Module: Dawn::Kb::BasicCheck

Included in:

ComboCheck, DependencyCheck, DeprecationCheck, OperatingSystemCheck, PatternMatchCheck, RubyVersionCheck, RubygemCheck, UnsafeDependencyCheck, VersionCheck

Defined in:

lib/dawn/kb/basic_check.rb

Constant Summary

ALLOWED_FAMILIES =

[:generic_check, :code_quality, :bulletin, :code_style, :owasp_ror_cheatsheet, :owasp_top_10]

Instance Attribute Summary

• #applies ⇒ Object readonly

  Returns the value of attribute applies.

• #aux_links ⇒ Object readonly

  Returns the value of attribute aux_links.

• #check_family ⇒ Object

  This is a flag for the security check family.

• #cve ⇒ Object readonly

  Returns the value of attribute cve.

• #cvss ⇒ Object readonly

  Returns the value of attribute cvss.

• #cwe ⇒ Object readonly

  Returns the value of attribute cwe.

• #debug ⇒ Object

  Put the check in debug mode.

• #evidences ⇒ Object readonly

  Vulnerability evidences.

• #fixes_version ⇒ Object readonly

  The versions of the framework that fixes the vulnerability.

• #kind ⇒ Object readonly

  Returns the value of attribute kind.

• #message ⇒ Object readonly

  Returns the value of attribute message.

• #mitigated ⇒ Object readonly

  Returns the value of attribute mitigated.

• #name ⇒ Object readonly

  Returns the value of attribute name.

• #osvdb ⇒ Object readonly

  Returns the value of attribute osvdb.

• #owasp ⇒ Object readonly

  Returns the value of attribute owasp.

• #please_ignore_dep_version ⇒ Object

  Introduced in 2.1.0 It allows a security check to be marked as positive (vulnerable), only if it matches the dependency gem name, ignoring the version.

• #priority ⇒ Object

  This is the check priority level.

• #release_date ⇒ Object readonly

  Returns the value of attribute release_date.

• #remediation ⇒ Object readonly

  Returns the value of attribute remediation.

• #ruby_version ⇒ Object

  This is the ruby version used by the target application.

• #ruby_vulnerable_versions ⇒ Object readonly

  This is an array of ruby versions that lead a parcitular version to be exploitable.

• #severity ⇒ Object

  This is the check severity level.

• #status ⇒ Object readonly

  Check status.

• #target_version ⇒ Object readonly

  The framework target version.

• #title ⇒ Object readonly

  Returns the value of attribute title.

Class Method Summary

• .families ⇒ Object

Instance Method Summary

• #applies_to?(name) ⇒ Boolean
• #cve_link ⇒ Object
• #cvss_score ⇒ Object
• #family ⇒ Object
• #family=(item) ⇒ Object
• #initialize(options = {}) ⇒ Object
• #lint ⇒ Object

  Performs a self check against some core values from being not nil.

• #mitigated? ⇒ Boolean
• #nvd_link ⇒ Object
• #osvdb_link ⇒ Object
• #rubysec_advisories_link ⇒ Object

Instance Attribute Details

#applies ⇒ Object (readonly)

Returns the value of attribute applies.

# File 'lib/dawn/kb/basic_check.rb', line 15

def applies
  @applies
end

#aux_links ⇒ Object (readonly)

Returns the value of attribute aux_links.

# File 'lib/dawn/kb/basic_check.rb', line 19

def aux_links
  @aux_links
end

#check_family ⇒ Object

This is a flag for the security check family. Valid values are:

+ generic_check
+ code_quality
+ bulletin
+ code_style
+ owasp_ror_cheatsheet
+ owasp_top_10_n (where n is a number between 1 and 10)

# File 'lib/dawn/kb/basic_check.rb', line 54

def check_family
  @check_family
end

#cve ⇒ Object (readonly)

Returns the value of attribute cve.

# File 'lib/dawn/kb/basic_check.rb', line 9

def cve
  @cve
end

#cvss ⇒ Object (readonly)

Returns the value of attribute cvss.

# File 'lib/dawn/kb/basic_check.rb', line 11

def cvss
  @cvss
end

#cwe ⇒ Object (readonly)

Returns the value of attribute cwe.

