Environment variable `SAST_EXCLUDED_PATHS` is not working for SAST experimental feature (MobSF Analyzer)
Summary
Environment variable SAST_EXCLUDED_PATHS is not working for the SAST experimental feature.
- Scanning Android apps using the MobSF analyzer
Steps to reproduce
.gitlab-ci.yml:
include:
  - template: Security/SAST.gitlab-ci.yml
variables:
  SAST_EXPERIMENTAL_FEATURES: "true"
  # quoted: an unquoted leading "*" is an alias indicator in YAML and does not parse
  SAST_EXCLUDED_PATHS: "**/androidTest"
What is the current bug behavior?
The pipeline job mobsf-android-sast fails.
What is the expected correct behavior?
The pipeline passes, with the MobSF analyzer honouring the exclusion given by the variable SAST_EXCLUDED_PATHS.
Relevant logs and/or screenshots
Logs:
[DEBU] [MobSF] [2023-11-15T22:12:12Z] [/go/pkg/mod/gitlab.com/gitlab-org/security-products/analyzers/command/v2@v2.2.0/run.go:256] ▶ SAST_EXCLUDED_PATHS=**/androidTest
....
[DEBU] [MobSF] [2023-11-15T22:42:37Z] [/go/src/app/analyze.go:246] ▶ About to scan an Android OR iOS binary found at "/builds/app/build/outputs/apk/debug/app-debug-androidTest.apk"
[INFO] [MobSF] [2023-11-15T22:42:37Z] [/go/src/app/analyze.go:110] ▶ Starting scan. Type: apk, Upload Hash: 3b2cdf8b24725ebcd7de48e1607f898b
[INFO] 15/Nov/2023 22:42:37 - API Key read from environment variable
[INFO] 15/Nov/2023 22:42:37 - Scan Hash: 3b2cdf8b24725ebcd7de48e1607f898b
[INFO] 15/Nov/2023 22:42:37 - Starting Analysis on: app-debug-androidTest.apk
[INFO] 15/Nov/2023 22:42:37 - Generating Hashes
[INFO] 15/Nov/2023 22:42:37 - Unzipping
[INFO] 15/Nov/2023 22:42:37 - APK Extracted
[INFO] 15/Nov/2023 22:42:37 - Getting Hardcoded Certificates/Keystores
[INFO] 15/Nov/2023 22:42:37 - Getting AndroidManifest.xml from APK
[INFO] 15/Nov/2023 22:42:37 - Converting AXML to XML
Exception in thread "main" brut.androlib.AndrolibException: arsc files with zero packages or no arsc file found.
at brut.androlib.res.AndrolibResources.loadMainPkg(AndrolibResources.java:84)
at brut.androlib.res.AndrolibResources.getResTable(AndrolibResources.java:56)
at brut.androlib.Androlib.getResTable(Androlib.java:74)
at brut.androlib.ApkDecoder.getResTable(ApkDecoder.java:251)
at brut.androlib.ApkDecoder.decode(ApkDecoder.java:109)
at brut.apktool.Main.cmdDecode(Main.java:175)
at brut.apktool.Main.main(Main.java:79)
[ERROR] 15/Nov/2023 22:42:37 - Getting Manifest file
Traceback (most recent call last):
File "/home/mobsf/Mobile-Security-Framework-MobSF/mobsf/StaticAnalyzer/views/android/manifest_analysis.py", line 918, in get_manifest_apk
subprocess.check_output(args) # lgtm [py/command-line-injection] md5 hash
File "/usr/lib/python3.8/subprocess.py", line 415, in check_output
return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
File "/usr/lib/python3.8/subprocess.py", line 516, in run
raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['/jdk-16.0.1/bin/java', '-jar', '/home/mobsf/Mobile-Security-Framework-MobSF/mobsf/StaticAnalyzer/tools/apktool_2.7.0.jar', '--match-original', '--frame-path', '/tmp', '-f', '-s', 'd', '/root/.MobSF/uploads/3b2cdf8b24725ebcd7de48e1607f898b/3b2cdf8b24725ebcd7de48e1607f898b.apk', '-o', '/root/.MobSF/uploads/3b2cdf8b24725ebcd7de48e1607f898b/apktool_out']' returned non-zero exit status 1.
[ERROR] 15/Nov/2023 22:42:37 - Parsing Manifest file
Traceback (most recent call last):
File "/home/mobsf/Mobile-Security-Framework-MobSF/mobsf/StaticAnalyzer/views/android/manifest_analysis.py", line 41, in get_manifest
mfile = Path(manifest_file)
File "/usr/lib/python3.8/pathlib.py", line 1042, in __new__
self = cls._from_parts(args, init=False)
File "/usr/lib/python3.8/pathlib.py", line 683, in _from_parts
drv, root, parts = self._parse_args(args)
File "/usr/lib/python3.8/pathlib.py", line 667, in _parse_args
a = os.fspath(a)
TypeError: expected str, bytes or os.PathLike object, not NoneType
[ERROR] 15/Nov/2023 22:42:37 - Error Performing Static Analysis
Traceback (most recent call last):
File "/home/mobsf/Mobile-Security-Framework-MobSF/mobsf/StaticAnalyzer/views/android/static_analyzer.py", line 159, in static_analyzer
mani_file, mani_xml = get_manifest(
TypeError: cannot unpack non-iterable NoneType object
[ERROR] 15/Nov/2023 22:42:37 - cannot unpack non-iterable NoneType object
[ERROR] 15/Nov/2023 22:42:37 - Internal Server Error: /api/v1/scan
[FATA] [MobSF] [2023-11-15T22:42:37Z] [/go/src/app/main.go:29] ▶ scan failed: scan responded with unexpected status code (500): {"error": "cannot unpack non-iterable NoneType object"}
Uploading artifacts for failed job
00:01
Cleaning up project directory and file based variables
00:01
ERROR: Job failed: exit code 1
Investigation
Code analysis of the analyzer's git repo: https://gitlab.com/gitlab-org/security-products/analyzers/mobsf.git
Finding 1
My use case falls into case scanKindBinaryAndroid, in which the variable excludedDirs is not processed at all.
func createScanPayload(job scanJob, excludedDirs []string) (file io.Reader, uploadFilename string, err error) {
	switch job.Kind {
	case scanKindManifestAndroidStudio:
		......
		......
	case scanKindManifestAndroidEclipse, scanKindManifestIOS:
		log.Debugf("About to scan an Android Eclipse OR iOS XCode project found at %q...", job.EntrypointPath)
		file, err = createArchive(job.EntrypointPath, excludedDirs)
		if err != nil {
			return nil, "", fmt.Errorf("could not create zip archive of project: %w", err)
		}
		uploadFilename = "archive.zip"
	case scanKindBinaryIOS, scanKindBinaryAndroid:
		log.Debugf("About to scan an Android OR iOS binary found at %q...", job.EntrypointPath)
		file, err = os.Open(job.EntrypointPath)
		if err != nil {
			return nil, "", fmt.Errorf("could not open package file of project: %w", err)
		}
		uploadFilename = filepath.Base(job.EntrypointPath)
	}
	return file, uploadFilename, nil
}
Finding 2
The environment variable SAST_MOBSF_EXCLUDE_DIRS is what defines excludeDirs, and there is no link between this variable and the documented variable SAST_EXCLUDED_PATHS. SAST_MOBSF_EXCLUDE_DIRS should be documented in the GitLab SAST documentation.
func analyzeFlags() []cli.Flag {
	return []cli.Flag{
		&cli.StringSliceFlag{
			Name:    excludeDirs,
			Usage:   "List of directories to exclude from scan",
			EnvVars: []string{"SAST_MOBSF_EXCLUDE_DIRS"},
		},
	}
}
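To make Finding 1 and Finding 2 concrete, the following is an added illustration (not code from the mobsf analyzer or from GitLab) of the check that is missing in the binary branch: the comma-separated value of SAST_EXCLUDED_PATHS is parsed into globs and every discovered binary is tested against them before it is opened and uploaded. The names splitPatterns, IsExcluded and FilterJobs, the treatment of "**" as "zero or more path segments", and the rule that a pattern matching a directory also excludes everything below it are all assumptions made for this example; the artefact paths are constructed, modelled on the one in the log above.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Added illustration, not the analyzer's own code. Assumed semantics:
// SAST_EXCLUDED_PATHS is a comma-separated list of slash-separated globs,
// "**" matches zero or more path segments, and a pattern that matches a
// directory excludes the whole tree beneath it.

// splitPatterns parses the variable value into trimmed, slash-separated globs.
func splitPatterns(value string) []string {
	var out []string
	for _, p := range strings.Split(value, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, filepath.ToSlash(p))
		}
	}
	return out
}

// matchSegments matches path segments against pattern segments. "**" may stand
// for any number of segments; every other segment uses filepath.Match
// semantics ("*", "?", character classes) on a single segment.
func matchSegments(pat, segs []string) bool {
	if len(pat) == 0 {
		return len(segs) == 0
	}
	if pat[0] == "**" {
		// Either "**" consumes nothing, or it swallows one segment and stays.
		if matchSegments(pat[1:], segs) {
			return true
		}
		return len(segs) > 0 && matchSegments(pat, segs[1:])
	}
	if len(segs) == 0 {
		return false
	}
	ok, err := filepath.Match(pat[0], segs[0])
	if err != nil || !ok {
		return false
	}
	return matchSegments(pat[1:], segs[1:])
}

// IsExcluded reports whether relPath (relative to the project root) matches
// any pattern. A pattern without a leading "**" is anchored at the project
// root; a match on any directory prefix of relPath excludes the file too.
func IsExcluded(relPath string, patterns []string) bool {
	segs := strings.Split(strings.Trim(filepath.ToSlash(relPath), "/"), "/")
	for _, p := range patterns {
		pat := strings.Split(strings.Trim(p, "/"), "/")
		for n := 1; n <= len(segs); n++ { // full path and every directory prefix
			if matchSegments(pat, segs[:n]) {
				return true
			}
		}
	}
	return false
}

// FilterJobs is the step the binary branch of createScanPayload lacks: drop
// every discovered binary whose path is excluded and return the rest.
func FilterJobs(paths []string, excludedValue string) []string {
	patterns := splitPatterns(excludedValue)
	var kept []string
	for _, p := range paths {
		if IsExcluded(p, patterns) {
			fmt.Printf("skipping %s (matches SAST_EXCLUDED_PATHS)\n", p)
			continue
		}
		kept = append(kept, p)
	}
	return kept
}

func main() {
	// Constructed artefact paths, relative to the CI project root.
	found := []string{
		"app/build/outputs/apk/debug/app-debug.apk",
		"app/build/outputs/apk/debug/app-debug-androidTest.apk",
		"app/src/androidTest/java/com/example/ExampleTest.java",
	}
	// "**/androidTest" covers the androidTest source directory; the
	// instrumentation APK lives under build/outputs and needs a file glob.
	fmt.Println(FilterJobs(found, "**/androidTest, **/*-androidTest.apk"))
}
```

Under these assumed semantics a directory glob such as "**/androidTest" excludes the androidTest source tree but not an APK named app-debug-androidTest.apk under build/outputs, so whichever variable the analyzer ends up honouring, the pattern has to be written against the path of the binary that is actually uploaded.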
GitLab environment info
GitLab Enterprise Edition v16.4.2-ee