Merge branch 'issue_34_MVC_and_Ruby_deprecation_warning' into develop…

…ment

Changelog.md

@@ -3,7 +3,7 @@
 Codesake::Dawn is a static analysis security scanner for ruby written web applications.
 It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
-frameworks. 
+frameworks.
 
 _latest update: Thu Feb 13 08:31:37 CET 2014_
 
@@ -48,6 +48,12 @@ _latest update: Thu Feb 13 08:31:37 CET 2014_
   is provided as well. True to be told, there are some CVE valid but not found
   on NVID website, so having @rubysec link is even more accurate in those
   situations.
+* New Codesake::Dawn::Kb::VersionCheck class to provide version specific
+  checks, supporting beta version number, release candidate and pre. Fully
+  integrated with DepedencyCheck and RubyVersionCheck
+* Issue #34. I added a deprecation check. However I haven't found an official
+  link saying which are MVC gem version to be considered officially deprecated
+  or just old. I enabled only check against ruby
 
 ## Version 1.0.3 - codename: Lightning McQueen (2014-02-13)
 
@@ -181,7 +187,7 @@ _latest update: Thu Feb 13 08:31:37 CET 2014_
 ## Version 0.85 - codename: elevator (2013-12-17)
 
 * refactoring bin/dawn script: some stuff were moved into Codesake::Core class
-* Added a check against Denial of Service vulnerability for Nokogiri 1.5.x 
+* Added a check against Denial of Service vulnerability for Nokogiri 1.5.x
   and 1.6.0 when used with JRuby.
 * Added a check against Denial of Service vulnerability due to entity expansion
   for Nokogiri 1.5.x and 1.6.0 when used with JRuby.
@@ -214,7 +220,7 @@ able to scan something. It deserves a special release.
 * adding test for CVE-2013-2065
 * adding test for CVE-2013-4389
 * adding test for CVE-2010-1330
-* adding test for CVE-2011-0446 
+* adding test for CVE-2011-0446
 * adding test for CVE-2011-0995
 * adding test for CVE-2011-2929
 * adding test for CVE-2011-4815
@@ -283,7 +289,7 @@ able to scan something. It deserves a special release.
 * adding test for CVE-2013-2616
 * adding test for CVE-2013-2617
 * adding test for CVE-2013-3221
-* make output less verbose. Only vulnerabilities and severity will be shown 
+* make output less verbose. Only vulnerabilities and severity will be shown
 * adding a '--verbose' option to see also the whole knowledge base info about each findings
 * adding a '--output' option
 * adding a '--count-only' option

bin/dawn

@@ -64,7 +64,6 @@ opts.each do |opt, val|
       options[:gemfile_name] = val 
       guess = Codesake::Dawn::Core.guess_mvc(val)
     end
-
   when '--verbose'
     options[:verbose]=true
   when '--count-only'
@@ -77,7 +76,6 @@ opts.each do |opt, val|
   when '--list-knowledgebase'
     options[:dump_kb]=true
     check = val unless val.nil?
-
   when '--list-known-framework'
     puts "Ruby MVC framework supported by #{APPNAME}:"
     LIST_KNOWN_FRAMEWORK.each do |mvc|

lib/codesake/dawn/kb/basic_check.rb

@@ -44,19 +44,11 @@ module BasicCheck
         # Put the check in debug mode
         attr_accessor :debug
 
-        # Tells a version is not vulnerable even if in the fixes array that has
-        # a minor version number higher than the current.
-        # This is useful especially for rails version where 3.0.x, 3.1.y, 3.2.z
-        # are separated branches and the patch is provided for all of those. So
-        # if version 3.1.10 is safe and you have it, you don't be prompted
-        # about 3.2.x.
-        attr_accessor :save_minor_fixes
 
         def initialize(options={})
           @applies                  = []
           @ruby_version             = ""
           @ruby_vulnerable_versions = []
-          @save_minor_fixes         = false
 
