Module: Dawn::Kb::DependencyCheck
- Includes:
- BasicCheck
- Included in:
- CVE_2006_2582, CVE_2006_4112, CVE_2006_6852, CVE_2006_6979, CVE_2007_0469, CVE_2007_5379, CVE_2007_5380, CVE_2007_6077, CVE_2007_6612, CVE_2008_4094, CVE_2008_5189, CVE_2008_7248, CVE_2009_4078, CVE_2009_4214, CVE_2010_3933, CVE_2011_0446, CVE_2011_0447, CVE_2011_0739, CVE_2011_0995_a, CVE_2011_2197, CVE_2011_2929, CVE_2011_2930, CVE_2011_2931, CVE_2011_2932, CVE_2011_3186, CVE_2011_3187, CVE_2011_4319, CVE_2011_5036, CVE_2012_1098, CVE_2012_1099, CVE_2012_1241, CVE_2012_2139, CVE_2012_2140, CVE_2012_2660, CVE_2012_2661, CVE_2012_2671, CVE_2012_2694, CVE_2012_2695, CVE_2012_3424, CVE_2012_3463, CVE_2012_3464, CVE_2012_3465, CVE_2012_6109, CVE_2012_6134, CVE_2012_6496, CVE_2012_6497, CVE_2012_6684, CVE_2013_0155, CVE_2013_0156, CVE_2013_0162, CVE_2013_0175, CVE_2013_0183, CVE_2013_0184, CVE_2013_0233, CVE_2013_0256_a, CVE_2013_0262, CVE_2013_0263, CVE_2013_0269, CVE_2013_0276, CVE_2013_0277, CVE_2013_0284, CVE_2013_0285, CVE_2013_0333, CVE_2013_0334, CVE_2013_1607, CVE_2013_1655_a, CVE_2013_1656, CVE_2013_1756, CVE_2013_1800, CVE_2013_1801, CVE_2013_1802, CVE_2013_1812, CVE_2013_1854, CVE_2013_1855, CVE_2013_1856, CVE_2013_1857, CVE_2013_1875, CVE_2013_1898, CVE_2013_1911, CVE_2013_1933, CVE_2013_1947, CVE_2013_1948, CVE_2013_2090, CVE_2013_2105, CVE_2013_2119, CVE_2013_2512, CVE_2013_2513, CVE_2013_2516, CVE_2013_2615, CVE_2013_2616, CVE_2013_2617, CVE_2013_3221, CVE_2013_4203, CVE_2013_4389, CVE_2013_4413, CVE_2013_4457, CVE_2013_4478, CVE_2013_4479, CVE_2013_4489, CVE_2013_4491, CVE_2013_4492, CVE_2013_4562, CVE_2013_4593, CVE_2013_5647, CVE_2013_5671, CVE_2013_6414, CVE_2013_6415, CVE_2013_6416, CVE_2013_6417, CVE_2013_6421, CVE_2013_6459, CVE_2013_6460_a, CVE_2013_6461_a, CVE_2013_7086, CVE_2014_0036, CVE_2014_0080, CVE_2014_0081, CVE_2014_0082, CVE_2014_0130, CVE_2014_1233, CVE_2014_1234, CVE_2014_2322, CVE_2014_2525_b, CVE_2014_2538, CVE_2014_3482, CVE_2014_3483, CVE_2014_7818, CVE_2014_7819, CVE_2014_7829, CVE_2014_9490, CVE_2015_1819, CVE_2015_1840_a, CVE_2015_1840_b, CVE_2015_2963, CVE_2015_3224, CVE_2015_3225, CVE_2015_3226, CVE_2015_3227, CVE_2015_3448, CVE_2015_5312, CVE_2015_7497, CVE_2015_7498, CVE_2015_7499, CVE_2015_7500, CVE_2015_7519, CVE_2015_7541, CVE_2015_7576, CVE_2015_7577, CVE_2015_7578, CVE_2015_7579, CVE_2015_7581, CVE_2015_8241, CVE_2015_8242, CVE_2015_8317, CVE_2016_0751, CVE_2016_0752, CVE_2016_0753, CVE_2016_2097, CVE_2016_2098, CVE_2016_5697, CVE_2016_6316, CVE_2016_6317, CVE_2016_6582, OSVDB_105971, OSVDB_108530, OSVDB_108563, OSVDB_108569, OSVDB_108570, OSVDB_115654, OSVDB_116010, OSVDB_117903, OSVDB_118579, OSVDB_118830, OSVDB_118954, OSVDB_119878, OSVDB_119927, OSVDB_120415, OSVDB_120857, OSVDB_121701, OSVDB_132234, SimpleForm_Xss_20131129
- Defined in:
- lib/dawn/kb/dependency_check.rb
Constant Summary
Constants included from BasicCheck
Instance Attribute Summary
- #aux_mitigation_gem ⇒ Object
  Returns the value of attribute aux_mitigation_gem.
- #dependencies ⇒ Object
  Returns the value of attribute dependencies.
- #not_affected ⇒ Object
  Returns the value of attribute not_affected.
- #safe_dependencies ⇒ Object
  This attribute replaces fixed_dependency in 20130521.
- #save_major ⇒ Object
  Returns the value of attribute save_major.
- #save_minor ⇒ Object
  Marks a version as not vulnerable even if the fixes array contains a version with a higher minor number than the detected one.
Attributes included from BasicCheck
#applies, #aux_links, #check_family, #cve, #cvss, #cwe, #debug, #evidences, #fixes_version, #kind, #message, #mitigated, #name, #osvdb, #owasp, #priority, #release_date, #remediation, #ruby_version, #ruby_vulnerable_versions, #severity, #status, #target_version, #title
Instance Method Summary
Methods included from BasicCheck
#applies_to?, #cve_link, #cvss_score, families, #family, #family=, #lint, #mitigated?, #nvd_link, #osvdb_link, #rubysec_advisories_link
Methods included from Utils
#__debug_me_and_return, #debug_me, #debug_me_and_return_false, #debug_me_and_return_true
Instance Attribute Details
#aux_mitigation_gem ⇒ Object
Returns the value of attribute aux_mitigation_gem.
    # File 'lib/dawn/kb/dependency_check.rb', line 15
    def aux_mitigation_gem
      @aux_mitigation_gem
    end
#dependencies ⇒ Object
Returns the value of attribute dependencies.
    # File 'lib/dawn/kb/dependency_check.rb', line 6
    def dependencies
      @dependencies
    end
#not_affected ⇒ Object
Returns the value of attribute not_affected.
    # File 'lib/dawn/kb/dependency_check.rb', line 17
    def not_affected
      @not_affected
    end
#safe_dependencies ⇒ Object
This attribute replaces fixed_dependency in 20130521. Some CVE checks, such as web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0175, cover two different gems, either of which can trigger the vulnerability. Read the list as: "if you use gem A at version A1, or gem B at version B1, you are exposed to this issue".

