Commit a9bf0889 authored by Pierre Smeyers's avatar Pierre Smeyers
Browse files

Merge branch 'mobsfscan' into 'master' 

Add mobsfscan job

Closes #13

See merge request to-be-continuous/mobsf!48
parents 2dcd3637 210dcb18

README.md

+15 −6
Original line number Diff line number Diff line
@@ -52,19 +52,28 @@ The MobSF template uses some global configuration used throughout all jobs. 


Only one of the `mobsf-app-scan` and `mobsf-app-scan-service` jobs is launched depending on whenever the `MOBSF_CLIENT_IMAGE` and `MOBSF_API_KEY` are set.



### `mobsf-on-server` job

### `mobsf-pkg-xxx` jobs



It uploads the packaged mobile application (APK or IPA) to the MobSF server described by variables, requests a scan and gets the report.

Depending on whether the `server-url` / `MOBSF_SERVER_URL` configuration is set or not, 

the template will run a scan of your application package (APK or IPA), either locally (`mobsf-pkg-local` job) or remotely (`mobsf-pkg-remote` job).



It is bound to the `package-test` stage.

Both use the [official Docker image](https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/), and are bound to the `package-test` stage.



### `mobsf-code` Job



### `mobsf-local` job

This job performs static analysis of the application's source code using the [mobsfscan](https://github.com/MobSF/mobsfscan) tool.



It runs a scan on a local MobSF server using the [official Docker image](https://hub.docker.com/r/opensecurity/mobile-security-framework-mobsf/).

It has the following variables:



It is bound to the `package-test` stage.

| Input / Variable                  | Description                                                      | Default value             |

| ------------------------- | ---------------------------------------------------------------- | ------------------------- |

| `sources-scan-disabled`   | Disables the job if set to `true`                              | `false`                 |

| `sources-folder`          | Path to the source code folder to analyze                        | `.` (project root)      |

| `code-image`/ `MOBSF_CODE_IMAGE`           | the Docker image used to run mobsfscan command                        | `docker.io/opensecurity/mobsfscan:latest`      |



This job can be enabled or disabled based on the `sources-scan-disabled` variable. The source folder path can be customized via `sources-folder`.



It is bound to the `package-test` stage.



### Secrets management

kicker.json

+20 −0
Original line number Diff line number Diff line
@@ -26,5 +26,25 @@ 
      "description": "Application package file (APK or IPA)",

      "mandatory": true

    }

  ],

  "features": [

    {

      "id":"mobsfscan",

      "name":"mobsfscan",

      "description":"This job performs static analysis of the application's source code using the [mobsfscan](https://github.com/MobSF/mobsfscan) tool.",

      "disable_with": "MOBSF_SOURCES_SCAN_DISABLED",

      "variables": [

        {

          "name": "MOBSF_SOURCES_FOLDER",

          "description": "Path to the source code folder to analyze",

          "default": "."

        },

        {

          "name": "MOBSF_CODE_IMAGE",

          "description": "the Docker image used to run mobsfscan command",

          "default": "docker.io/opensecurity/mobsfscan:latest"

        }

      ]

    }

  ]

}

templates/gitlab-ci-mobsf.yml

+45 −6
Original line number Diff line number Diff line
@@ -25,6 +25,17 @@ spec: 
    app-file:

      description: Application package file (APK or IPA)

      default: ''

    sources-folder:

      description: Application source folder (APK or IPA)

      default: '.'

    sources-scan-disabled:

      description: Enable scan of sources

      type: boolean

      default: false

    code-image:

      description: The Docker image used to run mobsfscan

      default: docker.io/opensecurity/mobsfscan:latest



---

workflow:

  rules:
@@ -74,6 +85,8 @@ variables: 
  MOBSF_APP_FILE: $[[ inputs.app-file ]]

  # Default Docker image (use a public image - can be overridden)

  MOBSF_CLIENT_IMAGE: $[[ inputs.client-image ]]

