Module: Dawn::Kb::DependencyCheck

Includes:
BasicCheck
Included in:
CVE_2006_2582, CVE_2006_4112, CVE_2006_6852, CVE_2006_6979, CVE_2007_0469, CVE_2007_5379, CVE_2007_5380, CVE_2007_6077, CVE_2007_6612, CVE_2008_4094, CVE_2008_5189, CVE_2008_7248, CVE_2009_4078, CVE_2009_4214, CVE_2010_3933, CVE_2011_0446, CVE_2011_0447, CVE_2011_0739, CVE_2011_0995_a, CVE_2011_2197, CVE_2011_2929, CVE_2011_2930, CVE_2011_2931, CVE_2011_2932, CVE_2011_3186, CVE_2011_3187, CVE_2011_4319, CVE_2011_5036, CVE_2012_1098, CVE_2012_1099, CVE_2012_1241, CVE_2012_2139, CVE_2012_2140, CVE_2012_2660, CVE_2012_2661, CVE_2012_2671, CVE_2012_2694, CVE_2012_2695, CVE_2012_3424, CVE_2012_3463, CVE_2012_3464, CVE_2012_3465, CVE_2012_6109, CVE_2012_6134, CVE_2012_6496, CVE_2012_6497, CVE_2012_6684, CVE_2013_0155, CVE_2013_0156, CVE_2013_0162, CVE_2013_0175, CVE_2013_0183, CVE_2013_0184, CVE_2013_0233, CVE_2013_0256_a, CVE_2013_0262, CVE_2013_0263, CVE_2013_0269, CVE_2013_0276, CVE_2013_0277, CVE_2013_0284, CVE_2013_0285, CVE_2013_0333, CVE_2013_0334, CVE_2013_1607, CVE_2013_1655_a, CVE_2013_1656, CVE_2013_1756, CVE_2013_1800, CVE_2013_1801, CVE_2013_1802, CVE_2013_1812, CVE_2013_1854, CVE_2013_1855, CVE_2013_1856, CVE_2013_1857, CVE_2013_1875, CVE_2013_1898, CVE_2013_1911, CVE_2013_1933, CVE_2013_1947, CVE_2013_1948, CVE_2013_2090, CVE_2013_2105, CVE_2013_2119, CVE_2013_2512, CVE_2013_2513, CVE_2013_2516, CVE_2013_2615, CVE_2013_2616, CVE_2013_2617, CVE_2013_3221, CVE_2013_4203, CVE_2013_4389, CVE_2013_4413, CVE_2013_4457, CVE_2013_4478, CVE_2013_4479, CVE_2013_4489, CVE_2013_4491, CVE_2013_4492, CVE_2013_4562, CVE_2013_4593, CVE_2013_5647, CVE_2013_5671, CVE_2013_6414, CVE_2013_6415, CVE_2013_6416, CVE_2013_6417, CVE_2013_6421, CVE_2013_6459, CVE_2013_6460_a, CVE_2013_6461_a, CVE_2013_7086, CVE_2014_0036, CVE_2014_0080, CVE_2014_0081, CVE_2014_0082, CVE_2014_0130, CVE_2014_1233, CVE_2014_1234, CVE_2014_2322, CVE_2014_2525_b, CVE_2014_2538, CVE_2014_3482, CVE_2014_3483, CVE_2014_7818, CVE_2014_7819, CVE_2014_7829, CVE_2014_9490, CVE_2015_1819, CVE_2015_1840_a, 
CVE_2015_1840_b, CVE_2015_2963, CVE_2015_3224, CVE_2015_3225, CVE_2015_3226, CVE_2015_3227, CVE_2015_3448, CVE_2015_5312, CVE_2015_7497, CVE_2015_7498, CVE_2015_7499, CVE_2015_7500, CVE_2015_7519, CVE_2015_7541, CVE_2015_7576, CVE_2015_7577, CVE_2015_7578, CVE_2015_7579, CVE_2015_7581, CVE_2015_8241, CVE_2015_8242, CVE_2015_8317, CVE_2016_0751, CVE_2016_0752, CVE_2016_0753, CVE_2016_2097, CVE_2016_2098, CVE_2016_5697, CVE_2016_6316, CVE_2016_6317, CVE_2016_6582, OSVDB_105971, OSVDB_108530, OSVDB_108563, OSVDB_108569, OSVDB_108570, OSVDB_115654, OSVDB_116010, OSVDB_117903, OSVDB_118579, OSVDB_118830, OSVDB_118954, OSVDB_119878, OSVDB_119927, OSVDB_120415, OSVDB_120857, OSVDB_121701, OSVDB_132234, SimpleForm_Xss_20131129
Defined in:
lib/dawn/kb/dependency_check.rb

Constant Summary

Constants included from BasicCheck

BasicCheck::ALLOWED_FAMILIES

Instance Attribute Summary collapse

Attributes included from BasicCheck

#applies, #aux_links, #check_family, #cve, #cvss, #cwe, #debug, #evidences, #fixes_version, #kind, #message, #mitigated, #name, #osvdb, #owasp, #priority, #release_date, #remediation, #ruby_version, #ruby_vulnerable_versions, #severity, #status, #target_version, #title

Instance Method Summary collapse

Methods included from BasicCheck

#applies_to?, #cve_link, #cvss_score, families, #family, #family=, #lint, #mitigated?, #nvd_link, #osvdb_link, #rubysec_advisories_link

Methods included from Utils

#__debug_me_and_return, #debug_me, #debug_me_and_return_false, #debug_me_and_return_true

Instance Attribute Details

#aux_mitigation_gemObject

Returns the value of attribute aux_mitigation_gem


# File 'lib/dawn/kb/dependency_check.rb', line 15

# Reader for the optional gem whose presence is treated as mitigating this
# check. Elsewhere in the module it is indexed with +[:name]+ and compared
# against +nil+, so it is presumably a Hash or +nil+ — confirm in the
# concrete check classes.
#
# @return [Hash, nil] the mitigation gem descriptor, or +nil+ when none is set
def aux_mitigation_gem
  instance_variable_get(:@aux_mitigation_gem)
end

#dependenciesObject

Returns the value of attribute dependencies


# File 'lib/dawn/kb/dependency_check.rb', line 6

# Reader for the dependencies detected in the target project. The vulnerability
# check iterates this value and reads +[:name]+ and +[:version]+ from each
# element, so it is expected to be an enumerable of Hash-like entries.
#
# @return [Array<Hash>, nil] detected dependency descriptors
def dependencies
  instance_variable_get(:@dependencies)
end

#not_affectedObject

Returns the value of attribute not_affected


# File 'lib/dawn/kb/dependency_check.rb', line 17

# Reader for the version explicitly excluded from this check. The vulnerability
# check reads +[:version]+ from it when it is not +nil+ and hands that value to
# the version comparison as an exclusion.
#
# @return [Hash, nil] the excluded version descriptor, or +nil+ when none is set
def not_affected
  instance_variable_get(:@not_affected)
end

#safe_dependenciesObject

This attribute replaces fixed_dependency in 20130521. There are cve checks like web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0175 that address two different gems triggering the vulnerability. You can read this as, “if you use gem A version A1 or if you use gem B version B1 you can run into this issue”.


# File 'lib/dawn/kb/dependency_check.rb', line 14

# Reader for the list of safe (fixed) versions, one entry per gem this check
# covers. The vulnerability check iterates it and reads +[:name]+ and
# +[:version]+ from each element, matching entries by gem name against the
# detected dependencies.
#
# @return [Array<Hash>, nil] safe dependency descriptors
def safe_dependencies
  instance_variable_get(:@safe_dependencies)
end

#save_majorObject

Returns the value of attribute save_major


# File 'lib/dawn/kb/dependency_check.rb', line 26

# Reader for the +save_major+ flag, which is forwarded unchanged to the
# version comparison. Its exact semantics live in the version checker and are
# not visible here.
#
# @return [Object, nil] the flag value as passed in the constructor options
def save_major
  instance_variable_get(:@save_major)
end

#save_minorObject

Tells that a version is not vulnerable even if the fixes array contains a minor version number higher than the current one. This is useful especially for rails versions where 3.0.x, 3.1.y, 3.2.z are separate branches and the patch is provided for all of them. So if version 3.1.10 is safe and you have it, you won't be prompted about 3.2.x.


# File 'lib/dawn/kb/dependency_check.rb', line 25

# Reader for the +save_minor+ flag, forwarded unchanged to the version
# comparison so that a fix on a lower minor branch (e.g. 3.1.x) does not
# produce a warning about a higher branch (e.g. 3.2.x).
#
# @return [Object, nil] the flag value as passed in the constructor options
def save_minor
  instance_variable_get(:@save_minor)
end

Instance Method Details

#initialize(options) ⇒ Object


# File 'lib/dawn/kb/dependency_check.rb', line 28

# Builds the check, delegating to BasicCheck#initialize first and then
# picking up the two version-branch flags from the options hash.
#
# The flags are only taken from +options+ when the superclass did not already
# assign a truthy value (a +false+ set by the superclass is overridden, as the
# original +||=+ did).
#
# @param options [Hash] check options; +:save_minor+ and +:save_major+ are read here
def initialize(options)
  super(options)
  @save_minor = @save_minor || options[:save_minor]
  @save_major = @save_major || options[:save_major]
end

#vuln?Boolean

Returns:

  • (Boolean)

# File 'lib/dawn/kb/dependency_check.rb', line 34

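# Compares every detected dependency against the safe versions of this check
# and reports whether a vulnerable version is present.
#
# Fix over the previous version: one evidence line is recorded per vulnerable
# dependency. Previously +message+ was reassigned inside the loop, so when
# several gems matched a vulnerable version only the last one reached
# +evidences+ and the others were silently dropped from the report.
#
# Mitigation is recognised on gem name alone: if any detected dependency has
# the same name as +aux_mitigation_gem+, the finding is downgraded regardless
# of which version of the mitigating gem is installed. The original author
# flagged this as risky; it remains a known limitation of this check.
#
# Side effects: sets +@mitigated+ and +@status+, and appends to +evidences+.
#
# @return [Boolean] +true+ when a vulnerable version was found and not mitigated
def vuln?
  ret        = false
  @mitigated = false
  messages   = []

  @dependencies.each do |dep|
    # Name-only match: the mitigating gem's version is not checked.
    @mitigated = true if !@aux_mitigation_gem.nil? && dep[:name] == @aux_mitigation_gem[:name]

    @safe_dependencies.each do |safe_dep|
      next unless dep[:name] == safe_dep[:name]

      v = Dawn::Kb::VersionCheck.new(
        {
          :safe => safe_dep[:version],
          :detected => dep[:version],
          :save_minor => self.save_minor,
          :save_major => self.save_major,
        }
      )
      v.debug = self.debug
      v.excluded = self.not_affected[:version] unless self.not_affected.nil?

      vuln = v.vuln?
      # @ruby_vulnerable_versions comes from BasicCheck; presumably an Array.
      # A nil here raises NoMethodError, as it did before — TODO confirm it is
      # always initialised upstream.
      next unless vuln && @ruby_vulnerable_versions.empty?

      messages << "Vulnerable #{dep[:name]} gem version found: #{dep[:version]}"
      ret = vuln
    end
  end

  if ret && @mitigated
    ret = false
    # Kept as its own evidence entry so the mitigation note is not glued onto
    # the last finding's text.
    messages << "Vulnerability has been mitigated by gem #{@aux_mitigation_gem[:name]}. Don't remove it from your Gemfile"
  end

  messages.each { |m| self.evidences << m }

  @status = ret

  ret
end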