thesp0nge / dawnscanner

Dawn is a static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.
MIT License

HTML Reporting Broken in 1.5.2 #177

Closed mort666 closed 8 years ago

mort666 commented 8 years ago

It seems the new reporting code for v1.5.2 is broken and unable to output HTML reports in this version.

When running a scan with the HTML report output, the following is generated:

$ dawn --html -F ../report.html .
I, [2016-01-21 23:01:19#81154]  INFO -- : dawn v1.5.2 is starting up
/***********/.rvm/rubies/ruby-2.1.5/lib/ruby/2.1.0/fileutils.rb:1401:in `initialize': No such file or directory @ rb_sysopen - /[Rails.root]/support/bootstrap.js (Errno::ENOENT)
    from /***********/.rvm/rubies/ruby-2.1.5/lib/ruby/2.1.0/fileutils.rb:1401:in `open'
    from /***********/.rvm/rubies/ruby-2.1.5/lib/ruby/2.1.0/fileutils.rb:1401:in `copy_file'
    from /***********/.rvm/rubies/ruby-2.1.5/lib/ruby/2.1.0/fileutils.rb:483:in `copy_file'
    from /***********/.rvm/rubies/ruby-2.1.5/lib/ruby/2.1.0/fileutils.rb:400:in `block in cp'
    from /***********/.rvm/rubies/ruby-2.1.5/lib/ruby/2.1.0/fileutils.rb:1579:in `block in fu_each_src_dest'
    from /***********/.rvm/rubies/ruby-2.1.5/lib/ruby/2.1.0/fileutils.rb:1593:in `fu_each_src_dest0'
    from /***********/.rvm/rubies/ruby-2.1.5/lib/ruby/2.1.0/fileutils.rb:1577:in `fu_each_src_dest'
    from /***********/.rvm/rubies/ruby-2.1.5/lib/ruby/2.1.0/fileutils.rb:399:in `cp'
    from /***********/.rvm/gems/ruby-2.1.5/bundler/gems/dawnscanner-56862e643332/lib/dawn/reporter.rb:45:in `write_html'
    from /***********/.rvm/gems/ruby-2.1.5/bundler/gems/dawnscanner-56862e643332/lib/dawn/reporter.rb:147:in `html_report'
    from /***********/.rvm/gems/ruby-2.1.5/bundler/gems/dawnscanner-56862e643332/lib/dawn/reporter.rb:20:in `report'
    from /***********/.rvm/gems/ruby-2.1.5/bundler/gems/dawnscanner-56862e643332/bin/dawn:282:in `<top (required)>'
    from /***********/.rvm/gems/ruby-2.1.5/bin/dawn:23:in `load'
    from /***********/.rvm/gems/ruby-2.1.5/bin/dawn:23:in `<main>'
    from /***********/.rvm/gems/ruby-2.1.5/bin/ruby_executable_hooks:15:in `eval'
    from /***********/.rvm/gems/ruby-2.1.5/bin/ruby_executable_hooks:15:in `<main>'

It seems that dawn is attempting to open within Rails.root directory the file 'support/bootstrap.js'.

This file doesn't exist in the source tree of the Rails app. Additionally, I do want the support files within the source for the application, which seems to be the only way to make it work. It also occurs when scanning gems and the like.

For these static Bootstrap assets, it would be better to have them pulled in from a CDN such as BootstrapCDN. It would negate the need to have random old copies of Bootstrap lying around the source tree.

Secondly, after inspecting the code, it appears dawn does not honour the output filename for the HTML report either. This breaks the use of dawn within our CI system (Circle CI and Travis) too, as we need to be able to specify the location of the output; dawn in its current form is attempting to drop the output within the user's home directory, which will not work within the CI system.

thesp0nge commented 8 years ago

Hi there, I can reproduce the bug.

Running dawn with the same parameters you used but specifying the target path, I have this execution:

$ ruby -I lib bin/dawn --html -F ../report.html ~/src/hacking/dawn-test/blogcast
I, [2016-02-03 08:00:10#35367]  INFO -- : dawn v1.5.2 is starting up
I, [2016-02-03 08:00:12#35367]  INFO -- : /Users/thesp0nge/dawnscanner/results/blogcast/20160203/report.html created (30812 bytes)
I, [2016-02-03 08:00:12#35367]  INFO -- : /Users/thesp0nge/dawnscanner/db/dawnscanner.db updated with scan infos
I, [2016-02-03 08:00:12#35367]  INFO -- : dawn is shutting down

Using '.' as target argument will raise the error.

thesp0nge commented 8 years ago

Everything should work as expected, and your CI env will be back to work with the next release.
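The thread points at two path-handling mistakes: support assets were looked up relative to the scanned application (so `.` as the target broke `copy_file` with `Errno::ENOENT`), and the `-F` output filename was ignored in favour of a results directory under the user's home. The following is an added example, not dawnscanner's own reporter code, showing how a small HTML-report writer can avoid both: expand the target before deriving anything from it, resolve bundled assets against the tool's own directory rather than the target, skip a missing asset instead of aborting, and honour an explicit output file. All function names (`resolve_target`, `report_path`, `copy_support_assets`, `write_html_report`) and the findings structure are hypothetical.

```ruby
require "fileutils"
require "tmpdir"
require "cgi"

# Hypothetical helpers, added as an example; not dawnscanner's implementation.

# Expand the scan target up front so "." and other relative paths behave
# exactly like an absolute path: nothing downstream can join them onto the
# wrong base directory.
def resolve_target(target)
  File.expand_path(target)
end

# Honour an explicit output file (the -F use case for CI); otherwise fall back
# to <results_root>/<app>/<YYYYMMDD>/report.html, mirroring the layout the
# maintainer's log shows.
def report_path(target, output_file: nil, results_root: nil, date: Time.now)
  return File.expand_path(output_file) if output_file && !output_file.empty?

  results_root ||= File.join(Dir.home, "dawnscanner", "results")
  app = File.basename(resolve_target(target))
  File.join(results_root, app, date.strftime("%Y%m%d"), "report.html")
end

# Copy bundled support assets (e.g. bootstrap.js) from the tool's own asset
# directory into the report's support/ folder. The source is never derived
# from the scanned app, and a missing asset is skipped rather than raising
# Errno::ENOENT and killing the whole report. Returns the names copied.
def copy_support_assets(asset_dir, dest_dir, names)
  copied = []
  names.each do |name|
    src = File.join(asset_dir, name)
    next unless File.file?(src)

    FileUtils.mkdir_p(dest_dir)
    FileUtils.cp(src, File.join(dest_dir, name))
    copied << name
  end
  copied
end

# Write a minimal HTML report. Finding fields are HTML-escaped because a
# scanner report renders attacker-influenced strings (file names, snippets)
# and must not become a stored XSS sink in the CI artifact viewer.
def write_html_report(target, findings, output_file: nil, results_root: nil, asset_dir: nil)
  path = report_path(target, output_file: output_file, results_root: results_root)
  FileUtils.mkdir_p(File.dirname(path))

  assets = []
  if asset_dir
    assets = copy_support_assets(asset_dir, File.join(File.dirname(path), "support"), %w[bootstrap.js])
  end

  rows = findings.map do |f|
    "<tr><td>#{CGI.escapeHTML(f[:name].to_s)}</td><td>#{CGI.escapeHTML(f[:severity].to_s)}</td></tr>"
  end.join

  app = CGI.escapeHTML(File.basename(resolve_target(target)))
  html = "<!doctype html><html><body><h1>dawn scan of #{app}</h1>" \
         "<table>#{rows}</table></body></html>\n"
  File.write(path, html)

  { path: path, bytes: html.bytesize, assets: assets }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample findings; run from any directory, including with "." as target.
  sample = [{ name: "CVE-2013-0156 (XML param parsing)", severity: "high" }]
  puts write_html_report(".", sample, output_file: "../report.html").inspect
end
```

With `output_file: "../report.html"` the report lands exactly where `-F ../report.html` asks, relative to the invoking directory, which is what a CI job needs; without it the home-directory layout from the maintainer's log is used.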