           @name         = options[:name]
           @cvss         = options[:cvss]
@@ -78,7 +70,11 @@ def initialize(options={})
           @mitigated    = false
           @status       = false
           @debug        = false
-
+
+          if $logger.nil?
+            $logger  = Codesake::Commons::Logging.instance
+            $logger.helo "dawn-basic-check", Codesake::Dawn::VERSION
+          end
         end
 
         def applies_to?(name)
@@ -108,99 +104,13 @@ def is_ruby_vulnerable_version?
 
           found = false
 
-
           @ruby_vulnerable_versions.each do |v|
             found = true if v == @ruby_version
           end
 
           found
         end
 
-        # @target_version = '2.3.11'
-        # @fixes_version = ['2.3.18', '3.2.13', '3.1.12' ] 
-        def is_vulnerable_version?(target = nil, fixes = nil)
-          target  = @target_version if target.nil?
-          fixes   = @fixes_version  if fixes.nil?
-          return false if target.nil? || fixes.empty?
-
-          ret = false
-
-          target_v_array = target.split(".").map! { |n| n.to_i }
-          fixes.sort.each do |fv|
-            fixes_v_array = fv.split(".").map! { |n| n.to_i }
-
-            debug_me "target_array = #{target_v_array}"
-            debug_me "fixes_array = #{fixes_v_array}"
-            if target_v_array[0] == fixes_v_array[0]
-              # SAME MAJOR RELEASE
-              ret = true if target_v_array[1] < fixes_v_array[1] # same major but previous minor
-              if target_v_array[1] == fixes_v_array[1] 
-                # SAME MINOR RELEASE
-                # This is the case of version number made by 2 digits (e.g.
-                # 3.12). If both major and minor are the same then there is no
-                # vuln
-                return false if target_v_array.count == 2 && fixes_v_array.count == 2
-
-                # This it the case of the vulneable version that is made by 2
-                # digit and fixed one made by 3. (eg. all the 6.2.x is
-                # vulnerable and 6.2 without patchlevel is found.
-                return true if target_v_array.count == 2 && fixes_v_array.count == 3
-
-                ret = true if target_v_array[2] < fixes_v_array[2] 
-                # In order to support CVE-2013-7086 security check we must be able to 
-                # hande the 'fourth' version number -> 1.5.0.4 
-                debug_me "target array count = #{target_v_array.count}"
-                debug_me "fixes array count = #{fixes_v_array.count}"
-                debug_me "same patchlevel?: #{(target_v_array[2] == fixes_v_array[2])}"
-                if (target_v_array[2] == fixes_v_array[2]) && target_v_array.count == 4 && fixes_v_array.count == 4
-                  ret = true if target_v_array[3] < fixes_v_array[3]
-                  ret = false if target_v_array[3] >= fixes_v_array[3]
-                end
-                ret = false if (target_v_array[2] == fixes_v_array[2]) && target_v_array.count != 4 && fixes_v_array.count != 4
-                ret = false if target_v_array[2] > fixes_v_array[2] 
-
-              end
-            end
-            # This is the save minor version workaround.
-            # fixes is something like ['2.2.2', '3.1.1', '3.2.2']
-            # target is '3.1.1' and save_minor_fixes is true
-            # I don't want that check for 3.2.2 marks this as vulnerable, so I will save it
-            debug_me "save minor fixes flag is #{save_minor_fixes}"
-            debug_me "is_there_an_higher_minor_version? is #{is_there_an_higher_minor_version?(fixes, fv)}"
-            if target_v_array[0] == fixes_v_array[0] && target_v_array[1] == fixes_v_array[1] && target_v_array[2] >= fixes_v_array[2] && is_there_an_higher_minor_version?(fixes, fv) && save_minor_fixes
-              debug_me "Honoring save_minor_fixes flag. Found a version #{target} that matches #{fixes} but there is another fixed version with higher minor version"
-              return false
-            end
-
-            debug_me("RET IS #{ret}")
-            ret = false if is_not_affected?(target_v_array)
-            debug_me("RET AFTER NOT AFFECTED CHECK IS #{ret}")
-
-          end
-
-          ret
-        end
-
-        def is_not_affected?(detected_gem_version)
-          return false if self.kind != Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK
-          return false if self.not_affected.nil?
-          self.not_affected[:version].each do |na|
-            na_array = na.split(".").map! { |n| n.to_i }
-            debug_me("na_array: #{na_array}")
-            debug_me("detected_gem_version: #{detected_gem_version}")
-
-            return false if detected_gem_version[0] > na_array[0]
-            return true if detected_gem_version[0] < na_array[0] && self.not_affected[:earlier]
-
-            # here the two versions have the same major number
-            return true if detected_gem_version[1] == na_array[1]
-            return true if detected_gem_version[1] < na_array[1] && self.not_affected[:earlier]
-
-          end
-          debug_me("IS_NOT_AFFECTED? IS FALSE")
-          return false
-        end
-
         def cvss_score
           return Cvss::Engine.new.score(self.cvss) unless self.cvss.nil?
           "    "
@@ -210,17 +120,6 @@ def mitigated?
           self.mitigated
         end
 
