Commit 210dcb18 authored by David Dias's avatar David Dias Committed by Pierre Smeyers

feat: add mobsfscan support (SAST)

parent 2dcd3637
+15 −6
@@ -52,19 +52,28 @@ The MobSF template uses some global configuration used throughout all jobs.

Only one of the `mobsf-app-scan` and `mobsf-app-scan-service` jobs is launched depending on whenever the `MOBSF_CLIENT_IMAGE` and `MOBSF_API_KEY` are set.

### `mobsf-on-server` job
### `mobsf-pkg-xxx` jobs

It uploads the packaged mobile application (APK or IPA) to the MobSF server described by variables, requests a scan and gets the report.
Depending on whether the `server-url` / `MOBSF_SERVER_URL` configuration is set or not, 
the template will run a scan of your application package (APK or IPA), either locally (`mobsf-pkg-local` job) or remotely (`mobsf-pkg-remote` job).

It is bound to the `package-test` stage.
Both use the [official Docker image](https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/), and are bound to the `package-test` stage.

### `mobsf-code` Job

### `mobsf-local` job
This job performs static analysis of the application's source code using the [mobsfscan](https://github.com/MobSF/mobsfscan) tool.

It runs a scan on a local MobSF server using the [official Docker image](https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/).
It has the following variables:

It is bound to the `package-test` stage.
| Input / Variable                  | Description                                                      | Default value             |
| ------------------------- | ---------------------------------------------------------------- | ------------------------- |
| `sources-scan-disabled`   | Disables the job if set to `true`                              | `false`                 |
| `sources-folder`          | Path to the source code folder to analyze                        | `.` (project root)      |
| `code-image`/ `MOBSF_CODE_IMAGE`           | the Docker image used to run mobsfscan command                        | `docker.io/opensecurity/mobsfscan:latest`      |

This job can be enabled or disabled based on the `sources-scan-disabled` variable. The source folder path can be customized via `sources-folder`.

It is bound to the `package-test` stage.

### Secrets management

+20 −0
@@ -26,5 +26,25 @@
      "description": "Application package file (APK or IPA)",
      "mandatory": true
    }
  ],
  "features": [
    {
      "id":"mobsfscan",
      "name":"mobsfscan",
      "description":"This job performs static analysis of the application's source code using the [mobsfscan](https://github.com/MobSF/mobsfscan) tool.",
      "disable_with": "MOBSF_SOURCES_SCAN_DISABLED",
      "variables": [
        {
          "name": "MOBSF_SOURCES_FOLDER",
          "description": "Path to the source code folder to analyze",
          "default": "."
        },
        {
          "name": "MOBSF_CODE_IMAGE",
          "description": "the Docker image used to run mobsfscan command",
          "default": "docker.io/opensecurity/mobsfscan:latest"
        }
      ]
    }
  ]
}
+45 −6
@@ -25,6 +25,17 @@ spec:
    app-file:
      description: Application package file (APK or IPA)
      default: ''
    sources-folder:
      description: Application source folder (APK or IPA)
      default: '.'
    sources-scan-disabled:
      description: Enable scan of sources
      type: boolean
      default: false
    code-image:
      description: The Docker image used to run mobsfscan
      default: docker.io/opensecurity/mobsfscan:latest

---
workflow:
  rules:
@@ -74,6 +85,8 @@ variables:
  MOBSF_APP_FILE: $[[ inputs.app-file ]]
  # Default Docker image (use a public image - can be overridden)
  MOBSF_CLIENT_IMAGE: $[[ inputs.client-image ]]
  MOBSF_SOURCES_FOLDER: $[[ inputs.sources-folder ]]
  MOBSF_SOURCES_SCAN_DISABLED: $[[ inputs.sources-scan-disabled ]]

  # Maximum allowed duration for a scan
  MOBSF_SCAN_TIMEOUT: 500
@@ -83,6 +96,8 @@ variables:
  # default integration ref name (pattern)
  INTEG_REF: /^develop$/

  MOBSF_CODE_IMAGE: $[[ inputs.code-image ]]

stages:
  - build
  - test
@@ -360,11 +375,11 @@ stages:
    do
      sleep 1
      wait_time=$((wait_time + 1))
      ret=$(curl -s -X POST --url "${MOBSF_SERVER_URL}/api/v1/report_json" --data "hash=${hash}" -H "Authorization: ${MOBSF_API_KEY}" -o ./reports/mobsf-report.json -w '%{http_code}')
      ret=$(curl -s -X POST --url "${MOBSF_SERVER_URL}/api/v1/report_json" --data "hash=${hash}" -H "Authorization: ${MOBSF_API_KEY}" -o ./reports/mobsf-pkg.native.json -w '%{http_code}')
    done

    # Get the PDF report
    ret=$(curl -s -X POST --url "${MOBSF_SERVER_URL}/api/v1/download_pdf" --data "hash=${hash}" -H "Authorization: ${MOBSF_API_KEY}" -o ./reports/mobsf-report.pdf -w '%{http_code}')
    ret=$(curl -s -X POST --url "${MOBSF_SERVER_URL}/api/v1/download_pdf" --data "hash=${hash}" -H "Authorization: ${MOBSF_API_KEY}" -o ./reports/mobsf-pkg.native.pdf -w '%{http_code}')
  }

  unscope_variables
@@ -384,7 +399,7 @@ stages:
    - mkdir -p -m 777 reports

# scan a packaged app (APK or IPA) on an external instance
mobsf-on-server:
mobsf-pkg-remote:
  extends: .mobsf-base
  stage: package-test
  script:
@@ -393,14 +408,14 @@ mobsf-on-server:
  artifacts:
    when: always
    paths:
      - "reports/mobsf-report.*"
      - "reports/mobsf-pkg.native.*"
  rules:
    - if: $MOBSF_API_KEY == null || $MOBSF_SERVER_URL == null
      when: never
    - !reference [.test-policy, rules]

# scan a packaged app (APK or IPA) with a generated instance
mobsf-local:
mobsf-pkg-local:
  extends: .mobsf-base
  stage: package-test
  services:
@@ -416,8 +431,32 @@ mobsf-local:
  artifacts:
    when: always
    paths:
      - "reports/mobsf-report.*"
      - "reports/mobsf-pkg.native.*"
  rules:
    - if: $MOBSF_API_KEY || $MOBSF_SERVER_URL
      when: never
    - !reference [.test-policy, rules]

mobsf-code:
  extends: .mobsf-base
  stage: package-test
  image: 
    name: $MOBSF_CODE_IMAGE
    entrypoint: [""]
  script:
    - log_info "Scanning folder \\e[33;1m${MOBSF_SOURCES_FOLDER}\\e[0m"
    - |
      mkdir -p -m 777 reports
      if [[ "$DEFECTDOJO_MOBSFSCAN_REPORTS" ]]
      then
        mobsfscan ${MOBSF_SOURCES_FOLDER} --json -o reports/mobsf-code.native.json || true
      fi
    - mobsfscan ${MOBSF_SOURCES_FOLDER}
  artifacts:
    when: always
    paths:
      - "reports/mobsf-code.native.json"
  rules:
    - if: '$MOBSF_SOURCES_SCAN_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]
 No newline at end of file
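Review bot: In the `mobsf-code` job of the last hunk, `${MOBSF_SOURCES_FOLDER}` is passed to both `mobsfscan` calls unquoted, so a folder name containing spaces or glob characters is split into several arguments, and the JSON report is written only when `DEFECTDOJO_MOBSFSCAN_REPORTS` is set although `reports/mobsf-code.native.json` is declared as an unconditional artifact, so every other pipeline ends with an artifact-not-found warning and keeps no machine-readable result. Always producing the report removes the guard: `mkdir -p -m 777 reports`, `mobsfscan "${MOBSF_SOURCES_FOLDER}" --json -o reports/mobsf-code.native.json || true`, then `mobsfscan "${MOBSF_SOURCES_FOLDER}"` as the run whose exit code decides the job; the tool is still run twice (once for the file, once for console output), which presumably doubles scan time on large trees unless a single invocation can emit both. `code-image` defaults to the floating `docker.io/opensecurity/mobsfscan:latest` tag, so findings are not reproducible from one run to the next; a pinned version or digest in the default is worth considering for a scanner image. In the first hunk of this file the `sources-folder` description `Application source folder (APK or IPA)` is copied from `app-file`, and `sources-scan-disabled` is described as `Enable scan of sources` while it disables the scan; `Path to the source code folder to analyze` and `Disables the source code scan if set to true` match the README and kicker.json wording. `image: ` in `mobsf-code` also carries a trailing space.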