# MobSF analyzer

GitLab Analyzer for iOS and Android projects. It's based on Mobile Security Framework (MobSF).
## How it works

The analyzer uses the GitLab Analyzers Common Library as an application framework.

An analysis run has three stages:

- Match - The analyzer recursively searches the target directory for a "match", which indicates that analysis should be run on the project. The MobSF analyzer will run if the project contains an `.xcodeproj` directory or an `AndroidManifest.xml` file. It stops searching once it reaches `SEARCH_MAX_DEPTH`.
- Analyze - The analyzer performs analysis of the project source code. The MobSF analyzer does this by zipping the project source code and uploading it to the MobSF service defined by `MOBSF_ADDR`. By default, it expects the MobSF service to be running in a sidecar container at `http://mobsf:8000`. Once analysis is completed, the scan report is passed to the Convert stage.
- Convert - The MobSF scan report is converted into GitLab's JSON Report format. The resulting artifact is stored in the pipeline artifacts as `gl-sast-report.json`. GitLab is able to display findings on the merge request by parsing this artifact.
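The Match stage described above, as an added Go example that is not the analyzer's own code. It assumes that `SEARCH_MAX_DEPTH` counts directory levels below the target root (direct children of the root are at depth 0) and that the first `.xcodeproj` directory or `AndroidManifest.xml` file found decides the match:

```go
package main

import (
	"errors"
	"io/fs"
	"path/filepath"
	"strings"
)

// Match returns the first path under root that marks a mobile project: an
// .xcodeproj directory (iOS) or an AndroidManifest.xml file (Android).
// Entries more than maxDepth directories below root are not inspected
// (assumed reading of SEARCH_MAX_DEPTH). It returns "" when nothing matches.
func Match(root string, maxDepth int) (string, error) {
	root = filepath.Clean(root)
	sep := string(filepath.Separator)
	errFound := errors.New("match found") // sentinel: stop the walk early
	var found string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || path == root {
			return walkErr
		}
		// Number of directories between root and this entry; root's direct children are depth 0.
		depth := strings.Count(strings.TrimPrefix(path, root+sep), sep)
		if depth > maxDepth {
			if d.IsDir() {
				return filepath.SkipDir // too deep: do not descend any further
			}
			return nil
		}
		isXcodeProj := d.IsDir() && strings.HasSuffix(d.Name(), ".xcodeproj")
		isManifest := !d.IsDir() && d.Name() == "AndroidManifest.xml"
		if isXcodeProj || isManifest {
			found = path
			return errFound
		}
		return nil
	})
	if errors.Is(err, errFound) {
		return found, nil
	}
	return "", err
}
```

A project whose only marker sits deeper than `SEARCH_MAX_DEPTH` yields no match, so the analyzer would skip it; raising the depth in the job configuration is the fix for deeply nested mobile modules.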
## Running it locally

The MobSF analyzer has the MobSF service as a dependency, so two containers need to be run.

- Start the MobSF service:

  ```sh
  docker run --rm -d \
    -p 8000:8000 \
    -e "MOBSF_API_KEY=key" \
    --name mobsf \
    --net=bridge \
    opensecurity/mobile-security-framework-mobsf:latest
  ```

- Get the IP of the MobSF container:

  ```sh
  docker inspect -f '{{.NetworkSettings.IPAddress}}' mobsf
  ```

- Run the analyzer (while within the target project directory):

  ```sh
  docker run --rm -ti \
    -v "$(pwd):/target" \
    -e ANALYZER_TARGET_DIR=/target/ \
    -e SEARCH_MAX_DEPTH=4 \
    -e MOBSF_ADDR=http://<mobsf_container_ip>:8000/api/v1 \
    -e MOBSF_API_KEY=key \
    mobsf:latest
  ```
## Running in GitLab CI

You can easily add the analyzer to a GitLab CI job by including the CI template. Here is an example:

```yaml
include:
  - project: 'gitlab-org/security-products/analyzers/mobsf'
    ref: master
    file: '/template/mobsf.gitlab-ci.yml'
```
## Special thanks

This feature was a generous contribution by the H-E-B Digital team. You can read more about H-E-B's contribution integrating MobSF via the GitLab Secure Scanning integration framework.
## Contributing

Contributions are welcome, see `CONTRIBUTING.md` for more details.

## License

This code is distributed under the MIT Expat license, see the `LICENSE` file.