Mobsf-sast-android missing security vulnerabilities detected in upstream MobSF
Summary
Scanning an Android app codebase using the mobsf-android-sast GitLab CI job may report significantly fewer vulnerabilities than are detected by scanning the same code with the upstream project (opensecurity/mobile-security-framework-mobsf:v3.4.3).
Steps to reproduce
Testing mobsf-sast-android

- Import open source Android application source code into a GitLab repo (I used a copy of https://gitlab.com/fdroid/fdroidclient).
- Add the following to a new `.gitlab-ci.yml` file at the root of the repository:

```yaml
include:
  - template: Security/SAST.gitlab-ci.yml

variables:
  SAST_EXPERIMENTAL_FEATURES: "true"
  SAST_DEFAULT_ANALYZERS: "mobsf"
  SECURE_LOG_LEVEL: "debug"

mobsf-android-sast:
  artifacts:
    paths:
      - gl-sast-report.json
```

- Review the results, download the results artifact, and note that few or no vulnerabilities are detected.
Testing/comparing with upstream MobSF

- Download a `.zip` archive containing the source code of the open source Android repository (I used a zip archive of https://gitlab.com/greg/fdroidclient).
- Run the MobSF Docker container on the local machine:

```shell
docker pull opensecurity/mobile-security-framework-mobsf:v3.4.3
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:v3.4.3
```

- Navigate to 127.0.0.1:8000 on the local machine, click upload, and select the `.zip` archive.
- Review the CODE ANALYSIS section of the MobSF Static Analysis Report and note that significantly more vulnerabilities are detected than what mobsf-sast-android is picking up.
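As an added check for the "review the results" step (my example, not part of the original issue or of the analyzer), this script flattens a gl-sast-report.json artifact, tallies findings per severity, and lists which findings from an upstream MobSF report have no counterpart in the CI output. The sample report and the upstream findings are constructed; the rule names and file paths are hypothetical and not taken from the real fdroidclient scan.

```python
import json
from collections import Counter

# Constructed sample in the gl-sast-report.json shape that the
# mobsf-android-sast job uploads as its artifact (only the keys used here).
CI_REPORT_JSON = json.dumps({
    "version": "14.0.0",
    "vulnerabilities": [
        {"id": "c1", "category": "sast", "name": "WebView JavaScript enabled",
         "severity": "Medium",
         "location": {"file": "app/src/main/java/org/example/Web.java", "start_line": 42}},
    ],
})

# Constructed findings transcribed by hand from an upstream MobSF "CODE ANALYSIS"
# section into the same minimal shape (rule name, file, severity).
# Rule names and paths are hypothetical.
UPSTREAM_FINDINGS = [
    {"name": "WebView JavaScript enabled", "severity": "Medium",
     "file": "app/src/main/java/org/example/Web.java"},
    {"name": "Insecure random number generator", "severity": "High",
     "file": "app/src/main/java/org/example/Token.java"},
    {"name": "Hardcoded secret", "severity": "High",
     "file": "app/src/main/java/org/example/Config.java"},
]


def load_gl_sast_findings(report_text):
    """Flatten a gl-sast-report.json document into (name, file, severity) records."""
    report = json.loads(report_text)
    return [
        {"name": v["name"], "severity": v.get("severity", "Unknown"),
         "file": v.get("location", {}).get("file", "")}
        for v in report.get("vulnerabilities", [])
    ]


def severity_counts(findings):
    """Count findings per severity, e.g. {'High': 2, 'Medium': 1}."""
    return dict(Counter(f["severity"] for f in findings))


def missing_from(ci_findings, upstream_findings):
    """Return upstream findings with no CI finding on the same rule name and file."""
    seen = {(f["name"], f["file"]) for f in ci_findings}
    return [f for f in upstream_findings if (f["name"], f["file"]) not in seen]


if __name__ == "__main__":
    ci = load_gl_sast_findings(CI_REPORT_JSON)  # in practice: open("gl-sast-report.json").read()
    print("CI job:", severity_counts(ci), "upstream:", severity_counts(UPSTREAM_FINDINGS))
    for f in missing_from(ci, UPSTREAM_FINDINGS):
        print(f"missing in CI: [{f['severity']}] {f['name']} ({f['file']})")
```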
Example Project

Scan using MobSF CI job

The gl-sast-report.json report artifact from the mobsf-android-sast job shows zero vulnerabilities detected.

Scan using opensecurity/mobile-security-framework-mobsf:v3.4.3 - 12 vulnerabilities detected

fdroidclient-mobsf-report.pdf (pages 7-11)
What is the current bug behavior?

Few or no vulnerabilities are detected by the mobsf-sast-android CI job.

Several additional vulnerabilities are detected when running upstream MobSF (opensecurity/mobile-security-framework-mobsf:v3.4.3) in a Docker container on the same codebase.
What is the expected correct behavior?

mobsf-sast-android reports the same Critical/High/Medium vulnerabilities that are detected by opensecurity/mobile-security-framework-mobsf:v3.4.3.
Relevant logs and/or screenshots
- https://gitlab.com/greg/fdroidclient/-/jobs/1553994601
- https://greg.gitlab.io/-/fdroidclient/-/jobs/1553994601/artifacts/gl-sast-report.json
Output of checks
This happens on GitLab.com