Open VainlyStrain opened 3 years ago
Do I understand this correctly: the respective OkHttp version is found, but no security indicator is shown in the results?
The security-related library versions are not hardcoded in the LibScout source. Instead, the [SECURITY] flag is used in the comment section of the library.xml when profiling the library version. Upon detection, LibScout scans the comment section for the [SECURITY] flag.
For OkHttp 2.3.0 the library.xml looks like this:
```xml
<?xml version="1.0"?>
<library>
<name>OkHttp</name>
<category>Utilities</category>
<version>2.3.0</version>
<releasedate>17.03.2015</releasedate>
<comment>[SECURITY] Certificate pinning bypass vulnerability: https://medium.com/square-corner-blog/vulnerability-in-okhttps-certificate-pinner-2a7326ad073b</comment>
</library>
```
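As an added example (not LibScout's own code, and not part of the original thread), the following Python script does what the reply describes: it reads `library.xml` profile descriptions and reports which library versions carry the literal `[SECURITY]` marker in their `<comment>` element. Someone integrating LibScout can run it over their profile directory to confirm the flag is actually present in the profiles being loaded. The directory layout (one `library.xml` per version directory), the case-sensitive literal match, the `OkHttp 2.4.0` sample and the `demo()` helper are assumptions of this example, not documented LibScout behaviour.

```python
"""Report which LibScout library profile descriptions carry the [SECURITY] flag.

Added example, not LibScout's own code. It mirrors the maintainer's description
that the flag lives in the <comment> element of library.xml. The case-sensitive
literal match and the directory layout used by scan_profiles() are assumptions.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

SECURITY_FLAG = "[SECURITY]"

# Constructed sample, identical in content to the OkHttp 2.3.0 profile quoted above.
FLAGGED_XML = """<?xml version="1.0"?>
<library>
<name>OkHttp</name>
<category>Utilities</category>
<version>2.3.0</version>
<releasedate>17.03.2015</releasedate>
<comment>[SECURITY] Certificate pinning bypass vulnerability: https://medium.com/square-corner-blog/vulnerability-in-okhttps-certificate-pinner-2a7326ad073b</comment>
</library>
"""

# Constructed, hypothetical sample: a comment is present but carries no flag.
UNFLAGGED_XML = """<?xml version="1.0"?>
<library>
<name>OkHttp</name>
<category>Utilities</category>
<version>2.4.0</version>
<comment>profiled for testing only</comment>
</library>
"""


def parse_library_xml(text):
    """Parse one library.xml and return name, version, comment and the flag state.

    A missing <comment> element is treated as an empty comment, so a profile
    without any comment can never be reported as security-relevant.
    """
    root = ET.fromstring(text)  # local, trusted profile files; use defusedxml for untrusted input
    if root.tag != "library":
        raise ValueError("not a library.xml: root element is %r" % root.tag)

    def field(tag):
        el = root.find(tag)
        return (el.text or "").strip() if el is not None else ""

    comment = field("comment")
    return {
        "name": field("name"),
        "version": field("version"),
        "comment": comment,
        "security": SECURITY_FLAG in comment,  # assumed: literal, case-sensitive match
    }


def scan_profiles(root_dir):
    """Walk root_dir for library.xml files; return sorted (name, version, flagged) tuples."""
    results = []
    for dirpath, _dirs, files in os.walk(root_dir):
        if "library.xml" in files:
            with open(os.path.join(dirpath, "library.xml"), encoding="utf-8") as fh:
                info = parse_library_xml(fh.read())
            results.append((info["name"], info["version"], info["security"]))
    return sorted(results)


def demo():
    """Write the two constructed profiles into a temp tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for sub, xml in (("okhttp-2.3.0", FLAGGED_XML), ("okhttp-2.4.0", UNFLAGGED_XML)):
            d = os.path.join(tmp, sub)
            os.makedirs(d)
            with open(os.path.join(d, "library.xml"), "w", encoding="utf-8") as fh:
                fh.write(xml)
        return scan_profiles(tmp)


if __name__ == "__main__":
    for name, version, flagged in demo():
        print("%s %s %s" % (name, version, SECURITY_FLAG if flagged else "-"))
```

Pointing `scan_profiles()` at the real profile tree is the quickest way to tell whether a "no indicator" result comes from the profile (flag absent or spelled differently) rather than from the detection run.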
Dear LibScout Team,
Currently, I am integrating LibScout into MobSF for a university project. In my testcase, I have an Android APK depending on OkHttp version 2.3.0. Referring to this repository's README.md, this version should be detected as vulnerable. However, this does not happen.
Specifics: Java OpenJDK 8, tested on Ubuntu 20 LTS x86-64 and macOS Mojave
How to replicate: Since the vulnerability is still present in the app's latest version, I am not going to disclose the exact APK used, so I use the placeholder VULN.apk instead
(executed in the LibScout root directory; PROFILE_PATH is pointing to this):
Enabling the comments in the config file does display some information, but not the important [SECURITY] section. Has this been found after the latest update to the above repo, or are we using the tool wrongly?
Yours sincerely