reddr / LibScout

LibScout: Third-party library detector for Java/Android apps
Apache License 2.0

LibScout doesn't detect Vulnerability #35

Open VainlyStrain opened 3 years ago

VainlyStrain commented 3 years ago

Dear LibScout Team

Currently, I am integrating LibScout into MobSF for a university project. In my testcase, I have an Android APK depending on OkHttp version 2.3.0. Referring to this repository's README.md, this version should be detected as vulnerable. However, this does not happen.

Specifics: Java OpenJDK 8, tested on Ubuntu 20 LTS x86-64 and macOS Mojave

How to replicate: Since the vulnerability is still present in the app's latest version, I am not going to disclose the exact APK used. Therefore, the placeholder VULN.apk (executed in LibScout root directory, PROFILE_PATH is pointing to this):

java -jar build/libs/LibScout.jar -a <SDK_PATH> -p <PROFILE_PATH> -o match <VULN.apk>

Enabling the comments in the config file does display some information, but not the important [SECURITY] section. Has this been found after the latest update to the above repo, or are we using the tool wrongly?

Yours sincerely

reddr commented 3 years ago

Do I understand this correctly, the respective OkHttp version is found but no security indicator is shown in the results?

The security-related library versions are not hardcoded in the LibScout source. Instead, the [SECURITY] flag is used in the comment section of the library.xml when profiling the library version. Upon detection, LibScout scans the comment section for the [SECURITY] flag.

For OkHttp 2.3.0 the library.xml looks like this:

<?xml version="1.0"?>
<library>
    <name>OkHttp</name>
    <category>Utilities</category>
    <version>2.3.0</version>
    <releasedate>17.03.2015</releasedate>
    <comment>[SECURITY] Certificate pinning bypass vulnerability: https://medium.com/square-corner-blog/vulnerability-in-okhttps-certificate-pinner-2a7326ad073b</comment>
</library>
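Since the [SECURITY] marker lives only in the profile's comment element, a useful first check when the indicator is missing is whether the library.xml in the profile directory actually carries it. The following is an added Python example (not LibScout's or MobSF's own code) that parses a library.xml like the one above, extracts the security note, and, going one step beyond the single file, walks a profile directory to list every flagged version; the sample XML is constructed from the profile quoted above and the directory layout is assumed to contain library.xml files somewhere below the given root.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the OkHttp 2.3.0 profile quoted in the reply above.
SAMPLE_LIBRARY_XML = """<?xml version="1.0"?>
<library>
    <name>OkHttp</name>
    <category>Utilities</category>
    <version>2.3.0</version>
    <releasedate>17.03.2015</releasedate>
    <comment>[SECURITY] Certificate pinning bypass vulnerability: https://medium.com/square-corner-blog/vulnerability-in-okhttps-certificate-pinner-2a7326ad073b</comment>
</library>
"""

SECURITY_FLAG = "[SECURITY]"


def parse_library_xml(xml_text):
    """Parse one library.xml profile and return name, version, comment and
    the text following the [SECURITY] flag (None if the flag is absent)."""
    root = ET.fromstring(xml_text)
    if root.tag != "library":
        raise ValueError(f"unexpected root element: {root.tag}")

    def field(tag):
        el = root.find(tag)
        return (el.text or "").strip() if el is not None else ""

    comment = field("comment")
    security_note = None
    if SECURITY_FLAG in comment:
        # Everything after the flag is the human-readable advisory text.
        security_note = comment.split(SECURITY_FLAG, 1)[1].strip()
    return {"name": field("name"), "version": field("version"),
            "comment": comment, "security_note": security_note}


def find_flagged_profiles(profile_root):
    """Walk a profile tree (assumed layout: library.xml files anywhere below
    profile_root) and return (name, version, note) for each flagged version."""
    flagged = []
    for path in sorted(Path(profile_root).rglob("library.xml")):
        info = parse_library_xml(path.read_text(encoding="utf-8"))
        if info["security_note"]:
            flagged.append((info["name"], info["version"], info["security_note"]))
    return flagged


if __name__ == "__main__":
    print(parse_library_xml(SAMPLE_LIBRARY_XML))
```

If the profile directory yields no entry for the OkHttp version in question, the flag was never part of the profile used for matching, which would explain the missing section independently of the detection itself.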