Empty Vulnerabilities Report in GitLab SAST Template MobSF Android Scan

Hello GitLab Community,

I’m currently using the GitLab SAST template for a MobSF Android scan in my CI pipeline. However, I’m encountering an issue where the generated reports are empty, with no vulnerabilities listed.

Here’s the JSON report that’s being generated:

{
  "version": "15.0.7",
  "vulnerabilities": [],
  "dependency_files": [],
  "scan": {
    "analyzer": {
      "id": "mobsf",
      "name": "MobSF",
      "url": "https://gitlab.com/gitlab-org/security-products/analyzers/mobsf",
      "vendor": { "name": "GitLab" },
      "version": "4.6.2"
    },
    "scanner": {
      "id": "mobsf",
      "name": "MobSF",
      "url": "https://github.com/MobSF/Mobile-Security-Framework-MobSF",
      "vendor": { "name": "GitLab" },
      "version": "3.7.6-gitlab.1"
    },
    "type": "sast",
    "start_time": "2024-02-22T12:29:35",
    "end_time": "2024-02-22T12:29:38",
    "status": "success"
  }
}

And here’s my .gitlab-ci.yml:

stages:
  - build
  - test

build-job:
  stage: build
  image: mobiledevops/android-sdk-image:34.0.0-jdk17
  before_script:
    # Keep the Gradle cache inside the project dir so it can be cached between jobs
    - export GRADLE_USER_HOME=$(pwd)/.gradle
    # Accept SDK licenses non-interactively; ignore the exit code if none are pending
    - yes | sdkmanager --sdk_root=${ANDROID_HOME} --licenses || true
  script: "./gradlew assemble"

include:
  - template: Jobs/SAST.gitlab-ci.yml

variables:
  SAST_EXPERIMENTAL_FEATURES: "true"

I’ve been trying to find a solution to this issue but haven’t had any luck so far. Any help or guidance would be greatly appreciated.

Here’s the link to the original project: GitHub - Sudhindra3000/android-dev-challenge-weather-app (Weather App UI made for Android Developer Challenge Week 4)

Thank you!
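The report posted above is the "status: success, zero findings" shape that is easy to miss in a green pipeline. The following is an added example, not code from GitLab, MobSF or the poster: a small checker that summarizes a gl-sast-report.json and warns when a successful scan produced no findings. It follows the layout visible in the posted JSON (schema 15.x); the per-finding fields (severity, location) come from the GitLab security report schema, and the second sample report with findings is constructed for the example, not real MobSF output. The thresholds (min_expected, quick_scan_s) are assumptions you would tune per project.

```python
"""Sanity-check a GitLab SAST report (gl-sast-report.json).

Added example, not GitLab/MobSF code. Uses the report layout shown in the
forum post; the FINDINGS_REPORT sample below is constructed.
"""
import json
import sys
from datetime import datetime

TIME_FMT = "%Y-%m-%dT%H:%M:%S"  # timestamp format used in the posted report
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info", "Unknown")

# The report from the post above: status "success" but no findings at all.
EMPTY_REPORT = {
    "version": "15.0.7",
    "vulnerabilities": [],
    "dependency_files": [],
    "scan": {
        "analyzer": {"id": "mobsf", "name": "MobSF", "version": "4.6.2"},
        "type": "sast",
        "start_time": "2024-02-22T12:29:35",
        "end_time": "2024-02-22T12:29:38",
        "status": "success",
    },
}

# Constructed report with two findings (not real analyzer output), to show the
# non-empty path through the same code.
FINDINGS_REPORT = {
    "version": "15.0.7",
    "vulnerabilities": [
        {"id": "constructed-1", "category": "sast", "severity": "High",
         "name": "Constructed finding A",
         "location": {"file": "app/src/main/AndroidManifest.xml", "start_line": 1}},
        {"id": "constructed-2", "category": "sast", "severity": "Medium",
         "name": "Constructed finding B",
         "location": {"file": "app/src/main/java/Example.kt", "start_line": 42}},
    ],
    "dependency_files": [],
    "scan": {
        "analyzer": {"id": "mobsf", "name": "MobSF", "version": "4.6.2"},
        "type": "sast",
        "start_time": "2024-02-22T12:29:35",
        "end_time": "2024-02-22T12:31:02",
        "status": "success",
    },
}


def summarize(report):
    """Collapse a parsed report into the few fields worth eyeballing."""
    scan = report.get("scan", {})
    vulns = report.get("vulnerabilities", [])
    by_severity = {}
    for v in vulns:
        sev = v.get("severity", "Unknown")
        sev = sev if sev in SEVERITIES else "Unknown"
        by_severity[sev] = by_severity.get(sev, 0) + 1
    duration = None
    start, end = scan.get("start_time"), scan.get("end_time")
    if start and end:
        duration = (datetime.strptime(end, TIME_FMT)
                    - datetime.strptime(start, TIME_FMT)).total_seconds()
    analyzer = scan.get("analyzer", {})
    return {
        "schema_version": report.get("version"),
        "analyzer": f"{analyzer.get('id')} {analyzer.get('version')}",
        "status": scan.get("status"),
        "count": len(vulns),
        "by_severity": by_severity,
        "duration_s": duration,
    }


def check_report(report, min_expected=1, quick_scan_s=10):
    """Return warnings for the 'success but empty' pattern; [] if it looks sane.

    min_expected / quick_scan_s are example thresholds: a project known to have
    findings should yield at least min_expected, and an analyzer that finishes
    in a few seconds with nothing to report usually never saw the sources.
    """
    s = summarize(report)
    warnings = []
    if s["status"] != "success":
        warnings.append(f"scan status is {s['status']!r}, not 'success'")
    if s["count"] < min_expected:
        warnings.append(f"{s['count']} finding(s) reported, expected at least "
                        f"{min_expected}; check the job log to confirm the "
                        f"analyzer actually saw the sources")
    if s["count"] == 0 and s["duration_s"] is not None and s["duration_s"] < quick_scan_s:
        warnings.append(f"scan finished in {s['duration_s']:.0f}s with no findings; "
                        f"probably nothing was scanned")
    return warnings


def load_report(path):
    """Read gl-sast-report.json from disk (the CI artifact)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python check_sast_report.py gl-sast-report.json
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else EMPTY_REPORT
    print(json.dumps(summarize(report), indent=2))
    problems = check_report(report)
    for p in problems:
        print("WARNING:", p)
    sys.exit(1 if problems else 0)
```

Run against the posted report it exits 1 with two warnings (zero findings, and a 3-second scan with nothing to show); a non-zero exit from a script like this in a follow-up CI job turns a silently empty report into a visible pipeline failure.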


Hello!

This is not a fresh issue, but I just ran into a similar one and found a solution so I decided to share it here.

I am running a customized auto devops pipeline on my project and I also had a SAST job that was returning an empty report (no vulnerabilities), even though I had confirmed that my code had some vulnerabilities.

It seems the problem was that the SAST job requires the code quality job to run in a previous stage. As soon as I added that job to the pipeline, the SAST job showed the vulnerabilities again.

Unfortunately, I checked the relevant documentation, but I could not find any mention in the requirements of the need to have the code quality step run in an earlier stage.

In the end, my pipeline looks like this:

image: alpine:latest

stages:
  - code
  - security_scan

include:
  - template: Jobs/Code-Quality.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml
  - template: Jobs/SAST.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml  # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.gitlab-ci.yml


# Override the default security job definitions
code_quality:
  stage: code

sast:
  stage: security_scan
  artifacts:
    paths:
      - gl-sast-report.json

secret_detection:
  stage: security_scan
  artifacts:
    paths:
      - gl-secret-detection-report.json

# Irrelevant pipeline steps...