
Commit 4d504b6

committed
🔨 Merge the MobSF scanner
1 parent 0197647 commit 4d504b6

11 files changed

+558
-572
lines changed


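--- a/docs/content/en/connecting_your_tools/parsers/file/mobsf.md
+++ b/docs/content/en/connecting_your_tools/parsers/file/mobsf.md
@@ -2,7 +2,7 @@
 title: "MobSF Scanner"
 toc_hide: true
 ---
-Export a JSON file using the API, api/v1/report\_json.
+Export a JSON file using the API, api/v1/report\_json and import it to Defectdojo or import a JSON report from <https://github.com/MobSF/mobsfscan>
 
 ### Sample Scan Data
 Sample MobSF Scanner scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/mobsf).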

docs/content/en/connecting_your_tools/parsers/file/mobsfscan.md

Lines changed: 0 additions & 8 deletions
This file was deleted.

dojo/tools/mobsf/api_report_json.py

Lines changed: 388 additions & 0 deletions
Large diffs are not rendered by default.

dojo/tools/mobsf/parser.py

Lines changed: 8 additions & 383 deletions
Large diffs are not rendered by default.

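--- a/dojo/tools/mobsfscan/parser.py
+++ b/dojo/tools/mobsf/report.py
@@ -1,11 +1,10 @@
 import hashlib
-import json
 import re
 
 from dojo.models import Finding
 
 
-class MobsfscanParser:
+class MobSFjsonreport:
 
     """A class that can be used to parse the mobsfscan (https://github.com/MobSF/mobsfscan) JSON report file."""
 
@@ -15,19 +14,7 @@ class MobsfscanParser:
         "INFO": "Low",
     }
 
-    def get_scan_types(self):
-        return ["Mobsfscan Scan"]
-
-    def get_label_for_scan_types(self, scan_type):
-        return "Mobsfscan Scan"
-
-    def get_description_for_scan_types(self, scan_type):
-        return "Import JSON report for mobsfscan report file."
-
-    def get_findings(self, filename, test):
-        data = json.load(filename)
-        if len(data.get("results")) == 0:
-            return []
+    def get_findings(self, data, test):
         dupes = {}
         for key, item in data.get("results").items():
             metadata = item.get("metadata")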
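Review bot: `get_findings` now assumes the already-parsed `data` dict carries a `results` key: `data.get("results").items()` raises `AttributeError` on `None` when the key is absent, which is what an uploaded JSON that is not a mobsfscan report looks like, and the removed `len(...) == 0` guard did not cover that case either. The new dispatch in `parser.py` (not rendered here) presumably routes on top-level keys so this may be unreachable, but a defensive `for key, item in (data.get("results") or {}).items():` costs nothing and turns a 500 on a malformed upload into an empty result. The class docstring still says it parses the "JSON report file" while the method now receives parsed data; `"""Build Findings from an already-parsed mobsfscan (https://github.com/MobSF/mobsfscan) JSON report."""` would match the new contract. The body of `get_findings` continues past the end of the hunk.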

dojo/tools/mobsfscan/__init__.py

Whitespace-only changes.

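--- a/unittests/tools/test_mobsf_parser.py
+++ b/unittests/tools/test_mobsf_parser.py
@@ -136,3 +136,162 @@ def test_parse_damnvulnrablebank(self):
         findings = parser.get_findings(testfile, test)
         testfile.close()
         self.assertEqual(80, len(findings))
+
+    def test_parse_no_findings(self):
+        with (get_unit_tests_scans_path("mobsf") / "no_findings.json").open(encoding="utf-8") as testfile:
+            parser = MobSFParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(0, len(findings))
+
+    def test_parse_many_findings(self):
+        with (get_unit_tests_scans_path("mobsf") / "many_findings.json").open(encoding="utf-8") as testfile:
+            parser = MobSFParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(8, len(findings))
+
+            with self.subTest(i=0):
+                finding = findings[0]
+                self.assertEqual("android_certificate_transparency", finding.title)
+                self.assertEqual("Low", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(295, finding.cwe)
+                self.assertIsNotNone(finding.references)
+
+            with self.subTest(i=1):
+                finding = findings[1]
+                self.assertEqual("android_kotlin_hardcoded", finding.title)
+                self.assertEqual("Medium", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(798, finding.cwe)
+                self.assertIsNotNone(finding.references)
+                self.assertEqual("app/src/main/java/com/routes/domain/analytics/event/Signatures.kt", finding.file_path)
+                self.assertEqual(10, finding.line)
+
+            with self.subTest(i=2):
+                finding = findings[2]
+                self.assertEqual("android_kotlin_hardcoded", finding.title)
+                self.assertEqual("Medium", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(798, finding.cwe)
+                self.assertIsNotNone(finding.references)
+                self.assertEqual("app/src/main/java/com/routes/domain/analytics/event/Signatures2.kt", finding.file_path)
+                self.assertEqual(20, finding.line)
+
+            with self.subTest(i=3):
+                finding = findings[3]
+                self.assertEqual("android_prevent_screenshot", finding.title)
+                self.assertEqual("Low", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(200, finding.cwe)
+                self.assertIsNotNone(finding.references)
+
+            with self.subTest(i=4):
+                finding = findings[4]
+                self.assertEqual("android_root_detection", finding.title)
+                self.assertEqual("Low", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(919, finding.cwe)
+                self.assertIsNotNone(finding.references)
+
+            with self.subTest(i=5):
+                finding = findings[5]
+                self.assertEqual("android_safetynet", finding.title)
+                self.assertEqual("Low", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(353, finding.cwe)
+                self.assertIsNotNone(finding.references)
+
+            with self.subTest(i=6):
+                finding = findings[6]
+                self.assertEqual("android_ssl_pinning", finding.title)
+                self.assertEqual("Low", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(295, finding.cwe)
+                self.assertIsNotNone(finding.references)
+
+            with self.subTest(i=7):
+                finding = findings[7]
+                self.assertEqual("android_tapjacking", finding.title)
+                self.assertEqual("Low", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(200, finding.cwe)
+                self.assertIsNotNone(finding.references)
+
+    def test_parse_many_findings_cwe_lower(self):
+        with (get_unit_tests_scans_path("mobsf") / "many_findings_cwe_lower.json").open(encoding="utf-8") as testfile:
+            parser = MobSFParser()
+            findings = parser.get_findings(testfile, Test())
+            self.assertEqual(7, len(findings))
+
+            with self.subTest(i=0):
+                finding = findings[0]
+                self.assertEqual("android_certificate_transparency", finding.title)
+                self.assertEqual("Low", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(295, finding.cwe)
+                self.assertIsNotNone(finding.references)
+
+            with self.subTest(i=1):
+                finding = findings[1]
+                self.assertEqual("android_kotlin_hardcoded", finding.title)
+                self.assertEqual("Medium", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(798, finding.cwe)
+                self.assertIsNotNone(finding.references)
+                self.assertEqual("app/src/main/java/com/routes/domain/analytics/event/Signatures.kt", finding.file_path)
+                self.assertEqual(10, finding.line)
+
+            with self.subTest(i=2):
+                finding = findings[2]
+                self.assertEqual("android_prevent_screenshot", finding.title)
+                self.assertEqual("Low", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(200, finding.cwe)
+                self.assertIsNotNone(finding.references)
+
+            with self.subTest(i=3):
+                finding = findings[3]
+                self.assertEqual("android_root_detection", finding.title)
+                self.assertEqual("Low", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(919, finding.cwe)
+                self.assertIsNotNone(finding.references)
+
+            with self.subTest(i=4):
+                finding = findings[4]
+                self.assertEqual("android_safetynet", finding.title)
+                self.assertEqual("Low", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(353, finding.cwe)
+                self.assertIsNotNone(finding.references)
+
+            with self.subTest(i=5):
+                finding = findings[5]
+                self.assertEqual("android_ssl_pinning", finding.title)
+                self.assertEqual("Low", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(295, finding.cwe)
+                self.assertIsNotNone(finding.references)
+
+            with self.subTest(i=6):
+                finding = findings[6]
+                self.assertEqual("android_tapjacking", finding.title)
+                self.assertEqual("Low", finding.severity)
+                self.assertEqual(1, finding.nb_occurences)
+                self.assertIsNotNone(finding.description)
+                self.assertEqual(200, finding.cwe)
+                self.assertIsNotNone(finding.references)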
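Review bot: The new tests only feed well-formed fixtures through `MobSFParser`; nothing in the hunk pins what `get_findings` does with a JSON that is neither a MobSF API report nor a mobsfscan report (for example `{}`), which is the contract a parser that now dispatches between two formats on user-uploaded input most needs. A short negative test such as `with self.assertRaises(ValueError): MobSFParser().get_findings(io.StringIO("{}"), Test())` — or an assertion on an empty list, whichever the dispatch in `parser.py` (not rendered here) actually implements — would lock that behaviour down. `test_parse_many_findings_cwe_lower` repeats `test_parse_many_findings` almost line for line with 7 findings instead of 8, and nothing states what the fixture varies; a one-line comment on the method, e.g. `# Same report as many_findings.json but with the CWE metadata written in lower case` (presumably what the fixture name means — confirm), would make the intent readable without diffing the two JSON files.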
