RubyGems - dawnscanner - Versions diffs - 2.1.1 → 2.2.0 - Mend

dawnscanner 2.1.1 → 2.2.0

Files changed (19) hide show

checksums.yaml +4 -4
data/Changelog.md +8 -1
data/VERSION +1 -1
data/checksum/dawnscanner-2.1.1.gem.sha1 +1 -0
data/lib/dawn/kb/dependency_check.rb +4 -0
data/lib/dawn/kb/unsafe_depedency_check.rb +16 -0
data/lib/dawn/version.rb +4 -4
data/spec/lib/kb/codesake_ruby_version_check_spec.rb +12 -13
data/spec/lib/kb/codesake_unsafe_dependency_check_normal_spec.rb +39 -0
data/spec/lib/kb/codesake_unsafe_dependency_check_version_end_excluding_spec.rb +43 -0
data/spec/lib/kb/codesake_unsafe_dependency_check_version_end_including_spec.rb +44 -0
data/spec/lib/kb/dependency_check_with_version_end_excluding.yml +23 -0
data/spec/lib/kb/dependency_check_with_version_end_including.yml +23 -0
metadata +13 -12
data/spec/lib/dawn/codesake_knowledgebase_spec.rb +0 -1202
data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +0 -35
data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +0 -41
data/spec/lib/kb/codesake_dependency_version_check_spec.rb +0 -79
data/spec/lib/kb/codesake_unsafe_dependency_check_spec.rb +0 -29

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fbb231ba7ae0542ffa5a4df93bf1957ca989e4073129f8c57894b2f6d5813973
-  data.tar.gz: 833442b38e833db16ee550a56e26ce67b69cc77ee4ff2b69389bd1dab7ff16b3
+  metadata.gz: 94b039813bed12f92d3312623d3b2168c91a71689b285a49941285b8e3715221
+  data.tar.gz: 7170bc49eeb84ae09c71577b9a79b147dc4fb4e1ba820375f83095e889fa1dea
 SHA512:
-  metadata.gz: 157a7aaf188e55b35027cae52ae7f7a71146d2b490ab5d31b8eaf3dcfc29a10de0dc3ef646e0d9b8f30330ec3b73412df62bdb4467233046b92a98f2ba4bb81a
-  data.tar.gz: 012e8a07b7d8bdde1947b8c0ccd6fee4bd31336c72481934ec74d4f252847fb26a0bcbab60550c2221d9716d2e51bdefeff140425c99a82e7af4df5e15a7b074
+  metadata.gz: db223e25eb6e0cb0330f4e31113858b8b584dc6ccc0bde728c7024e206c80fe811608a2dc256601f143b436941ff7bc4e0331f6901086eccb55aeaea0226e2ad
+  data.tar.gz: 77b67d5bcccb8b610ecc2b123fa707ea7e52d1509db89d05eb249956398b9cec12e7e75a65a4427bce06b5339b3fe53c09d75a9d277f20660990aeb704539ddb

data/Changelog.md CHANGED Viewed

@@ -5,7 +5,14 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
-_latest update: fri 14 apr 2023, 16:36:56, CEST_
+_latest update: Mon 17 Apr 2023, 18:07:04, CEST_
+## Version 2.2.0 (2023-04-17)
+* DepedencyCheck: marked as deprecated
+* UnsafeDependencyCheck: added support for new kb keywords:
+    - versionEndIncluding
+    - versionEndExcluding
 ## Version 2.1.1 (2023-04-14)

data/VERSION CHANGED Viewed

@@ -1,3 +1,3 @@
 # I removed codenames :-)
 # Code review is fun
-2.1.1
+2.2.0

data/checksum/dawnscanner-2.1.1.gem.sha1 ADDED Viewed

	@@ -0,0 +1 @@
1	+ 140e3b04589881711a85100bc9b93959382f9b39

data/lib/dawn/kb/dependency_check.rb CHANGED Viewed

@@ -25,10 +25,14 @@ module Dawn
       attr_accessor :save_minor
       attr_accessor :save_major
+      # @deprecated Please use UnsafeDependencyCheck instead. This class is no
+      # longer supperted and it will be removed really soon.
       def initialize(options)
         super(options)
         @save_minor ||= options[:save_minor]
         @save_major ||= options[:save_major]
+        warn "This class is deprecated. Please use UnsafeDependencyCheck instead"
       end
       def vuln?

