Only match on Android manifests at MobSF-friendly paths

James Liu requested to merge jliu-android-manifest into master

What does this MR do?

  • Removes logic that attempted to reshape the structure of the repository being scanned to conform to MobSF's requirements.
  • Adds an integration test spec that executes against an Android project containing two modules. Both modules contain an AndroidManifest.xml but the first module (in lexical order, since that's how the search works) does not contain any vulnerable code. This test confirms that the second module (in the expected app/src/main/AndroidManifest.xml location) is used.

This change is a double-edged sword:

  1. It resolves an issue that prevents Android projects with multiple AndroidManifest.xml files from being scanned properly. The previous logic chose the first manifest file it found, which is likely not the main manifest. This results in little to no vulnerabilities being found because the majority of the source code isn't being scanned.
  2. It removes support for non-standard Android project layouts. Projects that do not have an AndroidManifest.xml file in the root (common with Eclipse projects) or at /app/src/main/AndroidManifest.xml (the default Android Studio layout) will no longer be scanned. This can happen if the top-level app folder is renamed to something else, which can be handy in multi-module projects.

I think this is a worthwhile tradeoff for now, since the previous support for non-standard project layouts would only work in specific cases. The next step would be fleshing out support for multi-module projects that enables each module to be identified and scanned individually, and combined into a single gl-sast-report.json artefact.

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?

Edited by Lucas Charles
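As an added illustration of the two lookup strategies this merge request contrasts (not code from the analyzer or from this MR), the following Go program checks only the two fixed, MobSF-friendly locations (repository root and `app/src/main/AndroidManifest.xml`) and compares that with the previous "first manifest in lexical order" behaviour. `FindManifest`, `FirstManifestLexical`, `BuildFixture`, the module name `aaa-library` and the manifest contents are all constructed for this example; the candidate list is an assumption based on the layouts the description names.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// manifestCandidates lists the repository-relative paths the analyzer accepts.
// Assumed to mirror the "MobSF-friendly paths" the merge request refers to:
// the repository root (Eclipse-style layout) and the default Android Studio
// app module. Any other location is deliberately not matched.
var manifestCandidates = []string{
	"AndroidManifest.xml",
	filepath.Join("app", "src", "main", "AndroidManifest.xml"),
}

// ErrNoManifest is returned when no supported location contains a manifest.
var ErrNoManifest = errors.New("no AndroidManifest.xml at a supported path")

// FindManifest checks the fixed candidate paths in order and returns the first
// one that exists as a regular file. It never walks the tree, so a library
// module that happens to sort first cannot shadow the app module.
func FindManifest(root string) (string, error) {
	for _, rel := range manifestCandidates {
		info, err := os.Stat(filepath.Join(root, rel))
		if err == nil && !info.IsDir() {
			return rel, nil
		}
	}
	return "", ErrNoManifest
}

// FirstManifestLexical reproduces the behaviour the MR removes, for
// comparison: walk the whole repository and take the lexically first
// AndroidManifest.xml, whichever module it belongs to.
func FirstManifestLexical(root string) (string, error) {
	var found []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.IsDir() && d.Name() == "AndroidManifest.xml" {
			rel, relErr := filepath.Rel(root, p)
			if relErr != nil {
				return relErr
			}
			found = append(found, rel)
		}
		return nil
	})
	if err != nil {
		return "", err
	}
	if len(found) == 0 {
		return "", ErrNoManifest
	}
	sort.Strings(found) // WalkDir is already lexical; sort makes the intent explicit
	return found[0], nil
}

// BuildFixture creates a constructed two-module project in a temp directory:
// a library module whose name sorts before "app", and the app module at the
// default Android Studio location. The caller removes the directory.
func BuildFixture() (string, error) {
	root, err := os.MkdirTemp("", "android-fixture-*")
	if err != nil {
		return "", err
	}
	files := []string{
		filepath.Join("aaa-library", "src", "main", "AndroidManifest.xml"),
		filepath.Join("app", "src", "main", "AndroidManifest.xml"),
	}
	for _, rel := range files {
		full := filepath.Join(root, rel)
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return "", err
		}
		// Constructed minimal manifest; content is irrelevant to path selection.
		if err := os.WriteFile(full, []byte(`<manifest package="example"/>`), 0o644); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	newSel, _ := FindManifest(root)
	oldSel, _ := FirstManifestLexical(root)
	fmt.Println("fixed-path lookup :", newSel)
	fmt.Println("lexical-first walk:", oldSel)
}
```

Running it shows the fixed-path lookup picking `app/src/main/AndroidManifest.xml` while the lexical walk picks the library module's manifest, which is the mis-selection the description attributes to the old logic; a repository with the app module renamed returns `ErrNoManifest`, which is the trade-off the description calls out.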