MobSF Error: "This ZIP Format is not supported"
Summary
When trying to execute a SAST scan on a large Android project, I got status code (500): {"error": "This ZIP Format is not supported"}.
API Key read from environment variable
[INFO] 07/Nov/2023 08:48:22 - MIME Type: application/octet-stream FILE: archive.zip
[INFO] 07/Nov/2023 08:48:22 - Performing Static Analysis of Android/iOS Source Code
[INFO] [MobSF] [2023-11-07T08:48:22Z] ▶ Starting scan. Type: zip, Upload Hash: 0f1b62f69e225a7d4a2a79e3acea12a4
[INFO] 07/Nov/2023 08:48:22 -
API Key read from environment variable
[INFO] 07/Nov/2023 08:48:22 - Scan Hash: 0f1b62f69e225a7d4a2a79e3acea12a4
[INFO] 07/Nov/2023 08:48:22 - Starting Analysis on: archive.zip
[INFO] 07/Nov/2023 08:48:22 - Extracting ZIP
[INFO] 07/Nov/2023 08:48:22 - Unzipping
[INFO] 07/Nov/2023 08:48:22 - Detecting source code type
[INFO] 07/Nov/2023 08:48:22 - Source code type - studio
[INFO] 07/Nov/2023 08:48:22 - Getting Hardcoded Certificates/Keystores
[INFO] 07/Nov/2023 08:48:22 - Generating Hashes
[INFO] 07/Nov/2023 08:48:22 - Getting AndroidManifest.xml from Source Code
[INFO] 07/Nov/2023 08:48:22 - Parsing AndroidManifest.xml
[INFO] 07/Nov/2023 08:48:22 - Extracting Manifest Data
[INFO] 07/Nov/2023 08:48:22 - Fetching Details from Play Store:
[INFO] 07/Nov/2023 08:48:22 - Manifest Analysis Started
[INFO] 07/Nov/2023 08:48:22 - Guessing icon path
[INFO] 07/Nov/2023 08:48:22 - Code Analysis Started on - java
[INFO] 07/Nov/2023 08:48:23 - Running NIAP Analyzer
[INFO] 07/Nov/2023 08:48:23 - Finished Code Analysis, Email and URL Extraction
[INFO] 07/Nov/2023 08:48:23 - Detecting Firebase URL(s)
[INFO] 07/Nov/2023 08:48:23 - Performing Malware Check on extracted Domains
[INFO] 07/Nov/2023 08:48:23 - Trackers Database is up-to-date
[INFO] 07/Nov/2023 08:48:23 - Detecting Trackers from Domains
[INFO] 07/Nov/2023 08:48:23 - Connecting to Database
[INFO] 07/Nov/2023 08:48:23 - Saving to Database
[INFO] 07/Nov/2023 08:48:23 -
API Key read from environment variable
[INFO] 07/Nov/2023 08:48:23 - MIME Type: application/octet-stream FILE: archive.zip
[INFO] 07/Nov/2023 08:48:23 - Performing Static Analysis of Android/iOS Source Code
[INFO] [MobSF] [2023-11-07T08:48:23Z] ▶ Starting scan. Type: zip, Upload Hash: eef6af3fe2ad083d7eed79d34f2e567e
[INFO] 07/Nov/2023 08:48:23 -
API Key read from environment variable
[INFO] 07/Nov/2023 08:48:23 - Scan Hash: eef6af3fe2ad083d7eed79d34f2e567e
[INFO] 07/Nov/2023 08:48:23 - Starting Analysis on: archive.zip
[INFO] 07/Nov/2023 08:48:23 - Extracting ZIP
[INFO] 07/Nov/2023 08:48:23 - Unzipping
[INFO] 07/Nov/2023 08:48:23 - Detecting source code type
[INFO] 07/Nov/2023 08:48:23 - Source code type -
[INFO] 07/Nov/2023 08:48:23 - Getting Hardcoded Certificates/Keystores
[ERROR] 07/Nov/2023 08:48:23 - This ZIP Format is not supported
[ERROR] 07/Nov/2023 08:48:23 - Internal Server Error: /api/v1/scan
[ERRO] [MobSF] [2023-11-07T08:48:23Z] ▶ Analyzer has exited with error: 'scan failed: scan responded with unexpected status code (500): {"error": "This ZIP Format is not supported"}'. To debug, set 'SECURE_LOG_LEVEL' CI variable to "debug". See https://docs.gitlab.com/ee/user/application_security/#secure-job-failing-with-exit-code-1 for more details.
[FATA] [MobSF] [2023-11-07T08:48:23Z] ▶ scan failed: scan responded with unexpected status code (500): {"error": "This ZIP Format is not supported"}
Steps to reproduce
Run the MobSF scanner for a large project containing Java (Android) code.
Example Project
What is the current bug behavior?
Scan fails with the error "This ZIP Format is not supported"
What is the expected correct behavior?
The MobSF scanner should be able to handle scanning of this project.
Relevant logs above. Internal link to view the --verbose logs.
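An added pre-upload check, written for this report and not part of the issue or of MobSF: the log shows "Source code type -" coming back empty for the second archive right before the error, so it is worth confirming before the CI job uploads an archive that it is a valid ZIP and that it carries the files an Android Studio project is expected to contain. The marker file names and the constructed sample archives are my assumptions, not MobSF's own detection rules.

```python
import io
import zipfile

# Assumed markers of an Android Studio project (my assumption, not MobSF's
# detection logic): a manifest plus a Gradle build file, at any depth.
ANDROID_MARKERS = ("AndroidManifest.xml", "build.gradle", "build.gradle.kts")


def inspect_source_zip(data: bytes) -> dict:
    """Report what a pre-upload check can learn about a source archive.

    Returns a dict with 'valid_zip', 'entries', 'markers' (paths of marker
    files found) and 'looks_android'. Never raises on malformed input.
    """
    result = {"valid_zip": False, "entries": 0, "markers": [], "looks_android": False}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return result
    buf.seek(0)
    try:
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    result["valid_zip"] = True
    result["entries"] = len(names)
    # Match on the final path component so nested module directories count.
    result["markers"] = sorted(n for n in names if n.rsplit("/", 1)[-1] in ANDROID_MARKERS)
    result["looks_android"] = bool(result["markers"])
    return result


def build_sample_zip(with_markers: bool) -> bytes:
    """Constructed sample archive for offline testing (not a real project)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("app/src/main/java/com/example/Main.java", "class Main {}")
        if with_markers:
            zf.writestr("app/src/main/AndroidManifest.xml", "<manifest/>")
            zf.writestr("app/build.gradle", "apply plugin: 'com.android.application'")
    return buf.getvalue()


if __name__ == "__main__":
    # An archive with project markers versus one that only holds Java sources.
    for flag in (True, False):
        print(inspect_source_zip(build_sample_zip(flag)))
```

Running the check against the real archive.zip before the scan job tells you whether the failure is a malformed ZIP or a layout MobSF cannot classify.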
Output of checks
Results of GitLab environment info
Gitlab v16.5.0
[INFO] [MobSF] [2023-11-13T11:18:32Z]