dawnscanner 2.0.0.rc2 → 2.0.0.rc3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Changelog.md +2 -0
- data/README.md +2 -2
- data/VERSION +1 -1
- data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 +1 -0
- data/lib/dawn/cli/dawn_cli.rb +11 -4
- data/lib/dawn/engine.rb +16 -15
- data/lib/dawn/version.rb +5 -5
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 72552d751163f1b0a97daa602bf4251d879e66155cb213aaecb0e7b4e9654af1
|
|
4
|
+
data.tar.gz: 2f50331bf792286959cd79efb3fc36f106548e11f7c338318b84779b5cb3aa4a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4e1d78d9d5e1b8c407b560a5199d0a3536382e13ce09bda3de2e98a9bffde2e8a0b472acb90a18b16e252355bbfbdde35180072c034500388389613dabd8497a
|
|
7
|
+
data.tar.gz: 600b924b3801499ef17e75fbfd5b9e01f9973394f7a76d34828f2702ae76ad4b0364b75403fc0c12820089f9b56a55ec1d2c42a8b7c8c57d5e434f96dac621f1
|
data/Changelog.md
CHANGED
|
@@ -17,6 +17,8 @@ _latest update: mer 28 nov 2018, 11.03.53, CET_
|
|
|
17
17
|
* Adding telemetry
|
|
18
18
|
* Dawn::Utils include refactory. Now it's available application wide
|
|
19
19
|
* debug information refactory.
|
|
20
|
+
* engine class, apply_all method now accepts an optional parameter containing a
|
|
21
|
+
list of security checks to be excluded (issue #230).
|
|
20
22
|
|
|
21
23
|
## Version 1.6.9 - codename: Tow Mater (2018-11-28)
|
|
22
24
|
|
data/README.md
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
# Dawnscanner - The raising security scanner for ruby web applications
|
|
2
2
|
|
|
3
|
-
dawnscanner is a source code scanner designed to review your ruby code for
|
|
4
|
-
issues.
|
|
3
|
+
dawnscanner is a source code scanner designed to review your ruby code for
|
|
4
|
+
security issues.
|
|
5
5
|
|
|
6
6
|
dawnscanner is able to scan plain ruby scripts (e.g. command line applications) but
|
|
7
7
|
all its features are unleashed when dealing with web applications source code.
|
data/VERSION
CHANGED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
1c96f786d3683b79311855a14b8ef7d7ebe7b13d
|
data/lib/dawn/cli/dawn_cli.rb
CHANGED
|
@@ -50,11 +50,13 @@ module Dawn
|
|
|
50
50
|
desc "kb SUBCOMMAND ... ARGS", "Interacts with the knowledge base"
|
|
51
51
|
subcommand "kb", Dawn::Cli::Kb
|
|
52
52
|
|
|
53
|
-
desc "scan", "scans a
|
|
53
|
+
desc "scan", "scans a ruby written application for security issues"
|
|
54
54
|
option :config_file
|
|
55
|
-
|
|
55
|
+
method_option :gemfile, :type=>:boolean, :default=>true, :aliases => "-G", :desc => "uses Gemfile.lock to detect MVC"
|
|
56
|
+
method_option :skip, :type=>:array, :aliases => "-S", :desc => "specify a list of security checks to be skipped"
|
|
56
57
|
option :exit_on_warn, :type=>:boolean
|
|
57
58
|
option :count, :type=>:boolean
|
|
59
|
+
option :s
|
|
58
60
|
option :output
|
|
59
61
|
|
|
60
62
|
def scan(target)
|
|
@@ -65,6 +67,10 @@ module Dawn
|
|
|
65
67
|
|
|
66
68
|
$debug = true if options[:debug]
|
|
67
69
|
$verbose = true if options[:verbose]
|
|
70
|
+
checks_to_be_skipped = []
|
|
71
|
+
checks_to_be_skipped = options[:skip] unless options[:skip].nil?
|
|
72
|
+
|
|
73
|
+
$logger.error("#{options[:skip]}")
|
|
68
74
|
|
|
69
75
|
debug_me("scanning #{target}")
|
|
70
76
|
|
|
@@ -73,9 +79,10 @@ module Dawn
|
|
|
73
79
|
|
|
74
80
|
$telemetry_url = $config[:telemetry][:endpoint] if $config[:telemetry][:enabled]
|
|
75
81
|
debug_me("telemetry url is " + $telemetry_url) unless @telemetry_url.nil?
