Fix bug caused by empty entrypoints
What does this MR do?
Fixed bug #423542
- handled empty entrypoints in AndroidManifest.xml
- added an integration test for the bug
Bug description:
When the source code is missing in the 'entrypoint' of the project being test, Mobsf cannot handle it correctly and will report an internal error. A test case is a project with only an AndroidManifest.xml
which consists only of an empty <manifest />
element.
Multiple options as suggested in #423542:
- When collecting the AndroidManifest.xml entrypoints, make sure that the manifest refers to actual entrypoints.
- When creating the scan payload, skip entrypoints without any code
- Add a environment variable
SAST_MOBSF_EXCLUDE_ENTRYPOINTS
which allows the user to skip specific entrypoints - Ignore the errors from MobSF service.
Solution: Options 1 & 2 are basically the same in implementation, which fundamentally solve the problem. Option 3 adds some work for the customer, so is the best if we can do options 1 & 2. Option 4 is workaround that wraps the problem, and changes the design of our mobsf wrapper. We go with options 1 & 2 in the fix.
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
-
Changelog entry added -
Documentation created/updated for GitLab EE, if necessary -
Documentation created/updated for this project, if necessary -
Documentation reviewed by technical writer or follow-up review issue created -
Tests updated/added for this feature/bug -
Job definition updated, if necessary -
Conforms to the code review guidelines -
Conforms to the Go guidelines -
Security reports checked/validated by reviewer
Edited by Hua Yan