Soluto/mobsf-ci

report does not contains key 'manifest''

bc-venkata opened this issue · 2 comments

I am running MobSF in CircleCI and I have been getting an error for the last two days:

```
Status: Downloaded newer image for owasp/glue:raw-latest
6f430ff20d87ad56e11aa8fffab8f600029b7cc33ddf59de2dee075663fefce3
^@^@setting severity_threshold to 2
Logfile nil?
calling scan
Running scanner
Loading scanner...
Processing target.../glue/output/report.json
Running tasks in stage: wait
Running tasks in stage: mount
Running tasks in stage: file
Running tasks in stage: code
code - Dynamic - #Set:0x000055ec11a11f00
report does not contains key 'manifest''
```

The REST API schemas have changed with MobSF v3.
manifest is replaced with manifest_analysis.
So are a couple of other fields.

```yaml
- run:
    name: MobSF
    command: |
      git clone https://github.com/Soluto/mobsf-ci.git
      mkdir ~/code/output/
      sudo echo '{"Debug Enabled For App <br>[android:debuggable=true]":"ignore","<strong>Broadcast Receiver</strong> (com.bigcommerce.heartbeat.firebase.messaging.MessagingReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>com.google.android.c2dm.permission.SEND <br>[android:exported=true]":"ignore","<strong>Broadcast Receiver</strong> (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>com.google.android.c2dm.permission.SEND <br>[android:exported=true]":"ignore","<strong>Broadcast Receiver</strong> (com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>android.permission.INSTALL_PACKAGES <br>[android:exported=true]":"ignore", "<strong>Activity</strong> (androidx.biometric.DeviceCredentialHandlerActivity) is not Protected. <br>[android:exported=true]":"ignore", "<strong>Service</strong> (androidx.work.impl.background.systemjob.SystemJobService) is Protected by a permission, but the protection level of the permission should be checked.</br><strong>Permission: </strong>android.permission.BIND_JOB_SERVICE <br>[android:exported=true]":"ignore"}' > ~/code/output/glue_ignore.json
      mv ~/code/bcapp.apk mobsf-ci/scan/
      cd mobsf-ci
      TARGET_PATH='/app/bcapp.apk' docker-compose up --build --exit-code-from scan
      # copy report.json from scan container
      docker cp mobsfci_scan_1:/app/output .
      # copy report.json and glue_ignore.json to glue container
      docker run --name glue -d owasp/glue:raw-latest /bin/sh -c "while true; do echo hello world; sleep 1; done"
      GLUE_CONTAINER_ID=$(docker ps -a -f name=glue --format "{{.ID}}")
      docker cp ~/code/output/glue_ignore.json $GLUE_CONTAINER_ID:/tmp/glue_ignore.json
      docker cp output $GLUE_CONTAINER_ID:/glue
      # run glue command
      docker exec -it $GLUE_CONTAINER_ID ruby bin/glue name="glue" -t Dynamic -T /glue/output/report.json --mapping-file mobsf --finding-file-path /tmp/glue_ignore.json -z 2
```

I think that the MobSF API was changed recently; see the issue OWASP/glue#174. Can you try changing the schema as proposed in the PR?
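
A pre-flight check for the schema change discussed in this thread, as an added example that is not part of the original posts or of the mobsf-ci or Glue code: it aliases the MobSF v3 key back to the name in the error message and fails the job with a clear message if neither name is present. `legacy_view`, `V3_RENAMES`, `SchemaDrift` and the sample report are constructed for illustration; only the `manifest` to `manifest_analysis` rename comes from this thread, and it is an assumption that the entries under that key still have the shape the Glue mapping expects.

```ruby
require 'json'

# Legacy key (the name in the Glue error) => key MobSF v3 emits instead.
# Only the rename stated in this thread is listed. The thread says other
# fields changed too without naming them; add them after checking a report.
V3_RENAMES = { 'manifest' => 'manifest_analysis' }.freeze

class SchemaDrift < StandardError; end

# Returns [report_with_legacy_keys, notes]. The input hash is not modified.
# Raises SchemaDrift when a required key is missing under both names, so
# the CI job stops before the scanner gate runs on an unusable report.
def legacy_view(report, renames = V3_RENAMES)
  raise SchemaDrift, 'report root is not a JSON object' unless report.is_a?(Hash)

  out = report.dup
  notes = []
  renames.each do |legacy, v3|
    if out.key?(legacy)
      notes << "#{legacy}: already present, kept"
    elsif out.key?(v3)
      out[legacy] = out[v3]
      notes << "#{legacy}: copied from #{v3}"
    else
      raise SchemaDrift, "report has neither '#{legacy}' nor '#{v3}'"
    end
  end
  [out, notes]
end

# Constructed sample, not real MobSF output.
SAMPLE_V3 = '{"app_name":"demo","manifest_analysis":' \
            '[{"title":"constructed finding","stat":"high"}]}'.freeze

# CLI use (hypothetical file name): ruby preflight.rb report.json fixed.json
if ARGV.size == 2
  begin
    fixed, notes = legacy_view(JSON.parse(File.read(ARGV[0])))
  rescue SchemaDrift, JSON::ParserError => e
    abort "schema pre-flight failed: #{e.message}"
  end
  File.write(ARGV[1], JSON.generate(fixed))
  warn notes.join("\n")
end
```

Because the Glue container already runs `ruby bin/glue`, a script like this can run there on `/glue/output/report.json` before the scan, with Glue then pointed at the rewritten file.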

Hi there! The maintainer of this repository left the company some time ago and we archived the repository at that time. I'm closing out some old issues as part of a cleanup to our GitHub repositories.

If you're still using this solution, please migrate to an alternative as soon as possible. Thanks!