Thursday, 24 July 2014
0 comments

CodeSake Dawn Source Code Security Scanner For Ruby Platform


Codesake Dawn is a source code scanner designed to review your code for security issues. Codesake Dawn is able to scan your ruby standalone programs but its main usage is to deal with web applications. It supports applications written using majors MVC (Model View Controller) frameworks, like:

Installation

codesake-dawn rubygem is cryptographically signed. To be sure the gem you install hasn’t been tampered, you must first add [email protected] public signing certificate as trusted to your gem specific keyring.
$ gem cert --add <(curl -Ls https://raw.githubusercontent.com/codesake/codesake-dawn/master/certs/paolo_at_codesake_dot_com.pem)
You can install latest Codesake::Dawn version, fetching it from Rubygems by typing:
$ gem install codesake-dawn -P MediumSecurity
The MediumSecurity trust profile will verify signed gems, but allow the installation of unsigned dependencies. This is necessary because not all of Codesake::Dawn’s dependencies are signed, so we cannot use HighSecurity.
In order to install a release candidate version, the gem install command line is the following:
$ gem install codesake-dawn --pre -P MediumSecurity
If you want to add dawn to your project Gemfile, you must add the following:
group :development do
  gem 'codesake-dawn', :require=>false
end
And then upgrade your bundle
$ bundle install
You may want to build it from source, so you have to check it out from github first:
$ git clone https://github.com/codesake/codesake-dawn.git
$ cd codesake-dawn
$ bundle install
$ rake install
And the codesake-dawn gem will be built in a pkg directory and then installed on your system. Please note that you have to manage dependencies on your own this way. It makes sense only if you want to hack the code or something like that.

Usage

You can start your code review with Codesake::Dawn very easily. Simply tell the tool where the project root directory.
Underlying MVC framework is autodetected by Codesake::Dawn using target Gemfile.lock file. If autodetect fails for some reason, the tool will complain about it and you have to specify if it's a rails, sinatra or padrino web application by hand.
Basic usage is to specify some optional command line option to fit best your needs, and to specify the target directory where your code is stored.
$ dawn [options] target
In case of need, there is a quick command line option reference running dawn -h at your OS prompt.
Help Options
$ dawn -h
Usage: dawn [options] target_directory

Examples:
  $ dawn a_sinatra_webapp_directory
  $ dawn -C the_rails_blog_engine
  $ dawn -C --json a_sinatra_webapp_directory
  $ dawn --ascii-tabular-report my_rails_blog_ecommerce
  $ dawn --html -F my_report.html my_rails_blog_ecommerce

   -r, --rails          force dawn to consider the target a rails application
   -s, --sinatra        force dawn to consider the target a sinatra application
   -p, --padrino        force dawn to consider the target a padrino application
   -G, --gem-lock       force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock
   -a, --ascii-tabular-report   cause dawn to format findings using table in ascii art
   -j, --json                   cause dawn to format findings using json
   -C, --count-only             dawn will only count vulnerabilities (useful for scripts)
   -z, --exit-on-warn           dawn will return number of found vulnerabilities as exit code
   -F, --file filename          tells dawn to write output to filename
   -c, --config-file filename   tells dawn to load configuration from filename

Disable security check family

       --disable-cve-bulletins  disable all CVE security checks
       --disable-code-quality   disable all code quality checks
       --disable-code-style     disable all code style checks
       --disable-owasp-ror-cheatsheet   disable all Owasp Ruby on Rails cheatsheet checks
       --disable-owasp-top-10           disable all Owasp Top 10 checks

Flags useful to query Codesake::Dawn

       -S, --search-knowledge-base [check_name]   search check_name in the knowledge base
           --list-knowledge-base                  list knowledge-base content
           --list-known-families                  list security check families contained in dawn's knowledge base
           --list-known-framework                 list ruby MVC frameworks supported by dawn

Service flags

   -D, --debug                                  enters dawn debug mode
   -V, --verbose                                the output will be more verbose
   -v, --version                                show version information
   -h, --help                                   show this help
Download

0 comments:

Post a Comment

 
Toggle Footer
Top