-        # checks in the array if there is another string with higher minor version but the same major as the parameter element)
-        def is_there_an_higher_minor_version?(array, element)
-          ev = element.split(".").map! { |n| n.to_i }
-          array.sort.each do |a|
-            av = a.split(".").map! { |n| n.to_i }
-            return true if ev[0] == av[0] && ev[1] < av[1]
-          end
-          return false
-
-        end
-
       end
     end
   end

lib/codesake/dawn/kb/combo_check.rb

@@ -26,25 +26,26 @@ def vuln?
             check.detected_ruby   = @options[:detected_ruby]    if check.kind == Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK
             check.dependencies    = @options[:dependencies]     if check.kind == Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK
             check.root_dir        = @options[:root_dir]         if check.kind == Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK
+            check.debug           = self.debug
 
             check_vuln = check.vuln? if check.respond_to?(:vuln?)
 
             ret = ret && check_vuln
             at_least_one = true if check_vuln
-            @evidences << check.evidences if check_vuln 
+            @evidences << check.evidences if check_vuln
             @vulnerable_checks << check if check_vuln
             raise "A check class doesn't respond to vuln? in combo (#{check.class})" unless check.respond_to?(:vuln?)
           end
 
           dump_status
-          debug_me("AVIAF = #{@vuln_if_all_fails}, RET = #{ret}, AL1= #{at_least_one}") 
+          debug_me("combo_check: is_vulnerable_if_all_checks_fail = #{@vuln_if_all_fails}, RET = #{ret}, at_least_one= #{at_least_one}")
           return ret if @vuln_if_all_fails
           return at_least_one unless @vuln_if_all_fails
         end
 
         def dump_status
           @checks.each do |check|
-            debug_me("#{File.basename(__FILE__)}@#{__LINE__}:#{check.name}: #{check.status}")
+            debug_me("check name is #{check.name} and vulnerable status is #{check.status}")
           end
 
           true

lib/codesake/dawn/kb/cve_2011_2930.rb

@@ -21,6 +21,7 @@ def initialize
           })
 
           self.safe_dependencies = [{:name=>"rails", :version=>['2.3.13', '3.0.10', '3.1.1']}]
+          self.save_major = true
 
 				end
 			end

lib/codesake/dawn/kb/cve_2011_3187.rb

@@ -22,6 +22,7 @@ def initialize
           })
 
           self.safe_dependencies = [{:name=>"rails", :version=>['3.0.6']}]
+          self.save_major = true
 
 				end
 			end

lib/codesake/dawn/kb/cve_2011_4319.rb

@@ -22,6 +22,7 @@ def initialize
           })
 
           self.safe_dependencies = [{:name=>"rails", :version=>['2.3.13', '3.0.11', '3.1.2']}]
+          self.save_major = true
 
