Commit 7240606d authored by Cédric OLIVIER's avatar Cédric OLIVIER

feat: add ephemeral instance scan

parent 61b5d0c7
+15 −12
@@ -21,25 +21,28 @@ include:
The MobSF template uses some global configuration used throughout all jobs.

| Name                   | description                                                | default value                                  |
| ------------------------ | ----------------------------------------------------------- | ---------------------------------------------- |
| ---------------------- | ---------------------------------------------------------- | ---------------------------------------------- |
| `MOBSF_CLIENT_IMAGE`   | The Docker image used to send requests to the MobSF server | `kekel87/alpine-curl-jq-bash-coreutils:latest` |
| `MOBSF_SERVER_URL`       | URL of MobSF server                                         | _(none)_                                       |
| :lock: `MOBSF_API_KEY`   | API key of the MobSF server                                 | _(none)_                                       |

| `MOBSF_APP_FILE`       | Application package file (APK or IPA)                      | _none_                                         |
| `MOBSF_SERVER_URL`     | URL of MobSF server                                        | _none_ (runs the scan on a local server)       |
| :lock: `MOBSF_API_KEY` | API key of the MobSF server                                | _none_ (runs the scan on a local server)       |

## Jobs

Only one of the `mobsf-app-scan` and `mobsf-app-scan-service` jobs is launched depending on whenever the `MOBSF_CLIENT_IMAGE` and `MOBSF_API_KEY` are set.

### `mobsf-on-server` job

### `mobsf-app-scan` job
It uploads the packaged mobile application (APK or IPA) to the MobSF server described by variables, requests a scan and gets the report.

This job uploads the packaged mobile application (APK or IPA) to the MobSF server, requests a scan and gets the report.
It is bound to the `package-test` stage.

It is bound to the `package-test` stage, and uses the following variables:

| Name                      | description                               | default value                  |
| ------------------------- | ----------------------------------------- | ------------------------------ |
| `MOBSF_APP_FILE`          | Application package file (APK or IPA)     | _(none)_                       |
### `mobsf-local` job

It runs a scan on a local MobSF server using the [official Docker image](https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/).

It is bound to the `package-test` stage.


### Secrets management
+2 −2
@@ -12,12 +12,12 @@
    {
      "name": "MOBSF_SERVER_URL",
      "description": "URL of MobSF server",
      "mandatory": true
      "mandatory": false
    },
    {
      "name": "MOBSF_API_KEY",
      "description": "API key of the MobSF server",
      "secret": true
      "secret": false
    },
    {
      "name": "MOBSF_APP_FILE",
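Review bot: Changing `"secret": true` to `"secret": false` on `MOBSF_API_KEY` looks like a regression rather than part of the feature: when the variable is set it is still the credential for an external MobSF server, and the template's own variable table keeps the `:lock:` marker on it, so tooling driven by this descriptor would stop asking for a masked/protected variable. What the ephemeral-instance mode needs is for the key to become optional, not non-secret; keep `"secret": true` and express optionality the same way as the entry above, `"mandatory": false`, if the descriptor schema allows both. The enclosing variable array starts and ends outside this hunk.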
+55 −6
@@ -28,7 +28,6 @@ variables:

# allowed stages depend on your template type (see: orange-opensource.gitlab.io/tbc/doc/dev-guidelines/#stages)
stages:
  - test
  - package-test

.mobsf-scripts: &mobsf-scripts |
@@ -96,6 +95,26 @@ stages:
    fi
  }

  function wait_for_service() {
    fqdn=$1
    port=$2
    wait_limit=${3:-60}

    result=1
    counter=0

    set +e
    while [[ $result -eq 1 && $counter -le $wait_limit ]]; do
      nc -zv "$fqdn" "$port"
      result=$?
      sleep 1
      counter=$((counter + 1))
    done
    set -e

    return $result
  }

  function unscope_variables() {
    _scoped_vars=$(env | awk -F '=' "/^scoped__[a-zA-Z0-9_]+=/ {print \$1}" | sort)
    if [[ -z "$_scoped_vars" ]]; then return; fi
@@ -319,14 +338,11 @@ stages:
  before_script:
    - *mobsf-scripts
    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
    - assert_defined "${MOBSF_SERVER_URL}" 'Missing required MobSF server URL'
    - assert_defined "${MOBSF_API_KEY}" 'Missing required MobSF API key'
    - mkdir -p ./reports



# scan a packaged app (APK or IPA)
mobsf-app-scan:
# scan a packaged app (APK or IPA) on an external instance
mobsf-on-server:
  extends: .mobsf-base
  stage: package-test
  script:
@@ -340,8 +356,41 @@ mobsf-app-scan:
    # exclude merge requests
    - if: $CI_MERGE_REQUEST_ID
      when: never
    - if: $MOBSF_API_KEY == null || $MOBSF_SERVER_URL == null
      when: never
    # on production or integration branches:
    - if: '($CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF)'
    # else (development branches): allow failure
    - allow_failure: true

# scan a packaged app (APK or IPA) with a generated instance
mobsf-local:
  extends: .mobsf-base
  stage: package-test
  services:
    - name: opensecurity/mobile-security-framework-mobsf:latest
      alias: mobsf
  script:
    - assert_defined "${MOBSF_APP_FILE}" 'Missing required MobSF application file'
    - wait_for_service mobsf 8000
    - mobsf_scan ${MOBSF_APP_FILE}
  artifacts:
    when: always
    paths:
      - ./reports/
  rules:
    # exclude merge requests
    - if: $CI_MERGE_REQUEST_ID
      when: never
    - if: $MOBSF_API_KEY || $MOBSF_SERVER_URL
      when: never
    # on production or integration branches:
    - if: '($CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF)'
      variables:
        MOBSF_API_KEY: "apiKey"
        MOBSF_SERVER_URL: "http://mobsf:8000"
    # else (development branches): allow failure
    - allow_failure: true
      variables:
        MOBSF_API_KEY: "apiKey"
        MOBSF_SERVER_URL: "http://mobsf:8000"
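Review bot: The new `mobsf-local` job pulls `opensecurity/mobile-security-framework-mobsf:latest`, so every pipeline runs whatever the registry currently serves under that moving tag; scan results are not reproducible and the scanner itself becomes an unpinned supply-chain input. Pin a released version, ideally by digest, and expose it as a variable so users can bump it deliberately, e.g. `- name: opensecurity/mobile-security-framework-mobsf:${MOBSF_SERVER_VERSION}` with a documented default. The static `MOBSF_API_KEY: "apiKey"` in the rule variables presumably reaches the service container as its configured API key; that is only acceptable because `mobsf` is reachable solely from this job's network, which deserves a comment such as `# static key: the service is only reachable from inside this job`. Separately, `wait_for_service` keeps polling only while `nc` exits with exactly 1, so any other non-zero status (missing `nc`, name-resolution failure) leaves the loop on the first iteration; `while [[ $result -ne 0 && $counter -le $wait_limit ]]; do` would retry those as well. `.mobsf-base` and `mobsf_scan` are defined outside the hunks shown.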