dawnscanner 2.0.0.rc4 → 2.0.0.rc5
- checksums.yaml +4 -4
- data/Changelog.md +6 -2
- data/Rakefile +0 -4
- data/VERSION +3 -15
- data/dawnscanner.gemspec +3 -4
- data/lib/dawn/engine.rb +1 -0
- data/lib/dawn/kb/pattern_match_check.rb +1 -1
- data/lib/dawn/knowledge_base.rb +14 -1
- data/lib/dawn/reporter.rb +2 -0
- data/lib/dawn/version.rb +4 -5
- data/spec/lib/kb/codesake_dependency_version_check_spec.rb +18 -15
- data/spec/lib/kb/codesake_ruby_version_check_spec.rb +7 -17
- metadata +3 -17
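--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 72a87bbf8ef2496a0afd46d528d72e054f5dae05ebd931c7def8f99be76961da
+data.tar.gz: 67625dd36903d067ecf28c8581b130d1b2c612a3b26ded963e2868bb95efb853
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e6621edd0430c27a88d8813e5ca57475466ff8ea6d262cc7f324890d521a10d1f24f055004fdfa4ccb36e9131d1ea6f6d8957e17d26a54846194706279e617a2
+data.tar.gz: ec14c1e7804f38e5bcb6f87ea7d05afedc83206db846eaec197d4e5be5b48f9ee1059fb87d21ddbab52e023fb2f0a7cc74bc90517be9e62a0e81d9810b93137e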
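--- a/data/Changelog.md
+++ b/data/Changelog.md
@@ -5,9 +5,9 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: mer
+_latest update: mer 29 mar 2023, 18:32:56, CEST_
 
-## Version 2.0.0
+## Version 2.0.0
 
 * New knowledge base, YAML based and distributed separately from the ruby gem.
 * New CLI based on Thor library. Please read README.md file to know how to
@@ -22,6 +22,10 @@ _latest update: mer 28 nov 2018, 11.03.53, CET_
 * Fix issue #244. Now the KB path is no more hardcoded but it is relative to
 $HOME and 'dawnscanner' folder where results are stored.
 * Fix issue #245. Pattern matching check is skipped on empty files.
+* Fix issue #250. Require missing fileutils, thanks to @lukaszsliwa
+* Fix issue #252. File.exists was removed in newer interpreter versions
+* Dropping codenames
+* Class names must be declared before loading YAML files
 
 ## Version 1.6.9 - codename: Tow Mater (2018-11-28)
 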
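--- a/data/Rakefile
+++ b/data/Rakefile
@@ -37,7 +37,6 @@ namespace :version do
 a = f.readlines
 end
 version = a[a.length - 1].split('-')[0]# .chomp
-codename = a[a.length - 1].split('-')[1]
 
 File.open("./lib/dawn/version.rb", "w") do |f|
 
@@ -47,12 +46,9 @@ namespace :version do
 if branch_name != "main"
 av = version.split('.')
 f.puts " VERSION = \"#{av[0]}.#{av[1]}.#{commit_hash.chop}\""
-f.puts " CODENAME = \"#{codename.lstrip!.chop}\""
 f.puts " RELEASE = \"(development)\""
 else
-puts "here"
 f.puts " VERSION = \"#{version.rstrip!}\""
-f.puts " CODENAME = \"#{codename.lstrip!.chop}\""
 f.puts " RELEASE = \"#{release}\""
 end
 f.puts " BUILD = \"#{build_number.chop}\""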
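--- a/data/VERSION
+++ b/data/VERSION
@@ -1,15 +1,3 @@
-#
-#
-
-#
-# Future releases
-#
-# | Character | Release |
-# |-----------------|---------|
-# | "Finn McMissile"| 2.0.0 |
-# | "Fillmore" | x.x.0 |
-# |"Holly Shiftwell"| x.x.0 |
-# | "Guido" | x.x.0 |
-# | "Luigi" | x.x.0 |
-# | "Doc Hudson" | x.x.0 |
-2.0.0.rc4 - Finn McMissile
+# I removed codenames :-)
+# Code review is fun
+2.0.0.rc5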
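--- a/data/dawnscanner.gemspec
+++ b/data/dawnscanner.gemspec
@@ -52,10 +52,9 @@ Gem::Specification.new do |gem|
 # Marked to be unused right now
 # gem.add_dependency 'parser'
 
-gem.add_development_dependency
-gem.add_development_dependency
-gem.add_development_dependency
+gem.add_development_dependency('coveralls')
+gem.add_development_dependency('rake')
+gem.add_development_dependency('rspec')
 gem.add_development_dependency('tomdoc')
 gem.add_development_dependency('aruba')
-gem.add_development_dependency('simplecov')
 end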
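Review bot: The rewritten `add_development_dependency` calls on new lines 55–57 carry no version constraint, and the metadata section of this diff shows the remaining development dependencies resolving as `>= 0`, so a fresh clone pulls whatever latest rake, rspec and coveralls happen to be. A pessimistic constraint such as `gem.add_development_dependency('rspec', '~> 3.12')` (version chosen for illustration) keeps test runs reproducible and narrows what a broken or compromised upstream release can pull into CI. The old lines are truncated on this page, so whether constraints were dropped here or never existed cannot be told from the diff.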
data/lib/dawn/engine.rb
CHANGED
@@ -62,7 +62,7 @@ module Dawn
|
|
62
62
|
matches = []
|
63
63
|
raise ArgumentError.new("skipping empty file") if File.zero?(filename)
|
64
64
|
begin
|
65
|
-
matches = run(load_file(filename)) if File.
|
65
|
+
matches = run(load_file(filename)) if File.exist?(filename) && File.file?(filename) && ! File.binary?(filename) && ! must_exclude?(filename)
|
66
66
|
found = ! matches.empty?
|
67
67
|
rescue ArgumentError => e
|
68
68
|
puts "Skipping pattern match check for #(unknown): #{e.message}"
|
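Review bot: `File.binary?` in the rewritten guard (new line 65) is not a method of Ruby's core `File`; it is presumably supplied by a gem (ptools defines one), so the line silently depends on that library having been required before this check runs — worth confirming rather than relying on load order. `File.file?` is already false for a missing path, so the `File.exist?(filename) &&` clause is redundant, and the four-clause condition would read better as a named predicate, e.g. `scannable = File.file?(filename) && !File.binary?(filename) && !must_exclude?(filename)` followed by `matches = run(load_file(filename)) if scannable`. The rescue message on line 68 prints `#(unknown)` where the filename presumably belongs; if that is the literal source rather than a rendering artifact, `#{filename}` is what the log reader needs. The diffstat lists this file as +1 -0 while the hunk is +1 -1, the figures given for pattern_match_check.rb, so the hunk may belong to that file. The enclosing method starts and ends outside the hunk.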
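--- a/data/lib/dawn/knowledge_base.rb
+++ b/data/lib/dawn/knowledge_base.rb
@@ -11,6 +11,8 @@ require 'digest'
 
 require 'date'
 
+require 'fileutils'
+
 # Core KB
 require "dawn/kb/basic_check"
 require "dawn/kb/pattern_match_check"
@@ -210,7 +212,18 @@ module Dawn
 else
 Dir.glob(dir+"/**/*.yml").each do |f|
 begin
-data = YAML.load_file(f
+data = YAML.load_file(f, permitted_classes: [Dawn::Kb::UnsafeDependencyCheck,
+Dawn::Kb::BasicCheck,
+Dawn::Kb::ComboCheck,
+Dawn::Kb::DependencyCheck,
+Dawn::Kb::DeprecationCheck,
+Dawn::Kb::OperatingSystemCheck,
+Dawn::Kb::PatternMatchCheck,
+Dawn::Kb::RubygemCheck,
+Dawn::Kb::RubyVersionCheck,
+Dawn::Kb::VersionCheck,
+Date,
+Symbol])
 @security_checks << data
 good+=1
 $logger.info("#{File.basename(f)} loaded") if lint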
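Review bot: The `permitted_classes:` allow-list added to `YAML.load_file` (new lines 215–226) only restricts deserialization where `load_file` delegates to `safe_load`, which is the Psych 4 behaviour; on Psych 3 `load_file` is the unrestricted loader and, as far as I recall, does not accept that keyword, so the call would fail inside the `begin` and the file would be skipped. Because the knowledge base YAML is distributed separately from the gem (per the changelog) and is turned into live `Dawn::Kb` objects, the restriction should be explicit rather than version-dependent: `data = YAML.safe_load_file(f, permitted_classes: KB_PERMITTED_CLASSES)`. That also argues for hoisting the twelve-entry inline array into a frozen constant near the `require`s, `KB_PERMITTED_CLASSES = [Dawn::Kb::UnsafeDependencyCheck, …, Date, Symbol].freeze`, so the allow-list has one place to be audited when a check class is added. The enclosing method and the `rescue` that pairs with the `begin` on line 214 are both outside the hunk.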
data/lib/dawn/reporter.rb
CHANGED
data/lib/dawn/version.rb
CHANGED
@@ -1,26 +1,29 @@
|
|
1
1
|
require 'spec_helper'
|
2
2
|
|
3
|
-
class DependencyMockup
|
4
|
-
|
3
|
+
# class DependencyMockup
|
4
|
+
# include Dawn::Kb::DependencyCheck
|
5
5
|
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
6
|
+
# def initialize
|
7
|
+
# message = "This is a mock"
|
8
|
+
# super(
|
9
|
+
# :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
10
|
+
# :applies=>['sinatra', 'padrino', 'rails'],
|
11
|
+
# :message=> message
|
12
|
+
# )
|
13
|
+
# # self.debug = true
|
14
14
|
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
end
|
15
|
+
# self.safe_dependencies = [{:name=>'this_gem', :version=>['0.3.0', '1.3.3', '2.3.3', '2.4.2', '9.4.31.2']}]
|
16
|
+
# self.save_major = true
|
17
|
+
# end
|
18
|
+
# end
|
19
19
|
|
20
20
|
|
21
21
|
describe "The security check for gem dependency should" do
|
22
22
|
before(:all) do
|
23
|
-
@check =
|
23
|
+
@check = Dawn::Kb::DependencyCheck.new
|
24
|
+
@check.kind=Dawn::KnowledgeBase::DEPENDENCY_CHECK
|
25
|
+
@check.applies = ['sinatra', 'padrino', 'rails']
|
26
|
+
@check.message = "This is a mock"
|
24
27
|
end
|
25
28
|
# let (:check) {Mockup.new}
|
26
29
|
|
@@ -1,23 +1,13 @@
|
|
1
1
|
require 'spec_helper'
|
2
2
|
|
3
|
-
class Mockup
|
4
|
-
include Dawn::Kb::RubyVersionCheck
|
5
|
-
|
6
|
-
def initialize
|
7
|
-
message = "This is a mock"
|
8
|
-
super(
|
9
|
-
:kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
10
|
-
:applies=>['sinatra', 'padrino', 'rails'],
|
11
|
-
:message=> message
|
12
|
-
)
|
13
|
-
# self.debug = true
|
14
|
-
|
15
|
-
self.safe_rubies = [{:version=>"1.9.3", :patchlevel=>"p392"}, {:version=>"2.0.0", :patchlevel=>"p0"}]
|
16
|
-
end
|
17
|
-
end
|
18
|
-
|
19
3
|
describe "The security check for Ruby interpreter version" do
|
20
|
-
|
4
|
+
before(:all) do
|
5
|
+
@check = Dawn::Kb::RubyVersionCheck.new
|
6
|
+
@check.message = "This is a mock"
|
7
|
+
@check.kind=Dawn::KnowledgeBase::RUBY_VERSION_CHECK
|
8
|
+
@check.applies=['sinatra', 'padrino', 'rails']
|
9
|
+
@check.safe_rubies = [{:version=>"1.9.3", :patchlevel=>"p392"}, {:version=>"2.0.0", :patchlevel=>"p0"}]
|
10
|
+
end
|
21
11
|
|
22
12
|
it "fires if ruby version is vulnerable" do
|
23
13
|
check.detected_ruby = {:version=>"1.9.2", :patchlevel=>"p10000"}
|
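Review bot: In the second hunk (the Ruby version spec, per the diffstat) `before(:all)` now assigns `@check`, but the unchanged example on new line 13 still writes `check.detected_ruby = ...`; with the `Mockup` class gone, `check` no longer resolves unless a `let(:check)` survives outside the hunk, and the example would fail with a NameError instead of exercising the check — either use `@check` in the examples or add `let(:check) { @check }`. Both hunks build the check once in `before(:all)`, so a mutation in one example (such as `detected_ruby=`) leaks into the next and makes results order-dependent; `before(:each)` or a per-example `let(:check)` avoids that. In the first hunk the old `DependencyMockup` class is kept as a sixteen-line comment block (new lines 3–18); it is dead text the history already preserves, so delete it rather than comment it out. This page labels the section `data/lib/dawn/version.rb`, while the content matches the two spec files in the diffstat. Both `describe` blocks continue past the hunks.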
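--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dawnscanner
 version: !ruby/object:Gem::Version
-version: 2.0.0.
+version: 2.0.0.rc5
 platform: ruby
 authors:
 - Paolo Perego
 autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2023-03-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: cvss
@@ -220,20 +220,6 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
-- !ruby/object:Gem::Dependency
-name: simplecov
-requirement: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '0'
-type: :development
-prerelease: false
-version_requirements: !ruby/object:Gem::Requirement
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-version: '0'
 description: Dawnscanner is a security source code scanner for ruby powered code.
 It is especially designed for web applications, but it works also with general purpose
 ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino
@@ -374,7 +360,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: 1.3.1
 requirements: []
-rubygems_version: 3.
+rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
 summary: Dawnscanner is a security source code scanner for ruby powered code. It is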