Module: Dawn::Kb::DependencyCheck

Includes:

BasicCheck

Included in:

CVE_2006_2582, CVE_2006_4112, CVE_2006_6852, CVE_2006_6979, CVE_2007_0469, CVE_2007_5379, CVE_2007_5380, CVE_2007_6077, CVE_2007_6612, CVE_2008_4094, CVE_2008_5189, CVE_2008_7248, CVE_2009_4078, CVE_2009_4214, CVE_2010_3933, CVE_2011_0446, CVE_2011_0447, CVE_2011_0739, CVE_2011_0995_a, CVE_2011_2197, CVE_2011_2929, CVE_2011_2930, CVE_2011_2931, CVE_2011_2932, CVE_2011_3186, CVE_2011_3187, CVE_2011_4319, CVE_2011_5036, CVE_2012_1098, CVE_2012_1099, CVE_2012_1241, CVE_2012_2139, CVE_2012_2140, CVE_2012_2660, CVE_2012_2661, CVE_2012_2671, CVE_2012_2694, CVE_2012_2695, CVE_2012_3424, CVE_2012_3463, CVE_2012_3464, CVE_2012_3465, CVE_2012_6109, CVE_2012_6134, CVE_2012_6496, CVE_2012_6497, CVE_2012_6684, CVE_2013_0155, CVE_2013_0156, CVE_2013_0162, CVE_2013_0175, CVE_2013_0183, CVE_2013_0184, CVE_2013_0233, CVE_2013_0256_a, CVE_2013_0262, CVE_2013_0263, CVE_2013_0269, CVE_2013_0276, CVE_2013_0277, CVE_2013_0284, CVE_2013_0285, CVE_2013_0333, CVE_2013_0334, CVE_2013_1607, CVE_2013_1655_a, CVE_2013_1656, CVE_2013_1756, CVE_2013_1800, CVE_2013_1801, CVE_2013_1802, CVE_2013_1812, CVE_2013_1854, CVE_2013_1855, CVE_2013_1856, CVE_2013_1857, CVE_2013_1875, CVE_2013_1898, CVE_2013_1911, CVE_2013_1933, CVE_2013_1947, CVE_2013_1948, CVE_2013_2090, CVE_2013_2105, CVE_2013_2119, CVE_2013_2512, CVE_2013_2513, CVE_2013_2516, CVE_2013_2615, CVE_2013_2616, CVE_2013_2617, CVE_2013_3221, CVE_2013_4203, CVE_2013_4389, CVE_2013_4413, CVE_2013_4457, CVE_2013_4478, CVE_2013_4479, CVE_2013_4489, CVE_2013_4491, CVE_2013_4492, CVE_2013_4562, CVE_2013_4593, CVE_2013_5647, CVE_2013_5671, CVE_2013_6414, CVE_2013_6415, CVE_2013_6416, CVE_2013_6417, CVE_2013_6421, CVE_2013_6459, CVE_2013_6460_a, CVE_2013_6461_a, CVE_2013_7086, CVE_2014_0036, CVE_2014_0080, CVE_2014_0081, CVE_2014_0082, CVE_2014_0130, CVE_2014_1233, CVE_2014_1234, CVE_2014_2322, CVE_2014_2525_b, CVE_2014_2538, CVE_2014_3482, CVE_2014_3483, CVE_2014_7818, CVE_2014_7819, CVE_2014_7829, CVE_2014_9490, CVE_2015_1819, CVE_2015_1840_a, CVE_2015_1840_b, CVE_2015_2963, CVE_2015_3224, CVE_2015_3225, CVE_2015_3226, CVE_2015_3227, CVE_2015_3448, CVE_2015_5312, CVE_2015_7497, CVE_2015_7498, CVE_2015_7499, CVE_2015_7500, CVE_2015_7519, CVE_2015_7541, CVE_2015_7576, CVE_2015_7577, CVE_2015_7578, CVE_2015_7579, CVE_2015_7581, CVE_2015_8241, CVE_2015_8242, CVE_2015_8317, CVE_2016_0751, CVE_2016_0752, CVE_2016_0753, CVE_2016_2097, CVE_2016_2098, CVE_2016_5697, CVE_2016_6316, CVE_2016_6317, CVE_2016_6582, OSVDB_105971, OSVDB_108530, OSVDB_108563, OSVDB_108569, OSVDB_108570, OSVDB_115654, OSVDB_116010, OSVDB_117903, OSVDB_118579, OSVDB_118830, OSVDB_118954, OSVDB_119878, OSVDB_119927, OSVDB_120415, OSVDB_120857, OSVDB_121701, OSVDB_132234, SimpleForm_Xss_20131129

Defined in:

lib/dawn/kb/dependency_check.rb

Constant Summary

Constants included from BasicCheck

BasicCheck::ALLOWED_FAMILIES

Instance Attribute Summary

• #aux_mitigation_gem ⇒ Object

  Returns the value of attribute aux_mitigation_gem.

