Codesake Dawn is a source code scanner designed to review your code for security issues. Codesake Dawn is able to scan your Ruby standalone programs, but its main usage is to deal with web applications. It supports applications written using the major MVC (Model View Controller) frameworks, like Ruby on Rails, Sinatra and Padrino.
The codesake-dawn rubygem is cryptographically signed. To be sure the gem you install hasn't been tampered with, you must first add the paolo@codesake.com public signing certificate as trusted to your gem-specific keyring:
$ gem cert --add <(curl -Ls https://raw.githubusercontent.com/codesake/codesake-dawn/master/certs/paolo_at_codesake_dot_com.pem)
You can install the latest Codesake::Dawn version, fetching it from Rubygems, by typing:
$ gem install codesake-dawn -P MediumSecurity
The MediumSecurity trust profile will verify signed gems, but allow the installation of unsigned dependencies. This is necessary because not all of Codesake::Dawn’s dependencies are signed, so we cannot use HighSecurity.
In order to install a release candidate version, the gem install command line is the following:
$ gem install codesake-dawn --pre -P MediumSecurity
If you want to add dawn to your project Gemfile, you must add the following:
group :development do
  gem 'codesake-dawn', :require => false
end
Then update your bundle:
$ bundle install
You may want to build it from source, so you have to check it out from GitHub first:
$ git clone https://github.com/codesake/codesake-dawn.git
$ cd codesake-dawn
$ bundle install
$ rake install
The codesake-dawn gem will be built in a pkg directory and then installed on your system. Please note that this way you have to manage dependencies on your own. It makes sense only if you want to hack the code or something like that.
You can start your code review with Codesake::Dawn very easily. Simply tell the tool where the project root directory is.
The underlying MVC framework is autodetected by Codesake::Dawn from the target's Gemfile.lock file. If autodetection fails for some reason, the tool will complain about it and you have to specify by hand whether it's a Rails, Sinatra or Padrino web application.
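The autodetection step described above, reimplemented here as an added illustration (this is not Codesake::Dawn's own code): the top-level entries of the Gemfile.lock GEM specs section are parsed into a name/version table, and the framework is chosen from it. It assumes that the padrino or padrino-core gem identifies a Padrino app, sinatra a Sinatra app and rails a Rails app; the lock file below is constructed for the example.

```ruby
# Matches a top-level spec line in the "specs:" section of a Gemfile.lock:
# exactly four spaces, the gem name, a space, and the version in parentheses.
# Dependency lines underneath a spec are indented by six spaces and are skipped.
SPEC_LINE = /\A {4}(\S+) \(([^)]+)\)\z/

# Returns a Hash of gem name => version for every top-level spec in the lock file.
# Any all-caps section header (GEM, GIT, PLATFORMS, DEPENDENCIES, ...) ends the
# current specs block; each "  specs:" marker starts a new one.
def parse_lock_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line == '  specs:'
      in_specs = true
    elsif line =~ /\A[A-Z]+\z/
      in_specs = false
    elsif in_specs && (m = SPEC_LINE.match(line))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Padrino is built on top of Sinatra, so it must be checked first.
# Returns :padrino, :sinatra, :rails, or nil when no supported framework is
# present (the point at which dawn asks the user for -r, -s or -p).
def detect_framework(lock_text)
  specs = parse_lock_specs(lock_text)
  return :padrino if specs.key?('padrino') || specs.key?('padrino-core') # assumption
  return :sinatra if specs.key?('sinatra')
  return :rails   if specs.key?('rails')
  nil
end

# Constructed sample Gemfile.lock for a small Sinatra application (not a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.5.2)
      rack-protection (1.5.3)
        rack
      sinatra (1.4.5)
        rack (~> 1.4)
        rack-protection (~> 1.4)
        tilt (~> 1.3, >= 1.3.4)
      tilt (1.4.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    sinatra
LOCK

puts "detected framework: #{detect_framework(SAMPLE_LOCK).inspect}" # => :sinatra
```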
Basic usage is to specify some optional command line options to best fit your needs, followed by the target directory where your code is stored:
$ dawn [options] target
If you need a quick command line option reference, run dawn -h at your OS prompt.
$ dawn -h
Usage: dawn [options] target_directory

Examples:
  $ dawn a_sinatra_webapp_directory
  $ dawn -C the_rails_blog_engine
  $ dawn -C --json a_sinatra_webapp_directory
  $ dawn --ascii-tabular-report my_rails_blog_ecommerce
  $ dawn --html -F my_report.html my_rails_blog_ecommerce

   -r, --rails                      force dawn to consider the target a rails application
   -s, --sinatra                    force dawn to consider the target a sinatra application
   -p, --padrino                    force dawn to consider the target a padrino application
   -G, --gem-lock                   force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock
   -a, --ascii-tabular-report       cause dawn to format findings using table in ascii art
   -j, --json                       cause dawn to format findings using json
   -C, --count-only                 dawn will only count vulnerabilities (useful for scripts)
   -z, --exit-on-warn               dawn will return number of found vulnerabilities as exit code
   -F, --file filename              tells dawn to write output to filename
   -c, --config-file filename       tells dawn to load configuration from filename

Disable security check family
       --disable-cve-bulletins      disable all CVE security checks
       --disable-code-quality       disable all code quality checks
       --disable-code-style         disable all code style checks
       --disable-owasp-ror-cheatsheet
                                    disable all Owasp Ruby on Rails cheatsheet checks
       --disable-owasp-top-10       disable all Owasp Top 10 checks

Flags useful to query Codesake::Dawn
   -S, --search-knowledge-base [check_name]
                                    search check_name in the knowledge base
       --list-knowledge-base        list knowledge-base content
       --list-known-families        list security check families contained in dawn's knowledge base
       --list-known-framework       list ruby MVC frameworks supported by dawn

Service flags
   -D, --debug                      enters dawn debug mode
   -V, --verbose                    the output will be more verbose
   -v, --version                    show version information
   -h, --help                       show this help