0 vulnerabilities found in Android library project
malenalbc opened this issue · 4 comments
Describe the bug
I've run version 2.0.5 of Insider from the precompiled binaries on my MacOS Mojave 10.14.6. The project I was trying the tool with should have at least one known vulnerability, but the report returned 0.
To Reproduce
Steps to reproduce the behavior:
- Was in folder
/Users/me/Downloads/insider_2.0.5_darwin_x86_64/
- Run
./insider -force --tech android --target /Users/me/Documents/company/androidlibrary
- The logs were successful:
Starting analysis for Android target /Users/me/Documents/company/androidlibrary
Starting Android source code analysis
Starting Android Manifest analysis
Loading manifest permission
198
Finished Android Manifest analysis
Starting Android Source Code Analysis
Removing: [] from file list from android tech
Removing: [] from file list from android tech
Found 927 files to analyze.
loading core rules
Rules 8
loading android rules
Rules 8
Starting extracting hardcoded information
Finished hardcoded information extraction
Starting main source code analysis
Finished main source code analysis
Scanned 166616 lines
Finished Android source Code analysis
Report Done
Json Report /Users/me/Downloads/insider_2.0.5_darwin_x86_64/report.json
Json Report 63.1 kB bytes written successfully
Html Report /Users/me/Downloads/insider_2.0.5_darwin_x86_64/report.html
Html Report 134.7 kB bytes written successfully
Found 0 warnings
-----------------------------------------------
Score Security 100/100
Vulnerability Number
High 0
Medium 0
Low 0
Total 0
-----------------------------------------------------------------------------------------------------------------------
You are using the Insider open source version. If you like the product and want more features,
visit http://insidersec.io and get to know our enterprise version.
If you are a developer, then you can contribute to the improvement of the software while using an open source version
-----------------------------------------------------------------------------------------------------------------------
Finished analysis for Android app #/Users/me/Documents/company/androidlibrary
Expected behavior
I have an insecure use of java.util.Random in a Kotlin object, and it wasn't found.
Desktop (please complete the following information):
- OS: MacOS
- Version: Mojave 10.14.6.
- Commit 2.0.5...master
Additional context
I don't know if this is relevant but: The report came back with a list of files, but not all the project .kt and .java files were listed. The one that has the known vulnerability was not listed, for example.
Hello @malenalbc, thank you very much for reporting. We are currently working on improvements for the ruleset and the way Insider analyzes; meanwhile, we have the enterprise version with 2 free analyses if you want to check it out: https://console.insidersec.io/en/register.
Hello @omatron Thanks for your answer. Just tried the enterprise version and it didn't report the vulnerability either. Will check the tool back on next updates. Closing this.
@malenalbc Thank you for trying the enterprise version. It's very strange, because we have the rules for java.util.Random; we will investigate further.
The expected result is:
The application uses a predictable, therefore insecure, random number generator.
Instances of java.util.Random are not cryptographically secure. Consider instead using SecureRandom to get a cryptographically secure pseudo-random number generator for use by security-sensitive applications.
Thanks again for taking the time to evaluate!
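As an added illustration of the finding discussed in this thread (not Insider's code, and not the reporter's project), the script below is a stand-alone check that walks a source tree, includes both .java and .kt files, and reports lines that construct a java.util.Random, while leaving SecureRandom alone. The Kotlin object it scans is a constructed sample shaped like the case described above (a Kotlin `object` holding a java.util.Random); the file names, package name and class name are assumptions made for the example.

```python
"""Stand-alone check for insecure java.util.Random usage in Java/Kotlin sources.

Hypothetical script written to illustrate the finding expected in this issue.
It is not Insider's rule engine and makes no claim about how Insider matches.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Both Android source languages are scanned; the report in the issue omitted
# some .kt files, so the suffixes are listed explicitly.
SOURCE_SUFFIXES = {".java", ".kt"}

IMPORT_RE = re.compile(r"^\s*import\s+java\.util\.Random\b", re.MULTILINE)
FQN_RE = re.compile(r"\bjava\.util\.Random\b")
# A bare `Random(` is ambiguous in Kotlin (kotlin.random.Random also exists and
# is not a CSPRNG either, but it is outside this rule), so the short form only
# counts when the file imports java.util.Random. The lookbehind keeps
# `SecureRandom(` from matching as `Random(`.
CTOR_RE = re.compile(r"(?<![\w.])(?:new\s+)?Random\s*\(")
SECURE_RE = re.compile(r"\bSecureRandom\b")


def scan_source(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for each java.util.Random construction."""
    findings: List[Tuple[int, str]] = []
    imports_java_random = IMPORT_RE.search(text) is not None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if SECURE_RE.search(line):
            continue  # SecureRandom on this line is the recommended replacement
        if FQN_RE.search(line) and not line.lstrip().startswith("import"):
            findings.append((lineno, line.strip()))  # fully qualified use
        elif imports_java_random and CTOR_RE.search(line):
            findings.append((lineno, line.strip()))  # short name after import
    return findings


def scan_tree(root: Path) -> Dict[str, List[Tuple[int, str]]]:
    """Scan every .java/.kt file under root; map relative path -> findings."""
    results: Dict[str, List[Tuple[int, str]]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path.relative_to(root))] = hits
    return results


# Constructed sample (assumed names): a Kotlin object backed by java.util.Random.
VULNERABLE_KT = """\
package com.example.lib

import java.util.Random

object TokenGenerator {
    private val rng = Random()

    fun nextToken(): String = rng.nextInt(Int.MAX_VALUE).toString(16)
}
"""

# Constructed hardened counterpart using SecureRandom, as the rule text advises.
HARDENED_KT = """\
package com.example.lib

import java.security.SecureRandom

object TokenGenerator {
    private val rng = SecureRandom()

    fun nextToken(): String {
        val bytes = ByteArray(16)
        rng.nextBytes(bytes)
        return bytes.joinToString("") { "%02x".format(it) }
    }
}
"""


def demo() -> Dict[str, List[Tuple[int, str]]]:
    """Write both samples into a temp tree and scan it; only the vulnerable file hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "insecure").mkdir()
        (root / "secure").mkdir()
        (root / "insecure" / "TokenGenerator.kt").write_text(VULNERABLE_KT)
        (root / "secure" / "TokenGenerator.kt").write_text(HARDENED_KT)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in demo().items():
        for lineno, line in hits:
            print(f"{rel}:{lineno}: predictable java.util.Random: {line}")
```

Running the script prints one finding for the insecure Kotlin object and none for the SecureRandom variant; pointing `scan_tree` at a real library checkout is a quick way to confirm whether a file a scanner skipped actually contains the pattern.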