• #dependencies ⇒ Object

  Returns the value of attribute dependencies.

• #not_affected ⇒ Object

  Returns the value of attribute not_affected.

• #safe_dependencies ⇒ Object

  This attribute replaces fixed_dependency in 20130521.

• #save_major ⇒ Object

  Returns the value of attribute save_major.

• #save_minor ⇒ Object

  Tells a version is not vulnerable even if in the fixes array that has a minor version number higher than the current.

Attributes included from BasicCheck

#applies, #aux_links, #check_family, #cve, #cvss, #cwe, #debug, #evidences, #fixes_version, #kind, #message, #mitigated, #name, #osvdb, #owasp, #priority, #release_date, #remediation, #ruby_version, #ruby_vulnerable_versions, #severity, #status, #target_version, #title

Instance Method Summary

• #initialize(options) ⇒ Object
• #vuln? ⇒ Boolean

Methods included from BasicCheck

#applies_to?, #cve_link, #cvss_score, families, #family, #family=, #lint, #mitigated?, #nvd_link, #osvdb_link, #rubysec_advisories_link

Methods included from Utils

#__debug_me_and_return, #debug_me, #debug_me_and_return_false, #debug_me_and_return_true

Instance Attribute Details

#aux_mitigation_gem ⇒ Object

Returns the value of attribute aux_mitigation_gem.

# File 'lib/dawn/kb/dependency_check.rb', line 15

def aux_mitigation_gem
  @aux_mitigation_gem
end

#dependencies ⇒ Object

Returns the value of attribute dependencies.

# File 'lib/dawn/kb/dependency_check.rb', line 6

def dependencies
  @dependencies
end

#not_affected ⇒ Object

Returns the value of attribute not_affected.

# File 'lib/dawn/kb/dependency_check.rb', line 17

def not_affected
  @not_affected
end

#safe_dependencies ⇒ Object

This attribute replaces fixed_dependency in 20130521. There are cve checks like web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0175 that addresses two different gems firing up the vulnerability. You can read this like, “if you use gem A version A1 or if you use gem B version B1 you can occur in this issue”.

# File 'lib/dawn/kb/dependency_check.rb', line 14

def safe_dependencies
  @safe_dependencies
end

#save_major ⇒ Object

Returns the value of attribute save_major.

# File 'lib/dawn/kb/dependency_check.rb', line 26

def save_major
  @save_major
end

#save_minor ⇒ Object

Tells a version is not vulnerable even if in the fixes array that has a minor version number higher than the current. This is useful especially for rails version where 3.0.x, 3.1.y, 3.2.z are separated branches and the patch is provided for all of those. So if version 3.1.10 is safe and you have it, you don’t be prompted about 3.2.x.

# File 'lib/dawn/kb/dependency_check.rb', line 25

def save_minor
  @save_minor
end

Instance Method Details

#initialize(options) ⇒ Object

# File 'lib/dawn/kb/dependency_check.rb', line 28

def initialize(options)
  super(options)
  @save_minor ||= options[:save_minor]
  @save_major ||= options[:save_major]
end

#vuln? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/dawn/kb/dependency_check.rb', line 34

def vuln?
  ret         = false
  @mitigated  = false
  message     = ""


  @dependencies.each do |dep|
    # don't care about gem version when it mitigates a vulnerability... this can be risky, maybe I would reconsider in the future.
    @mitigated = true if dep[:name] == @aux_mitigation_gem[:name] unless @aux_mitigation_gem.nil?

    @safe_dependencies.each do |safe_dep|

      if dep[:name] == safe_dep[:name]
        v = Dawn::Kb::VersionCheck.new(
          {
            :safe=>safe_dep[:version],
            :detected=>dep[:version],
            :save_minor => self.save_minor,
            :save_major => self.save_major,
          }
        )
        v.debug = self.debug
        v.excluded = self.not_affected[:version] unless self.not_affected.nil?

        vuln = v.vuln?
        if vuln && @ruby_vulnerable_versions.empty?
          message = "Vulnerable #{dep[:name]} gem version found: #{dep[:version]}"
          ret = vuln
        end
      end
    end
  end

  if ret && @mitigated
    ret = false
    message += "Vulnerability has been mitigated by gem #{@aux_mitigation_gem[:name]}. Don't remove it from your Gemfile"
  end

  self.evidences << message unless message.empty?

  @status = ret

  ret
end