  MOBSF_SOURCES_FOLDER: $[[ inputs.sources-folder ]]

  MOBSF_SOURCES_SCAN_DISABLED: $[[ inputs.sources-scan-disabled ]]



  # Maximum allowed duration for a scan

  MOBSF_SCAN_TIMEOUT: 500
@@ -83,6 +96,8 @@ variables: 
  # default integration ref name (pattern)

  INTEG_REF: /^develop$/



  MOBSF_CODE_IMAGE: $[[ inputs.code-image ]]



stages:

  - build

  - test
@@ -360,11 +375,11 @@ stages: 
    do

      sleep 1

      wait_time=$((wait_time + 1))

      ret=$(curl -s -X POST --url "${MOBSF_SERVER_URL}/api/v1/report_json" --data "hash=${hash}" -H "Authorization: ${MOBSF_API_KEY}" -o ./reports/mobsf-report.json -w '%{http_code}')

      ret=$(curl -s -X POST --url "${MOBSF_SERVER_URL}/api/v1/report_json" --data "hash=${hash}" -H "Authorization: ${MOBSF_API_KEY}" -o ./reports/mobsf-pkg.native.json -w '%{http_code}')

    done



    # Get the PDF report

    ret=$(curl -s -X POST --url "${MOBSF_SERVER_URL}/api/v1/download_pdf" --data "hash=${hash}" -H "Authorization: ${MOBSF_API_KEY}" -o ./reports/mobsf-report.pdf -w '%{http_code}')

    ret=$(curl -s -X POST --url "${MOBSF_SERVER_URL}/api/v1/download_pdf" --data "hash=${hash}" -H "Authorization: ${MOBSF_API_KEY}" -o ./reports/mobsf-pkg.native.pdf -w '%{http_code}')

  }



  unscope_variables
@@ -384,7 +399,7 @@ stages: 
    - mkdir -p -m 777 reports



# scan a packaged app (APK or IPA) on an external instance

mobsf-on-server:

mobsf-pkg-remote:

  extends: .mobsf-base

  stage: package-test

  script:
@@ -393,14 +408,14 @@ mobsf-on-server: 
  artifacts:

    when: always

    paths:

      - "reports/mobsf-report.*"

      - "reports/mobsf-pkg.native.*"

  rules:

    - if: $MOBSF_API_KEY == null || $MOBSF_SERVER_URL == null

      when: never

    - !reference [.test-policy, rules]



# scan a packaged app (APK or IPA) with a generated instance

mobsf-local:

mobsf-pkg-local:

  extends: .mobsf-base

  stage: package-test

  services:
@@ -416,8 +431,32 @@ mobsf-local: 
  artifacts:

    when: always

    paths:

      - "reports/mobsf-report.*"

      - "reports/mobsf-pkg.native.*"

  rules:

    - if: $MOBSF_API_KEY || $MOBSF_SERVER_URL

      when: never

    - !reference [.test-policy, rules]



mobsf-code:

  extends: .mobsf-base

  stage: package-test

  image: 

    name: $MOBSF_CODE_IMAGE

    entrypoint: [""]

  script:

    - log_info "Scanning folder \\e[33;1m${MOBSF_SOURCES_FOLDER}\\e[0m"

    - |

      mkdir -p -m 777 reports

      if [[ "$DEFECTDOJO_MOBSFSCAN_REPORTS" ]]

      then

        mobsfscan ${MOBSF_SOURCES_FOLDER} --json -o reports/mobsf-code.native.json || true

      fi

    - mobsfscan ${MOBSF_SOURCES_FOLDER}

  artifacts:

    when: always

    paths:

      - "reports/mobsf-code.native.json"

  rules:

    - if: '$MOBSF_SOURCES_SCAN_DISABLED == "true"'

      when: never

    - !reference [.test-policy, rules]
 
 No newline at end of file