Welcome version 1.5.0
On December 9th, 2015, the fifth, and last, minor version of the dawnscanner
rubygem was released.
dawnscanner version 1.5.0 has 209 security checks loaded in its knowledge
base. Most of them are CVE bulletins applying to gems or the ruby interpreter
itself. There are also some checks coming from the OWASP Ruby on Rails cheatsheet.
This release introduces 8 new security checks to the knowledge base, raising the number
of supported CVE or OSVDB bulletins to 209. dawnscanner version 1.5.0
also fixes a lot of bugs, mostly in vulnerability reporting. Now, for
each scan, a directory is created in $HOME/dawnscanner
to store text files with the scan results. This improves how
dawnscanner organizes your workspace and also leads to cleaner
messages on standard output.
A key new feature is the SQLite3 database, stored under
$HOME/dawnscanner, that lets you save each scan you
perform in a registry. The information saved is the target project, the scan status (whether it has been completed or not), the number of issues found and the directory where results were stored.
[2015-11-26 08:31:57] COMPLETED -- : blogcast: 50 issues found - $HOME/dawnscanner/results/blogcast/20151126
This is the comprehensive list of changes introduced in version 1.5.0:
- Issue #92 - Fix CVE-2014-3483 incorrectly triggers for a Rails 3 app.
- Issue #94 - dawn: Owasp Ror CheatSheet: Session management check failed
- Adding a check for CVE-2015-1819 : DoS in libxml embedded in nokogiri versions prior to 188.8.131.52
- Issue #129 - Adding a check for OSVDB 118954 : Ruby on Rails ActiveModel::Name to_json Call Infinite Loop Remote DoS
- VersionCheck - fixed an issue about minor versioning logic, mostly used for ‘rails’ gem.
- Issue #130 - Adding a check for OSVDB 119878 : rest-client Gem for Ruby abstract_response.rb Redirection Response Set-Cookie Headers Handling Session Fixation
- Issue #123 - Adding a check for OSVDB 116010 : Doorkeeper Gem for Ruby access_token Disclosure CSRF
- Issue #124 - Adding a check for OSVDB 115654 : Sentry raven-ruby lib/raven/okjson.rb Exponent / Scientific Notation Value Handling Resource Consumption DoS
- Issue #126 - Adding a check for OSVDB 117903 : ruby-saml URI SAML Response
Handling Remote Command Execution
- Issue #163 - Adding a check for OSVDB 122162 : RubyGems remote_fetcher.rb
api_endpoint() Function Missing SRV Record Hostname Validation Request
- Introduced a new core check Dawn::Kb::GemCheck for all checks related to
- Issue #164 - Adding a check for OSVDB 121701 : open-uri-cached Gem for Ruby
Unsafe Temporary File Creation Local Privilege Escalation
- Issue #165 - Adding a check for OSVDB 120857 : refile Gem for Ruby
remote_image_url Attachment Remote Command Execution
- Issue #166 - Adding a check for OSVDB 120415 : redcarpet Gem for Ruby
markdown.c parse_inline() Function XSS
- Issue #161 - Marked the --rails, --padrino and --sinatra flags as deprecated. MVC
detection will be automatic.
- Marked the --gem-lock flag as deprecated. The dependencies check is now done
using the --dependencies flag
- Engine apply method has been refactored to remove duplicated code
- Engine _do_apply method has been marked as private with some touch of
- Issue #146 - Dependency check for installation troubles. Removed ‘parser’ and
‘ptools’ gem from Gemfile and commented out ‘grit’ until version 2.0.0.
Unfortunately I can’t handle signed third party gems with an expired
- Ascii Table Reporting: ascii table reports are now the default, and tables
are now written to separate text files under a
dawnscanner/results/target/timestamp specific folder in the $HOME directory.
- HTML Reporting: reports are now saved in their own folder (please refer
to the Ascii Table point for the folder naming convention) with their own JS
and CSS folder. This lets users easily organize HTML output to fit
their needs. Issue #149.
- HTML Reporting: fixing up link and findings in report body. Issue #149
- Reports: removed ‘priority’ from all reports. Pretty useless, it can be
removed in future release. Issue #149.
- Added ‘--console’ to request the report in ascii text, no tables. Before this release
this flag was useless since ascii text was the standard format. Issue #149.
- Deprecated ‘--ascii-tabular-report’. It takes ages to type… better
‘--tabular’. Issue #149.
- -C, vulnerability count: output is now written to STDERR, and fixed an issue
causing output to always be written in JSON, even when not requested
- Adding SQLite3 and Data Mapper dependencies
- Created a scan registry stored in $HOME/dawnscanner/db directory
- Added a ‘--list-scan-registry’ flag to print all registry entries
- Changed config filename to dawnscanner.yaml
- Kb dump method moved from Dawn::Core to Dawn::KnowledgeBase
- Added a title for checks, useful for quick reporting