Closed oniram88 closed 10 years ago
Sorry @oniram88 I can't reproduce. However, after installing the gem, it should be run outside the bundle (just type dawn -h).
It seems also you didn't attach the full trace, so I can't understand if something is messing up with your environment.
Can you also provide a gem list output?
~ » dawn -v (ruby-2.0.0-p353@hacking)
09:07:30 [*] dawn v1.0.1 is starting up
1.0.1 [Lightning McQueen]
~ » dawn -h (ruby-2.0.0-p353@hacking)
09:07:33 [*] dawn v1.0.1 is starting up
Usage: dawn [options] target_directory
Examples:
$ dawn a_sinatra_webapp_directory
$ dawn -C the_rails_blog_engine
$ dawn -C --output json a_sinatra_webapp_directory
-r, --rails force dawn to consider the target a rails application
-s, --sinatra force dawn to consider the target a sinatra application
-p, --padrino force dawn to consider the target a padrino application
-G, --gem-lock force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock
-D, --debug enters dawn debug mode
-f, --list-known-framework list ruby MVC frameworks supported by dawn
-k, --list-knowledgebase [check_name] list dawn known security checks. If check_name is specified dawn says if check is present or not
-o, --output [console, json. csv, html] the output will be in the specified format
-V, --verbose the output will be more verbose
-C, --count-only dawn will only count vulnerabilities (useful for scripts)
-z, --exit-on-warn dawn will return number of found vulnerabilities as exit code
-v, --version show version information
-h, --help show this help
Also without bundle. I'm in rvm as you can see
MarinoBook:Mediavoti marinobonetti$ dawn -v
/Users/marinobonetti/.rvm/gems/ruby-2.0.0-p0@global/gems/codesake-commons-0.90.0/lib/codesake/commons/logging.rb:60:in `helo': undefined method `color' for "09:20:00 [*] dawn v1.0.1 is starting up\n":String (NoMethodError)
from /Users/marinobonetti/.rvm/gems/ruby-2.0.0-p0@global/gems/codesake-dawn-1.0.1/bin/dawn:14:in `<top (required)>'
from /Users/marinobonetti/.rvm/gems/ruby-2.0.0-p0@global/bin/dawn:23:in `load'
from /Users/marinobonetti/.rvm/gems/ruby-2.0.0-p0@global/bin/dawn:23:in `
@oniram88 can you please give also your gem list?
here is the sample app: https://dl.dropboxusercontent.com/u/723928/Mediavoti%20copia.zip
@oniram88 dawn works like a charm with your code.
Can you please give me your gem list? I think there's something messy in your environment
~ » dawn -h (ruby-2.0.0-p353@hacking)
09:59:09 [*] dawn v1.0.1 is starting up
Usage: dawn [options] target_directory
Examples:
$ dawn a_sinatra_webapp_directory
$ dawn -C the_rails_blog_engine
$ dawn -C --output json a_sinatra_webapp_directory
-r, --rails force dawn to consider the target a rails application
-s, --sinatra force dawn to consider the target a sinatra application
-p, --padrino force dawn to consider the target a padrino application
-G, --gem-lock force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock
-D, --debug enters dawn debug mode
-f, --list-known-framework list ruby MVC frameworks supported by dawn
-k, --list-knowledgebase [check_name] list dawn known security checks. If check_name is specified dawn says if check is present or not
-o, --output [console, json. csv, html] the output will be in the specified format
-V, --verbose the output will be more verbose
-C, --count-only dawn will only count vulnerabilities (useful for scripts)
-z, --exit-on-warn dawn will return number of found vulnerabilities as exit code
-v, --version show version information
-h, --help show this help
~ » dawn ~/Downloads/Mediavoti\ copia (ruby-2.0.0-p353@hacking)
09:59:16 [*] dawn v1.0.1 is starting up
09:59:16 [$] dawn: scanning /Users/thesp0nge/Downloads/Mediavoti copia
09:59:16 [$] dawn: rails v3.2.13 detected
09:59:16 [$] dawn: applying all security checks
09:59:16 [$] dawn: 146 security checks applied - 0 security checks skipped
09:59:16 [$] dawn: 6 vulnerabilities found
09:59:16 [!] dawn: Owasp Ror CheatSheet: Security Related Headers check failed
09:59:16 [$] dawn: Description: To set a header value, simply access the response.headers object as a hash inside your controller (often in a before/after_filter). Rails 4 provides the "default_headers" functionality that will automatically apply the values supplied. This works for most headers in almost all cases.
09:59:16 [$] dawn: Solution: Use response headers like X-Frame-Options, X-Content-Type-Options, X-XSS-Protection in your project.
09:59:16 [$] dawn: Evidence:
09:59:16 [$] dawn: {:filename=>"/Users/thesp0nge/Downloads/Mediavoti copia/app/controllers/admins_controller.rb", :matches=>[]}
09:59:16 [$] dawn: {:filename=>"/Users/thesp0nge/Downloads/Mediavoti copia/app/controllers/application_controller.rb", :matches=>[]}
09:59:16 [$] dawn: {:filename=>"/Users/thesp0nge/Downloads/Mediavoti copia/app/controllers/esams_controller.rb", :matches=>[]}
09:59:16 [!] dawn: CVE-2013-4389 check failed
09:59:16 [$] dawn: Description: Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.
09:59:16 [$] dawn: Solution: Please upgrade rails version at least to 3.0.21, 3.1.10 or 3.2.15. As a general rule, using the latest stable rails version is recommended.
09:59:16 [$] dawn: Evidence:
09:59:16 [$] dawn: Vulnerable rails gem version found: 3.2.13
09:59:16 [!] dawn: CVE-2013-4491 check failed
09:59:16 [$] dawn: Description: Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.
09:59:16 [$] dawn: Solution: Please upgrade rails to version 3.2.16 or 4.0.2. As a general rule, using the latest stable version is recommended.
09:59:16 [$] dawn: Evidence:
09:59:16 [$] dawn: Vulnerable rails gem version found: 3.2.13
09:59:16 [!] dawn: CVE-2013-6414 check failed
09:59:16 [$] dawn: Description: actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.
09:59:16 [$] dawn: Solution: Please upgrade rails to version 3.2.16 or 4.0.2. As a general rule, using the latest stable version is recommended.
09:59:16 [$] dawn: Evidence:
09:59:16 [$] dawn: Vulnerable rails gem version found: 3.2.13
09:59:16 [!] dawn: CVE-2013-6415 check failed
09:59:16 [$] dawn: Description: Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.
09:59:16 [$] dawn: Solution: Please upgrade rails to version 3.2.16 or 4.0.2. As a general rule, using the latest stable version is recommended.
09:59:16 [$] dawn: Evidence:
09:59:16 [$] dawn: Vulnerable rails gem version found: 3.2.13
09:59:16 [!] dawn: CVE-2013-6417 check failed
09:59:16 [$] dawn: Description: actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
09:59:16 [$] dawn: Solution: Please upgrade rails to version 3.2.16 or 4.0.2. As a general rule, using the latest stable version is recommended.
09:59:16 [$] dawn: Evidence:
09:59:16 [$] dawn: Vulnerable rails gem version found: 3.2.13
09:59:16 [*] dawn is leaving
my gem list was:
actionmailer (4.0.0, 3.2.13, 3.2.11, 3.2.6)
actionpack (4.0.0, 3.2.13, 3.2.11, 3.2.6)
activemodel (4.0.0, 3.2.13, 3.2.11, 3.2.6)
activerecord (4.0.0, 3.2.13, 3.2.11, 3.2.6)
activerecord-deprecated_finders (1.0.3)
activeresource (3.2.13, 3.2.11, 3.2.6)
activesupport (4.0.0, 3.2.13, 3.2.11, 3.2.6)
addressable (2.3.5)
ansi (1.4.3)
arel (4.0.1, 4.0.0, 3.0.3, 3.0.2)
Ascii85 (1.0.2)
ast (1.1.0)
atomic (1.1.14, 1.1.13)
backgroundrb-rails3 (1.1.6)
bcrypt-ruby (3.1.2)
bigdecimal (1.2.0)
builder (3.1.4, 3.0.4, 3.0.0)
bundler (1.3.2)
capistrano (3.0.1)
capistrano-bundler (1.1.1)
capistrano-rails (1.1.0)
capistrano-rvm (0.1.1)
capybara (2.1.0, 2.0.2)
childprocess (0.3.7)
choice (0.1.6)
chronic (0.10.1)
chunky_png (1.2.8, 1.2.6)
coderay (1.0.8)
codesake-commons (0.90.0)
codesake-dawn (1.0.1)
coffee-rails (4.0.1, 4.0.0, 3.2.2)
coffee-script (2.2.0)
coffee-script-source (1.6.3, 1.6.2, 1.4.0, 1.3.3)
columnize (0.3.6)
commonjs (0.2.6)
compass (0.12.2)
compass-rails (1.0.3)
coveralls (0.7.0)
cvss (0.99.0)
daemons (1.1.9)
database_cleaner (0.9.1)
delayed_job (4.0.0)
delayed_job_active_record (4.0.0)
devise (3.2.0)
diff-lcs (1.2.5, 1.2.4, 1.2.2, 1.1.3)
docile (1.1.2)
domain_name (0.5.15)
erd (0.1.6)
erubis (2.7.0)
eventmachine (1.0.3)
execjs (2.0.2, 2.0.1, 1.4.0)
factory_girl (4.2.0, 4.1.0)
factory_girl_rails (4.2.1, 4.2.0, 4.1.0)
faraday (0.8.8)
ffi (1.9.3, 1.3.1)
fssm (0.2.10, 0.2.9)
gem-wrappers (1.2.4)
grit (2.5.0)
haml (4.0.5, 3.1.7)
hashery (2.0.1)
hashie (2.0.5)
hike (1.2.3, 1.2.1)
http-cookie (1.0.2)
httpauth (0.2.0)
i18n (0.6.9, 0.6.5, 0.6.1, 0.6.0)
io-console (0.4.2)
jbuilder (1.5.2, 1.5.1)
journey (1.0.4)
jquery-rails (3.0.4, 3.0.2, 2.2.1, 2.2.0, 2.0.2)
json (1.8.1, 1.8.0, 1.7.7, 1.7.6, 1.7.3)
jwt (0.1.8)
koala (1.8.0rc1)
less (2.2.1)
less-rails (2.2.3)
lexr (0.3.1)
libv8 (3.16.14.3 x86_64-darwin-12, 3.11.8.17 x86_64-darwin-12, 3.3.10.4 x86_64-darwin-12)
mail (2.5.4, 2.5.3, 2.4.4)
math_engine (0.6.4)
mechanize (2.7.2)
method_source (0.8.1)
mime-types (1.25.1, 1.25, 1.23, 1.22, 1.21, 1.20.1, 1.19)
mini_portile (0.5.2, 0.5.1)
minitest (4.7.5, 4.3.2)
multi_json (1.8.4, 1.8.2, 1.8.0, 1.7.7, 1.7.2, 1.6.1, 1.5.0, 1.3.6)
multipart-post (1.2.0)
net-http-digest_auth (1.4)
net-http-persistent (2.9.1)
net-scp (1.1.2)
net-ssh (2.7.0)
newrelic_rpm (3.6.3.106)
nokogiri (1.6.1, 1.6.0, 1.5.9, 1.5.6)
ntlm-http (0.1.1)
oauth2 (0.8.1)
omniauth (1.1.4)
omniauth-facebook (1.4.1)
omniauth-oauth2 (1.1.1)
orm_adapter (0.4.0)
packet (0.1.15)
parser (2.1.4)
pdf-reader (1.2.0)
pg (0.17.1, 0.14.1, 0.14.0)
polyglot (0.3.3)
posix-spawn (0.3.8)
prawn (0.12.0)
prawnto (0.1.1)
pry (0.9.11.4)
psych (2.0.0)
ptools (1.2.2)
rack (1.5.2, 1.4.5, 1.4.4, 1.4.1)
rack-cache (1.2)
rack-ssl (1.3.3, 1.3.2)
rack-test (0.6.2, 0.6.1)
rails (4.0.0, 3.2.13, 3.2.11, 3.2.6)
rails-erd (1.1.0, 1.0.0)
railties (4.0.0, 3.2.13, 3.2.11, 3.2.6)
rainbow (2.0.0)
rake (10.1.1, 10.1.0, 10.0.4, 10.0.3, 0.9.6, 0.9.2.2)
rbx-require-relative (0.0.9)
rdoc (4.0.0, 3.12.2, 3.12.1, 3.12)
ref (1.0.5, 1.0.4)
rest-client (1.6.7)
rspec (2.11.0)
rspec-core (2.14.2, 2.13.1, 2.12.2, 2.11.1)
rspec-expectations (2.14.0, 2.13.0, 2.12.1, 2.11.3)
rspec-mocks (2.14.1, 2.13.0, 2.12.1, 2.11.3)
rspec-rails (2.14.0, 2.13.0, 2.12.2, 2.11.4)
ruby-graphviz (1.0.8)
ruby-rc4 (0.1.5)
ruby_parser (3.3.0)
rubygems-bundler (1.1.1)
rubyzip (0.9.9)
rvm (1.11.3.6)
sass (3.2.14, 3.2.12, 3.2.10, 3.2.7, 3.2.2, 3.1.20)
sass-rails (4.0.1, 4.0.0, 3.2.6, 3.2.5)
sdoc (0.3.20)
selenium-webdriver (2.29.0)
serialport (1.1.0)
sexp_processor (4.4.1)
shoulda-matchers (1.4.1)
simplecov (0.8.2)
simplecov-html (0.8.0)
slop (3.4.7, 3.4.3)
sprockets (2.10.0, 2.2.2, 2.1.3)
sprockets-rails (2.0.1, 2.0.0)
sqlite3 (1.3.8, 1.3.7, 1.3.6)
sshkit (1.3.0)
sys-uname (0.9.2)
term-ansicolor (1.2.2)
test-unit (2.0.0.0)
therubyracer (0.12.0, 0.11.4)
thin (1.6.1)
thor (0.18.1, 0.17.0, 0.15.4)
thread_safe (0.1.3, 0.1.2)
tilt (1.4.1, 1.3.6, 1.3.3)
tins (0.13.1)
treetop (1.4.15, 1.4.14, 1.4.12, 1.4.10)
ttfunk (1.0.3)
turbolinks (1.3.0)
turn (0.8.2)
twitter-bootstrap-rails (2.2.8, 2.2.6)
tzinfo (0.3.38, 0.3.37, 0.3.35, 0.3.33)
uglifier (2.4.0, 2.3.0, 2.2.1, 1.3.0)
unf (0.1.3)
unf_ext (0.0.6)
warden (1.2.3)
webrobots (0.1.1)
websocket (1.0.6)
xmpp4r (0.5.5)
xmpp4r_facebook (0.1.1)
xpath (2.0.0, 1.0.0)
I have now created a new gemset in rvm and this is my new clear gem list, with the same error:
*** LOCAL GEMS ***
actionmailer (3.2.13)
actionpack (3.2.13)
activemodel (3.2.13)
activerecord (3.2.13)
activeresource (3.2.13)
activesupport (3.2.13)
arel (3.0.3)
ast (1.1.0)
bigdecimal (1.2.0)
builder (3.0.4)
bundler (1.5.2)
bundler-unload (1.0.2)
capistrano (3.0.1)
capistrano-bundler (1.1.1)
capistrano-rails (1.1.0)
capistrano-rvm (0.1.1)
codesake-commons (0.90.0)
codesake-dawn (1.0.1)
coffee-rails (3.2.2)
coffee-script (2.2.0)
coffee-script-source (1.6.3)
coveralls (0.7.0)
cvss (0.99.0)
diff-lcs (1.2.5)
docile (1.1.2)
domain_name (0.5.15)
erubis (2.7.0)
execjs (2.0.2)
executable-hooks (1.3.1)
ffi (1.9.3)
gem-wrappers (1.2.4)
grit (2.5.0)
haml (4.0.5)
hike (1.2.3)
http-cookie (1.0.2)
i18n (0.6.1)
io-console (0.4.2)
journey (1.0.4)
jquery-rails (3.0.4)
json (1.8.1, 1.7.7)
mail (2.5.4)
mechanize (2.7.2)
mime-types (1.25.1)
mini_portile (0.5.2)
minitest (4.3.2)
multi_json (1.8.4)
net-http-digest_auth (1.4)
net-http-persistent (2.9.1)
net-scp (1.1.2)
net-ssh (2.7.0)
nokogiri (1.6.1)
ntlm-http (0.1.1)
parser (2.1.4)
polyglot (0.3.3)
posix-spawn (0.3.8)
psych (2.0.0)
ptools (1.2.2)
rack (1.4.5)
rack-cache (1.2)
rack-ssl (1.3.3)
rack-test (0.6.2)
rails (3.2.13)
railties (3.2.13)
rainbow (2.0.0)
rake (10.1.1, 0.9.6)
rdoc (4.0.0, 3.12.2)
rest-client (1.6.7)
ruby_parser (3.3.0)
rubygems-bundler (1.4.2)
rvm (1.11.3.8)
sass (3.2.14)
sass-rails (3.2.6)
sexp_processor (4.4.1)
simplecov (0.8.2)
simplecov-html (0.8.0)
slop (3.4.7)
sprockets (2.2.2)
sqlite3 (1.3.8)
sshkit (1.3.0)
sys-uname (0.9.2)
term-ansicolor (1.2.2)
test-unit (2.0.0.0)
thor (0.18.1)
tilt (1.4.1)
tins (0.13.1)
treetop (1.4.15)
twitter-bootstrap-rails (2.2.8)
tzinfo (0.3.38)
uglifier (2.4.0)
unf (0.1.3)
unf_ext (0.0.6)
webrobots (0.1.1)
FULL TRACE:
/Users/marinobonetti/.rvm/gems/ruby-2.0.0-p0@mediavoti/gems/codesake-commons-0.90.0/lib/codesake/commons/logging.rb:60:in `helo': undefined method `color' for "12:05:34 [*] dawn v1.0.1 is starting up\n":String (NoMethodError)
from /Users/marinobonetti/.rvm/gems/ruby-2.0.0-p0@mediavoti/gems/codesake-dawn-1.0.1/bin/dawn:14:in `<top (required)>'
from /Users/marinobonetti/.rvm/gems/ruby-2.0.0-p0@mediavoti/bin/dawn:23:in `load'
from /Users/marinobonetti/.rvm/gems/ruby-2.0.0-p0@mediavoti/bin/dawn:23:in `<main>'
from /Users/marinobonetti/.rvm/gems/ruby-2.0.0-p0@mediavoti/bin/ruby_executable_hooks:15:in `eval'
from /Users/marinobonetti/.rvm/gems/ruby-2.0.0-p0@mediavoti/bin/ruby_executable_hooks:15:in `
I got it. It's happening with rainbow gem version 2.0.0. As a very quick fix you can downgrade rainbow gem to 1.1.4 and it will work.
I'll fix it soon
@oniram88 you can try now with codesake-dawn version 1.0.2. It should fix this.
~ » dawn -v (ruby-2.0.0-p353@hacking)
12:43:26 [*] dawn v1.0.1 is starting up
1.0.1 [Lightning McQueen]
~ » gem install rainbow (ruby-2.0.0-p353@hacking)
Fetching: rainbow-2.0.0.gem (100%)
Successfully installed rainbow-2.0.0
Parsing documentation for rainbow-2.0.0
Installing ri documentation for rainbow-2.0.0
1 gem installed
~ » dawn -v (ruby-2.0.0-p353@hacking)
/Users/thesp0nge/.rvm/gems/ruby-2.0.0-p353@hacking/gems/codesake-commons-0.90.0/lib/codesake/commons/logging.rb:60:in `helo': undefined method `color' for "12:44:01 [*] dawn v1.0.1 is starting up\n":String (NoMethodError)
from /Users/thesp0nge/.rvm/gems/ruby-2.0.0-p353@hacking/gems/codesake-dawn-1.0.1/bin/dawn:14:in `<top (required)>'
from /Users/thesp0nge/.rvm/gems/ruby-2.0.0-p353@hacking/bin/dawn:23:in `load'
from /Users/thesp0nge/.rvm/gems/ruby-2.0.0-p353@hacking/bin/dawn:23:in `<main>'
from /Users/thesp0nge/.rvm/gems/ruby-2.0.0-p353@hacking/bin/ruby_executable_hooks:15:in `eval'
from /Users/thesp0nge/.rvm/gems/ruby-2.0.0-p353@hacking/bin/ruby_executable_hooks:15:in `<main>'
~ » gem install codesake-dawn (ruby-2.0.0-p353@hacking)
Fetching: codesake-commons-0.95.0.gem (100%)
Successfully installed codesake-commons-0.95.0
Fetching: codesake-dawn-1.0.2.gem (100%)
Successfully installed codesake-dawn-1.0.2
Parsing documentation for codesake-commons-0.95.0
Installing ri documentation for codesake-commons-0.95.0
Parsing documentation for codesake-dawn-1.0.2
Installing ri documentation for codesake-dawn-1.0.2
2 gems installed
~ » dawn -v (ruby-2.0.0-p353@hacking)
12:45:16 [*] dawn v1.0.2 is starting up
1.0.2 [Lightning McQueen]
~ »
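An added example, not part of the thread or of the dawn code base: it parses `gem list` output in the format pasted above and shows which installed rainbow version an open-ended requirement selects compared with a pinned one. The requirement strings `'>= 0'` and `'~> 1.1'` are assumptions for illustration, not taken from the codesake-commons gemspec, and the gem list excerpt is constructed.

```ruby
require 'rubygems'

# Constructed excerpt in the `gem list` format pasted in this thread.
SAMPLE_GEM_LIST = <<~LIST
  *** LOCAL GEMS ***

  codesake-commons (0.90.0)
  codesake-dawn (1.0.1)
  libv8 (3.16.14.3 x86_64-darwin-12, 3.11.8.17 x86_64-darwin-12)
  rainbow (2.0.0)
  rake (10.1.1, 0.9.6)
LIST

# Parse `gem list` text into { "name" => [Gem::Version, ...] }.
def parse_gem_list(text)
  text.each_line.with_object({}) do |line, gems|
    m = line.strip.match(/\A(\S+) \((.+)\)\z/)
    next unless m # banner and blank lines
    # Entries look like "1.2.3" or "1.2.3 x86_64-darwin-12"; drop the platform.
    versions = m[2].split(', ').map { |entry| entry.split(' ').first }
    gems[m[1]] = versions.select { |v| Gem::Version.correct?(v) }
                         .map { |v| Gem::Version.new(v) }
  end
end

# Highest installed version that satisfies the requirement, or nil if none does.
# Outside Bundler, RubyGems activates the highest installed version that matches.
def resolve(gems, name, requirement)
  req = Gem::Requirement.new(requirement)
  gems.fetch(name, []).select { |v| req.satisfied_by?(v) }.max
end

# Show what an open-ended requirement and a pinned one each select.
def compare_pins(gems, name, loose, pinned)
  [loose, pinned].to_h { |req| [req, resolve(gems, name, req)&.to_s] }
end

if __FILE__ == $PROGRAM_NAME
  gems = parse_gem_list(SAMPLE_GEM_LIST)
  # '>= 0' and '~> 1.1' are assumed requirement strings, not from any gemspec.
  p compare_pins(gems, 'rainbow', '>= 0', '~> 1.1')
end
```

A `nil` result for the pinned requirement means no installed version satisfies it, which matches the situation where rainbow 1.1.4 has to be installed before the downgrade takes effect.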
Perfect, it works!!! Thanks
After installing I ran bundle exec dawn -h and the output was:
/Users/marinobonetti/.rvm/gems/ruby-2.0.0-p0@global/gems/codesake-commons-0.90.0/lib/codesake/commons/logging.rb:60:in `helo': undefined method `color' for "09:01:04 [*] dawn v1.0.1 is starting up\n":String (NoMethodError)
from /Users/marinobonetti/.rvm/gems/ruby-2.0.0-p0@global/gems/codesake-dawn-1.0.1/bin/dawn:14:in `<top (required)>'
from /Users/marinobonetti/.rvm/gems/ruby-2.0.0-p0@global/bin/dawn:23:in `load'
from /Users/marinobonetti/.rvm/gems/ruby-2.0.0-p0@global/bin/dawn:23:in `