data/lib/dawn/kb/unsafe_depedency_check.rb CHANGED Viewed

@@ -31,6 +31,22 @@ module Dawn
         @dependencies.each do |dep|
           unless @vulnerable_version_array.nil? or @vulnerable_version_array.empty?
             if dep[:name] == @vulnerable_version_array[0][:name]
+              unless @vulnerable_version_array[0][:versionEndIncluding].nil?
+                if (Gem::Version.new(dep[:version]) > Gem::Version.new(@vulnerable_version_array[0][:versionEndIncluding]))
+                  return false
+                else
+                  return true
+                end
+              end
+              unless @vulnerable_version_array[0][:versionEndExcluding].nil?
+                if (Gem::Version.new(dep[:version]) >= Gem::Version.new(@vulnerable_version_array[0][:versionEndExcluding]))
+                  return false
+                else
+                  return true
+                end
+              end
               return true   if @please_ignore_dep_version
               return false  if @vulnerable_version_array[0][:version].nil? or @vulnerable_version_array[0][:version].empty?
               return true   if @vulnerable_version_array[0][:version].include? dep[:version]

data/lib/dawn/version.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 module Dawn
-    VERSION = "2.1.1"
-    RELEASE = "20230414"
-    BUILD = "1"
-    COMMIT = "gbb3ea6d"
+    VERSION = "2.2.0"
+    RELEASE = "20230417"
+    BUILD = "4"
+    COMMIT = "gbd023a5"
 end

data/spec/lib/kb/codesake_ruby_version_check_spec.rb CHANGED Viewed

@@ -2,29 +2,28 @@ require 'spec_helper'
 describe "The security check for Ruby interpreter version" do
   before(:all) do
-    @check = Dawn::Kb::RubyVersionCheck.new
-    @check.message = "This is a mock"
-    @check.kind=Dawn::KnowledgeBase::RUBY_VERSION_CHECK
-    @check.applies=['sinatra', 'padrino', 'rails']
-    @check.safe_rubies = [{:version=>"1.9.3", :patchlevel=>"p392"}, {:version=>"2.0.0", :patchlevel=>"p0"}]
+    @check = Dawn::Kb::RubyVersionCheck.new(:name=>"Mocked",
+                                            :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+                                            :applies=>['sinatra', 'padrino', 'rails'])
+    @check.safe_rubies=[{:version=>"1.9.3", :patchlevel=>"p392"}, {:version=>"2.0.0", :patchlevel=>"p0"}]
   end
   it "fires if ruby version is vulnerable" do
-    check.detected_ruby = {:version=>"1.9.2", :patchlevel=>"p10000"}
-    expect(check.vuln?).to    eq(true)
+    @check.detected_ruby = {:version=>"1.9.2", :patchlevel=>"p10000"}
+    expect(@check.vuln?).to    eq(true)
   end
   it "doesn't fire if ruby version is not vulnerable and patchlevel is not vulnerable" do
-    check.detected_ruby = {:version=>"1.9.4", :patchlevel=>"p10000"}
-    expect(check.vuln?).to    eq(false)
+    @check.detected_ruby = {:version=>"1.9.4", :patchlevel=>"p10000"}
+    expect(@check.vuln?).to    eq(false)
   end
   it "doesn't fire if ruby version is vulnerable and patchlevel is not vulnerable" do
-    check.detected_ruby = {:version=>"1.9.3", :patchlevel=>"p10000"}
-    expect(check.vuln?).to    eq(false)
+    @check.detected_ruby = {:version=>"1.9.3", :patchlevel=>"p10000"}
+    expect(@check.vuln?).to    eq(false)
   end
   it "fires if ruby version is vulnerable and patchlevel is vulnerable" do
-    check.detected_ruby = {:version=>"1.9.3", :patchlevel=>"p391"}
-    expect(check.vuln?).to    eq(true)
+    @check.detected_ruby = {:version=>"1.9.3", :patchlevel=>"p391"}
+    expect(@check.vuln?).to    eq(true)
   end
 end

