Module: Dawn::Kb::BasicCheck

Constant Summary

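# Check families a KB entry may declare; validated by #family= and listed
# as strings by .families. Frozen so no caller can mutate the shared
# allow-list in place (a mutable constant was silently extensible before).
ALLOWED_FAMILIES = [
  :generic_check,
  :code_quality,
  :bulletin,
  :code_style,
  :owasp_ror_cheatsheet,
  :owasp_top_10
].freeze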




Methods included from Utils

#__debug_me_and_return, #debug_me, #debug_me_and_return_false, #debug_me_and_return_true

Instance Attribute Details

#applies ⇒ Object (readonly)

Returns the value of attribute applies.



# File 'lib/dawn/kb/basic_check.rb', line 17

# @return [Array] names this check applies to; [] unless options[:applies]
#   was given to #initialize. Searched by #applies_to?.
def applies
  @applies
end

Returns the value of attribute aux_links.



# File 'lib/dawn/kb/basic_check.rb', line 21

# @return [Object, nil] options[:aux_links] as passed to #initialize
#   (nil when absent)
def aux_links
  @aux_links
end

#check_family ⇒ Object

This is a flag for the security check family. Valid values are:

+ generic_check
+ code_quality
+ bulletin
+ code_style
+ owasp_ror_cheatsheet
+ owasp_top_10_n (where n is a number between 1 and 10)


# File 'lib/dawn/kb/basic_check.rb', line 56

# @return [Symbol] the check family; :generic_check by default, taken from
#   options[:check_family] and forced to :bulletin for CVE-/OSVDB names in
#   #initialize. NOTE(review): the text above lists owasp_top_10_n, while
#   ALLOWED_FAMILIES only holds :owasp_top_10 — confirm which is intended.
def check_family
  @check_family
end

#cve ⇒ Object (readonly)

Returns the value of attribute cve.



# File 'lib/dawn/kb/basic_check.rb', line 11

# @return [Object, nil] options[:cve] as passed to #initialize; a nil value
#   is reported by #lint
def cve
  @cve
end

#cvss ⇒ Object (readonly)

Returns the value of attribute cvss.



# File 'lib/dawn/kb/basic_check.rb', line 13

# @return [Object, nil] the CVSS vector from options[:cvss]; fed to
#   Cvss::Engine by #cvss_score and checked for nil/empty/"not assigned"
#   by #lint
def cvss
  @cvss
end

#cwe ⇒ Object (readonly)

Returns the value of attribute cwe.



# File 'lib/dawn/kb/basic_check.rb', line 14

# @return [Object, nil] options[:cwe] as passed to #initialize
def cwe
  @cwe
end

#debug ⇒ Object

Put the check in debug mode



# File 'lib/dawn/kb/basic_check.rb', line 47

# @return [Boolean] debug-mode flag; false after #initialize (it is not
#   settable through options)
def debug
  @debug
end

#evidences ⇒ Object (readonly)

Vulnerability evidences



# File 'lib/dawn/kb/basic_check.rb', line 41

# @return [Array] vulnerability evidences; [] unless options[:evidences]
#   was given to #initialize
def evidences
  @evidences
end

#fixes_version ⇒ Object (readonly)

The framework versions that fix the vulnerability



# File 'lib/dawn/kb/basic_check.rb', line 38

# @return [Object, nil] options[:fixes_version] as passed to #initialize
def fixes_version
  @fixes_version
end

#kind ⇒ Object (readonly)

Returns the value of attribute kind.



# File 'lib/dawn/kb/basic_check.rb', line 18

# @return [Object, nil] options[:kind] as passed to #initialize
def kind
  @kind
end

#message ⇒ Object (readonly)

Returns the value of attribute message.



# File 'lib/dawn/kb/basic_check.rb', line 19

# @return [Object, nil] options[:message] as passed to #initialize
def message
  @message
end

#mitigated ⇒ Object (readonly)

Returns the value of attribute mitigated.



# File 'lib/dawn/kb/basic_check.rb', line 22

# @return [Boolean] false after #initialize (not settable through options);
#   exposed as a predicate by #mitigated?
def mitigated
  @mitigated
end

#name ⇒ Object (readonly)

Returns the value of attribute name.



# File 'lib/dawn/kb/basic_check.rb', line 10

# @return [Object, nil] options[:name] as passed to #initialize. A name
#   starting with "CVE-" or "OSVDB" makes the family :bulletin, and the
#   value is interpolated verbatim into #cve_link, #nvd_link and
#   #rubysec_advisories_link.
def name
  @name
end

#osvdb ⇒ Object (readonly)

Returns the value of attribute osvdb.



# File 'lib/dawn/kb/basic_check.rb', line 12

# @return [Object, nil] options[:osvdb] as passed to #initialize; used by
#   #osvdb_link and reported by #lint when nil
def osvdb
  @osvdb
end

#owasp ⇒ Object (readonly)

Returns the value of attribute owasp.



# File 'lib/dawn/kb/basic_check.rb', line 15

# @return [Object, nil] options[:owasp] as passed to #initialize
def owasp
  @owasp
end

#priority ⇒ Object

This is the check priority level. It tells how fast you should mitigate the vulnerability.

Valid values are:

+ :critical
+ :high
+ :medium
+ :low
+ :info
+ :none


# File 'lib/dawn/kb/basic_check.rb', line 81

# @return [Symbol] :none by default, overridden by a non-nil
#   options[:priority] in #initialize. Note #lint compares it with the
#   string "unknown", not with a symbol.
def priority
  @priority
end

#release_date ⇒ Object (readonly)

Returns the value of attribute release_date.



# File 'lib/dawn/kb/basic_check.rb', line 16

# @return [Object, nil] options[:release_date] as passed to #initialize
def release_date
  @release_date
end

#remediation ⇒ Object (readonly)

Returns the value of attribute remediation.



# File 'lib/dawn/kb/basic_check.rb', line 20

# @return [Object, nil] the remediation text. Note it is read from
#   options[:mitigation] (not :remediation) in #initialize.
def remediation
  @remediation
end

#ruby_version ⇒ Object

This is the ruby version used by the target application. It is set in the Engine class around line #107.



# File 'lib/dawn/kb/basic_check.rb', line 26

# @return [Object, nil] options[:ruby_version] as passed to #initialize.
#   NOTE(review): the "" default assigned earlier in #initialize is
#   overwritten unconditionally, so a missing option leaves nil here.
def ruby_version
  @ruby_version
end

#ruby_vulnerable_versions ⇒ Object (readonly)

This is an array of ruby versions that make a particular version exploitable. For example, consider CVE-2013-1655: the Puppet rubygem vulnerability can be exploited only if the ruby version is 1.9.3 or higher.



# File 'lib/dawn/kb/basic_check.rb', line 33

# @return [Array] always [] after #initialize; no option key sets it there,
#   so a subclass or later code has to populate it
def ruby_vulnerable_versions
  @ruby_vulnerable_versions
end

#severity ⇒ Object

This is the check severity level. It tells how dangerous the vulnerability is for your application.

Valid values are:

+ :critical
+ :high
+ :medium
+ :low
+ :info
+ :none


# File 'lib/dawn/kb/basic_check.rb', line 69

# @return [Symbol] :none by default, overridden by a non-nil
#   options[:severity] in #initialize. Note #lint compares it with the
#   string "unknown", not with a symbol.
def severity
  @severity
end

#status ⇒ Object (readonly)

Check status. Returns the result of the latest vuln? call.



# File 'lib/dawn/kb/basic_check.rb', line 44

# @return [Boolean] false after #initialize; per the documentation above it
#   holds the latest vuln? result (vuln? is not defined in this excerpt)
def status
  @status
end

#target_version ⇒ Object (readonly)

The framework target version



# File 'lib/dawn/kb/basic_check.rb', line 36

# @return [Object, nil] options[:target_version] as passed to #initialize
def target_version
  @target_version
end

#title ⇒ Object (readonly)

Returns the value of attribute title.



# File 'lib/dawn/kb/basic_check.rb', line 9

# @return [Object, nil] options[:title] as passed to #initialize; a nil
#   value is reported by #lint
def title
  @title
end

Class Method Details

.families ⇒ Object



# File 'lib/dawn/kb/basic_check.rb', line 142

# The allowed check families as strings, in ALLOWED_FAMILIES order.
#
# @return [Array<String>]
def self.families
  ALLOWED_FAMILIES.map(&:to_s)
end

Instance Method Details

#applies_to?(name) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/dawn/kb/basic_check.rb', line 203

# Whether +name+ is one of the entries in @applies (compared with ==).
#
# @param name [Object] value looked up in @applies
# @return [Boolean]
def applies_to?(name)
  @applies.include?(name)
end


# File 'lib/dawn/kb/basic_check.rb', line 206

# Link to the MITRE CVE page for this check's name.
#
# @name is appended verbatim (no URL-encoding) and the scheme is plain
# http, like the other *_link helpers.
#
# @return [String]
def cve_link
  "http://cve.mitre.org/cgi-bin/cvename.cgi?name=" + @name.to_s
end

#cvss_score ⇒ Object



# File 'lib/dawn/kb/basic_check.rb', line 219

# Score of the check's CVSS vector.
#
# @return [Object] whatever Cvss::Engine#score returns for +cvss+, or a
#   four-space placeholder string when no CVSS vector is set
def cvss_score
  return "    " if cvss.nil?

  Cvss::Engine.new.score(cvss)
end

#family ⇒ Object



# File 'lib/dawn/kb/basic_check.rb', line 157

# Human-readable label for @check_family.
#
# Only the five families below have a label; anything else — including
# :generic_check and string values — comes back as "Unknown".
#
# @return [String]
def family
  case @check_family
  when :bulletin             then "CVE or OSVDB bulletin"
  when :code_style           then "Ruby coding style"
  when :code_quality         then "Ruby code quality check"
  when :owasp_ror_cheatsheet then "Owasp Ruby on Rails cheatsheet"
  when :owasp_top_10         then "Owasp Top 10"
  else "Unknown"
  end
end

#family=(item) ⇒ Object



# File 'lib/dawn/kb/basic_check.rb', line 146

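# Sets the check family after validating it against ALLOWED_FAMILIES.
#
# An unknown family is logged via $logger.err and the check falls back to
# :generic_check.
#
# @param item [String, Symbol] family name; converted with #to_sym
# @return [Object] +item+ when accepted, otherwise the family actually
#   stored (:generic_check). The previous `return @family` read an
#   instance variable that is never assigned and so always returned nil.
def family=(item)
  family_sym = item.to_sym
  if ALLOWED_FAMILIES.include?(family_sym)
    @check_family = family_sym
    return item
  end

  $logger.err("invalid check family: #{item}")
  @check_family = :generic_check
  @check_family
end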

#initialize(options = {}) ⇒ Object



# File 'lib/dawn/kb/basic_check.rb', line 83

# Builds a check from the attribute hash a KB entry passes in.
#
# Every key is optional. The remediation text is read from
# options[:mitigation] (there is no :remediation key), and a :name that
# starts with "CVE-" or "OSVDB" forces the family to :bulletin regardless
# of :check_family.
#
# @param options [Hash] check attributes: :title, :name, :cvss, :cwe, :cve,
#   :osvdb, :owasp, :release_date, :applies, :kind, :message, :mitigation,
#   :aux_links, :target_version, :fixes_version, :ruby_version, :evidences,
#   :severity, :priority, :check_family
def initialize(options={})
  # Plain pass-through attributes (nil when the key is absent).
  @title          = options[:title]
  @name           = options[:name]
  @cvss           = options[:cvss]
  @cwe            = options[:cwe]
  @cve            = options[:cve]
  @osvdb          = options[:osvdb]
  @owasp          = options[:owasp]
  @release_date   = options[:release_date]
  @kind           = options[:kind]
  @message        = options[:message]
  @remediation    = options[:mitigation]
  @aux_links      = options[:aux_links]
  @target_version = options[:target_version]
  @fixes_version  = options[:fixes_version]
  # NOTE(review): unlike :applies and :evidences below, a missing
  # :ruby_version leaves this nil rather than "" — confirm that is intended.
  @ruby_version   = options[:ruby_version]

  # Attributes with a default that only a non-nil option overrides.
  @applies      = options[:applies].nil?      ? []             : options[:applies]
  @evidences    = options[:evidences].nil?    ? []             : options[:evidences]
  @severity     = options[:severity].nil?     ? :none          : options[:severity]
  @priority     = options[:priority].nil?     ? :none          : options[:priority]
  @check_family = options[:check_family].nil? ? :generic_check : options[:check_family]

  # Attributes that cannot be set through options.
  @ruby_vulnerable_versions = []
  @mitigated = false
  @status    = false
  @debug     = false

  # FIXME.20140325
  #
  # I don't want to manually fix 150+ ruby files to add something I can
  # deal here
  bulletin_name = options[:name]
  @check_family = :bulletin if !bulletin_name.nil? && bulletin_name.start_with?('CVE-', 'OSVDB')

  return unless $logger.nil?

  # Logger bootstrap. The old codesake-commons logging was replaced on
  # 20150720 by the standard library Logger (via dawn/logger) to drop the
  # codesake-commons dependency and have a clean API; lazy-required here so
  # the first check constructed sets up the shared $logger.
  require 'dawn/logger'
  $logger = Logger.new(STDOUT)
  $logger.helo "dawn-basic-check", Dawn::VERSION
end

#lint ⇒ Object

Performs a self check that some core values are not nil.

Returns:

  • an Array of the attributes with a nil value



# File 'lib/dawn/kb/basic_check.rb', line 231

# Self check: which core attributes are still missing or unassigned.
#
# An attribute counts as missing when it is nil; :cvss also when it is
# empty or the literal "not assigned", and :severity/:priority when they
# equal the string "unknown".
# NOTE(review): severity and priority are documented as symbols (:none …),
# so the "unknown" string comparison may never match — confirm.
#
# @return [Array<Symbol>] names of the failing attributes, in the order
#   :cve, :osvdb, :cvss, :severity, :priority, :title
def lint
  problems = {
    cve:      -> { cve.nil? },
    osvdb:    -> { @osvdb.nil? },
    cvss:     -> { cvss.nil? || cvss.empty? || cvss == "not assigned" },
    severity: -> { severity == "unknown" },
    priority: -> { priority == "unknown" },
    title:    -> { title.nil? }
  }
  problems.select { |_attribute, missing| missing.call }.keys
end

#mitigated? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/dawn/kb/basic_check.rb', line 224

# Predicate form of #mitigated.
#
# @return [Boolean] the current value of the mitigated attribute
def mitigated?
  mitigated
end


# File 'lib/dawn/kb/basic_check.rb', line 209

# Link to the NVD entry for this check's name.
#
# @name is appended verbatim (no URL-encoding) over plain http.
#
# @return [String]
def nvd_link
  "http://web.nvd.nist.gov/view/vuln/detail?vulnId=" + @name.to_s
end


# File 'lib/dawn/kb/basic_check.rb', line 215

# Link to the OSVDB entry for this check's @osvdb id, appended verbatim.
# NOTE(review): the OSVDB service has since been discontinued, so this
# link may no longer resolve.
#
# @return [String]
def osvdb_link
  "http://osvdb.org/show/osvdb/" + @osvdb.to_s
end


# File 'lib/dawn/kb/basic_check.rb', line 212

# Link to the rubysec advisory for this check's name (appended verbatim,
# no URL-encoding, plain http).
#
# @return [String]
def rubysec_advisories_link
  "http://www.rubysec.com/advisories/" + @name.to_s + "/"
end