fluidattacks / makes

A software supply chain framework powered by Nix.
https://makes.fluidattacks.tech/
MIT License

Issues with APK scan #1380

Open MathieuBrousseIDO opened 1 month ago

MathieuBrousseIDO commented 1 month ago

Hi,

I'm running into an issue while trying to scan my project for a CASA Tier 2 assessment. The SAST and SCA scans are working fine, but the APK scan is not. I'm using the latest Docker image on macOS.

docker run -v {path_to_project}:/src fluidattacks/cli:latest skims scan /src/config-apk.yaml

The configuration is really basic: config-apk.txt

The process runs for four days and then I got some errors. With my full project I got a timeout during decompilation, and then the process stopped when generating the SBOM (apkscanfullproject.log). I tried several times with a few config changes but got the same result.

Then I tried with an empty Android project that just includes the full project's Gradle dependencies: apkscan.log

There are some results, but still a timeout, so I'm not sure that all the tests ran successfully.

Is there a misconfiguration that can explain both the decompilation timeout and the SBOM generation "crash"?

Regards,

lpatinoatfluid commented 4 weeks ago

Hi!

Let's try the following workaround to resolve this.

Using the fluid_attacks_scanner_config.yaml as a base, please modify it according to the results you need, following the configuration guidelines.

Changes from the config you shared:

  • Updated working_dir attribute to /src since that is where the binding is pointed inside the container's filesystem.
  • Removed checks section due to an indentation issue. The default setting will include all checks for target files (in this case, .apk files).
  • Deleted file_size_limit: false as it is not a standard configuration.
  • Deleted tracing_opt_out: true as it is also not a standard configuration.

Next, place fluid_attacks_scanner_config.yaml in {path_to_config} and run the command below:

docker run --rm -v {path_to_project}:/src -v {path_to_config}/fluid_attacks_scanner_config.yaml:/config.yaml fluidattacks/cli:latest skims scan /config.yaml

Try this and let us know how it goes!

Additional Note: There may have been a bug related to SBOM generation in the latest version of the CLI image around the time you encountered this issue. Based on the logs, it’s likely this affected your scan, but it has been patched in recent updates.

If you encounter any further issues, feel free to reach out again with more details. We’re here to help!
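A preflight check for the workaround above, added here as an example; it is not part of this thread or of the makes/skims project. It assumes, as the maintainer's command does, that the project is bind-mounted at /src inside the container, and it treats `file_size_limit` and `tracing_opt_out` as the non-standard keys named in the list above. The YAML it reads is a constructed sample; the functions only inspect the file with sed/grep and print the docker command rather than running it, so it can be reviewed before a multi-day scan is started.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the makes/skims project.
# Assumptions: the project is bind-mounted at /src (as in the maintainer's
# command), and file_size_limit / tracing_opt_out are the keys the maintainer
# asked to remove because they are not standard configuration.

# preflight_skims_config CONFIG_FILE PROJECT_DIR
# Returns 0 when the config is consistent with the bind mount, 1 otherwise.
# Every finding is printed to stderr so the whole list is visible at once.
preflight_skims_config() {
  cfg="$1"
  proj="$2"
  rc=0

  if [ ! -f "$cfg" ]; then
    echo "config file not found: $cfg" >&2
    return 1
  fi
  if [ ! -d "$proj" ]; then
    echo "project directory not found: $proj" >&2
    return 1
  fi

  # working_dir must be the container-side mount target, not the host path:
  # a host path like /Users/me/app does not exist inside the container.
  wd=$(sed -n 's/^working_dir:[[:space:]]*//p' "$cfg" | head -n 1 \
       | sed 's/[[:space:]]*$//' | tr -d "\"'")
  if [ "$wd" != "/src" ]; then
    echo "working_dir is '$wd'; expected /src (the bind-mount target)" >&2
    rc=1
  fi

  # Keys the maintainer flagged as non-standard (assumed to be ignored at best).
  for key in file_size_limit tracing_opt_out; do
    if grep -q "^[[:space:]]*$key:" "$cfg"; then
      echo "non-standard key present: $key (remove it)" >&2
      rc=1
    fi
  done

  return "$rc"
}

# skims_scan_cmd PROJECT_DIR CONFIG_FILE
# Prints the docker invocation in the same shape as the maintainer's workaround,
# mounting the project at /src and the config at /config.yaml.
skims_scan_cmd() {
  printf 'docker run --rm -v %s:/src -v %s:/config.yaml fluidattacks/cli:latest skims scan /config.yaml\n' "$1" "$2"
}

# Example use (constructed paths):
#   preflight_skims_config ./fluid_attacks_scanner_config.yaml ./android \
#     && eval "$(skims_scan_cmd "$PWD/android" "$PWD/fluid_attacks_scanner_config.yaml")"
```

Running the check before `docker run` catches the two cheapest mistakes in this thread (a host-side `working_dir` and leftover unknown keys) without waiting days for the scan to fail.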

MathieuBrousseIDO commented 2 weeks ago

Hi,

I ran new tests.

docker run --rm -v /Users/***/Documents/workspace/***/android/android/:/src -v /Users/****/Documents/workspace/***/android/android/config.yaml:/config.yaml fluidattacks/cli:latest skims scan /src/config.yaml

I'm attaching the config and console logs; I still have the same issues. Are there any other logs I can provide to help you analyze this?

config.txt: I just exclude a few paths for SAST and SCA.

scan.log: no results after the SBOM generation failure.

I have another analysis that has been running for 3 days; I'll let you know if the result is different.

MathieuBrousseIDO commented 2 weeks ago

Hi,

My other test passed. The config file is basically the same, so it's really strange, but I finally have a full scan result, and that is really great! It will help me a lot. Sadly, the App Defense Alliance deprecated the self-scanning process (yesterday), so the scan will not be enough to get the assessment. Thank you for your advice; I hope my future scans will be fine too.

Regards,