 +1 @@
1
+ b4bbd272755fbfe08aa848220681e86d987e4fb0
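--- a/data/dawnscanner.gemspec
+++ b/data/dawnscanner.gemspec
@@ -8,8 +8,8 @@ Gem::Specification.new do |gem|
  gem.version = Dawn::VERSION
  gem.authors = ["Paolo Perego"]
  gem.email = ["paolo@dawnscanner.org"]
- gem.description = %q{Dawn is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 150 security checks with their own mitigation suggestion.}
- gem.summary = %q{Dawn is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
+ gem.description = %q{Dawnscanner is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 150 security checks with their own mitigation suggestion.}
+ gem.summary = %q{Dawnscanner is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
  gem.homepage = "http://dawnscanner.org"
  gem.files = `git ls-files`.split($/)
  gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
@@ -19,7 +19,7 @@ Gem::Specification.new do |gem|
  gem.cert_chain = ['certs/paolo_at_dawnscanner_dot_org.pem']
  gem.signing_key = File.expand_path("~/.ssh/paolo_at_dawnscanner_dot_org_private_key.pem") if $0 =~ /gem\z/
 
- gem.required_ruby_version = '>= 1.9.2'
+ gem.required_ruby_version = '>= 1.9.3'
 
  gem.add_dependency 'cvss'
  gem.add_dependency 'haml'
@@ -32,7 +32,7 @@ Gem::Specification.new do |gem|
  gem.add_dependency 'justify'
  gem.add_dependency 'logger-colors'
 
- gem.add_dependency ('coveralls')
+ gem.add_development_dependency ('coveralls')
 
  gem.add_development_dependency 'rake'
  gem.add_development_dependency 'rspec'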
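Review bot: `gem.add_development_dependency ('coveralls')` keeps the space before the parenthesis, which Ruby reads as a grouped expression and reports when warnings are enabled; write it like the neighbouring lines, `gem.add_development_dependency 'coveralls'`. Separately, every runtime dependency visible in this section (`cvss`, `haml`, `justify`, `logger-colors`) is declared without a version constraint, so an install resolves to whatever release is newest at that moment. For a security tool, a pessimistic constraint per dependency would make installs reproducible and easier to audit. The `Gem::Specification.new` block starts and ends outside the hunks.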
@@ -0,0 +1,28 @@
1
+ module Dawn
2
+ module Kb
3
+ # Automatically created with rake on 2015-07-31
4
+ class CVE_2012_6684
5
+ include DependencyCheck
6
+
7
+ def initialize
8
+ message = "Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI."
9
+ super({
10
+ :name=>"CVE-2012-6684",
11
+ :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
12
+ :release_date => Date.new(2015, 1, 7),
13
+ :cwe=>"79",
14
+ :owasp=>"A1",
15
+ :osvdb=>"",
16
+ :applies=>["sinatra", "padrino", "rails"],
17
+ :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
+ :message=>message,
19
+ :mitigation=>"Please upgrade RedCloth gem to the latest version",
20
+ :aux_links=>["https://gist.github.com/co3k/75b3cb416c342aa1414c", "http://co3k.org/blog/redcloth-unfixed-xss-en"]
21
+ })
22
+
23
+ self.safe_dependencies = [{:name=>"RedCloth", :version=>['4.2.10']}]
24
+
25
+ end
26
+ end
27
+ end
28
+ end
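Review bot: `safe_dependencies` names '4.2.10' as the fixed RedCloth release, but `message` only says 4.2.9 and earlier are affected and the second `aux_links` entry is titled "unfixed", so nothing visible here shows that 4.2.10 contains a fix. If the value is a placeholder for "anything newer than 4.2.9", say so above the assignment, e.g. `# no fixed release known when this check was written; 4.2.10 stands for "newer than 4.2.9"`. `:owasp=>"A1"` also differs from the category usually assigned to XSS and is worth comparing with the project's other XSS checks. The Changelog entry for this check cites CVE-2012-6674 rather than CVE-2012-6684.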
@@ -20,6 +20,7 @@
20
20
  :aux_links=>["https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"]
21
21
  })
22
22
 
23
+ self.save_major = true
23
24
  self.safe_dependencies = [{:name=>"rails", :version=>['3.2.16', '4.0.2', '3.1.9999', '3.0.9999']}]
24
25
 
25
26
  end
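Review bot: `self.save_major = true` is added without a comment, and its effect on how `safe_dependencies` is compared is not visible in this hunk. A one-line why-comment would keep a later maintainer from removing it, for example `# issue #144: compare only against the safe version of the same major line, so 3.2.22 is not flagged`. That wording is inferred from the Changelog entry and should be confirmed against the dependency-check code. The `initialize` body starts outside the hunk.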
@@ -0,0 +1,29 @@
1
+ module Dawn
2
+ module Kb
3
+ # Automatically created with rake on 2015-08-03
4
+ class CVE_2014_3916
5
+ include RubyVersionCheck
6
+
7
+ def initialize
8
+ message = "The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string."
9
+ super({
10
+ :name=>"CVE-2014-3916",
11
+ :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
12
+ :release_date => Date.new(2014, 11, 16),
13
+ :cwe=>"19",
14
+ :owasp=>"A9",
15
+ :applies=>["rails", "sinatra", "padrino"],
16
+ :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
17
+ :message=>message,
18
+ :mitigation=>"Please upgrade ruby interpreter to 2.2.x or later.",
19
+ :aux_links=>["https://bugs.ruby-lang.org/issues/9709", "http://www.securityfocus.com/bid/67705"]
20
+ })
21
+
22
+ self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.99", :patchlevel=>"p999"},
23
+ {:engine=>"ruby", :version=>"2.0.99", :patchlevel=>"p999"},
24
+ {:engine=>"ruby", :version=>"2.1.99", :patchlevel=>"p999"}]
25
+
26
+ end
27
+ end
28
+ end
29
+ end
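Review bot: The three `safe_rubies` entries (1.9.99, 2.0.99 and 2.1.99, each at p999) are not real interpreter releases, and nothing says they are sentinels. If the intent is to report every 1.9.x, 2.0.x and 2.1.x interpreter, which is what the mitigation text ("upgrade ruby interpreter to 2.2.x or later") suggests, add a comment such as `# sentinel versions: no 1.9/2.0/2.1 release is treated as safe`. Without it the list reads as if fixed patch releases existed on those lines.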
@@ -0,0 +1,28 @@
1
+ module Dawn
2
+ module Kb
3
+ # Automatically created with rake on 2015-08-03
4
+ class CVE_2014_4975
5
+ include RubyVersionCheck
6
+
7
+ def initialize
8
+ message = "Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow."
9
+ super({
10
+ :name=>"CVE-2014-4975",
11
+ :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
12
+ :release_date => Date.new(2014, 11, 15),
13
+ :cwe=>"119",
14
+ :owasp=>"A9",
15
+ :applies=>["rails", "sinatra", "padrino"],
16
+ :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
17
+ :message=>message,
18
+ :mitigation=>"Please upgrade ruby interpreter to 2.1.3 or later. Please note that latest 2.2.x version is suggested.",
19
+ :aux_links=>["http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=46778", "https://bugs.ruby-lang.org/issues/10019"]
20
+ })
21
+
22
+ self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.99", :patchlevel=>"p999"},
23
+ {:engine=>"ruby", :version=>"2.0.99", :patchlevel=>"p999"},
24
+ {:engine=>"ruby", :version=>"2.1.2", :patchlevel=>"p999"}]
25
+ end
26
+ end
27
+ end
28
+ end
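Review bot: The last `safe_rubies` entry uses version "2.1.2", which `message` lists as affected ("2.x through 2.1.2") and which contradicts the mitigation text ("2.1.3 or later"). Whether a 2.1.2 interpreter is still reported depends on how RubyVersionCheck weighs the p999 patchlevel, which is not visible here; naming the fixed release avoids relying on that, `{:engine=>"ruby", :version=>"2.1.3", :patchlevel=>"p0"}`, in the style CVE_2014_8090 uses for 2.1.5. The `:cvss` vector also scores a confidentiality impact (`C:P`, `A:N`) for what the message describes as a denial of service, so it should be confirmed against the advisory.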
@@ -0,0 +1,26 @@
1
+ module Dawn
2
+ module Kb
3
+ # Automatically created with rake on 2015-09-02
4
+ class CVE_2014_7818
5
+ include DependencyCheck
6
+
7
+ def initialize
8
+ message = "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence."
9
+ super({
10
+ :name=>"CVE-2014-7818",
11
+ :cvss=>"AV:N/AC:M/Au:N/C:P/I:N/A:N",
12
+ :release_date => Date.new(2014, 11, 8),
13
+ :cwe=>"22",
14
+ :owasp=>"A9",
15
+ :applies=>["rails", "sinatra", "padrino"],
16
+ :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
+ :message=>message,
18
+ :mitigation=>"Please upgrade rails gem to latest version or at least 3.2.20, 4.0.11, 4.1.7 or 4.2.0.beta3. If unsure upgrade to the latest available version.",
19
+ :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"]
20
+ })
21
+
22
+ self.safe_dependencies = [{:name=>"rails", :version=>['3.2.20', '4.0.11', '4.1.7', '4.2.0.beta3']}]
23
+ end
24
+ end
25
+ end
26
+ end
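Review bot: `:applies` lists sinatra and padrino for a flaw that `message` places in Action Pack's static middleware, while the sibling check CVE_2014_7829, which covers the same file, uses `:applies=>["rails"]`. Unless a Sinatra or Padrino project can pull in the affected middleware, align the two: `:applies=>["rails"],`. The safe list also has no entry for the 3.0 and 3.1 lines, which the message includes under "3.x before 3.2.20"; a spec case for one of those would pin how they are reported.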
@@ -0,0 +1,31 @@
1
+ module Dawn
2
+ module Kb
3
+ # Automatically created with rake on 2015-08-31
4
+ class CVE_2014_7819
5
+ include DependencyCheck
6
+
7
+ def initialize
8
+ message = "Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding."
9
+
10
+ super({
11
+ :name=>"CVE-2014-7819",
12
+ :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N)",
13
+ :release_date => Date.new(2014, 11, 8),
14
+ :cwe=>"22",
15
+ :owasp=>"A9",
16
+ :applies=>["rails", "sinatra", "padrino"],
17
+ :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
+ :message=>message,
19
+ :mitigation=>"Please upgrade rails gem to latest version or at least 3.2.18 or 4.1.8. If you're using sprockets standalone, please upgrade it to the latest version.",
20
+ :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ"]
21
+ })
22
+
23
+ self.save_major = true
24
+ self.save_minor = true
25
+ self.safe_dependencies = [{:name=>"rails", :version=>['3.2.18', '4.1.8']},
26
+ {:name=>"sprockets", :version=>['2.0.6', '2.1.4', '2.2.3', '2.3.3', '2.4.6', '2.5.1', '2.6.1', '2.7.1', '2.8.3', '2.9.4', '2.10.2', '2.11.3', '2.12.3', '3.0.0.beta3']}]
27
+
28
+ end
29
+ end
30
+ end
31
+ end
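Review bot: The `:cvss` value ends with a stray `)` (`"AV:N/AC:L/Au:N/C:P/I:N/A:N)"`), so it is not a well-formed CVSS v2 vector and any scoring built on it may fail or mis-score; it should read `:cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",`. The sprockets safe list also starts at '2.0.6' while `message` says releases before 2.0.5 are affected, which makes 2.0.5 a reported version (the spec for this check asserts exactly that), so one of the two needs correcting. The last entry is written '3.0.0.beta3' where the advisory text has 3.0.0.beta.3, which may matter if versions are compared segment by segment.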
@@ -0,0 +1,28 @@
1
+ module Dawn
2
+ module Kb
3
+ # Automatically created with rake on 2015-07-31
4
+ class CVE_2014_7829
5
+ include DependencyCheck
6
+
7
+ def initialize
8
+ message = "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818."
9
+
10
+ super({
11
+ :name=>"CVE-2014-7829",
12
+ :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
13
+ :release_date => Date.new(2014, 11, 18),
14
+ :cwe=>"22",
15
+ :owasp=>"A9",
16
+ :applies=>["rails"],
17
+ :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
+ :message=>message,
19
+ :mitigation=>"Please upgrade rails gem to latest version or at least 3.2.21, 4.0.12, 4.1.8 or 4.2.0.beta4.",
20
+ :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ"]
21
+ })
22
+
23
+ self.safe_dependencies = [{:name=>"rails", :version=>['3.2.21', '4.0.12', '4.1.8', '4.2.0.beta4']}]
24
+
25
+ end
26
+ end
27
+ end
28
+ end
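Review bot: In the double-quoted `message` string, `\ (backslash)` is an escape sequence, so Ruby drops the backslash and the reported text reads "involving a  (backslash) character". Escape it, `... via vectors involving a \\ (backslash) character, ...`, or put the message in a single-quoted string, which is possible because the text contains no apostrophe. This string is what the scanner shows to users, so the character that defines the issue is currently missing from reports.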
@@ -0,0 +1,30 @@
1
+ module Dawn
2
+ module Kb
3
+ # Automatically created with rake on 2015-07-31
4
+ class CVE_2014_8090
5
+ include RubyVersionCheck
6
+
7
+ def initialize
8
+ message = "The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080."
9
+
10
+ super({
11
+ :name=>"CVE-2014-8090",
12
+ :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
13
+ :release_date => Date.new(2014, 11, 21),
14
+ :cwe=>"611",
15
+ :owasp=>"A9",
16
+ :applies=>["rails", "sinatra", "padrino"],
17
+ :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
18
+ :message=>message,
19
+ :mitigation=>"Please upgrade ruby interpreter to 1.9.3-p551 or 2.0.0-p598 or 2.1.5. Please note that latest 2.2.x version is suggested.",
20
+ :aux_links=>["https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/"]
21
+ })
22
+
23
+ self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p551"},
24
+ {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p598"},
25
+ {:engine=>"ruby", :version=>"2.1.5", :patchlevel=>"p0"}]
26
+
27
+ end
28
+ end
29
+ end
30
+ end
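Review bot: The `message` text is missing a word: "(CPU and memory consumption) a crafted XML document" should read "(CPU and memory consumption) via a crafted XML document". The string is shown to users in scan results, so the typo ends up in every report for this check.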
@@ -0,0 +1,29 @@
1
+ module Dawn
2
+ module Kb
3
+ # Automatically created with rake on 2015-07-30
4
+ class CVE_2014_9490
5
+ include DependencyCheck
6
+
7
+ def initialize
8
+ message = "The numtok function in lib/raven/okjson.rb in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number."
9
+
10
+ super({
11
+ :name=>"CVE-2014-9490",
12
+ :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
13
+ :release_date => Date.new(2015, 1, 20),
14
+ :cwe=>"399",
15
+ :owasp=>"A9",
16
+ :osvdb=>"115654",
17
+ :applies=>["sinatra", "padrino", "rails"],
18
+ :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
19
+ :message=>message,
20
+ :mitigation=>"Please upgrade raven-ruby gem to the latest version",
21
+ :aux_links=>["https://github.com/getsentry/raven-ruby/commit/477ee93a3f735be33bc1e726820654cdf6e22d8f", "http://seclists.org/oss-sec/2015/q1/26"]
22
+ })
23
+
24
+ self.safe_dependencies = [{:name=>"raven-ruby", :version=>['0.12.2']}]
25
+
26
+ end
27
+ end
28
+ end
29
+ end
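Review bot: `safe_dependencies` matches on the name "raven-ruby", which is the project's repository name; as far as I know the gem is published as `sentry-raven`, and that is the name a Gemfile.lock would carry. If dependency names are compared literally, this check would never fire on an affected project. Confirm the published name and, if it differs, use `self.safe_dependencies = [{:name=>"sentry-raven", :version=>['0.12.2']}]`. A spec that feeds the real gem name at a version below 0.12.2 would pin it.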
@@ -0,0 +1,29 @@
1
+ module Dawn
2
+ module Kb
3
+ # Automatically created with rake on 2015-07-30
4
+ class CVE_2015_3448
5
+ include DependencyCheck
6
+
7
+ def initialize
8
+ message = "REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log."
9
+
10
+ super({
11
+ :name=>"CVE-2015-3448",
12
+ :cvss=>"AV:L/AC:L/Au:N/C:P/I:N/A:N",
13
+ :release_date => Date.new(2015, 4, 29),
14
+ :cwe=>"200",
15
+ :owasp=>"A9",
16
+ :osvdb=>"117461",
17
+ :applies=>["sinatra", "padrino", "rails"],
18
+ :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
19
+ :message=>message,
20
+ :mitigation=>"Please upgrade rest-client gem to the latest version",
21
+ :aux_links=>["https://github.com/rest-client/rest-client/issues/349","http://www.osvdb.org/117461"]
22
+ })
23
+
24
+ self.safe_dependencies = [{:name=>"rest-client", :version=>['1.7.3']}]
25
+
26
+ end
27
+ end
28
+ end
29
+ end
@@ -134,6 +134,7 @@ require "dawn/kb/cve_2012_6109"
134
134
  require "dawn/kb/cve_2012_6134"
135
135
  require "dawn/kb/cve_2012_6496"
136
136
  require "dawn/kb/cve_2012_6497"
137
+ require "dawn/kb/cve_2012_6684"
137
138
 
138
139
  # CVE - 2013
139
140
  require "dawn/kb/cve_2013_0155"
@@ -220,6 +221,13 @@ require "dawn/kb/cve_2014_2525"
220
221
  require "dawn/kb/cve_2014_2538"
221
222
  require "dawn/kb/cve_2014_3482"
222
223
  require "dawn/kb/cve_2014_3483"
224
+ require "dawn/kb/cve_2014_3916"
225
+ require "dawn/kb/cve_2014_4975"
226
+ require "dawn/kb/cve_2014_7818"
227
+ require "dawn/kb/cve_2014_7819"
228
+ require "dawn/kb/cve_2014_7829"
229
+ require "dawn/kb/cve_2014_8090"
230
+ require "dawn/kb/cve_2014_9490"
223
231
 
224
232
  # CVE - 2015
225
233
 
@@ -234,6 +242,7 @@ require "dawn/kb/cve_2015_3224"
234
242
  require "dawn/kb/cve_2015_3225"
235
243
  require "dawn/kb/cve_2015_3226"
236
244
  require "dawn/kb/cve_2015_3227"
245
+ require "dawn/kb/cve_2015_3448"
237
246
 
238
247
 
239
248
  # OSVDB
@@ -410,6 +419,7 @@ module Dawn
410
419
  Dawn::Kb::CVE_2012_6134.new,
411
420
  Dawn::Kb::CVE_2012_6496.new,
412
421
  Dawn::Kb::CVE_2012_6497.new,
422
+ Dawn::Kb::CVE_2012_6684.new,
413
423
  Dawn::Kb::CVE_2013_0155.new,
414
424
  Dawn::Kb::CVE_2013_0156.new,
415
425
  Dawn::Kb::CVE_2013_0162.new,
@@ -491,6 +501,13 @@ module Dawn
491
501
  Dawn::Kb::CVE_2014_2538.new,
492
502
  Dawn::Kb::CVE_2014_3482.new,
493
503
  Dawn::Kb::CVE_2014_3483.new,
504
+ Dawn::Kb::CVE_2014_3916.new,
505
+ Dawn::Kb::CVE_2014_4975.new,
506
+ Dawn::Kb::CVE_2014_7818.new,
507
+ Dawn::Kb::CVE_2014_7819.new,
508
+ Dawn::Kb::CVE_2014_7829.new,
509
+ Dawn::Kb::CVE_2014_8090.new,
510
+ Dawn::Kb::CVE_2014_9490.new,
494
511
  Dawn::Kb::CVE_2015_1840_a.new,
495
512
  Dawn::Kb::CVE_2015_1840_b.new,
496
513
  Dawn::Kb::CVE_2015_2963.new,
@@ -498,6 +515,7 @@ module Dawn
498
515
  Dawn::Kb::CVE_2015_3225.new,
499
516
  Dawn::Kb::CVE_2015_3226.new,
500
517
  Dawn::Kb::CVE_2015_3227.new,
518
+ Dawn::Kb::CVE_2015_3448.new,
501
519
 
502
520
 
503
521
  # OSVDB Checks are still here since are all about dependencies
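--- a/data/lib/dawn/version.rb
+++ b/data/lib/dawn/version.rb
@@ -1,7 +1,7 @@
  module Dawn
- VERSION = "1.3.5"
- CODENAME = "Lightning McQueen"
- RELEASE = "20150729"
- BUILD = "31"
- COMMIT = "ge32c804"
+ VERSION = "1.4.0"
+ CODENAME = "Tow Mater"
+ RELEASE = "20150916"
+ BUILD = "21"
+ COMMIT = "gb184185"
  end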
@@ -988,4 +988,50 @@ describe "The Codesake Dawn knowledge base" do
988
988
  sc.class.should == Dawn::Kb::CVE_2015_2963
989
989
  end
990
990
  it "CVE-2015-1840 can't be tested. Trust me. It works"
991
+ it "must have test for CVE-2015-3448" do
992
+ sc = kb.find("CVE-2015-3448")
993
+ sc.should_not be_nil
994
+ sc.class.should == Dawn::Kb::CVE_2015_3448
995
+ end
996
+ it "must have test for CVE-2014-9490" do
997
+ sc = kb.find("CVE-2014-9490")
998
+ sc.should_not be_nil
999
+ sc.class.should == Dawn::Kb::CVE_2014_9490
1000
+ end
1001
+ it "must have test for CVE-2012-6684" do
1002
+ sc = kb.find("CVE-2012-6684")
1003
+ sc.should_not be_nil
1004
+ sc.class.should == Dawn::Kb::CVE_2012_6684
1005
+ end
1006
+ it "must have test for CVE-2014-8090" do
1007
+ sc = kb.find("CVE-2014-8090")
1008
+ sc.should_not be_nil
1009
+ sc.class.should == Dawn::Kb::CVE_2014_8090
1010
+ end
1011
+ it "must have test for CVE-2014-7829" do
1012
+ sc = kb.find("CVE-2014-7829")
1013
+ sc.should_not be_nil
1014
+ sc.class.should == Dawn::Kb::CVE_2014_7829
1015
+ end
1016
+ it "must have test for CVE-2014-3916" do
1017
+ sc = kb.find("CVE-2014-3916")
1018
+ sc.should_not be_nil
1019
+ sc.class.should == Dawn::Kb::CVE_2014_3916
1020
+ end
1021
+ it "not sure if it must have check for CVE-2014-3248. Too much gem involved in a single CVE only with ruby 1.9.1 and with social engineering required"
1022
+ it "must have test for CVE-2014-4975" do
1023
+ sc = kb.find("CVE-2014-4975")
1024
+ sc.should_not be_nil
1025
+ sc.class.should == Dawn::Kb::CVE_2014_4975
1026
+ end
1027
+ it "must have test for CVE-2014-7819" do
1028
+ sc = kb.find("CVE-2014-7819")
1029
+ sc.should_not be_nil
1030
+ sc.class.should == Dawn::Kb::CVE_2014_7819
1031
+ end
1032
+ it "must have test for CVE-2014-7818" do
1033
+ sc = kb.find("CVE-2014-7818")
1034
+ sc.should_not be_nil
1035
+ sc.class.should == Dawn::Kb::CVE_2014_7818
1036
+ end
991
1037
  end
@@ -0,0 +1,16 @@
1
+ require 'spec_helper'
2
+ describe "The CVE-2012-6684 vulnerability" do
3
+ before(:all) do
4
+ @check = Dawn::Kb::CVE_2012_6684.new
5
+ # @check.debug = true
6
+ end
7
+ it "is reported when vulnerable raven-ruby gem is used (4.2.9)" do
8
+ @check.dependencies = [{:name=>"RedCloth", :version=>'4.2.9'}]
9
+ @check.vuln?.should == true
10
+ end
11
+ it "is not reported when safe raven-ruby gem is used (4.2.10)" do
12
+ @check.dependencies = [{:name=>"RedCloth", :version=>'4.2.10'}]
13
+ @check.vuln?.should == false
14
+ end
15
+
16
+ end
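Review bot: Both example descriptions say "raven-ruby gem" although the dependency under test is RedCloth, which looks like a copy from another spec and will mislead anyone reading a failure. Rename them: `it "is reported when vulnerable RedCloth gem is used (4.2.9)" do` and `it "is not reported when safe RedCloth gem is used (4.2.10)" do`.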
@@ -0,0 +1,16 @@
1
+ require 'spec_helper'
2
+ describe "The CVE-2013-4491 vulnerability" do
3
+ before(:all) do
4
+ @check = Dawn::Kb::CVE_2013_4491.new
5
+ # @check.debug = true
6
+ end
7
+
8
+ it "is reported when the vulnerable gem is detected" do
9
+ @check.dependencies = [{:name=>"rails", :version=>"3.2.15"}]
10
+ @check.vuln?.should == true
11
+ end
12
+ it "is not reported when a fixed release is detected" do
13
+ @check.dependencies = [{:name=>"rails", :version=>"3.2.22"}]
14
+ @check.vuln?.should == false
15
+ end
16
+ end
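Review bot: The regression case for issue #144 covers only 3.2.15 and 3.2.22, so the boundaries of the safe list are untested. Examples at the fix versions named in the check (3.2.16 and 4.0.2 expected safe) and at a 4.0.x release below 4.0.2 (expected vulnerable) would pin the new `save_major` behaviour on both major lines. Because `@check` is built once in `before(:all)` and mutated by each example, creating it in `before(:each)` would also keep the examples independent.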
@@ -0,0 +1,42 @@
1
+ require 'spec_helper'
2
+ describe "The CVE-2014-7818 vulnerability" do
3
+ before(:all) do
4
+ @check = Dawn::Kb::CVE_2014_7818.new
5
+ # @check.debug = true
6
+ end
7
+ it "is reported when vulnerable rails gem is used (3.2.18)" do
8
+ @check.dependencies = [{:name=>"rails", :version=>'3.2.18'}]
9
+ @check.vuln?.should == true
10
+ end
11
+ it "is reported when vulnerable rails gem is used (4.0.7)" do
12
+ @check.dependencies = [{:name=>"rails", :version=>'4.0.7'}]
13
+ @check.vuln?.should == true
14
+ end
15
+ it "is reported when vulnerable rails gem is used (4.1.6)" do
16
+ @check.dependencies = [{:name=>"rails", :version=>'4.1.6'}]
17
+ @check.vuln?.should == true
18
+ end
19
+ it "is reported when vulnerable rails gem is used (4.2.0.beta2)" do
20
+ @check.dependencies = [{:name=>"rails", :version=>'4.2.0.beta2'}]
21
+ @check.vuln?.should == true
22
+ end
23
+
24
+ # SAFE VERSIONS
25
+ it "is not reported when safe rails gem is used (3.2.20)" do
26
+ @check.dependencies = [{:name=>"rails", :version=>'3.2.20'}]
27
+ @check.vuln?.should == false
28
+ end
29
+ it "is not reported when safe rails gem is used (4.0.11)" do
30
+ @check.dependencies = [{:name=>"rails", :version=>'4.0.11'}]
31
+ @check.vuln?.should == false
32
+ end
33
+ it "is not reported when safe rails gem is used (4.1.7)" do
34
+ @check.dependencies = [{:name=>"rails", :version=>'4.1.7'}]
35
+ @check.vuln?.should == false
36
+ end
37
+ it "is not reported when safe rails gem is used (4.2.0.beta3)" do
38
+ @check.dependencies = [{:name=>"rails", :version=>'4.2.0.beta3'}]
39
+ @check.vuln?.should == false
40
+ end
41
+
42
+ end
@@ -0,0 +1,139 @@
1
+ require 'spec_helper'
2
+ describe "The CVE-2014-7819 vulnerability" do
3
+ before(:all) do
4
+ @check = Dawn::Kb::CVE_2014_7819.new
5
+ # @check.debug = true
6
+ end
7
+ # Vulnerable versions
8
+ it "is reported when vulnerable rails gem is used (4.1.7)" do
9
+ @check.dependencies = [{:name=>"rails", :version=>'4.1.7'}]
10
+ @check.vuln?.should == true
11
+ end
12
+ it "is reported when vulnerable rails gem is used (3.2.17)" do
13
+ @check.dependencies = [{:name=>"rails", :version=>'3.2.17'}]
14
+ @check.vuln?.should == true
15
+ end
16
+ it "is reported when vulnerable sprockets gem is used (2.0.5)" do
17
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.0.5'}]
18
+ @check.vuln?.should == true
19
+ end
20
+ it "is reported when vulnerable sprockets gem is used (2.1.3)" do
21
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.1.3'}]
22
+ @check.vuln?.should == true
23
+ end
24
+ it "is reported when vulnerable sprockets gem is used (2.2.2)" do
25
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.2.2'}]
26
+ @check.vuln?.should == true
27
+ end
28
+ it "is reported when vulnerable sprockets gem is used (2.3.2)" do
29
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.3.2'}]
30
+ @check.vuln?.should == true
31
+ end
32
+ it "is reported when vulnerable sprockets gem is used (2.4.5)" do
33
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.4.5'}]
34
+ @check.vuln?.should == true
35
+ end
36
+ it "is reported when vulnerable sprockets gem is used (2.5.0)" do
37
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.5.0'}]
38
+ @check.vuln?.should == true
39
+ end
40
+ it "is reported when vulnerable sprockets gem is used (2.6.0)" do
41
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.6.0'}]
42
+ @check.vuln?.should == true
43
+ end
44
+ it "is reported when vulnerable sprockets gem is used (2.7.0)" do
45
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.7.0'}]
46
+ @check.vuln?.should == true
47
+ end
48
+ it "is reported when vulnerable sprockets gem is used (2.8.2)" do
49
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.8.2'}]
50
+ @check.vuln?.should == true
51
+ end
52
+ it "is reported when vulnerable sprockets gem is used (2.9.3)" do
53
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.9.3'}]
54
+ @check.vuln?.should == true
55
+ end
56
+ it "is reported when vulnerable sprockets gem is used (2.10.1)" do
57
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.10.1'}]
58
+ @check.vuln?.should == true
59
+ end
60
+ it "is reported when vulnerable sprockets gem is used (2.11.2)" do
61
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.11.2'}]
62
+ @check.vuln?.should == true
63
+ end
64
+ it "is reported when vulnerable sprockets gem is used (2.12.2)" do
65
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.12.2'}]
66
+ @check.vuln?.should == true
67
+ end
68
+ it "is reported when vulnerable sprockets gem is used (3.0.0.beta2)" do
69
+ @check.dependencies = [{:name=>"sprockets", :version=>'3.0.0.beta2'}]
70
+ @check.vuln?.should == true
71
+ end
72
+ # Safe versions
73
+ it "is not reported when safe rails gem is used (4.1.8)" do
74
+ @check.dependencies = [{:name=>"rails", :version=>'4.1.8'}]
75
+ @check.vuln?.should == false
76
+ end
77
+ it "is not reported when safe rails gem is used (3.2.18)" do
78
+ @check.dependencies = [{:name=>"rails", :version=>'3.2.18'}]
79
+ @check.vuln?.should == false
80
+ end
81
+ it "is not reported when safe sprockets gem is used (2.0.6)" do
82
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.0.6'}]
83
+ @check.vuln?.should == false
84
+ end
85
+ it "is not reported when safe sprockets gem is used (2.1.4)" do
86
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.1.4'}]
87
+ @check.vuln?.should == false
88
+ end
89
+ it "is not reported when safe sprockets gem is used (2.2.3)" do
90
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.2.3'}]
91
+ @check.vuln?.should == false
92
+ end
93
+ it "is not reported when safe sprockets gem is used (2.3.3)" do
94
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.3.3'}]
95
+ @check.vuln?.should == false
96
+ end
97
+ it "is not reported when safe sprockets gem is used (2.4.6)" do
98
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.4.6'}]
99
+ @check.vuln?.should == false
100
+ end
101
+ it "is not reported when safe sprockets gem is used (2.5.6)" do
102
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.5.6'}]
103
+ @check.vuln?.should == false
104
+ end
105
+ it "is not reported when safe sprockets gem is used (2.6.6)" do
106
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.6.6'}]
107
+ @check.vuln?.should == false
108
+ end
109
+ it "is not reported when safe sprockets gem is used (2.7.6)" do
110
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.7.6'}]
111
+ @check.vuln?.should == false
112
+ end
113
+ it "is not reported when safe sprockets gem is used (2.8.6)" do
114
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.8.6'}]
115
+ @check.vuln?.should == false
116
+ end
117
+ it "is not reported when safe sprockets gem is used (2.9.6)" do
118
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.9.6'}]
119
+ @check.vuln?.should == false
120
+ end
121
+ it "is not reported when safe sprockets gem is used (2.10.6)" do
122
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.10.6'}]
123
+ @check.vuln?.should == false
124
+ end
125
+ it "is not reported when safe sprockets gem is used (2.11.6)" do
126
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.11.6'}]
127
+ @check.vuln?.should == false
128
+ end
129
+ it "is not reported when safe sprockets gem is used (2.12.6)" do
130
+ @check.dependencies = [{:name=>"sprockets", :version=>'2.12.6'}]
131
+ @check.vuln?.should == false
132
+ end
133
+ it "is not reported when safe sprockets gem is used (3.0.0.beta3)" do
134
+ @check.dependencies = [{:name=>"sprockets", :version=>'3.0.0.beta3'}]
135
+ @check.vuln?.should == false
136
+ end
137
+
138
+
139
+ end
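Review bot: The safe-side sprockets cases from 2.5.x to 2.12.x all use a `.6` patch level (`2.5.6`, `2.6.6`, … `2.12.6`), while the vulnerable-side cases use `2.5.0`, `2.6.0`, `2.8.2`, `2.12.2` and so on. The releases in between are never asserted either way, so the spec does not pin where the fix lands. A check carrying a wrong fixed version for any of those lines would still pass here and then produce false negatives or false positives in real scans. I would add one case per line at the first fixed release named in the advisory, plus a comment above `# Safe versions` citing the advisory the numbers come from. The `rails` cases (`3.2.17`/`3.2.18`, `4.1.7`/`4.1.8`) need the same comment, since nothing in the spec shows how a Rails version maps to a sprockets version.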
@@ -0,0 +1,50 @@
1
+ require 'spec_helper'
2
+ describe "The CVE-2014-7829 vulnerability" do
3
+ before(:all) do
4
+ @check = Dawn::Kb::CVE_2014_7829.new
5
+ # @check.debug = true
6
+ end
7
+ it "is reported when vulnerable rails gem is used (3.2.20)" do
8
+ @check.dependencies = [{:name=>"rails", :version=>'3.2.20'}]
9
+ @check.vuln?.should == true
10
+ end
11
+ it "is reported when vulnerable rails gem is used (3.1.20)" do
12
+ @check.dependencies = [{:name=>"rails", :version=>'3.1.20'}]
13
+ @check.vuln?.should == true
14
+ end
15
+ it "is reported when vulnerable rails gem is used (3.0.20)" do
16
+ @check.dependencies = [{:name=>"rails", :version=>'3.0.20'}]
17
+ @check.vuln?.should == true
18
+ end
19
+ it "is reported when vulnerable rails gem is used (4.0.11)" do
20
+ @check.dependencies = [{:name=>"rails", :version=>'4.0.11'}]
21
+ @check.vuln?.should == true
22
+ end
23
+ it "is reported when vulnerable rails gem is used (4.1.7)" do
24
+ @check.dependencies = [{:name=>"rails", :version=>'4.1.7'}]
25
+ @check.vuln?.should == true
26
+ end
27
+ it "is reported when vulnerable rails gem is used (4.2.0.beta3)" do
28
+ @check.dependencies = [{:name=>"rails", :version=>'4.2.0.beta3'}]
29
+ @check.vuln?.should == true
30
+ end
31
+
32
+ it "is not reported when safe rails gem is used (3.2.21)" do
33
+ @check.dependencies = [{:name=>"rails", :version=>'3.2.21'}]
34
+ @check.vuln?.should == false
35
+ end
36
+ it "is not reported when safe rails gem is used (4.0.12)" do
37
+ @check.dependencies = [{:name=>"rails", :version=>'4.0.12'}]
38
+ @check.vuln?.should == false
39
+ end
40
+ it "is not reported when safe rails gem is used (4.1.8)" do
41
+ @check.dependencies = [{:name=>"rails", :version=>'4.1.8'}]
42
+ @check.vuln?.should == false
43
+ end
44
+ it "is not reported when safe rails gem is used (4.2.0.beta4)" do
45
+ @check.dependencies = [{:name=>"rails", :version=>'4.2.0.beta4'}]
46
+ @check.vuln?.should == false
47
+ end
48
+
49
+ it "is reported when..."
50
+ end
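Review bot: The last example, `it "is reported when..."`, is a leftover template line with no block, which RSpec reports as pending on every run. Either delete it or replace it with the case it was meant to hold. If it was a reminder for the older lines, note that `3.0.20` and `3.1.20` are asserted vulnerable but no 3.0.x or 3.1.x release is asserted safe. A short comment saying whether those lines have a fixed release at all would make that intent explicit.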
@@ -0,0 +1,17 @@
1
+ require 'spec_helper'
2
+ describe "The CVE-2014-9490 vulnerability" do
3
+ before(:all) do
4
+ @check = Dawn::Kb::CVE_2014_9490.new
5
+ # @check.debug = true
6
+ end
7
+
8
+ it "is reported when vulnerable raven-ruby gem is used (0.12.1)" do
9
+ @check.dependencies = [{:name=>"raven-ruby", :version=>'0.12.1'}]
10
+ @check.vuln?.should == true
11
+ end
12
+ it "is not reported when safe raven-ruby gem is used (0.12.2)" do
13
+ @check.dependencies = [{:name=>"raven-ruby", :version=>'0.12.2'}]
14
+ @check.vuln?.should == false
15
+ end
16
+
17
+ end
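Review bot: Both examples key the dependency on `"raven-ruby"`, which as far as I know is the repository name; the gem itself is published as `sentry-raven`, and that is the name a Gemfile.lock would carry. If `Dawn::Kb::CVE_2014_9490` matches on `raven-ruby` only (the class is outside this section), the check would never fire on a real project while this spec stays green. I would add a case with `@check.dependencies = [{:name=>"sentry-raven", :version=>'0.12.1'}]` expecting `@check.vuln?.should == true`, and confirm the gem name against the advisory.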
@@ -0,0 +1,16 @@
1
+ require 'spec_helper'
2
+ describe "The CVE-2015-3448 vulnerability" do
3
+ before(:all) do
4
+ @check = Dawn::Kb::CVE_2015_3448.new
5
+ # @check.debug = true
6
+ end
7
+ it "is reported when vulnerable rest-client gem is used (1.7.2)" do
8
+ @check.dependencies = [{:name=>"rest-client", :version=>'1.7.2'}]
9
+ @check.vuln?.should == true
10
+ end
11
+ it "is not reported when safe rest-client gem is used (1.7.3)" do
12
+ @check.dependencies = [{:name=>"rest-client", :version=>'1.7.3'}]
13
+ @check.vuln?.should == false
14
+ end
15
+
16
+ end
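Review bot: Only the `1.7.2`/`1.7.3` pair is exercised, so nothing shows that releases on older lines are still flagged. If the advisory range is everything before 1.7.3, a check that compares only within 1.7.x would pass this spec while missing most affected installs. One extra case such as `@check.dependencies = [{:name=>"rest-client", :version=>'1.6.7'}]` expecting `true` would cover that. The version is a constructed sample, and any release from an older line serves.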
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: dawnscanner
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.5
4
+ version: 1.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Paolo Perego
@@ -30,7 +30,7 @@ cert_chain:
30
30
  1zH2rpK27DW5pOeHUEJn31+gGd111ogP5tYruPV7Qgfy2jUrUPmP67v7nRNlgd84
31
31
  Z5mHj9jGk4wgMQy2pk4GDwsXiirZfI0z2WZfySqEldE=
32
32
  -----END CERTIFICATE-----
33
- date: 2015-07-29 00:00:00.000000000 Z
33
+ date: 2015-09-16 00:00:00.000000000 Z
34
34
  dependencies:
35
35
  - !ruby/object:Gem::Dependency
36
36
  name: cvss
@@ -179,7 +179,7 @@ dependencies:
179
179
  - - ">="
180
180
  - !ruby/object:Gem::Version
181
181
  version: '0'
182
- type: :runtime
182
+ type: :development
183
183
  prerelease: false
184
184
  version_requirements: !ruby/object:Gem::Requirement
185
185
  requirements:
@@ -256,10 +256,11 @@ dependencies:
256
256
  - - ">="
257
257
  - !ruby/object:Gem::Version
258
258
  version: '0'
259
- description: Dawn is a security source code scanner for ruby powered code. It is especially
260
- designed for web applications, but it works also with general purpose ruby scripts.
261
- Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra;
262
- it provides more than 150 security checks with their own mitigation suggestion.
259
+ description: Dawnscanner is a security source code scanner for ruby powered code.
260
+ It is especially designed for web applications, but it works also with general purpose
261
+ ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino
262
+ and sinatra; it provides more than 150 security checks with their own mitigation
263
+ suggestion.
263
264
  email:
264
265
  - paolo@dawnscanner.org
265
266
  executables:
@@ -293,6 +294,7 @@ files:
293
294
  - checksum/dawnscanner-1.2.99.gem.sha1
294
295
  - checksum/dawnscanner-1.3.0.gem.sha1
295
296
  - checksum/dawnscanner-1.3.1.gem.sha1
297
+ - checksum/dawnscanner-1.3.5.gem.sha1
296
298
  - dawnscanner.gemspec
297
299
  - doc/codesake-dawn.yaml.sample
298
300
  - doc/dawn_1_0_announcement.md
@@ -393,6 +395,7 @@ files:
393
395
  - lib/dawn/kb/cve_2012_6134.rb
394
396
  - lib/dawn/kb/cve_2012_6496.rb
395
397
  - lib/dawn/kb/cve_2012_6497.rb
398
+ - lib/dawn/kb/cve_2012_6684.rb
396
399
  - lib/dawn/kb/cve_2013_0155.rb
397
400
  - lib/dawn/kb/cve_2013_0156.rb
398
401
  - lib/dawn/kb/cve_2013_0162.rb
@@ -474,6 +477,13 @@ files:
474
477
  - lib/dawn/kb/cve_2014_2538.rb
475
478
  - lib/dawn/kb/cve_2014_3482.rb
476
479
  - lib/dawn/kb/cve_2014_3483.rb
480
+ - lib/dawn/kb/cve_2014_3916.rb
481
+ - lib/dawn/kb/cve_2014_4975.rb
482
+ - lib/dawn/kb/cve_2014_7818.rb
483
+ - lib/dawn/kb/cve_2014_7819.rb
484
+ - lib/dawn/kb/cve_2014_7829.rb
485
+ - lib/dawn/kb/cve_2014_8090.rb
486
+ - lib/dawn/kb/cve_2014_9490.rb
477
487
  - lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb
478
488
  - lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb
479
489
  - lib/dawn/kb/cve_2015_2963.rb
@@ -481,6 +491,7 @@ files:
481
491
  - lib/dawn/kb/cve_2015_3225.rb
482
492
  - lib/dawn/kb/cve_2015_3226.rb
483
493
  - lib/dawn/kb/cve_2015_3227.rb
494
+ - lib/dawn/kb/cve_2015_3448.rb
484
495
  - lib/dawn/kb/dependency_check.rb
485
496
  - lib/dawn/kb/deprecation_check.rb
486
497
  - lib/dawn/kb/not_revised_code.rb
@@ -541,6 +552,7 @@ files:
541
552
  - spec/lib/kb/cve_2012_2139_spec.rb
542
553
  - spec/lib/kb/cve_2012_2671_spec.rb
543
554
  - spec/lib/kb/cve_2012_6109_spec.rb
555
+ - spec/lib/kb/cve_2012_6684_spec.rb
544
556
  - spec/lib/kb/cve_2013_0162_spec.rb
545
557
  - spec/lib/kb/cve_2013_0183_spec.rb
546
558
  - spec/lib/kb/cve_2013_0184_spec.rb
@@ -559,6 +571,7 @@ files:
559
571
  - spec/lib/kb/cve_2013_4203_spec.rb
560
572
  - spec/lib/kb/cve_2013_4413_spec.rb
561
573
  - spec/lib/kb/cve_2013_4489_spec.rb
574
+ - spec/lib/kb/cve_2013_4491_spec.rb
562
575
  - spec/lib/kb/cve_2013_4593_spec.rb
563
576
  - spec/lib/kb/cve_2013_5647_spec.rb
564
577
  - spec/lib/kb/cve_2013_5671_spec.rb
@@ -576,12 +589,17 @@ files:
576
589
  - spec/lib/kb/cve_2014_2538_spec.rb
577
590
  - spec/lib/kb/cve_2014_3482_spec.rb
578
591
  - spec/lib/kb/cve_2014_3483_spec.rb
592
+ - spec/lib/kb/cve_2014_7818_spec.rb
593
+ - spec/lib/kb/cve_2014_7819_spec.rb
594
+ - spec/lib/kb/cve_2014_7829_spec.rb
595
+ - spec/lib/kb/cve_2014_9490_spec.rb
579
596
  - spec/lib/kb/cve_2015_1840_spec.rb
580
597
  - spec/lib/kb/cve_2015_2963_spec.rb
581
598
  - spec/lib/kb/cve_2015_3224_spec.rb
582
599
  - spec/lib/kb/cve_2015_3225_spec.rb
583
600
  - spec/lib/kb/cve_2015_3226_spec.rb
584
601
  - spec/lib/kb/cve_2015_3227_spec.rb
602
+ - spec/lib/kb/cve_2015_3448_spec.rb
585
603
  - spec/lib/kb/osvdb_105971_spec.rb
586
604
  - spec/lib/kb/osvdb_108530_spec.rb
587
605
  - spec/lib/kb/osvdb_108563_spec.rb
@@ -608,7 +626,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
608
626
  requirements:
609
627
  - - ">="
610
628
  - !ruby/object:Gem::Version
611
- version: 1.9.2
629
+ version: 1.9.3
612
630
  required_rubygems_version: !ruby/object:Gem::Requirement
613
631
  requirements:
614
632
  - - ">="
@@ -619,8 +637,9 @@ rubyforge_project:
619
637
  rubygems_version: 2.4.8
620
638
  signing_key:
621
639
  specification_version: 4
622
- summary: Dawn is a security source code scanner for ruby powered code. It is crafted
623
- with love to make your sinatra, padrino and ruby on rails web applications secure.
640
+ summary: Dawnscanner is a security source code scanner for ruby powered code. It is
641
+ crafted with love to make your sinatra, padrino and ruby on rails web applications
642
+ secure.
624
643
  test_files:
625
644
  - features/dawn_complains_about_an_incorrect_command_line.feature.disabled
626
645
  - features/dawn_scan_a_secure_sinatra_app.feature.disabled
@@ -648,6 +667,7 @@ test_files:
648
667
  - spec/lib/kb/cve_2012_2139_spec.rb
649
668
  - spec/lib/kb/cve_2012_2671_spec.rb
650
669
  - spec/lib/kb/cve_2012_6109_spec.rb
670
+ - spec/lib/kb/cve_2012_6684_spec.rb
651
671
  - spec/lib/kb/cve_2013_0162_spec.rb
652
672
  - spec/lib/kb/cve_2013_0183_spec.rb
653
673
  - spec/lib/kb/cve_2013_0184_spec.rb
@@ -666,6 +686,7 @@ test_files:
666
686
  - spec/lib/kb/cve_2013_4203_spec.rb
667
687
  - spec/lib/kb/cve_2013_4413_spec.rb
668
688
  - spec/lib/kb/cve_2013_4489_spec.rb
689
+ - spec/lib/kb/cve_2013_4491_spec.rb
669
690
  - spec/lib/kb/cve_2013_4593_spec.rb
670
691
  - spec/lib/kb/cve_2013_5647_spec.rb
671
692
  - spec/lib/kb/cve_2013_5671_spec.rb
@@ -683,12 +704,17 @@ test_files:
683
704
  - spec/lib/kb/cve_2014_2538_spec.rb
684
705
  - spec/lib/kb/cve_2014_3482_spec.rb
685
706
  - spec/lib/kb/cve_2014_3483_spec.rb
707
+ - spec/lib/kb/cve_2014_7818_spec.rb
708
+ - spec/lib/kb/cve_2014_7819_spec.rb
709
+ - spec/lib/kb/cve_2014_7829_spec.rb
710
+ - spec/lib/kb/cve_2014_9490_spec.rb
686
711
  - spec/lib/kb/cve_2015_1840_spec.rb
687
712
  - spec/lib/kb/cve_2015_2963_spec.rb
688
713
  - spec/lib/kb/cve_2015_3224_spec.rb
689
714
  - spec/lib/kb/cve_2015_3225_spec.rb
690
715
  - spec/lib/kb/cve_2015_3226_spec.rb
691
716
  - spec/lib/kb/cve_2015_3227_spec.rb
717
+ - spec/lib/kb/cve_2015_3448_spec.rb
692
718
  - spec/lib/kb/osvdb_105971_spec.rb
693
719
  - spec/lib/kb/osvdb_108530_spec.rb
694
720
  - spec/lib/kb/osvdb_108563_spec.rb
metadata.gz.sig CHANGED
Binary file