Class: Dawn::KnowledgeBase

Inherits:

Object

Object
Dawn::KnowledgeBase

show all

Includes:: Utils

Defined in:: lib/dawn/knowledge_base.rb

Overview

XXX: Check if it best using a singleton here

Constant Summary collapse

GEM_CHECK =

:rubygem_check

DEPENDENCY_CHECK =

:dependency_check

PATTERN_MATCH_CHECK =

:pattern_match_check

RUBY_VERSION_CHECK =

:ruby_version_check

OS_CHECK =

:os_check

COMBO_CHECK =

:combo_check

CUSTOM_CHECK =

:custom_check

Class Method Summary collapse

Instance Method Summary collapse

#all ⇒ Object
#all_by_mvc(mvc) ⇒ Object

TODO - next big refactoring will include also a change in this API.
#all_padrino_checks ⇒ Object
#all_rack_checks ⇒ Object
#all_rails_checks ⇒ Object
#all_sinatra_checks ⇒ Object
#find(name) ⇒ Object
#initialize(options = {}) ⇒ KnowledgeBase constructor

A new instance of KnowledgeBase.
#load_security_checks ⇒ Object

Methods included from Utils

#__debug_me_and_return, #debug_me, #debug_me_and_return_false, #debug_me_and_return_true

Constructor Details

#initialize(options = {}) ⇒ `KnowledgeBase`

Returns a new instance of KnowledgeBase.

# File 'lib/dawn/knowledge_base.rb', line 306

def initialize(options={})
  @enabled_checks = Dawn::Kb::BasicCheck::ALLOWED_FAMILIES
  @enabled_checks = options[:enabled_checks] unless options[:enabled_checks].nil?

  @security_checks = load_security_checks
end

Class Method Details

.dump(verbose = false) ⇒ `Object`

# File 'lib/dawn/knowledge_base.rb', line 621

def self.dump(verbose=false)
  puts "Security checks currently supported:"
  i=0
  self.new.all.each do |check|
    i+=1
    if verbose
      puts "Name: #{check.name}\tCVSS: #{check.cvss_score}\tReleased: #{check.release_date}"
      puts "Description\n#{check.message}"
      puts "Remediation\n#{check.remediation}\n\n"
    else
      puts "#{check.name}"
    end
  end
  puts "-----\nTotal: #{i}"

end

.find(checks = nil, name) ⇒ `Object`

# File 'lib/dawn/knowledge_base.rb', line 313

def self.find(checks=nil, name)
  return nil if name.nil? or name.empty?
  checks = Dawn::KnowledgeBase.new.load_security_checks if checks.nil?

  checks.each do |sc|
    return sc if sc.name == name
  end
  nil
end

Instance Method Details

#all ⇒ `Object`



327
328
329

# File 'lib/dawn/knowledge_base.rb', line 327

def all
  @security_checks
end

#all_by_mvc(mvc) ⇒ `Object`

TODO - next big refactoring will include also a change in this API.

So to match Semantic Version, it must bring to a major version bump. MVC name should be passed as constructor option, so the all_by_mvc can

be called without parameter, having a nice-to-read code.

# File 'lib/dawn/knowledge_base.rb', line 338

def all_by_mvc(mvc)
  ret = []
  @security_checks.each do |sc|
    ret << sc if sc.applies_to?(mvc)
  end
  ret
end

