owasp-dep-scan / blint

BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
MIT License

OkHTTP library - how to list in SBOM? #119

Open sushi2k opened 3 days ago

sushi2k commented 3 days ago

Hi,

I am evaluating at the moment how I can create SBOMs out of an APK and upload them to Dependency-Track to check for known vulnerabilities. Today I tried blint.

I've got a simple Android app that has one vulnerable dependency that I added via build.gradle.kts.

    implementation("com.squareup.okhttp3:okhttp:4.8.0")

The library is imported and I am creating a simple GET request by using OkHTTP. Afterwards I created an APK and scanned it with blint (without and with --deep):

$ blint sbom -i app-debug.apk -o app-debug.sbom
$ blint sbom -i app-debug.apk -o app-debug-deep.sbom --deep

When I now search for OkHttp in the first scan, it cannot be found and there is no result.

$ grep -iRn okhttp app-debug.sbom

In the SBOM generated with the deep scan there are 1,854 matches for "okhttp". If I upload the deep-scan SBOM into Dependency-Track it shows me 51 dependencies, but it does not list OkHttp. So it hasn't identified OkHTTP as a dependency in the APK.

My understanding is that --deep greps through the DEX files to identify classes for dependencies. Would this help to create an SBOM, or is --deep not useful for creating an SBOM?


And is it possible in this scenario to list a dependency that was added by Gradle into the SBOM created by blint?
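A `grep -c` over the whole SBOM file, as used in the report above, counts every occurrence of a string, including class names that a deep scan may record as evidence or properties of a file component. Dependency-Track, by contrast, only lists entries in the top-level `components` array. The following script is an added example (not blint's code and not part of the issue) that separates the two views: it counts raw mentions of a name and, separately, lists the components whose `group`, `name` or `purl` actually match. It assumes the SBOM is CycloneDX JSON; the embedded sample document is constructed for illustration and is not the output of any real scan.

```python
"""Distinguish raw string mentions in an SBOM from declared components.

Assumes a CycloneDX JSON document. The sample below is constructed, not
produced by blint or any other tool.
"""
import json
import sys
from typing import Dict, List

# Constructed sample: one real library component plus one file component whose
# properties mention okhttp3 class names. There is deliberately no OkHttp component.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "library",
            "group": "androidx.core",
            "name": "core",
            "version": "1.9.0",
            "purl": "pkg:maven/androidx.core/core@1.9.0",
        },
        {
            "type": "file",
            "name": "classes.dex",
            "properties": [
                # Hypothetical property name, used only to carry class-name evidence.
                {"name": "internal:class_names",
                 "value": "okhttp3.OkHttpClient okhttp3.Request"},
            ],
        },
    ],
})


def load_components(sbom_text: str) -> List[Dict]:
    """Return the top-level components array (empty if absent)."""
    return json.loads(sbom_text).get("components", [])


def find_components(components: List[Dict], needle: str) -> List[Dict]:
    """Components whose group, name or purl contain needle (case-insensitive).

    This approximates what an SBOM consumer such as Dependency-Track sees as a
    dependency: only declared components count, not strings buried in evidence.
    """
    needle = needle.lower()
    hits = []
    for comp in components:
        fields = (comp.get("group", ""), comp.get("name", ""), comp.get("purl", ""))
        if any(needle in field.lower() for field in fields):
            hits.append(comp)
    return hits


def count_mentions(sbom_text: str, needle: str) -> int:
    """Raw case-insensitive substring count over the whole document (what grep counts)."""
    return sbom_text.lower().count(needle.lower())


def describe(sbom_text: str, needle: str) -> Dict:
    """Summarise both views so the gap between them is visible at a glance."""
    hits = find_components(load_components(sbom_text), needle)
    return {
        "mentions": count_mentions(sbom_text, needle),
        "components": [c.get("purl") or c.get("name") for c in hits],
    }


if __name__ == "__main__":
    # Usage: python check_sbom.py <sbom.json> <name>; without arguments the sample runs.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        name = sys.argv[2]
    else:
        text, name = SAMPLE_SBOM, "okhttp"
    print(json.dumps(describe(text, name), indent=2))
```

Run against the sample, `describe` reports three mentions of "okhttp" but an empty component list, which is the same pattern the issue describes: many grep hits in the deep-scan output, yet no OkHttp dependency in Dependency-Track. Running it against a real blint output with the library name as the second argument tells you directly whether the library was emitted as a component or merely mentioned.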

prabhu commented 3 days ago

@sushi2k could you kindly share the APK and the generated SBOM. Also try cdxgen to generate an SBOM from the source.

sushi2k commented 2 days ago

@prabhu Here you go: