dawnscanner 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cd4bbcfe33df2cf77a454baf00629653a49480c6606e8ed20c06ded4313c3dfb
-  data.tar.gz: 0a0e41109d47d2f634f2ecafc1b68c1b2596156054594c6221a9ddabd04dbc23
+  metadata.gz: b54d897767ce4e5a5e565205cafb15af72ae9bf92079718dfa416d8fcc4900cb
+  data.tar.gz: 17d4cba48fb33fb04c473b0cb9e9f85c1aa40c84f16a39c1df34332695e0435b
 SHA512:
-  metadata.gz: 40fb06e99f9cd958a0b5e1c95b52593d250a7aabb6cfd6623cb82561a88b250f1815a7ac6b81a1c4a9a1c2c3b5781d59225070adb0a776b31d0377efd33e7cc7
-  data.tar.gz: d1a37d012779435d7d8ef91161911126bdf3e0fcccb28ad113276a3036bf2cb6590d32757cccb240a845979e7667f2f8045f24a261bd8dcacabef6a81dbe0534
+  metadata.gz: c689915e7a17e4db223a9ef587a3c70ab1e6f748d54dec0463da7cf728770a77f9a298995959befbe77f322771de1c1eefb5bdd9e6c27352c389e2789d4d05e9
+  data.tar.gz: be77801fb48251c860b2b07341927dbc704eb34f28951f082d0971aa23c96cdf90d70bff219b946e67facea7022948ac9aa3353e0a87a4441ab6f7ea5f7fa19f

data/Changelog.md

@@ -5,9 +5,17 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: mer 29 mar 2023, 18:32:56, CEST_
+_latest update: thu 13 apr 2023, 16:54:52, CEST_
 
-## Version 2.0.0
+## Version 2.1.0 (2023-04-13)
+
+* BasicCheck: added an attribute do flag as vulnerable a dependency gem only if
+  it matches the name, overriding the version. It will be used in dawn kb list
+  command, when the user won't enter the version information.
+* Added the "list" subcommand to "kb". It can be used to fetch from the
+  knowledge base all CVEs affecting a particular gem.
+
+## Version 2.0.0 (2023-04-13)
 
 * New knowledge base, YAML based and distributed separately from the ruby gem.
 * New CLI based on Thor library. Please read README.md file to know how to
@@ -308,7 +316,7 @@ _latest update: mer 29 mar 2023, 18:32:56, CEST_
 
 * Adding a check for OSVDB-108569: information disclosure in backup_checksum
   gem (issue #69)
-* Fix issue #74. Now BasicChack has its own cve, osvdb attributes and a rake
+* Fix issue #74. Now BasicCheck has its own cve, osvdb attributes and a rake
   task will perform a sanity check if those values have been initialized
 * Fix issue #62 about codesake-dawn config filename
 * Adding a check for CVE-2013-2105: HTML injection in show_in_browser rubygem

data/README.md

@@ -100,11 +100,12 @@ being analyzed.
 Is it possible, with the kb subcommand, to query the knowledge base.
 
 ```
-dawn kb find            # Searches the knowledge base for a given security test
-dawn kb help [COMMAND]  # Describe subcommands or one specific subcommand
-dawn kb lint            # Checks knowledge base content for correcteness
-dawn kb status          # Checks the status of the knowledge base
-dawn kb unpack          # Unpacks security checks in KB library path
+dawn kb find                        # Searches the knowledge base for a given vulnerability
+dawn kb help [COMMAND]              # Describe subcommands or one specific subcommand
+dawn kb lint                        # Checks knowledge base content for correcteness
+dawn kb list gem_name[gem_version]  # List all security issues affecting a gem passed as argument (the version string is optional).
+dawn kb status                      # Checks the status of the knowledge base
+dawn kb unpack                      # Unpacks security checks in KB library path
 ```
 
 ## Useful links

data/VERSION

@@ -1,3 +1,3 @@
 # I removed codenames :-)
 # Code review is fun
-2.0.0
+2.1.0

data/checksum/dawnscanner-2.0.0.gem.sha1

@@ -0,0 +1 @@
+85ef0190d8b51e779c42122f673bb6dd495a8d9f

data/dawnscanner.gemspec

@@ -5,17 +5,17 @@ Gem::Specification.new do |gem|
   gem.name          = "dawnscanner"
   gem.version       = Dawn::VERSION
   gem.authors       = ["Paolo Perego"]
-  gem.email         = ["paolo@dawnscanner.org"]
-  gem.description   = %q{Dawnscanner is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 150 security checks with their own mitigation suggestion.}
-  gem.summary       = %q{Dawnscanner is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
-  gem.homepage      = "https://dawnscanner.org"
+  gem.email         = ["paolo@armoredcode.com"]
+  gem.description   = %q{dawn is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 680 security checks with their own mitigation suggestion.}
+  gem.summary       = %q{dawn is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
+  gem.homepage      = "https://github.com/thesp0nge/dawnscanner"
   gem.files         = `git ls-files`.split($/)
   gem.license       = "MIT"
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
-  gem.required_ruby_version = '>= 2.3.0'
+  gem.required_ruby_version = '>= 3.0.0'
 