#all_padrino_checks ⇒ `Object`



354
355
356

# File 'lib/dawn/knowledge_base.rb', line 354

def all_padrino_checks
  self.all_by_mvc("padrino")
end

#all_rack_checks ⇒ `Object`



358
359
360

# File 'lib/dawn/knowledge_base.rb', line 358

def all_rack_checks
  self.all_by_mvc("rack")
end

#all_rails_checks ⇒ `Object`



350
351
352

# File 'lib/dawn/knowledge_base.rb', line 350

def all_rails_checks
  self.all_by_mvc("rails")
end

#all_sinatra_checks ⇒ `Object`



346
347
348

# File 'lib/dawn/knowledge_base.rb', line 346

def all_sinatra_checks
  self.all_by_mvc("sinatra")
end

#find(name) ⇒ `Object`



323
324
325

# File 'lib/dawn/knowledge_base.rb', line 323

def find(name)
  Dawn::KnowledgeBase.find(@security_checks, name)
end

#load_security_checks ⇒ `Object`

# File 'lib/dawn/knowledge_base.rb', line 362

def load_security_checks

  # START @cve_security_checks array
  @cve_security_checks =
    [
      Dawn::Kb::CVE_2004_0755.new,
      Dawn::Kb::CVE_2004_0983.new,
      Dawn::Kb::CVE_2005_1992.new,
      Dawn::Kb::CVE_2005_2337.new,
      Dawn::Kb::CVE_2006_1931.new,
      Dawn::Kb::CVE_2006_2582.new,
      Dawn::Kb::CVE_2006_3694.new,
      Dawn::Kb::CVE_2006_4112.new,
      Dawn::Kb::CVE_2006_5467.new,
      Dawn::Kb::CVE_2006_6303.new,
      Dawn::Kb::CVE_2006_6852.new,
      Dawn::Kb::CVE_2006_6979.new,
      Dawn::Kb::CVE_2007_0469.new,
      Dawn::Kb::CVE_2007_5162.new,
      Dawn::Kb::CVE_2007_5379.new,
      Dawn::Kb::CVE_2007_5380.new,
      Dawn::Kb::CVE_2007_5770.new,
      Dawn::Kb::CVE_2007_6077.new,
      Dawn::Kb::CVE_2007_6612.new,
      Dawn::Kb::CVE_2008_1145.new,
      Dawn::Kb::CVE_2008_1891.new,
      Dawn::Kb::CVE_2008_2376.new,
      Dawn::Kb::CVE_2008_2662.new,
      Dawn::Kb::CVE_2008_2663.new,
      Dawn::Kb::CVE_2008_2664.new,
      Dawn::Kb::CVE_2008_2725.new,
      Dawn::Kb::CVE_2008_3655.new,
      Dawn::Kb::CVE_2008_3657.new,
      Dawn::Kb::CVE_2008_3790.new,
      Dawn::Kb::CVE_2008_3905.new,
      Dawn::Kb::CVE_2008_4094.new,
      Dawn::Kb::CVE_2008_4310.new,
      Dawn::Kb::CVE_2008_5189.new,
      Dawn::Kb::CVE_2008_7248.new,
      Dawn::Kb::CVE_2009_4078.new,
      Dawn::Kb::CVE_2009_4124.new,
      Dawn::Kb::CVE_2009_4214.new,
      Dawn::Kb::CVE_2010_1330.new,
      Dawn::Kb::CVE_2010_2489.new,
      Dawn::Kb::CVE_2010_3933.new,
      Dawn::Kb::CVE_2011_0188.new,
      Dawn::Kb::CVE_2011_0446.new,
      Dawn::Kb::CVE_2011_0447.new,
      Dawn::Kb::CVE_2011_0739.new,
      Dawn::Kb::CVE_2011_0995.new,
      Dawn::Kb::CVE_2011_1004.new,
      Dawn::Kb::CVE_2011_1005.new,
      Dawn::Kb::CVE_2011_2197.new,
      Dawn::Kb::CVE_2011_2686.new,
      Dawn::Kb::CVE_2011_2705.new,
      Dawn::Kb::CVE_2011_2929.new,
