Support multi-module Android project scanning in MobSF

Problem to solve

As noted in #337743 (comment 1215644876)

I do think it's worthwhile though to improve on MobSF's capabilities by identifying each module of an Android application, scanning each of them, and merging the findings into a final gl-sast-report.json. Consider this test project that I threw together containing an app/ directory for the phone and tablet app, and a androidautomodule/ directory for the Android Auto app. Vanilla MobSF would only scan the phone and tablet app.

AntennaPod is another example of a multi-module app. Code is split between app/ and core/. If MobSF were to scan this I'm unsure if it'll scan anything within core/ (or at least anything within core/ that's not imported code).

Also see the description of gitlab-org/security-products/analyzers/mobsf!63 (merged)

Proposal

Option 1

Modify the mobsf analyser so it can upload and scan each module of an Android application separately, and combine the results into a single gl-sast-report.json artefact.

MobSF only scans modules at predefined paths by default, so projects with multiple modules (such as an Android app with a WearOS and Android Auto component) may not be fully scanned.
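As an added illustration of Option 1 (not part of this issue, and not MobSF's or the analyser's own code), the Python below discovers the Gradle modules that apply an Android plugin and merges per-module gl-sast-report.json results into a single report, rewriting file paths relative to the repository root and dropping findings reported by more than one module. The report fields and the de-duplication key are simplified assumptions; the sample project and findings are constructed inline.

```python
import json
import tempfile
from pathlib import Path

# Gradle plugin ids that mark a directory as an Android module (assumption:
# one scannable unit per module, e.g. app/, core/, androidautomodule/).
ANDROID_PLUGINS = ("com.android.application", "com.android.library")

def find_android_modules(root):
    """Return repo-relative paths of modules whose build.gradle(.kts) applies an Android plugin."""
    root = Path(root)
    files = list(root.rglob("build.gradle")) + list(root.rglob("build.gradle.kts"))
    return sorted(g.parent.relative_to(root).as_posix() for g in files
                  if any(p in g.read_text(errors="ignore") for p in ANDROID_PLUGINS))

def merge_reports(module_reports, version="15.0.0"):
    """Merge (module_path, gl-sast-report dict) pairs into one report.

    File locations are rewritten relative to the repository root, and a
    finding is kept once per (name, file, start_line) so that code reached
    from several modules is not reported several times (simplified key)."""
    merged, seen = {"version": version, "vulnerabilities": []}, set()
    for module, report in module_reports:
        for vuln in report.get("vulnerabilities", []):
            loc = dict(vuln.get("location", {}))  # copy: never mutate the input report
            if loc.get("file"):
                loc["file"] = f"{module}/{loc['file']}"
            key = (vuln.get("name"), loc.get("file"), loc.get("start_line"))
            if key not in seen:
                seen.add(key)
                merged["vulnerabilities"].append({**vuln, "location": loc})
    return merged

def demo():
    """Constructed sample: three Gradle modules, two of them Android, with per-module findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, plugin in (("app", "com.android.application"),
                             ("core", "com.android.library"),
                             ("buildSrc", "java-gradle-plugin")):
            (root / name).mkdir()
            (root / name / "build.gradle").write_text(f"plugins {{ id '{plugin}' }}\n")
        modules = find_android_modules(root)
    finding = {"name": "Insecure WebView", "severity": "High",
               "location": {"file": "src/main/java/Web.java", "start_line": 12}}
    # The "core" report lists the same finding twice to show de-duplication.
    reports = [("app", {"vulnerabilities": [finding]}),
               ("core", {"vulnerabilities": [finding, dict(finding)]})]
    return modules, merge_reports(reports)

if __name__ == "__main__":
    mods, report = demo()
    print(mods)
    print(json.dumps(report, indent=2))
```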

Option 2

Use mobsfscan instead of MobSF proper. mobsfscan is maintained by the same author as njsscan, which is the underlying scanner of our nodejs-scan analyser.

This option has several benefits:

  • Reduces the number of components running in the mobsf analyser. The current approach starts a web server and makes several API calls to initiate the scan and download the results.
  • Uses Semgrep rules under the hood, which makes any future transition to Semgrep simpler.
  • Works around OS and language-specific quirks because compilation is not necessary.
Edited by James Liu