Converted MobSF iOS Analyzer for DVIA project doesn't include the full output
Summary
When running the MobSF Analyzer against the "Damn Vulnerable iOS App", the converted gl-sast-report.json merely shows:

```json
{
  "version": "14.0.0",
  "vulnerabilities": [],
  "remediations": [],
  "scan": {
    "scanner": {
      "id": "mobsf",
      "name": "MobSF",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF",
      "vendor": {
        "name": "GitLab"
      },
      "version": "3.4.3"
    },
    "type": "sast",
    "start_time": "2021-07-29T14:21:44",
    "end_time": "2021-07-29T14:22:39",
    "status": "success"
  }
}
```
Steps to reproduce
- Clone the "Damn Vulnerable iOS App"
- Create a simple `.gitlab-ci.yml` to run the MobSF SAST Analyzer:

```yaml
stages:
  - test

sast:
  stage: test

include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  SAST_EXPERIMENTAL_FEATURES: "true"
  SAST_EXCLUDED_ANALYZERS: "flawfinder"
  SECURE_LOG_LEVEL: "debug"
```

- Examine the `gl-sast-report.json`
Example Project
I've created an example project here:
https://gitlab.com/gitlab-silver/jayo-silver/dvia-test-project
https://gitlab.com/gitlab-gold/kategrechishkinatestgroup/sast-tests/ios-swift-dvia
There are two MR examples:
The second MR/Pipeline installs curl in the build container and does a curl against the generated MobSF report:

```shell
curl -H "AUTHORIZATION: key" -X POST --url http://localhost:8000/api/v1/report_json --data "hash=35469622303ba10a2195557a3ad1810a" --output mobsf_report_json.json
```

This shows a 452 KB JSON report containing a number of found vulnerabilities. That report is attached to this issue as mobsf_report_json.json.
What is the current bug behavior?
The `gl-sast-report.json` does not have any of the vulnerability output produced by the MobSF analyzer.
What is the expected correct behavior?
We should see converted output from the MobSF report.
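To make the expected conversion concrete, here is an added example (not code from the MobSF analyzer or GitLab's converter) that maps a constructed, simplified MobSF-style `code_analysis` finding set to GitLab SAST report schema 14.0.0 vulnerability entries, and includes a check for the failure mode in this issue: a source report with findings but an empty `vulnerabilities` array. The MobSF report layout, the severity mapping and the sample file paths are assumptions.

```python
import hashlib
import json

# Constructed sample in a simplified MobSF-like layout (assumption: real MobSF
# reports nest findings under code_analysis; exact field names may differ).
MOBSF_REPORT = {
    "code_analysis": {
        "ios_insecure_random_no_generator": {
            "metadata": {"description": "Insecure random number generator.",
                         "severity": "warning", "cwe": "CWE-330"},
            "files": {"DVIA/Crypto.swift": "12,40"},
        },
        "ios_sql_injection": {
            "metadata": {"description": "User input in SQL query.",
                         "severity": "high", "cwe": "CWE-89"},
            "files": {"DVIA/DB.swift": "77"},
        },
    }
}

# Assumed mapping from MobSF severity labels to the GitLab schema enum.
SEVERITY = {"high": "High", "warning": "Medium", "info": "Info", "good": "Info"}

def convert(mobsf):
    """Map MobSF-style code_analysis findings to GitLab SAST schema 14.0.0 entries."""
    vulns = []
    for rule_id, finding in mobsf.get("code_analysis", {}).items():
        meta = finding["metadata"]
        for path, lines in finding.get("files", {}).items():
            for line in lines.split(","):
                # Stable id derived from rule, file and line so re-runs dedupe.
                uid = hashlib.sha256(f"{rule_id}:{path}:{line}".encode()).hexdigest()
                vulns.append({
                    "id": uid, "category": "sast", "name": rule_id,
                    "description": meta["description"], "cve": uid,
                    "severity": SEVERITY.get(meta.get("severity", ""), "Unknown"),
                    "scanner": {"id": "mobsf", "name": "MobSF"},
                    "location": {"file": path, "start_line": int(line.strip())},
                    "identifiers": [{"type": "cwe", "name": meta["cwe"], "value": meta["cwe"]}],
                })
    return {"version": "14.0.0", "vulnerabilities": vulns, "remediations": []}

def findings_dropped(mobsf, gl_report):
    """True when MobSF reported findings but the converted report has none (this bug)."""
    has_source = any(f.get("files") for f in mobsf.get("code_analysis", {}).values())
    return has_source and not gl_report.get("vulnerabilities")

if __name__ == "__main__":
    print(json.dumps(convert(MOBSF_REPORT), indent=2))
    print("dropped:", findings_dropped(MOBSF_REPORT, {"version": "14.0.0", "vulnerabilities": []}))
```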