      Dawn::Kb::CVE_2011_2930.new,
      Dawn::Kb::CVE_2011_2931.new,
      Dawn::Kb::CVE_2011_2932.new,
      Dawn::Kb::CVE_2011_3009.new,
      Dawn::Kb::CVE_2011_3186.new,
      Dawn::Kb::CVE_2011_3187.new,
      Dawn::Kb::CVE_2011_4319.new,
      Dawn::Kb::CVE_2011_4815.new,
      Dawn::Kb::CVE_2011_5036.new,
      Dawn::Kb::CVE_2012_1098.new,
      Dawn::Kb::CVE_2012_1099.new,
      Dawn::Kb::CVE_2012_1241.new,
      Dawn::Kb::CVE_2012_2139.new,
      Dawn::Kb::CVE_2012_2140.new,
      Dawn::Kb::CVE_2012_2660.new,
      Dawn::Kb::CVE_2012_2661.new,
      Dawn::Kb::CVE_2012_2671.new,
      Dawn::Kb::CVE_2012_2694.new,
      Dawn::Kb::CVE_2012_2695.new,
      Dawn::Kb::CVE_2012_3424.new,
      Dawn::Kb::CVE_2012_3463.new,
      Dawn::Kb::CVE_2012_3464.new,
      Dawn::Kb::CVE_2012_3465.new,
      Dawn::Kb::CVE_2012_4464.new,
      Dawn::Kb::CVE_2012_4466.new,
      Dawn::Kb::CVE_2012_4481.new,
      Dawn::Kb::CVE_2012_4522.new,
      Dawn::Kb::CVE_2012_5370.new,
      Dawn::Kb::CVE_2012_5371.new,
      Dawn::Kb::CVE_2012_5380.new,
      Dawn::Kb::CVE_2012_6109.new,
      Dawn::Kb::CVE_2012_6134.new,
      Dawn::Kb::CVE_2012_6496.new,
      Dawn::Kb::CVE_2012_6497.new,
      Dawn::Kb::CVE_2012_6684.new,
      Dawn::Kb::CVE_2013_0155.new,
      Dawn::Kb::CVE_2013_0156.new,
      Dawn::Kb::CVE_2013_0162.new,
      Dawn::Kb::CVE_2013_0175.new,
      Dawn::Kb::CVE_2013_0183.new,
      Dawn::Kb::CVE_2013_0184.new,
      Dawn::Kb::CVE_2013_0233.new,
      Dawn::Kb::CVE_2013_0256.new,
      Dawn::Kb::CVE_2013_0262.new,
      Dawn::Kb::CVE_2013_0263.new,
      Dawn::Kb::CVE_2013_0269.new,
      Dawn::Kb::CVE_2013_0276.new,
      Dawn::Kb::CVE_2013_0277.new,
      Dawn::Kb::CVE_2013_0284.new,
      Dawn::Kb::CVE_2013_0285.new,
      Dawn::Kb::CVE_2013_0333.new,
      Dawn::Kb::CVE_2013_0334.new,
      Dawn::Kb::CVE_2013_1607.new,
      Dawn::Kb::CVE_2013_1655.new,
      Dawn::Kb::CVE_2013_1656.new,
      Dawn::Kb::CVE_2013_1756.new,
      Dawn::Kb::CVE_2013_1800.new,
      Dawn::Kb::CVE_2013_1801.new,
      Dawn::Kb::CVE_2013_1802.new,
      Dawn::Kb::CVE_2013_1812.new,
      Dawn::Kb::CVE_2013_1821.new,
      Dawn::Kb::CVE_2013_1854.new,
      Dawn::Kb::CVE_2013_1855.new,
      Dawn::Kb::CVE_2013_1856.new,
      Dawn::Kb::CVE_2013_1857.new,
      Dawn::Kb::CVE_2013_1875.new,
      Dawn::Kb::CVE_2013_1898.new,
      Dawn::Kb::CVE_2013_1911.new,
      Dawn::Kb::CVE_2013_1933.new,
      Dawn::Kb::CVE_2013_1947.new,
      Dawn::Kb::CVE_2013_1948.new,
      Dawn::Kb::CVE_2013_2065.new,
      Dawn::Kb::CVE_2013_2090.new,
      Dawn::Kb::CVE_2013_2105.new,
      Dawn::Kb::CVE_2013_2119.new,
      Dawn::Kb::CVE_2013_2512.new,
      Dawn::Kb::CVE_2013_2513.new,