    # File 'lib/dawn/kb/dependency_check.rb', line 14
    def safe_dependencies
      @safe_dependencies
    end
#save_major ⇒ Object
Returns the value of attribute save_major.
    # File 'lib/dawn/kb/dependency_check.rb', line 26
    def save_major
      @save_major
    end
#save_minor ⇒ Object
Marks a version as not vulnerable even if the fixes array contains a version with a higher minor number than the detected one. This is especially useful for Rails, where 3.0.x, 3.1.y and 3.2.z are separate branches and the patch is released for each of them. So if version 3.1.10 is safe and that is the version you have, you won't be prompted about 3.2.x.

    # File 'lib/dawn/kb/dependency_check.rb', line 25
    def save_minor
      @save_minor
    end
Instance Method Details
#initialize(options) ⇒ Object
    # File 'lib/dawn/kb/dependency_check.rb', line 28
    def initialize(options)
      super(options)
      # per-check switches for the branch-aware version comparison (see #save_minor and #save_major)
      @save_minor ||= options[:save_minor]
      @save_major ||= options[:save_major]
    end
#vuln? ⇒ Boolean
    # File 'lib/dawn/kb/dependency_check.rb', line 34
    def vuln?
      ret = false
      @mitigated = false
      message = ""   # evidence text for this check (assumed local name; the identifier is missing from the page)

      @dependencies.each do |dep|
        # don't care about gem version when it mitigates a vulnerability... this can be risky, maybe I would reconsider in the future.
        @mitigated = true if dep[:name] == @aux_mitigation_gem[:name] unless @aux_mitigation_gem.nil?
        @safe_dependencies.each do |safe_dep|
          if dep[:name] == safe_dep[:name]
            # the branch-aware comparison of detected vs. fixed version is delegated to VersionCheck
            v = Dawn::Kb::VersionCheck.new(
              {
                :safe => safe_dep[:version],
                :detected => dep[:version],
                :save_minor => self.save_minor,
                :save_major => self.save_major,
              }
            )
            v.debug = self.debug
            # a version listed in not_affected is never reported
            v.excluded = self.not_affected[:version] unless self.not_affected.nil?
            vuln = v.vuln?
            if vuln && @ruby_vulnerable_versions.empty?
              message = "Vulnerable #{dep[:name]} gem version found: #{dep[:version]}"
              ret = vuln
            end
          end
        end
      end

      # a mitigation gem present in the Gemfile downgrades the finding but leaves a note in the evidences
      if ret && @mitigated
        ret = false
        message += "Vulnerability has been mitigated by gem #{@aux_mitigation_gem[:name]}. Don't remove it from your Gemfile"
      end

      self.evidences << message unless message.empty?
      @status = ret
      ret
    end