OWASP/glue

MobSF report exclusion does not work with --finding-file-path for glue_ignore.json

Closed this issue · 2 comments

```shell
# copy report.json from scan container
docker cp mobsfci_scan_1:/app/output .

# copy report.json and glue_ignore.json to glue container
docker run --name glue -d owasp/glue:raw-latest /bin/sh -c "while true; do echo hello world; sleep 1; done"
GLUE_CONTAINER_ID=$(docker ps -a -f name=glue --format "{{.ID}}")
docker cp output "$GLUE_CONTAINER_ID":/glue

# run glue command
docker exec -it "$GLUE_CONTAINER_ID" ruby bin/glue name="glue" -t Dynamic -T /glue/output/report.json --mapping-file mobsf --finding-file-path /glue/output/glue_ignore.json -z 3
```

```text
setting severity_threshold to 3
Logfile nil?
calling scan
Running scanner
Loading scanner...
Processing target.../glue/output/report.json
Running tasks in stage: wait
Running tasks in stage: mount
Running tasks in stage: file
Running tasks in stage: code
code - Dynamic - #Set:0x0000560db0809eb8
Running tasks in stage: live
Running tasks in stage: done
Running base report...

Description: Debugging was enabled on the app which makes it easier for reverse engineers to hook a debugger to it. This allows dumping a stack trace and accessing debugging helper classes.

Timestamp: 2019-11-27 20:44:20 +0000

Source: Debug Enabled For App <br>[android:debuggable=true]

Severity: 3

Fingerprint:  Debug Enabled For App <br>[android:debuggable=true]

Found by:  MobSF

Detail:  Debug Enabled For App <br>[android:debuggable=true]

Description: A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Timestamp: 2019-11-27 20:44:20 +0000

Source: <strong>Broadcast Receiver</strong> (com.bigcommerce.heartbeat.firebase.messaging.MessagingReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>com.google.android.c2dm.permission.SEND <br>[android:exported=true]

Severity: 3

Fingerprint:  <strong>Broadcast Receiver</strong> (com.bigcommerce.heartbeat.firebase.messaging.MessagingReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>com.google.android.c2dm.permission.SEND <br>[android:exported=true]

Found by:  MobSF

Detail:  <strong>Broadcast Receiver</strong> (com.bigcommerce.heartbeat.firebase.messaging.MessagingReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>com.google.android.c2dm.permission.SEND <br>[android:exported=true]

Description: A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Timestamp: 2019-11-27 20:44:20 +0000

Source: <strong>Broadcast Receiver</strong> (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>com.google.android.c2dm.permission.SEND <br>[android:exported=true]

Severity: 3

Fingerprint:  <strong>Broadcast Receiver</strong> (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>com.google.android.c2dm.permission.SEND <br>[android:exported=true]

Found by:  MobSF

Detail:  <strong>Broadcast Receiver</strong> (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>com.google.android.c2dm.permission.SEND <br>[android:exported=true]

Description: A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

Timestamp: 2019-11-27 20:44:20 +0000

Source: <strong>Broadcast Receiver</strong> (com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>android.permission.INSTALL_PACKAGES <br>[android:exported=true]

Severity: 3

Fingerprint:  <strong>Broadcast Receiver</strong> (com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>android.permission.INSTALL_PACKAGES <br>[android:exported=true]

Found by:  MobSF

Detail:  <strong>Broadcast Receiver</strong> (com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>android.permission.INSTALL_PACKAGES <br>[android:exported=true]

Worst finding (3) meets severity threshold (3)
Exited with code 3
```

What did you expect to happen? Looks like it worked...
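The log above shows what an ignore list has to achieve: suppress findings by their exact fingerprint, then gate the exit code on the worst severity that survives. The following is an added, stand-alone illustration of that logic, not glue's own code and not a description of how glue implements `--finding-file-path`. It assumes the ignore file is a JSON array of fingerprint strings (an assumption; check glue's documentation for the real format), it assumes the exit code mirrors the "Worst finding (3) meets severity threshold (3) / Exited with code 3" convention in the log, and all findings and ignore entries are constructed sample data. The one thing it is meant to make visible is the usual reason an exclusion silently does nothing: the fingerprints MobSF emits carry inline HTML such as `<br>` and `<strong>`, and an entry copied from a rendered report without those tags matches nothing.

```ruby
require 'json'
require 'set'

# Constructed sample findings, shaped like the fields glue prints in the log
# above (description, severity, fingerprint, found-by). Not real scan output.
SAMPLE_FINDINGS = [
  { 'description' => 'Debugging was enabled on the app.',
    'severity'    => 3,
    'fingerprint' => 'Debug Enabled For App <br>[android:debuggable=true]',
    'found_by'    => 'MobSF' },
  { 'description' => 'Exported Broadcast Receiver guarded by an externally defined permission.',
    'severity'    => 3,
    'fingerprint' => '<strong>Broadcast Receiver</strong> (com.example.app.MessagingReceiver) <br>[android:exported=true]',
    'found_by'    => 'MobSF' },
  { 'description' => 'App requests fine location.',
    'severity'    => 1,
    'fingerprint' => 'android.permission.ACCESS_FINE_LOCATION',
    'found_by'    => 'MobSF' }
].freeze

# Constructed ignore list. Assumed format for this example only: a JSON array
# of fingerprint strings. glue's real ignore-file format may differ.
SAMPLE_IGNORE_JSON = JSON.generate(['Debug Enabled For App <br>[android:debuggable=true]'])

# Parse the ignore file into a set of fingerprints. Only surrounding whitespace
# is stripped; the comparison is otherwise exact, including any inline HTML
# ("<br>", "<strong>") that the scanner embeds in the fingerprint.
def load_ignore_fingerprints(json_text)
  entries = JSON.parse(json_text)
  raise ArgumentError, 'ignore file must be a JSON array of fingerprints' unless entries.is_a?(Array)
  Set.new(entries.map { |e| e.to_s.strip })
end

# Split findings into kept and suppressed, and report every ignore entry that
# matched nothing. An unmatched entry is the diagnostic to look at first when
# an exclusion "does not work": the fingerprint differs from what the scanner
# emitted, most often because the HTML tags were lost when it was copied.
def apply_ignore_list(findings, ignored)
  suppressed, kept = findings.partition { |f| ignored.include?(f['fingerprint'].to_s.strip) }
  matched   = suppressed.map { |f| f['fingerprint'].to_s.strip }.to_set
  unmatched = (ignored - matched).to_a
  [kept, suppressed, unmatched]
end

# Gate the run the way the log above reports it (assumed convention): if the
# worst remaining severity meets the threshold, return it as the exit code,
# otherwise 0. An empty finding list yields 0.
def exit_code_for(findings, threshold)
  worst = findings.map { |f| f['severity'].to_i }.max || 0
  worst >= threshold ? worst : 0
end

if $PROGRAM_NAME == __FILE__
  kept, suppressed, unmatched = apply_ignore_list(SAMPLE_FINDINGS, load_ignore_fingerprints(SAMPLE_IGNORE_JSON))
  puts "suppressed #{suppressed.size}, kept #{kept.size}, unmatched ignore entries: #{unmatched.inspect}"
  puts "exit code at threshold 3: #{exit_code_for(kept, 3)}"
end
```

When an exclusion appears to have no effect, the first thing to check is the `unmatched` list: if every entry in your ignore file is reported there, the strings do not match the `Fingerprint:` lines the scanner printed, and the severity gate will behave exactly as if no ignore file had been supplied.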

Ignore it, I have this working fine now. Thank you!