Skip to content

Commit

Permalink
Merge branch 'issue_212_CVE-2014-2538_false_positive' into development
Browse files Browse the repository at this point in the history
  • Loading branch information
@thesp0nge
thesp0nge committed Sep 30, 2016
2 parents fbe5f50 + dfc3589 commit 12ae84d
Show file tree
Hide file tree
Showing 4 changed files with 13 additions and 7 deletions.
6 changes: 6 additions & 0 deletions Changelog.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,12 @@ frameworks.

_latest update: Tue Sep 27 23:32:32 CEST 2016_

## Version 1.6.5 - codename: Tow Mater (2016-09-30)

* Issue #212 - CVE-2014-2538 is marked as being vulnerable to rack-ssl 1.3.4.
The check was triggered for rack-ssl version < 1.4.0. However 1.3.4 is marked
as safe, so the check has to be changed as well.

## Version 1.6.4 - codename: Tow Mater (2016-09-27)

* Issue #199 - CVE-2015-4020 seems to give the wrong Solution
Expand Down
2 changes: 1 addition & 1 deletion README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ box:

---

dawnscanner version 1.6.2 has 229 security checks loaded in its knowledge
dawnscanner version 1.6.4 has 229 security checks loaded in its knowledge
base. Most of them are CVE bulletins applying to gems or the ruby interpreter
itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.

Expand Down
4 changes: 2 additions & 2 deletions lib/dawn/kb/cve_2014_2538.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,11 @@ def initialize
:applies=>["rails"],
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
:message=>message,
:mitigation=>"A new version for rack-ssl version it has been released. Pleas upgrade at least to version 1.4.0 or higher.",
:mitigation=>"A new version for rack-ssl version it has been released. Pleas upgrade at least to version 1.3.4 or higher.",
:aux_links=>["http://seclists.org/oss-sec/2014/q1/594"]
})

self.safe_dependencies = [{:name=>"rack-ssl", :version=>['1.4.0']}]
self.safe_dependencies = [{:name=>"rack-ssl", :version=>['1.3.4']}]
end
end
end
Expand Down
8 changes: 4 additions & 4 deletions spec/lib/kb/cve_2014_2538_spec.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,12 @@
@check = Dawn::Kb::CVE_2014_2538.new
# @check.debug = true
end
it "is reported when rack-ssl vulnerable version it has been found (1.3.9)" do
@check.dependencies = [{:name=>'rack-ssl', :version=>'1.3.9'}]
it "is reported when rack-ssl vulnerable version it has been found (1.3.2)" do
@check.dependencies = [{:name=>'rack-ssl', :version=>'1.3.2'}]
expect(@check.vuln?).to eq(true)
end
it "is reported when rack-ssl not vulnerable version it has been found (1.4.0)" do
@check.dependencies = [{:name=>'rack-ssl', :version=>'1.4.0'}]
it "is reported when rack-ssl not vulnerable version it has been found (1.3.4)" do
@check.dependencies = [{:name=>'rack-ssl', :version=>'1.3.4'}]
expect(@check.vuln?).to eq(false)
end
end

0 comments on commit 12ae84d

Please sign in to comment.