nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0

config folder not scanned in umbrella projects #65

Closed Helpys closed 4 years ago

Helpys commented 4 years ago

If I generate a default Phoenix project from scratch with mix phx.new simple, then sobelow finds three problems in the Phoenix configuration file config.exs in the first run:

mix sobelow --compact   
[+] Config.CSP: Missing Content-Security-Policy - lib/simple_web/router.ex:9
[+] Config.HTTPS: HTTPS Not Enabled - config/prod.exs:0
[+] Config.CSWH: Cross-Site Websocket Hijacking - lib/simple_web/endpoint.ex:17

But if I generate a default Phoenix umbrella project from scratch with mix phx.new complex --umbrella, then sobelow does not find the three problems in the Phoenix configuration file config.exs in the first run. (Probably because the configuration file is in the root folder of the umbrella project, not in the selected app folder.)

mix sobelow --root apps/complex_web --compact
WARNING: Web directory was not found in the expected location.
This may be a result of non-standard directory structure, or use
of an umbrella project. All files in the "lib" directory were
scanned for vulnerabilities.

GriffinMB commented 4 years ago

Hi, thanks for opening this issue!

Sorry about the problem, it looks like this is related to some backwards compatibility features for some older Phoenix directory structures. This will be a good time to simplify all of that since it's no longer relevant; I should have a fix on GitHub in the next day or so :)

GriffinMB commented 4 years ago

This change has been pushed to master! You can check it out by installing with mix archive.install nccgroup/sobelow.

It won't flag HTTPS, since that is managed outside of the root directory, but will appropriately flag the other two findings.

I will push this to Hex later on this week, unless I hear otherwise. Thanks again!
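A small POSIX shell helper, added here as an example and not part of sobelow or this thread, that follows up on the --root workaround above and on the caveat that the umbrella's shared config/prod.exs (where HTTPS is managed) sits outside every app root: it scans each app under apps/ separately and reports the root config that the per-app scans cannot see. The apps/ and config/prod.exs layout of the default mix phx.new --umbrella project is assumed.

```shell
# Added example, not part of sobelow or this thread: scan each app of a
# Phoenix umbrella project with `mix sobelow --root <app>`, since one run
# only covers the selected app. Default `mix phx.new --umbrella` layout assumed.

# Print each umbrella app directory (relative to the umbrella root) that
# contains a mix.exs, one per line. $1 = umbrella root (default: .).
umbrella_apps() {
  root="${1:-.}"
  (
    cd "$root" || exit 1
    for mixfile in apps/*/mix.exs; do
      [ -f "$mixfile" ] || continue
      dirname "$mixfile"
    done
  )
}

# Print the sobelow command line for each app without running anything.
# $1 = umbrella root; remaining args are passed through (e.g. --compact).
sobelow_plan() {
  root="${1:-.}"
  [ $# -gt 0 ] && shift
  umbrella_apps "$root" | while IFS= read -r app; do
    printf 'mix sobelow --root %s%s\n' "$app" "${*:+ $*}"
  done
}

# Return 0 when the umbrella root has a shared config/prod.exs. Per-app
# scans never see this file, so its HTTPS settings need a manual review.
has_root_prod_config() {
  [ -f "${1:-.}/config/prod.exs" ]
}

# Run every scan from the umbrella root; exit status is non-zero if any
# app scan fails. Usage: scan_umbrella . --compact
scan_umbrella() {
  root="${1:-.}"
  [ $# -gt 0 ] && shift
  status=0
  for app in $(umbrella_apps "$root"); do
    echo "== $app"
    ( cd "$root" && mix sobelow --root "$app" "$@" ) || status=1
  done
  if has_root_prod_config "$root"; then
    echo "note: $root/config/prod.exs is outside every app root; review its HTTPS settings by hand"
  fi
  return $status
}
```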