dawnscanner 1.3.5 → 1.4.0
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/.travis.yml +0 -1
- data/Changelog.md +21 -1
- data/Rakefile +24 -23
- data/Roadmap.md +4 -4
- data/VERSION +1 -1
- data/checksum/dawnscanner-1.3.5.gem.sha1 +1 -0
- data/dawnscanner.gemspec +4 -4
- data/lib/dawn/kb/cve_2012_6684.rb +28 -0
- data/lib/dawn/kb/cve_2013_4491.rb +1 -0
- data/lib/dawn/kb/cve_2014_3916.rb +29 -0
- data/lib/dawn/kb/cve_2014_4975.rb +28 -0
- data/lib/dawn/kb/cve_2014_7818.rb +26 -0
- data/lib/dawn/kb/cve_2014_7819.rb +31 -0
- data/lib/dawn/kb/cve_2014_7829.rb +28 -0
- data/lib/dawn/kb/cve_2014_8090.rb +30 -0
- data/lib/dawn/kb/cve_2014_9490.rb +29 -0
- data/lib/dawn/kb/cve_2015_3448.rb +29 -0
- data/lib/dawn/knowledge_base.rb +18 -0
- data/lib/dawn/version.rb +5 -5
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +46 -0
- data/spec/lib/kb/cve_2012_6684_spec.rb +16 -0
- data/spec/lib/kb/cve_2013_4491_spec.rb +16 -0
- data/spec/lib/kb/cve_2014_7818_spec.rb +42 -0
- data/spec/lib/kb/cve_2014_7819_spec.rb +139 -0
- data/spec/lib/kb/cve_2014_7829_spec.rb +50 -0
- data/spec/lib/kb/cve_2014_9490_spec.rb +17 -0
- data/spec/lib/kb/cve_2015_3448_spec.rb +16 -0
- metadata +36 -10
- metadata.gz.sig +0 -0
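--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f003db35fdc15bed8267a03e98b8486332a8c5bc
+data.tar.gz: 136a1d5c19c13401f309bb967a6847b2c4c3e00a
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b07ea6ad252a9b8bc81b13fcf3a6cef8621894d1621681d1b2898c746639327e2b96a197690562e9d0837e8d87360509645578f5ff3333052b6ef0b4dfb4b50d
+data.tar.gz: 88129983599961a585d141c1387772acdec4b18a1525763d6ad1371a14fad4e6ae7c22befe0c2412d961738ca812fb522198a965a88d213e9497a5397303cecf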
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
data/.travis.yml
CHANGED
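--- a/data/Changelog.md
+++ b/data/Changelog.md
@@ -5,7 +5,27 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: Wed
+_latest update: Wed Sep 16 18:20:21 CEST 2015_
+
+## Version 1.4.0 - codename: Tow Mater (2015-09-16)
+
+* Fixing issue #144. CVE-2013-4491 detected rails version 3.2.22 as vulnerable
+meanwhile it is not.
+* Adding a check for CVE-2014-7818: Directory traversal in Action Pack
+contained in Ruby on Rails before 3.2.20, 4.0.11, 4.1.7 and 4.2.0.beta3
+* Adding a check for CVE-2014-7819: Directory traversal in multiple sprocket
+versions.
+* Adding a check for CVE-2014-4975: DoS in Ruby interpreter 1.9.x, 2.0.x, 2.1.x
+* Adding a check for CVE-2014-3916: DoS in Ruby interpreter 1.9.x, 2.0.x, 2.1.x
+* Adding a check for CVE-2014-7829: Directory traversal in several rails
+versions
+* Adding a check for CVE-2014-8090: DoS in REXML parser in some ruby
+interpreter versions.
+* Adding a check for CVE-2012-6674: XSS in RedCloth gem (issue #143)
+* Adding a check for CVE-2014-9490: Denial of Service in raven-ruby gem (issue
+#124)
+* Adding a check for CVE-2015-3448: Information leakage in rest-client gem
+(issue #125)
 
 ## Version 1.3.5 - codename: Lightning McQueen (2015-07-29)
 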
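--- a/data/Rakefile
+++ b/data/Rakefile
@@ -19,7 +19,7 @@ RSpec::Core::RakeTask.new do |t|
 end
 
 
-task :default => [ :spec, :features, :kb ]
+task :default => [ :spec, :features, :'kb:create', :'kb:lint' ]
 task :test => :spec
 task :prepare => [:build, :'checksum:calculate', :'checksum:commit']
 task :release => [:prepare]
@@ -116,8 +116,8 @@ task :cve, :name do |t,args|
 end
 puts "#{spec_filename} created"
 
-puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/
-puts "*** PLEASE ADD THIS CODE IN lib/dawn/knowledge_base.rb in order to reflect changes"
+puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN ./spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
+puts "*** PLEASE ADD THIS CODE IN ./lib/dawn/knowledge_base.rb in order to reflect changes"
 puts "require \"dawn/kb/#{class_name.downcase}\""
 puts "it \"must have test for #{name}\" do"
 puts " sc = kb.find(\"#{name}\")"
@@ -179,8 +179,8 @@ task :osvdb, :name do |t,args|
 puts "#{spec_filename} created"
 
 
-puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
-puts "*** PLEASE ADD THIS CODE IN lib/dawn/knowledge_base.rb in order to reflect changes"
+puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN ./spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
+puts "*** PLEASE ADD THIS CODE IN ./lib/dawn/knowledge_base.rb in order to reflect changes"
 puts "require \"dawn/kb/#{class_name.downcase}\""
 puts "it \"must have test for #{name}\" do"
 puts " sc = kb.find(\"#{name}\")"
@@ -240,8 +240,8 @@ task :check, :name do |t,args|
 puts "#{spec_filename} created"
 
 
-puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/
-puts "*** PLEASE ADD THIS CODE IN lib/dawn/knowledge_base.rb in order to reflect changes"
+puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN ./spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
+puts "*** PLEASE ADD THIS CODE IN ./lib/dawn/knowledge_base.rb in order to reflect changes"
 puts "require \"dawn/kb/#{class_name.downcase}\""
 puts "it \"must have test for #{name}\" do"
 puts " sc = kb.find(\"#{name}\")"
@@ -261,24 +261,25 @@ namespace :kb do
 end
 
 end
-
-
-
-
-
-
-
-
-
-
-
+
+desc 'Creates a KnowledgeBase.md file'
+task :create do
+checks = Dawn::KnowledgeBase.new.all
+open("KnowledgeBase.md", "w") do |file|
+file.puts "# Dawn Knowledge base"
+file.puts "\nThe knowledge base library for Dawn version #{Dawn::VERSION} contains #{checks.count} security checks."
+file.puts "---"
+checks.each do |c|
+file.puts "* [#{c.name}](#{c.cve_link}): #{c.message}" if c.name.start_with?('CVE')
+file.puts "* [#{c.name}](#{c.osvdb_link}): #{c.message}" if c.name.start_with?('OSVDB')
+file.puts "* #{c.name}: #{c.message}" unless c.name.start_with?('CVE')
+end
+
+file.puts "\n\n_Last updated: #{Time.now.strftime("%a %d %b %T %Z %Y")}_"
 end
+puts "KnowledgeBase.md file successfully generated"
 
-file.puts "\n\n_Last updated: #{Time.now.strftime("%a %d %b %T %Z %Y")}_"
 end
-puts "KnowledgeBase.md file successfully generated"
-
-end
 end
 
 require 'digest/sha1'
@@ -325,7 +326,7 @@ namespace :rubysec do
 # CVE-2013-1878 is a duplicate of CVE-2013-2617 that is in knowledge base
 # CVE-2013-1876 is a duplicate of CVE-2013-2615 that is in knowledge base
 exclusion = ["CVE-2007-6183", "CVE-2013-1876", "CVE-2013-1878"]
-if exclusion.include?(cve)
+if exclusion.include?(cve)
 puts "#{cve} is in the exclusion list"
 else
 found = Dawn::KnowledgeBase.find(nil, cve)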
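Review bot: In the `kb:create` task the third `file.puts` is guarded only by `unless c.name.start_with?('CVE')`, so every OSVDB check is written to KnowledgeBase.md twice, once with its link and once as a plain bullet. The guard should exclude both prefixes: `file.puts "* #{c.name}: #{c.message}" unless c.name.start_with?('CVE', 'OSVDB')`. The bare `open("KnowledgeBase.md", "w")` is Kernel#open; the literal argument is harmless here, but `File.open("KnowledgeBase.md", "w")` states the intent and avoids Kernel#open's special handling of pipe-prefixed arguments. The enclosing `namespace :kb do` block starts outside the hunk.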
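--- a/data/Roadmap.md
+++ b/data/Roadmap.md
@@ -9,7 +9,7 @@ This is an ongoing roadmap for the Dawnscanner source code review tool.
 
 _latest update: Tue Feb 24 08:02:56 CET 2015_
 
-## Version 1.
+## Version 1.5.0
 
 * clear Codesake:Commons dependency mess. This will dramatically simplify
 dawnscanner installation
@@ -29,7 +29,7 @@ _latest update: Tue Feb 24 08:02:56 CET 2015_
 cyclomatic complexity index, ...)
 
 
-## Version 1.
+## Version 1.6.0
 
 * Add a ruby deprecation check, accordingly to
 https://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering
@@ -43,14 +43,14 @@ _latest update: Tue Feb 24 08:02:56 CET 2015_
 * Add support for github hooks
 * Add premilinary SQL injection detection for Ruby on Rails
 
-## Version 1.
+## Version 1.7.0
 
 * Add insecure direct object reference detection for all MVC frameworks (including Rack)
 * SQL Injection detection: it must be done for all MVC frameworks (including Rack)
 * Add automatic mitigation patch generation
 * Add support for Javascript
 
-## Version 1.
+## Version 1.8.0
 
 * Add automatic mitigation patch generation
 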
data/VERSION
CHANGED
@@ -0,0 +1 @@
|
|
1
|
+
b4bbd272755fbfe08aa848220681e86d987e4fb0
|
data/dawnscanner.gemspec
CHANGED
@@ -8,8 +8,8 @@ Gem::Specification.new do |gem|
|
|
8
8
|
gem.version = Dawn::VERSION
|
9
9
|
gem.authors = ["Paolo Perego"]
|
10
10
|
gem.email = ["paolo@dawnscanner.org"]
|
11
|
-
gem.description = %q{
|
12
|
-
gem.summary = %q{
|
11
|
+
gem.description = %q{Dawnscanner is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 150 security checks with their own mitigation suggestion.}
|
12
|
+
gem.summary = %q{Dawnscanner is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
|
13
13
|
gem.homepage = "http://dawnscanner.org"
|
14
14
|
gem.files = `git ls-files`.split($/)
|
15
15
|
gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
|
@@ -19,7 +19,7 @@ Gem::Specification.new do |gem|
|
|
19
19
|
gem.cert_chain = ['certs/paolo_at_dawnscanner_dot_org.pem']
|
20
20
|
gem.signing_key = File.expand_path("~/.ssh/paolo_at_dawnscanner_dot_org_private_key.pem") if $0 =~ /gem\z/
|
21
21
|
|
22
|
-
gem.required_ruby_version = '>= 1.9.
|
22
|
+
gem.required_ruby_version = '>= 1.9.3'
|
23
23
|
|
24
24
|
gem.add_dependency 'cvss'
|
25
25
|
gem.add_dependency 'haml'
|
@@ -32,7 +32,7 @@ Gem::Specification.new do |gem|
|
|
32
32
|
gem.add_dependency 'justify'
|
33
33
|
gem.add_dependency 'logger-colors'
|
34
34
|
|
35
|
-
gem.
|
35
|
+
gem.add_development_dependency ('coveralls')
|
36
36
|
|
37
37
|
gem.add_development_dependency 'rake'
|
38
38
|
gem.add_development_dependency 'rspec'
|
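Review bot: The added `gem.add_development_dependency ('coveralls')` has a space between the method name and the parenthesis, which Ruby reads as a parenthesised argument and warns about under `-w`. The neighbouring lines use the bare form, so write `gem.add_development_dependency 'coveralls'` to match. The `Gem::Specification.new do |gem|` block starts and ends outside these hunks.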
@@ -0,0 +1,28 @@
|
|
1
|
+
module Dawn
|
2
|
+
module Kb
|
3
|
+
# Automatically created with rake on 2015-07-31
|
4
|
+
class CVE_2012_6684
|
5
|
+
include DependencyCheck
|
6
|
+
|
7
|
+
def initialize
|
8
|
+
message = "Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI."
|
9
|
+
super({
|
10
|
+
:name=>"CVE-2012-6684",
|
11
|
+
:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
12
|
+
:release_date => Date.new(2015, 1, 7),
|
13
|
+
:cwe=>"79",
|
14
|
+
:owasp=>"A1",
|
15
|
+
:osvdb=>"",
|
16
|
+
:applies=>["sinatra", "padrino", "rails"],
|
17
|
+
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
18
|
+
:message=>message,
|
19
|
+
:mitigation=>"Please upgrade RedCloth gem to the latest version",
|
20
|
+
:aux_links=>["https://gist.github.com/co3k/75b3cb416c342aa1414c", "http://co3k.org/blog/redcloth-unfixed-xss-en"]
|
21
|
+
})
|
22
|
+
|
23
|
+
self.safe_dependencies = [{:name=>"RedCloth", :version=>['4.2.10']}]
|
24
|
+
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
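Review bot: `:owasp=>"A1"` is out of step with the other dependency checks added in this release, which all carry `"A9"`; assuming the field follows the OWASP Top 10 2013 list, A1 is injection and XSS is A3. Use `:owasp=>"A9"`, or `"A3"` if the field is meant to classify the flaw rather than the finding. The second aux link's slug describes the XSS as unfixed, so it is worth confirming that a RedCloth 4.2.10 release carrying the fix exists before listing it in `safe_dependencies`. The Changelog entry for this check names it CVE-2012-6674, while the class and spec use CVE-2012-6684.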
@@ -0,0 +1,29 @@
|
|
1
|
+
module Dawn
|
2
|
+
module Kb
|
3
|
+
# Automatically created with rake on 2015-08-03
|
4
|
+
class CVE_2014_3916
|
5
|
+
include RubyVersionCheck
|
6
|
+
|
7
|
+
def initialize
|
8
|
+
message = "The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string."
|
9
|
+
super({
|
10
|
+
:name=>"CVE-2014-3916",
|
11
|
+
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
12
|
+
:release_date => Date.new(2014, 11, 16),
|
13
|
+
:cwe=>"19",
|
14
|
+
:owasp=>"A9",
|
15
|
+
:applies=>["rails", "sinatra", "padrino"],
|
16
|
+
:kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
17
|
+
:message=>message,
|
18
|
+
:mitigation=>"Please upgrade ruby interpreter to 2.2.x or later.",
|
19
|
+
:aux_links=>["https://bugs.ruby-lang.org/issues/9709", "http://www.securityfocus.com/bid/67705"]
|
20
|
+
})
|
21
|
+
|
22
|
+
self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.99", :patchlevel=>"p999"},
|
23
|
+
{:engine=>"ruby", :version=>"2.0.99", :patchlevel=>"p999"},
|
24
|
+
{:engine=>"ruby", :version=>"2.1.99", :patchlevel=>"p999"}]
|
25
|
+
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
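Review bot: The `safe_rubies` entries `1.9.99`, `2.0.99` and `2.1.99` with patchlevel `p999` are not real releases, and nothing in the file says whether they are placeholders or a deliberate way to report every 1.9, 2.0 and 2.1 interpreter. If the latter is the intent (it would match the mitigation text pointing to 2.2.x), add a comment above the assignment such as `# no fixed 1.9/2.0/2.1 release: sentinel versions so every interpreter on these branches is reported`. How RubyVersionCheck compares these values is not visible here, so the effect should be confirmed with a spec for a real 2.1.x version.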
@@ -0,0 +1,28 @@
|
|
1
|
+
module Dawn
|
2
|
+
module Kb
|
3
|
+
# Automatically created with rake on 2015-08-03
|
4
|
+
class CVE_2014_4975
|
5
|
+
include RubyVersionCheck
|
6
|
+
|
7
|
+
def initialize
|
8
|
+
message = "Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow."
|
9
|
+
super({
|
10
|
+
:name=>"CVE-2014-4975",
|
11
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
12
|
+
:release_date => Date.new(2014, 11, 15),
|
13
|
+
:cwe=>"119",
|
14
|
+
:owasp=>"A9",
|
15
|
+
:applies=>["rails", "sinatra", "padrino"],
|
16
|
+
:kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
17
|
+
:message=>message,
|
18
|
+
:mitigation=>"Please upgrade ruby interpreter to 2.1.3 or later. Please note that latest 2.2.x version is suggested.",
|
19
|
+
:aux_links=>["http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=46778", "https://bugs.ruby-lang.org/issues/10019"]
|
20
|
+
})
|
21
|
+
|
22
|
+
self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.99", :patchlevel=>"p999"},
|
23
|
+
{:engine=>"ruby", :version=>"2.0.99", :patchlevel=>"p999"},
|
24
|
+
{:engine=>"ruby", :version=>"2.1.2", :patchlevel=>"p999"}]
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
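Review bot: The `:cvss` vector scores a confidentiality impact (`C:P/I:N/A:N`) while the message describes a denial of service, so the recorded severity does not match the finding being reported. The availability metric is presumably the one meant, `:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P"`; confirm against the advisory. The 2.1 entry in `safe_rubies` also uses `2.1.2` with a `p999` patchlevel rather than the fixed `2.1.3` named in the mitigation, and a one-line comment explaining that convention would help the next maintainer.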
@@ -0,0 +1,26 @@
|
|
1
|
+
module Dawn
|
2
|
+
module Kb
|
3
|
+
# Automatically created with rake on 2015-09-02
|
4
|
+
class CVE_2014_7818
|
5
|
+
include DependencyCheck
|
6
|
+
|
7
|
+
def initialize
|
8
|
+
message = "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence."
|
9
|
+
super({
|
10
|
+
:name=>"CVE-2014-7818",
|
11
|
+
:cvss=>"AV:N/AC:M/Au:N/C:P/I:N/A:N",
|
12
|
+
:release_date => Date.new(2014, 11, 8),
|
13
|
+
:cwe=>"22",
|
14
|
+
:owasp=>"A9",
|
15
|
+
:applies=>["rails", "sinatra", "padrino"],
|
16
|
+
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
17
|
+
:message=>message,
|
18
|
+
:mitigation=>"Please upgrade rails gem to latest version or at least 3.2.20, 4.0.11, 4.1.7 or 4.2.0.beta3. If unsure upgrade to the latest available version.",
|
19
|
+
:aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"]
|
20
|
+
})
|
21
|
+
|
22
|
+
self.safe_dependencies = [{:name=>"rails", :version=>['3.2.20', '4.0.11', '4.1.7', '4.2.0.beta3']}]
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
end
|
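Review bot: `safe_dependencies` matches only the `rails` gem although the message places the flaw in Action Pack's static middleware, so a project that bundles `actionpack` without the `rails` meta-gem would presumably go unreported; how DependencyCheck matches names is outside this hunk. Consider adding `{:name=>"actionpack", :version=>['3.2.20', '4.0.11', '4.1.7', '4.2.0.beta3']}`; the same applies to the CVE-2014-7829 check for the same file. `:applies` here lists sinatra and padrino as well, whereas CVE-2014-7829 uses `["rails"]`, and the two should agree.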
@@ -0,0 +1,31 @@
|
|
1
|
+
module Dawn
|
2
|
+
module Kb
|
3
|
+
# Automatically created with rake on 2015-08-31
|
4
|
+
class CVE_2014_7819
|
5
|
+
include DependencyCheck
|
6
|
+
|
7
|
+
def initialize
|
8
|
+
message = "Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding."
|
9
|
+
|
10
|
+
super({
|
11
|
+
:name=>"CVE-2014-7819",
|
12
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N)",
|
13
|
+
:release_date => Date.new(2014, 11, 8),
|
14
|
+
:cwe=>"22",
|
15
|
+
:owasp=>"A9",
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
17
|
+
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
18
|
+
:message=>message,
|
19
|
+
:mitigation=>"Please upgrade rails gem to latest version or at least 3.2.18 or 4.1.8. If you're using sprockets standalone, please upgrade it to the latest version.",
|
20
|
+
:aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ"]
|
21
|
+
})
|
22
|
+
|
23
|
+
self.save_major = true
|
24
|
+
self.save_minor = true
|
25
|
+
self.safe_dependencies = [{:name=>"rails", :version=>['3.2.18', '4.1.8']},
|
26
|
+
{:name=>"sprockets", :version=>['2.0.6', '2.1.4', '2.2.3', '2.3.3', '2.4.6', '2.5.1', '2.6.1', '2.7.1', '2.8.3', '2.9.4', '2.10.2', '2.11.3', '2.12.3', '3.0.0.beta3']}]
|
27
|
+
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
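Review bot: The `:cvss` string ends with a stray `)` (`"AV:N/AC:L/Au:N/C:P/I:N/A:N)"`), so it is not a well-formed CVSS v2 vector and whatever parses it for scoring may reject it or mis-score the finding; it should read `:cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N"`. The sprockets list in `safe_dependencies` also disagrees with the message: the message gives 2.0.5 and 3.0.0.beta.3 as fixed, while the list has `'2.0.6'` and `'3.0.0.beta3'`. If the message is right, 2.0.5 is reported as vulnerable when it is not, and the beta version string may not compare as intended.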
@@ -0,0 +1,28 @@
|
|
1
|
+
module Dawn
|
2
|
+
module Kb
|
3
|
+
# Automatically created with rake on 2015-07-31
|
4
|
+
class CVE_2014_7829
|
5
|
+
include DependencyCheck
|
6
|
+
|
7
|
+
def initialize
|
8
|
+
message = "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818."
|
9
|
+
|
10
|
+
super({
|
11
|
+
:name=>"CVE-2014-7829",
|
12
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
13
|
+
:release_date => Date.new(2014, 11, 18),
|
14
|
+
:cwe=>"22",
|
15
|
+
:owasp=>"A9",
|
16
|
+
:applies=>["rails"],
|
17
|
+
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
18
|
+
:message=>message,
|
19
|
+
:mitigation=>"Please upgrade rails gem to latest version or at least 3.2.21, 4.0.12, 4.1.8 or 4.2.0.beta4.",
|
20
|
+
:aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ"]
|
21
|
+
})
|
22
|
+
|
23
|
+
self.safe_dependencies = [{:name=>"rails", :version=>['3.2.21', '4.0.12', '4.1.8', '4.2.0.beta4']}]
|
24
|
+
|
25
|
+
end
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
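Review bot: Inside the double-quoted `message` string, `\ (backslash)` is an escape sequence, so Ruby drops the backslash and the reported text reads "involving a  (backslash) character" without the character it is describing. Escape it as `\\ (backslash)` so the finding shows the actual trigger character.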
@@ -0,0 +1,30 @@
|
|
1
|
+
module Dawn
|
2
|
+
module Kb
|
3
|
+
# Automatically created with rake on 2015-07-31
|
4
|
+
class CVE_2014_8090
|
5
|
+
include RubyVersionCheck
|
6
|
+
|
7
|
+
def initialize
|
8
|
+
message = "The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080."
|
9
|
+
|
10
|
+
super({
|
11
|
+
:name=>"CVE-2014-8090",
|
12
|
+
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
13
|
+
:release_date => Date.new(2014, 11, 21),
|
14
|
+
:cwe=>"611",
|
15
|
+
:owasp=>"A9",
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
17
|
+
:kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
18
|
+
:message=>message,
|
19
|
+
:mitigation=>"Please upgrade ruby interpreter to 1.9.3-p551 or 2.0.0-p598 or 2.1.5. Please note that latest 2.2.x version is suggested.",
|
20
|
+
:aux_links=>["https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/"]
|
21
|
+
})
|
22
|
+
|
23
|
+
self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p551"},
|
24
|
+
{:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p598"},
|
25
|
+
{:engine=>"ruby", :version=>"2.1.5", :patchlevel=>"p0"}]
|
26
|
+
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
30
|
+
end
|
@@ -0,0 +1,29 @@
|
|
1
|
+
module Dawn
|
2
|
+
module Kb
|
3
|
+
# Automatically created with rake on 2015-07-30
|
4
|
+
class CVE_2014_9490
|
5
|
+
include DependencyCheck
|
6
|
+
|
7
|
+
def initialize
|
8
|
+
message = "The numtok function in lib/raven/okjson.rb in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number."
|
9
|
+
|
10
|
+
super({
|
11
|
+
:name=>"CVE-2014-9490",
|
12
|
+
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
13
|
+
:release_date => Date.new(2015, 1, 20),
|
14
|
+
:cwe=>"399",
|
15
|
+
:owasp=>"A9",
|
16
|
+
:osvdb=>"115654",
|
17
|
+
:applies=>["sinatra", "padrino", "rails"],
|
18
|
+
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
19
|
+
:message=>message,
|
20
|
+
:mitigation=>"Please upgrade raven-ruby gem to the latest version",
|
21
|
+
:aux_links=>["https://github.com/getsentry/raven-ruby/commit/477ee93a3f735be33bc1e726820654cdf6e22d8f", "http://seclists.org/oss-sec/2015/q1/26"]
|
22
|
+
})
|
23
|
+
|
24
|
+
self.safe_dependencies = [{:name=>"raven-ruby", :version=>['0.12.2']}]
|
25
|
+
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
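Review bot: `safe_dependencies` matches on the name `raven-ruby`, which is the name of the GitHub repository in the first aux link; as far as I know the gem itself is published as `sentry-raven`. If DependencyCheck compares against gem names taken from the bundle, this check would never fire and vulnerable installs would go unreported. Confirm the published name and, if so, use `{:name=>"sentry-raven", :version=>['0.12.2']}`, with the matching change in the spec for this check.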
@@ -0,0 +1,29 @@
|
|
1
|
+
module Dawn
|
2
|
+
module Kb
|
3
|
+
# Automatically created with rake on 2015-07-30
|
4
|
+
class CVE_2015_3448
|
5
|
+
include DependencyCheck
|
6
|
+
|
7
|
+
def initialize
|
8
|
+
message = "REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log."
|
9
|
+
|
10
|
+
super({
|
11
|
+
:name=>"CVE-2015-3448",
|
12
|
+
:cvss=>"AV:L/AC:L/Au:N/C:P/I:N/A:N",
|
13
|
+
:release_date => Date.new(2015, 4, 29),
|
14
|
+
:cwe=>"200",
|
15
|
+
:owasp=>"A9",
|
16
|
+
:osvdb=>"117461",
|
17
|
+
:applies=>["sinatra", "padrino", "rails"],
|
18
|
+
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
19
|
+
:message=>message,
|
20
|
+
:mitigation=>"Please upgrade rest-client gem to the latest version",
|
21
|
+
:aux_links=>["https://github.com/rest-client/rest-client/issues/349","http://www.osvdb.org/117461"]
|
22
|
+
})
|
23
|
+
|
24
|
+
self.safe_dependencies = [{:name=>"rest-client", :version=>['1.7.3']}]
|
25
|
+
|
26
|
+
end
|
27
|
+
end
|
28
|
+
end
|
29
|
+
end
|
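--- a/data/lib/dawn/knowledge_base.rb
+++ b/data/lib/dawn/knowledge_base.rb
@@ -134,6 +134,7 @@ require "dawn/kb/cve_2012_6109"
 require "dawn/kb/cve_2012_6134"
 require "dawn/kb/cve_2012_6496"
 require "dawn/kb/cve_2012_6497"
+require "dawn/kb/cve_2012_6684"
 
 # CVE - 2013
 require "dawn/kb/cve_2013_0155"
@@ -220,6 +221,13 @@ require "dawn/kb/cve_2014_2525"
 require "dawn/kb/cve_2014_2538"
 require "dawn/kb/cve_2014_3482"
 require "dawn/kb/cve_2014_3483"
+require "dawn/kb/cve_2014_3916"
+require "dawn/kb/cve_2014_4975"
+require "dawn/kb/cve_2014_7818"
+require "dawn/kb/cve_2014_7819"
+require "dawn/kb/cve_2014_7829"
+require "dawn/kb/cve_2014_8090"
+require "dawn/kb/cve_2014_9490"
 
 # CVE - 2015
 
@@ -234,6 +242,7 @@ require "dawn/kb/cve_2015_3224"
 require "dawn/kb/cve_2015_3225"
 require "dawn/kb/cve_2015_3226"
 require "dawn/kb/cve_2015_3227"
+require "dawn/kb/cve_2015_3448"
 
 
 # OSVDB
@@ -410,6 +419,7 @@ module Dawn
 Dawn::Kb::CVE_2012_6134.new,
 Dawn::Kb::CVE_2012_6496.new,
 Dawn::Kb::CVE_2012_6497.new,
+Dawn::Kb::CVE_2012_6684.new,
 Dawn::Kb::CVE_2013_0155.new,
 Dawn::Kb::CVE_2013_0156.new,
 Dawn::Kb::CVE_2013_0162.new,
@@ -491,6 +501,13 @@ module Dawn
 Dawn::Kb::CVE_2014_2538.new,
 Dawn::Kb::CVE_2014_3482.new,
 Dawn::Kb::CVE_2014_3483.new,
+Dawn::Kb::CVE_2014_3916.new,
+Dawn::Kb::CVE_2014_4975.new,
+Dawn::Kb::CVE_2014_7818.new,
+Dawn::Kb::CVE_2014_7819.new,
+Dawn::Kb::CVE_2014_7829.new,
+Dawn::Kb::CVE_2014_8090.new,
+Dawn::Kb::CVE_2014_9490.new,
 Dawn::Kb::CVE_2015_1840_a.new,
 Dawn::Kb::CVE_2015_1840_b.new,
 Dawn::Kb::CVE_2015_2963.new,
@@ -498,6 +515,7 @@ module Dawn
 Dawn::Kb::CVE_2015_3225.new,
 Dawn::Kb::CVE_2015_3226.new,
 Dawn::Kb::CVE_2015_3227.new,
+Dawn::Kb::CVE_2015_3448.new,
 
 
 # OSVDB Checks are still here since are all about dependencies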
data/lib/dawn/version.rb
CHANGED
@@ -988,4 +988,50 @@ describe "The Codesake Dawn knowledge base" do
|
|
988
988
|
sc.class.should == Dawn::Kb::CVE_2015_2963
|
989
989
|
end
|
990
990
|
it "CVE-2015-1840 can't be tested. Trust me. It works"
|
991
|
+
it "must have test for CVE-2015-3448" do
|
992
|
+
sc = kb.find("CVE-2015-3448")
|
993
|
+
sc.should_not be_nil
|
994
|
+
sc.class.should == Dawn::Kb::CVE_2015_3448
|
995
|
+
end
|
996
|
+
it "must have test for CVE-2014-9490" do
|
997
|
+
sc = kb.find("CVE-2014-9490")
|
998
|
+
sc.should_not be_nil
|
999
|
+
sc.class.should == Dawn::Kb::CVE_2014_9490
|
1000
|
+
end
|
1001
|
+
it "must have test for CVE-2012-6684" do
|
1002
|
+
sc = kb.find("CVE-2012-6684")
|
1003
|
+
sc.should_not be_nil
|
1004
|
+
sc.class.should == Dawn::Kb::CVE_2012_6684
|
1005
|
+
end
|
1006
|
+
it "must have test for CVE-2014-8090" do
|
1007
|
+
sc = kb.find("CVE-2014-8090")
|
1008
|
+
sc.should_not be_nil
|
1009
|
+
sc.class.should == Dawn::Kb::CVE_2014_8090
|
1010
|
+
end
|
1011
|
+
it "must have test for CVE-2014-7829" do
|
1012
|
+
sc = kb.find("CVE-2014-7829")
|
1013
|
+
sc.should_not be_nil
|
1014
|
+
sc.class.should == Dawn::Kb::CVE_2014_7829
|
1015
|
+
end
|
1016
|
+
it "must have test for CVE-2014-3916" do
|
1017
|
+
sc = kb.find("CVE-2014-3916")
|
1018
|
+
sc.should_not be_nil
|
1019
|
+
sc.class.should == Dawn::Kb::CVE_2014_3916
|
1020
|
+
end
|
1021
|
+
it "not sure if it must have check for CVE-2014-3248. Too much gem involved in a single CVE only with ruby 1.9.1 and with social engineering required"
|
1022
|
+
it "must have test for CVE-2014-4975" do
|
1023
|
+
sc = kb.find("CVE-2014-4975")
|
1024
|
+
sc.should_not be_nil
|
1025
|
+
sc.class.should == Dawn::Kb::CVE_2014_4975
|
1026
|
+
end
|
1027
|
+
it "must have test for CVE-2014-7819" do
|
1028
|
+
sc = kb.find("CVE-2014-7819")
|
1029
|
+
sc.should_not be_nil
|
1030
|
+
sc.class.should == Dawn::Kb::CVE_2014_7819
|
1031
|
+
end
|
1032
|
+
it "must have test for CVE-2014-7818" do
|
1033
|
+
sc = kb.find("CVE-2014-7818")
|
1034
|
+
sc.should_not be_nil
|
1035
|
+
sc.class.should == Dawn::Kb::CVE_2014_7818
|
1036
|
+
end
|
991
1037
|
end
|
@@ -0,0 +1,16 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
describe "The CVE-2012-6684 vulnerability" do
|
3
|
+
before(:all) do
|
4
|
+
@check = Dawn::Kb::CVE_2012_6684.new
|
5
|
+
# @check.debug = true
|
6
|
+
end
|
7
|
+
it "is reported when vulnerable raven-ruby gem is used (4.2.9)" do
|
8
|
+
@check.dependencies = [{:name=>"RedCloth", :version=>'4.2.9'}]
|
9
|
+
@check.vuln?.should == true
|
10
|
+
end
|
11
|
+
it "is not reported when safe raven-ruby gem is used (4.2.10)" do
|
12
|
+
@check.dependencies = [{:name=>"RedCloth", :version=>'4.2.10'}]
|
13
|
+
@check.vuln?.should == false
|
14
|
+
end
|
15
|
+
|
16
|
+
end
|
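Review bot: Both example descriptions say "raven-ruby gem" while the dependencies under test are RedCloth 4.2.9 and 4.2.10, apparently carried over from another spec, so a failing run would name the wrong gem. Rename them to `it "is reported when vulnerable RedCloth gem is used (4.2.9)" do` and `it "is not reported when safe RedCloth gem is used (4.2.10)" do`.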
@@ -0,0 +1,16 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
describe "The CVE-2013-4491 vulnerability" do
|
3
|
+
before(:all) do
|
4
|
+
@check = Dawn::Kb::CVE_2013_4491.new
|
5
|
+
# @check.debug = true
|
6
|
+
end
|
7
|
+
|
8
|
+
it "is reported when the vulnerable gem is detected" do
|
9
|
+
@check.dependencies = [{:name=>"rails", :version=>"3.2.15"}]
|
10
|
+
@check.vuln?.should == true
|
11
|
+
end
|
12
|
+
it "is not reported when a fixed release is detected" do
|
13
|
+
@check.dependencies = [{:name=>"rails", :version=>"3.2.22"}]
|
14
|
+
@check.vuln?.should == false
|
15
|
+
end
|
16
|
+
end
|
@@ -0,0 +1,42 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
describe "The CVE-2014-7818 vulnerability" do
|
3
|
+
before(:all) do
|
4
|
+
@check = Dawn::Kb::CVE_2014_7818.new
|
5
|
+
# @check.debug = true
|
6
|
+
end
|
7
|
+
it "is reported when vulnerable rails gem is used (3.2.18)" do
|
8
|
+
@check.dependencies = [{:name=>"rails", :version=>'3.2.18'}]
|
9
|
+
@check.vuln?.should == true
|
10
|
+
end
|
11
|
+
it "is reported when vulnerable rails gem is used (4.0.7)" do
|
12
|
+
@check.dependencies = [{:name=>"rails", :version=>'4.0.7'}]
|
13
|
+
@check.vuln?.should == true
|
14
|
+
end
|
15
|
+
it "is reported when vulnerable rails gem is used (4.1.6)" do
|
16
|
+
@check.dependencies = [{:name=>"rails", :version=>'4.1.6'}]
|
17
|
+
@check.vuln?.should == true
|
18
|
+
end
|
19
|
+
it "is reported when vulnerable rails gem is used (4.2.0.beta2)" do
|
20
|
+
@check.dependencies = [{:name=>"rails", :version=>'4.2.0.beta2'}]
|
21
|
+
@check.vuln?.should == true
|
22
|
+
end
|
23
|
+
|
24
|
+
# SAFE VERSIONS
|
25
|
+
it "is not reported when safe rails gem is used (3.2.20)" do
|
26
|
+
@check.dependencies = [{:name=>"rails", :version=>'3.2.20'}]
|
27
|
+
@check.vuln?.should == false
|
28
|
+
end
|
29
|
+
it "is not reported when safe rails gem is used (4.0.11)" do
|
30
|
+
@check.dependencies = [{:name=>"rails", :version=>'4.0.11'}]
|
31
|
+
@check.vuln?.should == false
|
32
|
+
end
|
33
|
+
it "is not reported when safe rails gem is used (4.1.7)" do
|
34
|
+
@check.dependencies = [{:name=>"rails", :version=>'4.1.7'}]
|
35
|
+
@check.vuln?.should == false
|
36
|
+
end
|
37
|
+
it "is not reported when safe rails gem is used (4.2.0.beta3)" do
|
38
|
+
@check.dependencies = [{:name=>"rails", :version=>'4.2.0.beta3'}]
|
39
|
+
@check.vuln?.should == false
|
40
|
+
end
|
41
|
+
|
42
|
+
end
|
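--- a/data/spec/lib/kb/cve_2014_7819_spec.rb
+++ b/data/spec/lib/kb/cve_2014_7819_spec.rb
@@ -0,0 +1,139 @@
+require 'spec_helper'
+describe "The CVE-2014-7819 vulnerability" do
+before(:all) do
+@check = Dawn::Kb::CVE_2014_7819.new
+# @check.debug = true
+end
+# Vulnerable versions
+it "is reported when vulnerable rails gem is used (4.1.7)" do
+@check.dependencies = [{:name=>"rails", :version=>'4.1.7'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable rails gem is used (3.2.17)" do
+@check.dependencies = [{:name=>"rails", :version=>'3.2.17'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable sprockets gem is used (2.0.5)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.0.5'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable sprockets gem is used (2.1.3)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.1.3'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable sprockets gem is used (2.2.2)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.2.2'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable sprockets gem is used (2.3.2)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.3.2'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable sprockets gem is used (2.4.5)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.4.5'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable sprockets gem is used (2.5.0)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.5.0'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable sprockets gem is used (2.6.0)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.6.0'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable sprockets gem is used (2.7.0)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.7.0'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable sprockets gem is used (2.8.2)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.8.2'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable sprockets gem is used (2.9.3)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.9.3'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable sprockets gem is used (2.10.1)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.10.1'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable sprockets gem is used (2.11.2)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.11.2'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable sprockets gem is used (2.12.2)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.12.2'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable sprockets gem is used (3.0.0.beta2)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'3.0.0.beta2'}]
+@check.vuln?.should == true
+end
+# Safe versions
+it "is not reported when safe rails gem is used (4.1.8)" do
+@check.dependencies = [{:name=>"rails", :version=>'4.1.8'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe rails gem is used (3.2.18)" do
+@check.dependencies = [{:name=>"rails", :version=>'3.2.18'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe sprockets gem is used (2.0.6)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.0.6'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe sprockets gem is used (2.1.4)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.1.4'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe sprockets gem is used (2.2.3)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.2.3'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe sprockets gem is used (2.3.3)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.3.3'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe sprockets gem is used (2.4.6)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.4.6'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe sprockets gem is used (2.5.6)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.5.6'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe sprockets gem is used (2.6.6)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.6.6'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe sprockets gem is used (2.7.6)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.7.6'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe sprockets gem is used (2.8.6)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.8.6'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe sprockets gem is used (2.9.6)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.9.6'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe sprockets gem is used (2.10.6)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.10.6'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe sprockets gem is used (2.11.6)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.11.6'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe sprockets gem is used (2.12.6)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'2.12.6'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe sprockets gem is used (3.0.0.beta3)" do
+@check.dependencies = [{:name=>"sprockets", :version=>'3.0.0.beta3'}]
+@check.vuln?.should == false
+end
+
+
+end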
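Review bot: The safe-side examples for the sprockets 2.5 through 2.12 series all use an x.y.6 release (`2.5.6`, `2.8.6`, `2.12.6`, …) while the vulnerable side stops at `2.5.0`, `2.8.2`, `2.12.2`, so the releases in between are never exercised. The check could classify those versions either way without failing this spec, which leaves the fixed-version boundary of each series unpinned. Add one example per series at the first fixed release named in the advisory, e.g. `@check.dependencies = [{:name=>"sprockets", :version=>'<first fixed 2.8.x release>'}]` with `@check.vuln?.should == false`. The `2.0.5` expectation is also worth re-checking against the advisory, which as far as I recall lists 2.0.5 among the fixed releases.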
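--- a/data/spec/lib/kb/cve_2014_7829_spec.rb
+++ b/data/spec/lib/kb/cve_2014_7829_spec.rb
@@ -0,0 +1,50 @@
+require 'spec_helper'
+describe "The CVE-2014-7829 vulnerability" do
+before(:all) do
+@check = Dawn::Kb::CVE_2014_7829.new
+# @check.debug = true
+end
+it "is reported when vulnerable rails gem is used (3.2.20)" do
+@check.dependencies = [{:name=>"rails", :version=>'3.2.20'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable rails gem is used (3.1.20)" do
+@check.dependencies = [{:name=>"rails", :version=>'3.1.20'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable rails gem is used (3.0.20)" do
+@check.dependencies = [{:name=>"rails", :version=>'3.0.20'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable rails gem is used (4.0.11)" do
+@check.dependencies = [{:name=>"rails", :version=>'4.0.11'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable rails gem is used (4.1.7)" do
+@check.dependencies = [{:name=>"rails", :version=>'4.1.7'}]
+@check.vuln?.should == true
+end
+it "is reported when vulnerable rails gem is used (4.2.0.beta3)" do
+@check.dependencies = [{:name=>"rails", :version=>'4.2.0.beta3'}]
+@check.vuln?.should == true
+end
+
+it "is not reported when safe rails gem is used (3.2.21)" do
+@check.dependencies = [{:name=>"rails", :version=>'3.2.21'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe rails gem is used (4.0.12)" do
+@check.dependencies = [{:name=>"rails", :version=>'4.0.12'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe rails gem is used (4.1.8)" do
+@check.dependencies = [{:name=>"rails", :version=>'4.1.8'}]
+@check.vuln?.should == false
+end
+it "is not reported when safe rails gem is used (4.2.0.beta4)" do
+@check.dependencies = [{:name=>"rails", :version=>'4.2.0.beta4'}]
+@check.vuln?.should == false
+end
+
+it "is reported when..."
+end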
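Review bot: The last example, `it "is reported when..."`, has a placeholder description and no block, so RSpec will list it as pending on every run instead of testing anything. Either drop the line or replace it with the case it was meant to cover. The 3.1.20 and 3.0.20 examples have no safe counterpart in this spec; if those series never received a fixed release, a short comment such as `# 3.0.x and 3.1.x: no fixed release, always reported` would tell the reader the gap is intentional.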
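--- a/data/spec/lib/kb/cve_2014_9490_spec.rb
+++ b/data/spec/lib/kb/cve_2014_9490_spec.rb
@@ -0,0 +1,17 @@
+require 'spec_helper'
+describe "The CVE-2014-9490 vulnerability" do
+before(:all) do
+@check = Dawn::Kb::CVE_2014_9490.new
+# @check.debug = true
+end
+
+it "is reported when vulnerable raven-ruby gem is used (0.12.1)" do
+@check.dependencies = [{:name=>"raven-ruby", :version=>'0.12.1'}]
+@check.vuln?.should == true
+end
+it "is not reported when safe raven-ruby gem is used (0.12.2)" do
+@check.dependencies = [{:name=>"raven-ruby", :version=>'0.12.2'}]
+@check.vuln?.should == false
+end
+
+end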
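Review bot: Both examples feed the check a dependency named `raven-ruby`, which is the project's repository name; as far as I know the gem is published as `sentry-raven`, and that is the name a Gemfile.lock would carry. The check file is not visible here, so confirm which name it matches: if it only matches `raven-ruby`, this spec passes while real applications are never flagged. An extra example with `@check.dependencies = [{:name=>"sentry-raven", :version=>'0.12.1'}]` expecting `true` would pin the name the scanner sees in practice.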
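--- a/data/spec/lib/kb/cve_2015_3448_spec.rb
+++ b/data/spec/lib/kb/cve_2015_3448_spec.rb
@@ -0,0 +1,16 @@
+require 'spec_helper'
+describe "The CVE-2015-3448 vulnerability" do
+before(:all) do
+@check = Dawn::Kb::CVE_2015_3448.new
+# @check.debug = true
+end
+it "is reported when vulnerable rest-client gem is used (1.7.2)" do
+@check.dependencies = [{:name=>"rest-client", :version=>'1.7.2'}]
+@check.vuln?.should == true
+end
+it "is not reported when safe rest-client gem is used (1.7.3)" do
+@check.dependencies = [{:name=>"rest-client", :version=>'1.7.3'}]
+@check.vuln?.should == false
+end
+
+end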
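Review bot: Coverage stops at the two releases either side of the fix (`1.7.2` and `1.7.3`); nothing exercises an older release line or a later minor. The check presumably decides on version comparison alone, so one example on each side away from the boundary (an older 1.6.x release expecting `true`, a later 1.x release expecting `false`) would catch a comparison that only behaves correctly inside the 1.7 series. The check file is not part of this section, so whether it handles other minors is not visible here.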
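--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dawnscanner
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.4.0
 platform: ruby
 authors:
 - Paolo Perego
@@ -30,7 +30,7 @@ cert_chain:
 1zH2rpK27DW5pOeHUEJn31+gGd111ogP5tYruPV7Qgfy2jUrUPmP67v7nRNlgd84
 Z5mHj9jGk4wgMQy2pk4GDwsXiirZfI0z2WZfySqEldE=
 -----END CERTIFICATE-----
-date: 2015-
+date: 2015-09-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: cvss
@@ -179,7 +179,7 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
-type: :
+type: :development
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
@@ -256,10 +256,11 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
-description:
-designed for web applications, but it works also with general purpose
-Dawn supports all major MVC frameworks like ruby on rails, padrino
-it provides more than 150 security checks with their own mitigation
+description: Dawnscanner is a security source code scanner for ruby powered code.
+It is especially designed for web applications, but it works also with general purpose
+ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino
+and sinatra; it provides more than 150 security checks with their own mitigation
+suggestion.
 email:
 - paolo@dawnscanner.org
 executables:
@@ -293,6 +294,7 @@ files:
 - checksum/dawnscanner-1.2.99.gem.sha1
 - checksum/dawnscanner-1.3.0.gem.sha1
 - checksum/dawnscanner-1.3.1.gem.sha1
+- checksum/dawnscanner-1.3.5.gem.sha1
 - dawnscanner.gemspec
 - doc/codesake-dawn.yaml.sample
 - doc/dawn_1_0_announcement.md
@@ -393,6 +395,7 @@ files:
 - lib/dawn/kb/cve_2012_6134.rb
 - lib/dawn/kb/cve_2012_6496.rb
 - lib/dawn/kb/cve_2012_6497.rb
+- lib/dawn/kb/cve_2012_6684.rb
 - lib/dawn/kb/cve_2013_0155.rb
 - lib/dawn/kb/cve_2013_0156.rb
 - lib/dawn/kb/cve_2013_0162.rb
@@ -474,6 +477,13 @@ files:
 - lib/dawn/kb/cve_2014_2538.rb
 - lib/dawn/kb/cve_2014_3482.rb
 - lib/dawn/kb/cve_2014_3483.rb
+- lib/dawn/kb/cve_2014_3916.rb
+- lib/dawn/kb/cve_2014_4975.rb
+- lib/dawn/kb/cve_2014_7818.rb
+- lib/dawn/kb/cve_2014_7819.rb
+- lib/dawn/kb/cve_2014_7829.rb
+- lib/dawn/kb/cve_2014_8090.rb
+- lib/dawn/kb/cve_2014_9490.rb
 - lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb
 - lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb
 - lib/dawn/kb/cve_2015_2963.rb
@@ -481,6 +491,7 @@ files:
 - lib/dawn/kb/cve_2015_3225.rb
 - lib/dawn/kb/cve_2015_3226.rb
 - lib/dawn/kb/cve_2015_3227.rb
+- lib/dawn/kb/cve_2015_3448.rb
 - lib/dawn/kb/dependency_check.rb
 - lib/dawn/kb/deprecation_check.rb
 - lib/dawn/kb/not_revised_code.rb
@@ -541,6 +552,7 @@ files:
 - spec/lib/kb/cve_2012_2139_spec.rb
 - spec/lib/kb/cve_2012_2671_spec.rb
 - spec/lib/kb/cve_2012_6109_spec.rb
+- spec/lib/kb/cve_2012_6684_spec.rb
 - spec/lib/kb/cve_2013_0162_spec.rb
 - spec/lib/kb/cve_2013_0183_spec.rb
 - spec/lib/kb/cve_2013_0184_spec.rb
@@ -559,6 +571,7 @@ files:
 - spec/lib/kb/cve_2013_4203_spec.rb
 - spec/lib/kb/cve_2013_4413_spec.rb
 - spec/lib/kb/cve_2013_4489_spec.rb
+- spec/lib/kb/cve_2013_4491_spec.rb
 - spec/lib/kb/cve_2013_4593_spec.rb
 - spec/lib/kb/cve_2013_5647_spec.rb
 - spec/lib/kb/cve_2013_5671_spec.rb
@@ -576,12 +589,17 @@ files:
 - spec/lib/kb/cve_2014_2538_spec.rb
 - spec/lib/kb/cve_2014_3482_spec.rb
 - spec/lib/kb/cve_2014_3483_spec.rb
+- spec/lib/kb/cve_2014_7818_spec.rb
+- spec/lib/kb/cve_2014_7819_spec.rb
+- spec/lib/kb/cve_2014_7829_spec.rb
+- spec/lib/kb/cve_2014_9490_spec.rb
 - spec/lib/kb/cve_2015_1840_spec.rb
 - spec/lib/kb/cve_2015_2963_spec.rb
 - spec/lib/kb/cve_2015_3224_spec.rb
 - spec/lib/kb/cve_2015_3225_spec.rb
 - spec/lib/kb/cve_2015_3226_spec.rb
 - spec/lib/kb/cve_2015_3227_spec.rb
+- spec/lib/kb/cve_2015_3448_spec.rb
 - spec/lib/kb/osvdb_105971_spec.rb
 - spec/lib/kb/osvdb_108530_spec.rb
 - spec/lib/kb/osvdb_108563_spec.rb
@@ -608,7 +626,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: 1.9.
+version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
@@ -619,8 +637,9 @@ rubyforge_project:
 rubygems_version: 2.4.8
 signing_key:
 specification_version: 4
-summary:
-with love to make your sinatra, padrino and ruby on rails web applications
+summary: Dawnscanner is a security source code scanner for ruby powered code. It is
+crafted with love to make your sinatra, padrino and ruby on rails web applications
+secure.
 test_files:
 - features/dawn_complains_about_an_incorrect_command_line.feature.disabled
 - features/dawn_scan_a_secure_sinatra_app.feature.disabled
@@ -648,6 +667,7 @@ test_files:
 - spec/lib/kb/cve_2012_2139_spec.rb
 - spec/lib/kb/cve_2012_2671_spec.rb
 - spec/lib/kb/cve_2012_6109_spec.rb
+- spec/lib/kb/cve_2012_6684_spec.rb
 - spec/lib/kb/cve_2013_0162_spec.rb
 - spec/lib/kb/cve_2013_0183_spec.rb
 - spec/lib/kb/cve_2013_0184_spec.rb
@@ -666,6 +686,7 @@ test_files:
 - spec/lib/kb/cve_2013_4203_spec.rb
 - spec/lib/kb/cve_2013_4413_spec.rb
 - spec/lib/kb/cve_2013_4489_spec.rb
+- spec/lib/kb/cve_2013_4491_spec.rb
 - spec/lib/kb/cve_2013_4593_spec.rb
 - spec/lib/kb/cve_2013_5647_spec.rb
 - spec/lib/kb/cve_2013_5671_spec.rb
@@ -683,12 +704,17 @@ test_files:
 - spec/lib/kb/cve_2014_2538_spec.rb
 - spec/lib/kb/cve_2014_3482_spec.rb
 - spec/lib/kb/cve_2014_3483_spec.rb
+- spec/lib/kb/cve_2014_7818_spec.rb
+- spec/lib/kb/cve_2014_7819_spec.rb
+- spec/lib/kb/cve_2014_7829_spec.rb
+- spec/lib/kb/cve_2014_9490_spec.rb
 - spec/lib/kb/cve_2015_1840_spec.rb
 - spec/lib/kb/cve_2015_2963_spec.rb
 - spec/lib/kb/cve_2015_3224_spec.rb
 - spec/lib/kb/cve_2015_3225_spec.rb
 - spec/lib/kb/cve_2015_3226_spec.rb
 - spec/lib/kb/cve_2015_3227_spec.rb
+- spec/lib/kb/cve_2015_3448_spec.rb
 - spec/lib/kb/osvdb_105971_spec.rb
 - spec/lib/kb/osvdb_108530_spec.rb
 - spec/lib/kb/osvdb_108563_spec.rb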
metadata.gz.sig
CHANGED
Binary file
|