data/spec/lib/kb/codesake_unsafe_dependency_check_normal_spec.rb ADDED Viewed

@@ -0,0 +1,39 @@
+require 'spec_helper'
+describe "The security check for gem unsafe dependency should" do
+  before(:all) do
+    f = "./spec/lib/kb/dependency_check.yml"
+    @check = YAML.load_file(f, permitted_classes: [Dawn::Kb::UnsafeDependencyCheck,
+                                                   Dawn::Kb::BasicCheck,
+                                                   Dawn::Kb::ComboCheck,
+                                                   Dawn::Kb::DependencyCheck,
+                                                   Dawn::Kb::DeprecationCheck,
+                                                   Dawn::Kb::OperatingSystemCheck,
+                                                   Dawn::Kb::PatternMatchCheck,
+                                                   Dawn::Kb::RubygemCheck,
+                                                   Dawn::Kb::RubyVersionCheck,
+                                                   Dawn::Kb::VersionCheck,
+                                                   Date,
+                                                   Symbol])
+  end
+  it "fires if vulnerable 0.5.0 version is detected" do
+    @check.dependencies = [{:name=>"acme-gem", :version=>'0.5.0'}]
+    expect(@check.vuln?).to    eq(true)
+  end
+  it "fires if vulnerable 1.3.2 version is found" do
+    @check.dependencies = [{:name=>"acme-gem", :version=>'1.3.2'}]
+    expect(@check.vuln?).to    eq(true)
+  end
+  it "fires if vulnerable 3.4.0 version is found" do
+    @check.dependencies = [{:name=>"acme-gem", :version=>'3.4.0'}]
+    expect(@check.vuln?).to    eq(true)
+  end
+  it "doesn't fire if not vulnerable 3.0.0 version is found" do
+    @check.dependencies = [{:name=>"acme-gem", :version=>'3.0.0'}]
+    expect(@check.vuln?).to    eq(false)
+  end
+end

data/spec/lib/kb/codesake_unsafe_dependency_check_version_end_excluding_spec.rb ADDED Viewed

@@ -0,0 +1,43 @@
+require 'spec_helper'
+describe "The security check for gem unsafe dependency, when versionEndExcluding is set, should" do
+  before(:all) do
+    f = "./spec/lib/kb/dependency_check_with_version_end_excluding.yml"
+    @check = YAML.load_file(f, permitted_classes: [Dawn::Kb::UnsafeDependencyCheck,
+                                                   Dawn::Kb::BasicCheck,
+                                                   Dawn::Kb::ComboCheck,
+                                                   Dawn::Kb::DependencyCheck,
+                                                   Dawn::Kb::DeprecationCheck,
+                                                   Dawn::Kb::OperatingSystemCheck,
+                                                   Dawn::Kb::PatternMatchCheck,
+                                                   Dawn::Kb::RubygemCheck,
+                                                   Dawn::Kb::RubyVersionCheck,
+                                                   Dawn::Kb::VersionCheck,
+                                                   Date,
+                                                   Symbol])
+  end
+  it "fires if vulnerable 0.5.0 version is detected" do
+    @check.dependencies = [{:name=>"acme-gem", :version=>'0.5.0'}]
+    expect(@check.vuln?).to    eq(true)
+  end
+  it "fires if vulnerable 1.3.2 version is found" do
+    @check.dependencies = [{:name=>"acme-gem", :version=>'1.3.2'}]
+    expect(@check.vuln?).to    eq(true)
+  end
+  it "fires if vulnerable 2.7.2.1 version is found" do
+    @check.dependencies = [{:name=>"acme-gem", :version=>'2.7.2.1'}]
+    expect(@check.vuln?).to    eq(true)
+  end
+  it "fires if vulnerable 2.7.2.2 version is found" do
+    @check.dependencies = [{:name=>"acme-gem", :version=>'2.7.2.2'}]
+    expect(@check.vuln?).to    eq(false)
+  end
+  it "doesn't fire if not vulnerable 3.0 version is found" do
+    @check.dependencies = [{:name=>"acme-gem", :version=>'3.0'}]
+    expect(@check.vuln?).to    eq(false)
+  end
+end

data/spec/lib/kb/codesake_unsafe_dependency_check_version_end_including_spec.rb ADDED Viewed

