module Dawn::Kb::DependencyCheck
Attributes
aux_mitigation_gem[RW]
dependencies[RW]
not_affected[RW]
safe_dependencies[RW]
This attribute replaces fixed_dependency as of 20130521. Some CVE checks, like web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0175, address two different gems, either of which triggers the vulnerability. You can read this as: "if you use gem A at version A1, or if you use gem B at version B1, you are exposed to this issue".
save_major[RW]
save_minor[RW]
Treats a version as not vulnerable even when the fixes array contains an entry with a higher minor version number than the current one. This is useful especially for Rails, where 3.0.x, 3.1.y and 3.2.z are separate branches and the patch is provided for each of them. So if version 3.1.10 is safe and you have it, you won't be prompted about 3.2.x.
Public Class Methods
new(options)
Calls superclass method
Dawn::Kb::BasicCheck::new
# File lib/dawn/kb/dependency_check.rb, line 28
def initialize(options)
  super(options)
  @save_minor ||= options[:save_minor]
  @save_major ||= options[:save_major]
end
Public Instance Methods
vuln?()
# File lib/dawn/kb/dependency_check.rb, line 34
def vuln?
  ret = false
  @mitigated = false
  message = ""

  @dependencies.each do |dep|
    # don't care about gem version when it mitigates a vulnerability... this can be risky, maybe I would reconsider in the future.
    @mitigated = true if dep[:name] == @aux_mitigation_gem[:name] unless @aux_mitigation_gem.nil?

    @safe_dependencies.each do |safe_dep|
      if dep[:name] == safe_dep[:name]
        v = Dawn::Kb::VersionCheck.new(
          {
            :safe       => safe_dep[:version],
            :detected   => dep[:version],
            :save_minor => self.save_minor,
            :save_major => self.save_major,
          }
        )
        v.debug = self.debug
        v.excluded = self.not_affected[:version] unless self.not_affected.nil?
        vuln = v.vuln?

        if vuln && @ruby_vulnerable_versions.empty?
          message = "Vulnerable #{dep[:name]} gem version found: #{dep[:version]}"
          ret = vuln
        end
      end
    end
  end

  if ret && @mitigated
    ret = false
    message += "Vulnerability has been mitigated by gem #{@aux_mitigation_gem[:name]}. Don't remove it from your Gemfile"
  end

  self.evidences << message unless message.empty?
  @status = ret
  ret
end
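The following is an added, self-contained example (not Dawn's own code, and not the real Dawn::Kb::VersionCheck algorithm) that models the three behaviours documented on this page: the branch-aware save_minor / save_major comparison, the safe_dependencies matching where any one of several listed gems can trigger the finding, and the aux_mitigation_gem downgrade performed by vuln?. The helper names (parse_version, compare_versions, fix_applies?, vulnerable_version?, dependency_check) are hypothetical, the sample fix list is constructed, and the rule "a fix on another branch is skipped; a branch with no listed fix is out of scope" is a simplifying assumption.

```ruby
# Added example: hypothetical re-implementation of the version/branch
# semantics described for Dawn::Kb::DependencyCheck. Not Dawn's code.

# "3.2.11" -> [3, 2, 11]
def parse_version(str)
  str.split('.').map(&:to_i)
end

# Numeric comparison of two version arrays, padded with zeros to equal length.
def compare_versions(a, b)
  len = [a.size, b.size].max
  (a + [0] * (len - a.size)) <=> (b + [0] * (len - b.size))
end

# Assumption: a fix only applies to the detected version when both sit on the
# same branch; save_major means same major, save_minor means same major.minor.
def fix_applies?(detected, fix, save_minor:, save_major:)
  return false if save_major && detected[0] != fix[0]
  return false if save_minor && detected[0, 2] != fix[0, 2]
  true
end

# Vulnerable when the detected version is lower than any fix that applies to
# its branch. Versions in +excluded+ (the not_affected attribute) are safe.
# Assumption: a branch with no listed fix is treated as out of scope.
def vulnerable_version?(detected, fixes, save_minor: false, save_major: false, excluded: [])
  return false if Array(excluded).include?(detected)
  d = parse_version(detected)
  fixes.map { |f| parse_version(f) }
       .select { |f| fix_applies?(d, f, save_minor: save_minor, save_major: save_major) }
       .any? { |f| compare_versions(d, f) < 0 }
end

# Mirrors the structure of vuln? on this page: each dependency is matched
# against each safe_dependencies entry (gem A or gem B can each trigger the
# finding); a present aux_mitigation_gem turns a hit into "mitigated".
def dependency_check(dependencies, safe_dependencies, aux_mitigation_gem: nil,
                     not_affected: nil, save_minor: false, save_major: false)
  vulnerable = false
  mitigated = false
  messages = []

  dependencies.each do |dep|
    mitigated = true if aux_mitigation_gem && dep[:name] == aux_mitigation_gem[:name]

    safe_dependencies.each do |safe|
      next unless dep[:name] == safe[:name]
      excluded = (not_affected && not_affected[:name] == dep[:name]) ? not_affected[:version] : []
      if vulnerable_version?(dep[:version], safe[:version], save_minor: save_minor,
                             save_major: save_major, excluded: excluded)
        messages << "Vulnerable #{dep[:name]} gem version found: #{dep[:version]}"
        vulnerable = true
      end
    end
  end

  if vulnerable && mitigated
    vulnerable = false
    messages << "Vulnerability has been mitigated by gem #{aux_mitigation_gem[:name]}. Don't remove it from your Gemfile"
  end

  { vulnerable: vulnerable, messages: messages }
end

# Constructed sample data modelled on the Rails case in the save_minor text:
# one fixed version per separate branch (3.0.x, 3.1.y, 3.2.z).
RAILS_FIXES = { name: 'rails', version: ['3.0.20', '3.1.11', '3.2.12'] }

if __FILE__ == $0
  deps = [{ name: 'rails', version: '3.1.11' }]
  puts "save_minor: #{dependency_check(deps, [RAILS_FIXES], save_minor: true)[:vulnerable]}"
  puts "plain:      #{dependency_check(deps, [RAILS_FIXES])[:vulnerable]}"
end
```

Running the file shows the point of save_minor: rails 3.1.11 is reported safe with save_minor because only the 3.1 branch fix is compared, but a plain comparison flags it because 3.1.11 is numerically below the 3.2.12 fix of a different branch.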