microsoft / sarif-sdk

.NET code and supporting files for working with the 'Static Analysis Results Interchange Format' (SARIF, see https://github.com/oasis-tcs/sarif-spec)

Investigate SARIF support for MobSF reports #2380

Open michaelcfanning opened 3 years ago

michaelcfanning commented 3 years ago

https://github.com/MobSF/Mobile-Security-Framework-MobSF/

@eddynaka @yongyan-gh @shaopeng-gh

Feasible? Useful?

eddynaka commented 3 years ago

Hi @michaelcfanning ,

Looks like they already have support: https://github.com/MobSF/mobsfscan

michaelcfanning commented 3 years ago

Interesting! So, has someone taken a look at their SARIF? Is it listed in our ecosystem document? Is there a GHAS action around it?

yongyan-gh commented 3 years ago

It also has a published action: https://github.com/marketplace/actions/mobsfscan. Will generate a SARIF result using the tool and take a look.

yongyan-gh commented 3 years ago

Attached a SARIF result file produced by MobSF: SARIF results.zip

There is a GitHub ingest validation issue:

GH1004: runs[0].results[7].locations: This array contains 39 element(s), which exceeds the default limit of 10 imposed by GitHub Advanced Security code scanning. GitHub will only display information up to that limit. You can provide a configuration file at the root of your repository to specify a higher limit.

One of the Note-level results ("Please ensure that sensitive information is never logged.") was found in 39 places, which exceeds the limit of 10 imposed by GHAS. But the result can still be ingested by GitHub; the results were ingested and displayed in the Security tab.

Another issue is that the rules are not assigned opaque rule IDs, which we can work with them to address.
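As an added example (not code from sarif-sdk, mobsfscan, or anyone in this thread), the script below reproduces the GH1004 location-count check over a SARIF 2.1.0 log and applies one workaround: splitting any result that carries more than 10 locations into several results of at most 10 locations each, so none of the 39 sites is hidden by the default limit. It also lists `ruleId`s used by results that the run's `tool.driver.rules` never declares, a cheap sanity check when a producer's rule metadata is still being worked out. The sample log, rule id, file paths, and the 39-location result are constructed to stand in for the attached MobSF output; the split is one pragmatic option, not GitHub's recommended fix (GitHub's own message points at a repository configuration file to raise the limit instead).

```python
import copy
import json
import sys

# Default per-result location limit that GitHub's GH1004 validation refers to.
GHAS_DEFAULT_LOCATION_LIMIT = 10


def _location(uri, line):
    """Build a minimal SARIF physicalLocation."""
    return {
        "physicalLocation": {
            "artifactLocation": {"uri": uri, "uriBaseId": "%SRCROOT%"},
            "region": {"startLine": line},
        }
    }


# Constructed sample standing in for the MobSF SARIF attached in the thread.
# Result 0 mimics the Note-level finding reported at 39 places; result 2 uses a
# ruleId the driver never declares (a hypothetical id, used only to exercise the check).
SAMPLE_SARIF = {
    "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
    "version": "2.1.0",
    "runs": [
        {
            "tool": {
                "driver": {
                    "name": "mobsfscan",
                    "rules": [{"id": "android_logging"}],
                }
            },
            "results": [
                {
                    "ruleId": "android_logging",
                    "level": "note",
                    "message": {"text": "Please ensure that sensitive information is never logged."},
                    "locations": [_location(f"app/src/main/java/File{i}.java", i + 1) for i in range(39)],
                },
                {
                    "ruleId": "android_logging",
                    "level": "note",
                    "message": {"text": "Please ensure that sensitive information is never logged."},
                    "locations": [_location("app/src/main/java/Other.java", 5)],
                },
                {
                    "ruleId": "hypothetical_undeclared_rule",
                    "level": "warning",
                    "message": {"text": "Constructed finding with no matching rule entry."},
                    "locations": [_location("app/src/main/java/Third.java", 9)],
                },
            ],
        }
    ],
}


def find_oversized_results(sarif, limit=GHAS_DEFAULT_LOCATION_LIMIT):
    """Return (run_index, result_index, location_count) for every result whose
    locations array exceeds `limit`, the condition GH1004 reports."""
    findings = []
    for run_i, run in enumerate(sarif.get("runs", [])):
        for res_i, result in enumerate(run.get("results", [])):
            count = len(result.get("locations", []))
            if count > limit:
                findings.append((run_i, res_i, count))
    return findings


def split_oversized_results(sarif, limit=GHAS_DEFAULT_LOCATION_LIMIT):
    """Return a deep copy of the log in which each over-limit result is replaced by
    several copies holding at most `limit` locations each. Every location survives;
    the original log is not modified."""
    out = copy.deepcopy(sarif)
    for run in out.get("runs", []):
        new_results = []
        for result in run.get("results", []):
            locs = result.get("locations", [])
            if len(locs) <= limit:
                new_results.append(result)
                continue
            for start in range(0, len(locs), limit):
                chunk = copy.deepcopy(result)
                chunk["locations"] = locs[start:start + limit]
                # Copies must not share one fingerprint; GitHub derives its own
                # primaryLocationLineHash when partialFingerprints is absent.
                chunk.pop("partialFingerprints", None)
                new_results.append(chunk)
        run["results"] = new_results
    return out


def undeclared_rule_ids(sarif):
    """Return the set of ruleIds referenced by results but absent from tool.driver.rules."""
    missing = set()
    for run in sarif.get("runs", []):
        declared = {r.get("id") for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for result in run.get("results", []):
            rule_id = result.get("ruleId")
            if rule_id is None or rule_id not in declared:
                missing.add(rule_id)
    return missing


if __name__ == "__main__":
    # Usage: python check_sarif.py [path.sarif]; without a path the constructed sample is used.
    log = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SARIF
    for run_i, res_i, n in find_oversized_results(log):
        print(f"GH1004-style: runs[{run_i}].results[{res_i}].locations has {n} elements")
    print("undeclared ruleIds:", sorted(map(str, undeclared_rule_ids(log))))
    json.dump(split_oversized_results(log), sys.stdout, indent=2)
```

Splitting keeps every location visible but turns one finding into several alerts, so dashboards count the rule more times; if the producer already emits `partialFingerprints`, dropping them on the copies (as above) is the conservative choice so the copies are not matched as one alert.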