Make MobSF binary scanning optional
Context
#269915 (closed) added support for automatically scanning binaries with MobSF, such as .ipa (iOS) or .apk (Android) apps. When the analyser walks the source tree and detects one of these binaries, it scans the binary and skips the rest of the repository. In a repository containing iOS or Android source code alongside a binary, it is very likely that the binary is detected first and scanned. This results in a less effective scan, with findings whose location data (file + line) is incorrect. Elaborated on here; it is the root cause of #337217 (closed).
According to the MR that added binary scanning, it was added because of the lack of multi-module support for Android projects containing many AndroidManifest.xml files. These are apparently fairly common in larger applications distributed for various Android platforms. #386549 (closed) was created some months ago to address this limitation without resorting to binary scanning.
Proposal
Make binary scanning optional via an environment variable called MOBSF_BINARY_SCAN_ENABLED, which is "false" by default.
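To make the proposed behaviour concrete, here is an added illustration (not the analyser's own code) of how the gate could work: the walk over the repository either scans the first detected .ipa/.apk binary, or, when MOBSF_BINARY_SCAN_ENABLED is unset or "false", ignores binaries and hands the source files to the source-mode scan. The helper names, the accepted truthy/falsy spellings and the sample file list are assumptions made for the example.

```python
"""Gate MobSF binary scanning behind MOBSF_BINARY_SCAN_ENABLED.

Hypothetical example, not code from the analyser. It models the behaviour
described in the issue: when binary scanning is on, the first binary found
in walk order is scanned and everything else is bypassed; when it is off
(the proposed default), binaries are ignored and the source tree is scanned.
"""
import os
from typing import Iterable, List, Mapping, Optional

BINARY_SUFFIXES = (".ipa", ".apk")

# Constructed walk order for the example: the build output is reached before
# the two module manifests, which is the problematic ordering from the issue.
SAMPLE_WALK: List[str] = [
    "app/build/outputs/app-release.apk",
    "app/src/main/AndroidManifest.xml",
    "feature/src/main/AndroidManifest.xml",
]


def binary_scan_enabled(env: Optional[Mapping[str, str]] = None) -> bool:
    """Parse MOBSF_BINARY_SCAN_ENABLED; absent or "false" means disabled.

    The accepted spellings ("1"/"true"/"yes" and "0"/"false"/"no") are an
    assumption of this example. Anything else is rejected rather than
    silently treated as a boolean.
    """
    env = os.environ if env is None else env
    value = env.get("MOBSF_BINARY_SCAN_ENABLED", "false").strip().lower()
    if value in ("1", "true", "yes"):
        return True
    if value in ("", "0", "false", "no"):
        return False
    raise ValueError(f"MOBSF_BINARY_SCAN_ENABLED has unrecognised value {value!r}")


def is_binary(path: str) -> bool:
    """True for the app package formats MobSF can scan directly."""
    return path.lower().endswith(BINARY_SUFFIXES)


def select_targets(paths: Iterable[str], env: Optional[Mapping[str, str]] = None) -> dict:
    """Decide what the scan operates on for a given walk order.

    Returns {"mode": "binary", "targets": [first_binary]} when binary scanning
    is enabled and a binary is present; otherwise {"mode": "source",
    "targets": [all non-binary paths]}.
    """
    paths = list(paths)
    binaries = [p for p in paths if is_binary(p)]
    sources = [p for p in paths if not is_binary(p)]
    if binary_scan_enabled(env) and binaries:
        # Current (pre-proposal) behaviour: the first binary wins and the
        # rest of the repository, including the source files, is bypassed.
        return {"mode": "binary", "targets": binaries[:1]}
    # Proposed default: binaries are ignored, the source tree is scanned.
    return {"mode": "source", "targets": sources}


if __name__ == "__main__":
    print(select_targets(SAMPLE_WALK, env={}))
    print(select_targets(SAMPLE_WALK, env={"MOBSF_BINARY_SCAN_ENABLED": "true"}))
```

With the default (unset) variable the two module manifests are both scanned in source mode; setting the variable to "true" restores the current behaviour, where the .apk reached first in walk order is the only target.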