Open sushi2k opened 3 days ago
@sushi2k could you kindly share the APK and the generated SBOM? Also try cdxgen to generate an SBOM from the source.
@prabhu Here you go:

SBOM created with `$ blint sbom -i app-debug.apk -o app-debug.sbom`: app-debug.sbom.txt

SBOM created with `$ blint sbom -i app-debug.apk -o app-debug-deep.sbom --deep`: app-debug-deep.sbom.txt

And with cdxgen: sbom.json.txt
```
$ cdxgen -t java -o sbom.json
Executing /Users/sushi2k/Documents/mastg-apps/MASTestApp-Android-MASWE-0076/gradlew --build-cache --console plain --no-parallel properties in .
Executing /Users/sushi2k/Documents/mastg-apps/MASTestApp-Android-MASWE-0076/gradlew --build-cache --console plain --no-parallel :app:properties in .
Executing /Users/sushi2k/Documents/mastg-apps/MASTestApp-Android-MASWE-0076/gradlew --build-cache --console plain --no-parallel dependencies :app:dependencies in .
Obtained 203 from this gradle project. De-duping this list ...
```
Hi,

I am evaluating at the moment how I can create SBOMs out of an APK and upload them to Dependency-Track to check for known vulnerabilities. I tried blint today.

I've got a simple Android app that has one vulnerable dependency that I added via `build.gradle.kts`. The library is imported and I am creating a simple GET request by using OkHttp. Afterwards I created an APK and scanned it with blint (without and with `--deep`):

When I search now for OkHttp in the 1st scan it cannot be found and there is no result.

In the SBOM generated with the deep scan there are 1,854 matches for "okhttp". If I upload the SBOM with the deep scan into Dependency-Track it will show me 51 dependencies, but it will not list OkHttp. So it hasn't identified OkHttp as a dependency in the APK.

My understanding is that `--deep` is grepping through the DEX files to identify classes for dependencies; would this help to create an SBOM? Or is `--deep` not useful to create an SBOM? And is it possible in this scenario to list a dependency that was added by Gradle in the SBOM created by blint?
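The distinction the report above turns on (many raw "okhttp" text hits in the deep-scan SBOM, yet no OkHttp entry among the dependencies Dependency-Track shows) can be checked mechanically. The script below is an added example, not code from blint, cdxgen, Dependency-Track or the issue author: it parses a CycloneDX JSON SBOM, counts raw substring hits the way a text search would, and separately lists only the declared `components` that name the library, which is what a vulnerability-matching tool actually consumes. Both SBOMs are constructed inline for illustration; the `example:symbols` property and the library versions are placeholders, not values taken from the issue's files.

```python
"""Check whether a library is a declared component of a CycloneDX SBOM.

Added example (not blint, cdxgen or Dependency-Track code). Raw text hits and
declared components are reported separately, because a file can mention a
library thousands of times (class names, symbols) without ever listing it as a
component with a purl that a vulnerability database can be matched against.
"""
import json
import re
from typing import Iterator

# Constructed sample: an SBOM in which the scanner did NOT declare OkHttp as a
# component. The hypothetical "example:symbols" property stands in for the many
# raw string hits a deep scan can leave behind without declaring the library.
SBOM_WITHOUT_OKHTTP = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "component": {
            "type": "application",
            "name": "app-debug.apk",
            "properties": [
                {"name": "example:symbols",
                 "value": "okhttp3/OkHttpClient okhttp3/Request"},
            ],
        }
    },
    "components": [
        {"type": "library", "group": "androidx.core", "name": "core-ktx",
         "version": "1.12.0",
         "purl": "pkg:maven/androidx.core/core-ktx@1.12.0"},
    ],
})

# Constructed sample: an SBOM in which the Gradle dependency was resolved and
# declared properly (versions are sample values, not the ones from the issue).
SBOM_WITH_OKHTTP = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "app-debug.apk"}},
    "components": [
        {"type": "library", "group": "androidx.core", "name": "core-ktx",
         "version": "1.12.0",
         "purl": "pkg:maven/androidx.core/core-ktx@1.12.0"},
        {"type": "library", "group": "com.squareup.okhttp3", "name": "okhttp",
         "version": "4.9.0",
         "purl": "pkg:maven/com.squareup.okhttp3/okhttp@4.9.0"},
        {"type": "library", "group": "com.squareup.okio", "name": "okio",
         "version": "2.8.0",
         "purl": "pkg:maven/com.squareup.okio/okio@2.8.0"},
    ],
})


def iter_components(bom: dict) -> Iterator[dict]:
    """Walk the component tree; CycloneDX allows components nested in components."""
    stack = list(bom.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))


def find_components(sbom_json: str, library: str) -> list:
    """Return declared components whose group, name or purl mention `library`.

    Only these entries (ideally carrying a purl) are what a tool such as
    Dependency-Track can match against vulnerability data.
    """
    pattern = re.compile(re.escape(library), re.IGNORECASE)
    hits = []
    for comp in iter_components(json.loads(sbom_json)):
        fields = " ".join(str(comp.get(k, "")) for k in ("group", "name", "purl"))
        if pattern.search(fields):
            hits.append({k: comp.get(k) for k in ("group", "name", "version", "purl")})
    return hits


def count_raw_matches(sbom_json: str, library: str) -> int:
    """Count substring hits anywhere in the file, as a plain text search would."""
    return len(re.findall(re.escape(library), sbom_json, re.IGNORECASE))


def report(sbom_json: str, library: str) -> str:
    """One-line summary contrasting raw text hits with declared components."""
    raw = count_raw_matches(sbom_json, library)
    comps = find_components(sbom_json, library)
    if comps:
        listed = ", ".join(f"{c['group']}:{c['name']}@{c['version']}" for c in comps)
        return f"{raw} raw text hit(s); declared as component(s): {listed}"
    return f"{raw} raw text hit(s), but no declared component: nothing for a vulnerability scanner to match"


if __name__ == "__main__":
    # With real files, read them instead: open("sbom.json").read()
    for label, sbom in (("without", SBOM_WITHOUT_OKHTTP), ("with", SBOM_WITH_OKHTTP)):
        print(f"{label}: {report(sbom, 'okhttp')}")
```

Run it against the real `sbom.json` from cdxgen and the two blint outputs by reading the files in place of the constructed strings; a high raw count with an empty component list is exactly the symptom described above, and means the library must be declared (group, name, version, purl) before uploading the SBOM can surface its known vulnerabilities.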