OWASP / glue

Application Security Automation

MobSf report exclusion does not work --finding-file-path for glue_ignore.json #172

Closed bc-venkata closed 4 years ago

bc-venkata commented 4 years ago

```sh
# copy report.json from scan container
docker cp mobsfci_scan_1:/app/output .

# copy report.json and glue_ignore.json to glue container
docker run --name glue -d owasp/glue:raw-latest /bin/sh -c "while true; do echo hello world; sleep 1; done"
GLUE_CONTAINER_ID=$(docker ps -a -f name=glue --format "{{.ID}}")
docker cp output "$GLUE_CONTAINER_ID":/glue

# run glue command
docker exec -it "$GLUE_CONTAINER_ID" ruby bin/glue name="glue" -t Dynamic -T /glue/output/report.json --mapping-file mobsf --finding-file-path /glue/output/glue_ignore.json -z 3
```

```text
Setting severity_threshold to 3
Logfile nil?
calling scan
Running scanner
Loading scanner...
Processing target.../glue/output/report.json
Running tasks in stage: wait
Running tasks in stage: mount
Running tasks in stage: file
Running tasks in stage: code
code - Dynamic - #
Running tasks in stage: live
Running tasks in stage: done
Running base report...

Description: Debugging was enabled on the app which makes it easier for reverse engineers to hook a debugger to it. This allows dumping a stack trace and accessing debugging helper classes.

Timestamp: 2019-11-27 20:44:20 +0000

Source: Debug Enabled For App <br>[android:debuggable=true]

Severity: 3

Fingerprint:  Debug Enabled For App <br>[android:debuggable=true]

Found by:  MobSF

Detail:  Debug Enabled For App <br>[android:debuggable=true]

Description: A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Timestamp: 2019-11-27 20:44:20 +0000

Source: <strong>Broadcast Receiver</strong> (com.bigcommerce.heartbeat.firebase.messaging.MessagingReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>com.google.android.c2dm.permission.SEND <br>[android:exported=true]

Severity: 3

Fingerprint:  <strong>Broadcast Receiver</strong> (com.bigcommerce.heartbeat.firebase.messaging.MessagingReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>com.google.android.c2dm.permission.SEND <br>[android:exported=true]

Found by:  MobSF

Detail:  <strong>Broadcast Receiver</strong> (com.bigcommerce.heartbeat.firebase.messaging.MessagingReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>com.google.android.c2dm.permission.SEND <br>[android:exported=true]

Description: A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Timestamp: 2019-11-27 20:44:20 +0000

Source: <strong>Broadcast Receiver</strong> (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>com.google.android.c2dm.permission.SEND <br>[android:exported=true]

Severity: 3

Fingerprint:  <strong>Broadcast Receiver</strong> (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>com.google.android.c2dm.permission.SEND <br>[android:exported=true]

Found by:  MobSF

Detail:  <strong>Broadcast Receiver</strong> (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>com.google.android.c2dm.permission.SEND <br>[android:exported=true]

Description: A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Timestamp: 2019-11-27 20:44:20 +0000

Source: <strong>Broadcast Receiver</strong> (com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>android.permission.INSTALL_PACKAGES <br>[android:exported=true]

Severity: 3

Fingerprint:  <strong>Broadcast Receiver</strong> (com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>android.permission.INSTALL_PACKAGES <br>[android:exported=true]

Found by:  MobSF

Detail:  <strong>Broadcast Receiver</strong> (com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>android.permission.INSTALL_PACKAGES <br>[android:exported=true]

Worst finding (3) meets severity threshold (3)
Exited with code 3
```
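Editor's added example, not code from the issue or from Glue itself: a small Ruby model of what the run above is expected to do, i.e. drop findings whose fingerprint is listed in an ignore file and then derive the exit code from the worst remaining severity against the `-z` threshold. The ignore-file shape (a JSON array of fingerprint strings) and the field names are assumptions; the sample findings are constructed from the fingerprints printed in the report above.

```ruby
require 'json'

# Constructed sample findings in the shape of the report above (fingerprints
# taken from it; the receiver one is shortened). Not real Glue data structures.
SAMPLE_FINDINGS = [
  { 'severity' => 3, 'found_by' => 'MobSF',
    'fingerprint' => 'Debug Enabled For App <br>[android:debuggable=true]' },
  { 'severity' => 3, 'found_by' => 'MobSF',
    'fingerprint' => '<strong>Broadcast Receiver</strong> (com.google.firebase.iid.FirebaseInstanceIdReceiver)' },
  { 'severity' => 2, 'found_by' => 'MobSF',
    'fingerprint' => 'constructed-low-severity-item' }
].freeze

# Constructed glue_ignore.json content; assumed format: JSON array of fingerprints.
SAMPLE_IGNORE_JSON = JSON.generate(
  ['Debug Enabled For App <br>[android:debuggable=true]']
)

# Parse the ignore file defensively: a malformed or wrongly shaped file must
# ignore nothing, never silently suppress every finding.
def load_ignored_fingerprints(json_text)
  data = JSON.parse(json_text)
  return [] unless data.is_a?(Array)
  data.select { |f| f.is_a?(String) }.map(&:strip)
rescue JSON::ParserError
  []
end

# Exact match on the stripped fingerprint, so the extra spaces seen after
# "Fingerprint:" in the printed report cannot cause a miss.
def apply_exclusions(findings, ignored)
  findings.reject { |f| ignored.include?(f['fingerprint'].to_s.strip) }
end

# Same rule as the last line of the run: exit with the worst remaining
# severity when it meets the threshold, otherwise 0.
def exit_code(findings, threshold)
  worst = findings.map { |f| f['severity'].to_i }.max || 0
  worst >= threshold ? worst : 0
end

def run(findings = SAMPLE_FINDINGS, ignore_json = SAMPLE_IGNORE_JSON, threshold = 3)
  remaining = apply_exclusions(findings, load_ignored_fingerprints(ignore_json))
  { remaining: remaining.size, exit_code: exit_code(remaining, threshold) }
end

puts run.inspect if $PROGRAM_NAME == __FILE__
```

With the debuggable finding ignored, the two receiver-related findings still leave a worst severity of 3, so the build still fails at `-z 3`; raising the threshold to 4 or ignoring those fingerprints too would make it pass.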

omerlh commented 4 years ago

What did you expect to happen? Looks like it worked...

bc-venkata commented 4 years ago

Ignore it, I have this working fine now. Thank you!