Only match on Android manifests at MobSF-friendly paths
What does this MR do?
- Removes logic that attempted to reshape the structure of the repository being scanned to conform to MobSF's requirements.
- Adds an integration test spec that executes against an Android project containing two modules. Both modules contain an `AndroidManifest.xml`, but the first module (in lexical order, since that's how the search works) does not contain any vulnerable code. This test confirms that the second module (in the expected `app/src/main/AndroidManifest.xml` location) is used.
This change is a double-edged sword:
- It resolves an issue that prevents Android projects with multiple `AndroidManifest.xml` files from being scanned properly. The previous logic chose the first manifest file it found, which is likely not the main manifest. This results in little to no vulnerabilities being found because the majority of the source code isn't being scanned.
- It removes support for non-standard Android project layouts. Projects that do not have an `AndroidManifest.xml` file in the root (common with Eclipse projects) or at `/app/src/main/AndroidManifest.xml` (the default Android Studio layout) will no longer be scanned. This can happen if the top-level `app` folder is renamed to something else, which can be handy in multi-module projects.
I think this is a worthwhile tradeoff for now, since the previous support for non-standard project layouts would only work in specific cases. The next step would be fleshing out support for multi-module projects that enables each module to be identified and scanned individually, and combined into a single `gl-sast-report.json` artefact.
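As an added illustration (not code from this MR or from the analyzer itself), the following Go program contrasts the two manifest-selection strategies described above: the old "first `AndroidManifest.xml` in lexical order" search, and a match restricted to the two MobSF-friendly paths (repository root and `app/src/main`). The file list, module names and function names are constructed for the example; giving the root manifest precedence over `app/src/main` when both exist is an assumption, not something this MR states.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

// sampleRepo is a constructed file listing for a two-module Android project.
// The library module sorts before "app", so a lexical-first search picks
// the wrong manifest, which is the bug this MR describes.
var sampleRepo = []string{
	"README.md",
	"aardvark-lib/src/main/AndroidManifest.xml",
	"aardvark-lib/src/main/java/com/example/lib/Util.java",
	"app/build.gradle",
	"app/src/main/AndroidManifest.xml",
	"app/src/main/java/com/example/app/MainActivity.java",
}

// mobsfManifestPaths are the only locations the restricted match accepts.
// Order is precedence (an assumption for this example): root first.
var mobsfManifestPaths = []string{
	"AndroidManifest.xml",
	"app/src/main/AndroidManifest.xml",
}

// firstManifestLexical mimics the previous behaviour: walk every file in
// lexical order and return the first AndroidManifest.xml encountered,
// wherever it lives in the tree.
func firstManifestLexical(files []string) (string, bool) {
	sorted := append([]string(nil), files...)
	sort.Strings(sorted)
	for _, f := range sorted {
		if path.Base(f) == "AndroidManifest.xml" {
			return f, true
		}
	}
	return "", false
}

// matchMobSFManifest returns a manifest only if it sits at one of the
// accepted paths. A manifest in a renamed or extra module is ignored,
// which is the tradeoff the MR calls out.
func matchMobSFManifest(files []string) (string, bool) {
	present := make(map[string]bool, len(files))
	for _, f := range files {
		present[path.Clean(f)] = true
	}
	for _, p := range mobsfManifestPaths {
		if present[p] {
			return p, true
		}
	}
	return "", false
}

func main() {
	old, _ := firstManifestLexical(sampleRepo)
	fmt.Println("lexical-first picks:", old)

	if m, ok := matchMobSFManifest(sampleRepo); ok {
		fmt.Println("MobSF-friendly match picks:", m)
	}

	// Renamed top-level module: no longer matched, so nothing would be scanned.
	renamed := []string{"mobile/src/main/AndroidManifest.xml"}
	if _, ok := matchMobSFManifest(renamed); !ok {
		fmt.Println("renamed module layout: no manifest matched")
	}
}
```

Running it shows the lexical search choosing `aardvark-lib/src/main/AndroidManifest.xml`, the restricted match choosing `app/src/main/AndroidManifest.xml`, and a project whose `app` folder was renamed to `mobile` matching nothing at all.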
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Lucas Charles