Vulnerabilities in the gl-sast-report.json with mobsf analyzer doesn't have the full relative path
Summary
When running SAST job using mobsf analyzer, the Vulnerability Report cannot link to the file where the vulnerability is found. This seems like it is because the file path doesn't have the full path relative to the project.
Steps to reproduce
- Use a sample Android project with vulnerabilities
- Either run SAST CICD job or run locally:
docker run --rm -ti \
-v "$(pwd):/android" \
-e ANALYZER_TARGET_DIR=/android/ \
-e SEARCH_MAX_DEPTH=4 \
-e MOBSF_ADDR=http://172.17.0.3:8000/api/v1 \
-e MOBSF_API_KEY=key \
mobsf:latest
- When
gl-sast-report.json
file is generated, upload it to your project. - Go to Security & Compliance -> Vulnerability Report.
- Open one of the vulnerabilities.
- Click on the "File" under "Location". It cannot be found.
Example Project
https://gitlab.com/gitlab-gold/emunn-test/scan-tests/android
What is the current bug behavior?
When you click the link in File, it cannot find it. Because the path is not correct. File link in vulnerability report: https://gitlab.com/gitlab-gold/emunn-test/scan-tests/android/-/blob/0d3f731ee18b8a0870e4ee22886f6527866b301f/com/appknox/testapplication/LoginActivity.java#L139 Actual file link: https://gitlab.com/gitlab-gold/emunn-test/scan-tests/android/-/blob/0d3f731ee18b8a0870e4ee22886f6527866b301f/app/src/main/java/com/appknox/testapplication/LoginActivity.java
What is the expected correct behavior?
The link should have the correct path to file.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true
)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true
)(we will only investigate if the tests are passing)