@@ -0,0 +1,44 @@
+require 'spec_helper'
+describe "The security check for gem unsafe dependency, when versionEndIncluding is set, should" do
+  before(:all) do
+    f = "./spec/lib/kb/dependency_check_with_version_end_including.yml"
+    @check = YAML.load_file(f, permitted_classes: [Dawn::Kb::UnsafeDependencyCheck,
+                                                   Dawn::Kb::BasicCheck,
+                                                   Dawn::Kb::ComboCheck,
+                                                   Dawn::Kb::DependencyCheck,
+                                                   Dawn::Kb::DeprecationCheck,
+                                                   Dawn::Kb::OperatingSystemCheck,
+                                                   Dawn::Kb::PatternMatchCheck,
+                                                   Dawn::Kb::RubygemCheck,
+                                                   Dawn::Kb::RubyVersionCheck,
+                                                   Dawn::Kb::VersionCheck,
+                                                   Date,
+                                                   Symbol])
+    @check.debug=true
+  end
+  it "fires if vulnerable 0.5.0 version is detected" do
+    @check.dependencies = [{:name=>"acme-gem", :version=>'0.5.0'}]
+    expect(@check.vuln?).to    eq(true)
+  end
+  it "fires if vulnerable 1.3.2 version is found" do
+    @check.dependencies = [{:name=>"acme-gem", :version=>'1.3.2'}]
+    expect(@check.vuln?).to    eq(true)
+  end
+  it "fires if vulnerable 2.7.2.1 version is found" do
+    @check.dependencies = [{:name=>"acme-gem", :version=>'2.7.2.1'}]
+    expect(@check.vuln?).to    eq(true)
+  end
+  it "fires if vulnerable 2.7.2.2 version is found" do
+    @check.dependencies = [{:name=>"acme-gem", :version=>'2.7.2.2'}]
+    expect(@check.vuln?).to    eq(true)
+  end
+  it "doesn't fire if not vulnerable 3.0 version is found" do
+    @check.dependencies = [{:name=>"acme-gem", :version=>'3.0'}]
+    expect(@check.vuln?).to    eq(false)
+  end
+end

