Guardsquare / appsweep-gradle

This Gradle plugin can be used to continuously integrate app scanning using AppSweep into your Android app build process
http://guardsquare.com/appsweep-mobile-application-security-testing
Apache License 2.0
47 stars, 3 forks

[FR]: Provide task for manual AAB upload #14

Closed G00fY2 closed 3 months ago

G00fY2 commented 3 months ago

We currently see a lot of issues while trying to simply integrate the AppSweep AAB upload step into our CI (see #12 and #13).

Instead of tightly coupling this plugin to the AGP build process and the Gradle internals, we would love to have a simple file upload task to scan AAB artifacts from a defined filepath. This feature was also requested in https://github.com/Guardsquare/appsweep-gradle/issues/4#issuecomment-1160655706.

Basically we want to make sure that the exact same AAB used for e.g. our Play Store upload step will be sent to AppSweep without any further builds or Gradle magic happening.

I know that there is also an AppSweep CLI. But the install script currently requires sudo rights, which are not available on our build machines.

titze commented 3 months ago

Hey @G00fY2,

at the moment, more Gradle tasks are not planned (btw, the other issues you posted would have prevented you from using this anyway, unfortunately).

But you should be able to use the CLI script without sudo.

You can either use the bin_dir option of the script:

curl -sS https://platform.guardsquare.com/cli/install.sh | sh -s -- --bin-dir /tmp/bla

or download the binary directly from

https://platform.guardsquare.com/cli/latest_linux_amd64

I suppose calling the CLI from Gradle should also work then.
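One way to wire the CLI into the build as the comment above suggests, written here as an added example (it is not code from the plugin, from Guardsquare, or from either commenter): a plain Gradle Exec task in the app module's build.gradle.kts that runs after bundleRelease and hands the produced bundle to the `guardsquare scan` command shown elsewhere in this thread. It assumes the CLI was installed without sudo into $HOME/.guardsquare (a hypothetical location chosen for the example) and is already authenticated on the machine; the task and property names are also hypothetical, and the bundle is located by scanning the conventional AGP output directory rather than through AGP's artifact API, which is the loose coupling the request asks for.

```kotlin
// build.gradle.kts (app module) -- added example, not part of appsweep-gradle.
// Assumes: the Guardsquare CLI unpacked into $HOME/.guardsquare (hypothetical path)
// and configured with credentials outside of Gradle; task name is hypothetical.
import org.gradle.api.GradleException

val guardsquareCli: String =
    (System.getenv("GUARDSQUARE_CLI_HOME") ?: "${System.getenv("HOME")}/.guardsquare") + "/guardsquare"

// Conventional AGP output directory for the release bundle; no AGP internals are touched.
val releaseBundleDir = layout.buildDirectory.dir("outputs/bundle/release")

val appsweepScanRelease by tasks.registering(Exec::class) {
    group = "verification"
    description = "Uploads the release AAB produced by bundleRelease to AppSweep via the Guardsquare CLI"

    // Run only after the bundle exists, and re-run when it changes.
    dependsOn("bundleRelease")
    inputs.dir(releaseBundleDir)
    inputs.property("cli", guardsquareCli)

    // Fail loudly instead of scanning the wrong file when zero or several .aab files are present.
    doFirst {
        val dir = releaseBundleDir.get().asFile
        val bundles = dir.listFiles { f -> f.isFile && f.extension == "aab" }?.toList().orEmpty()
        val aab = bundles.singleOrNull()
            ?: throw GradleException("expected exactly one .aab in $dir, found ${bundles.size}")
        if (!file(guardsquareCli).canExecute()) {
            throw GradleException("Guardsquare CLI not found or not executable at $guardsquareCli")
        }
        // Same artifact that a later Play Store upload step would use; nothing is rebuilt here.
        commandLine(guardsquareCli, "scan", aab.absolutePath)
    }
}
```

Invoke it with `./gradlew appsweepScanRelease`; because `commandLine` is set in `doFirst`, the task resolves the bundle path only at execution time, after bundleRelease has written it.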

G00fY2 commented 3 months ago

Hi @titze ,

thanks for your detailed answer. I see that this plugin serves a different purpose. Therefore I understand that you don't like to add any new tasks (feel free to close this FR).

In the end we ended up manually setting up the CLI on our CI. Unfortunately there were not a lot of resources or guidance about how to download and set up the CLI. We copied the relevant parts from the install script (https://platform.guardsquare.com/cli/install.sh).

In the end it looks like this in our Jenkins pipeline:

// Jenkins scripted pipeline: install a pinned Guardsquare CLI release into a user-writable directory (no sudo)
// and scan the release bundle that the preceding build step produced.
String guardsquareCliVersion = "0.7.0"
String downloadUrl = "https://platform.guardsquare.com/cli/${guardsquareCliVersion}_linux_amd64"
String cliDir = "${env.HOME}/.guardsquare"

sh "mkdir -p \"${cliDir}\""
// --fail makes curl exit non-zero on an HTTP error instead of piping an error page into tar;
// --show-error keeps the failure message visible despite --silent.
sh "curl --fail --silent --show-error --location \"${downloadUrl}\" | tar -xvz -C \"${cliDir}\""

// Locate the bundle written by bundleRelease; this assumes exactly one .aab in the directory,
// so the exact artifact that later goes to the Play Store is the one scanned.
String releaseAAB = sh(
    script: "find ./app/build/outputs/bundle/release -maxdepth 1 -name '*.aab'",
    returnStdout: true
).trim()
sh "\"${cliDir}/guardsquare\" scan \"${releaseAAB}\""

titze commented 3 months ago

Ah, great! I'll see that we document this better.

For the version you can also use latest, but pinning the version is good ofc as well.

Btw, if you want to get into (more) direct contact with us, you can use the chat on the bottom right in AS, that is a bit more interactive (and you'll end up with one of the engineers directly as well).

titze commented 3 months ago

To give you a bit more context here as well, the AS Gradle plugin does more than just upload the AAB.

The biggest benefit when using it is that it also uploads library information, so that AppSweep knows which parts of the AAB come from where. Using this, we can show you which issues are in your code, and which are in some library (that you might have very little control over).

Once the bugs in the Gradle plugin are fixed, do you see any reasons in not using it in your use-case?