
MASWE-0076 - Dependencies with Known Vulnerabilities (SBOM) #2912

Open
wants to merge 18 commits into base: master

Conversation

sushi2k
Collaborator

@sushi2k sushi2k commented Oct 16, 2024


Let's run our @MASTG-TOOL-0116 rule against the sample code.

{{ ../../../../rules/mastg-android-insecure-random-use.yml }}
Collaborator

Are you sure the rule name should contain android for this demo?

Collaborator Author

@sushi2k sushi2k Oct 16, 2024

This is a draft PR and, as indicated in the title, the demos and tests are not ready yet :-)

@sushi2k sushi2k changed the title first draft MASWE-0076 - WIP - Demos and Tests are missing first draft MASWE-0076 - WIP - Demos and Tests are not ready yet Oct 19, 2024
@sushi2k sushi2k marked this pull request as ready for review October 20, 2024 17:48
@sushi2k
Collaborator Author

sushi2k commented Oct 25, 2024

@sushi2k To-Do

  • Add a ticket to dependency-check for the APK scan and add it as a limitation of scanning APKs that no libraries can be found. Done: What can dependency-check scan for in an APK? jeremylong/DependencyCheck#7107

  • Check old test cases from MASTG v1

  • Make it clear that this information can be queried by developers (like an SBOM, or artifacts of dependency managers)

  • Make it clear that black box testing is very tedious and incomplete!

@cpholguera cpholguera changed the title first draft MASWE-0076 - WIP - Demos and Tests are not ready yet MASWE-0076 - Dependencies with Known Vulnerabilities (SBOM) Oct 25, 2024
@cpholguera cpholguera marked this pull request as draft October 25, 2024 09:45
@anantshri
Collaborator

> @sushi2k To-Do

Has there ever been software in public space that can accurately fingerprint dependency versions from within APKs? I have read a few whitepapers and seen a few academic tools, but nothing that has worked seamlessly and/or kept working after the thesis work was done. Curious if I missed something.

Whitepapers that I have seen are listed below:

  • Zhan, Xian, Tianming Liu, Yepang Liu, Yang Liu, Li Li, Haoyu Wang, and Xiapu Luo. 2021. “A Systematic Assessment on Android Third-Party Library Detection Tools.” arXiv. https://doi.org/10.48550/arXiv.2108.01964.
  • Backes, Michael, Sven Bugiel, and Erik Derr. 2016. “Reliable Third-Party Library Detection in Android and Its Security Applications.” In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 356–67. CCS ’16. New York, NY, USA: Association for Computing Machinery. https://doi.org/10.1145/2976749.2978333.
  • Li, Menghao, Wei Wang, Pei Wang, Shuai Wang, Dinghao Wu, Jian Liu, Rui Xue, and Wei Huo. 2017. “LibD: Scalable and Precise Third-Party Library Detection in Android Markets.” In 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE), 335–46. https://doi.org/10.1109/ICSE.2017.38.
  • Soh, Charlie, Hee Beng Kuan Tan, Yauhen Leanidavich Arnatovich, Annamalai Narayanan, and Lipo Wang. 2016. “LibSift: Automated Detection of Third-Party Libraries in Android Applications.” In 2016 23rd Asia-Pacific Software Engineering Conference (APSEC), 41–48. Hamilton: IEEE. https://doi.org/10.1109/APSEC.2016.017.
  • Wang, Haoyu, and Yao Guo. 2017. “Understanding Third-Party Libraries in Mobile App Analysis.” In Proceedings of the 39th International Conference on Software Engineering Companion, 515–16. ICSE-C ’17. Buenos Aires, Argentina: IEEE Press. https://doi.org/10.1109/ICSE-C.2017.161.
  • Zhang, Jiexin, Alastair R. Beresford, and Stephan A. Kollmann. 2019. “LibID: Reliable Identification of Obfuscated Third-Party Android Libraries.” In Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, 55–65. New York, NY, USA: Association for Computing Machinery. https://doi.org/10.1145/3293882.3330563.

@sushi2k
Collaborator Author

sushi2k commented Oct 29, 2024

Thank you for sharing @anantshri! I am trying out blint at the moment, that might be able to do this, but I am struggling to create a proper SBOM, see owasp-dep-scan/blint#119

@sushi2k sushi2k marked this pull request as ready for review November 10, 2024 16:00
Contributor

@Copilot Copilot AI left a comment

Copilot reviewed 16 out of 31 changed files in this pull request and generated 2 suggestions.

Files not reviewed (15)
  • .vscode/settings.json: Language not supported
  • demos/android/MASVS-CODE/MASTG-DEMO-0021/build.gradle.kts: Language not supported
  • demos/android/MASVS-CODE/MASTG-DEMO-0021/output.txt: Language not supported
  • demos/android/MASVS-CODE/MASTG-DEMO-0021/run.sh: Language not supported
  • demos/android/MASVS-CODE/MASTG-DEMO-0022/run.sh: Language not supported
  • demos/ios/MASVS-CODE/MASTG-DEMO-0020/Package.resolved: Language not supported
  • demos/ios/MASVS-CODE/MASTG-DEMO-0020/output.txt: Language not supported
  • demos/ios/MASVS-CODE/MASTG-DEMO-0020/run.sh: Language not supported
  • demos/ios/MASVS-CODE/MASTG-DEMO-0023/output.txt: Language not supported
  • demos/ios/MASVS-CODE/MASTG-DEMO-0023/run.sh: Language not supported
  • demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md: Evaluated as low risk
  • demos/ios/MASVS-CODE/MASTG-DEMO-0020/MASTG-DEMO-0020.md: Evaluated as low risk
  • demos/ios/MASVS-CODE/MASTG-DEMO-0023/MASTG-DEMO-0023.md: Evaluated as low risk
  • techniques/ios/MASTG-TECH-0113.md: Evaluated as low risk
  • techniques/ios/MASTG-TECH-0114.md: Evaluated as low risk

}'
```

Go to the frontend of dependency-check, which is <http://localhost:8080> if you are using the default settings of the dependency-track Docker container. Open the project you uploaded the SBOM to and you can verify whether there are any vulnerable dependencies.

This comment was marked as resolved.

techniques/ios/MASTG-TECH-0115.md (outdated, resolved)
Successfully merging this pull request may close these issues.

[MASWE-0076] New MASWE Weakness
3 participants