Support multi-module Android project scanning in MobSF
Problem to solve
As noted in #337743 (comment 1215644876):

I do think it's worthwhile though to improve on MobSF's capabilities by identifying each module of an Android application, scanning each of them, and merging the findings into a final `gl-sast-report.json`. Consider this test project that I threw together containing an `app/` directory for the phone and tablet app, and an `androidautomodule/` directory for the Android Auto app. Vanilla MobSF would only scan the phone and tablet app.

AntennaPod is another example of a multi-module app. Code is split between `app/` and `core/`. If MobSF were to scan this I'm unsure if it'll scan anything within `core/` (or at least anything within `core/` that's not imported code).
Also see the description of gitlab-org/security-products/analyzers/mobsf!63 (merged)
Proposal
Option 1
Modify the mobsf analyser so it can upload and scan each module of an Android application separately, and combine the results into a single `gl-sast-report.json` artefact.
MobSF only scans modules at predefined paths by default, so projects with multiple modules (such as an Android app with a WearOS and Android Auto component) may not be fully scanned.
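As an added illustration of Option 1 (this is not code from the mobsf analyser, from MobSF, or from the linked MRs), the two halves of the proposal that do not involve the scanner itself are sketched in Python: discovering the modules a Gradle project declares, and merging per-module results into one report. The scan step is left out; the per-module reports are constructed inline to stand in for what scanning each uploaded module directory would return, and the report layout used (`version`, `vulnerabilities`, `location.file` / `location.start_line`, `scan`) is a simplified GitLab SAST report shape, so treat the field names as assumptions. Module discovery reads the `include` statements in `settings.gradle`; merging re-roots each module's file paths to the repository root and drops findings another scan already reported.

```python
"""Option 1 sketch: discover Gradle modules, then merge per-module SAST reports."""
from __future__ import annotations

import json
import re
from pathlib import PurePosixPath

# Gradle declares modules in settings.gradle(.kts) with `include` statements, e.g.
#   include ':app', ':androidautomodule'      (Groovy DSL)
#   include(":app", ":features:auto")         (Kotlin DSL)
# `includeBuild` (composite builds) is not a module and is excluded by the \b.
INCLUDE_RE = re.compile(r"^\s*include\b\s*\(?\s*(.+?)\)?\s*$", re.MULTILINE)
MODULE_RE = re.compile(r"""['"]:?([A-Za-z0-9_.:-]+)['"]""")


def discover_modules(settings_gradle: str) -> list[str]:
    """Return module directories (relative to the project root) in declaration order."""
    modules: list[str] = []
    for stmt in INCLUDE_RE.finditer(settings_gradle):
        for name in MODULE_RE.findall(stmt.group(1)):
            # A Gradle project path ':features:auto' lives in features/auto by default.
            path = name.replace(":", "/")
            if path not in modules:
                modules.append(path)
    return modules


def merge_reports(module_reports: dict[str, dict]) -> dict:
    """Combine per-module reports into one report in (assumed) gl-sast-report.json shape.

    module_reports maps a module directory (or "." for a scan of the repository
    root) to that scan's report. Paths inside a per-module report are relative to
    the uploaded module, so they are re-rooted to the repository root before
    findings are deduplicated on (finding name, file, start line).
    """
    merged: dict = {"version": "15.0.0", "vulnerabilities": []}
    seen: set[tuple] = set()
    for module_dir, report in module_reports.items():
        if "scan" not in merged and "scan" in report:
            merged["scan"] = report["scan"]  # keep the first scan metadata block
        for vuln in report.get("vulnerabilities", []):
            location = dict(vuln.get("location", {}))
            if "file" in location:
                location["file"] = str(PurePosixPath(module_dir) / location["file"])
            key = (vuln.get("name"), location.get("file"), location.get("start_line"))
            if key in seen:
                continue  # same finding already reported by another scan
            seen.add(key)
            merged["vulnerabilities"].append({**vuln, "location": location})
    return merged


# Constructed sample inputs (not real project files and not real MobSF output).
SAMPLE_SETTINGS_GRADLE = """\
rootProject.name = 'demo'
includeBuild 'build-logic'
include ':app', ':androidautomodule'
include ':core'
"""


def _finding(vid: str, name: str, severity: str, file: str, line: int) -> dict:
    return {"id": vid, "category": "sast", "name": name, "severity": severity,
            "location": {"file": file, "start_line": line}}


SAMPLE_MODULE_REPORTS = {
    # Whole-repository scan: only the app/ module is reached.
    ".": {"version": "15.0.0",
          "scan": {"type": "sast", "status": "success",
                   "analyzer": {"id": "mobsf", "name": "MobSF"}},
          "vulnerabilities": [_finding("a1", "App is debuggable", "High",
                                       "app/src/main/AndroidManifest.xml", 3)]},
    # Per-module scans: paths are relative to the uploaded module directory.
    "app": {"version": "15.0.0", "vulnerabilities": [
        _finding("b1", "App is debuggable", "High", "src/main/AndroidManifest.xml", 3)]},
    "androidautomodule": {"version": "15.0.0", "vulnerabilities": [
        _finding("c1", "Exported service without permission", "Medium",
                 "src/main/AndroidManifest.xml", 9)]},
    "core": {"version": "15.0.0", "vulnerabilities": [
        _finding("d1", "Insecure random number generator", "Low",
                 "src/main/java/com/example/core/Tokens.java", 40)]},
}

if __name__ == "__main__":
    print("modules:", discover_modules(SAMPLE_SETTINGS_GRADLE))
    print(json.dumps(merge_reports(SAMPLE_MODULE_REPORTS), indent=2))
```

Deduplicating on the re-rooted path is what lets the existing whole-repository scan and a per-module scan of `app/` coexist without doubling the `app/` findings; if two different checks can fire on the same line under the same name, the check identifier would need to be part of the key as well.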
Option 2
Use mobsfscan instead of MobSF proper. mobsfscan is maintained by the same person as njsscan, which is the underlying scanner of our nodejs-scan analyser.
This option is beneficial in many ways:
- Reduces the number of components running in the `mobsf` analyser. The current approach starts a web server and makes several API calls to initiate scanning and download results.
- Uses Semgrep rules under the hood, which makes any future transition to Semgrep simpler.
- Works around OS and language-specific quirks because compilation is not necessary.