MobSF analyzer fails for "empty" entrypoints
Summary
One customer has a project in which one of the dependencies committed in their repository provides only resources, no Java code. The corresponding AndroidManifest.xml consists only of an empty <manifest /> element.
The analyzer happily packs this "source code" into an archive and uploads it to the MobSF service. Since the archive doesn't contain any code, MobSF fails with an error, and in turn the analyzer fails with an error.
Steps to reproduce
The steps are described in the summary above: commit a resource-only dependency whose AndroidManifest.xml is an empty <manifest /> element into the repository and run the analyzer against it.
What is the current bug behavior?
Analyzer fails.
What is the expected correct behavior?
Analyzer doesn't fail.
Output of checks
Possible fixes
Multiple options:
- When collecting the AndroidManifest.xml entrypoints, make sure that the manifest refers to actual entrypoints.
- When creating the scan payload, skip entrypoints without any code
- Add an environment variable SAST_MOBSF_EXCLUDE_ENTRYPOINTS which allows the user to skip specific entrypoints.
- Ignore the errors from the MobSF service.
Implementation plan
Options 1 & 2 are basically the same in implementation, and they fundamentally solve the problem. Option 3 adds some work for the customer, so it is only the best choice if we cannot do options 1 & 2. Option 4 is a workaround that papers over the problem and changes the design of our MobSF wrapper. We go with options 1 & 2 in the fix.
- Reproduce: Create a test case that reproduces the bug.
- Fix: Before creating the scan payload and feeding it to MobSF, check if the 'entrypoint' contains Android source code.
- Validate: Update the integration test.
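As an added illustration of the option 1 & 2 check (example code, not the analyzer's own implementation), the function below treats an entrypoint as the path of its AndroidManifest.xml and only reports it scannable when the manifest declares at least one component and Java or Kotlin source exists beside it; the name IsScannable and the source-file heuristic are assumptions.

```go
package main

import (
	"encoding/xml"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)
// manifest models just enough of AndroidManifest.xml to count declared
// components; a bare <manifest /> yields zero of each.
type manifest struct {
	Activities []struct{} `xml:"application>activity"`
	Services   []struct{} `xml:"application>service"`
	Receivers  []struct{} `xml:"application>receiver"`
	Providers  []struct{} `xml:"application>provider"`
}
// declaresComponents reports whether the manifest lists at least one component.
func declaresComponents(manifestPath string) (bool, error) {
	data, err := os.ReadFile(manifestPath)
	if err != nil {
		return false, err
	}
	var m manifest
	if err := xml.Unmarshal(data, &m); err != nil {
		return false, err
	}
	return len(m.Activities)+len(m.Services)+len(m.Receivers)+len(m.Providers) > 0, nil
}
// hasSource reports whether any .java or .kt file exists below dir.
func hasSource(dir string) bool {
	found := false
	filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
		if err == nil && !d.IsDir() && (strings.HasSuffix(p, ".java") || strings.HasSuffix(p, ".kt")) {
			found = true
		}
		return nil
	})
	return found
}
// IsScannable (hypothetical name) is the pre-payload check: an entrypoint is
// packed for MobSF only if its manifest declares components and source sits beside it.
func IsScannable(manifestPath string) (bool, error) {
	ok, err := declaresComponents(manifestPath)
	if err != nil || !ok {
		return false, err
	}
	return hasSource(filepath.Dir(manifestPath)), nil
}
```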