mobsf / mobsfscan

mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and libsast pattern matcher.

License: GNU Lesser General Public License v3.0

mobsfscan's Introduction

mobsfscan

mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Android XML, Swift and Objective C Code. mobsfscan uses MobSF static analysis rules and is powered by semgrep and libsast pattern matcher.

Support mobsfscan

Donate to MobSF

If you liked mobsfscan and find it useful, please consider donating.

e-Learning Courses & Certifications

MobSF Course Automated Mobile Application Security Assessment with MobSF -MAS

Android Security Tools Course Android Security Tools Expert -ATX

Installation

pip install mobsfscan

Requires Python 3.7+

Command Line Options

$ mobsfscan
usage: mobsfscan [-h] [--json] [--sarif] [--sonarqube] [--html] [--type {android,ios,auto}] [-o OUTPUT] [-c CONFIG] [-w] [--no-fail] [-v] [path ...]

positional arguments:
  path                  Path can be file(s) or directories with source code

optional arguments:
  -h, --help            show this help message and exit
  --json                set output format as JSON
  --sarif               set output format as SARIF 2.1.0
  --sonarqube           set output format compatible with SonarQube
  --html                set output format as HTML
  --type {android,ios,auto}
                        optional: force android or ios rules explicitly
  -o OUTPUT, --output OUTPUT
                        output filename to save the result
  -c CONFIG, --config CONFIG
                        location to .mobsf config file
  -w, --exit-warning    non zero exit code on warning
  --no-fail             force zero exit code, takes precedence over --exit-warning
  -v, --version         show mobsfscan version

Example Usage

$ mobsfscan tests/assets/src/
- Pattern Match ████████████████████████████████████████████████████████████ 3
- Semantic Grep ██████ 37

mobsfscan: v0.3.0 | Ajin Abraham | opensecurity.in
╒══════════════╤════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╕
│ RULE ID      │ android_webview_ignore_ssl                                                                                                                             │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ DESCRIPTION  │ Insecure WebView Implementation. WebView ignores SSL Certificate errors and accept any SSL Certificate. This application is vulnerable to MITM attacks │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ TYPE         │ RegexAnd                                                                                                                                               │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ PATTERN      │ ['onReceivedSslError\\(WebView', '\\.proceed\\(\\);']                                                                                                  │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ SEVERITY     │ ERROR                                                                                                                                                   │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ INPUTCASE    │ exact                                                                                                                                                  │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CVSS         │ 7.4                                                                                                                                                    │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ CWE          │ CWE-295 Improper Certificate Validation                                                                                                                │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ OWASP-MOBILE │ M3: Insecure Communication                                                                                                                             │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ MASVS        │ MSTG-NETWORK-3                                                                                                                                         │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ REF          │ https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification                │
├──────────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ FILES        │ ╒════════════════╤═════════════════════════════════════════════════════════════════════════════════════════════╕                                       │
│              │ │ File           │ ../test_files/android_src/app/src/main/java/opensecurity/webviewignoressl/MainActivity.java │                                       │
│              │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│              │ │ Match Position │ 1480 - 1491                                                                                 │                                       │
│              │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│              │ │ Line Number(s) │ 50                                                                                          │                                       │
│              │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│              │ │ Match String   │ .proceed();                                                                                 │                                       │
│              │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│              │ │ File           │ ../test_files/android_src/app/src/main/java/opensecurity/webviewignoressl/MainActivity.java │                                       │
│              │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│              │ │ Match Position │ 1331 - 1357                                                                                 │                                       │
│              │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│              │ │ Line Number(s) │ 46                                                                                          │                                       │
│              │ ├────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────┤                                       │
│              │ │ Match String   │ onReceivedSslError(WebView                                                                  │                                       │
│              │ ╘════════════════╧═════════════════════════════════════════════════════════════════════════════════════════════╛                                       │
╘══════════════╧════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╛
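
How a two-pattern rule like the one in this output behaves, as an added example that is not mobsfscan or libsast code. `regex_and` is a hypothetical helper that assumes a RegexAnd rule fires only when every pattern matches somewhere in the same file; the Java snippets are constructed.

```python
import re

# Patterns copied from the PATTERN row of the sample output above.
PATTERNS = [r'onReceivedSslError\(WebView', r'\.proceed\(\);']

# Constructed sample: a WebViewClient that accepts every certificate.
VULNERABLE = '''\
webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();
    }
});
'''

# Constructed sample: the handler rejects the connection instead.
HARDENED = '''\
webView.setWebViewClient(new WebViewClient() {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.cancel();
    }
});
'''

# Constructed sample: the TLS handler is safe, but an unrelated .proceed();
# elsewhere in the file still satisfies the second pattern.
CO_OCCURRENCE = HARDENED + 'checkoutWizard.proceed();\n'


def regex_and(source, patterns):
    """Return one hit per regex match, but only if every pattern matches.

    Assumed semantics: all patterns must be present in the same file,
    otherwise nothing is reported. Matching is textual, so the patterns
    do not have to occur in the same method.
    """
    hits = []
    for pattern in patterns:
        found = list(re.finditer(pattern, source))
        if not found:
            return []  # one pattern missing, so the rule does not fire
        for m in found:
            hits.append({
                # Character offsets into the file, like "Match Position".
                'match_position': (m.start(), m.end()),
                # 1-based line numbers, like "Line Number(s)".
                'match_lines': (source.count('\n', 0, m.start()) + 1,
                                source.count('\n', 0, m.end()) + 1),
                'match_string': m.group(0),
            })
    return hits


if __name__ == '__main__':
    for name, src in [('vulnerable', VULNERABLE), ('hardened', HARDENED),
                      ('co-occurrence', CO_OCCURRENCE)]:
        print(name, regex_and(src, PATTERNS))
```

The third sample is why a hit from a regex rule still needs a look at the flagged lines before it is fixed or suppressed.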

Python API

>>> from mobsfscan.mobsfscan import MobSFScan
>>> src = 'tests/assets/src/java/java_vuln.java'
>>> scanner = MobSFScan([src], json=True)
>>> scanner.scan()
{
    'results': {
        'android_logging': {
            'files': [{
                'file_path': 'tests/assets/src/java/java_vuln.java',
                'match_position': (13, 73),
                'match_lines': (19, 19),
                'match_string': '            Log.d("htbridge", "getAllRecords(): " + records.toString());'
            }],
            'metadata': {
                'cwe': 'CWE-532 Insertion of Sensitive Information into Log File',
                'owasp-mobile': 'M1: Improper Platform Usage',
                'masvs': 'MSTG-STORAGE-3',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs',
                'description': 'The App logs information. Please ensure that sensitive information is never logged.',
                'severity': 'INFO'
            }
        },
        'android_certificate_pinning': {
            'metadata': {
                'cwe': 'CWE-295 Improper Certificate Validation',
                'owasp-mobile': 'M3: Insecure Communication',
                'masvs': 'MSTG-NETWORK-4',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4',
                'description': 'This App does not use TLS/SSL certificate or public key pinning to detect or prevent MITM attacks in secure communication channel.',
                'severity': 'INFO'
            }
        },
        'android_root_detection': {
            'metadata': {
                'cwe': 'CWE-919 - Weaknesses in Mobile Applications',
                'owasp-mobile': 'M8: Code Tampering',
                'masvs': 'MSTG-RESILIENCE-1',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1',
                'description': 'This App does not have root detection capabilities. Running a sensitive application on a rooted device questions the device integrity and affects users data.',
                'severity': 'INFO'
            }
        },
        'android_prevent_screenshot': {
            'metadata': {
                'cwe': 'CWE-200 Information Exposure',
                'owasp-mobile': 'M2: Insecure Data Storage',
                'masvs': 'MSTG-STORAGE-9',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#finding-sensitive-information-in-auto-generated-screenshots-mstg-storage-9',
                'description': 'This App does not have capabilities to prevent against Screenshots from Recent Task History/ Now On Tap etc.',
                'severity': 'INFO'
            }
        },
        'android_safetynet_api': {
            'metadata': {
                'cwe': 'CWE-353 Missing Support for Integrity Check',
                'owasp-mobile': 'M8: Code Tampering',
                'masvs': 'MSTG-RESILIENCE-1',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1',
                'description': "This App does not uses SafetyNet Attestation API that provides cryptographically-signed attestation, assessing the device's integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device. ",
                'severity': 'INFO'
            }
        },
        'android_detect_tapjacking': {
            'metadata': {
                'cwe': 'CWE-200 Information Exposure',
                'owasp-mobile': 'M1: Improper Platform Usage',
                'masvs': 'MSTG-PLATFORM-9',
                'reference': 'https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-for-overlay-attacks-mstg-platform-9',
                'description': "This app does not has capabilities to prevent tapjacking attacks. An attacker can hijack the user's taps and tricks him into performing some critical operations that he did not intend to.",
                'severity': 'INFO'
            }
        }
    },
    'errors': []
}
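
A CI gate over a report of the shape shown above, as an added example that is not part of mobsfscan. `findings` and `gate` are hypothetical helpers, the sample report is constructed from rule ids on this page, and the exit policy is an assumption modelled on the `--exit-warning` and `--no-fail` descriptions rather than the tool's own logic.

```python
from collections import Counter

# Constructed sample in the shape scan() returns above. Rule ids, the file
# paths and the severities appear on this page; the report itself is made up.
SAMPLE_REPORT = {
    'results': {
        'android_webview_ignore_ssl': {
            'files': [{
                'file_path': '../test_files/android_src/app/src/main/java/'
                             'opensecurity/webviewignoressl/MainActivity.java',
                'match_position': (1480, 1491),
                'match_lines': (50, 50),
                'match_string': '.proceed();',
            }],
            'metadata': {'severity': 'ERROR',
                         'cwe': 'CWE-295 Improper Certificate Validation'},
        },
        'android_logging': {
            'files': [{
                'file_path': 'tests/assets/src/java/java_vuln.java',
                'match_position': (13, 73),
                'match_lines': (19, 19),
                'match_string': 'Log.d("htbridge", "getAllRecords(): " + records.toString());',
            }],
            'metadata': {'severity': 'INFO'},
        },
        # No 'files' key: the rule reports a control the scan did not find.
        'android_certificate_pinning': {
            'metadata': {'severity': 'INFO'},
        },
    },
    'errors': [],
}


def findings(report):
    """Flatten the report into rows, sorted by rule id."""
    rows = []
    for rule_id, finding in sorted(report.get('results', {}).items()):
        files = finding.get('files', [])
        rows.append({
            'rule_id': rule_id,
            'severity': finding.get('metadata', {}).get('severity', 'UNKNOWN'),
            # Entries with file matches point at code; entries without them
            # describe something absent from the whole code base.
            'kind': 'code-match' if files else 'missing-control',
            'locations': [(f['file_path'], f['match_lines'][0]) for f in files],
        })
    return rows


def gate(report, exit_warning=False, no_fail=False):
    """Return an exit code for the pipeline (policy assumed for this example).

    2: the scan reported errors, so the result is incomplete
    1: an ERROR finding, or a WARNING finding when exit_warning is set
    0: otherwise, and always when no_fail is set and the scan completed
    """
    if report.get('errors'):
        return 2
    if no_fail:
        return 0
    by_severity = Counter(row['severity'] for row in findings(report))
    if by_severity['ERROR']:
        return 1
    if exit_warning and by_severity['WARNING']:
        return 1
    return 0


if __name__ == '__main__':
    for row in findings(SAMPLE_REPORT):
        print(row['severity'], row['kind'], row['rule_id'], row['locations'])
    print('exit code:', gate(SAMPLE_REPORT))
```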

Configure mobsfscan

A .mobsf file in the root of the source code directory allows you to configure mobsfscan. You can also point to a custom .mobsf file with the --config argument.

---
- ignore-filenames:
  - skip.java

  ignore-paths:
  - __MACOSX
  - skip_dir

  ignore-rules:
  - android_kotlin_logging
  - android_safetynet_api
  - android_prevent_screenshot
  - android_detect_tapjacking
  - android_certificate_pinning
  - android_root_detection
  - android_certificate_transparency

  severity-filter:
  - WARNING
  - ERROR

Suppress Findings

You can suppress findings from source files by adding the comment // mobsf-ignore: rule_id1, rule_id2 to the line that triggers the findings.

Example:

String password = "strong password"; // mobsf-ignore: hardcoded_password
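
An inventory of inline suppressions for code review, as an added example that is not mobsfscan code. The comment parser, the sample sources and the `approved` set are constructed for this example; only the `// mobsf-ignore:` comment format and the rule ids come from this page.

```python
import re
from collections import defaultdict

# Parser written for this example: "// mobsf-ignore:" followed by one or more
# comma-separated rule ids. Free text after the ids is not treated as an id.
IGNORE_RE = re.compile(
    r'//\s*mobsf-ignore:\s*(?P<ids>[\w-]+(?:\s*,\s*[\w-]+)*)')

# Constructed sample sources, keyed by a made-up file name.
SOURCES = {
    'Login.java': (
        'class Login {\n'
        '    String password = "strong password"; // mobsf-ignore: hardcoded_password\n'
        '}\n'
    ),
    'Dump.kt': (
        'fun dump(records: List<String>) {\n'
        '    Log.d("app", records.toString()) '
        '// mobsf-ignore: android_kotlin_logging, android_logging\n'
        '}\n'
    ),
}


def inline_suppressions(source):
    """Return [(line_number, [rule_id, ...])] for each suppression comment."""
    found = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = IGNORE_RE.search(line)
        if match:
            ids = [part.strip() for part in match.group('ids').split(',')]
            found.append((line_no, ids))
    return found


def suppressions_by_rule(sources):
    """Map each suppressed rule id to the (path, line) pairs that silence it."""
    by_rule = defaultdict(list)
    for path, source in sorted(sources.items()):
        for line_no, rule_ids in inline_suppressions(source):
            for rule_id in rule_ids:
                by_rule[rule_id].append((path, line_no))
    return dict(by_rule)


def unapproved(by_rule, approved):
    """Keep only suppressions for rules a reviewer has not signed off on."""
    return {rule: locs for rule, locs in by_rule.items()
            if rule not in approved}


if __name__ == '__main__':
    inventory = suppressions_by_rule(SOURCES)
    # Hypothetical allow-list agreed in review.
    approved = {'android_kotlin_logging', 'android_logging'}
    for rule, locations in sorted(unapproved(inventory, approved).items()):
        print(rule, locations)
```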

CI/CD Integrations

You can enable mobsfscan in your CI/CD or DevSecOps pipelines.

Github Action

Add the following to the file .github/workflows/mobsfscan.yml.

name: mobsfscan

on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: mobsfscan
      uses: MobSF/mobsfscan@main
      with:
        args: '. --json'

Example: pivaa with mobsfscan github action

Github Code Scanning Integration

Add the following to the file .github/workflows/mobsfscan_sarif.yml.

name: mobsfscan sarif
on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]

jobs:
  mobsfscan:
    runs-on: ubuntu-latest
    name: mobsfscan code scanning
    steps:
    - name: Checkout the code
      uses: actions/checkout@v2
    - name: mobsfscan
      uses: MobSF/mobsfscan@main
      with:
        args: '. --sarif --output results.sarif || true'
    - name: Upload mobsfscan report
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: results.sarif

mobsfscan github code scanning

Gitlab CI/CD

Add the following to the file .gitlab-ci.yml.

stages:
    - test
mobsfscan:
    image: python
    before_script:
        - pip3 install --upgrade mobsfscan
    script:
        - mobsfscan .

Example:

Travis CI

Add the following to the file .travis.yml.

language: python
install:
    - pip3 install --upgrade mobsfscan
script:
    - mobsfscan .

Circle CI

Add the following to the file .circleci/config.yaml

version: 2.1
jobs:
  mobsfscan:
    docker:
      - image: cimg/python:3.9.6
    steps:
      - checkout
      - run:
          name: Install mobsfscan
          command: pip install --upgrade mobsfscan
      - run:
          name: mobsfscan check
          command: mobsfscan .

Docker

Prebuilt image from DockerHub

docker pull opensecurity/mobsfscan
docker run -v /path-to-source-dir:/src opensecurity/mobsfscan /src

Build Locally

docker build -t mobsfscan .
docker run -v /path-to-source-dir:/src mobsfscan /src

mobsfscan's People

Contributors

ajinabraham, ansidorov, david-wiggs, geekmasher, lgtm-migrator, paulleclerc, rajpratik71, snyk-bot, streichsbaer, torque59

mobsfscan's Issues

Mac M1, scan android java file will throw error

Here is an error stack:
semgrep_main.main(
File "/opt/homebrew/lib/python3.9/site-packages/semgrep/semgrep_main.py", line 202, in main
) = CoreRunner(
File "/opt/homebrew/lib/python3.9/site-packages/semgrep/core_runner.py", line 346, in invoke_semgrep
) = self._run_rules_direct_to_semgrep_core(rules, target_manager, profiler)
File "/opt/homebrew/lib/python3.9/site-packages/semgrep/core_runner.py", line 291, in _run_rules_direct_to_semgrep_core
core_run = sub_run(cmd, stdout=subprocess.PIPE, stderr=stderr)
File "/opt/homebrew/lib/python3.9/site-packages/semgrep/util.py", line 130, in sub_run
result = subprocess.run(cmd, **kwargs) # nosem: python.lang.security.audit.dangerous-subprocess-use.dangerous-subprocess-use
File "/opt/homebrew/Cellar/python@3.9/3.9.7_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/subprocess.py", line 505, in run
with Popen(*popenargs, **kwargs) as process:
File "/opt/homebrew/Cellar/python@3.9/3.9.7_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/subprocess.py", line 951, in __init__
self._execute_child(args, executable, preexec_fn, close_fds,
File "/opt/homebrew/Cellar/python@3.9/3.9.7_1/Frameworks/Python.framework/Versions/3.9/lib/python3.9/subprocess.py", line 1821, in _execute_child
raise child_exception_type(errno_num, err_msg, err_filename)
OSError: [Errno 8] Exec format error: '/opt/homebrew/lib/python3.9/site-packages/semgrep/bin/semgrep-core'

Semantic Grep takes forever

I've noticed that my CI pipelines have been timing out for a few months already. The reason is that running mobsfscan against my Android repo takes forever, namely the semantic grep stage.

Pattern match is done quickly, but semantic grep just keeps going on and on. The counter increases indefinitely.

Cannot output the scan result to HTML file

I tried to output the scan results using the command line options described in README, but it didn't work.
If I try to output to HTML locally, I can see the same results in the terminal as when I run mobsfscan ..
If I try it on Circle CI, no file will be created and the result of the CI step execution also will be just as when I run mobsfscan ..
It would be great to be able to output to HTML file (or PDF file) on the CI tools using the command line.

html report without format

Hi

This is not an issue itself, it would be more a feature to add :). The html report generated doesn't seem to have styles or structure. It would be nice to create at least a table or something to make it more user friendly, ideally trying to mirror the format of the html report of mobsf itself.

mobsfscan doesn't work on Windows

Whenever trying to run mobsfscan on Windows (10) the Semantic Grep step fails with a traceback:

C:\src\audience-network\samples\android\AdUnitsSample\src\main\java\com\facebook\samples\AdUnitsSample>mobsfscan SampleListActivity.java
- Pattern Match ████████████████████████████████████████████████████████████ 1
- Semantic Grep  0
Traceback (most recent call last):
  File "c:\program files (x86)\python38-32\lib\runpy.py", line 192, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "c:\program files (x86)\python38-32\lib\runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "C:\Users\me\AppData\Roaming\Python\Python38\Scripts\mobsfscan.exe\__main__.py", line 7, in <module>
  File "C:\Users\me\AppData\Roaming\Python\Python38\site-packages\mobsfscan\__main__.py", line 65, in main
    scan_results = MobSFScan(
  File "C:\Users\me\AppData\Roaming\Python\Python38\site-packages\mobsfscan\mobsfscan.py", line 78, in scan
    result = scanner.scan()
  File "C:\Users\me\AppData\Roaming\Python\Python38\site-packages\libsast\scanner.py", line 64, in scan
    results['semantic_grep'] = SemanticGrep(
  File "C:\Users\me\AppData\Roaming\Python\Python38\site-packages\libsast\core_sgrep\semantic_sgrep.py", line 37, in scan
    self.format_output(sgrep_out)
  File "C:\Users\me\AppData\Roaming\Python\Python38\site-packages\libsast\core_sgrep\semantic_sgrep.py", line 42, in format_output
    self.findings['errors'] = results['errors']
TypeError: 'NoneType' object is not subscriptable

Report the ignored rules (on the configuration file) in the generated report as IGNORED instead of dropping them completely?

In the current solution of this tool, when a rule is ignored on the configuration level (not on the row level, in the code comment), any items for that rule are dropped from the generated report. Would it make sense to include it in the report but with a special severity flag (such as IGNORED) instead? Yet if the rule would originally be filtered out from the report (when applying the severity filter), the ignored rows would not be included in the report either.

This feature could be helpful in cases where an existing project has been built up using some not-so-good patterns that are reported as warnings. When the project takes this tool into use and wants to report all warnings as blockers (using the --exit-warning option), those issues will block any other changes to the project. In such a scenario, the offending rule might get marked as ignored in the configuration, and the developers might continue using that problematic pattern. If those ignored rules would be visible in the generated report, the issue would still be nagging the developers to get fixed (hopefully).

Erroneous detection of ios_banned_api. "Match String gets("

Hi,

I have an entity in the application which is called Budget. The plural form is used for different variants of functions like, getBudgets(), enum Endpoint { case budgets }, etc.
I'm receiving logs that it is somehow banned API.

I believe the tool is mixing the ending of function with c func char *gets(char *str)

Please take a look.

Regards,
Kharyton

No issues found when running scan

Hi I'm running into an issue when running the scan. I have an apk file which I'm trying to scan by using the command

mobsfscan app.apk
The response is that there are no issues found, however when I use the MobSF UI it finds a bunch of issues. So I'm not sure what's going wrong here.

Unable to Setup the MobSF on MAC

Unable to set up MobSF on MAC because of the error below

ERROR: Could not find a version that satisfies the requirement yara-python-dex>=1.0.0 (from apkid==2.1.2->-r requirements.txt (line 24)) (from versions: none)
ERROR: No matching distribution found for yara-python-dex>=1.0.0 (from apkid==2.1.2->-r requirements.txt (line 24))

SonarQube compatible format is not working

Getting following exception,

Screenshot 2023-05-23 at 2 57 10 PM

Here is a command that I used to generate report

mobsfscan ./ --output ./sonar-reports/mobsf_report --sonarqube

Here is an excerpt of generated file

{
  "issues": [
    {
      "engineId": "mobsfscan",
      "primaryLocation": {
        "filePath": "OTech/AppDelegate.swift",
        "message": "The App logs information. Sensitive information should never be logged. [print(\"Activity\")]",
        "textRange": {
          "endLine": 382,
          "startLine": 382
        }
      },
      "ruleId": "ios_log",

uncontrolled exception when scanning an app

Hi

I have this error when scanning an android app

File "/Users/javi/Library/Python/3.9/lib/python/site-packages/semgrep/core_runner.py", line 257, in _stream_subprocess
raise SemgrepError(f"Error while running rules: {r}")
semgrep.error.SemgrepError: Error while running rules: 0 bytes read on a total of 2 expected bytes

  • Semantic Grep 9
    ....
    File "/Users/javi/Library/Python/3.9/lib/python/site-packages/libsast/core_sgrep/semantic_sgrep.py", line 46, in format_output
    self.findings['errors'] = results['errors']
    TypeError: 'NoneType' object is not subscriptable

I think this exception should be controlled instead of breaking the app

Thanks

Kotlin and Swift scans returning different codes.

Hi,
I have been digging for a while and I have not been able to find the reason why when running mobsf with a swift project, the return code is 0, and when I do it with a kotlin project, the return code is 1, even though it seems to run successfully.

I have a docker container which clones the mobile repos and runs mobsf. I am currently calling it with the python module subprocess like this.
process = subprocess.run( "mobsfscan --sarif -o report.sarif <mobilerepo>", shell=True, capture_output=True, universal_newlines=True, timeout=None )

and when I look at the process.returncode I get 1 for the kotlin project and 0 for the swift project, even though both scans seem to run successfully.
Unfortunately, I am not able to share the projects, but I was wondering if it is something that is happening at the mobsf sourcecode level, or something that I'm doing wrong.

Thanks in advance!

BUG: Some metadata field (reference and cwe) are not in semgrep recommended format

Identified 4 issues related to metadata fields (reference and cwe) that are not in the semgrep recommended format:

  • the semgrep rules have reference key. This should be references to be compliant with semgrep required format
  • the semgrep rules references key should be a list. This is semgrep required format
  • the semgrep rules have cwe key. This should be in the format CWE-XXX: CWE_TITLE to be compliant with semgrep required format
  • the semgrep rules cwe key should be a list. This is semgrep required format

-- nitin (Semgrep Solution Engineering, EMEA)

Android XML checks failed

Mobsfscan failed with an error: Android XML checks failed. Please report this issue to the mobsfscan project.

We began experiencing issues with mobsfscan after adding beta support for Android XML checks. Our Android repository consists of multiple modules, including app, extensions, app-permissions, and others. Some of these submodules have their own AndroidManifest.xml files, while others do not.

mobsfscan does not throw an error when scanning only the app or any other subdirectory. However, it fails when attempting to scan the entire repository.

False Positive Issues on Android 34

We've recently updated our targetSdk from 33 to 34 and all was fine while using mobsfscan version v0.3.4.
Once we updated to mobsfscan version v0.3.5 we started having 2 false positives in our CI:

  • android_task_hijacking1
  • android_task_hijacking2

The reason I say it's a false positive is that the problem is saying this only happens on targetSdk < 28 and targetSdk < 29 respectively. Also, if I change my targetSdk version back to 33 the problems go away.

SSLContext.init "null" finding in accept_self_signed.yaml

In accept_self_signed.yaml there is:

          - pattern: |
              $Y = SSLContext.getInstance(...);
              ...
              $Y.init(null, ...);
          - pattern: |
              $Y = $S.SSLContext.getInstance(...);
              ...
              $Y.init(null, ...);

However, setting null as the first parameter just means that no KeyManagers are configured, which is the normal case for TLS clients https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLContext.html#init-javax.net.ssl.KeyManager:A-javax.net.ssl.TrustManager:A-java.security.SecureRandom-
I would recommend just removing these two patterns - I can submit a PR if you agree.

Resource not accessible by integration

I'm encountering this error.

Run github/codeql-action/upload-sarif@v2
  with:
    sarif_file: results.sarif
    checkout_path: /home/runner/work/test-ghas-ios/test-ghas-ios
    token: ***
    matrix: null
    wait-for-processing: true
RequestError [HttpError]: Resource not accessible by integration
    at /home/runner/work/_actions/github/codeql-action/v2/node_modules/@octokit/request/dist-node/index.js:66:23
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Job.doExecute (/home/runner/work/_actions/github/codeql-action/v2/node_modules/bottleneck/light.js:405:18) {
  status: 403,
  headers: {
    'access-control-allow-origin': '*',
    'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
    connection: 'close',
    'content-encoding': 'gzip',
    'content-security-policy': "default-src 'none'",
    'content-type': 'application/json; charset=utf-8',
    date: 'Thu, 09 Feb 2023 03:32:16 GMT',
    'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
    server: 'GitHub.com',
    'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
    'transfer-encoding': 'chunked',
    vary: 'Accept-Encoding, Accept, X-Requested-With',
    'x-content-type-options': 'nosniff',
    'x-frame-options': 'deny',
    'x-github-api-version-selected': '2022-11-28',
    'x-github-media-type': 'github.v3; format=json',
    'x-github-request-id': 'F402:66AF:174C779:2F9AE1C:63E46940',
    'x-ratelimit-limit': '1000',
    'x-ratelimit-remaining': '950',
    'x-ratelimit-reset': '1675915403',
    'x-ratelimit-resource': 'core',
    'x-ratelimit-used': '50',
    'x-xss-protection': '0'
  },
  request: {
    method: 'PUT',
    url: 'https://api.github.com/repos/mvineza/test-ghas-ios/code-scanning/analysis/status',
    headers: {
      accept: 'application/vnd.github.v3+json',
      'user-agent': 'CodeQL-Action/2.2.3 octokit-core.js/3.1.2 Node.js/16.16.0 (linux; x64)',
      authorization: 'token [REDACTED]',
      'content-type': 'application/json; charset=utf-8'
    },
    body: '{"workflow_run_id":4130690810,"workflow_name":"mobsfscan sarif","job_name":"mobsfscan","analysis_key":".github/workflows/mobfs.yml:mobsfscan","commit_oid":"4f5e11f4c65d7d866ffa53eb3c4e72dd1634b384","ref":"refs/heads/main","action_name":"upload-sarif","action_ref":"v2","action_oid":"unknown","started_at":"2023-02-09T03:32:15.645Z","action_started_at":"2023-02-09T03:32:15.645Z","status":"starting","testing_environment":"","runner_os":"Linux","action_version":"2.2.3","matrix_vars":"null","runner_arch":"X64"}',
    request: { agent: [Agent], hook: [Function: bound bound register] }
  },
  documentation_url: 'https://docs.github.com/rest'
}
Error: Resource not accessible by integration

Here is my workflow file.

name: mobsfscan sarif
on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]

jobs:
  mobsfscan:
    runs-on: ubuntu-latest
    name: mobsfscan code scanning
    steps:
    - name: Checkout the code
      uses: actions/checkout@v2
    - name: mobsfscan
      uses: MobSF/mobsfscan@main
      with:
        args: '. --sarif --output results.sarif || true'
    - name: Upload mobsfscan report
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: results.sarif

How to send the --sonarqube output to my Sonarqube instance?

Hi Ajin

I'm trying to integrate mobsfscan into my CI/CD with GitHub Actions; however, I can't see anywhere how to send the output to my SonarQube instance. Is there a tutorial somewhere that teaches how to send the scan's results to SonarQube?

Question - CVSS in config file

Hello, I'm new to using this tool.

So I'd like to know if it's possible to configure the CVSS parameters in the configuration file. How does the tool make this calculation?

Ignoring errors by severity

Good afternoon.
I would like to have a flag that I can use to ignore INFO level errors. Is there such a feature? Is it planned? Or what part of the code should I look into to add such a function?

Thank you very much.

Can it scan ios and android source code at the same time?

Here is the issue: our app is written in Flutter.
I want to scan the third-party code, which includes both iOS and Android,
while the scan output only includes Android.

I have no idea why this happens, could you please help me?

Sonarqube report invalid columns

The startColumn and endColumn attributes of the SonarQube JSON output are respectively the start index and end index of the vulnerabilities. Sonar is thus unable to import the vulnerabilities.
The start and end column should be added to libsast in order to easily get this value in mobsfscan.

Sonarqube report invalid location

Some vulnerabilities do not have a location, which is rejected by sonar:

    {
      "engineId": "mobsfscan",
      "primaryLocation": null,
      "ruleId": "android_prevent_screenshot",
      "severity": "INFO",
      "type": "VULNERABILITY"
    },
    {
      "engineId": "mobsfscan",
      "primaryLocation": null,
      "ruleId": "android_root_detection",
      "severity": "INFO",
      "type": "VULNERABILITY"
    },
    {
      "engineId": "mobsfscan",
      "primaryLocation": null,
      "ruleId": "android_detect_tapjacking",
      "severity": "INFO",
      "type": "VULNERABILITY"
    },
    {
      "engineId": "mobsfscan",
      "primaryLocation": null,
      "ruleId": "android_certificate_pinning",
      "severity": "INFO",
      "type": "VULNERABILITY"
    },
    {
      "engineId": "mobsfscan",
      "primaryLocation": null,
      "ruleId": "android_safetynet_api",
      "severity": "INFO",
      "type": "VULNERABILITY"
    },
    {
      "engineId": "mobsfscan",
      "primaryLocation": null,
      "ruleId": "android_certificate_transparency",
      "severity": "INFO",
      "type": "VULNERABILITY"
    }

Issues with no file location should either be removed or use a generic location.
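One way to post-process the report before import, covering this issue and the column issue above (an added example, not mobsfscan's own code). It assumes the report is a SonarQube generic-issue document with an `issues` array, that the reported column values are character offsets from the start of the file, and that SonarQube columns are 0-based; the sample report, the rule id with a location, and the source text are constructed.

```python
# Constructed sample: shape follows the issues quoted above; offsets and
# source text are invented for illustration.
SOURCES = {
    "app/Main.java": "class Main {\n  void f() {\n    Log.d(TAG, secret);\n  }\n}\n",
}
REPORT = {
    "issues": [
        {"engineId": "mobsfscan", "ruleId": "android_root_detection",
         "severity": "INFO", "type": "VULNERABILITY", "primaryLocation": None},
        {"engineId": "mobsfscan", "ruleId": "constructed_rule_id",
         "severity": "INFO", "type": "VULNERABILITY",
         "primaryLocation": {
             "filePath": "app/Main.java", "message": "constructed finding",
             # Assumption: these are file offsets, not columns.
             "textRange": {"startLine": 3, "endLine": 3,
                           "startColumn": 30, "endColumn": 49}}},
    ]
}


def offset_to_column(text, offset):
    """0-based column of a character offset: distance from the previous newline."""
    return offset - (text.rfind("\n", 0, offset) + 1)


def sanitize(report, sources, generic_path=None):
    """Return a copy of the report that an importer can accept.

    Issues without a location are dropped, or pinned to generic_path when one
    is given. Offsets are converted to columns when the source text is known;
    otherwise the column fields are removed and the range stays line-level.
    """
    fixed = []
    for issue in report["issues"]:
        issue = dict(issue)
        loc = issue.get("primaryLocation")
        if loc is None:
            if generic_path is None:
                continue  # no file to attach the finding to: drop it
            issue["primaryLocation"] = {"filePath": generic_path,
                                        "message": issue["ruleId"]}
        elif "textRange" in loc:
            rng = dict(loc["textRange"])
            text = sources.get(loc["filePath"])
            for key in ("startColumn", "endColumn"):
                if key not in rng:
                    continue
                if text is None:
                    del rng[key]
                else:
                    rng[key] = offset_to_column(text, rng[key])
            issue["primaryLocation"] = {**loc, "textRange": rng}
        fixed.append(issue)
    return {**report, "issues": fixed}


if __name__ == "__main__":
    import json
    print(json.dumps(sanitize(REPORT, SOURCES), indent=2))
```

Dropping location-less findings hides them from the SonarQube dashboard, so keep the original report as the record of what the scan found.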

Filter rules pre-scan

Currently, rules are filtered after the scan - meaning that a lot of unnecessary processing is done. For my Android codebase the semgrep rules run very slowly.

It would be nice to have the ability to filter out rules prior to execution. I'm not sure if this should be an additional option, or if the current filter mode should be updated.

Make ignore-filenames and ignore-paths support wildcards

I would like to set up an exclusion so that all paths under a subdirectory named tests are ignored without explicitly setting up each exclusion.

Given filepaths:
./module/tests
./module/source
./another-module/tests
./another-module/source

And given ignore-paths:
./*/tests

MobSFScan should only run against ./module/source and ./another-module/source

Only output issues/vulns exceeded a severity threshold

Hello,

Is there a way to only output issues exceeding a severity threshold? For instance, if you are only interested in outputting results above high/critical severity, is there a CLI parameter you can pass or something to that extent?

semgrep v0.84.0 support

Can mobsfscan be updated to support semgrep v0.84.0?

Interested in using mobsfscan for an existing project that already uses semgrep v0.84.0

Error !!! TypeError: 'NoneType' object is not subscriptable

  • Pattern Match ████████████████████████████████████████████████████████████ 8
  • Semantic Grep 1
    Traceback (most recent call last):
    File "c:\users\amitp\appdata\local\programs\python\python39\lib\runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
    File "c:\users\amitp\appdata\local\programs\python\python39\lib\runpy.py", line 87, in _run_code
    exec(code, run_globals)
    File "C:\Users\amitp\AppData\Local\Programs\Python\Python39\Scripts\mobsfscan.exe\__main__.py", line 7, in <module>
    File "c:\users\amitp\appdata\local\programs\python\python39\lib\site-packages\mobsfscan\__main__.py", line 65, in main
    scan_results = MobSFScan(
    File "c:\users\amitp\appdata\local\programs\python\python39\lib\site-packages\mobsfscan\mobsfscan.py", line 79, in scan
    result = scanner.scan()
    File "c:\users\amitp\appdata\local\programs\python\python39\lib\site-packages\libsast\scanner.py", line 64, in scan
    results['semantic_grep'] = SemanticGrep(
    File "c:\users\amitp\appdata\local\programs\python\python39\lib\site-packages\libsast\core_sgrep\semantic_sgrep.py", line 41, in scan
    self.format_output(sgrep_out)
    File "c:\users\amitp\appdata\local\programs\python\python39\lib\site-packages\libsast\core_sgrep\semantic_sgrep.py", line 46, in format_output
    self.findings['errors'] = results['errors']
    TypeError: 'NoneType' object is not subscriptable

GitHub Action Private

Hi! 👋 - I'm trying to use the GH Action you reference in the workflow, but it appears the repository is private still. Could I be added as a contributor as I'm interested in getting this working for a project I'm working on.

If you're able to make it public as well that's even better!

My Test Repository

Scans in json format are not reproducible

When scanning the same source tree multiple times and using json output format, the results each time are coming in different order which makes it impossible to diff.

Steps to repro:

  1. git clone https://github.com/google/ground-android
  2. cd ground-android
  3. for i in {1..20}; do mobsfscan --json . > ../$i.mobsf; done
  4. cd ..
  5. md5sum *.mobsf
  6. some scan results will be different
$ md5sum *.mobsf
b75e43b0773432f489d8c55cf4842509  10.mobsf
32c969b69ebdd28c95bc3452a52eba25  11.mobsf
8e7aadfbea3c6ff6efb04b88e03976d3  12.mobsf
423a89fe1a9d490a654d87fca754125d  13.mobsf
a3eb93de089f21074d2c7f1722fd49d2  14.mobsf
29a22271ebef7ca6cfcd8d4d08cdc38c  15.mobsf
e5264346c343756960b584b77a2c218b  16.mobsf
bf0125fc3ff3dc34d4cc29f716942d9c  17.mobsf
587de9df5c6b3d0a5a64030e3276eb07  18.mobsf
b1ce4b7786838436968b030877b8b81a  19.mobsf
096b9e788ab5be9258a4fd4860d28638  1.mobsf
592f5cdef06cee9fc42b5a806885a134  20.mobsf
a835687e06dd18fd79c359a9a234b83d  2.mobsf
1156b46954cadc1cfb163ac6f6a761d8  3.mobsf
a7d33073936f5cf25a2f31b52bf0b55d  4.mobsf
587de9df5c6b3d0a5a64030e3276eb07  5.mobsf
5e888b6fd84bf1c156c04730a8806bee  6.mobsf
9b45bf1d81dc14cdfa520a68cd1f67a2  7.mobsf
47c5213631c96f20776888177d4040e8  8.mobsf
587de9df5c6b3d0a5a64030e3276eb07  9.mobsf

The issue is that findings are dumped inside the "files": [ array.
The same set of issues found may come in a different order, causing the results to look different.

Actual behavior: findings are numbered and may come in a different order on each run

Expected behavior: reproducible scan, when multiple runs produce the same results in the same order
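Until the tool emits a stable order, reports can be compared after canonicalization, as in this added example (not part of the original issue or of mobsfscan). It relies only on the `"files"` arrays named above; the other keys in the two sample runs are constructed.

```python
import hashlib
import json


def _sort_key(item):
    # Serialize with sorted keys so dict key order never affects ordering.
    return json.dumps(item, sort_keys=True, separators=(",", ":"))


def canonicalize(node):
    """Recursively copy a report, sorting every list stored under "files"."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            value = canonicalize(value)
            if key == "files" and isinstance(value, list):
                value = sorted(value, key=_sort_key)
            out[key] = value
        return out
    if isinstance(node, list):
        return [canonicalize(value) for value in node]
    return node


def digest(report):
    """SHA-256 over the canonical form: equal findings give equal digests."""
    blob = json.dumps(canonicalize(report), sort_keys=True,
                      separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


# Constructed sample: the same two findings, reported in a different order
# (and with different key order) by two runs over the same source tree.
RUN_A = {"results": {"rule_x": {"files": [
    {"file_path": "app/A.java", "match_lines": [10, 10]},
    {"file_path": "app/B.java", "match_lines": [42, 44]},
]}}}
RUN_B = {"results": {"rule_x": {"files": [
    {"match_lines": [42, 44], "file_path": "app/B.java"},
    {"match_lines": [10, 10], "file_path": "app/A.java"},
]}}}

if __name__ == "__main__":
    print(json.dumps(RUN_A) == json.dumps(RUN_B))   # raw output differs
    print(digest(RUN_A) == digest(RUN_B))           # canonical form matches
```

Diffing `json.dumps(canonicalize(report), sort_keys=True, indent=2)` between two commits then shows only findings that were added or removed.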

Failed to scan android app code with the error "TypeError: 'NoneType' object is not subscriptable"

On Windows 10 x64, I installed mobsfscan with: pip3 install mobsfscan
and then tried to scan an Android app's source code, but it failed with the error:
Traceback (most recent call last):
File "d:\python380\lib\runpy.py", line 192, in _run_module_as_main
return _run_code(code, main_globals, None,
File "d:\python380\lib\runpy.py", line 85, in _run_code
exec(code, run_globals)
File "D:\Python380\Scripts\mobsfscan.exe\__main__.py", line 7, in <module>
File "d:\python380\lib\site-packages\mobsfscan\__main__.py", line 65, in main
scan_results = MobSFScan(
File "d:\python380\lib\site-packages\mobsfscan\mobsfscan.py", line 79, in scan
result = scanner.scan()
File "d:\python380\lib\site-packages\libsast\scanner.py", line 64, in scan
results['semantic_grep'] = SemanticGrep(
File "d:\python380\lib\site-packages\libsast\core_sgrep\semantic_sgrep.py", line 37, in scan
self.format_output(sgrep_out)
File "d:\python380\lib\site-packages\libsast\core_sgrep\semantic_sgrep.py", line 42, in format_output
self.findings['errors'] = results['errors']
TypeError: 'NoneType' object is not subscriptable

The semgrep has upgraded to 0.69.1. I'm not sure whether this issue is related to semgrep not supporting x64 or not.

Random errors for XML files: Syntax error at line file.xml:1:\n `?` was unexpected"

Error in mobsfscan 0.2.2 output:

{"code":3,"level":"warn","message":"Syntax error at line file.xml:1:\n `?` was unexpected" ...snip...

The file looks like this:

<?xml version="1.0" encoding="utf-8"?>
...snip...

Which looks like a valid XML

Also another error:

{"code":3,"level":"warn","message":"Syntax error at line styles.xml:1:\n `\u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\n\u003cresources\u003e...snip...

That file is also valid XML

Unable to run mobsfscan on android (Kotlin) project

I am unable to run mobsfscan on an Android (Kotlin) project. Seems like a semgrep issue, but not sure how I could further diagnose and potentially resolve this.

Exception in thread Thread-1:
Traceback (most recent call last):
File "/opt/homebrew/Cellar/python@3.9/3.9.16/Frameworks/Python.framework/Versions/3.9/lib/python3.9/threading.py", line 980, in _bootstrap_inner
self.run()
File "/opt/homebrew/Cellar/python@3.9/3.9.16/Frameworks/Python.framework/Versions/3.9/lib/python3.9/threading.py", line 917, in run
self._target(*self._args, **self._kwargs)
File "/opt/homebrew/lib/python3.9/site-packages/libsast/common.py", line 45, in myrunner
ret[0] = function(*args, **kwargs)
File "/opt/homebrew/lib/python3.9/site-packages/libsast/core_sgrep/helpers.py", line 50, in invoke_semgrep
) = semgrep_main.main(
File "/opt/homebrew/lib/python3.9/site-packages/semgrep/semgrep_main.py", line 363, in main
rule_matches_by_rule, semgrep_errors, all_targets, profiling_data = run_rules(
File "/opt/homebrew/lib/python3.9/site-packages/semgrep/semgrep_main.py", line 154, in run_rules
) = core_runner.invoke_semgrep(
File "/opt/homebrew/lib/python3.9/site-packages/semgrep/core_runner.py", line 758, in invoke_semgrep
) = self._run_rules_direct_to_semgrep_core(
File "/opt/homebrew/lib/python3.9/site-packages/semgrep/core_runner.py", line 703, in _run_rules_direct_to_semgrep_core
returncode = runner.execute()
File "/opt/homebrew/lib/python3.9/site-packages/semgrep/core_runner.py", line 283, in execute
rc = asyncio.run(self._stream_subprocess())
File "/opt/homebrew/Cellar/python@3.9/3.9.16/Frameworks/Python.framework/Versions/3.9/lib/python3.9/asyncio/runners.py", line 44, in run
return loop.run_until_complete(main)
File "/opt/homebrew/Cellar/python@3.9/3.9.16/Frameworks/Python.framework/Versions/3.9/lib/python3.9/asyncio/base_events.py", line 647, in run_until_complete
return future.result()
File "/opt/homebrew/lib/python3.9/site-packages/semgrep/core_runner.py", line 257, in _stream_subprocess
raise SemgrepError(f"Error while running rules: {r}")
semgrep.error.SemgrepError: Error while running rules: 0 bytes read on a total of 2 expected bytes

  • Semantic Grep 28
    Traceback (most recent call last):
    File "/opt/homebrew/bin/mobsfscan", line 8, in <module>
    sys.exit(main())
    File "/opt/homebrew/lib/python3.9/site-packages/mobsfscan/__main__.py", line 74, in main
    scan_results = MobSFScan(
    File "/opt/homebrew/lib/python3.9/site-packages/mobsfscan/mobsfscan.py", line 98, in scan
    result = scanner.scan()
    File "/opt/homebrew/lib/python3.9/site-packages/libsast/scanner.py", line 64, in scan
    results['semantic_grep'] = SemanticGrep(
    File "/opt/homebrew/lib/python3.9/site-packages/libsast/core_sgrep/semantic_sgrep.py", line 41, in scan
    self.format_output(sgrep_out)
    File "/opt/homebrew/lib/python3.9/site-packages/libsast/core_sgrep/semantic_sgrep.py", line 46, in format_output
    self.findings['errors'] = results['errors']
    TypeError: 'NoneType' object is not subscriptable

Rules for the manifest and network-security-config files

I noticed that the full framework has rules dealing with the network-security-config.xml file, which are implemented in Python and seem to not be included in mobsfscan (unless mobsfscan somehow includes the relevant stuff from the full framework and I missed this). I just wanted to let you know that I just submitted a few basic rules for these file types to the semgrep-rules repository. If these are also of interest to mobsfscan, you are very welcome to use them as well.

Note: They rely on the generic parser as no specialized XML parser exists. This means, for example, that "..." only matches up to 10 lines. Thus, the rules may fail for very long network-security-config files and are generally not 100% reliable.

If this type of linting is already supported by mobsfscan, feel free to simply close this issue.

Error while running on an Android project

Hi there,

First of all, thanks for this tool.

I have an issue while running it on an Android/Kotlin project with the following error.

Environment:

  • macOS Monterey
  • proc M1 Ultra
  • Python 3.8.9 (default, May 17 2022, 12:55:41) [Clang 13.1.6 (clang-1316.0.21.2.5)] on darwin
  • mobsfscan: v0.1.1

Does this ring a bell to you?

Thanks a lot.

Exception in thread Thread-1:
Traceback (most recent call last):
  File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/threading.py", line 932, in _bootstrap_inner
    self.run()
  File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)
  File "/Users/xxx/Library/Python/3.8/lib/python/site-packages/libsast/common.py", line 45, in myrunner
    ret[0] = function(*args, **kwargs)
  File "/Users/xxx/Library/Python/3.8/lib/python/site-packages/libsast/core_sgrep/helpers.py", line 50, in invoke_semgrep
    ) = semgrep_main.main(
  File "/Users/xxx/Library/Python/3.8/lib/python/site-packages/semgrep/semgrep_main.py", line 363, in main
    rule_matches_by_rule, semgrep_errors, all_targets, profiling_data = run_rules(
  File "/Users/xxx/Library/Python/3.8/lib/python/site-packages/semgrep/semgrep_main.py", line 154, in run_rules
    ) = core_runner.invoke_semgrep(
  File "/Users/xxx/Library/Python/3.8/lib/python/site-packages/semgrep/core_runner.py", line 758, in invoke_semgrep
    ) = self._run_rules_direct_to_semgrep_core(
  File "/Users/xxx/Library/Python/3.8/lib/python/site-packages/semgrep/core_runner.py", line 703, in _run_rules_direct_to_semgrep_core
    returncode = runner.execute()
  File "/Users/xxx/Library/Python/3.8/lib/python/site-packages/semgrep/core_runner.py", line 283, in execute
    rc = asyncio.run(self._stream_subprocess())
  File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/asyncio/runners.py", line 44, in run
    return loop.run_until_complete(main)
  File "/Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/3.8/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
    return future.result()
  File "/Users/xxx/Library/Python/3.8/lib/python/site-packages/semgrep/core_runner.py", line 257, in _stream_subprocess
    raise SemgrepError(f"Error while running rules: {r}")
semgrep.error.SemgrepError: Error while running rules: 0 bytes read on a total of 2 expected bytes
- Semantic Grep  5
Traceback (most recent call last):
  File "/Users/xxx/Library/Python/3.8/bin/mobsfscan", line 8, in <module>
    sys.exit(main())
  File "/Users/xxx/Library/Python/3.8/lib/python/site-packages/mobsfscan/__main__.py", line 65, in main
    scan_results = MobSFScan(
  File "/Users/xxx/Library/Python/3.8/lib/python/site-packages/mobsfscan/mobsfscan.py", line 79, in scan
    result = scanner.scan()
  File "/Users/xxx/Library/Python/3.8/lib/python/site-packages/libsast/scanner.py", line 64, in scan
    results['semantic_grep'] = SemanticGrep(
  File "/Users/xxx/Library/Python/3.8/lib/python/site-packages/libsast/core_sgrep/semantic_sgrep.py", line 41, in scan
    self.format_output(sgrep_out)
  File "/Users/xxx/Library/Python/3.8/lib/python/site-packages/libsast/core_sgrep/semantic_sgrep.py", line 46, in format_output
    self.findings['errors'] = results['errors']
TypeError: 'NoneType' object is not subscriptable

.mobsf does not apply when path(s) are specified

When I run the GitHub Action:

    - name: Static Swift code security tests
      uses: MobSF/mobsfscan@main
      with:
        args: '--json'

With the .mobsf config file:

---
- severity-filter:
  - WARNING

It works as expected and only displays results with the severity "WARNING".

However, when I instead specify the path in the args like args: 'Pods --json', it shows results of all severities. Even when specifying other flags in the .mobsf file, they don't work either, so this appears to be an issue with the .mobsf file being ignored altogether when paths are specified.
