MobSF / mobsfscan

mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective-C code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and the libsast pattern matcher.
GNU Lesser General Public License v3.0

Android API 34 missing from ANDROID_API_LEVEL_MAP #76

Closed arttujo closed 10 months ago

arttujo commented 10 months ago

It would seem that, in the latest pull request with the new ANDROID_API_LEVEL_MAP, there is an issue where if your targetSdk = 34 all the checks default to API level 26, because 34 is missing from the definition.

ajinabraham commented 10 months ago

Thanks for reporting this, I will update the ANDROID_API_LEVEL_MAP.

It seems like if the targetSdk is not determined from the manifest file, minSdk is used as the target SDK. ANDROID_API_LEVEL_MAP is not considered for determining targetSdk.

ajinabraham commented 10 months ago

Addressed in https://github.com/MobSF/mobsfscan/pull/77

phileo commented 10 months ago

It seems like if the targetSdk is not determined from the manifest file, minSdk is used as the target SDK.

This will lead to a false failure in TaskHijackingChecks if minSdk=26 but targetSdk=34 is defined in build.gradle.

Both minSdk and targetSdk really should come from build.gradle because they are no longer defined in the Manifest. @ajinabraham Is there a way to have scan_manifest or TaskHijackingChecks instead read from build.gradle in order to obtain the correct minSdk/targetSdk version?
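To make the false positive concrete, here is an added example (my code, not mobsfscan's and not the fix in the linked pull request) that resolves minSdk/targetSdk the way the thread describes: first from `<uses-sdk>` in AndroidManifest.xml, then from build.gradle (Groovy or Kotlin DSL), and only as a last resort by treating minSdk as targetSdk. A deliberately simple task-hijacking rule is modelled on top of it: the threshold `TASK_HIJACK_FIXED_TARGET = 28` and the `launchMode="singleTask"` condition are assumptions chosen for illustration, not mobsfscan's actual rule. The manifest and gradle snippets are constructed inputs.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample inputs (not taken from any real project).
# The manifest carries only minSdkVersion; targetSdk lives in build.gradle,
# which is the situation described in this issue.
MANIFEST_MIN_ONLY = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-sdk android:minSdkVersion="26"/>
  <application android:label="Example">
    <activity android:name=".MainActivity" android:launchMode="singleTask"/>
  </application>
</manifest>
"""

BUILD_GRADLE_GROOVY = """
android {
    compileSdk 34
    defaultConfig {
        applicationId "com.example.app"
        minSdk 26
        targetSdk 34
    }
}
"""

BUILD_GRADLE_KTS = """
android {
    compileSdk = 34
    defaultConfig {
        minSdk = 26
        targetSdk = 34
    }
}
"""

# Assumed threshold for the illustrative rule below; NOT mobsfscan's rule.
TASK_HIJACK_FIXED_TARGET = 28


def sdk_from_manifest(xml_text):
    """Return (min_sdk, target_sdk) from <uses-sdk>; None for anything absent."""
    root = ET.fromstring(xml_text)
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return None, None

    def attr(name):
        value = uses_sdk.get(f"{{{ANDROID_NS}}}{name}")
        return int(value) if value and value.isdigit() else None

    return attr("minSdkVersion"), attr("targetSdkVersion")


# Matches "minSdk 26", "minSdk = 26", "targetSdkVersion 34" (Groovy and KTS).
_GRADLE_RE = re.compile(
    r"^\s*(minSdk|targetSdk)(?:Version)?\s*=?\s*(\d+)\s*$", re.MULTILINE
)


def sdk_from_gradle(gradle_text):
    """Return (min_sdk, target_sdk) from a build.gradle / build.gradle.kts body."""
    found = {}
    for match in _GRADLE_RE.finditer(gradle_text):
        found.setdefault(match.group(1), int(match.group(2)))
    return found.get("minSdk"), found.get("targetSdk")


def resolve_sdk(manifest_xml, gradle_text=None):
    """Resolve (min_sdk, target_sdk): manifest first, then gradle, then
    the minSdk-as-targetSdk fallback the thread complains about."""
    min_sdk, target_sdk = sdk_from_manifest(manifest_xml)
    if gradle_text and (min_sdk is None or target_sdk is None):
        g_min, g_target = sdk_from_gradle(gradle_text)
        min_sdk = min_sdk if min_sdk is not None else g_min
        target_sdk = target_sdk if target_sdk is not None else g_target
    if target_sdk is None and min_sdk is not None:
        target_sdk = min_sdk  # last resort; this is what produces the false positive
    return min_sdk, target_sdk


def task_hijacking_finding(manifest_xml, gradle_text=None):
    """Illustrative rule: fire when a singleTask activity exists and the
    resolved targetSdk is below the assumed fixed level."""
    root = ET.fromstring(manifest_xml)
    single_task = any(
        act.get(f"{{{ANDROID_NS}}}launchMode") == "singleTask"
        for act in root.iter("activity")
    )
    _, target_sdk = resolve_sdk(manifest_xml, gradle_text)
    return single_task and target_sdk is not None and target_sdk < TASK_HIJACK_FIXED_TARGET


if __name__ == "__main__":
    print("manifest only:", resolve_sdk(MANIFEST_MIN_ONLY),
          "-> finding:", task_hijacking_finding(MANIFEST_MIN_ONLY))
    print("with gradle:  ", resolve_sdk(MANIFEST_MIN_ONLY, BUILD_GRADLE_KTS),
          "-> finding:", task_hijacking_finding(MANIFEST_MIN_ONLY, BUILD_GRADLE_KTS))
```

With the manifest alone the fallback makes targetSdk 26 and the rule fires; once build.gradle is consulted targetSdk resolves to 34 and the same manifest is clean, which is exactly the false failure described above. The gradle regex is intentionally narrow (one `minSdk`/`targetSdk` assignment per line, first occurrence wins) and will not follow values defined via variables, `libs.versions.toml` catalogs, or product flavors.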

phcannesson commented 4 months ago

Hello @ajinabraham,

I'm seeing the same false positives for TaskHijackingChecks because my target SDK is set in build.gradle.

Could this be reopened? Or maybe reopen the linked issue https://github.com/MobSF/mobsfscan/issues/78