   gem.add_dependency 'cvss'
   gem.add_dependency 'haml'

data/lib/dawn/cli/dawn_cli.rb

@@ -6,21 +6,34 @@ module Dawn
     # This class is responsible for the "dawn kb" command and related
     # subcommands.
     class Kb < Thor
-      package_name "dawnscanner"
-      desc "find", "Searches the knowledge base for a given security test"
+      package_name "dawn"
+      class_option :verbose, :type=>:boolean
+      class_option :debug, :type=>:boolean
+
+      no_commands{
+        def init_globals
+          $debug = true if options[:debug]
+          $verbose = true if options[:verbose]
+        end
+      }
+
+      desc "find", "Searches the knowledge base for a given vulnerability"
       def find(string)
+        init_globals
         kb = Dawn::KnowledgeBase.instance
         kb.find(string)
       end
 
       desc "lint", "Checks knowledge base content for correcteness"
       def lint
+        init_globals
         kb = Dawn::KnowledgeBase.instance
         kb.load(true)
       end
 
       desc "unpack", "Unpacks security checks in KB library path"
       def unpack
+        init_globals
         $logger.helo APPNAME, Dawn::VERSION
         kb = Dawn::KnowledgeBase.instance
         kb.unpack
@@ -30,6 +43,7 @@ module Dawn
 
       desc "status", "Checks the status of the knowledge base"
       def status
+        init_globals
         $logger.helo APPNAME, Dawn::VERSION
         Dawn::KnowledgeBase.enabled_checks=[:bulletin, :generic_check]
         kb = Dawn::KnowledgeBase.instance
@@ -44,10 +58,29 @@ module Dawn
         $logger.bye
         Kernel.exit(0)
       end
+
+      desc "list gem_name[gem_version]", "List all security issues affecting a gem passed as argument (the version string is optional)."
+      def list(gem_name, gem_version=nil)
+        init_globals
+        to_check="#{gem_name}"
+        to_check += ":#{gem_version}" unless gem_version.nil?
+
+        Dawn::KnowledgeBase.enabled_checks=[:bulletin]
+        kb = Dawn::KnowledgeBase.instance
+        kb.load
+        if kb.security_checks.empty?
+          $logger.error(kb.error)
+        end
+        issues = kb.find_issues_by_gem(to_check)
+
+        issues.each do |issue|
+          puts "#{issue.name} "
+        end
+      end
     end
 
     class DawnCli < Thor
-      package_name "dawnscanner"
+      package_name "dawn"
       class_option :verbose, :type=>:boolean
       class_option :debug, :type=>:boolean
 

data/lib/dawn/kb/basic_check.rb

@@ -78,6 +78,13 @@ module Dawn
       #   + :none
       attr_accessor :priority
 
+      # Introduced in 2.1.0
+      # It allows a security check to be marked as positive (vulnerable), only
+      # if it matches the dependency gem name, ignoring the version.
+      #
+      # Only used in DEPENDENCY and UNSAFE_DEPENDENCY checks
+      attr_accessor :please_ignore_dep_version
+
       def initialize(options={})
         @applies                  = []
         @ruby_version             = ""
@@ -114,6 +121,8 @@ module Dawn
         @priority         = options[:priority] unless options[:priority].nil?
         @check_family     = options[:check_family] unless options[:check_family].nil?
 
+        @please_ignore_dep_version = false
+
         # FIXME.20140325
         #
         # I don't want to manually fix 150+ ruby files to add something I can

data/lib/dawn/kb/unsafe_depedency_check.rb

@@ -31,10 +31,9 @@ module Dawn
         @dependencies.each do |dep|
           unless @vulnerable_version_array.nil? or @vulnerable_version_array.empty?
             if dep[:name] == @vulnerable_version_array[0][:name]
-              debug_me("DEP VERSION #{dep[:version]}")
-              debug_me("VULN_VER #{@vulnerable_version_array[0][:version]}")
-              return false if @vulnerable_version_array[0][:version].nil? or @vulnerable_version_array[0][:version].empty?
-              return true if @vulnerable_version_array[0][:version].include? dep[:version]
+              return true   if @please_ignore_dep_version
+              return false  if @vulnerable_version_array[0][:version].nil? or @vulnerable_version_array[0][:version].empty?
+              return true   if @vulnerable_version_array[0][:version].include? dep[:version]
             end
           end
         end