# File 'lib/dawn/kb/basic_check.rb', line 12

def cwe
  @cwe
end

#debug ⇒ Object

Put the check in debug mode

# File 'lib/dawn/kb/basic_check.rb', line 45

def debug
  @debug
end

#evidences ⇒ Object (readonly)

Vulnerability evidences

# File 'lib/dawn/kb/basic_check.rb', line 39

def evidences
  @evidences
end

#fixes_version ⇒ Object (readonly)

The versions of the framework that fixes the vulnerability

# File 'lib/dawn/kb/basic_check.rb', line 36

def fixes_version
  @fixes_version
end

#kind ⇒ Object (readonly)

Returns the value of attribute kind.

# File 'lib/dawn/kb/basic_check.rb', line 16

def kind
  @kind
end

#message ⇒ Object (readonly)

Returns the value of attribute message.

# File 'lib/dawn/kb/basic_check.rb', line 17

def message
  @message
end

#mitigated ⇒ Object (readonly)

Returns the value of attribute mitigated.

# File 'lib/dawn/kb/basic_check.rb', line 20

def mitigated
  @mitigated
end

#name ⇒ Object (readonly)

Returns the value of attribute name.

# File 'lib/dawn/kb/basic_check.rb', line 8

def name
  @name
end

#osvdb ⇒ Object (readonly)

Returns the value of attribute osvdb.

# File 'lib/dawn/kb/basic_check.rb', line 10

def osvdb
  @osvdb
end

#owasp ⇒ Object (readonly)

Returns the value of attribute owasp.

# File 'lib/dawn/kb/basic_check.rb', line 13

def owasp
  @owasp
end

#please_ignore_dep_version ⇒ Object

Introduced in 2.1.0 It allows a security check to be marked as positive (vulnerable), only if it matches the dependency gem name, ignoring the version.

Only used in DEPENDENCY and UNSAFE_DEPENDENCY checks

# File 'lib/dawn/kb/basic_check.rb', line 86

def please_ignore_dep_version
  @please_ignore_dep_version
end

#priority ⇒ Object

This is the check priority level. It tells how fast you should mitigate the vulnerability.

Valid values are:

+ :critical
+ :high
+ :medium
+ :low
+ :info
+ :none

# File 'lib/dawn/kb/basic_check.rb', line 79

def priority
  @priority
end

#release_date ⇒ Object (readonly)

Returns the value of attribute release_date.

# File 'lib/dawn/kb/basic_check.rb', line 14

def release_date
  @release_date
end

#remediation ⇒ Object (readonly)

Returns the value of attribute remediation.

# File 'lib/dawn/kb/basic_check.rb', line 18

def remediation
  @remediation
end

#ruby_version ⇒ Object

This is the ruby version used by the target application. set in Engine class around line #107

# File 'lib/dawn/kb/basic_check.rb', line 24

def ruby_version
  @ruby_version
end

#ruby_vulnerable_versions ⇒ Object (readonly)

This is an array of ruby versions that lead a parcitular version to be exploitable. In example, consider CVE-2013-1655, the Puppet rubygem version vulnerability can be exploited only if ruby version is 1.9.3 or higher

# File 'lib/dawn/kb/basic_check.rb', line 31

def ruby_vulnerable_versions
  @ruby_vulnerable_versions
end

#severity ⇒ Object

This is the check severity level. It tells how dangerous is the vulnerability for you application.

Valid values are:

+ :critical
+ :high
+ :medium
+ :low
+ :info
+ :none

# File 'lib/dawn/kb/basic_check.rb', line 67

def severity
  @severity
end

#status ⇒ Object (readonly)

Check status. Returns the latest vuln? call result

# File 'lib/dawn/kb/basic_check.rb', line 42

def status
  @status
end

#target_version ⇒ Object (readonly)

The framework target version

# File 'lib/dawn/kb/basic_check.rb', line 34

def target_version
  @target_version
end

#title ⇒ Object (readonly)

Returns the value of attribute title.

# File 'lib/dawn/kb/basic_check.rb', line 7

def title
  @title
end

Class Method Details

.families ⇒ Object

# File 'lib/dawn/kb/basic_check.rb', line 149

def self.families
  return ALLOWED_FAMILIES.map { |x| x.to_s }
end

Instance Method Details

#applies_to?(name) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dawn/kb/basic_check.rb', line 210

def applies_to?(name)
  ! @applies.find_index(name).nil?
end

#cve_link ⇒ Object

# File 'lib/dawn/kb/basic_check.rb', line 213

def cve_link
  "http://cve.mitre.org/cgi-bin/cvename.cgi?name=#{@name}"
end

#cvss_score ⇒ Object

# File 'lib/dawn/kb/basic_check.rb', line 226

def cvss_score
  return Cvss::Engine.new.score(self.cvss) unless self.cvss.nil?
  "    "
end