|
|
82
|
+
|
|
76
83
|
$telemetry_id = $config[:telemetry][:id] if $config[:telemetry][:enabled]
|
|
77
|
-
|
|
78
84
|
debug_me("telemetry id is " + $telemetry_id) unless @telemetry_id.nil?
|
|
85
|
+
|
|
79
86
|
$logger.info("telemetry is disabled in config file") unless $config[:telemetry][:enabled]
|
|
80
87
|
|
|
81
88
|
engine = Dawn::Core.detect_mvc(target) unless options[:gemfile]
|
|
@@ -97,7 +104,7 @@ module Dawn
|
|
|
97
104
|
|
|
98
105
|
engine.load_knowledge_base
|
|
99
106
|
|
|
100
|
-
ret = engine.apply_all
|
|
107
|
+
ret = engine.apply_all(checks_to_be_skipped)
|
|
101
108
|
if options[:output]
|
|
102
109
|
STDERR.puts (ret)? engine.vulnerabilities.count : "-1" unless options[:output] == "json"
|
|
103
110
|
STDERR.puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json if options[:output] == "json"
|
data/lib/dawn/engine.rb
CHANGED
|
@@ -332,28 +332,25 @@ module Dawn
|
|
|
332
332
|
request = Net::HTTP::Post.new(uri.request_uri, header)
|
|
333
333
|
request.body = tele.to_json
|
|
334
334
|
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
|
|
335
|
+
begin
|
|
336
|
+
response=http.request(request)
|
|
337
|
+
debug_me(response.inspect)
|
|
338
|
+
return true
|
|
339
|
+
rescue => e
|
|
340
|
+
$logger.error "telemetry: #{e.message}"
|
|
341
|
+
return false
|
|
342
|
+
end
|
|
340
343
|
end
|
|
341
344
|
|
|
342
|
-
def apply_all
|
|
345
|
+
def apply_all(checks_to_be_skipped=[])
|
|
343
346
|
@scan_start = Time.now
|
|
347
|
+
debug_me("I'm asked to skip those checks #{checks_to_be_skipped}")
|
|
344
348
|
debug_me("SCAN STARTED: #{@scan_start}")
|
|
345
349
|
|
|
346
350
|
telemetry
|
|
347
351
|
|
|
348
|
-
# FIXME.20140325
|
|
349
|
-
# Now if no checks are loaded because knowledge base was not previously called, apply and apply_all proudly refuse to run.
|
|
350
|
-
# Reason is simple, load_knowledge_base now needs enabled check array
|
|
351
|
-
# and I don't want to pollute engine API to propagate this value. It's
|
|
352
|
-
# a param to load_knowledge_base and then bin/dawn calls it
|
|
353
|
-
# accordingly.
|
|
354
|
-
# load_knowledge_base if @checks.nil?
|
|
355
352
|
if @checks.nil?
|
|
356
|
-
$logger.
|
|
353
|
+
$logger.error "you must load knowledge base before trying to apply security checks"
|
|
357
354
|
@scan_stop = Time.now
|
|
358
355
|
debug_me("SCAN STOPPED: #{@scan_stop}")
|
|
359
356
|
return false
|
|
@@ -366,7 +363,11 @@ module Dawn
|
|
|
366
363
|
end
|
|
367
364
|
|
|
368
365
|
@checks.each do |check|
|
|
369
|
-
|
|
366
|
+
if checks_to_be_skipped.include?(check.name)
|
|
367
|
+
$logger.info("skipping security check #{check.name}")
|
|
368
|
+
else
|
|
369
|
+
_do_apply(check)
|
|
370
|
+
end
|
|
370
371
|
end
|
|
371
372
|
|
|
372
373
|
@scan_stop = Time.now
|
data/lib/dawn/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dawnscanner
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.0.0.
|
|
4
|
+
version: 2.0.0.rc3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Paolo Perego
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-
|
|
11
|
+
date: 2019-05-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: cvss
|
|
@@ -288,6 +288,7 @@ files:
|
|
|
288
288
|
- checksum/dawnscanner-1.6.7.gem.sha1
|
|
289
289
|
- checksum/dawnscanner-1.6.8.gem.sha1
|
|
290
290
|
- checksum/dawnscanner-2.0.0.rc1.gem.sha1
|
|
291
|
+
- checksum/dawnscanner-2.0.0.rc2.gem.sha1
|
|
291
292
|
- code_of_conduct.md
|
|
292
293
|
- dawnscanner.gemspec
|
|
293
294
|
- doc/change.sh
|