Vulnerabilities in the gl-sast-report.json with mobsf analyzer doesn't have the full relative path

Summary

When running SAST job using mobsf analyzer, the Vulnerability Report cannot link to the file where the vulnerability is found. This seems like it is because the file path doesn't have the full path relative to the project.

Steps to reproduce

  1. Use a sample Android project with vulnerabilities
  2. Either run SAST CICD job or run locally:
docker run --rm -ti \
  -v "$(pwd):/android" \
  -e ANALYZER_TARGET_DIR=/android/ \
  -e SEARCH_MAX_DEPTH=4 \
  -e MOBSF_ADDR=http://172.17.0.3:8000/api/v1 \
  -e MOBSF_API_KEY=key \
  mobsf:latest
  1. When gl-sast-report.json file is generated, upload it to your project.
  2. Go to Security & Compliance -> Vulnerability Report.
  3. Open one of the vulnerabilities.
  4. Click on the "File" under "Location". It cannot be found.

Example Project

https://gitlab.com/gitlab-gold/emunn-test/scan-tests/android

What is the current bug behavior?

When you click the link in File, it cannot find it. Because the path is not correct. File link in vulnerability report: https://gitlab.com/gitlab-gold/emunn-test/scan-tests/android/-/blob/0d3f731ee18b8a0870e4ee22886f6527866b301f/com/appknox/testapplication/LoginActivity.java#L139 Actual file link: https://gitlab.com/gitlab-gold/emunn-test/scan-tests/android/-/blob/0d3f731ee18b8a0870e4ee22886f6527866b301f/app/src/main/java/com/appknox/testapplication/LoginActivity.java

What is the expected correct behavior?

The link should have the correct path to file.

Relevant logs and/or screenshots

mobsf_vulnerability_report mobsf-link-notfound

Output of checks

This bug happens on GitLab.com

Results of GitLab environment info

Expand for output related to GitLab environment info 

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check

Expand for output related to the GitLab application check 
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)


(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)


(we will only investigate if the tests are passing)

Possible fixes