dawnscanner 1.6.8 → 1.6.9
- checksums.yaml +5 -5
- data/Changelog.md +11 -1
- data/README.md +46 -51
- data/VERSION +1 -1
- data/bin/dawn +32 -56
- data/checksum/dawnscanner-1.6.8.gem.sha1 +1 -0
- data/dawnscanner.gemspec +4 -8
- data/lib/dawn/core.rb +0 -3
- data/lib/dawn/kb/version_check.rb +18 -1
- data/lib/dawn/version.rb +4 -4
- data/lib/dawnscanner.rb +2 -2
- data/spec/lib/kb/cve_2016_2098_spec.rb +5 -1
- metadata +7 -57
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/certs/paolo_at_dawnscanner_dot_org.pem +0 -21
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA256:
|
3
|
+
metadata.gz: 269664ca2d6f8f14993ab85be4b78b81bba739743f25b560cc2e5c724e7d40e2
|
4
|
+
data.tar.gz: 88a2ad2f4e4e9a130e349ccde068d857b1b3eab17b531855f09e0262b7914be0
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: fa2a9f80292666ddfec7e62f3f75559dbbcf72f09b8787b7b67a31d2c89da87a0c51a9041bbf6958a6b51df0a29cd504b45e893a0a0949d0c63fcb611894bad5
|
7
|
+
data.tar.gz: d0a70f5255f423d5da629946efbc46531e2e7d881157a6a5800e9be7f11e1fa1dd6f5e64642a5fa103be9b138194693188f0d28da4c96bda8f541047c45302c9
|
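Review bot: with the signing certificate dropped in this same release (see the Changelog and gemspec hunks), the SHA256/SHA512 entries in this checksums.yaml are no longer covered by a signature, and since the file travels inside the gem it cannot authenticate the gem on its own. Nothing to change in this generated file, but the README should no longer suggest that installs can be verified, and a digest of the 1.6.9 gem should be published out of band (the data/checksum directory only gains a file for 1.6.8 in this diff).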
data/Changelog.md
CHANGED
@@ -5,7 +5,17 @@ It supports [Sinatra](http://www.sinatrarb.com),
|
|
5
5
|
[Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
|
6
6
|
frameworks.
|
7
7
|
|
8
|
-
_latest update:
|
8
|
+
_latest update: mer 28 nov 2018, 11.03.53, CET_
|
9
|
+
|
10
|
+
## Version 1.6.9 - codename: Tow Mater (2018-11-28)
|
11
|
+
|
12
|
+
* Removed signing certificate. This will solve issue #233 and #229
|
13
|
+
* Removed datamapper support. I will change to active\_record sooner or later.
|
14
|
+
This will solve issue #232 and issue #218
|
15
|
+
|
16
|
+
## Version 1.6.8 - codename: Tow Mater (2017-04-07)
|
17
|
+
|
18
|
+
* Update signing certficate
|
9
19
|
|
10
20
|
## Version 1.6.7 - codename: Tow Mater (2016-11-24)
|
11
21
|
|
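Review bot: the 1.6.9 entry omits two user-visible changes that are in this diff and should be listed: `required_ruby_version` moves from `>= 1.9.3` to `>= 2.3.0` (gemspec hunk) and the `--rails`, `--sinatra` and `--padrino` flags are removed from bin/dawn although their comment said "To be removed in 2.0.0". Also, "Removed signing certificate" should say that the gem is now published unsigned, and the 1.6.8 line has a typo: "certficate" should be "certificate".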
data/README.md
CHANGED
@@ -12,11 +12,22 @@ box:
|
|
12
12
|
* [Sinatra](http://www.sinatrarb.com)
|
13
13
|
* [Padrino](http://www.padrinorb.com)
|
14
14
|
|
15
|
+
## Quick update from November, 2018
|
16
|
+
|
17
|
+
As you can see dawnscanner is on hold since more then an year. Sorry for that.
|
18
|
+
It's life. I was overwhelmed by tons of stuff and I dedicated free time to
|
19
|
+
Offensive Security certifications. True to be told, I'm starting OSCE journey
|
20
|
+
really soon.
|
21
|
+
|
22
|
+
The dawnscanner project will be updated soon with new security checks and
|
23
|
+
kickstarted again.
|
24
|
+
|
25
|
+
Paolo
|
26
|
+
|
15
27
|
---
|
16
28
|
|
17
29
|
[![Gem Version](https://badge.fury.io/rb/dawnscanner.png)](http://badge.fury.io/rb/dawnscanner)
|
18
30
|
[![Build Status](https://travis-ci.org/thesp0nge/dawnscanner.png?branch=master)](https://travis-ci.org/thesp0nge/dawnscanner)
|
19
|
-
[![Dependency Status](https://gemnasium.com/thesp0nge/dawnscanner.png)](https://gemnasium.com/thesp0nge/dawnscanner)
|
20
31
|
[![Coverage Status](https://coveralls.io/repos/thesp0nge/dawnscanner/badge.png)](https://coveralls.io/r/thesp0nge/dawnscanner)
|
21
32
|
[![Code Triagers Badge](https://www.codetriage.com/thesp0nge/dawnscanner/badges/users.svg)](https://www.codetriage.com/thesp0nge/dawnscanner)
|
22
33
|
[![Inline docs](http://inch-ci.org/github/thesp0nge/dawnscanner.png?branch=master)](http://inch-ci.org/github/thesp0nge/dawnscanner)
|
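Review bot: two grammar fixes in the new "Quick update" paragraph: "since more then an year" should read "since more than a year", and "True to be told" should read "Truth be told". Dropping the Gemnasium badge is fine since that service no longer exists.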
@@ -50,30 +61,11 @@ application.
|
|
50
61
|
|
51
62
|
## Installation
|
52
63
|
|
53
|
-
dawnscanner rubygem is cryptographically signed. To be sure the gem you
|
54
|
-
install hasn’t been tampered, you must first add ```paolo@dawnscanner.org```
|
55
|
-
public signing certificate as trusted to your gem specific keyring.
|
56
|
-
|
57
|
-
```
|
58
|
-
$ gem cert --add <(curl -Ls https://raw.githubusercontent.com/thesp0nge/dawnscanner/master/certs/paolo_at_dawnscanner_dot_org.pem)
|
59
|
-
```
|
60
|
-
|
61
64
|
You can install latest dawnscanner version, fetching it from
|
62
65
|
[Rubygems](https://rubygems.org) by typing:
|
63
66
|
|
64
67
|
```
|
65
|
-
$ gem install dawnscanner
|
66
|
-
```
|
67
|
-
|
68
|
-
The MediumSecurity trust profile will verify signed gems, but allow the
|
69
|
-
installation of unsigned dependencies. This is necessary because not all of
|
70
|
-
dawnscanner’s dependencies are signed, so we cannot use HighSecurity.
|
71
|
-
|
72
|
-
In order to install a release candidate version, the gem install command line
|
73
|
-
is the following:
|
74
|
-
|
75
|
-
```
|
76
|
-
$ gem install dawnscanner --pre -P MediumSecurity
|
68
|
+
$ gem install dawnscanner
|
77
69
|
```
|
78
70
|
|
79
71
|
If you want to add dawn to your project Gemfile, you must add the following:
|
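Review bot: the rewritten Installation section silently drops two things. First, the release-candidate instructions disappear entirely; keep a line such as `$ gem install dawnscanner --pre` without the `-P MediumSecurity` flag. Second, readers who followed the previous `gem cert --add ...` step will expect signature verification; add one sentence stating that releases from 1.6.9 on are not signed, so `-P HighSecurity` or `-P MediumSecurity` should no longer be relied on for this gem.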
@@ -123,44 +115,47 @@ $ dawn -h
|
|
123
115
|
Usage: dawn [options] target_directory
|
124
116
|
|
125
117
|
Examples:
|
126
|
-
|
127
|
-
|
128
|
-
|
129
|
-
|
130
|
-
|
131
|
-
|
132
|
-
-
|
133
|
-
-
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
-
|
138
|
-
-
|
139
|
-
-
|
140
|
-
-
|
141
|
-
-
|
118
|
+
$ dawn a_sinatra_webapp_directory
|
119
|
+
$ dawn -C the_rails_blog_engine
|
120
|
+
$ dawn -C --json a_sinatra_webapp_directory
|
121
|
+
$ dawn --ascii-tabular-report my_rails_blog_ecommerce
|
122
|
+
$ dawn --html -F my_report.html my_rails_blog_ecommerce
|
123
|
+
|
124
|
+
-G, --gem-lock force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock (DEPRECATED)
|
125
|
+
-d, --dependencies force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock
|
126
|
+
|
127
|
+
Reporting
|
128
|
+
|
129
|
+
-a, --ascii-tabular-report cause dawn to format findings using tables in ascii art (DEPRECATED)
|
130
|
+
-j, --json cause dawn to format findings using json
|
131
|
+
-K, --console cause dawn to format findings using plain ascii text
|
132
|
+
-C, --count-only dawn will only count vulnerabilities (useful for scripts)
|
133
|
+
-z, --exit-on-warn dawn will return number of found vulnerabilities as exit code
|
134
|
+
-F, --file filename tells dawn to write output to filename
|
135
|
+
-c, --config-file filename tells dawn to load configuration from filename
|
142
136
|
|
143
137
|
Disable security check family
|
144
138
|
|
145
|
-
--disable-cve-bulletins
|
146
|
-
--disable-code-quality
|
147
|
-
--disable-code-style
|
148
|
-
--disable-owasp-ror-cheatsheet
|
149
|
-
--disable-owasp-top-10
|
139
|
+
--disable-cve-bulletins disable all CVE security checks
|
140
|
+
--disable-code-quality disable all code quality checks
|
141
|
+
--disable-code-style disable all code style checks
|
142
|
+
--disable-owasp-ror-cheatsheet disable all Owasp Ruby on Rails cheatsheet checks
|
143
|
+
--disable-owasp-top-10 disable all Owasp Top 10 checks
|
150
144
|
|
151
|
-
Flags useful to query
|
145
|
+
Flags useful to query Dawn
|
152
146
|
|
153
|
-
|
154
|
-
|
155
|
-
|
156
|
-
|
147
|
+
-S, --search-knowledge-base [check_name] search check_name in the knowledge base
|
148
|
+
--list-knowledge-base list knowledge-base content
|
149
|
+
--list-known-families list security check families contained in dawn's knowledge base
|
150
|
+
--list-known-framework list ruby MVC frameworks supported by dawn
|
151
|
+
--list-scan-registry list past scan informations stored in scan registry
|
157
152
|
|
158
153
|
Service flags
|
159
154
|
|
160
|
-
-D, --debug
|
161
|
-
-V, --verbose
|
162
|
-
-v, --version
|
163
|
-
-h, --help
|
155
|
+
-D, --debug enters dawn debug mode
|
156
|
+
-V, --verbose the output will be more verbose
|
157
|
+
-v, --version show version information
|
158
|
+
-h, --help show this help
|
164
159
|
```
|
165
160
|
|
166
161
|
### Rake task
|
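Review bot: the new help text documents `--list-scan-registry list past scan informations stored in scan registry`, but the registry it reads (`Dawn::Registry`, backed by DataMapper) is commented out in bin/dawn in this same diff, so the flag can no longer return anything useful; either drop the line or mark the flag as disabled until the ActiveRecord migration lands. Minor wording: "informations" should be "information", and "Owasp" should be "OWASP" in the `--disable-owasp-*` descriptions.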
data/VERSION
CHANGED
data/bin/dawn
CHANGED
@@ -13,10 +13,10 @@ LIST_KNOWN_FRAMEWORK = %w(rails sinatra padrino)
|
|
13
13
|
VALID_OUTPUT_FORMAT = %w(console json csv html)
|
14
14
|
|
15
15
|
# Datamapper stuff
|
16
|
-
DataMapper.setup(:default, "sqlite3://#{Dawn::Core.registry_db_name}")
|
17
|
-
DataMapper::Logger.new(Dawn::Core.sql_log_name, :debug)
|
18
|
-
DataMapper.finalize
|
19
|
-
DataMapper.auto_upgrade!
|
16
|
+
#DataMapper.setup(:default, "sqlite3://#{Dawn::Core.registry_db_name}")
|
17
|
+
#DataMapper::Logger.new(Dawn::Core.sql_log_name, :debug)
|
18
|
+
#DataMapper.finalize
|
19
|
+
#DataMapper.auto_upgrade!
|
20
20
|
|
21
21
|
require 'logger'
|
22
22
|
$logger = Logger.new(STDOUT)
|
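Review bot: the four DataMapper lines are commented out rather than deleted, which leaves a `# Datamapper stuff` header over dead code; delete them (git history keeps them) and carry the intent in the Changelog instead. If the registry is meant to come back, a single `# TODO: registry disabled until the ActiveRecord migration` line is clearer than four commented statements.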
@@ -31,13 +31,6 @@ opts = GetoptLong.new(
|
|
31
31
|
[ '--html', '-H', GetoptLong::NO_ARGUMENT],
|
32
32
|
[ '--console', '-K', GetoptLong::NO_ARGUMENT],
|
33
33
|
|
34
|
-
# MVC forcing
|
35
|
-
# Deprecated in 1.5.x
|
36
|
-
# To be removed in 2.0.0
|
37
|
-
[ '--rails', '-r', GetoptLong::NO_ARGUMENT],
|
38
|
-
[ '--sinatra', '-s', GetoptLong::NO_ARGUMENT],
|
39
|
-
[ '--padrino', '-p', GetoptLong::NO_ARGUMENT],
|
40
|
-
|
41
34
|
[ '--gem-lock', '-G', GetoptLong::REQUIRED_ARGUMENT], # Deprecated in 1.5.x - To be removed in 2.0.0
|
42
35
|
[ '--dependencies', '-d', GetoptLong::REQUIRED_ARGUMENT],
|
43
36
|
|
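Review bot: removing the `--rails`, `--sinatra` and `--padrino` options in a patch release contradicts the comment on the deleted lines ("Deprecated in 1.5.x", "To be removed in 2.0.0") and will break any wrapper script that still passes them. Either keep them as accepted no-op flags that emit the existing deprecation warning until 2.0.0, or record the removal prominently in the Changelog. Note also that `--gem-lock` on the unchanged line below still carries the same "To be removed in 2.0.0" comment, so the two deprecations are now handled inconsistently.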
@@ -125,12 +118,6 @@ opts.each do |opt, val|
|
|
125
118
|
options[:output] = "tabular"
|
126
119
|
when '--html'
|
127
120
|
options[:output] = "html"
|
128
|
-
when '--rails'
|
129
|
-
options[:mvc]=:rails
|
130
|
-
when '--sinatra'
|
131
|
-
options[:mvc]=:sinatra
|
132
|
-
when '--padrino'
|
133
|
-
options[:mvc]=:padrino
|
134
121
|
when '--file'
|
135
122
|
options[:filename] = val
|
136
123
|
when '--gem-lock'
|
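Review bot: with the `when '--rails'`, `when '--sinatra'` and `when '--padrino'` branches gone, nothing assigns `options[:mvc]` any more, and the last reader of that key (the `$logger.die("if scanning Gemfile.lock file you must not force target MVC ...")` line) is removed further down in this diff. Check the `options` hash initialisation (outside this hunk) and drop the `:mvc` key there too so the dead setting does not linger.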
@@ -193,25 +180,20 @@ target=ARGV.shift
|
|
193
180
|
target = File.expand_path(".") if target == "."
|
194
181
|
|
195
182
|
$logger.helo APPNAME, Dawn::VERSION
|
196
|
-
r = Dawn::Registry.new
|
197
183
|
|
198
|
-
|
199
|
-
|
200
|
-
|
201
|
-
|
184
|
+
## It will be migrated to active record in 2019
|
185
|
+
# r = Dawn::Registry.new
|
186
|
+
|
187
|
+
# unless Dir.exist?(Dawn::Core.registry_db_folder)
|
188
|
+
# FileUtils.mkdir_p(Dawn::Core.registry_db_folder)
|
189
|
+
# $logger.info "#{Dawn::Core.registry_db_folder} created" if Dir.exist?(Dawn::Core.registry_db_folder)
|
190
|
+
# end
|
202
191
|
|
203
192
|
trap("INT") { $logger.die('[INTERRUPTED]') }
|
204
193
|
$logger.die("missing target") if target.nil? && options[:gemfile_name].empty?
|
205
194
|
$logger.die("invalid directory (#{target})") if options[:gemfile_name].empty? &&! Dawn::Core.is_good_target?(target)
|
206
|
-
$logger.die("if scanning Gemfile.lock file you must not force target MVC using one from -r, -s or -p flag") if ! options[:mvc].empty? && options[:gemfile_scan]
|
207
195
|
$logger.debug("security check enabled: #{options[:enabled_checks]}") if options[:debug]
|
208
196
|
|
209
|
-
# MVC flag deprecation warnings
|
210
|
-
$logger.warn("the --rails is deprecated and it will be removed in version 2.0.0") if options[:mvc] == :rails
|
211
|
-
$logger.warn("the --sinatra is deprecated and it will be removed in version 2.0.0") if options[:mvc] == :sinatra
|
212
|
-
$logger.warn("the --padrino is deprecated and it will be removed in version 2.0.0") if options[:mvc] == :padrino
|
213
|
-
|
214
|
-
|
215
197
|
## MVC auto detect.
|
216
198
|
|
217
199
|
# Skipping MVC autodetect if it's already been done by guess_mvc when choosing
|
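Review bot: the replacement block (`## It will be migrated to active record in 2019` followed by commented `r = Dawn::Registry.new` and the `FileUtils.mkdir_p` guard) is commented-out code again; delete it and keep a one-line TODO. One functional consequence to double-check: the `mkdir_p` of `Dawn::Core.registry_db_folder` is what created the directory on first run, so anything else that still writes under that folder (the `Dawn::Core.sql_log_name` logger was one user, now commented out in the first hunk) must not assume it exists.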
@@ -219,16 +201,10 @@ $logger.warn("the --padrino is deprecated and it will be removed in version 2.0.
|
|
219
201
|
|
220
202
|
unless options[:gemfile_scan]
|
221
203
|
begin
|
222
|
-
|
223
|
-
|
224
|
-
$logger.debug("using #{engine.class.name} engine via autodect") if options[:debug]
|
225
|
-
else
|
226
|
-
engine = Dawn::Rails.new(target) if options[:mvc] == :rails
|
227
|
-
engine = Dawn::Sinatra.new(target) if options[:mvc] == :sinatra
|
228
|
-
engine = Dawn::Padrino.new(target) if options[:mvc] == :padrino
|
229
|
-
end
|
204
|
+
engine = Dawn::Core.detect_mvc(target)
|
205
|
+
$logger.debug("using #{engine.class.name} engine via autodect") if options[:debug]
|
230
206
|
rescue ArgumentError => e
|
231
|
-
r.do_save({:target=>File.basename(target), :scan_started=>DateTime.now, :scan_duration => 0, :issues_found=> -1, :output_dir=> "", :message=>e.message, :scan_status=>:failed})
|
207
|
+
# r.do_save({:target=>File.basename(target), :scan_started=>DateTime.now, :scan_duration => 0, :issues_found=> -1, :output_dir=> "", :message=>e.message, :scan_status=>:failed})
|
232
208
|
$logger.die(e.message)
|
233
209
|
end
|
234
210
|
else
|
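Review bot: the debug message on the new line `$logger.debug("using #{engine.class.name} engine via autodect")` has a typo, "autodect" should be "autodetect". Collapsing the forced-MVC `else` branch into a single `engine = Dawn::Core.detect_mvc(target)` is the right shape; with `r.do_save` commented out in the `rescue ArgumentError` path the only trace of a failed detection is now the `$logger.die(e.message)` line, which is acceptable as long as the Changelog says scan history is no longer recorded.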
@@ -238,15 +214,15 @@ end
|
|
238
214
|
|
239
215
|
if engine.nil?
|
240
216
|
$logger.error("MVC detection failure. Please open an issue at https://github.com/thesp0nge/dawnscanner/issues")
|
241
|
-
r.do_save({:target=>File.basename(target), :message=>"MVC detection failure. Please open an issue at https://github.com/thesp0nge/dawnscanner/issues", :scan_status=>:failed})
|
242
|
-
$logger.die(
|
217
|
+
# r.do_save({:target=>File.basename(target), :message=>"MVC detection failure. Please open an issue at https://github.com/thesp0nge/dawnscanner/issues", :scan_status=>:failed})
|
218
|
+
$logger.die('ruby framework auto detect failed.')
|
243
219
|
end
|
244
220
|
## end MVC auto detect.
|
245
221
|
|
246
222
|
if options[:exit_on_warn]
|
247
223
|
Kernel.at_exit do
|
248
224
|
if engine.count_vulnerabilities != 0
|
249
|
-
r.do_save({:target=>engine.target, :scan_started=>engine.scan_start, :scan_duration => engine.scan_time.round(3), :issues_found=>engine.vulnerabilities.count, :output_dir=>engine.output_dir_name, :scan_status=>:completed})
|
225
|
+
# r.do_save({:target=>engine.target, :scan_started=>engine.scan_start, :scan_duration => engine.scan_time.round(3), :issues_found=>engine.vulnerabilities.count, :output_dir=>engine.output_dir_name, :scan_status=>:completed})
|
250
226
|
Kernel.exit(engine.count_vulnerabilities)
|
251
227
|
end
|
252
228
|
end
|
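Review bot: two points in this hunk. `$logger.error("MVC detection failure. Please open an issue at ...")` is immediately followed by `$logger.die('ruby framework auto detect failed.')`, so one failure now prints two different messages; pass the first message to `die` and drop the separate `error` call. Second, on the unchanged `Kernel.exit(engine.count_vulnerabilities)` line the process exit status is truncated to 8 bits by the OS, so a scan with 256 findings exits with status 0 and `--exit-on-warn` tells a CI script the target is clean; cap the value, for example `Kernel.exit([engine.count_vulnerabilities, 255].min)`, and document the cap in the README.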
@@ -260,12 +236,12 @@ end
|
|
260
236
|
$logger.warn "this is a development Dawn version" if Dawn::RELEASE == "(development)"
|
261
237
|
|
262
238
|
if engine.nil?
|
263
|
-
r.do_save({:target=>File.basename(target), :message=>"missing target framework option", :scan_status=>:failed})
|
239
|
+
# r.do_save({:target=>File.basename(target), :message=>"missing target framework option", :scan_status=>:failed})
|
264
240
|
$logger.die "missing target framework option"
|
265
241
|
end
|
266
242
|
|
267
243
|
if ! options[:gemfile_scan] && ! engine.can_apply?
|
268
|
-
r.do_save({:target=>File.basename(target), :message=>"nothing to do on #{target}", :scan_status=>:failed})
|
244
|
+
# r.do_save({:target=>File.basename(target), :message=>"nothing to do on #{target}", :scan_status=>:failed})
|
269
245
|
$logger.die "nothing to do on #{target}"
|
270
246
|
end
|
271
247
|
|
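Review bot: the second `if engine.nil?` block ending in `$logger.die "missing target framework option"` is unreachable: the earlier `if engine.nil?` in the MVC auto-detect section already calls `$logger.die`, which terminates the process. Remove this block together with its commented `r.do_save` line; the same applies to the commented `r.do_save` under `if ! options[:gemfile_scan] && ! engine.can_apply?`, where only the `$logger.die "nothing to do on #{target}"` line does any work.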
@@ -276,22 +252,22 @@ if options[:output] == "count"
|
|
276
252
|
STDERR.puts (ret)? engine.vulnerabilities.count : "-1" unless options[:output] == "json"
|
277
253
|
STDERR.puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json if options[:output] == "json"
|
278
254
|
|
279
|
-
r.do_save({:target=>engine.target, :scan_started=>engine.scan_start, :scan_duration => engine.scan_time.round(3), :issues_found=>engine.vulnerabilities.count, :output_dir=>engine.output_dir_name, :scan_status=>:completed})
|
255
|
+
# r.do_save({:target=>engine.target, :scan_started=>engine.scan_start, :scan_duration => engine.scan_time.round(3), :issues_found=>engine.vulnerabilities.count, :output_dir=>engine.output_dir_name, :scan_status=>:completed})
|
280
256
|
$logger.bye
|
281
257
|
Kernel.exit(0)
|
282
258
|
end
|
283
259
|
|
284
260
|
Dawn::Reporter.new({:engine=>engine, :apply_all_code=>ret, :format=>options[:output].to_sym, :filename=>options[:filename]}).report
|
285
|
-
if (r.do_save({:target=>File.basename(engine.target),
|
286
|
-
:scan_started=>engine.scan_start,
|
287
|
-
:scan_duration => engine.scan_time.round(3),
|
288
|
-
:issues_found=>engine.vulnerabilities.count,
|
289
|
-
:output_dir=>engine.output_dir_name,
|
290
|
-
:scan_status=>:completed}))
|
291
|
-
$logger.info "#{Dawn::Core.registry_db_name} updated with scan infos"
|
292
|
-
else
|
293
|
-
r.errors.each do |error|
|
294
|
-
$logger.error error
|
295
|
-
end
|
296
|
-
end
|
261
|
+
#if (r.do_save({:target=>File.basename(engine.target),
|
262
|
+
# :scan_started=>engine.scan_start,
|
263
|
+
# :scan_duration => engine.scan_time.round(3),
|
264
|
+
# :issues_found=>engine.vulnerabilities.count,
|
265
|
+
# :output_dir=>engine.output_dir_name,
|
266
|
+
# :scan_status=>:completed}))
|
267
|
+
# $logger.info "#{Dawn::Core.registry_db_name} updated with scan infos"
|
268
|
+
#else
|
269
|
+
# r.errors.each do |error|
|
270
|
+
# $logger.error error
|
271
|
+
# end
|
272
|
+
#end
|
297
273
|
$logger.bye
|
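Review bot: the twelve-line `#if (r.do_save({...` ... `#end` block after `Dawn::Reporter.new(...).report` should be deleted rather than commented; commented-out registry calls now appear in five places in this file and will drift from whatever the ActiveRecord replacement looks like. The `$logger.bye` at the end of the count branch before `Kernel.exit(0)` and the final `$logger.bye` are both still reachable, so that part is fine.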
@@ -0,0 +1 @@
|
|
1
|
+
7f56617eeab5f897c910d9bfbfd54425c4856fc1
|
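Review bot: this new file (data/checksum/dawnscanner-1.6.8.gem.sha1 per the file list) is the digest of the previous release, not of 1.6.9, so the release that drops the signing certificate ships without any published digest of itself. Add a digest for the 1.6.9 gem, and prefer SHA-256 or SHA-512 over SHA-1, as the older `checksum/codesake-dawn-1.1.0.gem.sha512` entries already do.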
data/dawnscanner.gemspec
CHANGED
@@ -10,17 +10,14 @@ Gem::Specification.new do |gem|
|
|
10
10
|
gem.email = ["paolo@dawnscanner.org"]
|
11
11
|
gem.description = %q{Dawnscanner is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 150 security checks with their own mitigation suggestion.}
|
12
12
|
gem.summary = %q{Dawnscanner is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
|
13
|
-
gem.homepage = "
|
13
|
+
gem.homepage = "https://dawnscanner.org"
|
14
14
|
gem.files = `git ls-files`.split($/)
|
15
15
|
gem.license = "MIT"
|
16
16
|
gem.executables = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
|
17
17
|
gem.test_files = gem.files.grep(%r{^(test|spec|features)/})
|
18
18
|
gem.require_paths = ["lib"]
|
19
19
|
|
20
|
-
gem.
|
21
|
-
gem.signing_key = File.expand_path("~/.ssh/paolo_at_dawnscanner_dot_org_private_key.pem") if $0 =~ /gem\z/
|
22
|
-
|
23
|
-
gem.required_ruby_version = '>= 1.9.3'
|
20
|
+
gem.required_ruby_version = '>= 2.3.0'
|
24
21
|
|
25
22
|
gem.add_dependency 'cvss'
|
26
23
|
gem.add_dependency 'haml'
|
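Review bot: `gem.required_ruby_version = '>= 2.3.0'` (up from `>= 1.9.3`) drops support for every Ruby 1.9, 2.0, 2.1 and 2.2 installation in a patch release; that is acceptable given those rubies are end-of-life, but it must appear in the Changelog. Removing `gem.signing_key` and the truncated `gem.` line (presumably the cert chain) is consistent with the `cert_chain: []` in metadata, and the `gem.homepage = "https://dawnscanner.org"` fix is good.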
@@ -31,10 +28,9 @@ Gem::Specification.new do |gem|
|
|
31
28
|
gem.add_dependency 'logger-colors'
|
32
29
|
gem.add_dependency 'ptools'
|
33
30
|
gem.add_dependency 'sqlite3'
|
34
|
-
gem.add_dependency '
|
35
|
-
gem.add_dependency '
|
31
|
+
# gem.add_dependency 'datamapper'
|
32
|
+
# gem.add_dependency 'dm-sqlite-adapter'
|
36
33
|
|
37
|
-
# Dependencies for code stats
|
38
34
|
# To be added back in 1.5.5
|
39
35
|
# gem.add_dependency 'code_metrics'
|
40
36
|
# gem.add_dependency 'metric_fu-Saikuro'
|
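Review bot: `gem.add_dependency 'sqlite3'` survives while its only consumers, `datamapper` and `dm-sqlite-adapter`, are commented out, so every install still compiles a native extension that nothing uses; drop sqlite3 until the ActiveRecord registry arrives. Delete the two commented dependency lines instead of keeping them, and note that removing `# Dependencies for code stats` leaves `# To be added back in 1.5.5` as a stale, context-free comment in a 1.6.9 gemspec.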
data/lib/dawn/core.rb
CHANGED
@@ -24,9 +24,6 @@ module Dawn
|
|
24
24
|
puts "\t$ dawn -C --json a_sinatra_webapp_directory"
|
25
25
|
puts "\t$ dawn --ascii-tabular-report my_rails_blog_ecommerce"
|
26
26
|
puts "\t$ dawn --html -F my_report.html my_rails_blog_ecommerce"
|
27
|
-
printf "\n -r, --rails\t\t\t\t\tforce dawn to consider the target a rails application (DEPRECATED)"
|
28
|
-
printf "\n -s, --sinatra\t\t\t\tforce dawn to consider the target a sinatra application (DEPRECATED)"
|
29
|
-
printf "\n -p, --padrino\t\t\t\tforce dawn to consider the target a padrino application (DEPRECATED)"
|
30
27
|
printf "\n -G, --gem-lock\t\t\t\tforce dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock (DEPRECATED)"
|
31
28
|
printf "\n -d, --dependencies\t\t\t\tforce dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock"
|
32
29
|
printf "\n\nReporting\n"
|
@@ -41,7 +41,24 @@ module Dawn
|
|
41
41
|
return debug_me_and_return_false("detected version #{@detected} found as is in safe array") if is_detected_in_safe?
|
42
42
|
return debug_me_and_return_false("detected version #{@detected} is higher than all version marked safe") if is_detected_highest?
|
43
43
|
|
44
|
-
|
44
|
+
check_versions = nil
|
45
|
+
@safe.each do |safe_version|
|
46
|
+
|
47
|
+
sva = version_string_to_array(safe_version)
|
48
|
+
dva = version_string_to_array(@detected)
|
49
|
+
|
50
|
+
next unless is_same_version?(sva[:version], dva[:version], true)
|
51
|
+
next unless sva[:version].count == dva[:version].count || is_beta_check?(sva[:beta], dva[:beta]) || is_rc_check?(sva[:rc], dva[:rc]) || is_pre_check?(sva[:pre], dva[:pre])
|
52
|
+
|
53
|
+
check_versions = [safe_version]
|
54
|
+
break
|
55
|
+
end
|
56
|
+
|
57
|
+
debug_me "vuln?: limited check_versions: #{check_versions.inspect}"
|
58
|
+
check_versions ||= @safe
|
59
|
+
debug_me "vuln?: fallback check_versions: #{check_versions.inspect}"
|
60
|
+
|
61
|
+
check_versions.sort.each do |s|
|
45
62
|
debug_me "vuln?: evaluating #{@detected} against save version: #{s}"
|
46
63
|
|
47
64
|
@save_minor_fix = save_minor_fix
|
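Review bot: this hunk belongs to data/lib/dawn/kb/version_check.rb (the file list shows +18 -1 there). Three points on the new selection loop. `dva = version_string_to_array(@detected)` is recomputed on every iteration; hoist it above `@safe.each`. The `break` after `check_versions = [safe_version]` keeps only the first safe version listed in the same release family, so if `@safe` names two fixes for one branch the higher one is ignored, and the unchanged `check_versions.sort.each` sorts version strings lexicographically ("3.2.22.10" orders before "3.2.22.5"); compare with `Gem::Version.new` instead. Finally the context line `debug_me "vuln?: evaluating #{@detected} against save version: #{s}"` should read "safe version".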
data/lib/dawn/version.rb
CHANGED
data/lib/dawnscanner.rb
CHANGED
@@ -32,8 +32,12 @@ describe "The CVE-2016-2098 vulnerability" do
|
|
32
32
|
@check.dependencies = [{:name=>"actionpack", :version=>"5.0.0.1"}]
|
33
33
|
expect(@check.vuln?).to eq(false)
|
34
34
|
end
|
35
|
-
|
35
|
+
it "is not reported when a fixed release is detected" do
|
36
36
|
@check.dependencies = [{:name=>"actionpack", :version=>"3.2.22.2"}]
|
37
|
+
expect(@check.vuln?).to eq(false)
|
38
|
+
end
|
39
|
+
it "is not reported when a higher release is detected" do
|
40
|
+
@check.dependencies = [{:name=>"actionpack", :version=>"3.2.22.5"}]
|
37
41
|
expect(@check.vuln?).to eq(false)
|
38
42
|
end
|
39
43
|
it "is not reported when a fixed release is detected" do
|
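Review bot: this hunk is from data/spec/lib/kb/cve_2016_2098_spec.rb (the `describe "The CVE-2016-2098 vulnerability"` context and the file list), not from data/lib/dawnscanner.rb as the rendered header suggests. The new example `it "is not reported when a fixed release is detected"` (actionpack 3.2.22.2) reuses the description of the existing example at the end of the hunk, so a failure report cannot tell them apart; rename it, for example "is not reported when the 3.2.x fixed release is detected". A companion example asserting `vuln?` is true for a version below the fix would make the new narrowing logic in version_check.rb testable in both directions.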
metadata
CHANGED
@@ -1,36 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: dawnscanner
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.6.
|
4
|
+
version: 1.6.9
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Paolo Perego
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
|
-
cert_chain:
|
11
|
-
-
|
33
|
-
date: 2017-04-07 00:00:00.000000000 Z
|
10
|
+
cert_chain: []
|
11
|
+
date: 2018-11-28 00:00:00.000000000 Z
|
34
12
|
dependencies:
|
35
13
|
- !ruby/object:Gem::Dependency
|
36
14
|
name: cvss
|
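Review bot: `cert_chain: []` together with the deleted `certs/paolo_at_dawnscanner_dot_org.pem` confirms 1.6.9 is published unsigned; this file is generated from the gemspec, so no edit is needed here, but the README and Changelog must say so, because users who added the previous certificate with `gem cert --add` will otherwise assume the trust relationship still holds. The `date:` and `version:` bumps match the Changelog.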
@@ -158,34 +136,6 @@ dependencies:
|
|
158
136
|
- - ">="
|
159
137
|
- !ruby/object:Gem::Version
|
160
138
|
version: '0'
|
161
|
-
- !ruby/object:Gem::Dependency
|
162
|
-
name: dm-sqlite-adapter
|
163
|
-
requirement: !ruby/object:Gem::Requirement
|
164
|
-
requirements:
|
165
|
-
- - ">="
|
166
|
-
- !ruby/object:Gem::Version
|
167
|
-
version: '0'
|
168
|
-
type: :runtime
|
169
|
-
prerelease: false
|
170
|
-
version_requirements: !ruby/object:Gem::Requirement
|
171
|
-
requirements:
|
172
|
-
- - ">="
|
173
|
-
- !ruby/object:Gem::Version
|
174
|
-
version: '0'
|
175
|
-
- !ruby/object:Gem::Dependency
|
176
|
-
name: data_mapper
|
177
|
-
requirement: !ruby/object:Gem::Requirement
|
178
|
-
requirements:
|
179
|
-
- - ">="
|
180
|
-
- !ruby/object:Gem::Version
|
181
|
-
version: '0'
|
182
|
-
type: :runtime
|
183
|
-
prerelease: false
|
184
|
-
version_requirements: !ruby/object:Gem::Requirement
|
185
|
-
requirements:
|
186
|
-
- - ">="
|
187
|
-
- !ruby/object:Gem::Version
|
188
|
-
version: '0'
|
189
139
|
- !ruby/object:Gem::Dependency
|
190
140
|
name: coveralls
|
191
141
|
requirement: !ruby/object:Gem::Requirement
|
@@ -296,7 +246,6 @@ files:
|
|
296
246
|
- Roadmap.md
|
297
247
|
- VERSION
|
298
248
|
- bin/dawn
|
299
|
-
- certs/paolo_at_dawnscanner_dot_org.pem
|
300
249
|
- checksum/.placeholder
|
301
250
|
- checksum/codesake-dawn-1.1.0.gem.sha512
|
302
251
|
- checksum/codesake-dawn-1.1.0.rc1.gem.sha512
|
@@ -323,6 +272,7 @@ files:
|
|
323
272
|
- checksum/dawnscanner-1.6.5.gem.sha1
|
324
273
|
- checksum/dawnscanner-1.6.6.gem.sha1
|
325
274
|
- checksum/dawnscanner-1.6.7.gem.sha1
|
275
|
+
- checksum/dawnscanner-1.6.8.gem.sha1
|
326
276
|
- code_of_conduct.md
|
327
277
|
- dawnscanner.gemspec
|
328
278
|
- doc/dawn_1_0_announcement.md
|
@@ -719,7 +669,7 @@ files:
|
|
719
669
|
- support/bootstrap.js
|
720
670
|
- support/bootstrap.min.css
|
721
671
|
- support/codesake.css
|
722
|
-
homepage:
|
672
|
+
homepage: https://dawnscanner.org
|
723
673
|
licenses:
|
724
674
|
- MIT
|
725
675
|
metadata: {}
|
@@ -731,7 +681,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
731
681
|
requirements:
|
732
682
|
- - ">="
|
733
683
|
- !ruby/object:Gem::Version
|
734
|
-
version:
|
684
|
+
version: 2.3.0
|
735
685
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
736
686
|
requirements:
|
737
687
|
- - ">="
|
@@ -739,7 +689,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
739
689
|
version: '0'
|
740
690
|
requirements: []
|
741
691
|
rubyforge_project:
|
742
|
-
rubygems_version: 2.
|
692
|
+
rubygems_version: 2.7.7
|
743
693
|
signing_key:
|
744
694
|
specification_version: 4
|
745
695
|
summary: Dawnscanner is a security source code scanner for ruby powered code. It is
|
checksums.yaml.gz.sig
DELETED
Binary file
|
data.tar.gz.sig
DELETED
Binary file
|
@@ -1,21 +0,0 @@
|
|
metadata.gz.sig
DELETED
Binary file
|