Added support for ascii tables report. Now we can improve the output

generation putting all the presentation logic in the Reporting class,
refactoring bin/dawn script to be more readable... far more readable.

Changelog.md

@@ -7,6 +7,11 @@ frameworks.
 
 _latest update: Fri Jan 24 07:57:58 CET 2014_
 
+## Version 1.1.0 - codename: Tom Mater (2014-xx-xx)
+
+* Added a --ascii-tabular-report (-a) to produce a report formatted with ascii
+  tables. A bit of bin/dawn refactoring was necessary.
+
 ## Version 1.0.1 - codename: Lightning McQueen (2014-01-25)
 
 * Fixing issue #22. PatternMatchingCheck evaluates lines starting with the '#'

Roadmap.md

@@ -7,7 +7,7 @@ frameworks.
 
 This is an ongoing roadmap for the Codesake::Dawn source code review tool.
 
-_latest update: Fri Jan 17 08:09:29 CET 2014_
+_latest update: Thu Jan 30 08:39:13 CET 2014_
 
 ## Version 1.1.0
 
@@ -43,8 +43,7 @@ _latest update: Fri Jan 17 08:09:29 CET 2014_
 * Add a ruby deprecation check, accordingly to https://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering
 * Add a severity attribute to basic check. It must be calculated automatically
   on the cvss_score or it may be overriden upon check creation.
-* Better bin/dawn script output formatting using some library like PrettyPrint
-  (this can involve a change in codesake-commons package).
+* bin/dawn refactoring using the new Reporting class to produce json, csv, html output
 
 ## Version 1.2.0
 

bin/dawn

@@ -16,7 +16,7 @@ VALID_OUTPUT_FORMAT   = %w(console json csv html)
 $logger  = Codesake::Commons::Logging.instance
 $logger.helo APPNAME, Codesake::Dawn::VERSION
 opts    = GetoptLong.new(
-  [ '--ascii-report',           '-a',   GetoptLong::NO_ARGUMENT],
+  [ '--ascii-tabular-report',   '-a',   GetoptLong::NO_ARGUMENT],
   [ '--rails',                  '-r',   GetoptLong::NO_ARGUMENT],
   [ '--sinatra',                '-s',   GetoptLong::NO_ARGUMENT],
   [ '--padrino',                '-p',   GetoptLong::NO_ARGUMENT],
@@ -32,7 +32,7 @@ opts    = GetoptLong.new(
   [ '--help',                   '-h',   GetoptLong::NO_ARGUMENT]
 )
 engine  = nil
-options = {:verbose=>false, :output=>"console", :count_only=>false, :dump_kb=>false, :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :debug=>false, :exit_on_warn => false, :ascii_report=>false}
+options = {:verbose=>false, :output=>"console", :count_only=>false, :dump_kb=>false, :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :debug=>false, :exit_on_warn => false, :ascii_tabular_report=>false}
 
 trap("INT")   { $logger.die('[INTERRUPTED]') }
 check = ""
@@ -44,8 +44,8 @@ opts.each do |opt, val|
   when '--version'
     puts "#{Codesake::Dawn::VERSION} [#{Codesake::Dawn::CODENAME}]"
     Kernel.exit(0)
-  when '--ascii-report'
-    options[:ascii_report] = true
+  when '--ascii-tabular-report'
+    options[:ascii_tabular_report] = true
   when '--rails'
     options[:mvc]=:rails
   when '--sinatra'
@@ -129,6 +129,13 @@ if options[:exit_on_warn]
   end
 end
 
+$logger.die "missing target framework option" if engine.nil?
+$logger.warn "this is a development Codesake::Dawn version" if Codesake::Dawn::RELEASE == "(development)"
+$logger.die "nothing to do on #{target}" if ! options[:gemfile_scan] && ! engine.can_apply? 
+
+engine.load_knowledge_base
+ret = engine.apply_all
+
 if options[:count_only] 
   ret = Codesake::Dawn::Core.dry_run(target, engine)
 
@@ -142,14 +149,8 @@ if options[:output] == "json"
   Kernel.exit(0)
 end
 
-$logger.die "missing target framework option" if engine.nil?
 