      Dawn::Kb::CVE_2013_2516.new,
      Dawn::Kb::CVE_2013_2615.new,
      Dawn::Kb::CVE_2013_2616.new,
      Dawn::Kb::CVE_2013_2617.new,
      Dawn::Kb::CVE_2013_3221.new,
      Dawn::Kb::CVE_2013_4164.new,
      Dawn::Kb::CVE_2013_4203.new,
      Dawn::Kb::CVE_2013_4389.new,
      Dawn::Kb::CVE_2013_4413.new,
      Dawn::Kb::CVE_2013_4457.new,
      Dawn::Kb::CVE_2013_4478.new,
      Dawn::Kb::CVE_2013_4479.new,
      Dawn::Kb::CVE_2013_4489.new,
      Dawn::Kb::CVE_2013_4491.new,
      Dawn::Kb::CVE_2013_4492.new,
      Dawn::Kb::CVE_2013_4562.new,
      Dawn::Kb::CVE_2013_4593.new,
      Dawn::Kb::CVE_2013_5647.new,
      Dawn::Kb::CVE_2013_5671.new,
      Dawn::Kb::CVE_2013_6414.new,
      Dawn::Kb::CVE_2013_6415.new,
      Dawn::Kb::CVE_2013_6416.new,
      Dawn::Kb::CVE_2013_6417.new,
      Dawn::Kb::CVE_2013_6421.new,
      Dawn::Kb::CVE_2013_6459.new,
      Dawn::Kb::CVE_2013_6460.new,
      Dawn::Kb::CVE_2013_6461.new,
      Dawn::Kb::CVE_2013_7086.new,
      Dawn::Kb::CVE_2014_0036.new,
      Dawn::Kb::CVE_2014_0080.new,
      Dawn::Kb::CVE_2014_0081.new,
      Dawn::Kb::CVE_2014_0082.new,
      Dawn::Kb::CVE_2014_0130.new,
      Dawn::Kb::CVE_2014_1233.new,
      Dawn::Kb::CVE_2014_1234.new,
      Dawn::Kb::CVE_2014_2322.new,
      Dawn::Kb::CVE_2014_2525.new,
      Dawn::Kb::CVE_2014_2538.new,
      Dawn::Kb::CVE_2014_3482.new,
      Dawn::Kb::CVE_2014_3483.new,
      Dawn::Kb::CVE_2014_3916.new,
      Dawn::Kb::CVE_2014_4975.new,
      Dawn::Kb::CVE_2014_7818.new,
      Dawn::Kb::CVE_2014_7819.new,
      Dawn::Kb::CVE_2014_7829.new,
      Dawn::Kb::CVE_2014_8090.new,
      Dawn::Kb::CVE_2014_9490.new,
      Dawn::Kb::CVE_2015_1819.new,
      Dawn::Kb::CVE_2015_1840_a.new,
      Dawn::Kb::CVE_2015_1840_b.new,
      Dawn::Kb::CVE_2015_2963.new,
      Dawn::Kb::CVE_2015_3224.new,
      Dawn::Kb::CVE_2015_3225.new,
      Dawn::Kb::CVE_2015_3226.new,
      Dawn::Kb::CVE_2015_3227.new,
      Dawn::Kb::CVE_2015_3448.new,
      Dawn::Kb::CVE_2015_4020.new,
      Dawn::Kb::CVE_2015_5312.new,
      Dawn::Kb::CVE_2015_7497.new,
      Dawn::Kb::CVE_2015_7498.new,
      Dawn::Kb::CVE_2015_7499.new,
      Dawn::Kb::CVE_2015_7500.new,
      Dawn::Kb::CVE_2015_7519.new,
      Dawn::Kb::CVE_2015_7541.new,
      Dawn::Kb::CVE_2015_7576.new,
      Dawn::Kb::CVE_2015_7577.new,
      Dawn::Kb::CVE_2015_7578.new,
      Dawn::Kb::CVE_2015_7579.new,
      Dawn::Kb::CVE_2015_7581.new,
      Dawn::Kb::CVE_2015_8241.new,
      Dawn::Kb::CVE_2015_8242.new,
      Dawn::Kb::CVE_2015_8317.new,
      Dawn::Kb::CVE_2016_0751.new,
      Dawn::Kb::CVE_2016_0752.new,
      Dawn::Kb::CVE_2016_0753.new,
      Dawn::Kb::CVE_2016_2097.new,
      Dawn::Kb::CVE_2016_2098.new,


