thesp0nge / dawnscanner

Dawn is a static analysis security scanner for ruby written web applications. It supports Sinatra, Padrino and Ruby on Rails frameworks.
MIT License

`--json` outputs invalid JSON #247

Open fnando opened 3 years ago

fnando commented 3 years ago

The --json output is adding some logging information that shouldn't be there (two lines with INFO, one line with Skipping pattern match).

$ dawn --json . 2> /dev/null
I, [2021-06-30 17:57:57#27297]  INFO -- : dawn v1.6.9 is starting up
Skipping pattern match check for /Users/fnando/Projects/personal/sample/dump.rdb: invalid byte sequence in UTF-8
{"status":"OK","dawn_version":"1.6.9","scan_started":"2021-06-30 17:57:57 -0700","scan_duration":"1.166 sec","target":"/Users/fnando/Projects/personal/sample","mvc":"rails","mvc_version":"5.2.5","applied_checks_count":235,"skipped_checks_count":0,"vulnerabilities_count":3,"mitigated_issues_count":0,"reflected_xss_count":0,"vulnerabilities":[{"name":"Owasp Ror CheatSheet: Cross Site Request Forgery","cve_link":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=Owasp Ror CheatSheet: Cross Site Request Forgery","severity":"info","cvss_score":"    ","message":"Ruby on Rails has specific, built in support for CSRF tokens. To enable it, or ensure that it is enabled, find the base ApplicationController and look for the protect_from_forgery directive. Note that by default Rails does not provide CSRF protection for any HTTP GET request.","remediation":"Make sure you are using Rails protect_from_forgery facilities in application_controller.rMake sure you are using Rails protect_from_forgery facilities in application_controller.rb"},{"name":"Owasp Ror CheatSheet: Session management","cve_link":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=Owasp Ror CheatSheet: Session management","severity":"info","cvss_score":"    ","message":"By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session.","remediation":"Use ActiveRecord or the ORM you love most to handle your code session_store. 
Add \"Application.config.session_store :active_record_store\" to your session_store.rb file."},{"name":"Owasp Ror CheatSheet: Security Related Headers","cve_link":"http://cve.mitre.org/cgi-bin/cvename.cgi?name=Owasp Ror CheatSheet: Security Related Headers","severity":"info","cvss_score":"    ","message":"To set a header value, simply access the response.headers object as a hash inside your controller (often in a before/after_filter). Rails 4 provides the \"default_headers\" functionality that will automatically apply the values supplied. This works for most headers in almost all cases.","remediation":"Use response headers like X-Frame-Options, X-Content-Type-Options, X-XSS-Protection in your project."}],"mitigated_vuln":[],"reflected_xss":[]}
I, [2021-06-30 17:57:58#27297]  INFO -- : dawn is shutting down

Ideally, anything not related to the actual json output should go to stderr instead (like many other linters).
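The report above is a single `--json` run with the diagnostics interleaved on stdout, so a plain `JSON.parse` of the captured output fails. The Ruby below is an added example, not code from dawnscanner or from the issue author: it shows a consumer-side filter that separates the Logger-format lines and the "Skipping pattern match" line from the report before parsing, and the producer-side pattern the issue asks for (a `Logger` bound to stderr, JSON alone on stdout). The `SAMPLE` text is constructed and abbreviated from the quoted output; `split_dawn_output`, `valid_json?` and `emit_report` are hypothetical helper names.

```ruby
require 'json'
require 'logger'
require 'stringio'

# Constructed, abbreviated stand-in for the mixed stdout quoted in the issue
# (not real dawn output; the report object is trimmed to a few keys).
SAMPLE = <<~OUT
  I, [2021-06-30 17:57:57#27297]  INFO -- : dawn v1.6.9 is starting up
  Skipping pattern match check for /tmp/sample/dump.rdb: invalid byte sequence in UTF-8
  {"status":"OK","dawn_version":"1.6.9","vulnerabilities_count":3,"vulnerabilities":[{"name":"CSRF","severity":"info"}]}
  I, [2021-06-30 17:57:58#27297]  INFO -- : dawn is shutting down
OUT

# Line shapes that are diagnostics rather than report data:
# the Ruby Logger default line format ("I, [<time>#<pid>]  INFO -- : ...")
# and the pattern-match skip notice seen in the issue.
NOISE = [
  /\A[DIWEFA], \[[^\]]*\]\s+(DEBUG|INFO|WARN|ERROR|FATAL|ANY) -- :/,
  /\ASkipping pattern match check for /
].freeze

# True when the whole text is one well-formed JSON document.
def valid_json?(text)
  JSON.parse(text)
  true
rescue JSON::ParserError
  false
end

# Split captured scanner stdout into [diagnostic_lines, report_hash].
# Raises JSON::ParserError if no well-formed JSON remains once the
# diagnostic lines are dropped, so callers cannot silently act on a
# half-read report.
def split_dawn_output(text)
  lines = text.lines.map(&:chomp).reject(&:empty?)
  diagnostics, payload = lines.partition { |l| NOISE.any? { |re| re.match?(l) } }
  [diagnostics, JSON.parse(payload.join("\n"))]
end

# Producer-side pattern the issue asks for: every diagnostic goes through a
# Logger bound to stderr, and stdout carries exactly one JSON document.
def emit_report(report, out: $stdout, err: $stderr)
  log = Logger.new(err)
  log.info('starting up')      # hypothetical messages, not dawn's own
  out.puts(JSON.generate(report))
  log.info('shutting down')
end

if __FILE__ == $PROGRAM_NAME
  puts "raw capture parses as JSON: #{valid_json?(SAMPLE)}"
  diagnostics, report = split_dawn_output(SAMPLE)
  puts "dropped #{diagnostics.size} diagnostic line(s); " \
       "#{report['vulnerabilities_count']} finding(s) in report"
end
```

With the filter, `dawn --json . 2>/dev/null | ruby consumer.rb` works today; once the logger is moved to stderr, the same consumer keeps working because `split_dawn_output` simply finds nothing to drop.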