-engine.load_knowledge_base
-$logger.warn "this is a development Codesake::Dawn version" if Codesake::Dawn::RELEASE == "(development)"
-
-$logger.die "nothing to do on #{target}" if ! options[:gemfile_scan] && ! engine.can_apply? 
-
-unless options[:ascii_report]
+unless options[:ascii_tabular_report]
 
 $logger.log "scanning #{target}"
 $logger.log "#{engine.name} v#{engine.get_mvc_version} detected" unless engine.name == "Gemfile.lock"
@@ -195,48 +196,6 @@ if engine.mitigated_issues.count != 0
 end
 
 else
-  ret = engine.apply_all
-  # 0_First table: executive summary
-  rows = []
-  rows << ['Dawn version', Codesake::Dawn::VERSION]
-  rows << ['Scan started', engine.scan_start]
-  rows << ['Scan duration', "#{engine.scan_time.round(3)} sec"]
-  rows << ['Target', target]
-  rows << ['MVC detected framework', "#{engine.name} v#{engine.get_mvc_version}" ] unless engine.name == "Gemfile.lock"
-  rows << ['MVC detected framework', "#{engine.force} v#{engine.get_mvc_version}" ] if engine.name == "Gemfile.lock"
-  if ret
-    rows << ['Applied checks', "#{engine.applied_checks} security checks"]
-    rows << ['Skipped checks', "#{engine.skipped_checks} security checks"]
-  else
-    rows << ['Applied checks', "No security checks in the knowledge base"]
-  end
-  rows << ['Vulnerabilities found', engine.count_vulnerabilities]
-  rows << ['Mitigated issues found', engine.mitigated_issues.count]
-  table = Terminal::Table.new :title=>'Scan summary', :rows => rows
-  puts table
-
-
-  if engine.count_vulnerabilities > 0
-
-    # 1_Vulnerabilities
-    rows = []
-    engine.vulnerabilities.each do |vuln|
-      rows << [vuln[:name].justify(10), vuln[:message].justify(50), vuln[:remediation].justify(15), vuln[:evidences].join.justify(15)]
-      rows << :separator
-    end
-    table = Terminal::Table.new :title=>"Vulnerabilities", :headings=>['Issue', 'Description', 'Solution', 'Evidences'], :rows=>rows
-    puts table
-  end
-  if engine.mitigated_issues.count > 0
-    # 2_Mitigated issues
-    rows = []
-    engine.mitigated_issues.each do |vuln|
-      rows << [vuln[:name].justify(10), vuln[:message].justify(50), vuln[:evidences].join.justify(15)]
-      rows << :separator
-    end
-    table = Terminal::Table.new :title=>"Mitigated issues", :headings=>['Issue', 'Description', 'Evidences'], :rows=>rows
-    puts table
-  end
-
+  Codesake::Dawn::Reporter.new({:engine=>engine, :apply_all_code=>ret, :format=>:tabular}).report
 end
 $logger.bye

lib/codesake-dawn.rb

@@ -6,6 +6,7 @@
 require "codesake/dawn/sinatra"
 require "codesake/dawn/padrino"
 require "codesake/dawn/gemfile_lock"
+require "codesake/dawn/reporter"
 require "codesake-commons"
 
 require "date"

lib/codesake/dawn/engine.rb

@@ -56,6 +56,7 @@ def initialize(dir=nil, name="", options={})
         @vulnerabilities = []
         @mitigated_issues = []
         @applied = []
+        @reflected_xss = []
         @engine_error = false
         @debug = false
         @debug = options[:debug] unless options[:debug].nil?

