search

MobSF / mobsfscan

mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and libsast pattern matcher.
GNU Lesser General Public License v3.0
607 stars 97 forks source link

Empty MobSF Scan Results in Bitbucket Pipeline #89

Closed YuriBanyuwang1 closed 3 weeks ago

YuriBanyuwang1 commented 2 months ago

During the recent execution of our Bitbucket pipeline, which includes a security scan using MobSF (Mobile Security Framework), the generated scan report returned an unexpected result. The report indicates no findings, showing an empty "results": {} object, despite the absence of errors in the scan process. The MobSF CLI version used is 0.3.9, and the scan was performed on an APK generated during the pipeline's release build step.

- step: &install-mobsf
       name: Security Scan with MobSF
       image: python:3.9  # Use Python image to run MobSF
       script:
         - pip install mobsfscan  # Install MobSF CLI
         - mobsfscan --type android --json -o mobsfscan_result.json ./app/build/outputs/apk/development/debug/app-development-arm64-v8a-debug.apk  # Run MobSF scan on the armeabi-v7a APK
       artifacts:
         - mobsfscan_result.json 

      please help me fix this issue
ajinabraham commented 3 weeks ago

Doesn't work on APK, use MobSF for that. mobsfscan is only for source code.