mobsf-ios-sast couldn't get the correct report analysis
Summary
Steps to reproduce
- To reproduce:
  docker run --rm -it -v "$(pwd):/target" -e ANALYZER_TARGET_DIR=/target/ -e SEARCH_MAX_DEPTH=50 -e MOBSF_API_KEY=key -e SECURE_LOG_LEVEL="debug" -e MOBSF_ADDR=http://localhost:8000/api/v1 registry.gitlab.com/security-products/mobsf:2
- Second way to reproduce, via pipeline:

mobsf-ios-sast:
  image: registry.gitlab.com/security-products/mobsf:latest
  services:
    - name: repo.saudidigitalbank.com/docker-hub/opensecurity/mobile-security-framework-mobsf:latest
      alias: mobfs
      command: ["/home/mobsf/Mobile-Security-Framework-MobSF/scripts/entrypoint.sh"]
  variables:
    MOBSF_ADDR: "http://mobfs:8000/api/v1"
    MOBSF_API_KEY: "12345"
    SECURE_LOG_LEVEL: "debug"
    SEARCH_MAX_DEPTH: "10"
    SAST_ANALYZER_IMAGE_TAG: "latest"
  script:
    - sleep 10 && cd ./build && /analyzer run
  artifacts:
    reports:
      sast: gl-sast-report.json
cat gl-sast-report.json
{
  "version": "14.0.4",
  "vulnerabilities": [],
  "scan": {
    "scanner": {
      "id": "mobsf",
      "name": "MobSF",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF",
      "vendor": {"name": "GitLab"},
      "version": "3.5.0"
    },
    "type": "sast",
    "start_time": "2023-03-27T09:37:31",
    "end_time": "2023-03-27T09:39:07",
    "status": "success"
  }
}
P.S. When the build is uploaded manually to the mobsf server, there are vulnerabilities.

Tried to use mobfs-ios-sast in my gitlab-ultimate instance using:

include:
  - template: Security/SAST.gitlab-ci.yml
variables:
  SAST_EXPERIMENTAL_FEATURES: "true"
What is the current bug behavior?
gl-sast-report.json shows no vulnerabilities.
What is the expected correct behavior?
Vulnerabilities should be listed in the report.
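A report that says `"status": "success"` with an empty `vulnerabilities` array is indistinguishable, on its face, from a scan of a clean build, so a pipeline that consumes it will stay green. The following is an added example (not code from the analyzer or from this issue) of a small pre-check a job could run: it parses the report body quoted above (embedded here as constructed sample input), flags an empty "success" report when findings are expected, and sanity-checks the `MOBSF_ADDR` value before the analyzer is launched. The function names and the `analyzer_runs_in_container` parameter are this example's own assumptions; the only page-specific values used are the report JSON and the two `MOBSF_ADDR` forms that appear in the issue.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the report body quoted in this issue, embedded so the
# check runs offline. This is example data, not output from the analyzer project.
SAMPLE_REPORT = (
    '{"version":"14.0.4","vulnerabilities":[],"scan":{"scanner":{"id":"mobsf",'
    '"name":"MobSF","url":"https://github.com/MobSF/Mobile-Security-Framework-MobSF",'
    '"vendor":{"name":"GitLab"},"version":"3.5.0"},"type":"sast",'
    '"start_time":"2023-03-27T09:37:31","end_time":"2023-03-27T09:39:07",'
    '"status":"success"}}'
)


def summarize_report(report_text):
    """Parse a gl-sast-report.json body and return the fields worth checking."""
    report = json.loads(report_text)
    scan = report.get("scan", {})
    scanner = scan.get("scanner", {})
    return {
        "schema_version": report.get("version"),
        "scanner_id": scanner.get("id"),
        "scanner_version": scanner.get("version"),
        "status": scan.get("status"),
        "finding_count": len(report.get("vulnerabilities", [])),
    }


def report_needs_review(summary, expect_findings=True):
    """Return the reasons a report should not be accepted silently.

    A 'success' status combined with zero findings is exactly the shape that
    hides a misconfigured analyzer, so when the caller knows the build has
    findings (for instance from a manual MobSF upload) the empty report is
    flagged instead of passing the job.
    """
    reasons = []
    if summary["status"] != "success":
        reasons.append("scan status is %r, not 'success'" % summary["status"])
    if summary["scanner_id"] != "mobsf":
        reasons.append("unexpected scanner id %r" % summary["scanner_id"])
    if expect_findings and summary["finding_count"] == 0:
        reasons.append("report is empty although findings were expected")
    return reasons


def check_mobsf_addr(addr, analyzer_runs_in_container=True):
    """Sanity-check a MOBSF_ADDR value before the analyzer container starts.

    Inside a container, 'localhost' names the analyzer's own network
    namespace, so a MobSF server running on the host or in a sibling
    service container is not reachable under that name. The analyzer is
    also pointed at the API prefix (/api/v1 in this issue), so its absence
    is reported as well. Both checks are this example's own assumptions.
    """
    warnings = []
    parsed = urlparse(addr)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        warnings.append("MOBSF_ADDR is not an absolute http(s) URL: %r" % addr)
        return warnings
    if analyzer_runs_in_container and parsed.hostname in ("localhost", "127.0.0.1"):
        warnings.append(
            "MOBSF_ADDR points at localhost, which resolves to the analyzer container itself"
        )
    if not parsed.path.rstrip("/").endswith("/api/v1"):
        warnings.append("MOBSF_ADDR does not end with the /api/v1 API prefix")
    return warnings


if __name__ == "__main__":
    summary = summarize_report(SAMPLE_REPORT)
    print("report summary:", summary)
    for reason in report_needs_review(summary):
        print("REVIEW:", reason)
    for addr in ("http://localhost:8000/api/v1", "http://mobfs:8000/api/v1"):
        print(addr, "->", check_mobsf_addr(addr) or "ok")
```

Run as a script step before `/analyzer run`, `check_mobsf_addr` turns a silently unreachable server address into a visible warning, and run after the analyzer, `report_needs_review` lets the job fail on an empty report rather than uploading it as a clean result.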
Relevant logs and/or screenshots
docker run --rm -it -v "$(pwd):/target" -e ANALYZER_TARGET_DIR=/target/ -e SEARCH_MAX_DEPTH=50 -e MOBSF_API_KEY=key -e SECURE_LOG_LEVEL="debug" -e MOBSF_ADDR=http://172.17.0.2:8000/api/v1 registry.gitlab.com/security-products/mobsf:2
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
[INFO] [MobSF] [2023-03-27T09:26:35Z] ▶ GitLab MobSF analyzer v2.15.1
[INFO] [MobSF] [2023-03-27T09:26:35Z] ▶ Detecting project
[INFO] [MobSF] [2023-03-27T09:26:35Z] ▶ Found relevant files in project, analyzing entire repository
[INFO] [MobSF] [2023-03-27T09:26:35Z] ▶ Running analyzer
[DEBU] [MobSF] [2023-03-27T09:26:35Z] ▶ Excluded directories: []
[DEBU] [MobSF] [2023-03-27T09:26:35Z] ▶ AnalysisType: packageFile
[DEBU] [MobSF] [2023-03-27T09:26:35Z] ▶ AnalysisType: packageFile
[INFO] [MobSF] [2023-03-27T09:26:35Z] ▶ Starting scan. Type: ipa, Upload Hash: 665546eab0c1e1eea743f787b8620999
[INFO] [MobSF] [2023-03-27T09:26:35Z] ▶ Creating report
[DEBU] [MobSF] [2023-03-27T09:26:35Z] ▶ custom rulesets not enabled
[DEBU] [MobSF] [2023-03-27T09:26:35Z] ▶ Applying report overrides
[DEBU] [MobSF] [2023-03-27T09:26:35Z] ▶ custom rulesets not enabled
[DEBU] [MobSF] [2023-03-27T09:26:35Z] ▶ Optimizing JSON Output
Output of checks
Results of GitLab environment info
Running on GitLab Ultimate 14.15
Edited by Kate Grechishkina