lib/codesake/dawn/reporter.rb

@@ -0,0 +1,81 @@
+module Codesake
+  module Dawn
+    class Reporter
+
+      def initialize(options={})
+        @format = :txt
+        @engine = nil
+        @ret = false
+
+        @ret = options[:apply_all_code] unless options[:apply_all_code].nil?
+        @format = options[:format] unless options[:format].nil?
+        @engine = options[:engine] unless options[:engine].nil?
+
+      end
+
+      def report
+        ascii_tabular_report if @format == :tabular
+      end
+      private
+      def ascii_tabular_report
+
+        # 0_First table: executive summary
+        rows = []
+        rows << ['Dawn version', Codesake::Dawn::VERSION] unless Codesake::Dawn::RELEASE == "(development)"
+        rows << ['Dawn development version', Codesake::Dawn::VERSION] if Codesake::Dawn::RELEASE == "(development)"
+        rows << ['Scan started', @engine.scan_start]
+        rows << ['Scan duration', "#{@engine.scan_time.round(3)} sec"]
+        rows << ['Target', @engine.target]
+        rows << ['MVC detected framework', "#{@engine.name} v#{@engine.get_mvc_version}" ] unless @engine.name == "Gemfile.lock"
+        rows << ['MVC detected framework', "#{@engine.force} v#{@engine.get_mvc_version}" ] if @engine.name == "Gemfile.lock"
+        if @ret
+          rows << ['Applied checks', "#{@engine.applied_checks} security checks"]
+          rows << ['Skipped checks', "#{@engine.skipped_checks} security checks"]
+        else
+          rows << ['Applied checks', "No security checks in the knowledge base"]
+        end
+        rows << ['Vulnerabilities found', @engine.count_vulnerabilities]
+        rows << ['Mitigated issues found', @engine.mitigated_issues.count]
+        rows << ['Reflected XSS', @engine.reflected_xss.count] 
+        table = Terminal::Table.new :title=>'Scan summary', :rows => rows
+        puts table
+
+
+        if @engine.count_vulnerabilities > 0
+
+          # 1_Vulnerabilities
+          rows = []
+          @engine.vulnerabilities.each do |vuln|
+            rows << [vuln[:name].justify(10), vuln[:message].justify(50), vuln[:remediation].justify(15), vuln[:evidences].join.justify(15)]
+            rows << :separator
+          end
+          table = Terminal::Table.new :title=>"Vulnerabilities", :headings=>['Issue', 'Description', 'Solution', 'Evidences'], :rows=>rows
+          puts table
+
+          rows = []
+          if @engine.has_reflected_xss?
+            @engine.reflected_xss.each do |vuln|
+              rows << [vuln[:sink_source], vuln[:sink_view], "#{vuln[:sink_file]}@#{vuln[:sink_line]}",vuln[:sink_evidence]]
+              rows << :separator
+            end
+            table = Terminal::Table.new :title=>"Reflected Cross Site Scripting", :headings=>['Sink name', 'View', 'Location the sink was read', 'Evidences'], :rows=>rows
+            puts table
+
+          end
+
+        end
+
+        if @engine.mitigated_issues.count > 0
+          # 2_Mitigated issues
+          rows = []
+          @engine.mitigated_issues.each do |vuln|
+            rows << [vuln[:name].justify(10), vuln[:message].justify(50), vuln[:evidences].join.justify(15)]
+            rows << :separator
+          end
+          table = Terminal::Table.new :title=>"Mitigated issues", :headings=>['Issue', 'Description', 'Evidences'], :rows=>rows
+          puts table
+        end
+      end
+    end
+  end
+end

lib/codesake/dawn/version.rb

@@ -18,8 +18,8 @@ module Dawn
 
     VERSION   = "1.1.0"
     CODENAME  = "Lightning McQueen"
-    # RELEASE   = "(development)"
-    RELEASE   = "20140125"
+    RELEASE   = "(development)"
+    # RELEASE   = "20140125"
 
   end
 end