data/lib/dawn/knowledge_base.rb

@@ -122,6 +122,39 @@ module Dawn
 
     def find(name)
       debug_me "I'm asked to find #{name}"
+      debug_me "Please implement find command"
+    end
+
+    # Find all security issues affecting the gem passed as argument.
+    # The gem parameter can contains also the version number, separated by a
+    # ':'
+    #
+    # == Parameters:
+    # string::
+    #   A string containing the gem name, and eventually the version, to search
+    #   for vulnerabilities.
+    #   e.g.
+    #     $ dawn kb list sinatra        =>  returns all bulletins affecting sinatra gem
+    #     $ dawn kb list sinatra 2.0.0  =>  return all bulletins affecting
+    #                                       sinatra gem version 2.0.0
+    #
+    # == Returns:
+    # An array with all the vulnerabilities affecting the gem (or the
+    # particular gem version if provided).
+    def find_issues_by_gem(string = "")
+      issues = []
+      @security_checks.each do |check|
+        if check.kind == Dawn::KnowledgeBase::DEPENDENCY_CHECK or check.kind == Dawn::KnowledgeBase::UNSAFE_DEPENDENCY_CHECK
+             debug_me "applying check #{check.name}"
+             name = string.split(':')[0]
+             version = string.split(':')[1]
+             check.please_ignore_dep_version = true if version.nil?
+             check.dependencies  = [{:name=>name, :version=>version}]
+             issues << check if check.vuln?
+        end
+      end
+      debug_me "#{issues}"
+      return issues
     end
 
     def unpack
@@ -187,6 +220,10 @@ module Dawn
       good    =0
       invalid =0
 
+      unless @security_checks.nil?
+        debug_me("KB was previously loaded")
+        return @security_checks
+      end
       @security_checks = []
       # $path = File.join(Dir.pwd, "db")
 

data/lib/dawn/version.rb

@@ -1,6 +1,6 @@
 module Dawn
-    VERSION = "2.0.0"
+    VERSION = "2.1.0"
     RELEASE = "20230413"
-    BUILD = "13"
-    COMMIT = "g23e6a59"
+    BUILD = "3"
+    COMMIT = "gc8a1ac6"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dawnscanner
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - Paolo Perego
@@ -220,13 +220,12 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: Dawnscanner is a security source code scanner for ruby powered code.
-  It is especially designed for web applications, but it works also with general purpose
-  ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino
-  and sinatra; it provides more than 150 security checks with their own mitigation
-  suggestion.
+description: dawn is a security source code scanner for ruby powered code. It is especially
+  designed for web applications, but it works also with general purpose ruby scripts.
+  Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra;
+  it provides more than 680 security checks with their own mitigation suggestion.
 email:
-- paolo@dawnscanner.org
+- paolo@armoredcode.com
 executables:
 - dawn
 extensions: []
@@ -273,6 +272,7 @@ files:
 - checksum/dawnscanner-1.6.6.gem.sha1
 - checksum/dawnscanner-1.6.7.gem.sha1
 - checksum/dawnscanner-1.6.8.gem.sha1
+- checksum/dawnscanner-2.0.0.gem.sha1
 - checksum/dawnscanner-2.0.0.rc1.gem.sha1
 - checksum/dawnscanner-2.0.0.rc2.gem.sha1
 - checksum/dawnscanner-2.0.0.rc3.gem.sha1
@@ -342,7 +342,7 @@ files:
 - support/bootstrap.js
 - support/bootstrap.min.css
 - support/codesake.css
-homepage: https://dawnscanner.org
+homepage: https://github.com/thesp0nge/dawnscanner
 licenses:
 - MIT
 metadata: {}
@@ -354,7 +354,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.3.0
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -364,9 +364,8 @@ requirements: []
 rubygems_version: 3.3.26
 signing_key:
 specification_version: 4
-summary: Dawnscanner is a security source code scanner for ruby powered code. It is
-  crafted with love to make your sinatra, padrino and ruby on rails web applications
-  secure.
+summary: dawn is a security source code scanner for ruby powered code. It is crafted
+  with love to make your sinatra, padrino and ruby on rails web applications secure.
 test_files:
 - features/dawn_complains_about_an_incorrect_command_line.feature.disabled
 - features/dawn_scan_a_secure_sinatra_app.feature.disabled