 				end
 			end

lib/codesake/dawn/kb/cve_2012_1098.rb

@@ -22,6 +22,7 @@ def initialize
           })
 
           self.safe_dependencies = [{:name=>"rails", :version=>['3.0.12', '3.1.4', '3.2.2']}]
+          self.save_major = true
 
 
 				end

lib/codesake/dawn/kb/cve_2013_0262.rb

@@ -19,7 +19,7 @@ def initialize
             :mitigation=>"Please upgrade rack version up to version 1.5.2 or 1.4.5 or higher.",
             :aux_links=>["https://groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ"]
           })
-          self.save_minor_fixes = true
+          self.save_minor = true
           self.safe_dependencies = [{:name=>"rack", :version=>['1.5.2', '1.4.5']}]
 				end
 			end

lib/codesake/dawn/kb/cve_2013_0263.rb

@@ -19,7 +19,7 @@ def initialize
             :mitigation=>"Please upgrade rack version to 1.5.2, 1.4.5, 1.3.10, 1.2.8, 1.1.6. As a general rule, using the latest stable version is recommended.",
             :aux_links=>["https://groups.google.com/forum/#%21msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ"]
           })
-           self.save_minor_fixes = true
+           self.save_minor = true
            self.safe_dependencies = [{:name=>"rack", :version=>['1.5.2', '1.4.5', '1.3.10', '1.2.8', '1.1.6']}]
 				end
 			end

lib/codesake/dawn/kb/cve_2013_4457.rb

@@ -20,7 +20,7 @@ def initialize
             :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/3XTGFbAJoTg"]
           })
 
-          self.save_minor_fixes = true
+          self.save_minor = true
           self.safe_dependencies = [{:name=>"cocaine", :version=>['0.5.3', '0.4.3', '0.3.0']}]
 
 

lib/codesake/dawn/kb/cve_2013_4489.rb

@@ -22,7 +22,7 @@ def initialize
           })
 
           self.safe_dependencies = [{:name=>"grit", :version=>[ '5.4.1', '6.2.3' ]}]
-          self.not_affected = {:name=>"grit", :version=>['5.1'], :earlier=>true}
+          self.not_affected = {:name=>"grit", :version=>['5.1', '5.0', '4.x', '3.x', '2.x', '1.x', '0.x'], :earlier=>true}
 				end
 			end
 		end

lib/codesake/dawn/kb/cve_2013_5647.rb

@@ -22,6 +22,7 @@ def initialize
           })
 
           self.safe_dependencies = [{:name=>"sounder", :version=>['1.0.2']}]
+          self.save_major = true
 
 				end
 			end

lib/codesake/dawn/kb/cve_2013_6416.rb

@@ -22,6 +22,7 @@ def initialize
           })
 
           self.safe_dependencies = [{:name=>"rails", :version=>['4.0.2']}]
+          self.save_major = true
 
 				end
 			end

lib/codesake/dawn/kb/cve_2014_0080.rb

@@ -1,20 +1,20 @@
 module Codesake
-	module Dawn
-		module Kb
-			# Automatically created with rake on 2014-02-19
-			class CVE_2014_0080
-				# Include the testing skeleton for this CVE
-				include DependencyCheck
+  module Dawn
+    module Kb
+      # Automatically created with rake on 2014-02-19
+      class CVE_2014_0080
+        # Include the testing skeleton for this CVE
+        include DependencyCheck
 
-				def initialize
+        def initialize
           message = "SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute \"add data\" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns."
 
            super({
             :name=>"CVE-2014-0080",
             :cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
             :release_date => Date.new(2014, 2, 20),
             :cwe=>"89",
-            :owasp=>"A1", 
+            :owasp=>"A1",
             :applies=>["rails"],
             :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
             :message=>message,
@@ -23,8 +23,8 @@ def initialize
            })
            self.safe_dependencies = [{:name=>"rails", :version=>['4.0.3', '4.1.0.beta2']}]
 
-				end
-			end
-		end
-	end
+        end
+      end
+    end
+  end
 end