data/spec/lib/kb/dependency_check_with_version_end_excluding.yml ADDED Viewed

@@ -0,0 +1,23 @@
+--- !ruby/object:Dawn::Kb::UnsafeDependencyCheck
+applies:
+- rails
+- sinatra
+- padrino
+title: A test here
+cvss: '(AV:L/AC:L/Au:S/C:N/I:C/A:C)'
+cve: 'CVE-2023-99999'
+owasp: A9
+release_date: '25/03/2023'
+kind: :unsafe_dependency_check
+message: |-
+  Lorem ipsum dolor sit amet, consectetur adipiscing elit. Curabitur nisi turpis, tincidunt rhoncus leo sed, euismod sollicitudin nisl. In a arcu accumsan, fermentum quam vel, auctor risus. Nulla non sollicitudin libero. Cras hendrerit consectetur pulvinar. Vivamus ligula quam, vulputate eget justo in, varius rhoncus lorem. Nulla vel volutpat enim. Nulla hendrerit posuere tempor. Nulla in metus eget lacus tempor sollicitudin sed et dolor. Ut interdum volutpat felis, ac bibendum mauris volutpat ut. Etiam posuere justo ex, nec faucibus orci suscipit sit amet. Vivamus rutrum massa fermentum mi pellentesque vehicula. Nullam elementum urna mauris, nec cursus risus convallis vel. Nulla consectetur enim ut magna rutrum, et mollis ante auctor. Etiam accumsan in lacus et ultricies. Morbi ullamcorper velit a ipsum egestas, quis laoreet lectus placerat. Maecenas nunc augue, pulvinar non ligula ac, maximus venenatis mi.
+remediation: |-
+  Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse et metus blandit, viverra ante a, auctor urna. Integer eget est ac nisl bibendum pharetra. Vivamus rhoncus neque vitae felis congue luctus. Praesent vitae lobortis mi. Nulla malesuada elit dictum tincidunt volutpat. Quisque tincidunt lorem nec eros ullamcorper lobortis. Nunc in felis sit amet purus sollicitudin tincidunt. Sed semper sapien nisi, non rutrum orci ultricies eget. Integer neque mauris, gravida ac varius nec, tincidunt consequat turpis. Fusce nisi metus, iaculis a eros eget, interdum sodales lectus. Pellentesque purus nisi, venenatis ut quam vitae, lacinia tristique turpis. Morbi sed maximus odio, et interdum risus. Duis nec congue lacus. Nunc sed elit a leo fermentum feugiat a aliquam arcu.
+severity: :critical
+priority: :high
+check_family: :bulletin
+vulnerable_version_array:
+- :name: 'acme-gem'
+  :versionEndExcluding: '2.7.2.2'

