module Dawn::Kb::BasicCheck

Constants

ALLOWED_FAMILIES

Attributes

applies[R]
check_family[RW]

This is a flag for the security check family. Valid values are:

+ generic_check
+ code_quality
+ bulletin
+ code_style
+ owasp_ror_cheatsheet
+ owasp_top_10_n (where n is a number between 1 and 10)
cve[R]
cvss[R]
cwe[R]
debug[RW]

Put the check in debug mode

evidences[R]

Vulnerability evidences

fixes_version[R]

The versions of the framework that fix the vulnerability

kind[R]
message[R]
mitigated[R]
name[R]
osvdb[R]
owasp[R]
please_ignore_dep_version[RW]

Introduced in 2.1.0. It allows a security check to be marked as positive (vulnerable) only if it matches the dependency gem name, ignoring the version.

Only used in DEPENDENCY and UNSAFE_DEPENDENCY checks

priority[RW]

This is the check priority level. It tells how fast you should mitigate the vulnerability.

Valid values are:

+ :critical
+ :high
+ :medium
+ :low
+ :info
+ :none
release_date[R]
remediation[R]
ruby_version[RW]

This is the ruby version used by the target application. It is set in the Engine class, around line #107.

ruby_vulnerable_versions[R]

This is an array of ruby versions that make a particular version exploitable. For example, consider CVE-2013-1655: the Puppet rubygem version vulnerability can be exploited only if the ruby version is 1.9.3 or higher.

severity[RW]

This is the check severity level. It tells how dangerous the vulnerability is for your application.

Valid values are:

+ :critical
+ :high
+ :medium
+ :low
+ :info
+ :none
status[R]

Check status. Returns the result of the latest vuln? call.

target_version[R]

The framework target version

title[R]

Public Class Methods

families() click to toggle source
# File lib/dawn/kb/basic_check.rb, line 149
def self.families
  # All accepted check family names, as Strings (see ALLOWED_FAMILIES).
  #
  # @return [Array<String>]
  ALLOWED_FAMILIES.map(&:to_s)
end
new(options={}) click to toggle source
# File lib/dawn/kb/basic_check.rb, line 88
def initialize(options={})
  @applies                  = []
  @ruby_version             = ""
  @ruby_vulnerable_versions = []

  @title        = options[:title]
  @name         = options[:name]
  @cvss         = options[:cvss]
  @cwe          = options[:cwe]
  @cve          = options[:cve]
  @osvdb        = options[:osvdb]
  @owasp        = options[:owasp]
  @release_date = options[:release_date]
  @applies      = options[:applies] unless options[:applies].nil?
  @kind         = options[:kind]
  @message      = options[:message]
  @remediation  = options[:mitigation]
  @aux_links    = options[:aux_links]

  @target_version = options[:target_version]
  @fixes_version  = options[:fixes_version]
  @ruby_version   = options[:ruby_version]

  @evidences    = []
  @evidences    = options[:evidences] unless options[:evidences].nil?
  @mitigated    = false
  @status       = false
  @debug        = false
  @severity     = :none
  @priority     = :none
  @check_family = :generic_check

  @severity         = options[:severity] unless options[:severity].nil?
  @priority         = options[:priority] unless options[:priority].nil?
  @check_family     = options[:check_family] unless options[:check_family].nil?

  @please_ignore_dep_version = false

  # FIXME.20140325
  #
  # I don't want to manually fix 150+ ruby files to add something I can
  # deal here
  @check_family = :bulletin if !options[:name].nil? && (options[:name].start_with?('CVE-') || options[:name].start_with?('OSVDB'))

  if $logger.nil?
    # This is the old codesake-commons logging.
    #
    # Starting from 20150720 we will use the standard library Logger
    # class. This is mainly to remove codesake-commons dependency and to
    # have a clean API
    #
    # require 'codesake-commons'
    # $logger  = Codesake::Commons::Logging.instance
    # $logger.helo "dawn-basic-check", Dawn::VERSION

    require 'dawn/logger'
    $logger = Logger.new(STDOUT)
    $logger.helo "dawn-basic-check", Dawn::VERSION
  end
end

Public Instance Methods

applies_to?(name) click to toggle source
# File lib/dawn/kb/basic_check.rb, line 210
def applies_to?(name)
  # True when +name+ is listed among the frameworks/gems this check applies to.
  @applies.include?(name)
end
cvss_score() click to toggle source
# File lib/dawn/kb/basic_check.rb, line 226
def cvss_score
  # Numeric score computed from the CVSS vector by Cvss::Engine. When no
  # vector is assigned, four blanks are returned so report columns stay aligned.
  return "    " if cvss.nil?

  Cvss::Engine.new.score(cvss)
end
family() click to toggle source
# File lib/dawn/kb/basic_check.rb, line 164
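def family
  # Human readable label for the current check family (see #check_family).
  #
  # @return [String] the label, or "Unknown" for :generic_check and for any
  #   value not recognised here
  case @check_family
  when :bulletin             then "CVE or OSVDB bulletin"
  when :code_style           then "Ruby coding style"
  when :code_quality         then "Ruby code quality check"
  when :owasp_ror_cheatsheet then "Owasp Ruby on Rails cheatsheet"
  # The documented family names are owasp_top_10_n with n in 1..10; the
  # bare :owasp_top_10 symbol is still accepted for compatibility.
  when :owasp_top_10, /\Aowasp_top_10_(?:[1-9]|10)\z/ then "Owasp Top 10"
  else "Unknown"
  end
end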
family=(item) click to toggle source
# File lib/dawn/kb/basic_check.rb, line 153
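def family=(item)
  # Sets the check family from a String or Symbol, accepting only the names
  # listed in ALLOWED_FAMILIES. Anything else - including values that do not
  # respond to #to_sym, which previously raised - is logged and the family
  # falls back to :generic_check.
  #
  # @param item [String, Symbol] the requested family name
  # @return the accepted +item+, or the effective @check_family
  #   (:generic_check) when the value was rejected
  candidate = item.respond_to?(:to_sym) ? item.to_sym : nil
  if !candidate.nil? && ALLOWED_FAMILIES.include?(candidate)
    @check_family = candidate
    return item
  end

  $logger.err("invalid check family: #{item}")
  @check_family = :generic_check
  # The rejected branch used to return @family, an instance variable this
  # class never assigns (always nil); report the effective family instead.
  @check_family
end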
lint() click to toggle source

Performs a self check ensuring that some core values are not nil

@return an Array with the names of the attributes that have a nil value

# File lib/dawn/kb/basic_check.rb, line 238
def lint
  # Self check of the core metadata. Each entry maps an attribute name to
  # whether it is considered missing; the names flagged true are returned,
  # in this fixed order.
  #
  # @return [Array<Symbol>] attributes that are nil or unassigned
  findings = {
    cve:      cve.nil?,
    osvdb:    @osvdb.nil?,
    cvss:     cvss.nil? || cvss.empty? || cvss == "not assigned",
    severity: severity == "unknown",
    priority: priority == "unknown",
    title:    title.nil?
  }
  findings.select { |_attribute, missing| missing }.keys
end
mitigated?() click to toggle source
# File lib/dawn/kb/basic_check.rb, line 231
def mitigated?
  # Predicate form of the #mitigated reader; returns its value unchanged.
  mitigated
end