mobsfscan

mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. It supports Java, Kotlin, Swift, and Objective-C code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and the libsast pattern matcher.

Support mobsfscan

Donate to MobSF

If you liked mobsfscan and find it useful, please consider donating.

e-Learning Courses & Certifications

MobSF Course Automated Mobile Application Security Assessment with MobSF -MAS

Android Security Tools Course Android Security Tools Expert -ATX

Installation

pip install mobsfscan

Requires Python 3.6+

Command Line Options

$ mobsfscan
usage: mobsfscan [-h] [--json] [--sarif] [--sonarqube] [--html] [-o OUTPUT] [-c CONFIG] [-w] [-v] [path [path ...]]

positional arguments:
  path                  Path can be file(s) or directories with source code

optional arguments:
  -h, --help            show this help message and exit
  --json                set output format as JSON
  --sarif               set output format as SARIF 2.1.0
  --sonarqube           set output format compatible with SonarQube
  --html                set output format as HTML
  -o OUTPUT, --output OUTPUT
                        output filename to save the result
  -c CONFIG, --config CONFIG
                        Location to .mobsf config file
  -w, --exit-warning    non zero exit code on warning
  -v, --version         show mobsfscan version

Example Usage

$ mobsfscan tests/assets/src/
- Pattern Match ████████████████████████████████████████████████████████████ 3
- Semantic Grep ██████ 37

mobsfscan: v0.0.2 | Ajin Abraham | opensecurity.in
╒══════════════╤════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╕
│ RULE ID      │ android_webview_ignore_ssl                                                                                                                             │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ DESCRIPTION  │ Insecure WebView Implementation. WebView ignores SSL Certificate errors and accept any SSL Certificate. This application is vulnerable to MITM attacks │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ TYPE         │ RegexAnd                                                                                                                                               │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ PATTERN      │ ['onReceivedSslError\\(WebView', '\\.proceed\\(\\);']                                                                                                  │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ SEVERITY     │ ERROR                                                                                                                                                   │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ INPUTCASE    │ exact                                                                                                                                                  │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVSS         │ 7.4                                                                                                                                                    │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CWE          │ CWE-295 Improper Certificate Validation                                                                                                                │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ OWASP-MOBILE │ M3: Insecure Communication                                                                                                                             │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ MASVS        │ MSTG-NETWORK-3                                                                                                                                         │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ REF          │ https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification                │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ FILES        │ ╒════════════════╤═════════════════════════════════════════════════════════════════════════════════════════════╕                                       │
│              │ │ File           │ ../test_files/android_src/app/src/main/java/opensecurity/webviewignoressl/MainActivity.java │                                       │
│              │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│              │ │ Match Position │ 1480 - 1491                                                                                 │                                       │
│              │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│              │ │ Line Number(s) │ 50                                                                                          │                                       │
│              │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│              │ │ Match String   │ .proceed();                                                                                 │                                       │
│              │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│              │ │ File           │ ../test_files/android_src/app/src/main/java/opensecurity/webviewignoressl/MainActivity.java │                                       │
│              │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│              │ │ Match Position │ 1331 - 1357                                                                                 │                                       │
│              │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│              │ │ Line Number(s) │ 46                                                                                          │                                       │
│              │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│              │ │ Match String   │ onReceivedSslError(WebView                                                                  │                                       │
│              │ ╘════════════════╧═════════════════════════════════════════════════════════════════════════════════════════════╛                                       │
╘══════════════╧════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╛

Python API

>>> from mobsfscan.mobsfscan import MobSFScan
>>> src = 'tests/assets/src/java/java_vuln.java'
>>> scanner = MobSFScan([src], json=True)
>>> scanner.scan()
{
    'results': {
        'android_logging': {
            'files': [{
                'file_path': 'tests/assets/src/java/java_vuln.java',
                'match_position': (13, 73),
                'match_lines': (19, 19),
                'match_string': '            Log.d("htbridge", "getAllRecords(): " + records.toString());'
            }],
            'metadata': {
                'cwe': 'CWE-532 Insertion of Sensitive Information into Log File',
                'owasp-mobile': 'M1: Improper Platform Usage',
                'masvs': 'MSTG-STORAGE-3',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs',
                'description': 'The App logs information. Please ensure that sensitive information is never logged.',
                'severity': 'INFO'
            }
        },
        'android_certificate_pinning': {
            'metadata': {
                'cwe': 'CWE-295 Improper Certificate Validation',
                'owasp-mobile': 'M3: Insecure Communication',
                'masvs': 'MSTG-NETWORK-4',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4',
                'description': 'This App does not use TLS/SSL certificate or public key pinning to detect or prevent MITM attacks in secure communication channel.',
                'severity': 'INFO'
            }
        },
        'android_root_detection': {
            'metadata': {
                'cwe': 'CWE-919 - Weaknesses in Mobile Applications',
                'owasp-mobile': 'M8: Code Tampering',
                'masvs': 'MSTG-RESILIENCE-1',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1',
                'description': 'This App does not have root detection capabilities. Running a sensitive application on a rooted device questions the device integrity and affects users data.',
                'severity': 'INFO'
            }
        },
        'android_prevent_screenshot': {
            'metadata': {
                'cwe': 'CWE-200 Information Exposure',
                'owasp-mobile': 'M2: Insecure Data Storage',
                'masvs': 'MSTG-STORAGE-9',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#finding-sensitive-information-in-auto-generated-screenshots-mstg-storage-9',
                'description': 'This App does not have capabilities to prevent against Screenshots from Recent Task History/ Now On Tap etc.',
                'severity': 'INFO'
            }
        },
        'android_safetynet_api': {
            'metadata': {
                'cwe': 'CWE-353 Missing Support for Integrity Check',
                'owasp-mobile': 'M8: Code Tampering',
                'masvs': 'MSTG-RESILIENCE-1',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1',
                'description': "This App does not uses SafetyNet Attestation API that provides cryptographically-signed attestation, assessing the device's integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device. ",
                'severity': 'INFO'
            }
        },
        'android_detect_tapjacking': {
            'metadata': {
                'cwe': 'CWE-200 Information Exposure',
                'owasp-mobile': 'M1: Improper Platform Usage',
                'masvs': 'MSTG-PLATFORM-9',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-for-overlay-attacks-mstg-platform-9',
                'description': "This app does not has capabilities to prevent tapjacking attacks. An attacker can hijack the user's taps and tricks him into performing some critical operations that he did not intend to.",
                'severity': 'INFO'
            }
        }
    },
    'errors': []
}

Configure mobsfscan

A .mobsf file in the root of the source code directory allows you to configure mobsfscan. You can also point mobsfscan at a custom .mobsf file with the --config argument.

---
- ignore-filenames:
  - skip.java

  ignore-paths:
  - __MACOSX
  - skip_dir

  ignore-rules:
  - android_kotlin_logging
  - android_safetynet_api
  - android_prevent_screenshot
  - android_detect_tapjacking
  - android_certificate_pinning
  - android_root_detection
  - android_certificate_transparency

  severity-filter:
  - WARNING
  - ERROR

Suppress Findings

You can suppress findings from source files by adding the comment // mobsf-ignore: rule_id1, rule_id2 to the line that triggers the finding.

Example:

String password = "strong password"; // mobsf-ignore: hardcoded_password
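How a line-level suppression is resolved against the results structure returned by the Python API, as an added illustration of the documented behaviour and not mobsfscan's own implementation; the sample source file, path and findings below are constructed:

```python
import re
from typing import Dict, List, Set

# The documented suppression syntax: // mobsf-ignore: rule_id1, rule_id2
IGNORE_RE = re.compile(r'//\s*mobsf-ignore:\s*(?P<rules>[\w, -]+)')


def ignored_rules(line: str) -> Set[str]:
    """Return the rule ids named in a mobsf-ignore comment on this source line."""
    match = IGNORE_RE.search(line)
    if not match:
        return set()
    return {r.strip() for r in match.group('rules').split(',') if r.strip()}


def apply_suppressions(results: dict, sources: Dict[str, List[str]]) -> dict:
    """Drop file matches whose triggering line(s) carry a mobsf-ignore comment
    naming the rule. Rules left with no file matches are dropped entirely;
    metadata-only findings (no 'files' key, e.g. missing certificate pinning)
    cannot be suppressed by a source comment and pass through unchanged.
    `sources` maps file_path -> source lines; match_lines is 1-indexed."""
    kept = {}
    for rule_id, data in results['results'].items():
        files = data.get('files')
        if files is None:
            kept[rule_id] = data
            continue
        remaining = []
        for finding in files:
            start, end = finding['match_lines']
            lines = sources.get(finding['file_path'], [])
            suppressed = any(
                rule_id in ignored_rules(lines[n - 1])
                for n in range(start, end + 1) if 0 < n <= len(lines))
            if not suppressed:
                remaining.append(finding)
        if remaining:
            kept[rule_id] = dict(data, files=remaining)
    return {'results': kept, 'errors': results.get('errors', [])}


# Constructed sample: a three-line Java file (hypothetical path) and the findings
# a scan would report for it, in the shape shown in the Python API section.
SAMPLE_PATH = 'app/src/main/java/Example.java'
SAMPLE_SOURCES = {SAMPLE_PATH: [
    'public class Example {',
    '    String password = "strong password"; // mobsf-ignore: hardcoded_password',
    '    void log() { Log.d("tag", "secret=" + password); }',
]}
SAMPLE_RESULTS = {
    'results': {
        'hardcoded_password': {
            'files': [{'file_path': SAMPLE_PATH, 'match_position': (4, 42),
                       'match_lines': (2, 2),
                       'match_string': 'String password = "strong password";'}],
            'metadata': {'severity': 'WARNING',
                         'cwe': 'CWE-798 Use of Hard-coded Credentials'},
        },
        'android_logging': {
            'files': [{'file_path': SAMPLE_PATH, 'match_position': (17, 52),
                       'match_lines': (3, 3),
                       'match_string': 'Log.d("tag", "secret=" + password);'}],
            'metadata': {'severity': 'INFO',
                         'cwe': 'CWE-532 Insertion of Sensitive Information into Log File'},
        },
        'android_certificate_pinning': {
            'metadata': {'severity': 'INFO',
                         'cwe': 'CWE-295 Improper Certificate Validation'},
        },
    },
    'errors': [],
}


def suppress_sample() -> dict:
    """Run the suppression over the constructed sample."""
    return apply_suppressions(SAMPLE_RESULTS, SAMPLE_SOURCES)


if __name__ == '__main__':
    # The hardcoded_password match is suppressed; logging and the
    # metadata-only pinning finding remain.
    for rule_id, data in suppress_sample()['results'].items():
        print(rule_id, data['metadata']['severity'], len(data.get('files', [])))
```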

CI/CD Integrations

You can enable mobsfscan in your CI/CD or DevSecOps pipelines.

Github Action

Add the following to the file .github/workflows/mobsfscan.yml.

name: mobsfscan

on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: mobsfscan
      uses: MobSF/mobsfscan@main
      with:
        args: '. --json'

Github Code Scanning Integration

Add the following to the file .github/workflows/mobsfscan_sarif.yml.

name: mobsfscan sarif
on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]

jobs:
  mobsfscan:
    runs-on: ubuntu-latest
    name: mobsfscan code scanning
    steps:
    - name: Checkout the code
      uses: actions/checkout@v2
    - name: mobsfscan
      uses: MobSF/mobsfscan@main
      with:
        args: '. --sarif --output results.sarif || true'
    - name: Upload mobsfscan report
      uses: github/codeql-action/upload-sarif@v1
      with:
        sarif_file: results.sarif

Gitlab CI/CD

Add the following to the file .gitlab-ci.yml.

stages:
    - test
mobsfscan:
    image: python
    before_script:
        - pip3 install --upgrade mobsfscan
    script:
        - mobsfscan .

Travis CI

Add the following to the file .travis.yml.

language: python
install:
    - pip3 install --upgrade mobsfscan
script:
    - mobsfscan .

Circle CI

Add the following to the file .circleci/config.yaml.

version: 2.1
jobs:
  mobsfscan:
    docker:
      - image: cimg/python:3.9.6
    steps:
      - checkout
      - run:
          name: Install mobsfscan
          command: pip install --upgrade mobsfscan
      - run:
           name: mobsfscan check
           command: mobsfscan .

Docker

Prebuilt image from DockerHub

docker pull opensecurity/mobsfscan
docker run -v /path-to-source-dir:/src opensecurity/mobsfscan /src

Build Locally

docker build -t mobsfscan .
docker run -v /path-to-source-dir:/src mobsfscan /src

Comments
  • Sonarqube report invalid location

    Some vulnerabilities do not have a location, which is rejected by sonar:

    {
          "engineId": "mobsfscan",
          "primaryLocation": null,
          "ruleId": "android_prevent_screenshot",
          "severity": "INFO",
          "type": "VULNERABILITY"
        },
        {
          "engineId": "mobsfscan",
          "primaryLocation": null,
          "ruleId": "android_root_detection",
          "severity": "INFO",
          "type": "VULNERABILITY"
        },
        {
          "engineId": "mobsfscan",
          "primaryLocation": null,
          "ruleId": "android_detect_tapjacking",
          "severity": "INFO",
          "type": "VULNERABILITY"
        },
        {
          "engineId": "mobsfscan",
          "primaryLocation": null,
          "ruleId": "android_certificate_pinning",
          "severity": "INFO",
          "type": "VULNERABILITY"
        },
        {
          "engineId": "mobsfscan",
          "primaryLocation": null,
          "ruleId": "android_safetynet_api",
          "severity": "INFO",
          "type": "VULNERABILITY"
        },
        {
          "engineId": "mobsfscan",
          "primaryLocation": null,
          "ruleId": "android_certificate_transparency",
          "severity": "INFO",
          "type": "VULNERABILITY"
        }
    

    Issues with no file location should either be removed or use a generic location.

    opened by LeoLogeart 8
  • Sonarqube report invalid columns

    The startColumn and endColumn attributes of the sonarqube json output are respectively the start index and end index of the vulnerabilities. Sonar is thus unable to import the vulnerabilities. The start and end column should be added to libsast in order to easily get this value in mobsfscan.

    opened by LeoLogeart 6
  • Filter rules pre-scan

    Currently, rules are filtered after the scan - meaning that a lot of unnecessary processing is done. For my Android codebase the semgrep rules run very slowly.

    It would be nice to have the ability to filter out rules prior to execution. I'm not sure if this should be an addition option, or if the current filter mode should be updated.

    opened by kiwiz 4
  • Include CWE information in rule tags for sarif output

    While CWE-related metadata is included within the source code rules, it does not make its way into the SARIF results. By making this change, if SARIF results are uploaded to GitHub Code Scanning, an alert is decorated with the appropriate CWE, and CWEs become tags that can be searched.

    opened by david-wiggs 3
  • Kotlin and Swift scans returning different codes.

    Hi, I have been digging for a while and I have not been able to find the reason why when running mobsf with a swift project, the return code is 0, and when I do it with a kotlin project, the return code is 1, even though it seems to run successfully.

    I have a docker container which clones the mobile repos and runs mobsf. I am currently calling it with the python module subprocess like this:

    process = subprocess.run(
        "mobsfscan --sarif -o report.sarif <mobilerepo>",
        shell=True, capture_output=True, universal_newlines=True, timeout=None
    )

    and when I look at the process.returncode I get 1 for the kotlin project and 0 for the swift project, even though both scans seem to run successfully. Unfortunately, I am not able to share the projects, but I was wondering if it is something that is happening at the mobsf sourcecode level, or something that I'm doing wrong.

    Thanks in advance!

    opened by OlivettiOriana 3
  • Sonarqube primary location information

    As discussed on #20, instead of returning an empty primary location we return a primary location with an empty file path; this way it's possible to manipulate this information outside mobsfscan, for example using bash to replace the file path with your own file path.

    opened by fnxpt 3
  • Scans in json format are not reproducible

    When scanning the same source tree multiple times and using json output format, the results each time are coming in different order which makes it impossible to diff.

    Steps to repro:

    1. git clone https://github.com/google/ground-android
    2. cd ground-android
    3. for i in {1..20}; do mobsfscan --json . > ../$i.mobsf; done
    4. cd ..
    5. md5sum *.mobsf
    6. some scan results will be different

    The issue is that findings are dumped inside the "files": [ array. The same set of issues found may come in a different order, causing the results to look different.

    Actual behavior: findings are numbered and may come in different order on each run

    Expected behavior: reproducible scan, when multiple runs produce the same results in the same order

    opened by antnks 3
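One way to make successive JSON scans diffable on the consumer side, as an added example that is not part of the issue above or of mobsfscan itself: sort each rule's files list by path and match location before serializing, then hash the stable serialization. The two runs below are constructed to show the same findings in different order.

```python
import hashlib
import json
from copy import deepcopy


def _finding_key(finding: dict):
    # Sort on the stable attributes of a match. The Python API yields tuples and
    # JSON output yields lists, so normalise both shapes to tuples.
    return (finding.get('file_path', ''),
            tuple(finding.get('match_lines', ())),
            tuple(finding.get('match_position', ())),
            finding.get('match_string', ''))


def canonicalize(results: dict) -> dict:
    """Return a copy of a mobsfscan results dict in which every 'files' list is
    sorted by file path and match location, so the order in which findings were
    discovered no longer affects the output. The input is left untouched."""
    out = deepcopy(results)
    for data in out.get('results', {}).values():
        files = data.get('files')
        if files:
            files.sort(key=_finding_key)
    return out


def stable_json(results: dict) -> str:
    """Serialize canonical results with sorted keys and fixed formatting."""
    return json.dumps(canonicalize(results), sort_keys=True, indent=2)


def fingerprint(results: dict) -> str:
    """SHA-256 of the stable serialization; equal for runs with the same findings."""
    return hashlib.sha256(stable_json(results).encode('utf-8')).hexdigest()


# Constructed sample: two runs over the same tree that found the same two matches
# for one rule but reported them in different order (the symptom described above).
_META = {'severity': 'INFO',
         'cwe': 'CWE-532 Insertion of Sensitive Information into Log File'}
_A = {'file_path': 'app/A.java', 'match_position': [13, 40],
      'match_lines': [19, 19], 'match_string': 'Log.d("tag", a);'}
_B = {'file_path': 'app/B.java', 'match_position': [5, 30],
      'match_lines': [7, 7], 'match_string': 'Log.d("tag", b);'}
RUN_1 = {'results': {'android_logging': {'files': [_A, _B], 'metadata': _META}},
         'errors': []}
RUN_2 = {'results': {'android_logging': {'files': [_B, _A], 'metadata': _META}},
         'errors': []}


def runs_match() -> bool:
    """True when the two runs fingerprint identically after canonicalization."""
    return fingerprint(RUN_1) == fingerprint(RUN_2)


if __name__ == '__main__':
    print('raw JSON equal:', json.dumps(RUN_1) == json.dumps(RUN_2))
    print('canonical JSON equal:', runs_match())
```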
  • Link to documentation for rules (re-open)

    My first scan reported four issues, which sound irrelevant, but I cannot find out what they actually mean. There should be a link in, e.g. ‘This app does not have Jailbreak detection capabilities’ to what the rule means and why I should worry; but not even a DuckDuckGo or Google search for ‘"mobsf" "ios_jailbreak_detect"’ turned up anything.

    opened by FlashSheridan 3
  • remove columns

    scanner.scan() results are retrieving wrong numbers for the columns; until we find the issue with the columns we can remove this (columns are not mandatory).

    opened by fnxpt 3
  • mobsfscan doesn't work on Windows

    Whenever trying to run mobsfscan on Windows (10) the Semantic Grep step fails with a traceback:

    C:\src\audience-network\samples\android\AdUnitsSample\src\main\java\com\facebook\samples\AdUnitsSample>mobsfscan SampleListActivity.java
    - Pattern Match ████████████████████████████████████████████████████████████ 1
    - Semantic Grep  0
    Traceback (most recent call last):
      File "c:\program files (x86)\python38-32\lib\runpy.py", line 192, in _run_module_as_main
        return _run_code(code, main_globals, None,
      File "c:\program files (x86)\python38-32\lib\runpy.py", line 85, in _run_code
        exec(code, run_globals)
      File "C:\Users\me\AppData\Roaming\Python\Python38\Scripts\mobsfscan.exe\__main__.py", line 7, in <module>
      File "C:\Users\me\AppData\Roaming\Python\Python38\site-packages\mobsfscan\__main__.py", line 65, in main
        scan_results = MobSFScan(
      File "C:\Users\me\AppData\Roaming\Python\Python38\site-packages\mobsfscan\mobsfscan.py", line 78, in scan
        result = scanner.scan()
      File "C:\Users\me\AppData\Roaming\Python\Python38\site-packages\libsast\scanner.py", line 64, in scan
        results['semantic_grep'] = SemanticGrep(
      File "C:\Users\me\AppData\Roaming\Python\Python38\site-packages\libsast\core_sgrep\semantic_sgrep.py", line 37, in scan
        self.format_output(sgrep_out)
      File "C:\Users\me\AppData\Roaming\Python\Python38\site-packages\libsast\core_sgrep\semantic_sgrep.py", line 42, in format_output
        self.findings['errors'] = results['errors']
    TypeError: 'NoneType' object is not subscriptable
    
    opened by nibarius 3
  • Error !!! TypeError: 'NoneType' object is not subscriptable

    • Pattern Match ████████████████████████████████████████████████████████████ 8
    - Semantic Grep 1
    Traceback (most recent call last):
      File "c:\users\amitp\appdata\local\programs\python\python39\lib\runpy.py", line 197, in _run_module_as_main
        return _run_code(code, main_globals, None,
      File "c:\users\amitp\appdata\local\programs\python\python39\lib\runpy.py", line 87, in _run_code
        exec(code, run_globals)
      File "C:\Users\amitp\AppData\Local\Programs\Python\Python39\Scripts\mobsfscan.exe\__main__.py", line 7, in <module>
      File "c:\users\amitp\appdata\local\programs\python\python39\lib\site-packages\mobsfscan\__main__.py", line 65, in main
        scan_results = MobSFScan(
      File "c:\users\amitp\appdata\local\programs\python\python39\lib\site-packages\mobsfscan\mobsfscan.py", line 79, in scan
        result = scanner.scan()
      File "c:\users\amitp\appdata\local\programs\python\python39\lib\site-packages\libsast\scanner.py", line 64, in scan
        results['semantic_grep'] = SemanticGrep(
      File "c:\users\amitp\appdata\local\programs\python\python39\lib\site-packages\libsast\core_sgrep\semantic_sgrep.py", line 41, in scan
        self.format_output(sgrep_out)
      File "c:\users\amitp\appdata\local\programs\python\python39\lib\site-packages\libsast\core_sgrep\semantic_sgrep.py", line 46, in format_output
        self.findings['errors'] = results['errors']
    TypeError: 'NoneType' object is not subscriptable

    opened by effortlessdevsec 2
  • Add CodeQL workflow for GitHub code scanning

    Hi MobSF/mobsfscan!

    This is a one-off automatically generated pull request from LGTM.com :robot:. You might have heard that we’ve integrated LGTM’s underlying CodeQL analysis engine natively into GitHub. The result is GitHub code scanning!

    With LGTM fully integrated into code scanning, we are focused on improving CodeQL within the native GitHub code scanning experience. In order to take advantage of current and future improvements to our analysis capabilities, we suggest you enable code scanning on your repository. Please take a look at our blog post for more information.

    This pull request enables code scanning by adding an auto-generated codeql.yml workflow file for GitHub Actions to your repository — take a look! We tested it before opening this pull request, so all should be working :heavy_check_mark:. In fact, you might already have seen some alerts appear on this pull request!

    Where needed and if possible, we’ve adjusted the configuration to the needs of your particular repository. But of course, you should feel free to tweak it further! Check this page for detailed documentation.

    Questions? Check out the FAQ below!

    FAQ

    How often will the code scanning analysis run?

    By default, code scanning will trigger a scan with the CodeQL engine on the following events:

    • On every pull request — to flag up potential security problems for you to investigate before merging a PR.
    • On every push to your default branch and other protected branches — this keeps the analysis results on your repository’s Security tab up to date.
    • Once a week at a fixed time — to make sure you benefit from the latest updated security analysis even when no code was committed or PRs were opened.

    What will this cost?

    Nothing! The CodeQL engine will run inside GitHub Actions, making use of your unlimited free compute minutes for public repositories.

    What types of problems does CodeQL find?

    The CodeQL engine that powers GitHub code scanning is the exact same engine that powers LGTM.com. The exact set of rules has been tweaked slightly, but you should see almost exactly the same types of alerts as you were used to on LGTM.com: we’ve enabled the security-and-quality query suite for you.

    How do I upgrade my CodeQL engine?

    No need! New versions of the CodeQL analysis are constantly deployed on GitHub.com; your repository will automatically benefit from the most recently released version.

    The analysis doesn’t seem to be working

    If you get an error in GitHub Actions that indicates that CodeQL wasn’t able to analyze your code, please follow the instructions here to debug the analysis.

    How do I disable LGTM.com?

    If you have LGTM’s automatic pull request analysis enabled, then you can follow these steps to disable the LGTM pull request analysis. You don’t actually need to remove your repository from LGTM.com; it will automatically be removed in the next few months as part of the deprecation of LGTM.com (more info here).

    Which source code hosting platforms does code scanning support?

    GitHub code scanning is deeply integrated within GitHub itself. If you’d like to scan source code that is hosted elsewhere, we suggest that you create a mirror of that code on GitHub.

    How do I know this PR is legitimate?

    This PR is filed by the official LGTM.com GitHub App, in line with the deprecation timeline that was announced on the official GitHub Blog. The proposed GitHub Action workflow uses the official open source GitHub CodeQL Action. If you have any other questions or concerns, please join the discussion here in the official GitHub community!

    I have another question / how do I get in touch?

    Please join the discussion here to ask further questions and send us suggestions!

    opened by lgtm-com[bot] 0
  • Include `security-severity` as property of each rule

    Overview

    This PR includes changes to support the security-severity property of a given code scanning alert. By doing this, a given alert will be assigned a severity of low, medium, high, or critical.

    Details

    To calculate the security-severity of an alert, first all the CVEs reported by the CWE assigned to the given rule are grouped. Then the 75th percentile of the CVSS score for those CVEs is calculated.

    The data files from https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz (replacing 2020 with the years 2004-2020) are used to get a list of CVEs for a CWE. This list is then sorted by score (ascending), and the 75th percentile score of that list is used as the rule security-severity. Numerical scores translate to the below severities in the Security tab.

    Severity | Score Range
    -- | --
    None | 0.0
    Low | 0.1 – 3.9
    Medium | 4.0 – 6.9
    High | 7.0 – 8.9
    Critical | 9.0 – 10.0

    Notes

    In some cases a given CWE does not have any particular CVEs associated with it. This is likely due to the CWE being a parent or reference for others. In particular CWE-919 is a commonly referenced CWE in mobsfscan rules, but does not have any CVEs associated with it. In this case, a security-severity of 6.5 is assigned.

    opened by david-wiggs 3
  • Rules for the manifest and network-security-config files

    I noticed that the full framework has rules dealing with the network-security-config.xml file, which are implemented in Python and seem to not be included in mobsfscan (unless mobsfscan somehow includes the relevant stuff from the full framework and I missed this). I just wanted to let you know that I just submitted a few basic rules for these file types to the semgrep-rules repository. If these are also of interest to mobsfscan, you are very welcome to use them as well.

    Note: They rely on the generic parser as no specialized XML parser exists. This means, for example, that "..." only matches up to 10 lines. Thus, the rules may fail for very long network-security-config files and are generally not 100% reliable.

    If this type of linting is already supported by mobsfscan, feel free to simply close this issue.

    opened by malexmave 1
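An added example of the kind of network_security_config.xml linting this issue is about, written against a real XML parser rather than semgrep's generic mode, so the 10-line limit of the generic `...` pattern noted above does not apply. This is not mobsfscan's code and not the rules submitted to the semgrep-rules repository; the three checks (cleartext traffic permitted, user-installed CAs trusted, user CAs under debug-overrides) are this example's own selection, and the sample config is constructed.

```python
"""Added example (not mobsfscan's code, not the semgrep rules from the
issue): lint an Android network_security_config.xml with ElementTree.
A real parser sees the whole element regardless of how many lines it
spans, unlike a generic-mode '...' pattern."""
from collections import namedtuple
import xml.etree.ElementTree as ET

Finding = namedtuple("Finding", "rule_id severity location message")

# Constructed sample config that triggers each check once.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">example.com</domain>
    </domain-config>
    <debug-overrides>
        <trust-anchors><certificates src="user"/></trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def _walk(elem, path=""):
    """Depth-first walk yielding (xpath-like location, element)."""
    path = f"{path}/{elem.tag}"
    yield path, elem
    for child in elem:
        yield from _walk(child, path)


def lint_network_security_config(xml_text):
    """Return a Finding for each weak setting in the config text."""
    root = ET.fromstring(xml_text)
    if root.tag != "network-security-config":
        raise ValueError(f"unexpected root element <{root.tag}>")
    findings = []
    for location, elem in _walk(root):
        if elem.tag in ("base-config", "domain-config"):
            if elem.get("cleartextTrafficPermitted", "").lower() == "true":
                # domain-config lists its domains as children; base-config
                # applies to every connection not covered by a domain-config.
                domains = [d.text.strip() for d in elem.findall("domain") if d.text]
                scope = ", ".join(domains) if domains else "all connections"
                findings.append(Finding(
                    "nsc_cleartext_permitted", "warning", location,
                    f"cleartext (HTTP) traffic permitted for {scope}"))
        elif elem.tag == "certificates" and elem.get("src") == "user":
            if "/debug-overrides/" in location:
                # debug-overrides only take effect when the app is debuggable,
                # so this is worth a look but not a production finding.
                findings.append(Finding(
                    "nsc_debug_user_certs", "info", location,
                    "user-installed CAs trusted, but only in debuggable builds"))
            else:
                findings.append(Finding(
                    "nsc_user_certs_trusted", "warning", location,
                    "user-installed CAs trusted for production traffic"))
    return findings


def sample_long_config(n_domains):
    """Constructed config whose weak domain-config spans n_domains + 2 lines,
    i.e. far more than a 10-line generic-mode match window."""
    domains = "\n".join(f"        <domain>host{i}.example.com</domain>"
                        for i in range(n_domains))
    return ("<network-security-config>\n"
            '    <domain-config cleartextTrafficPermitted="true">\n'
            f"{domains}\n"
            "    </domain-config>\n"
            "</network-security-config>\n")


if __name__ == "__main__":
    for f in lint_network_security_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.rule_id} at {f.location}: {f.message}")
```

On the sample config this reports the cleartext base-config, the user CA under the production trust anchors, and (as info only) the user CA under debug-overrides; `sample_long_config(50)` builds a 50-domain block that the parser still flags as a single finding.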
Releases(0.1.2)
Owner
Mobile Security Framework
Automated pentesting framework for Android, iOS and Windows Apps