#family ⇒ Object

# File 'lib/dawn/kb/basic_check.rb', line 164

def family
  return "CVE or OSVDB bulletin"          if @check_family == :bulletin
  return "Ruby coding style"              if @check_family == :code_style
  return "Ruby code quality check"        if @check_family == :code_quality
  return "Owasp Ruby on Rails cheatsheet" if @check_family == :owasp_ror_cheatsheet
  return "Owasp Top 10"                   if @check_family.== :owasp_top_10
  return "Unknown"
end

#family=(item) ⇒ Object

# File 'lib/dawn/kb/basic_check.rb', line 153

def family=(item)
  if ! ALLOWED_FAMILIES.find_index(item.to_sym).nil?
    instance_variable_set(:@check_family, item.to_sym)
    return item
  else
    $logger.err("invalid check family: #{item}")
    instance_variable_set(:@check_family, :generic_check)
    return @family
  end
end

#initialize(options = {}) ⇒ Object

# File 'lib/dawn/kb/basic_check.rb', line 88

def initialize(options={})
  @applies                  = []
  @ruby_version             = ""
  @ruby_vulnerable_versions = []

  @title        = options[:title]
  @name         = options[:name]
  @cvss         = options[:cvss]
  @cwe          = options[:cwe]
  @cve          = options[:cve]
  @osvdb        = options[:osvdb]
  @owasp        = options[:owasp]
  @release_date = options[:release_date]
  @applies      = options[:applies] unless options[:applies].nil?
  @kind         = options[:kind]
  @message      = options[:message]
  @remediation  = options[:mitigation]
  @aux_links    = options[:aux_links]

  @target_version = options[:target_version]
  @fixes_version  = options[:fixes_version]
  @ruby_version   = options[:ruby_version]

  @evidences    = []
  @evidences    = options[:evidences] unless options[:evidences].nil?
  @mitigated    = false
  @status       = false
  @debug        = false
  @severity     = :none
  @priority     = :none
  @check_family = :generic_check

  @severity         = options[:severity] unless options[:severity].nil?
  @priority         = options[:priority] unless options[:priority].nil?
  @check_family     = options[:check_family] unless options[:check_family].nil?

  @please_ignore_dep_version = false

  # FIXME.20140325
  #
  # I don't want to manually fix 150+ ruby files to add something I can
  # deal here
  @check_family = :bulletin if !options[:name].nil? && (options[:name].start_with?('CVE-') || options[:name].start_with?('OSVDB'))

  if $logger.nil?
    # This is the old codesake-commons logging.
    #
    # Starting from 20150720 we will use the standard library Logger
    # class. This is mainly to remove codesake-commons dependency and to
    # have a clean API
    #
    # require 'codesake-commons'
    # $logger  = Codesake::Commons::Logging.instance
    # $logger.helo "dawn-basic-check", Dawn::VERSION

    require 'dawn/logger'
    $logger = Logger.new(STDOUT)
    $logger.helo "dawn-basic-check", Dawn::VERSION
  end
end

#lint ⇒ Object

Performs a self check against some core values from being not nil

Returns:

• an Array with attributes with a nil value

# File 'lib/dawn/kb/basic_check.rb', line 238

def lint
  ret = []
  ret << :cve if self.cve.nil?
  ret << :osvdb if @osvdb.nil?
  ret << :cvss if self.cvss.nil? || self.cvss.empty? || self.cvss == "not assigned"
  ret << :severity if self.severity == "unknown"
  ret << :priority if self.priority == "unknown"
  ret << :title if self.title.nil?

  ret
end

#mitigated? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dawn/kb/basic_check.rb', line 231

def mitigated?
  self.mitigated
end

#nvd_link ⇒ Object

# File 'lib/dawn/kb/basic_check.rb', line 216

def nvd_link
  "http://web.nvd.nist.gov/view/vuln/detail?vulnId=#{@name}"
end

#osvdb_link ⇒ Object

# File 'lib/dawn/kb/basic_check.rb', line 222

def osvdb_link
  "http://osvdb.org/show/osvdb/#{@osvdb}"
end

#rubysec_advisories_link ⇒ Object

# File 'lib/dawn/kb/basic_check.rb', line 219

def rubysec_advisories_link
  "http://www.rubysec.com/advisories/#{@name}/"
end