      # OSVDB Checks are still here since are all about dependencies
      Dawn::Kb::OSVDB_105971.new,
      Dawn::Kb::OSVDB_108569.new,
      Dawn::Kb::OSVDB_108570.new,
      Dawn::Kb::OSVDB_108530.new,
      Dawn::Kb::OSVDB_108563.new,
      Dawn::Kb::OSVDB_115654.new,
      Dawn::Kb::OSVDB_116010.new,
      Dawn::Kb::OSVDB_117903.new,
      Dawn::Kb::OSVDB_118579.new,
      Dawn::Kb::OSVDB_118830.new,
      Dawn::Kb::OSVDB_118954.new,
      Dawn::Kb::OSVDB_119878.new,
      Dawn::Kb::OSVDB_119927.new,
      Dawn::Kb::OSVDB_120415.new,
      Dawn::Kb::OSVDB_120857.new,
      Dawn::Kb::OSVDB_121701.new,
  ]
    # END @cve_security_checks array
    # START @owasp_ror_cheatsheet_checks array
    @owasp_ror_cheatsheet_checks = [
      Dawn::Kb::OwaspRorCheatSheet::CommandInjection.new,
      Dawn::Kb::OwaspRorCheatSheet::Csrf.new,
      Dawn::Kb::OwaspRorCheatSheet::SessionStoredInDatabase.new,
      Dawn::Kb::OwaspRorCheatSheet::MassAssignmentInModel.new,
      Dawn::Kb::OwaspRorCheatSheet::SecurityRelatedHeaders.new,
      Dawn::Kb::OwaspRorCheatSheet::CheckForSafeRedirectAndForward.new,
      Dawn::Kb::OwaspRorCheatSheet::SensitiveFiles.new,
    ]
    # END @owasp_ror_cheatsheet_checks array
    @code_quality_checks = [
      Dawn::Kb::NotRevisedCode.new,
    ]
    @aux_checks =
      [
        Dawn::Kb::SimpleForm_Xss_20131129.new,
    ]

      ret = []
      ret += @aux_checks
      ret += @cve_security_checks         if @enabled_checks.include?(:cve_bulletin)
      ret += @owasp_ror_cheatsheet_checks if @enabled_checks.include?(:owasp_ror_cheatsheet)
      ret += @code_quality_checks         if @enabled_checks.include?(:code_quality)

      ret
end

Class: Dawn::KnowledgeBase

Overview

Constant Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Methods included from Utils

Constructor Details

#initialize(options = {}) ⇒ KnowledgeBase

Class Method Details

.dump(verbose = false) ⇒ Object

.find(checks = nil, name) ⇒ Object

Instance Method Details

#all ⇒ Object

#all_by_mvc(mvc) ⇒ Object

#all_padrino_checks ⇒ Object

#all_rack_checks ⇒ Object

#all_rails_checks ⇒ Object

#all_sinatra_checks ⇒ Object

#find(name) ⇒ Object

#load_security_checks ⇒ Object