MobSF / mobsfscan

mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and libsast pattern matcher.
GNU Lesser General Public License v3.0

Erroneous detection of ios_banned_api. "Match String gets(" #34

Closed batkov closed 2 years ago

batkov commented 2 years ago

Hi,

I have an entity in the application which is called Budget. The plural form is used for different variants of functions, like getBudgets(), enum Endpoint { case budgets }, etc. I'm receiving logs that it is somehow a banned API.

I believe the tool is mixing up the ending of the function name with the C function char *gets(char *str).

Please take a look.

Regards, Kharyton

ajinabraham commented 2 years ago

Hi @batkov Can you share the false positive result produced by mobsfscan?

TimothyChilvers commented 2 years ago

I have a few of these:

RULE ID      | ios_banned_api
CWE          | CWE-676: Use of Potentially Dangerous Function
MASVS        | MSTG-CODE-8
OWASP-MOBILE | M7: Client Code Quality
REFERENCE    | https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/BufferOverflows.html#//apple_ref/doc/uid/TP40002577-SW1
DESCRIPTION  | The App may contain banned API(s). These API(s) are insecure and must not be used.
SEVERITY     | WARNING
FILES        |
  File | Match Position | Line Number(s) | Match String
  Modules/Simulation/Simulation/Unit Tests/Source/Widgets/Tutorials/Swipe Tutorial Widget/View Model/TutorialStateTests.swift | 519 - 524 | 21 | gets(
  Modules/Simulation/Simulation/Source/Widgets/Tutorials/Base/TutorialWidgetViewModelFactory.swift | 565 - 570 | 20 | gets(

However, we have a lot of widgets, so any method named ...widgets gets flagged, e.g. testShouldNotShowObjectiveTutorialForNonTextWidgets.
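Both reports describe the same failure mode: a banned-API rule that looks for the text `gets(` also fires inside identifiers that merely end in `gets`, such as `getBudgets(` or `...Widgets(`. The following is an added example, not code from mobsfscan or libsast, that scans a few constructed Swift lines with a bare substring check and with a word-boundary regex, so the difference can be seen directly. It assumes the rule is effectively a substring match, as the reports suggest; the pattern names and sample lines are constructed for illustration.

```python
import re

# Constructed sample Swift source (not from the reporters' projects).
SAMPLE_SWIFT = """\
func getBudgets() -> [Budget] { return [] }
enum Endpoint { case budgets }
func testShouldNotShowObjectiveTutorialForNonTextWidgets() {}
let line = gets(buffer)
let s = String(cString: gets(&buf))
"""

# Hypothetical version of the rule as a plain substring, the behaviour the
# issue describes: any identifier ending in "gets" followed by "(" matches.
NAIVE_PATTERN = "gets("

# Hardened version: \b requires "gets" to start at an identifier boundary,
# so "getBudgets(" and "Widgets(" no longer match, while "gets(" still does.
BOUNDED_PATTERN = re.compile(r"\bgets\s*\(")


def naive_match_lines(source: str) -> list[int]:
    """Line numbers where the bare substring 'gets(' occurs."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if NAIVE_PATTERN in line]


def bounded_match_lines(source: str) -> list[int]:
    """Line numbers where 'gets(' occurs as a whole identifier."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if BOUNDED_PATTERN.search(line)]


def false_positive_lines(source: str) -> list[int]:
    """Lines the naive rule flags that the bounded rule does not."""
    bounded = set(bounded_match_lines(source))
    return [n for n in naive_match_lines(source) if n not in bounded]


if __name__ == "__main__":
    print("naive   :", naive_match_lines(SAMPLE_SWIFT))
    print("bounded :", bounded_match_lines(SAMPLE_SWIFT))
    print("spurious:", false_positive_lines(SAMPLE_SWIFT))
```

Running the script shows the naive pattern flagging lines 1, 3, 4 and 5, while the boundary-anchored pattern keeps only lines 4 and 5, the two genuine calls to the C `gets` function; lines 1 and 3 are exactly the `getBudgets` and `...Widgets` false positives from the two reports.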