
Mobsf-sast-android missing security vulnerabilities detected in upstream MobSF

Summary

Scanning an Android app codebase with the mobsf-android-sast GitLab CI job may report significantly fewer vulnerabilities than scanning the same code with the upstream project (opensecurity/mobile-security-framework-mobsf:v3.4.3).

Steps to reproduce

Testing mobsf-sast-android

  1. Import open-source Android application source code into a GitLab repository (I used a copy of https://gitlab.com/fdroid/fdroidclient)

  2. Add the following to a new .gitlab-ci.yml file at the root of the repository:

    include:
      - template: Security/SAST.gitlab-ci.yml
    
    variables:
      SAST_EXPERIMENTAL_FEATURES: "true"
      SAST_DEFAULT_ANALYZERS: "mobsf"
      SECURE_LOG_LEVEL: "debug"
    
    mobsf-android-sast:
      artifacts:
        paths:
          - gl-sast-report.json

  3. Review the job results, download the report artifact, and note that few or no vulnerabilities are detected.

Testing/comparing with upstream MobSF

  1. Download a .zip archive containing the source code of the open-source Android repository. (I used a zip archive of https://gitlab.com/greg/fdroidclient)

  2. Run the MobSF Docker container on the local machine:

    docker pull opensecurity/mobile-security-framework-mobsf:v3.4.3
    docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:v3.4.3

  3. Navigate to 127.0.0.1:8000 on the local machine, click Upload, and select the .zip archive.

  4. Review the CODE ANALYSIS section of the MobSF Static Analysis Report and note that significantly more vulnerabilities are detected than mobsf-sast-android picks up.
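The comparison in steps 3 and 4 is done by eye in the MobSF web UI. The script below is an added example (not part of this issue, of GitLab's analyzer, or of MobSF) that does the same comparison mechanically: it reads the gl-sast-report.json artifact from the CI job and the JSON report MobSF produces for the same sources, buckets both by severity, and lists the (rule, file, line) findings MobSF reports that the CI report lacks. It assumes the GitLab report has a top-level "vulnerabilities" list with "name", "severity" and "location" (file and start_line), and that the MobSF 3.x report has a top-level "code_analysis" object keyed by rule id, each with "metadata" (severity, description) and "files" mapping a path to a comma-separated string of line numbers; the MobSF-to-GitLab severity mapping is also an assumption. Both embedded sample reports are constructed for illustration.

```python
"""Diff a GitLab SAST report against a MobSF JSON report for the same codebase.

Added example, not the issue's own or either project's code. Assumed shapes:
- GitLab: {"vulnerabilities": [{"name", "severity", "location": {"file", "start_line"}}]}
- MobSF 3.x: {"code_analysis": {rule_id: {"metadata": {"severity", ...},
                                            "files": {path: "12,34"}}}}
"""
import json
import sys
from collections import Counter

# Constructed sample: a sparse gl-sast-report.json from the CI job.
GL_SAST_REPORT = json.dumps({
    "version": "14.0.0",
    "vulnerabilities": [
        {"name": "android_logging", "severity": "Info",
         "location": {"file": "app/src/main/java/Foo.java", "start_line": 12}},
        {"name": "android_sqlite_injection", "severity": "High",
         "location": {"file": "app/src/main/java/Db.java", "start_line": 40}},
    ],
})

# Constructed sample: the assumed shape of MobSF's report for the same sources.
MOBSF_REPORT = json.dumps({
    "code_analysis": {
        "android_logging": {
            "metadata": {"severity": "info", "description": "Logs sensitive data"},
            "files": {"app/src/main/java/Foo.java": "12,57"},
        },
        "android_sqlite_injection": {
            "metadata": {"severity": "high", "description": "SQL injection"},
            "files": {"app/src/main/java/Db.java": "40"},
        },
        "android_webview_external": {
            "metadata": {"severity": "high", "description": "WebView JS enabled"},
            "files": {"app/src/main/java/Web.java": "8,9"},
        },
    }
})

# Assumed mapping from MobSF severities onto GitLab's severity scale so both
# reports can be bucketed the same way.
MOBSF_TO_GL = {"high": "High", "warning": "Medium", "info": "Info", "good": "Info"}


def gl_findings(report_text):
    """Return (set of (rule, file, line), Counter by severity) for a GitLab report."""
    data = json.loads(report_text)
    found, by_sev = set(), Counter()
    for v in data.get("vulnerabilities", []):
        loc = v.get("location", {})
        found.add((v["name"], loc.get("file"), int(loc.get("start_line", 0))))
        by_sev[v.get("severity", "Unknown")] += 1
    return found, by_sev


def mobsf_findings(report_text):
    """Same result shape, built from the MobSF code_analysis section."""
    data = json.loads(report_text)
    found, by_sev = set(), Counter()
    for rule, body in data.get("code_analysis", {}).items():
        sev = MOBSF_TO_GL.get(body.get("metadata", {}).get("severity", ""), "Unknown")
        for path, lines in body.get("files", {}).items():
            # MobSF stores hit lines as one comma-separated string per file.
            for line in lines.split(","):
                if line.strip():
                    found.add((rule, path, int(line)))
                    by_sev[sev] += 1
    return found, by_sev


def missing_in_gitlab(gl_text, mobsf_text):
    """Findings MobSF reports at (rule, file, line) that the CI report does not."""
    gl, _ = gl_findings(gl_text)
    mobsf, _ = mobsf_findings(mobsf_text)
    return sorted(mobsf - gl)


if __name__ == "__main__":
    # Usage: python compare_reports.py gl-sast-report.json mobsf-report.json
    # With no arguments the constructed samples above are compared.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            gl_text = f.read()
        with open(sys.argv[2]) as f:
            mobsf_text = f.read()
    else:
        gl_text, mobsf_text = GL_SAST_REPORT, MOBSF_REPORT
    print("GitLab by severity:", dict(gl_findings(gl_text)[1]))
    print("MobSF by severity: ", dict(mobsf_findings(mobsf_text)[1]))
    for rule, path, line in missing_in_gitlab(gl_text, mobsf_text):
        print(f"missing in CI report: {rule} {path}:{line}")
```

Run with no arguments to see the comparison on the constructed samples, or pass the two real report files. Matching on (rule, file, line) rather than on rule name alone keeps a rule that the CI job reports at one location but MobSF reports at several from masking the extra hits.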

Example Project

Scan using MobSF CI job - 12 vulnerabilities detected

The gl-sast-report.json report artifact from the mobsf-android-sast job shows zero vulnerabilities detected:

Scan using opensecurity/mobile-security-framework-mobsf:v3.4.3 - vulnerabilities detected

What is the current bug behavior?

Few or no vulnerabilities are detected by the mobsf-sast-android CI job. Several additional vulnerabilities are detected when running upstream MobSF in a Docker container on the same codebase (opensecurity/mobile-security-framework-mobsf:v3.4.3).

What is the expected correct behavior?

mobsf-sast-android reports the same Critical/High/Medium vulnerabilities that are detected by opensecurity/mobile-security-framework-mobsf:v3.4.3.

Relevant logs and/or screenshots

Output of checks

This happens on GitLab.com

Possible fixes

Edited by Greg Myers