mobsf

command module
v2.15.1
Published: Mar 13, 2022 License: MIT Imports: 23 Imported by: 0

README

MobSF analyzer

GitLab Analyzer for iOS and Android projects. It's based on Mobile Security Framework (MobSF).

How it works

The analyzer uses the GitLab Analyzers Common Library as an application framework.

An analysis run has three stages:

  1. Match - The analyzer recursively searches the target directory for a "match" which indicates that analysis should be run on the project. The MobSF analyzer will run if the project contains an .xcodeproj directory, or an AndroidManifest.xml file. It will give up on searching once it reaches SEARCH_MAX_DEPTH.
  2. Analyze - The analyzer will perform analysis of project source code. The MobSF analyzer does this by zipping the project source code and uploading it to the MobSF service defined by MOBSF_ADDR. By default, it expects the MobSF service to be running in a sidecar container at http://mobsf:8000. Once analysis is completed, the scan report is passed to the Convert stage.
  3. Convert - The MobSF scan report is converted into GitLab's JSON Report format. The resulting artifact is stored in the pipeline artifacts as gl-sast-report.json. GitLab is able to display findings on the merge request by parsing this artifact.
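The Match stage described above, reimplemented as a stand-alone Go example added here (this is not the analyzer's own code, nor the GitLab Analyzers Common Library it builds on). It walks the target directory in lexical order, stops at the first .xcodeproj directory or AndroidManifest.xml file, and gives up below SEARCH_MAX_DEPTH. Assumptions: depth counts directory levels below the target (the target itself is level 0), the first marker found in lexical order wins, and the fallback depth of 4 simply mirrors the SEARCH_MAX_DEPTH used in the local-run command later in this README.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Markers named in the README: an .xcodeproj directory (iOS) or an
// AndroidManifest.xml file (Android).
const (
	iosMarkerSuffix = ".xcodeproj"
	androidMarker   = "AndroidManifest.xml"
)

// Match records the project directory (relative to the search root) that
// contained a marker, and which platform the marker indicates.
type Match struct {
	Dir      string // e.g. "app/src/main"; "." when the marker sits in the root
	Platform string // "ios" or "android"
}

// errFound is a sentinel used to stop the walk early once a marker is seen.
var errFound = errors.New("match found")

// FindMatch walks root in lexical order and returns the first marker whose
// depth does not exceed maxDepth. Depth counts path components below root,
// so root itself is 0 and "app/src/main/AndroidManifest.xml" is at depth 4.
// (Assumed depth semantics for this example; the real analyzer may differ.)
func FindMatch(root string, maxDepth int) (Match, bool) {
	var found Match
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		depth := 0
		if rel != "." {
			depth = strings.Count(rel, string(filepath.Separator)) + 1
		}
		switch {
		case d.IsDir() && strings.HasSuffix(d.Name(), iosMarkerSuffix):
			found = Match{Dir: filepath.Dir(rel), Platform: "ios"}
			return errFound
		case !d.IsDir() && d.Name() == androidMarker:
			found = Match{Dir: filepath.Dir(rel), Platform: "android"}
			return errFound
		}
		// Children of this directory would exceed the depth budget: do not descend.
		if d.IsDir() && depth >= maxDepth {
			return fs.SkipDir
		}
		return nil
	})
	if errors.Is(err, errFound) {
		return found, true
	}
	return Match{}, false
}

// MaxDepthFromEnv reads SEARCH_MAX_DEPTH, falling back to def when the
// variable is unset or not a non-negative integer.
func MaxDepthFromEnv(def int) int {
	n, err := strconv.Atoi(os.Getenv("SEARCH_MAX_DEPTH"))
	if err != nil || n < 0 {
		return def
	}
	return n
}

func main() {
	target := os.Getenv("ANALYZER_TARGET_DIR")
	if target == "" {
		target = "."
	}
	// The fallback of 4 mirrors the SEARCH_MAX_DEPTH in the README's local-run command.
	m, ok := FindMatch(target, MaxDepthFromEnv(4))
	if !ok {
		fmt.Println("no mobile project found; analysis skipped")
		return
	}
	fmt.Printf("%s project found in %s\n", m.Platform, filepath.Join(target, m.Dir))
}
```

Reporting the marker's parent directory (rather than the marker itself) is what makes the result directly usable as the directory to zip for the Analyze stage; the depth cut-off is applied before descending, so a deep monorepo is never walked further than the configured budget.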

Running it locally

The MobSF analyzer has the MobSF service as a dependency, so two containers need to be run.

  1. Start the MobSF service

    docker run --rm -d \
      -p 8000:8000 \
      -e "MOBSF_API_KEY=key" \
      --name mobsf \
      --net=bridge \
      opensecurity/mobile-security-framework-mobsf:latest
    
  2. Get the IP address of the MobSF container

    docker inspect -f '{{.NetworkSettings.IPAddress}}' mobsf
    
  3. Run the analyzer (while within the target project directory)

    docker run --rm -ti \
      -v "$(pwd):/target" \
      -e ANALYZER_TARGET_DIR=/target/ \
      -e SEARCH_MAX_DEPTH=4 \
      -e MOBSF_ADDR=http://<mobsf_container_ip>:8000/api/v1 \
      -e MOBSF_API_KEY=key \
      mobsf:latest
    

Running in GitLab CI

You can easily add the analyzer to a GitLab CI job by including the CI template.

Here is an example:

include:
  - project: 'gitlab-org/security-products/analyzers/mobsf'
    ref: master
    file: '/template/mobsf.gitlab-ci.yml'

Special thanks

This feature was a generous contribution by the H-E-B Digital team. You can read more about H-E-B's contribution integrating MobSF via the GitLab Secure Scanning integration framework.

Contributing

Contributions are welcome, see CONTRIBUTING.md for more details.

License

This code is distributed under the MIT Expat license, see the LICENSE file.

Documentation

There is no documentation for this package.