data/spec/lib/kb/dependency_check_with_version_end_including.yml ADDED Viewed

@@ -0,0 +1,23 @@
+--- !ruby/object:Dawn::Kb::UnsafeDependencyCheck
+applies:
+- rails
+- sinatra
+- padrino
+title: A test here
+cvss: '(AV:L/AC:L/Au:S/C:N/I:C/A:C)'
+cve: 'CVE-2023-99999'
+owasp: A9
+release_date: '25/03/2023'
+kind: :unsafe_dependency_check
+message: |-
+  Lorem ipsum dolor sit amet, consectetur adipiscing elit. Curabitur nisi turpis, tincidunt rhoncus leo sed, euismod sollicitudin nisl. In a arcu accumsan, fermentum quam vel, auctor risus. Nulla non sollicitudin libero. Cras hendrerit consectetur pulvinar. Vivamus ligula quam, vulputate eget justo in, varius rhoncus lorem. Nulla vel volutpat enim. Nulla hendrerit posuere tempor. Nulla in metus eget lacus tempor sollicitudin sed et dolor. Ut interdum volutpat felis, ac bibendum mauris volutpat ut. Etiam posuere justo ex, nec faucibus orci suscipit sit amet. Vivamus rutrum massa fermentum mi pellentesque vehicula. Nullam elementum urna mauris, nec cursus risus convallis vel. Nulla consectetur enim ut magna rutrum, et mollis ante auctor. Etiam accumsan in lacus et ultricies. Morbi ullamcorper velit a ipsum egestas, quis laoreet lectus placerat. Maecenas nunc augue, pulvinar non ligula ac, maximus venenatis mi.
+remediation: |-
+  Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse et metus blandit, viverra ante a, auctor urna. Integer eget est ac nisl bibendum pharetra. Vivamus rhoncus neque vitae felis congue luctus. Praesent vitae lobortis mi. Nulla malesuada elit dictum tincidunt volutpat. Quisque tincidunt lorem nec eros ullamcorper lobortis. Nunc in felis sit amet purus sollicitudin tincidunt. Sed semper sapien nisi, non rutrum orci ultricies eget. Integer neque mauris, gravida ac varius nec, tincidunt consequat turpis. Fusce nisi metus, iaculis a eros eget, interdum sodales lectus. Pellentesque purus nisi, venenatis ut quam vitae, lacinia tristique turpis. Morbi sed maximus odio, et interdum risus. Duis nec congue lacus. Nunc sed elit a leo fermentum feugiat a aliquam arcu.
+severity: :critical
+priority: :high
+check_family: :bulletin
+vulnerable_version_array:
+- :name: 'acme-gem'
+  :versionEndIncluding: '2.7.2.2'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dawnscanner
 version: !ruby/object:Gem::Version
-  version: 2.1.1
+  version: 2.2.0
 platform: ruby
 authors:
 - Paolo Perego
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-14 00:00:00.000000000 Z
+date: 2023-04-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: cvss
@@ -278,6 +278,7 @@ files:
 - checksum/dawnscanner-2.0.0.rc3.gem.sha1
 - checksum/dawnscanner-2.0.0.rc5.gem.sha1
 - checksum/dawnscanner-2.1.0.gem.sha1
+- checksum/dawnscanner-2.1.1.gem.sha1
 - code_of_conduct.md
 - dawnscanner.gemspec
 - doc/change.sh
@@ -325,18 +326,18 @@ files:
 - lib/dawnscanner.rb
 - lib/tasks/dawn_tasks.rake
 - spec/lib/dawn/codesake_core_spec.rb
-- spec/lib/dawn/codesake_knowledgebase_spec.rb
 - spec/lib/dawn/codesake_padrino_engine_disabled.rb
 - spec/lib/dawn/codesake_rails_engine_disabled.rb
 - spec/lib/dawn/codesake_sinatra_engine_disabled.rb
-- spec/lib/kb/codesake_cve_2013_0175_spec.rb
-- spec/lib/kb/codesake_cve_2013_4457_spec.rb
-- spec/lib/kb/codesake_dependency_version_check_spec.rb
 - spec/lib/kb/codesake_deprecation_check_spec.rb
 - spec/lib/kb/codesake_ruby_version_check_spec.rb
-- spec/lib/kb/codesake_unsafe_dependency_check_spec.rb
+- spec/lib/kb/codesake_unsafe_dependency_check_normal_spec.rb
+- spec/lib/kb/codesake_unsafe_dependency_check_version_end_excluding_spec.rb
+- spec/lib/kb/codesake_unsafe_dependency_check_version_end_including_spec.rb
 - spec/lib/kb/codesake_version_check_spec.rb
 - spec/lib/kb/dependency_check.yml
+- spec/lib/kb/dependency_check_with_version_end_excluding.yml
+- spec/lib/kb/dependency_check_with_version_end_including.yml
 - spec/lib/kb/owasp_ror_cheatsheet_disabled.rb
 - spec/lib/kb/yamilize_kb_spec.rb
 - spec/spec_helper.rb
@@ -374,18 +375,18 @@ test_files:
 - features/step_definition/dawn_steps.rb
 - features/support/env.rb
 - spec/lib/dawn/codesake_core_spec.rb
-- spec/lib/dawn/codesake_knowledgebase_spec.rb
 - spec/lib/dawn/codesake_padrino_engine_disabled.rb
 - spec/lib/dawn/codesake_rails_engine_disabled.rb
 - spec/lib/dawn/codesake_sinatra_engine_disabled.rb
-- spec/lib/kb/codesake_cve_2013_0175_spec.rb
-- spec/lib/kb/codesake_cve_2013_4457_spec.rb
-- spec/lib/kb/codesake_dependency_version_check_spec.rb
 - spec/lib/kb/codesake_deprecation_check_spec.rb
 - spec/lib/kb/codesake_ruby_version_check_spec.rb
-- spec/lib/kb/codesake_unsafe_dependency_check_spec.rb
+- spec/lib/kb/codesake_unsafe_dependency_check_normal_spec.rb
+- spec/lib/kb/codesake_unsafe_dependency_check_version_end_excluding_spec.rb
+- spec/lib/kb/codesake_unsafe_dependency_check_version_end_including_spec.rb
 - spec/lib/kb/codesake_version_check_spec.rb
 - spec/lib/kb/dependency_check.yml
+- spec/lib/kb/dependency_check_with_version_end_excluding.yml
+- spec/lib/kb/dependency_check_with_version_end_including.yml
 - spec/lib/kb/owasp_ror_cheatsheet_disabled.rb
 - spec/lib/kb/yamilize_kb_spec.rb
 - spec/spec_helper.rb