From 2234e8d273e036f2e7ee4c789921ab23bf70659d Mon Sep 17 00:00:00 2001
From: Sven Schleier
Date: Wed, 16 Oct 2024 09:53:09 +0200
Subject: [PATCH 01/17] first draft - WIP - Demos and Tests are missing
---
.vscode/settings.json | 1 +
.../MASTG-DEMO-0021/MASTG-DEMO-0021.md | 35 +++++++++++++
.../MASVS-CODE/MASTG-DEMO-0021/output.txt | 0
.../android/MASVS-CODE/MASTG-DEMO-0021/run.sh | 0
.../MASTG-DEMO-0020/MASTG-DEMO-0020.md | 35 +++++++++++++
.../MASTG-DEMO-0020/Package.resolved | 15 ++++++
.../ios/MASVS-CODE/MASTG-DEMO-0020/output.txt | 0
demos/ios/MASVS-CODE/MASTG-DEMO-0020/run.sh | 0
techniques/android/MASTG-TECH-0112.md | 50 +++++++++++++++++++
techniques/ios/MASTG-TECH-0113.md | 30 +++++++++++
.../android/MASVS-CODE/MASTG-TEST-0216.md | 23 +++++++++
tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md | 23 +++++++++
tools/generic/MASTG-TOOL-0116.md | 13 +++++
tools/generic/MASTG-TOOL-0117.md | 7 +++
tools/generic/MASTG-TOOL-0118.md | 11 ++++
weaknesses/MASVS-CODE/MASWE-0076.md | 37 ++++++++++----
16 files changed, 269 insertions(+), 11 deletions(-)
create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0021/MASTG-DEMO-0021.md
create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0021/output.txt
create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0021/run.sh
create mode 100644 demos/ios/MASVS-CODE/MASTG-DEMO-0020/MASTG-DEMO-0020.md
create mode 100644 demos/ios/MASVS-CODE/MASTG-DEMO-0020/Package.resolved
create mode 100644 demos/ios/MASVS-CODE/MASTG-DEMO-0020/output.txt
create mode 100644 demos/ios/MASVS-CODE/MASTG-DEMO-0020/run.sh
create mode 100644 techniques/android/MASTG-TECH-0112.md
create mode 100644 techniques/ios/MASTG-TECH-0113.md
create mode 100644 tests-beta/android/MASVS-CODE/MASTG-TEST-0216.md
create mode 100644 tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md
create mode 100644 tools/generic/MASTG-TOOL-0116.md
create mode 100644 tools/generic/MASTG-TOOL-0117.md
create mode 100644 tools/generic/MASTG-TOOL-0118.md
diff --git a/.vscode/settings.json b/.vscode/settings.json
index 4c1cd20459..e89c7c5caa 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -41,6 +41,7 @@
 "Ljava",
 "loadbalancer",
 "mainactivity",
+ "MASTG",
 "MASVS",
 "MITM",
 "MSTG",
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0021/MASTG-DEMO-0021.md b/demos/android/MASVS-CODE/MASTG-DEMO-0021/MASTG-DEMO-0021.md
new file mode 100644
index 0000000000..c4cc5cc9f6
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0021/MASTG-DEMO-0021.md
@@ -0,0 +1,35 @@
+---
+platform: android
+title: Usage of Insecure Android Dependencies
+id: MASTG-DEMO-0021
+code: [java]
+test: MASTG-TEST-0216
+---
+
+### Sample
+
+{{ MastgTest.kt # MastgTest_reversed.java }}
+
+### Steps
+
+Let's run our @MASTG-TOOL-0116 rule against the sample code.
+
+{{ ../../../../rules/mastg-android-insecure-random-use.yml }}
+
+{{ run.sh }}
+
+### Observation
+
+The rule has identified XXX instances in the code file where an insecure random number generator is used. The specified line numbers can be located in the original code for further investigation and remediation.
+
+{{ output.txt }}
+
+### Evaluation
+
+Review each of the reported instances.
+
+- Line 12 seems to be used to generate random numbers for security purposes, in this case for generating authentication tokens.
+- Line 17 is part of the function `get_random`. Review any calls to this function to ensure that the random number is not used in a security-relevant context.
+- Line 27 is part of the password generation function which is a security-critical operation.
+
+Note that line 37 did not trigger the rule because the random number is generated using `SecureRandom` which is a secure random number generator.
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0021/output.txt b/demos/android/MASVS-CODE/MASTG-DEMO-0021/output.txt
new file mode 100644
index 0000000000..e69de29bb2
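Review bot: The body of MASTG-DEMO-0021.md is still the insecure-random demo: it embeds `mastg-android-insecure-random-use.yml` and evaluates `SecureRandom` usage, while the title and `test: MASTG-TEST-0216` are about vulnerable dependencies. A reader following the page as written would run a rule that cannot detect a vulnerable dependency. The same text is copied into MASTG-DEMO-0020.md, where the front matter also contradicts itself: `platform: ios` sits next to `code: [java]` and `test: MASTG-TEST-0216`, although this patch adds MASTG-TEST-0215 as the iOS test. I'd set `code: [swift]` and `test: MASTG-TEST-0215` there, and replace both bodies with the dependency-check run described in MASTG-TECH-0112 and MASTG-TECH-0113.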
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0021/run.sh b/demos/android/MASVS-CODE/MASTG-DEMO-0021/run.sh
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/MASTG-DEMO-0020.md b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/MASTG-DEMO-0020.md
new file mode 100644
index 0000000000..5e7fa5ad0d
--- /dev/null
+++ b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/MASTG-DEMO-0020.md
@@ -0,0 +1,35 @@
+---
+platform: ios
+title: Usage of Insecure iOS Dependencies
+id: MASTG-DEMO-0020
+code: [java]
+test: MASTG-TEST-0216
+---
+
+### Sample
+
+{{ MastgTest.kt # MastgTest_reversed.java }}
+
+### Steps
+
+Let's run our @MASTG-TOOL-0116 rule against the sample code.
+
+{{ ../../../../rules/mastg-android-insecure-random-use.yml }}
+
+{{ run.sh }}
+
+### Observation
+
+The rule has identified XXX instances in the code file where an insecure random number generator is used. The specified line numbers can be located in the original code for further investigation and remediation.
+
+{{ output.txt }}
+
+### Evaluation
+
+Review each of the reported instances.
+
+- Line 12 seems to be used to generate random numbers for security purposes, in this case for generating authentication tokens.
+- Line 17 is part of the function `get_random`. Review any calls to this function to ensure that the random number is not used in a security-relevant context.
+- Line 27 is part of the password generation function which is a security-critical operation.
+
+Note that line 37 did not trigger the rule because the random number is generated using `SecureRandom` which is a secure random number generator.
diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/Package.resolved b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/Package.resolved
new file mode 100644
index 0000000000..ac1796e354
--- /dev/null
+++ b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/Package.resolved
@@ -0,0 +1,15 @@
+{
+ "originHash" : "b68c973e78e301de37753c919a62c1dda9a70e82a8dbd432336372a4edf9b951",
+ "pins" : [
+ {
+ "identity" : "swift-nio",
+ "kind" : "remoteSourceControl",
+ "location" : "https://github.com/apple/swift-nio.git",
+ "state" : {
+ "revision" : "6aa9347d9bc5bbfe6a84983aec955c17ffea96ef",
+ "version" : "2.33.0"
+ }
+ }
+ ],
+ "version" : 3
+}
diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output.txt b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/run.sh b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/run.sh
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/techniques/android/MASTG-TECH-0112.md b/techniques/android/MASTG-TECH-0112.md
new file mode 100644
index 0000000000..5b8def2a3f
--- /dev/null
+++ b/techniques/android/MASTG-TECH-0112.md
@@ -0,0 +1,50 @@
+---
+title: Software Composition Analysis (SCA) of Android Dependencies
+platform: android
+---
+
+For Android both popular build automation tools, are also dependency managers:
+
+- [Gradle](https://developer.android.com/build/dependencies) and
+- Maven.
+
+Gradle is the default build automation tool in Android Studio and this technique will focus on it.
+
+Tools like @MASTG-TOOL-0116 can be integrated into the build environments, where they can inspect the build configuration files or the actual `.jar` files and their metadata, such as the version, to identify dependencies. Once identified such tools will identify known vulnerabilities in the dependencies by comparing them to a vulnerability database (like the National Vulnerability Database, NVD).
+
+In order to test for dependencies with known vulnerabilities, we need to integrate the @MASTG-TOOL-0116 plugin into the Android project via Gradle. The dependencies of the Android project are located in the following directory `~/.gradle/caches/modules-2/files-2.1`, and not in the Android Project directory.
+
+The dependencies will be integrated into the project during run-time, but will also be modified and compiled into the DEX file(s) of the APK. therefore we need to scan dependencies in Android Studio and cannot scan the APK.
+
+Before we can run the scan, you will need to obtain an API key for NVD, which is used to retrieve the latest CVE information. The API Key to access the NVD API can be requested from .
+
+In the `build.gradle` of `Module: app` (not the project `build.gradle` file), add the `dependencycheck` dependency in the latest version and the `dependencyCheck` configuration:
+
+```json
+plugins {
+ ...
+ id("org.owasp.dependencycheck") version "10.0.4" // This is the latest version at the time of writing, please update accordingly
+}
+
+dependencyCheck {
+
+ formats = listOf("HTML", "XML", "JSON") // Generate reports in HTML, JSON and XML format
+
+ nvd {
+ apiKey = ""
+ delay = 16000
+ }
+
+}
+```
+
+Open a terminal in Android Studio and execute the following command:
+
+```bash
+$ ./gradlew dependencyCheckAnalyze
+...
+BUILD SUCCESSFUL in 6s
+1 actionable task: 1 executed
+```
+
+The report was generated in 3 different formats (HTML, JSON and XML) and can be found in the project directory in `app/build/reports`.
diff --git a/techniques/ios/MASTG-TECH-0113.md b/techniques/ios/MASTG-TECH-0113.md
new file mode 100644
index 0000000000..97f7082e92
--- /dev/null
+++ b/techniques/ios/MASTG-TECH-0113.md
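Review bot: In MASTG-TECH-0112.md, the `nvd { apiKey = "" }` block of the `build.gradle` example invites readers to paste their NVD API key into a file that is normally committed to version control. I'd show the key being read from outside the build script, for example `apiKey = System.getenv("NVD_API_KEY") ?: ""` (the variable name is a placeholder), and add one sentence saying the key should not be checked in. The snippet's fence is also tagged `json` although the content is Gradle Kotlin DSL; `kotlin` would be the accurate tag. Separately, "integrated into the project during run-time" reads as if it should be build time, since the same sentence says the dependencies are compiled into the DEX files.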
@@ -0,0 +1,30 @@
+---
+title: Software Composition Analysis (SCA) of iOS Dependencies
+platform: ios
+---
+
+iOS has several dependency managers, where the most popular are:
+
+- [Carthage](https://github.com/Carthage/Carthage),
+- [CocoaPods](https://github.com/CocoaPods/CocoaPods) and
+- [SwiftPM](https://github.com/swiftlang/swift-package-manager) (Swift Package Manager)
+
+The dependencies will be integrated into the project during the build and compiled into the IPA, therefore we cannot scan the IPA file. Instead, tools like @MASTG-TOOL-0116 can be used to scan the files created by the dependency managers, which list the dependencies and their versions built into the iOS app. Once identified such tools will identify known vulnerabilities in the dependencies by comparing them to a vulnerability database (like the National Vulnerability Database, NVD).
+
+In order to test for dependencies with known vulnerabilities, we need to retrieve the corresponding file of the dependency manager used:
+
+- For Carthage it is the file `Cartfile.resolved`.
+- For CocoaPods it is the file `*.podspec` or `Podfile.lock`
+- For SwiftPM it is the file `Package.swift` or `Package.resolved`
+
+When scanning with @MASTG-TOOL-0116 it is sufficient to scan the file of the dependency manager that is used.
+
+Before we can run the scan, you will need to obtain an API key for NVD, which is used to retrieve the latest CVE information. The API Key to access the NVD API can be requested from .
+
+To start a scan for a project using SwiftPM, execute the following command:
+
+```bash
+$ dependency-check --enableExperimental -f SARIF --nvdApiKey -s Package.resolved
+```
+
+The output will be a SARIF file, which can be viewed in @MASTG-TOOL-0118 by using the Sarif Viewer Plugin. If any known vulnerabilities were identified, it will list them and their CVE number and description.
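Review bot: The closing sentence treats every reported CVE as a confirmed finding, yet the command depends on `--enableExperimental`, and the page gives no guidance on triage. The SARIF output added later in this patch series records `pkg:swift/swift-nio@2.33.0` against `cpe:2.3:a:apple:swift:2.33.0`, and its CVE descriptions concern the Swift toolchain and swift-corelibs-foundation, which suggests the matches may be false positives for the pinned package. I'd add a sentence such as `Review each finding against the affected component and version before reporting it, as CPE matching can produce false positives.` In the example command, `--nvdApiKey` is followed directly by `-s`, so the option needs a visible placeholder for its value.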
diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEST-0216.md b/tests-beta/android/MASVS-CODE/MASTG-TEST-0216.md
new file mode 100644
index 0000000000..4eee737898
--- /dev/null
+++ b/tests-beta/android/MASVS-CODE/MASTG-TEST-0216.md
@@ -0,0 +1,23 @@
+---
+platform: android
+title: Usage of Dependencies with Known Vulnerabilities
+id: MASTG-TEST-0216
+type: [static]
+weakness: MASWE-0076
+---
+
+## Overview
+
+In this test case... TBD
+
+## Steps
+
+1. Run a SCA analysis tool such as @MASTG-TOOL-0116 on the source code, or use a dynamic analysis tool like @MASTG-TOOL-XXXX, and look for uses of vulnerable dependencies.
+
+## Observation
+
+The output should contain...
+
+## Evaluation
+
+The test case fails if you can find...
diff --git a/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md
new file mode 100644
index 0000000000..b0c5973230
--- /dev/null
+++ b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md
@@ -0,0 +1,23 @@
+---
+platform: ios
+title: Usage of Dependencies with Known Vulnerabilities
+id: MASTG-TEST-0215
+type: [static]
+weakness: MASWE-0076
+---
+
+## Overview
+
+In this test case... TBD
+
+## Steps
+
+1. Run a SCA analysis tool such as @MASTG-TOOL-0116 on the source code, or use a dynamic analysis tool like @MASTG-TOOL-XXXX, and look for uses of vulnerable dependencies.
+
+## Observation
+
+The output should contain...
+
+## Evaluation
+
+The test case fails if you can find...
diff --git a/tools/generic/MASTG-TOOL-0116.md b/tools/generic/MASTG-TOOL-0116.md
new file mode 100644
index 0000000000..3013074662
--- /dev/null
+++ b/tools/generic/MASTG-TOOL-0116.md
@@ -0,0 +1,13 @@
+---
+title: dependency-check
+platform: generic
+source: https://github.com/jeremylong/DependencyCheck
+---
+
+[Dependency-Check](https://github.com/jeremylong/DependencyCheck) is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies.
+
+SCA tools will fail to scan an IPA or APK, as:
+
+- **Transformed format**: The libraries are no longer in their original format but are part of the app binaries compiled code format.
+- **Lack of metadata**: Information such as the library version or name is stripped or altered when building the mobile app.
+- **Hash mismatch**: The transformation of dependencies during the mobile app build process changes the file's hash, so tools that rely on matching file hashes (like @MASTG-TOOL-0116) won’t work after the transformation.
diff --git a/tools/generic/MASTG-TOOL-0117.md b/tools/generic/MASTG-TOOL-0117.md
new file mode 100644
index 0000000000..9e3a0d73f8
--- /dev/null
+++ b/tools/generic/MASTG-TOOL-0117.md
@@ -0,0 +1,7 @@
+---
+title: dependency-track
+platform: generic
+source: https://github.com/DependencyTrack/dependency-track
+---
+
+[Dependency-Track](https://github.com/DependencyTrack/dependency-track) is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track is leveraging the capabilities of Software Bill of Materials (SBOM).
diff --git a/tools/generic/MASTG-TOOL-0118.md b/tools/generic/MASTG-TOOL-0118.md
new file mode 100644
index 0000000000..104c92f391
--- /dev/null
+++ b/tools/generic/MASTG-TOOL-0118.md
@@ -0,0 +1,11 @@
+---
+title: vs-code
+platform: generic
+source: https://github.com/microsoft/vscode
+---
+
+[Visual Studio Code](https://github.com/microsoft/vscode) is a code editor that offers various plugins, that are useful for security tests, like:
+
+- [SARIF Viewer](https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer) - to work with and visualise SARIF files.
+- [Swift](https://marketplace.visualstudio.com/items?itemName=sswg.swift-lang) - for syntax support for the Swift programming language
+- [Kotlin](https://marketplace.visualstudio.com/items?itemName=mathiasfrohlich.Kotlin) - for syntax support for the Kotlin programming language
diff --git a/weaknesses/MASVS-CODE/MASWE-0076.md b/weaknesses/MASVS-CODE/MASWE-0076.md
index eb65f89c47..80ba992055 100644
--- a/weaknesses/MASVS-CODE/MASWE-0076.md
+++ b/weaknesses/MASVS-CODE/MASWE-0076.md
@@ -7,17 +7,32 @@ profiles: [L1, L2] mappings: masvs-v1: [MSTG-CODE-5] masvs-v2: [MASVS-CODE-3] +status: new +refs: +- https://developer.android.com/privacy-and-security/risks/insecure-library +--- -draft: - description: e.g. via dependency check and SBOM (software bill of materials) - topics: - - Frameworks on iOS - - Gradle dependencies on Android - - maven dependencies on Android - - cocoapods on iOS - - swift package manager on iOS - - carthage on iOS -status: draft +## Overview ---- +External or third-party libraries, SDK's or frameworks used by the app that contain security flaws that are publicly documented, usually through CVE's, are called "Dependencies with Known Vulnerabilities". + +## Impact + +Using dependencies with known vulnerabilities in mobile apps can result in various security risks, including but not limited to: + +- **Data Exposure**: Known vulnerabilities in dependencies can be exploited by attackers to gain unauthorized access to sensitive user data or app functionality. This can lead to data breaches, exposing private information like user credentials or personal data, which can have legal and financial consequences for the app owner and undermine user trust. +- **Compromise of System Integrity and Functionality**: Vulnerabilities in dependencies may allow attackers to compromise the app’s overall integrity, potentially introducing malicious behavior such as unauthorized code execution or privilege escalation. This can lead to account take-over or lead to app downtime. +- **Non-Compliance**: Using outdated or vulnerable dependencies can result in non-compliance with security standards and regulations. This can expose businesses to regulatory penalties and legal liabilities, especially in industries handling sensitive data like healthcare or finance. + +## Modes of Introduction + +Mobile apps rely heavily on dependencies. 
This can be "closed-source" dependencies through vendor products, or "open-source" dependencies that are maintained by the community. + +Dependencies can be implemented manually by adding them into the project and linking them, but are usually added through dependency managers that take care of the integration into the project's files. + +## Mitigations +- **Keep Dependencies Updated**: Regularly update dependencies to their latest secure versions to ensure that any known vulnerabilities are patched. +- **Regular Dependency Audits:**: Continuously scan and audit third-party libraries for vulnerabilities using Software Composition Analysis (SCA) tools in the CI/CD pipeline, like @MASTG-TOOL-0116. +- **Software Bill of Material (SBOM)**: Create a SBOM and manage the dependencies by using tools like @MASTG-TOOL-0117. +- **Remove Unused Dependencies**: Regularly review and remove any unused or unnecessary libraries to reduce the app’s attack surface. From 257bf9ea4be6e8204695618cc4dcd0575b29851a Mon Sep 17 00:00:00 2001 From: Sven Schleier Date: Sun, 20 Oct 2024 07:04:11 +0200 Subject: [PATCH 02/17] update tools and techniques --- .../ios/MASVS-CODE/MASTG-DEMO-0020/output.txt | 1 + demos/ios/MASVS-CODE/MASTG-DEMO-0020/run.sh | 2 + techniques/android/MASTG-TECH-0112.md | 29 ++++++++++++- techniques/ios/MASTG-TECH-0113.md | 41 +++++++++++++++++-- tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md | 10 +++-- tools/generic/MASTG-TOOL-0116.md | 5 ++- tools/generic/MASTG-TOOL-0117.md | 8 +++- tools/generic/MASTG-TOOL-0119.md | 9 ++++ 8 files changed, 94 insertions(+), 11 deletions(-) create mode 100644 tools/generic/MASTG-TOOL-0119.md diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output.txt b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output.txt index e69de29bb2..24a44c931b 100644 --- a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output.txt +++ b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output.txt 
@@ -0,0 +1 @@ +{"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json","version": "2.1.0","runs": [{"tool": {"driver": {"name": "dependency-check","version": "10.0.4","informationUri": "https://jeremylong.github.io/DependencyCheck/","rules": [{"id": "CVE-2020-9861","shortDescription": {"text": "high severity - CVE-2020-9861 Uncontrolled Recursion vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "A stack overflow issue existed in Swift for Linux. The issue was addressed with improved input validation for dealing with deeply nested malicious JSON input."},"help": {"text": "","markdown": "For more information see [CVE-2020-9861](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9861).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 5.0,"cvssv2_accessVector": "NETWORK","cvssv2_accessComplexity": "LOW","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "NONE","cvssv2_integrityImpact": "NONE","cvssv2_availabilityImpact": "PARTIAL","cvssv2_severity": "MEDIUM","cvssv3_baseScore": 7.5,"security-severity": "7.5","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "NONE","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "NONE","cvssv3_integrityImpact": "NONE","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "3.9","cvssv3_impactScore": "3.6","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2022-1642","shortDescription": {"text": "high 
severity - CVE-2022-1642 Incorrect Type Conversion or Cast vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. This vulnerability is caused by the interaction between a deserialization mechanism offered by the Swift standard library, the Codable protocol; and the JSONDecoder class offered by swift-corelibs-foundation, which can deserialize types that adopt the Codable protocol based on the content of a provided JSON document. When a type that adopts Codable requests the initialization of a field with an integer value, the JSONDecoder class uses a type-erased container with different accessor methods to attempt and coerce a corresponding JSON value and produce an integer. In the case the JSON value was a numeric literal with a floating-point portion, JSONDecoder used different type-eraser methods during validation than it did during the final casting of the value. The checked casting produces a deterministic crash due to this mismatch. The JSONDecoder class is often wrapped by popular Swift-based web frameworks to parse the body of HTTP requests and perform basic type validation. This makes the attack low-effort: sending a specifically crafted JSON document during a request to these endpoints will cause them to crash. The attack does not have any confidentiality or integrity risks in and of itself; the crash is produced deterministically by an abort function that ensures that execution does not continue in the face of this violation of assumptions. However, unexpected crashes can lead to violations of invariants in services, so it's possible that this attack can be used to trigger error conditions that escalate the risk. Producing a denial of service may also be the goal of an attacker in itself. This issue is solved in Swift 5.6.2 for Linux and Windows. 
This issue was solved by ensuring that the same methods are invoked both when validating and during casting, so that no type mismatch occurs. Swift for Linux and Windows versions are not ABI-interchangeable. To upgrade a service, its owner must update to this version of the Swift toolchain, then recompile and redeploy their software. The new version of Swift includes an updated swift-corelibs-foundation package. Versions of Swift running on Darwin-based operating systems are not affected."},"help": {"text": "","markdown": "For more information see [CVE-2022-1642](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1642).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 5.0,"cvssv2_accessVector": "NETWORK","cvssv2_accessComplexity": "LOW","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "NONE","cvssv2_integrityImpact": "NONE","cvssv2_availabilityImpact": "PARTIAL","cvssv2_severity": "MEDIUM","cvssv3_baseScore": 7.5,"security-severity": "7.5","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "NONE","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "NONE","cvssv3_integrityImpact": "NONE","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "3.9","cvssv3_impactScore": "3.6","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2022-3918","shortDescription": {"text": "high severity - CVE-2022-3918 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in 
pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "A program using FoundationNetworking in swift-corelibs-foundation is potentially vulnerable to CRLF ( ) injection in URLRequest headers. In this vulnerability, a client can insert one or several CRLF sequences into a URLRequest header value. When that request is sent via URLSession to an HTTP server, the server may interpret the content after the CRLF as extra headers, or even a second request. For example, consider a URLRequest to http:\/\/example.com\/ with the GET method. Suppose we set the URLRequest header \"Foo\" to the value \"Bar Extra-Header: Added GET \/other HTTP\/1.1\". When this request is sent, it will appear to the server as two requests: GET \/ HTTP\/1.1 Foo: Bar Extra-Header: Added GET \/other HTTP\/1.1 In this manner, the client is able to inject extra headers and craft an entirely new request to a separate path, despite only making one API call in URLSession. If a developer has total control over the request and its headers, this vulnerability may not pose a threat. However, this vulnerability escalates if un-sanitized user input is placed in header values. If so, a malicious user could inject new headers or requests to an intermediary or backend server. Developers should be especially careful to sanitize user input in this case, or upgrade their version of swift-corelibs-foundation to include the patch below."},"help": {"text": "","markdown": "For more information see [CVE-2022-3918](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3918).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. 
For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv3_baseScore": 8.8,"security-severity": "8.8","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "LOW","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "HIGH","cvssv3_integrityImpact": "HIGH","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "2.8","cvssv3_impactScore": "5.9","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2019-8790","shortDescription": {"text": "medium severity - CVE-2019-8790 Insecure Storage of Sensitive Information vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "This issue was addresses by updating incorrect URLSession file descriptors management logic to match Swift 5.0. This issue is fixed in Swift 5.1.1 for Ubuntu. Incorrect management of file descriptors in URLSession could lead to inadvertent data disclosure."},"help": {"text": "","markdown": "For more information see [CVE-2019-8790](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8790).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. 
For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 2.1,"cvssv2_accessVector": "LOCAL","cvssv2_accessComplexity": "LOW","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "PARTIAL","cvssv2_integrityImpact": "NONE","cvssv2_availabilityImpact": "NONE","cvssv2_severity": "LOW","cvssv3_baseScore": 5.5,"security-severity": "5.5","cvssv3_attackVector": "LOCAL","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "LOW","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "HIGH","cvssv3_integrityImpact": "NONE","cvssv3_availabilityImpact": "NONE","cvssv3_baseSeverity": "MEDIUM","cvssv3_exploitabilityScore": "1.8","cvssv3_impactScore": "3.6","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2018-4220","shortDescription": {"text": "high severity - CVE-2018-4220 Incorrect Permission Assignment for Critical Resource vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "An issue was discovered in certain Apple products. Swift before 4.1.1 Security Update 2018-001 is affected. The issue involves the \"Swift for Ubuntu\" component. It allows attackers to execute arbitrary code in a privileged context because write and execute permissions are enabled during library loading."},"help": {"text": "","markdown": "For more information see [CVE-2018-4220](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4220).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. 
For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 9.3,"cvssv2_accessVector": "NETWORK","cvssv2_accessComplexity": "MEDIUM","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "COMPLETE","cvssv2_integrityImpact": "COMPLETE","cvssv2_availabilityImpact": "COMPLETE","cvssv2_severity": "HIGH","cvssv3_baseScore": 8.8,"security-severity": "8.8","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "NONE","cvssv3_userInteraction": "REQUIRED","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "HIGH","cvssv3_integrityImpact": "HIGH","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "2.8","cvssv3_impactScore": "5.9","cvssv3_version": "_3_0","source": "NVD"}}],"properties": {"disclaimer": "Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.","nvd": "This product uses the NVD API but is not endorsed or certified by the NVD. 
This report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov","cisa": "This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog","npm": "This report may contain data retrieved from the the Github Advisory Database (via NPM Audit API): https://github.com/advisories/","retirejs": "This report may contain data retrieved from the RetireJS community: https://retirejs.github.io/retire.js/","ossindex": "This report may contain data retrieved from the Sonatype OSS Index: https://ossindex.sonatype.org","NVD API Last Checked": "2024-10-16T06:07:56+02","NVD API Last Modified": "2024-10-16T03:15:02Z"}}},"artifacts": [{"location": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved"},"properties": {"id1": "pkg:swift\/swift-nio@2.33.0","vid1": "cpe:2.3:a:apple:swift:2.33.0:*:*:*:*:*:*:*","vid2": "cpe:2.3:a:apple:swift_foundation:2.33.0:*:*:*:*:*:*:*"}}],"results": [ {"ruleId": "CVE-2018-4220","level": "warning","message": {"text": "CVE-2018-4220 - An issue was discovered in certain Apple products. Swift before 4.1.1 Security Update 2018-001 is affected. The issue involves the \"Swift for Ubuntu\" component. 
It allows attackers to execute arbitrary code in a privileged context because write and execute permissions are enabled during library loading."},"partialFingerprints": {"vulnerabilityHash": "3f758c43ed8a0566a7f3f5f4f46bae5f"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2022-3918","level": "warning","message": {"text": "CVE-2022-3918 - A program using FoundationNetworking in swift-corelibs-foundation is potentially vulnerable to CRLF ( ) injection in URLRequest headers. In this vulnerability, a client can insert one or several CRLF sequences into a URLRequest header value. When that request is sent via URLSession to an HTTP server, the server may interpret the content after the CRLF as extra headers, or even a second request. For example, consider a URLRequest to http:\/\/example.com\/ with the GET method. Suppose we set the URLRequest header \"Foo\" to the value \"Bar Extra-Header: Added GET \/other HTTP\/1.1\". When this request is sent, it will appear to the server as two requests: GET \/ HTTP\/1.1 Foo: Bar Extra-Header: Added GET \/other HTTP\/1.1 In this manner, the client is able to inject extra headers and craft an entirely new request to a separate path, despite only making one API call in URLSession. If a developer has total control over the request and its headers, this vulnerability may not pose a threat. However, this vulnerability escalates if un-sanitized user input is placed in header values. If so, a malicious user could inject new headers or requests to an intermediary or backend server. 
Developers should be especially careful to sanitize user input in this case, or upgrade their version of swift-corelibs-foundation to include the patch below."},"partialFingerprints": {"vulnerabilityHash": "6ea52063e689446a344d211c519a3556"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2020-9861","level": "warning","message": {"text": "CVE-2020-9861 - A stack overflow issue existed in Swift for Linux. The issue was addressed with improved input validation for dealing with deeply nested malicious JSON input."},"partialFingerprints": {"vulnerabilityHash": "ad32e387d304c49cc53ee1feabc845c8"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2022-1642","level": "warning","message": {"text": "CVE-2022-1642 - A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. This vulnerability is caused by the interaction between a deserialization mechanism offered by the Swift standard library, the Codable protocol; and the JSONDecoder class offered by swift-corelibs-foundation, which can deserialize types that adopt the Codable protocol based on the content of a provided JSON document. 
When a type that adopts Codable requests the initialization of a field with an integer value, the JSONDecoder class uses a type-erased container with different accessor methods to attempt and coerce a corresponding JSON value and produce an integer. In the case the JSON value was a numeric literal with a floating-point portion, JSONDecoder used different type-eraser methods during validation than it did during the final casting of the value. The checked casting produces a deterministic crash due to this mismatch. The JSONDecoder class is often wrapped by popular Swift-based web frameworks to parse the body of HTTP requests and perform basic type validation. This makes the attack low-effort: sending a specifically crafted JSON document during a request to these endpoints will cause them to crash. The attack does not have any confidentiality or integrity risks in and of itself; the crash is produced deterministically by an abort function that ensures that execution does not continue in the face of this violation of assumptions. However, unexpected crashes can lead to violations of invariants in services, so it's possible that this attack can be used to trigger error conditions that escalate the risk. Producing a denial of service may also be the goal of an attacker in itself. This issue is solved in Swift 5.6.2 for Linux and Windows. This issue was solved by ensuring that the same methods are invoked both when validating and during casting, so that no type mismatch occurs. Swift for Linux and Windows versions are not ABI-interchangeable. To upgrade a service, its owner must update to this version of the Swift toolchain, then recompile and redeploy their software. The new version of Swift includes an updated swift-corelibs-foundation package. 
Versions of Swift running on Darwin-based operating systems are not affected."},"partialFingerprints": {"vulnerabilityHash": "50e80d7087d1cf08bbc18924970c6f6a"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2019-8790","level": "warning","message": {"text": "CVE-2019-8790 - This issue was addresses by updating incorrect URLSession file descriptors management logic to match Swift 5.0. This issue is fixed in Swift 5.1.1 for Ubuntu. Incorrect management of file descriptors in URLSession could lead to inadvertent data disclosure."},"partialFingerprints": {"vulnerabilityHash": "f59a361684f99f0204c2ab5c2a16daf7"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}]}]} \ No newline at end of file diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/run.sh b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/run.sh index e69de29bb2..5dfadd4bca 100644 --- a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/run.sh +++ b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/run.sh @@ -0,0 +1,2 @@ +$NVD_API_KEY="YOUR_NVD_API" +dependency-check --enableExperimental -f SARIF --nvdApiKey $NVD_API_KEY -s Package.resolved \ No newline at end of file diff --git a/techniques/android/MASTG-TECH-0112.md b/techniques/android/MASTG-TECH-0112.md index 5b8def2a3f..8445b17643 100644 --- a/techniques/android/MASTG-TECH-0112.md +++ b/techniques/android/MASTG-TECH-0112.md 
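Review bot: The first added line of run.sh, `$NVD_API_KEY="YOUR_NVD_API"`, is not a shell assignment. The leading `$` makes the shell expand the unset variable and try to run `=YOUR_NVD_API` as a command, so the variable is never set. On the second line the unquoted, empty `$NVD_API_KEY` then leaves `--nvdApiKey` followed directly by `-s`, so the scan receives no key. I would drop the `$` and quote the expansion: `NVD_API_KEY="YOUR_NVD_API"` and `dependency-check --enableExperimental -f SARIF --nvdApiKey "$NVD_API_KEY" -s Package.resolved`. Because the script is committed as a demo, taking the key from the caller's environment instead of assigning it in the file would also keep a real key out of the repository.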
@@ -10,6 +10,33 @@ For Android both popular build automation tools, are also dependency managers: Gradle is the default build automation tool in Android Studio and this technique will focus on it. +## Scanning through SBOM + +@MASTG-TOOL-0119 can be used to create a so called Software Bill of Material (SBOM) in the CycloneDX format. Navigate to the root directory of the Android Studio project you want to scan and execute the following command: + +```bash +$ cdxgen -t java -o sbom.json +``` + +The created SBOM file need to be Base64 encoded and can then be uploaded to @MASTG-TOOL-0117 for analysis: + +```bash +$ cat sbom.json | base64 +$ curl -X "PUT" "http://localhost:8081/api/v1/bom" \ + -H 'Content-Type: application/json' \ + -H 'X-API-Key: >' \ + -d $'{ + "project": "", + "bom": "" + }' +``` + +Go to frontend of dependency-check, which is , if you are using the default settings of the dependency-track docker container. Open the project you uploaded the SBOM to and you can verify if there are any vulnerable dependencies. + +> Note: Transitive dependencies are supported by @MASTG-TOOL-0117 for [Java and Kotlin](https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES). + +## Scanning through build environment + Tools like @MASTG-TOOL-0116 can be integrated into the build environments, where they can inspect the build configuration files or the actual `.jar` files and their metadata, such as the version, to identify dependencies. Once identified such tools will identify known vulnerabilities in the dependencies by comparing them to a vulnerability database (like the National Vulnerability Database, NVD). In order to test for dependencies with known vulnerabilities, we need to integrate the @MASTG-TOOL-0116 plugin into the Android project via Gradle. The dependencies of the Android project are located in the following directory `~/.gradle/caches/modules-2/files-2.1`, and not in the Android Project directory. 
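Review bot: The sentence `Go to frontend of dependency-check, ...` in the new "Scanning through SBOM" section names the wrong tool. The SBOM is uploaded to @MASTG-TOOL-0117 (Dependency-Track) and the same sentence mentions the dependency-track docker container, so it should read `Go to the frontend of Dependency-Track`. The note on transitive dependencies credits @MASTG-TOOL-0117 but links to the cdxgen project types page, which suggests @MASTG-TOOL-0119 is meant; worth confirming. Both sentences reappear in the SwiftPM section added to techniques/ios/MASTG-TECH-0113.md. Separately, `cat sbom.json | base64` wraps its output on GNU coreutils, which would break the JSON string in the `bom` field, so a remark to produce unwrapped output (`base64 -w 0` there) would help.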
@@ -47,4 +74,4 @@ BUILD SUCCESSFUL in 6s
 1 actionable task: 1 executed
 ```
 
-The report was generated in 3 different formats (HTML, JSON and XML) and can be found in the project directory in `app/build/reports`.
+The report was generated in 3 different formats (HTML, JSON and XML) and can be found in the project directory in `app/build/reports`.
\ No newline at end of file
diff --git a/techniques/ios/MASTG-TECH-0113.md b/techniques/ios/MASTG-TECH-0113.md
index 97f7082e92..4afca31d2f 100644
--- a/techniques/ios/MASTG-TECH-0113.md
+++ b/techniques/ios/MASTG-TECH-0113.md
@@ -9,15 +9,48 @@ iOS has several dependency managers, where the most popular are: - [CocoaPods](https://github.com/CocoaPods/CocoaPods) and - [SwiftPM](https://github.com/swiftlang/swift-package-manager) (Swift Package Manager) -The dependencies will be integrated into the project during the build and compiled into the IPA, therefore we cannot scan the IPA file. Instead, tools like @MASTG-TOOL-0116 can be used to scan the files created by the dependency managers, which list the dependencies and their versions built into the iOS app. Once identified such tools will identify known vulnerabilities in the dependencies by comparing them to a vulnerability database (like the National Vulnerability Database, NVD). +The dependencies will be integrated into the project during the build and compiled into the IPA, therefore we cannot scan the IPA file. -In order to test for dependencies with known vulnerabilities, we need to retrieve the corresponding file of the dependency manager used: +Depending on the Package Manager used, you have different options to execute a scan. Keep in mind that developers may use more than one dependency manager and you might need to execute therefore more than one scan. + +## SwiftPM + +@MASTG-TOOL-0119 can be used to create a so called Software Bill of Material (SBOM) in the CycloneDX format. Navigate to the root directory of the Xcode project you want to scan and execute the following command: + +```bash +$ cdxgen -o sbom.json +``` + +The created SBOM file need to be Base64 encoded and can then be uploaded to @MASTG-TOOL-0117 for analysis: + +```bash +$ cat sbom.json | base64 +$ curl -X "PUT" "http://localhost:8081/api/v1/bom" \ + -H 'Content-Type: application/json' \ + -H 'X-API-Key: >' \ + -d $'{ + "project": "", + "bom": "" + }' +``` + +Go to frontend of dependency-check, which is , if you are using the default settings of the dependency-track docker container. 
Open the project you uploaded the SBOM to and you can verify if there are any vulnerable dependencies. + +> Note: Transitive dependencies are not supported by @MASTG-TOOL-0117 for [SwiftPM](https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES). + +## Carthage, CocoaPods and SwiftPM + +Tools like @MASTG-TOOL-0116 can be used to scan the files created by all 3 dependency managers, which list the dependencies and their versions built into the iOS app. Once identified such tools will identify known vulnerabilities in the dependencies by comparing them to a vulnerability database (like the National Vulnerability Database, NVD). + +> Note that @MASTG-TOOL-0116 does support [Carthage](https://jeremylong.github.io/DependencyCheck/analyzers/carthage.html), [CocoaPods](https://jeremylong.github.io/DependencyCheck/analyzers/cocoapods.html) and [SwiftPM](https://jeremylong.github.io/DependencyCheck/analyzers/swift.html), but the analyzers are considered experimental. While this analyzer may be useful and provide valid results more testing must be completed to ensure that the false negative/false positive rates are acceptable. + +In order to test with @MASTG-TOOL-0116 for dependencies with known vulnerabilities, we need to retrieve the corresponding file of the dependency manager used: - For Carthage it is the file `Cartfile.resolved`. - For CocoaPods it is the file `*.podspec` or `Podfile.lock` - For SwiftPM it is the file `Package.swift` or `Package.resolved` -When scanning with @MASTG-TOOL-0116 it is sufficient to scan the file of the dependency manager that is used. +When scanning with @MASTG-TOOL-0116 it is sufficient to scan the file created by the dependency manager. Before we can run the scan, you will need to obtain an API key for NVD, which is used to retrieve the latest CVE information. The API Key to access the NVD API can be requested from . 
@@ -28,3 +61,5 @@ $ dependency-check --enableExperimental -f SARIF --nvdApiKey -s P ``` The output will be a SARIF file, which can be viewed in @MASTG-TOOL-0118 by using the Sarif Viewer Plugin. If any known vulnerabilities were identified, it will list them and their CVE number and description. + +When scanning for CocoaPods or Carthage you can re-use the same command, but scanning the corresponding file of the dependency manager instead. diff --git a/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md index b0c5973230..cb69d44440 100644 --- a/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md +++ b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md @@ -8,16 +8,18 @@ weakness: MASWE-0076 ## Overview -In this test case... TBD +In this test case we are identifying dependencies with known vulnerabilities in iOS. Dependencies are integrated through dependency managers, and there might be one or more of them being used. We therefore need all of the relevant files created by them to analyse them with a SCA scanning tool. ## Steps -1. Run a SCA analysis tool such as @MASTG-TOOL-0116 on the source code, or use a dynamic analysis tool like @MASTG-TOOL-XXXX, and look for uses of vulnerable dependencies. +1. In order to do this in the most efficient way you would need to ask the developer(s) which dependency managers are being used and to share the relevant file(s) created by them. Follow @MASTG-TECH-0113 for on overview of the package managers, relevant files you can request for and how to use @MASTG-TOOL-0116. + +2. Run a SCA analysis tool such as @MASTG-TOOL-0116 against the file(s) created by the dependency manager(s) and look for the use of vulnerable dependencies. ## Observation -The output should contain... +The output should include the dependency, the CVE identifiers and ## Evaluation -The test case fails if you can find... +The test case fails if you can find dependencies with known vulnerabilities. 
diff --git a/tools/generic/MASTG-TOOL-0116.md b/tools/generic/MASTG-TOOL-0116.md index 3013074662..11ca09a4be 100644 --- a/tools/generic/MASTG-TOOL-0116.md +++ b/tools/generic/MASTG-TOOL-0116.md @@ -6,8 +6,9 @@ source: https://github.com/jeremylong/DependencyCheck [Dependency-Check](https://github.com/jeremylong/DependencyCheck) is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project's dependencies. -SCA tools will fail to scan an IPA or APK, as: +Limitations for SCA tools are, that they will usually fail to scan an IPA or APK, due to 2 main reasons: - **Transformed format**: The libraries are no longer in their original format but are part of the app binaries compiled code format. - **Lack of metadata**: Information such as the library version or name is stripped or altered when building the mobile app. -- **Hash mismatch**: The transformation of dependencies during the mobile app build process changes the file's hash, so tools that rely on matching file hashes (like @MASTG-TOOL-0116) won’t work after the transformation. + +Therefore usually the files generated by dependency managers are scanned, that list the dependencies used in an app. diff --git a/tools/generic/MASTG-TOOL-0117.md b/tools/generic/MASTG-TOOL-0117.md index 9e3a0d73f8..44b7dcea33 100644 --- a/tools/generic/MASTG-TOOL-0117.md +++ b/tools/generic/MASTG-TOOL-0117.md 
@@ -4,4 +4,10 @@ platform: generic source: https://github.com/DependencyTrack/dependency-track --- -[Dependency-Track](https://github.com/DependencyTrack/dependency-track) is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Dependency-Track is leveraging the capabilities of Software Bill of Materials (SBOM). +[Dependency-Track](https://github.com/DependencyTrack/dependency-track) is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. + +You can install Dependency-Track by using [docker](https://docs.dependencytrack.org/getting-started/deploy-docker/). The default credentials can be found in the [initial setup](https://docs.dependencytrack.org/getting-started/initial-startup/). + +Dependency-Track relies on Software Bill of Materials (SBOM) for identifying vulnerable dependencies, which can be generated through @MASTG-TOOL-0119 and uploaded via [API](https://docs.dependencytrack.org/usage/cicd/). + +To use the REST API you need to create an [API Key](https://docs.dependencytrack.org/integrations/rest-api/) and a project where the SBOM is uploaded to. diff --git a/tools/generic/MASTG-TOOL-0119.md b/tools/generic/MASTG-TOOL-0119.md new file mode 100644 index 0000000000..216f1829f3 --- /dev/null +++ b/tools/generic/MASTG-TOOL-0119.md @@ -0,0 +1,9 @@ +--- +title: cdxgen +platform: generic +source: https://github.com/CycloneDX/cdxgen +--- + +[cdxgen](https://cyclonedx.github.io/cdxgen/) can generate Software Bill of Materials (SBOM) for most applications and container images with a single command. It supports SwiftPM for iOS and Maven for Android. Also the creation of an SBOM out of an APK or AAB for Android is possible. + +The generated SBOM can then be submitted to @MASTG-TOOL-0117 for analysis. From 2f5b291c39ffb0fd8ba230f40b2d7c1a8ef9915f Mon Sep 17 00:00:00 2001 
From: Sven Schleier Date: Sun, 20 Oct 2024 07:10:45 +0200 Subject: [PATCH 03/17] added code highlighting for markdown --- techniques/android/MASTG-TECH-0112.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/techniques/android/MASTG-TECH-0112.md b/techniques/android/MASTG-TECH-0112.md index 8445b17643..a8be53ed0e 100644 --- a/techniques/android/MASTG-TECH-0112.md +++ b/techniques/android/MASTG-TECH-0112.md @@ -47,7 +47,7 @@ Before we can run the scan, you will need to obtain an API key for NVD, which is In the `build.gradle` of `Module: app` (not the project `build.gradle` file), add the `dependencycheck` dependency in the latest version and the `dependencyCheck` configuration: -```json +```groovy plugins { ... id("org.owasp.dependencycheck") version "10.0.4" // This is the latest version at the time of writing, please update accordingly From 2b3b0da758ccc8db9ea4fe3def6726da28186684 Mon Sep 17 00:00:00 2001 From: Sven Schleier Date: Sun, 20 Oct 2024 08:08:20 +0200 Subject: [PATCH 04/17] added tests --- .../android/MASVS-CODE/MASTG-TEST-0216.md | 10 ++++---- .../android/MASVS-CODE/MASTG-TEST-0218.md | 25 +++++++++++++++++++ tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md | 6 ++--- tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md | 25 +++++++++++++++++++ 4 files changed, 58 insertions(+), 8 deletions(-) create mode 100644 tests-beta/android/MASVS-CODE/MASTG-TEST-0218.md create mode 100644 tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEST-0216.md b/tests-beta/android/MASVS-CODE/MASTG-TEST-0216.md index 4eee737898..4cbc9834b2 100644 --- a/tests-beta/android/MASVS-CODE/MASTG-TEST-0216.md +++ b/tests-beta/android/MASVS-CODE/MASTG-TEST-0216.md @@ -1,6 +1,6 @@ --- platform: android -title: Usage of Dependencies with Known Vulnerabilities +title: Identify Dependencies with Known Vulnerabilities in the Android Project id: MASTG-TEST-0216 type: [static] weakness: MASWE-0076 
@@ -8,16 +8,16 @@ weakness: MASWE-0076 ## Overview -In this test case... TBD +In this test case we will identify dependencies in Android Studio and scan them with @MASTG-TOOL-0116. ## Steps -1. Run a SCA analysis tool such as @MASTG-TOOL-0116 on the source code, or use a dynamic analysis tool like @MASTG-TOOL-XXXX, and look for uses of vulnerable dependencies. +1. Follow @MASTG-TECH-0112 and execute a scan through the build environment of Android Studio by using Gradle. ## Observation -The output should contain... +The output should include the dependency and the CVE identifiers for any dependency with known vulnerabilities. ## Evaluation -The test case fails if you can find... +The test case fails if you can find dependencies with known vulnerabilities. diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEST-0218.md b/tests-beta/android/MASVS-CODE/MASTG-TEST-0218.md new file mode 100644 index 0000000000..8a981b3681 --- /dev/null +++ b/tests-beta/android/MASVS-CODE/MASTG-TEST-0218.md @@ -0,0 +1,25 @@ +--- +platform: android +title: Identify Dependencies with Known Vulnerabilities through usage of SBOM +id: MASTG-TEST-0218 +type: [static] +weakness: MASWE-0076 +--- + +## Overview + +In this test case we are identifying dependencies with known vulnerabilities by relying on a Software Bill of Material (SBOM). + +## Steps + +1. Either ask the development team to share a SBOM in CycloneDX format, or create one by yourself and follow @MASTG-TECH-0112. + +2. Open @MASTG-TOOL-0117 and inspect the project where the SBOM was uploaded for the use of vulnerable dependencies. + +## Observation + +The output should include the dependency and the CVE identifiers for any dependency with known vulnerabilities. + +## Evaluation + +The test case fails if you can find dependencies with known vulnerabilities. diff --git a/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md index cb69d44440..c68b99fa74 100644 
--- a/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md +++ b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md @@ -1,6 +1,6 @@ --- platform: ios -title: Usage of Dependencies with Known Vulnerabilities +title: Identify Dependencies with Known Vulnerabilities by Scanning Dependency Managers Artifacts id: MASTG-TEST-0215 type: [static] weakness: MASWE-0076 @@ -12,13 +12,13 @@ In this test case we are identifying dependencies with known vulnerabilities in ## Steps -1. In order to do this in the most efficient way you would need to ask the developer(s) which dependency managers are being used and to share the relevant file(s) created by them. Follow @MASTG-TECH-0113 for on overview of the package managers, relevant files you can request for and how to use @MASTG-TOOL-0116. +1. In order to do this in the most efficient way you would need to ask the developer(s) which dependency managers are being used and to share the relevant file(s) created by them. Follow @MASTG-TECH-0113 for on overview of the package managers and request for the relevant files. 2. Run a SCA analysis tool such as @MASTG-TOOL-0116 against the file(s) created by the dependency manager(s) and look for the use of vulnerable dependencies. ## Observation -The output should include the dependency, the CVE identifiers and +The output should include the dependency and the CVE identifiers for any dependency with known vulnerabilities. ## Evaluation diff --git a/tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md new file mode 100644 index 0000000000..0984decc72 --- /dev/null +++ b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md 
@@ -0,0 +1,25 @@ +--- +platform: ios +title: Identify SwiftPM Dependencies with Known Vulnerabilities through usage of SBOM +id: MASTG-TEST-0217 +type: [static] +weakness: MASWE-0076 +--- + +## Overview + +In this test case we are identifying SwiftPM dependencies with known vulnerabilities by relying on a Software Bill of Material (SBOM). + +## Steps + +1. Either ask the development team to share a SBOM in CycloneDX format, or create one by yourself and follow @MASTG-TECH-0113. + +2. Open @MASTG-TOOL-0117 and inspect the project where the SBOM was uploaded for the use of vulnerable dependencies. + +## Observation + +The output should include the dependency and the CVE identifiers for any dependency with known vulnerabilities. + +## Evaluation + +The test case fails if you can find dependencies with known vulnerabilities. From 640a96d2ef8dffa2b3220d9326532b5d960bc186 Mon Sep 17 00:00:00 2001 
From: Sven Schleier Date: Sun, 20 Oct 2024 19:47:25 +0200 Subject: [PATCH 05/17] added demos --- .../MASTG-DEMO-0021/MASTG-DEMO-0021.md | 18 +- .../MASTG-DEMO-0021/build.gradle.kts | 84 +++++ .../MASVS-CODE/MASTG-DEMO-0021/output.txt | 312 ++++++++++++++++++ .../android/MASVS-CODE/MASTG-DEMO-0021/run.sh | 1 + .../MASTG-DEMO-0022/MASTG-DEMO-022.md | 24 ++ .../MASVS-CODE/MASTG-DEMO-0022/output.txt | 1 + .../android/MASVS-CODE/MASTG-DEMO-0022/run.sh | 1 + .../MASTG-DEMO-0020/MASTG-DEMO-0020.md | 18 +- .../MASTG-DEMO-0020/output copy.sarif | 1 + .../MASTG-DEMO-0023/MASTG-DEMO-0023.md | 24 ++ .../ios/MASVS-CODE/MASTG-DEMO-0023/output.txt | 1 + demos/ios/MASVS-CODE/MASTG-DEMO-0023/run.sh | 1 + 12 files changed, 460 insertions(+), 26 deletions(-) create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0021/build.gradle.kts create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0022/output.txt create mode 100644 demos/android/MASVS-CODE/MASTG-DEMO-0022/run.sh create mode 100644 demos/ios/MASVS-CODE/MASTG-DEMO-0020/output copy.sarif create mode 100644 demos/ios/MASVS-CODE/MASTG-DEMO-0023/MASTG-DEMO-0023.md create mode 100644 demos/ios/MASVS-CODE/MASTG-DEMO-0023/output.txt create mode 100644 demos/ios/MASVS-CODE/MASTG-DEMO-0023/run.sh diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0021/MASTG-DEMO-0021.md b/demos/android/MASVS-CODE/MASTG-DEMO-0021/MASTG-DEMO-0021.md index c4cc5cc9f6..34b9214240 100644 --- a/demos/android/MASVS-CODE/MASTG-DEMO-0021/MASTG-DEMO-0021.md +++ b/demos/android/MASVS-CODE/MASTG-DEMO-0021/MASTG-DEMO-0021.md @@ -1,6 +1,6 @@ --- platform: android -title: Usage of Insecure Android Dependencies +title: Identifying Insecure Dependencies in Android Studio id: MASTG-DEMO-0021 code: [java] test: MASTG-TEST-0216 
@@ -8,28 +8,20 @@ test: MASTG-TEST-0216 ### Sample -{{ MastgTest.kt # MastgTest_reversed.java }} +{{ build.gradle.kts # build.gradle.kts }} ### Steps -Let's run our @MASTG-TOOL-0116 rule against the sample code. - -{{ ../../../../rules/mastg-android-insecure-random-use.yml }} +Execute `gradle` in Android Studio to trigger @MASTG-TOOL-0116. {{ run.sh }} ### Observation -The rule has identified XXX instances in the code file where an insecure random number generator is used. The specified line numbers can be located in the original code for further investigation and remediation. +The scan has identified 262 unique dependencies with 35 vulnerable dependencies and 83 vulnerabilities (as more vulnerabilities might be found over time this number might increase). {{ output.txt }} ### Evaluation -Review each of the reported instances. - -- Line 12 seems to be used to generate random numbers for security purposes, in this case for generating authentication tokens. -- Line 17 is part of the function `get_random`. Review any calls to this function to ensure that the random number is not used in a security-relevant context. -- Line 27 is part of the password generation function which is a security-critical operation. - -Note that line 37 did not trigger the rule because the random number is generated using `SecureRandom` which is a secure random number generator. +Due to the number of vulnerabilities, the `dependency-check` report can be lengthy and can contain false positives. Review each of the reported instances. The dependency `okhttp-4.8.0.jar` added in the `build.gradle.kts` has known vulnerabilities and should be updated to the latest version. diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0021/build.gradle.kts b/demos/android/MASVS-CODE/MASTG-DEMO-0021/build.gradle.kts new file mode 100644 index 0000000000..6353605690 --- /dev/null +++ b/demos/android/MASVS-CODE/MASTG-DEMO-0021/build.gradle.kts 
@@ -0,0 +1,84 @@ +plugins { + id("com.android.application") + id("org.jetbrains.kotlin.android") + id("org.owasp.dependencycheck") version "10.0.4" // dependencyCheck Plugin +} + +// dependencyCheck Configuration +dependencyCheck { + + formats = listOf("HTML", "XML", "JSON") // Generate reports in HTML, JSON and XML format + nvd { + apiKey = "" // Set the NVD API key + delay = 16000 + } + +} + +android { + namespace = "org.owasp.mastestapp" + compileSdk = 34 + + defaultConfig { + applicationId = "org.owasp.mastestapp" + minSdk = 29 + targetSdk = 34 + versionCode = 1 + versionName = "1.0" + + testInstrumentationRunner = "androidx.test.runner.AndroidJUnitRunner" + vectorDrawables { + useSupportLibrary = true + } + } + + buildTypes { + release { + isMinifyEnabled = false + proguardFiles( + getDefaultProguardFile("proguard-android-optimize.txt"), + "proguard-rules.pro" + ) + } + } + compileOptions { + sourceCompatibility = JavaVersion.VERSION_1_8 + targetCompatibility = JavaVersion.VERSION_1_8 + } + kotlinOptions { + jvmTarget = "1.8" + } + buildFeatures { + compose = true + } + composeOptions { + kotlinCompilerExtensionVersion = "1.5.1" + } + packaging { + resources { + excludes += "/META-INF/{AL2.0,LGPL2.1}" + } + } +} + +dependencies { + + implementation("androidx.core:core-ktx:1.12.0") + implementation("androidx.lifecycle:lifecycle-runtime-ktx:2.7.0") + implementation("androidx.activity:activity-compose:1.8.2") + implementation(platform("androidx.compose:compose-bom:2024.04.00")) + implementation("androidx.compose.ui:ui") + implementation("androidx.compose.ui:ui-graphics") + implementation("androidx.compose.ui:ui-tooling-preview") + implementation("androidx.compose.material3:material3") + testImplementation("junit:junit:4.13.2") + androidTestImplementation("androidx.test.ext:junit:1.1.5") + androidTestImplementation("androidx.test.espresso:espresso-core:3.5.1") + androidTestImplementation(platform("androidx.compose:compose-bom:2024.04.00")) + 
androidTestImplementation("androidx.compose.ui:ui-test-junit4") + debugImplementation("androidx.compose.ui:ui-tooling") + debugImplementation("androidx.compose.ui:ui-test-manifest") + implementation("org.jetbrains.kotlin:kotlin-reflect:1.9.10") + implementation ("com.squareup.okhttp3:okhttp:4.8.0") // vulnerable library + +} \ No newline at end of file diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0021/output.txt b/demos/android/MASVS-CODE/MASTG-DEMO-0021/output.txt index e69de29bb2..566a57ac0f 100644 --- a/demos/android/MASVS-CODE/MASTG-DEMO-0021/output.txt +++ b/demos/android/MASVS-CODE/MASTG-DEMO-0021/output.txt 
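Review bot: The `nvd { apiKey = "" }` line in the `dependencyCheck` block invites readers to paste their NVD API key into a build file that is normally committed. Reading it from the environment keeps the secret out of version control, e.g. `apiKey = System.getenv("NVD_API_KEY") ?: ""`, with the comment changed to `// NVD API key, taken from the NVD_API_KEY environment variable`. The block also sets no failure threshold, so a build with findings still succeeds. If the demo is meant as a template, a comment pointing at the plugin's `failBuildOnCVSS` setting would be useful.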
@@ -0,0 +1,312 @@ +... +[redacted for readability] +... + { + "isVirtual": false, + "fileName": "okhttp-4.8.0.jar", + "filePath": "\/Users\/sushi2k\/.gradle\/caches\/modules-2\/files-2.1\/com.squareup.okhttp3\/okhttp\/4.8.0\/5c34a8c35bb3fd5ec39d3a67ceae691d0f3eb455\/okhttp-4.8.0.jar", + "md5": "5132d18a9ed0b5eb9a6137885959bcb5", + "sha1": "5c34a8c35bb3fd5ec39d3a67ceae691d0f3eb455", + "sha256": "04d68254c5216d059504d97e2cf2f8ba7922453059701a5adc65652809dd1599", + "projectReferences": [ + "app:debugCompileClasspath", + "app:implementationDependenciesMetadata", + "app:releaseCompileClasspath", + "app:releaseRuntimeClasspath", + "app:debugRuntimeClasspath" + ], + "includedBy": [ + { + "reference": "pkg:maven\/MASTestApp\/app@unspecified" + }, + { + "reference": "pkg:maven\/MASTestApp\/app@unspecified" + }, + { + "reference": "pkg:maven\/MASTestApp\/app@unspecified" + }, + { + "reference": "pkg:maven\/MASTestApp\/app@unspecified" + }, + { + "reference": "pkg:maven\/MASTestApp\/app@unspecified" + } + ], + "evidenceCollected": { + "vendorEvidence": [ + { + "type": "vendor", + "confidence": "HIGH", + "source": "file", + "name": "name", + "value": "okhttp" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "gradle", + "name": "artifactid", + "value": "okhttp" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "gradle", + "name": "groupid", + "value": "com.squareup.okhttp3" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "jar", + "name": "package name", + "value": "internal" + }, + { + "type": "vendor", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "okhttp3" + }, + { + "type": "vendor", + "confidence": "LOW", + "source": "jar", + "name": "package name", + "value": "okhttp3" + }, + { + "type": "vendor", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "automatic-module-name", + "value": "okhttp3" + } + ], + "productEvidence": [ + { + "type": "product", + "confidence": "HIGH", + 
"source": "file", + "name": "name", + "value": "okhttp" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "gradle", + "name": "artifactid", + "value": "okhttp" + }, + { + "type": "product", + "confidence": "LOW", + "source": "jar", + "name": "package name", + "value": "internal" + }, + { + "type": "product", + "confidence": "HIGHEST", + "source": "jar", + "name": "package name", + "value": "okhttp3" + }, + { + "type": "product", + "confidence": "MEDIUM", + "source": "Manifest", + "name": "automatic-module-name", + "value": "okhttp3" + } + ], + "versionEvidence": [ + { + "type": "version", + "confidence": "MEDIUM", + "source": "file", + "name": "name", + "value": "okhttp" + }, + { + "type": "version", + "confidence": "HIGH", + "source": "file", + "name": "version", + "value": "4.8.0" + }, + { + "type": "version", + "confidence": "HIGHEST", + "source": "gradle", + "name": "version", + "value": "4.8.0" + } + ] + }, + "packages": [ + { + "id": "pkg:maven\/com.squareup.okhttp3\/okhttp@4.8.0", + "confidence": "HIGHEST", + "url": "https:\/\/ossindex.sonatype.org\/component\/pkg:maven\/com.squareup.okhttp3\/okhttp@4.8.0?utm_source=dependency-check&utm_medium=integration&utm_content=10.0.4" + } + ], + "vulnerabilityIds": [ + { + "id": "cpe:2.3:a:squareup:okhttp:4.8.0:*:*:*:*:*:*:*", + "confidence": "LOW" + }, + { + "id": "cpe:2.3:a:squareup:okhttp3:4.8.0:*:*:*:*:*:*:*", + "confidence": "LOW" + } + ], + "vulnerabilities": [ + { + "source": "OSSINDEX", + "name": "CVE-2021-0341", + "severity": "HIGH", + "cvssv3": { + "baseScore": 7.5, + "attackVector": "NETWORK", + "attackComplexity": "LOW", + "privilegesRequired": "NONE", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseSeverity": "HIGH", + "version": "3.1" + }, + "cwes": [ + "CWE-295" + ], + "description": "In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate 
for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069", + "notes": "", + "references": [ + { + "source": "OSSINDEX", + "url": "https:\/\/ossindex.sonatype.org\/vulnerability\/CVE-2021-0341?component-type=maven&component-name=com.squareup.okhttp3%2Fokhttp&utm_source=dependency-check&utm_medium=integration&utm_content=10.0.4", + "name": "[CVE-2021-0341] CWE-295: Improper Certificate Validation" + }, + { + "source": "OSSIndex", + "url": "https:\/\/source.android.com\/security\/bulletin\/2021-02-01#android-runtime", + "name": "https:\/\/source.android.com\/security\/bulletin\/2021-02-01#android-runtime" + }, + { + "source": "OSSIndex", + "url": "http:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2021-0341", + "name": "http:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2021-0341" + }, + { + "source": "OSSIndex", + "url": "https:\/\/github.com\/square\/okhttp\/pull\/6353", + "name": "https:\/\/github.com\/square\/okhttp\/pull\/6353" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:com.squareup.okhttp3:okhttp:4.8.0:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true" + } + } + ] + }, + { + "source": "NVD", + "name": "CVE-2023-0833", + "severity": "MEDIUM", + "cvssv3": { + "baseScore": 5.5, + "attackVector": "LOCAL", + "attackComplexity": "LOW", + "privilegesRequired": "LOW", + "userInteraction": "NONE", + "scope": "UNCHANGED", + "confidentialityImpact": "HIGH", + "integrityImpact": "NONE", + "availabilityImpact": "NONE", + "baseSeverity": "MEDIUM", + "exploitabilityScore": "1.8", + "impactScore": "3.6", + "version": "3.1" + }, + "cwes": [ + "CWE-209" + ], + "description": "A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an 
exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.", + "notes": "", + "references": [ + { + "source": "secalert@redhat.com", + "url": "https:\/\/access.redhat.com\/errata\/RHSA-2023:1241", + "name": "THIRD_PARTY_ADVISORY" + }, + { + "source": "secalert@redhat.com", + "url": "https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2169845", + "name": "ISSUE_TRACKING,THIRD_PARTY_ADVISORY" + }, + { + "source": "secalert@redhat.com", + "url": "https:\/\/github.com\/square\/okhttp\/issues\/6738", + "name": "EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY" + }, + { + "source": "secalert@redhat.com", + "url": "https:\/\/access.redhat.com\/security\/cve\/CVE-2023-0833", + "name": "THIRD_PARTY_ADVISORY" + }, + { + "source": "OSSINDEX", + "url": "https:\/\/ossindex.sonatype.org\/vulnerability\/CVE-2023-0833?component-type=maven&component-name=com.squareup.okhttp3%2Fokhttp&utm_source=dependency-check&utm_medium=integration&utm_content=10.0.4", + "name": "[CVE-2023-0833] CWE-200: Information Exposure" + }, + { + "source": "OSSIndex", + "url": "https:\/\/github.com\/square\/okhttp\/pull\/6551", + "name": "https:\/\/github.com\/square\/okhttp\/pull\/6551" + }, + { + "source": "secalert@redhat.com", + "url": "https:\/\/access.redhat.com\/errata\/RHSA-2023:3223", + "name": "THIRD_PARTY_ADVISORY" + }, + { + "source": "OSSIndex", + "url": "https:\/\/github.com\/square\/okhttp\/issues\/6738", + "name": "https:\/\/github.com\/square\/okhttp\/issues\/6738" + } + ], + "vulnerableSoftware": [ + { + "software": { + "id": "cpe:2.3:a:redhat:a-mq_streams:*:*:*:*:*:*:*:*", + "versionEndExcluding": "2.2.1" + } + }, + { + "software": { + "id": "cpe:2.3:a:redhat:a-mq_streams:*:*:*:*:*:*:*:*", + "versionStartIncluding": "2.3.0", + "versionEndExcluding": "2.4.0" + } + }, + { + "software": { + "id": "cpe:2.3:a:squareup:okhttp:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched": "true", + 
"versionEndExcluding": "4.9.2" + } + } + ] + } + ] + }, +... +[redacted for readability] +...
\ No newline at end of file
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0021/run.sh b/demos/android/MASVS-CODE/MASTG-DEMO-0021/run.sh
index e69de29bb2..835327c131 100644
--- a/demos/android/MASVS-CODE/MASTG-DEMO-0021/run.sh
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0021/run.sh
@@ -0,0 +1 @@
+./gradlew dependencyCheckAnalyze
\ No newline at end of file
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md b/demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md
new file mode 100644
index 0000000000..f237992304
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md
@@ -0,0 +1,24 @@
+---
+platform: android
+title: Identifying Insecure Dependencies through SBOM creation
+id: MASTG-DEMO-0022
+test: MASTG-TEST-0216
+---
+
+### Steps
+
+Execute `cdxgen` in the root directory of the Android Studio project.
+
+{{ run.sh }}
+
+This will create a SBOM file that can be uploaded to @MASTG-TOOL-0117 by following @MASTG-TECH-0112.
+
+### Observation
+
+In the project of @MASTG-TOOL-0117, where the SBOM has been uploaded, the scan should have identified over 200 unique dependencies (components) with 7 vulnerable dependencies and 7 vulnerabilities (as more vulnerabilities might be found over time this number might increase).
+
+{{ output.txt }}
+
+### Evaluation
+
+Review each of the reported instances. The dependency `okhttp` has 2 known vulnerabilities and `okio` has 1 known vulnerability and they should all be updated to the latest version.
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0022/output.txt b/demos/android/MASVS-CODE/MASTG-DEMO-0022/output.txt
new file mode 100644
index 0000000000..96b960251d
--- /dev/null
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0022/output.txt
@@ -0,0 +1 @@ +{"bomFormat":"CycloneDX","specVersion":"1.5","serialNumber":"urn:uuid:08260d88-3747-4adf-8364-e8d75174bf8e","version":1,"metadata":{"timestamp":"2024-10-20T17:18:51Z","tools":{"components":[{"group":"@cyclonedx","name":"cdxgen","version":"10.10.5","purl":"pkg:npm/%40cyclonedx/cdxgen@10.10.5","type":"application","bom-ref":"pkg:npm/@cyclonedx/cdxgen@10.10.5","author":"OWASP Foundation","publisher":"OWASP Foundation"}]},"authors":[{"name":"OWASP Foundation"}],"lifecycles":[{"phase":"build"}],"component":{"name":"MASTestApp","type":"application","group":"","version":"latest","properties":[{"name":"GradleModule","value":"MASTestApp"},{"name":"buildFile","value":"/Users/sushi2k/Documents/mastg-apps/MASTestApp-Android-MASWE-0076/build.gradle.kts"},{"name":"projectDir","value":"/Users/sushi2k/Documents/mastg-apps/MASTestApp-Android-MASWE-0076"},{"name":"rootDir","value":"/Users/sushi2k/Documents/mastg-apps/MASTestApp-Android-MASWE-0076"}],"purl":"pkg:maven/MASTestApp@latest?type=jar","bom-ref":"pkg:maven/MASTestApp@latest?type=jar","components":[{"group":"MASTestApp","name":"app","version":"latest","purl":"pkg:maven/MASTestApp/app@latest?type=jar","type":"application","bom-ref":"pkg:maven/MASTestApp/app@latest?type=jar","properties":[{"name":"GradleModule","value":":app"},{"name":"buildFile","value":"/Users/sushi2k/Documents/mastg-apps/MASTestApp-Android-MASWE-0076/app/build.gradle.kts"},{"name":"projectDir","value":"/Users/sushi2k/Documents/mastg-apps/MASTestApp-Android-MASWE-0076/app"},{"name":"rootDir","value":"/Users/sushi2k/Documents/mastg-apps/MASTestApp-Android-MASWE-0076"}]}]},"properties":[{"name":"cdx:bom:componentTypes","value":"maven"},{"name":"cdx:bom:componentNamespaces","value":"androidx.activity\\nandroidx.annotation\\nandroidx.arch.core\\nandroidx.autofill\\nandroidx.collection\\nandroidx.compose\\nandroidx.compose.animation\\nandroidx.compose.compiler\\nandroidx.compose.foundation\\nandroidx.compose.material\\nandroidx.compose.material3\\na
ndroidx.compose.runtime\\nandroidx.compose.ui\\nandroidx.concurrent\\nandroidx.core\\nandroidx.customview\\nandroidx.emoji2\\nandroidx.interpolator\\nandroidx.lifecycle\\nandroidx.profileinstaller\\nandroidx.savedstate\\nandroidx.startup\\nandroidx.test\\nandroidx.test.espresso\\nandroidx.test.ext\\nandroidx.test.services\\nandroidx.tracing\\nandroidx.versionedparcelable\\ncom.android.tools\\ncom.android.tools.ddms\\ncom.android.tools.emulator\\ncom.android.tools.utp\\ncom.google.android\\ncom.google.api.grpc\\ncom.google.code.findbugs\\ncom.google.code.gson\\ncom.google.crypto.tink\\ncom.google.errorprone\\ncom.google.guava\\ncom.google.j2objc\\ncom.google.protobuf\\ncom.google.testing.platform\\ncom.squareup\\ncom.squareup.okhttp3\\ncom.squareup.okio\\ncommons-io\\nio.grpc\\nio.netty\\nio.perfmark\\njavax.annotation\\njavax.inject\\njunit\\nnet.java.dev.jna\\nnet.sf.kxml\\norg.checkerframework\\norg.codehaus.mojo\\norg.hamcrest\\norg.jetbrains\\norg.jetbrains.intellij.deps\\norg.jetbrains.kotlin\\norg.jetbrains.kotlinx"}]},"components":[{"group":"com.android.tools.utp","name":"android-device-provider-ddmlib","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-device-provider-ddmlib@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-device-provider-ddmlib@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"com.android.tools","name":"common","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools/common@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools/common@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"com.android.tools","name":"annotations","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools/annotations@31.4.0?type=jar","type":"library","bom-ref"
:"pkg:maven/com.android.tools/annotations@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"com.google.guava","name":"guava","version":"32.0.1-jre","scope":"optional","purl":"pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar","type":"library","bom-ref":"pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"com.google.guava","name":"failureaccess","version":"1.0.1","scope":"optional","purl":"pkg:maven/com.google.guava/failureaccess@1.0.1?type=jar","type":"library","bom-ref":"pkg:maven/com.google.guava/failureaccess@1.0.1?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"com.google.guava","name":"listenablefuture","version":"9999.0-empty-to-avoid-conflict-with-guava","scope":"optional","purl":"pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava?type=jar","type":"library","bom-ref":"pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"com.google.code.findbugs","name":"jsr305","version":"3.0.2","scope":"optional","purl":"pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar","type":"library","bom-ref":"pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"org.checkerframework","name":"checker-qual","version":"3.33.0","scope":"optional","purl":"pkg:maven/org.checkerframework/checker-qual@3.33.0?type=jar","type":"library","bom-ref":"pkg:maven/org.checkerframework/checker-qual@3.33.0?type=jar","properties":[{"name":"GradleProfileNa
me","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"com.google.errorprone","name":"error_prone_annotations","version":"2.18.0","scope":"optional","purl":"pkg:maven/com.google.errorprone/error_prone_annotations@2.18.0?type=jar","type":"library","bom-ref":"pkg:maven/com.google.errorprone/error_prone_annotations@2.18.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"com.google.j2objc","name":"j2objc-annotations","version":"2.8","scope":"optional","purl":"pkg:maven/com.google.j2objc/j2objc-annotations@2.8?type=jar","type":"library","bom-ref":"pkg:maven/com.google.j2objc/j2objc-annotations@2.8?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"net.java.dev.jna","name":"jna-platform","version":"5.6.0","scope":"optional","purl":"pkg:maven/net.java.dev.jna/jna-platform@5.6.0?type=jar","type":"library","bom-ref":"pkg:maven/net.java.dev.jna/jna-platform@5.6.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"net.java.dev.jna","name":"jna","version":"5.6.0","scope":"optional","purl":"pkg:maven/net.java.dev.jna/jna@5.6.0?type=jar","type":"library","bom-ref":"pkg:maven/net.java.dev.jna/jna@5.6.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-stdlib-jdk8","version":"1.9.20","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-stdlib","version":"1.9.20","scope":"
optional","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.20?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.20?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"org.jetbrains","name":"annotations","version":"23.0.0","scope":"optional","purl":"pkg:maven/org.jetbrains/annotations@23.0.0?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains/annotations@23.0.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-stdlib-jdk7","version":"1.9.20","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.9.20?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.9.20?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-stdlib-common","version":"1.9.20","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.20?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.20?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"com.android.tools.ddms","name":"ddmlib","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.ddms/ddmlib@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.ddms/ddmlib@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"com.google.protobuf","name":"protobuf-java","version":"3.22.3","scope":"optional","purl":"pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","type":"library","bom-ref":"pkg:maven/com.google.protobuf/protobuf-java@3
.22.3?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"net.sf.kxml","name":"kxml2","version":"2.3.0","scope":"optional","purl":"pkg:maven/net.sf.kxml/kxml2@2.3.0?type=jar","type":"library","bom-ref":"pkg:maven/net.sf.kxml/kxml2@2.3.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"com.android.tools.utp","name":"android-device-provider-ddmlib-proto","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-device-provider-ddmlib-proto@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-device-provider-ddmlib-proto@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"org.jetbrains.kotlinx","name":"kotlinx-coroutines-core","version":"1.6.4","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.6.4?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.6.4?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"org.jetbrains.kotlinx","name":"kotlinx-coroutines-core-jvm","version":"1.6.4","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core-jvm@1.6.4?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core-jvm@1.6.4?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"org.jetbrains.kotlinx","name":"kotlinx-coroutines-bom","version":"1.6.4","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-bom@1.6.4?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-bom@1.6.4?type=jar","properties"
:[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"com.google.testing.platform","name":"core-proto","version":"0.0.9-alpha02","scope":"optional","purl":"pkg:maven/com.google.testing.platform/core-proto@0.0.9-alpha02?type=jar","type":"library","bom-ref":"pkg:maven/com.google.testing.platform/core-proto@0.0.9-alpha02?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"com.google.testing.platform","name":"android-device-provider-local","version":"0.0.9-alpha02","scope":"optional","purl":"pkg:maven/com.google.testing.platform/android-device-provider-local@0.0.9-alpha02?type=jar","type":"library","bom-ref":"pkg:maven/com.google.testing.platform/android-device-provider-local@0.0.9-alpha02?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-ddmlib"}]},{"group":"com.android.tools.utp","name":"android-device-provider-gradle","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-device-provider-gradle@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-device-provider-gradle@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-gradle"}]},{"group":"org.jetbrains","name":"annotations","version":"13.0","scope":"optional","purl":"pkg:maven/org.jetbrains/annotations@13.0?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains/annotations@13.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-gradle"}]},{"group":"com.android.tools.utp","name":"android-device-provider-gradle-proto","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-device-provider-gradle-proto@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools
.utp/android-device-provider-gradle-proto@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-device-provider-gradle"}]},{"group":"com.google.testing.platform","name":"android-driver-instrumentation","version":"0.0.9-alpha02","scope":"optional","purl":"pkg:maven/com.google.testing.platform/android-driver-instrumentation@0.0.9-alpha02?type=jar","type":"library","bom-ref":"pkg:maven/com.google.testing.platform/android-driver-instrumentation@0.0.9-alpha02?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-driver-instrumentation"}]},{"group":"com.google.testing.platform","name":"android-test-plugin","version":"0.0.9-alpha02","scope":"optional","purl":"pkg:maven/com.google.testing.platform/android-test-plugin@0.0.9-alpha02?type=jar","type":"library","bom-ref":"pkg:maven/com.google.testing.platform/android-test-plugin@0.0.9-alpha02?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-host-additional-test-output","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-host-additional-test-output@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-additional-test-output@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-additional-test-output"}]},{"group":"com.android.tools.utp","name":"utp-common","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/utp-common@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/utp-common@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-additional-test-output"}]},{"group":"com.google.testing.platform","name":"launcher","versio
n":"0.0.9-alpha02","scope":"optional","purl":"pkg:maven/com.google.testing.platform/launcher@0.0.9-alpha02?type=jar","type":"library","bom-ref":"pkg:maven/com.google.testing.platform/launcher@0.0.9-alpha02?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-additional-test-output"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-host-additional-test-output-proto","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-host-additional-test-output-proto@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-additional-test-output-proto@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-additional-test-output"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-host-apk-installer","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-host-apk-installer@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-apk-installer@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-apk-installer"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-host-apk-installer-proto","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-host-apk-installer-proto@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-apk-installer-proto@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-apk-installer"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-host-coverage","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-host-coverage@31.4.0?type=jar","
type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-coverage@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-coverage"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-host-coverage-proto","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-host-coverage-proto@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-coverage-proto@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-coverage"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-host-device-info","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-host-device-info@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-device-info@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-device-info"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-host-device-info-proto","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-host-device-info-proto@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-device-info-proto@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-device-info"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-host-emulator-control","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-host-emulator-control@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-emulator-control@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_intern
al-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"commons-io","name":"commons-io","version":"2.13.0","scope":"optional","purl":"pkg:maven/commons-io/commons-io@2.13.0?type=jar","type":"library","bom-ref":"pkg:maven/commons-io/commons-io@2.13.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"com.google.code.gson","name":"gson","version":"2.10.1","scope":"optional","purl":"pkg:maven/com.google.code.gson/gson@2.10.1?type=jar","type":"library","bom-ref":"pkg:maven/com.google.code.gson/gson@2.10.1?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-host-emulator-control-proto","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-host-emulator-control-proto@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-emulator-control-proto@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"com.android.tools.emulator","name":"proto","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.emulator/proto@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.emulator/proto@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.grpc","name":"grpc-core","version":"1.57.0","scope":"optional","purl":"pkg:maven/io.grpc/grpc-core@1.57.0?type=jar","type":"library","bom-ref":"pkg:maven/io.grpc/grpc-core@1.57.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.grpc","name":"grpc-api",
"version":"1.57.0","scope":"optional","purl":"pkg:maven/io.grpc/grpc-api@1.57.0?type=jar","type":"library","bom-ref":"pkg:maven/io.grpc/grpc-api@1.57.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"com.google.android","name":"annotations","version":"4.1.1.4","scope":"optional","purl":"pkg:maven/com.google.android/annotations@4.1.1.4?type=jar","type":"library","bom-ref":"pkg:maven/com.google.android/annotations@4.1.1.4?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"org.codehaus.mojo","name":"animal-sniffer-annotations","version":"1.23","scope":"optional","purl":"pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.23?type=jar","type":"library","bom-ref":"pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.23?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.perfmark","name":"perfmark-api","version":"0.26.0","scope":"optional","purl":"pkg:maven/io.perfmark/perfmark-api@0.26.0?type=jar","type":"library","bom-ref":"pkg:maven/io.perfmark/perfmark-api@0.26.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.grpc","name":"grpc-context","version":"1.57.0","scope":"optional","purl":"pkg:maven/io.grpc/grpc-context@1.57.0?type=jar","type":"library","bom-ref":"pkg:maven/io.grpc/grpc-context@1.57.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.grpc","name":"grpc-netty","version":"1.57.0","scope":"optional","purl":"pkg:maven/io.grpc/grpc-netty@1.57.0?type=jar","type":"framework","bom-ref":"pkg:maven/io.grpc/grpc-netty@1.57.0?type=jar","properties":[{"name":"GradlePr
ofileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.netty","name":"netty-codec-http2","version":"4.1.93.Final","scope":"optional","purl":"pkg:maven/io.netty/netty-codec-http2@4.1.93.Final?type=jar","type":"framework","bom-ref":"pkg:maven/io.netty/netty-codec-http2@4.1.93.Final?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.netty","name":"netty-common","version":"4.1.93.Final","scope":"optional","purl":"pkg:maven/io.netty/netty-common@4.1.93.Final?type=jar","type":"framework","bom-ref":"pkg:maven/io.netty/netty-common@4.1.93.Final?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.netty","name":"netty-buffer","version":"4.1.93.Final","scope":"optional","purl":"pkg:maven/io.netty/netty-buffer@4.1.93.Final?type=jar","type":"framework","bom-ref":"pkg:maven/io.netty/netty-buffer@4.1.93.Final?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.netty","name":"netty-transport","version":"4.1.93.Final","scope":"optional","purl":"pkg:maven/io.netty/netty-transport@4.1.93.Final?type=jar","type":"framework","bom-ref":"pkg:maven/io.netty/netty-transport@4.1.93.Final?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.netty","name":"netty-resolver","version":"4.1.93.Final","scope":"optional","purl":"pkg:maven/io.netty/netty-resolver@4.1.93.Final?type=jar","type":"framework","bom-ref":"pkg:maven/io.netty/netty-resolver@4.1.93.Final?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.netty","name":"netty-codec","version":"4.1.9
3.Final","scope":"optional","purl":"pkg:maven/io.netty/netty-codec@4.1.93.Final?type=jar","type":"framework","bom-ref":"pkg:maven/io.netty/netty-codec@4.1.93.Final?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.netty","name":"netty-handler","version":"4.1.93.Final","scope":"optional","purl":"pkg:maven/io.netty/netty-handler@4.1.93.Final?type=jar","type":"framework","bom-ref":"pkg:maven/io.netty/netty-handler@4.1.93.Final?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.netty","name":"netty-transport-native-unix-common","version":"4.1.93.Final","scope":"optional","purl":"pkg:maven/io.netty/netty-transport-native-unix-common@4.1.93.Final?type=jar","type":"framework","bom-ref":"pkg:maven/io.netty/netty-transport-native-unix-common@4.1.93.Final?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.netty","name":"netty-codec-http","version":"4.1.93.Final","scope":"optional","purl":"pkg:maven/io.netty/netty-codec-http@4.1.93.Final?type=jar","type":"framework","bom-ref":"pkg:maven/io.netty/netty-codec-http@4.1.93.Final?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.netty","name":"netty-handler-proxy","version":"4.1.93.Final","scope":"optional","purl":"pkg:maven/io.netty/netty-handler-proxy@4.1.93.Final?type=jar","type":"framework","bom-ref":"pkg:maven/io.netty/netty-handler-proxy@4.1.93.Final?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.netty","name":"netty-codec-socks","version":"4.1.93.Final","scope":"optional","purl":"pkg:maven/io.netty/netty-codec-socks@4.1.93.
Final?type=jar","type":"framework","bom-ref":"pkg:maven/io.netty/netty-codec-socks@4.1.93.Final?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.grpc","name":"grpc-protobuf","version":"1.57.0","scope":"optional","purl":"pkg:maven/io.grpc/grpc-protobuf@1.57.0?type=jar","type":"library","bom-ref":"pkg:maven/io.grpc/grpc-protobuf@1.57.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"com.google.api.grpc","name":"proto-google-common-protos","version":"2.17.0","scope":"optional","purl":"pkg:maven/com.google.api.grpc/proto-google-common-protos@2.17.0?type=jar","type":"library","bom-ref":"pkg:maven/com.google.api.grpc/proto-google-common-protos@2.17.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.grpc","name":"grpc-protobuf-lite","version":"1.57.0","scope":"optional","purl":"pkg:maven/io.grpc/grpc-protobuf-lite@1.57.0?type=jar","type":"library","bom-ref":"pkg:maven/io.grpc/grpc-protobuf-lite@1.57.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"io.grpc","name":"grpc-stub","version":"1.57.0","scope":"optional","purl":"pkg:maven/io.grpc/grpc-stub@1.57.0?type=jar","type":"library","bom-ref":"pkg:maven/io.grpc/grpc-stub@1.57.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"javax.annotation","name":"javax.annotation-api","version":"1.3.2","scope":"optional","purl":"pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar","type":"library","bom-ref":"pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar","properties":[{"name":"GradleProfileName","value":"_inte
rnal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"com.google.crypto.tink","name":"tink","version":"1.7.0","scope":"optional","purl":"pkg:maven/com.google.crypto.tink/tink@1.7.0?type=jar","type":"library","bom-ref":"pkg:maven/com.google.crypto.tink/tink@1.7.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-emulator-control"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-host-logcat","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-host-logcat@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-logcat@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-logcat"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-host-logcat-proto","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-host-logcat-proto@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-logcat-proto@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-logcat"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-host-retention","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-host-retention@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-retention@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-retention"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-host-retention-proto","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-host-retention-proto@31.4.0?type=jar","type":"library","bom-ref":"pkg:m
aven/com.android.tools.utp/android-test-plugin-host-retention-proto@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-host-retention"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-result-listener-gradle","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-result-listener-gradle@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-result-listener-gradle@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-result-listener-gradle"}]},{"group":"com.android.tools.utp","name":"android-test-plugin-result-listener-gradle-proto","version":"31.4.0","scope":"optional","purl":"pkg:maven/com.android.tools.utp/android-test-plugin-result-listener-gradle-proto@31.4.0?type=jar","type":"library","bom-ref":"pkg:maven/com.android.tools.utp/android-test-plugin-result-listener-gradle-proto@31.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-android-test-plugin-result-listener-gradle"}]},{"group":"com.google.testing.platform","name":"core","version":"0.0.9-alpha02","scope":"optional","purl":"pkg:maven/com.google.testing.platform/core@0.0.9-alpha02?type=jar","type":"library","bom-ref":"pkg:maven/com.google.testing.platform/core@0.0.9-alpha02?type=jar","properties":[{"name":"GradleProfileName","value":"_internal-unified-test-platform-core"}]},{"group":"androidx.test.ext","name":"junit","version":"1.1.5","scope":"optional","purl":"pkg:maven/androidx.test.ext/junit@1.1.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.test.ext/junit@1.1.5?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.test.espresso","name":"espresso-core","version":"3.5.1","scope":"optional","purl":"pkg:maven/androidx.test.espresso/espresso-core@3.5.1?type=jar","type"
:"library","bom-ref":"pkg:maven/androidx.test.espresso/espresso-core@3.5.1?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.compose","name":"compose-bom","version":"2024.04.00","scope":"optional","purl":"pkg:maven/androidx.compose/compose-bom@2024.04.00?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose/compose-bom@2024.04.00?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"junit","name":"junit","version":"4.13.2","scope":"optional","purl":"pkg:maven/junit/junit@4.13.2?type=jar","type":"library","bom-ref":"pkg:maven/junit/junit@4.13.2?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"org.hamcrest","name":"hamcrest-core","version":"1.3","scope":"optional","purl":"pkg:maven/org.hamcrest/hamcrest-core@1.3?type=jar","type":"library","bom-ref":"pkg:maven/org.hamcrest/hamcrest-core@1.3?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.test","name":"core","version":"1.5.0","scope":"optional","purl":"pkg:maven/androidx.test/core@1.5.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.test/core@1.5.0?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.annotation","name":"annotation","version":"1.7.0","scope":"optional","purl":"pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-stdlib","version":"1.8.22","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.8.22?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.8.22?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"gr
oup":"org.jetbrains.kotlin","name":"kotlin-stdlib-common","version":"1.8.22","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.8.22?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.8.22?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.test","name":"monitor","version":"1.6.1","scope":"optional","purl":"pkg:maven/androidx.test/monitor@1.6.1?type=jar","type":"library","bom-ref":"pkg:maven/androidx.test/monitor@1.6.1?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.test","name":"annotation","version":"1.0.1","scope":"optional","purl":"pkg:maven/androidx.test/annotation@1.0.1?type=jar","type":"library","bom-ref":"pkg:maven/androidx.test/annotation@1.0.1?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.annotation","name":"annotation-experimental","version":"1.1.0","scope":"optional","purl":"pkg:maven/androidx.annotation/annotation-experimental@1.1.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.annotation/annotation-experimental@1.1.0?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.tracing","name":"tracing","version":"1.0.0","scope":"optional","purl":"pkg:maven/androidx.tracing/tracing@1.0.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.tracing/tracing@1.0.0?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.test.services","name":"storage","version":"1.4.2","scope":"optional","purl":"pkg:maven/androidx.test.services/storage@1.4.2?type=jar","type":"library","bom-ref":"pkg:maven/androidx.test.services/storage@1.4.2?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"com.google.code.findbugs","name":"jsr305","version":"2.0.2","scope":
"optional","purl":"pkg:maven/com.google.code.findbugs/jsr305@2.0.2?type=jar","type":"library","bom-ref":"pkg:maven/com.google.code.findbugs/jsr305@2.0.2?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.lifecycle","name":"lifecycle-common","version":"2.3.1","scope":"optional","purl":"pkg:maven/androidx.lifecycle/lifecycle-common@2.3.1?type=jar","type":"library","bom-ref":"pkg:maven/androidx.lifecycle/lifecycle-common@2.3.1?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"com.google.guava","name":"listenablefuture","version":"1.0","scope":"optional","purl":"pkg:maven/com.google.guava/listenablefuture@1.0?type=jar","type":"library","bom-ref":"pkg:maven/com.google.guava/listenablefuture@1.0?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.concurrent","name":"concurrent-futures","version":"1.1.0","scope":"optional","purl":"pkg:maven/androidx.concurrent/concurrent-futures@1.1.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.concurrent/concurrent-futures@1.1.0?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.test","name":"runner","version":"1.5.2","scope":"optional","purl":"pkg:maven/androidx.test/runner@1.5.2?type=jar","type":"library","bom-ref":"pkg:maven/androidx.test/runner@1.5.2?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.test.espresso","name":"espresso-idling-resource","version":"3.5.1","scope":"optional","purl":"pkg:maven/androidx.test.espresso/espresso-idling-resource@3.5.1?type=jar","type":"library","bom-ref":"pkg:maven/androidx.test.espresso/espresso-idling-resource@3.5.1?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"com.squareup","name":"javawriter","version":"2.1.1","scope":"optional","purl":"pkg:maven
/com.squareup/javawriter@2.1.1?type=jar","type":"library","bom-ref":"pkg:maven/com.squareup/javawriter@2.1.1?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"javax.inject","name":"javax.inject","version":"1","scope":"optional","purl":"pkg:maven/javax.inject/javax.inject@1?type=jar","type":"library","bom-ref":"pkg:maven/javax.inject/javax.inject@1?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"org.hamcrest","name":"hamcrest-library","version":"1.3","scope":"optional","purl":"pkg:maven/org.hamcrest/hamcrest-library@1.3?type=jar","type":"library","bom-ref":"pkg:maven/org.hamcrest/hamcrest-library@1.3?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"org.hamcrest","name":"hamcrest-integration","version":"1.3","scope":"optional","purl":"pkg:maven/org.hamcrest/hamcrest-integration@1.3?type=jar","type":"library","bom-ref":"pkg:maven/org.hamcrest/hamcrest-integration@1.3?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.compose.ui","name":"ui-test-junit4","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.compose.ui","name":"ui-test","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.compose.runtime","name":"runtime","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.runtime/runtime@1.6.5?t
ype=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.compose.ui","name":"ui","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.compose.ui","name":"ui-text","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.compose.ui","name":"ui-unit","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.compose.runtime","name":"runtime-saveable","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.runtime/runtime-saveable@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.runtime/runtime-saveable@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.compose.ui","name":"ui-geometry","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"androidx.compose.ui","name":"ui-graphics","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]}
,{"group":"androidx.compose.ui","name":"ui-util","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"org.jetbrains.kotlinx","name":"kotlinx-coroutines-core","version":"1.7.1","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-stdlib-jdk8","version":"1.8.20","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.8.20?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.8.20?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-stdlib-jdk7","version":"1.8.20","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.8.20?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.8.20?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"org.jetbrains.kotlinx","name":"atomicfu","version":"0.20.2","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlinx/atomicfu@0.20.2?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlinx/atomicfu@0.20.2?type=jar","properties":[{"name":"GradleProfileName","value":"androidTestImplementation"}]},{"group":"org.jetbrains.kotlinx","name":"kotlinx-coroutines-test","version":"1.7.1","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-test@1.7.1?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-test@1.7.1?type=jar","properties":[{"name":
"GradleProfileName","value":"androidTestImplementation"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-stdlib-jdk8","version":"1.9.0","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.0?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.0?type=jar","properties":[{"name":"GradleProfileName","value":"api"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-stdlib","version":"1.9.0","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.0?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.0?type=jar","properties":[{"name":"GradleProfileName","value":"api"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-stdlib-common","version":"1.9.0","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.0?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.0?type=jar","properties":[{"name":"GradleProfileName","value":"api"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-stdlib-jdk7","version":"1.9.0","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.9.0?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.9.0?type=jar","properties":[{"name":"GradleProfileName","value":"api"}]},{"group":"androidx.annotation","name":"annotation-jvm","version":"1.7.0","scope":"optional","purl":"pkg:maven/androidx.annotation/annotation-jvm@1.7.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.annotation/annotation-jvm@1.7.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-stdlib","version":"1.9.10","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-stdl
ib-common","version":"1.9.10","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.annotation","name":"annotation-experimental","version":"1.4.0","scope":"optional","purl":"pkg:maven/androidx.annotation/annotation-experimental@1.4.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.annotation/annotation-experimental@1.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.lifecycle","name":"lifecycle-common","version":"2.7.0","scope":"optional","purl":"pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"org.jetbrains.kotlinx","name":"kotlinx-coroutines-android","version":"1.7.1","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-android@1.7.1?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-android@1.7.1?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"org.jetbrains.kotlinx","name":"kotlinx-coroutines-core-jvm","version":"1.7.1","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core-jvm@1.7.1?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core-jvm@1.7.1?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"org.jetbrains.kotlinx","name":"kotlinx-coroutines-bom","version":"1.7.1","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-bom@1.7.1?type=jar","type":"library","bom-ref":"pkg:maven/o
rg.jetbrains.kotlinx/kotlinx-coroutines-bom@1.7.1?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"org.jetbrains.kotlinx","name":"kotlinx-coroutines-test-jvm","version":"1.7.1","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-test-jvm@1.7.1?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-test-jvm@1.7.1?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.lifecycle","name":"lifecycle-runtime","version":"2.7.0","scope":"optional","purl":"pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.lifecycle","name":"lifecycle-runtime-ktx","version":"2.7.0","scope":"optional","purl":"pkg:maven/androidx.lifecycle/lifecycle-runtime-ktx@2.7.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.lifecycle/lifecycle-runtime-ktx@2.7.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.lifecycle","name":"lifecycle-viewmodel","version":"2.7.0","scope":"optional","purl":"pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.lifecycle","name":"lifecycle-viewmodel-ktx","version":"2.7.0","scope":"optional","purl":"pkg:maven/androidx.lifecycle/lifecycle-viewmodel-ktx@2.7.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.lifecycle/lifecycle-viewmodel-ktx@2.7.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.lifecycle","name":"lifecycle-viewmodel
-savedstate","version":"2.7.0","scope":"optional","purl":"pkg:maven/androidx.lifecycle/lifecycle-viewmodel-savedstate@2.7.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.lifecycle/lifecycle-viewmodel-savedstate@2.7.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.lifecycle","name":"lifecycle-livedata-core","version":"2.7.0","scope":"optional","purl":"pkg:maven/androidx.lifecycle/lifecycle-livedata-core@2.7.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.lifecycle/lifecycle-livedata-core@2.7.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.material3","name":"material3","version":"1.2.1","scope":"optional","purl":"pkg:maven/androidx.compose.material3/material3@1.2.1?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.material3/material3@1.2.1?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.ui","name":"ui-test-manifest","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.ui","name":"ui-tooling","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.ui","name":"ui-tooling-preview","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","properties":[{"name":"GradleProfile
Name","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.ui","name":"ui-test-junit4-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-test-junit4-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-test-junit4-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.ui","name":"ui-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.ui","name":"ui-graphics-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-graphics-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-graphics-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.material3","name":"material3-android","version":"1.2.1","scope":"optional","purl":"pkg:maven/androidx.compose.material3/material3-android@1.2.1?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.material3/material3-android@1.2.1?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.ui","name":"ui-tooling-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-tooling-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-tooling-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.ui","name":"ui-tooling-preview-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-tooling-preview-android@1.6.5?type=jar","typ
e":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-tooling-preview-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.runtime","name":"runtime-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.runtime/runtime-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.runtime/runtime-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.runtime","name":"runtime-saveable-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.runtime/runtime-saveable-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.runtime/runtime-saveable-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.foundation","name":"foundation","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.foundation/foundation@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.foundation/foundation@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.foundation","name":"foundation-layout","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.foundation/foundation-layout@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.foundation/foundation-layout@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.material","name":"material-icons-core","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.material/material-icons-core@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.material/material-icons-core@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompi
leClasspath"}]},{"group":"androidx.compose.material","name":"material-ripple","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.material/material-ripple@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.material/material-ripple@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.ui","name":"ui-tooling-data","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.ui","name":"ui-test-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-test-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-test-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.ui","name":"ui-geometry-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-geometry-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-geometry-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.ui","name":"ui-text-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-text-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-text-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.ui","name":"ui-unit-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-unit-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-unit-android@1.6.5?type=j
ar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.ui","name":"ui-util-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-util-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-util-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.foundation","name":"foundation-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.foundation/foundation-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.foundation/foundation-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.foundation","name":"foundation-layout-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.foundation/foundation-layout-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.foundation/foundation-layout-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.material","name":"material-icons-core-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.material/material-icons-core-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.material/material-icons-core-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.material","name":"material-ripple-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.material/material-ripple-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.material/material-ripple-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.c
ompose.ui","name":"ui-tooling-data-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.ui/ui-tooling-data-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.ui/ui-tooling-data-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.animation","name":"animation","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.animation/animation@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.animation/animation@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.animation","name":"animation-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.animation/animation-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.animation/animation-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.animation","name":"animation-core","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.animation/animation-core@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.animation/animation-core@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.compose.animation","name":"animation-core-android","version":"1.6.5","scope":"optional","purl":"pkg:maven/androidx.compose.animation/animation-core-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.animation/animation-core-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.activity","name":"activity","version":"1.8.2","scope":"optional","purl":"pkg:maven/androidx.activity/activity@1.8.2?type=jar","type":"library","bom-ref":"pkg:maven/androidx.activity/
activity@1.8.2?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.core","name":"core","version":"1.12.0","scope":"optional","purl":"pkg:maven/androidx.core/core@1.12.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.core/core@1.12.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.arch.core","name":"core-common","version":"2.2.0","scope":"optional","purl":"pkg:maven/androidx.arch.core/core-common@2.2.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.arch.core/core-common@2.2.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.versionedparcelable","name":"versionedparcelable","version":"1.1.1","scope":"optional","purl":"pkg:maven/androidx.versionedparcelable/versionedparcelable@1.1.1?type=jar","type":"library","bom-ref":"pkg:maven/androidx.versionedparcelable/versionedparcelable@1.1.1?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.collection","name":"collection","version":"1.4.0","scope":"optional","purl":"pkg:maven/androidx.collection/collection@1.4.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.collection/collection@1.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.collection","name":"collection-jvm","version":"1.4.0","scope":"optional","purl":"pkg:maven/androidx.collection/collection-jvm@1.4.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.collection/collection-jvm@1.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.core","name":"core-ktx","version":"1.12.0","scope":"optional","purl":"pkg:maven/androidx.core/core-ktx@1.12.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.core/core-ktx@1.12.0?type=jar","proper
ties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.savedstate","name":"savedstate","version":"1.2.1","scope":"optional","purl":"pkg:maven/androidx.savedstate/savedstate@1.2.1?type=jar","type":"library","bom-ref":"pkg:maven/androidx.savedstate/savedstate@1.2.1?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.savedstate","name":"savedstate-ktx","version":"1.2.1","scope":"optional","purl":"pkg:maven/androidx.savedstate/savedstate-ktx@1.2.1?type=jar","type":"library","bom-ref":"pkg:maven/androidx.savedstate/savedstate-ktx@1.2.1?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.activity","name":"activity-compose","version":"1.8.2","scope":"optional","purl":"pkg:maven/androidx.activity/activity-compose@1.8.2?type=jar","type":"library","bom-ref":"pkg:maven/androidx.activity/activity-compose@1.8.2?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.activity","name":"activity-ktx","version":"1.8.2","scope":"optional","purl":"pkg:maven/androidx.activity/activity-ktx@1.8.2?type=jar","type":"library","bom-ref":"pkg:maven/androidx.activity/activity-ktx@1.8.2?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-reflect","version":"1.9.10","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-reflect@1.9.10?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-reflect@1.9.10?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"com.squareup.okhttp3","name":"okhttp","version":"4.8.0","scope":"optional","purl":"pkg:maven/com.squareup.okhttp3/okhttp@4.8.0?type=jar","type":"library","bom-ref":"pkg:maven/com.squareup.okhttp3/okhttp@4.8.0?type=jar","properties":[{"na
me":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"com.squareup.okio","name":"okio","version":"2.7.0","scope":"optional","purl":"pkg:maven/com.squareup.okio/okio@2.7.0?type=jar","type":"library","bom-ref":"pkg:maven/com.squareup.okio/okio@2.7.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestCompileClasspath"}]},{"group":"androidx.lifecycle","name":"lifecycle-process","version":"2.7.0","scope":"optional","purl":"pkg:maven/androidx.lifecycle/lifecycle-process@2.7.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.lifecycle/lifecycle-process@2.7.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestRuntimeClasspath"}]},{"group":"androidx.collection","name":"collection-ktx","version":"1.4.0","scope":"optional","purl":"pkg:maven/androidx.collection/collection-ktx@1.4.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.collection/collection-ktx@1.4.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestRuntimeClasspath"}]},{"group":"androidx.interpolator","name":"interpolator","version":"1.0.0","scope":"optional","purl":"pkg:maven/androidx.interpolator/interpolator@1.0.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.interpolator/interpolator@1.0.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestRuntimeClasspath"}]},{"group":"androidx.arch.core","name":"core-runtime","version":"2.2.0","scope":"optional","purl":"pkg:maven/androidx.arch.core/core-runtime@2.2.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.arch.core/core-runtime@2.2.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestRuntimeClasspath"}]},{"group":"androidx.profileinstaller","name":"profileinstaller","version":"1.3.0","scope":"optional","purl":"pkg:maven/androidx.profileinstaller/profileinstaller@1.3.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.profileinstaller/profileinstaller@1.3.0?type=jar","prop
erties":[{"name":"GradleProfileName","value":"debugAndroidTestRuntimeClasspath"}]},{"group":"androidx.startup","name":"startup-runtime","version":"1.1.1","scope":"optional","purl":"pkg:maven/androidx.startup/startup-runtime@1.1.1?type=jar","type":"library","bom-ref":"pkg:maven/androidx.startup/startup-runtime@1.1.1?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestRuntimeClasspath"}]},{"group":"androidx.autofill","name":"autofill","version":"1.0.0","scope":"optional","purl":"pkg:maven/androidx.autofill/autofill@1.0.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.autofill/autofill@1.0.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestRuntimeClasspath"}]},{"group":"androidx.emoji2","name":"emoji2","version":"1.3.0","scope":"optional","purl":"pkg:maven/androidx.emoji2/emoji2@1.3.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.emoji2/emoji2@1.3.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestRuntimeClasspath"}]},{"group":"androidx.customview","name":"customview-poolingcontainer","version":"1.0.0","scope":"optional","purl":"pkg:maven/androidx.customview/customview-poolingcontainer@1.0.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.customview/customview-poolingcontainer@1.0.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugAndroidTestRuntimeClasspath"}]},{"group":"androidx.lifecycle","name":"lifecycle-common-java8","version":"2.7.0","scope":"required","purl":"pkg:maven/androidx.lifecycle/lifecycle-common-java8@2.7.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.lifecycle/lifecycle-common-java8@2.7.0?type=jar","properties":[{"name":"GradleProfileName","value":"debugRuntimeClasspath"}]},{"group":"androidx.compose.material","name":"material","version":"1.6.5","scope":"required","purl":"pkg:maven/androidx.compose.material/material@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.material/material@1.6.5?type
=jar","properties":[{"name":"GradleProfileName","value":"debugRuntimeClasspath"}]},{"group":"androidx.compose.material","name":"material-android","version":"1.6.5","scope":"required","purl":"pkg:maven/androidx.compose.material/material-android@1.6.5?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.material/material-android@1.6.5?type=jar","properties":[{"name":"GradleProfileName","value":"debugRuntimeClasspath"}]},{"group":"androidx.annotation","name":"annotation-experimental","version":"1.3.0","purl":"pkg:maven/androidx.annotation/annotation-experimental@1.3.0?type=jar","type":"library","bom-ref":"pkg:maven/androidx.annotation/annotation-experimental@1.3.0?type=jar","properties":[{"name":"GradleProfileName","value":"implementation"}]},{"group":"com.squareup.okio","name":"okio-metadata","version":"2.7.0","purl":"pkg:maven/com.squareup.okio/okio-metadata@2.7.0?type=jar","type":"library","bom-ref":"pkg:maven/com.squareup.okio/okio-metadata@2.7.0?type=jar","properties":[{"name":"GradleProfileName","value":"implementation"}]},{"group":"androidx.compose.compiler","name":"compiler","version":"1.5.1","purl":"pkg:maven/androidx.compose.compiler/compiler@1.5.1?type=jar","type":"library","bom-ref":"pkg:maven/androidx.compose.compiler/compiler@1.5.1?type=jar","properties":[{"name":"GradleProfileName","value":"kotlin-extension"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-build-tools-impl","version":"1.9.0","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-build-tools-impl@1.9.0?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-build-tools-impl@1.9.0?type=jar","properties":[{"name":"GradleProfileName","value":"kotlin-extension"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-build-tools-api","version":"1.9.0","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-build-tools-api@1.9.0?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-build-tools-api@1.9.0?type=jar","properties":[{"name":"GradleProfileName","value":"k
otlin-extension"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-compiler-embeddable","version":"1.9.0","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-compiler-embeddable@1.9.0?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-compiler-embeddable@1.9.0?type=jar","properties":[{"name":"GradleProfileName","value":"kotlin-extension"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-script-runtime","version":"1.9.0","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-script-runtime@1.9.0?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-script-runtime@1.9.0?type=jar","properties":[{"name":"GradleProfileName","value":"kotlin-extension"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-reflect","version":"1.6.10","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-reflect@1.6.10?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-reflect@1.6.10?type=jar","properties":[{"name":"GradleProfileName","value":"kotlin-extension"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-daemon-embeddable","version":"1.9.0","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-daemon-embeddable@1.9.0?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-daemon-embeddable@1.9.0?type=jar","properties":[{"name":"GradleProfileName","value":"kotlin-extension"}]},{"group":"org.jetbrains.intellij.deps","name":"trove4j","version":"1.0.20200330","purl":"pkg:maven/org.jetbrains.intellij.deps/trove4j@1.0.20200330?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.intellij.deps/trove4j@1.0.20200330?type=jar","properties":[{"name":"GradleProfileName","value":"kotlin-extension"}]},{"group":"org.jetbrains.kotlin","name":"kotlin-klib-commonizer-embeddable","version":"1.9.0","scope":"optional","purl":"pkg:maven/org.jetbrains.kotlin/kotlin-klib-commonizer-embeddable@1.9.0?type=jar","type":"library","bom-ref":"pkg:maven/org.jetbrains.kotlin/kotlin-klib-commonizer-embeddable@1.9.0?type=jar","properties":[{"name":"Gradle
ProfileName","value":"kotlinCompilerPluginClasspathReleaseUnitTest"}]}],"dependencies":[{"ref":"pkg:maven/MASTestApp@latest?type=jar","dependsOn":["pkg:maven/MASTestApp/app@latest?type=jar"]},{"ref":"pkg:maven/MASTestApp/app@latest?type=jar","dependsOn":["pkg:maven/MASTestApp/app@latest?type=jar","pkg:maven/androidx.activity/activity-compose@1.8.2?type=jar","pkg:maven/androidx.compose.compiler/compiler@1.5.1?type=jar","pkg:maven/androidx.compose.material3/material3@1.2.1?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/androidx.compose/compose-bom@2024.04.00?type=jar","pkg:maven/androidx.core/core-ktx@1.12.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime-ktx@2.7.0?type=jar","pkg:maven/androidx.test.espresso/espresso-core@3.5.1?type=jar","pkg:maven/androidx.test.ext/junit@1.1.5?type=jar","pkg:maven/com.android.tools.utp/android-device-provider-ddmlib@31.4.0?type=jar","pkg:maven/com.android.tools.utp/android-device-provider-gradle@31.4.0?type=jar","pkg:maven/com.android.tools.utp/android-test-plugin-host-additional-test-output@31.4.0?type=jar","pkg:maven/com.android.tools.utp/android-test-plugin-host-apk-installer@31.4.0?type=jar","pkg:maven/com.android.tools.utp/android-test-plugin-host-coverage@31.4.0?type=jar","pkg:maven/com.android.tools.utp/android-test-plugin-host-device-info@31.4.0?type=jar","pkg:maven/com.android.tools.utp/android-test-plugin-host-emulator-control@31.4.0?type=jar","pkg:maven/com.android.tools.utp/android-test-plugin-host-logcat@31.4.0?type=jar","pkg:maven/com.android.tools.utp/android-test-plugin-host-retention@31.4.0?type=jar","pkg:maven/com.android.tools.utp/android-test-plugin-result-listener-gradle@31.4.
0?type=jar","pkg:maven/com.google.testing.platform/android-driver-instrumentation@0.0.9-alpha02?type=jar","pkg:maven/com.google.testing.platform/android-test-plugin@0.0.9-alpha02?type=jar","pkg:maven/com.google.testing.platform/core@0.0.9-alpha02?type=jar","pkg:maven/com.google.testing.platform/launcher@0.0.9-alpha02?type=jar","pkg:maven/com.squareup.okhttp3/okhttp@4.8.0?type=jar","pkg:maven/junit/junit@4.13.2?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-build-tools-impl@1.9.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-compiler-embeddable@1.9.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-klib-commonizer-embeddable@1.9.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-reflect@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.0?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/android-device-provider-ddmlib@31.4.0?type=jar","dependsOn":["pkg:maven/com.android.tools.ddms/ddmlib@31.4.0?type=jar","pkg:maven/com.android.tools.utp/android-device-provider-ddmlib-proto@31.4.0?type=jar","pkg:maven/com.android.tools/common@31.4.0?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/com.google.testing.platform/android-device-provider-local@0.0.9-alpha02?type=jar","pkg:maven/com.google.testing.platform/core-proto@0.0.9-alpha02?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.6.4?type=jar"]},{"ref":"pkg:maven/com.android.tools/common@31.4.0?type=jar","dependsOn":["pkg:maven/com.android.tools/annotations@31.4.0?type=jar","pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar","pkg:maven/net.java.dev.jna/jna-platform@5.6.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar"]},{"ref":"pkg:maven/com.android.tools/annotations@31.4.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar","dependsOn":["pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar","pkg:maven/com.
google.errorprone/error_prone_annotations@2.18.0?type=jar","pkg:maven/com.google.guava/failureaccess@1.0.1?type=jar","pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava?type=jar","pkg:maven/com.google.j2objc/j2objc-annotations@2.8?type=jar","pkg:maven/org.checkerframework/checker-qual@3.33.0?type=jar"]},{"ref":"pkg:maven/com.google.guava/failureaccess@1.0.1?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.google.guava/listenablefuture@9999.0-empty-to-avoid-conflict-with-guava?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar","dependsOn":[]},{"ref":"pkg:maven/org.checkerframework/checker-qual@3.33.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.google.errorprone/error_prone_annotations@2.18.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.google.j2objc/j2objc-annotations@2.8?type=jar","dependsOn":[]},{"ref":"pkg:maven/net.java.dev.jna/jna-platform@5.6.0?type=jar","dependsOn":["pkg:maven/net.java.dev.jna/jna@5.6.0?type=jar"]},{"ref":"pkg:maven/net.java.dev.jna/jna@5.6.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.9.20?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.20?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.20?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.20?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.9.20?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar","pkg:maven/org.jetbrains/annotations@13.0?type=jar","pkg:maven/org.jetbrains/annotations@23.0.0?type=jar"]},{"ref":"pkg:maven/org.jetbrains/annotations@23.0.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.9.20?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.20?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.
20?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.20?type=jar"]},{"ref":"pkg:maven/com.android.tools.ddms/ddmlib@31.4.0?type=jar","dependsOn":["pkg:maven/com.android.tools/common@31.4.0?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/net.sf.kxml/kxml2@2.3.0?type=jar","pkg:maven/org.jetbrains/annotations@23.0.0?type=jar"]},{"ref":"pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","dependsOn":[]},{"ref":"pkg:maven/net.sf.kxml/kxml2@2.3.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.android.tools.utp/android-device-provider-ddmlib-proto@31.4.0?type=jar","dependsOn":["pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.6.4?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core-jvm@1.6.4?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core-jvm@1.6.4?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.20?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-bom@1.6.4?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-bom@1.6.4?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core-jvm@1.6.4?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.6.4?type=jar"]},{"ref":"pkg:maven/com.google.testing.platform/core-proto@0.0.9-alpha02?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.google.testing.platform/android-device-provider-local@0.0.9-alpha02?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.android.tools.utp/android-device-provider-gradle@31.4.0?type=jar","dependsOn":["pkg:maven/com.android.tools.utp/android-device-provider-gradle-proto@31.4.0?type=jar","pkg:maven/com.android.tools/common@31.4.0?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/com.google.testing.platform/android-dev
ice-provider-local@0.0.9-alpha02?type=jar","pkg:maven/com.google.testing.platform/core-proto@0.0.9-alpha02?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar"]},{"ref":"pkg:maven/org.jetbrains/annotations@13.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.android.tools.utp/android-device-provider-gradle-proto@31.4.0?type=jar","dependsOn":["pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar"]},{"ref":"pkg:maven/com.google.testing.platform/android-driver-instrumentation@0.0.9-alpha02?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.google.testing.platform/android-test-plugin@0.0.9-alpha02?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-additional-test-output@31.4.0?type=jar","dependsOn":["pkg:maven/com.android.tools.utp/android-test-plugin-host-additional-test-output-proto@31.4.0?type=jar","pkg:maven/com.android.tools.utp/utp-common@31.4.0?type=jar","pkg:maven/com.android.tools/common@31.4.0?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/com.google.testing.platform/android-device-provider-local@0.0.9-alpha02?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/utp-common@31.4.0?type=jar","dependsOn":["pkg:maven/com.android.tools/common@31.4.0?type=jar","pkg:maven/com.google.testing.platform/launcher@0.0.9-alpha02?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar"]},{"ref":"pkg:maven/com.google.testing.platform/launcher@0.0.9-alpha02?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-additional-test-output-proto@31.4.0?type=jar","dependsOn":["pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-apk-installer@31.4.0?type=jar","dependsOn":["pkg:maven/com.android.tools.utp/android-test-plugin-host-apk-installer-proto@31.4.0?type=jar","pkg:maven/com.andro
id.tools/common@31.4.0?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/com.google.testing.platform/android-device-provider-local@0.0.9-alpha02?type=jar","pkg:maven/com.google.testing.platform/core-proto@0.0.9-alpha02?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-apk-installer-proto@31.4.0?type=jar","dependsOn":["pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-coverage@31.4.0?type=jar","dependsOn":["pkg:maven/com.android.tools.utp/android-test-plugin-host-coverage-proto@31.4.0?type=jar","pkg:maven/com.android.tools/common@31.4.0?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/com.google.testing.platform/android-device-provider-local@0.0.9-alpha02?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-coverage-proto@31.4.0?type=jar","dependsOn":["pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-device-info@31.4.0?type=jar","dependsOn":["pkg:maven/com.android.tools.utp/android-test-plugin-host-device-info-proto@31.4.0?type=jar","pkg:maven/com.android.tools.utp/utp-common@31.4.0?type=jar","pkg:maven/com.android.tools/common@31.4.0?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/com.google.testing.platform/android-device-provider-local@0.0.9-alpha02?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-device-info-proto@31.4.0?type=jar","dependsOn":["pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-emulator-control@31.4.0?type=jar","dependsOn":["pkg:maven/com.
android.tools.emulator/proto@31.4.0?type=jar","pkg:maven/com.android.tools.utp/android-test-plugin-host-emulator-control-proto@31.4.0?type=jar","pkg:maven/com.android.tools/common@31.4.0?type=jar","pkg:maven/com.google.code.gson/gson@2.10.1?type=jar","pkg:maven/com.google.crypto.tink/tink@1.7.0?type=jar","pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/com.google.testing.platform/android-device-provider-local@0.0.9-alpha02?type=jar","pkg:maven/com.google.testing.platform/android-driver-instrumentation@0.0.9-alpha02?type=jar","pkg:maven/commons-io/commons-io@2.13.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.6.4?type=jar"]},{"ref":"pkg:maven/commons-io/commons-io@2.13.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.google.code.gson/gson@2.10.1?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-emulator-control-proto@31.4.0?type=jar","dependsOn":["pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar"]},{"ref":"pkg:maven/com.android.tools.emulator/proto@31.4.0?type=jar","dependsOn":["pkg:maven/com.google.code.gson/gson@2.10.1?type=jar","pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/io.grpc/grpc-core@1.57.0?type=jar","pkg:maven/io.grpc/grpc-netty@1.57.0?type=jar","pkg:maven/io.grpc/grpc-protobuf@1.57.0?type=jar","pkg:maven/io.grpc/grpc-stub@1.57.0?type=jar","pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar"]},{"ref":"pkg:maven/io.grpc/grpc-core@1.57.0?type=jar","dependsOn":["pkg:maven/com.google.android/annotations@4.1.1.4?type=jar","pkg:maven/com.google.code.gson/gson@2.10.1?type=jar","pkg:maven/com.google.errorprone/error_prone_annotations@2.18.0?type=jar","pkg:maven/com.google.guava/guava@3
2.0.1-jre?type=jar","pkg:maven/io.grpc/grpc-api@1.57.0?type=jar","pkg:maven/io.grpc/grpc-context@1.57.0?type=jar","pkg:maven/io.perfmark/perfmark-api@0.26.0?type=jar","pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.23?type=jar"]},{"ref":"pkg:maven/io.grpc/grpc-api@1.57.0?type=jar","dependsOn":["pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar","pkg:maven/com.google.errorprone/error_prone_annotations@2.18.0?type=jar","pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar"]},{"ref":"pkg:maven/com.google.android/annotations@4.1.1.4?type=jar","dependsOn":[]},{"ref":"pkg:maven/org.codehaus.mojo/animal-sniffer-annotations@1.23?type=jar","dependsOn":[]},{"ref":"pkg:maven/io.perfmark/perfmark-api@0.26.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/io.grpc/grpc-context@1.57.0?type=jar","dependsOn":["pkg:maven/io.grpc/grpc-api@1.57.0?type=jar"]},{"ref":"pkg:maven/io.grpc/grpc-netty@1.57.0?type=jar","dependsOn":["pkg:maven/com.google.errorprone/error_prone_annotations@2.18.0?type=jar","pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar","pkg:maven/io.grpc/grpc-core@1.57.0?type=jar","pkg:maven/io.netty/netty-codec-http2@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-handler-proxy@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-transport-native-unix-common@4.1.93.Final?type=jar","pkg:maven/io.perfmark/perfmark-api@0.26.0?type=jar"]},{"ref":"pkg:maven/io.netty/netty-codec-http2@4.1.93.Final?type=jar","dependsOn":["pkg:maven/io.netty/netty-buffer@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-codec-http@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-codec@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-common@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-handler@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-transport@4.1.93.Final?type=jar"]},{"ref":"pkg:maven/io.netty/netty-common@4.1.93.Final?type=jar","dependsOn":[]},{"ref":"pkg:maven/io.netty/netty-buffer@4.1.93.Final?type=jar","dependsOn":["pkg:maven/io.netty/netty-common@4.1.93.Final?type=jar"]
},{"ref":"pkg:maven/io.netty/netty-transport@4.1.93.Final?type=jar","dependsOn":["pkg:maven/io.netty/netty-buffer@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-common@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-resolver@4.1.93.Final?type=jar"]},{"ref":"pkg:maven/io.netty/netty-resolver@4.1.93.Final?type=jar","dependsOn":["pkg:maven/io.netty/netty-common@4.1.93.Final?type=jar"]},{"ref":"pkg:maven/io.netty/netty-codec@4.1.93.Final?type=jar","dependsOn":["pkg:maven/io.netty/netty-buffer@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-common@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-transport@4.1.93.Final?type=jar"]},{"ref":"pkg:maven/io.netty/netty-handler@4.1.93.Final?type=jar","dependsOn":["pkg:maven/io.netty/netty-buffer@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-codec@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-common@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-resolver@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-transport-native-unix-common@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-transport@4.1.93.Final?type=jar"]},{"ref":"pkg:maven/io.netty/netty-transport-native-unix-common@4.1.93.Final?type=jar","dependsOn":["pkg:maven/io.netty/netty-buffer@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-common@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-transport@4.1.93.Final?type=jar"]},{"ref":"pkg:maven/io.netty/netty-codec-http@4.1.93.Final?type=jar","dependsOn":["pkg:maven/io.netty/netty-buffer@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-codec@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-common@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-handler@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-transport@4.1.93.Final?type=jar"]},{"ref":"pkg:maven/io.netty/netty-handler-proxy@4.1.93.Final?type=jar","dependsOn":["pkg:maven/io.netty/netty-buffer@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-codec-http@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-codec-socks@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-
codec@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-common@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-transport@4.1.93.Final?type=jar"]},{"ref":"pkg:maven/io.netty/netty-codec-socks@4.1.93.Final?type=jar","dependsOn":["pkg:maven/io.netty/netty-buffer@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-codec@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-common@4.1.93.Final?type=jar","pkg:maven/io.netty/netty-transport@4.1.93.Final?type=jar"]},{"ref":"pkg:maven/io.grpc/grpc-protobuf@1.57.0?type=jar","dependsOn":["pkg:maven/com.google.api.grpc/proto-google-common-protos@2.17.0?type=jar","pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar","pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/io.grpc/grpc-api@1.57.0?type=jar","pkg:maven/io.grpc/grpc-protobuf-lite@1.57.0?type=jar"]},{"ref":"pkg:maven/com.google.api.grpc/proto-google-common-protos@2.17.0?type=jar","dependsOn":["pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar"]},{"ref":"pkg:maven/io.grpc/grpc-protobuf-lite@1.57.0?type=jar","dependsOn":["pkg:maven/com.google.code.findbugs/jsr305@3.0.2?type=jar","pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar","pkg:maven/io.grpc/grpc-api@1.57.0?type=jar"]},{"ref":"pkg:maven/io.grpc/grpc-stub@1.57.0?type=jar","dependsOn":["pkg:maven/com.google.errorprone/error_prone_annotations@2.18.0?type=jar","pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar","pkg:maven/io.grpc/grpc-api@1.57.0?type=jar"]},{"ref":"pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.google.crypto.tink/tink@1.7.0?type=jar","dependsOn":["pkg:maven/com.google.code.gson/gson@2.10.1?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-logcat@31.4.0?type=jar","dependsOn":["pkg:maven/com.android.tools.utp/android-test-plugin-host-logcat-proto@31.4.0?type=jar","pkg:maven/com
.android.tools.utp/utp-common@31.4.0?type=jar","pkg:maven/com.android.tools/common@31.4.0?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/com.google.testing.platform/android-device-provider-local@0.0.9-alpha02?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-logcat-proto@31.4.0?type=jar","dependsOn":["pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-retention@31.4.0?type=jar","dependsOn":["pkg:maven/com.android.tools.emulator/proto@31.4.0?type=jar","pkg:maven/com.android.tools.utp/android-test-plugin-host-retention-proto@31.4.0?type=jar","pkg:maven/com.android.tools.utp/utp-common@31.4.0?type=jar","pkg:maven/com.android.tools/common@31.4.0?type=jar","pkg:maven/com.google.code.gson/gson@2.10.1?type=jar","pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/com.google.testing.platform/android-device-provider-local@0.0.9-alpha02?type=jar","pkg:maven/commons-io/commons-io@2.13.0?type=jar","pkg:maven/io.grpc/grpc-core@1.57.0?type=jar","pkg:maven/io.grpc/grpc-netty@1.57.0?type=jar","pkg:maven/io.grpc/grpc-protobuf@1.57.0?type=jar","pkg:maven/io.grpc/grpc-stub@1.57.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.6.4?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-host-retention-proto@31.4.0?type=jar","dependsOn":["pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-result-listener-gradle@31.4.0?type=jar","dependsOn":["pkg:maven/com.android.tools.utp/android-test-plugin-result-listener-gradle-proto@31.4.0?type=jar","pkg:maven/com.android.tools/co
mmon@31.4.0?type=jar","pkg:maven/com.google.code.gson/gson@2.10.1?type=jar","pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/com.google.testing.platform/android-device-provider-local@0.0.9-alpha02?type=jar","pkg:maven/com.google.testing.platform/core-proto@0.0.9-alpha02?type=jar","pkg:maven/io.grpc/grpc-core@1.57.0?type=jar","pkg:maven/io.grpc/grpc-netty@1.57.0?type=jar","pkg:maven/io.grpc/grpc-protobuf@1.57.0?type=jar","pkg:maven/io.grpc/grpc-stub@1.57.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.20?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.6.4?type=jar"]},{"ref":"pkg:maven/com.android.tools.utp/android-test-plugin-result-listener-gradle-proto@31.4.0?type=jar","dependsOn":["pkg:maven/com.google.code.gson/gson@2.10.1?type=jar","pkg:maven/com.google.guava/guava@32.0.1-jre?type=jar","pkg:maven/com.google.protobuf/protobuf-java@3.22.3?type=jar","pkg:maven/io.grpc/grpc-core@1.57.0?type=jar","pkg:maven/io.grpc/grpc-netty@1.57.0?type=jar","pkg:maven/io.grpc/grpc-protobuf@1.57.0?type=jar","pkg:maven/io.grpc/grpc-stub@1.57.0?type=jar","pkg:maven/javax.annotation/javax.annotation-api@1.3.2?type=jar"]},{"ref":"pkg:maven/com.google.testing.platform/core@0.0.9-alpha02?type=jar","dependsOn":[]},{"ref":"pkg:maven/androidx.test.ext/junit@1.1.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.test/core@1.5.0?type=jar","pkg:maven/androidx.test/monitor@1.6.1?type=jar","pkg:maven/junit/junit@4.13.2?type=jar"]},{"ref":"pkg:maven/androidx.test.espresso/espresso-core@3.5.1?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.test.espresso/espresso-idling-resource@3.5.1?type=jar","pkg:maven/androidx.test/annotation@1.0.1?type=jar","pkg:maven/androidx.test/core@1.5.0?type=jar","pkg:maven/androidx.test/runner@1.5.2?type=jar","pkg:maven/com.google.code.findbugs/jsr305
@2.0.2?type=jar","pkg:maven/com.squareup/javawriter@2.1.1?type=jar","pkg:maven/javax.inject/javax.inject@1?type=jar","pkg:maven/org.hamcrest/hamcrest-integration@1.3?type=jar","pkg:maven/org.hamcrest/hamcrest-library@1.3?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.8.22?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose/compose-bom@2024.04.00?type=jar","dependsOn":["pkg:maven/androidx.compose.animation/animation-android@1.6.5?type=jar","pkg:maven/androidx.compose.animation/animation-core-android@1.6.5?type=jar","pkg:maven/androidx.compose.animation/animation-core@1.6.5?type=jar","pkg:maven/androidx.compose.animation/animation@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation-android@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation-layout-android@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation-layout@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-android@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-icons-core-android@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-icons-core@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-ripple-android@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-ripple@1.6.5?type=jar","pkg:maven/androidx.compose.material/material@1.6.5?type=jar","pkg:maven/androidx.compose.material3/material3-android@1.2.1?type=jar","pkg:maven/androidx.compose.material3/material3@1.2.1?type=jar","pkg:maven/androidx.compose.runtime/runtime-android@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime-saveable-android@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime-saveable@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-geometry-android@1.6.5?type=jar","pkg:maven/androi
dx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-data-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar"]},{"ref":"pkg:maven/junit/junit@4.13.2?type=jar","dependsOn":["pkg:maven/org.hamcrest/hamcrest-core@1.3?type=jar"]},{"ref":"pkg:maven/org.hamcrest/hamcrest-core@1.3?type=jar","dependsOn":[]},{"ref":"pkg:maven/androidx.test/core@1.5.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.concurrent/concurrent-futures@1.1.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common@2.3.1?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","pkg:maven/androidx.test.services/storage@1.4.2?type=jar","pkg:maven/androidx.test/monitor@1.6.1?type=jar","pkg:maven/androidx.tracing/tracing@1.0.0?type=jar","pkg:maven/com.google.guava/listenablefuture@1.0?t
ype=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.8.22?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation-jvm@1.7.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.8.22?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.8.22?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.8.22?type=jar","pkg:maven/org.jetbrains/annotations@13.0?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.8.22?type=jar","dependsOn":[]},{"ref":"pkg:maven/androidx.test/monitor@1.6.1?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.test/annotation@1.0.1?type=jar","pkg:maven/androidx.tracing/tracing@1.0.0?type=jar"]},{"ref":"pkg:maven/androidx.test/annotation@1.0.1?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation-experimental@1.1.0?type=jar","pkg:maven/androidx.annotation/annotation-experimental@1.4.0?type=jar","pkg:maven/androidx.annotation/annotation@1.7.0?type=jar"]},{"ref":"pkg:maven/androidx.annotation/annotation-experimental@1.1.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/androidx.tracing/tracing@1.0.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar"]},{"ref":"pkg:maven/androidx.test.services/storage@1.4.2?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.test/annotation@1.0.1?type=jar","pkg:maven/androidx.test/monitor@1.6.1?type=jar","pkg:maven/com.google.code.findbugs/jsr305@2.0.2?type=jar"]},{"ref":"pkg:maven/com.google.code.findbugs/jsr305@2.0.2?type=jar","dependsOn":[]},{"ref":"pkg:maven/androidx.lifecycle/lifecycle-common@2.3.1?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar"]},{"ref":"pkg:maven/com.google.guava/list
enablefuture@1.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/androidx.concurrent/concurrent-futures@1.1.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/com.google.guava/listenablefuture@1.0?type=jar"]},{"ref":"pkg:maven/androidx.test/runner@1.5.2?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.test.services/storage@1.4.2?type=jar","pkg:maven/androidx.test/annotation@1.0.1?type=jar","pkg:maven/androidx.test/monitor@1.6.1?type=jar","pkg:maven/androidx.tracing/tracing@1.0.0?type=jar","pkg:maven/junit/junit@4.13.2?type=jar"]},{"ref":"pkg:maven/androidx.test.espresso/espresso-idling-resource@3.5.1?type=jar","dependsOn":[]},{"ref":"pkg:maven/com.squareup/javawriter@2.1.1?type=jar","dependsOn":[]},{"ref":"pkg:maven/javax.inject/javax.inject@1?type=jar","dependsOn":[]},{"ref":"pkg:maven/org.hamcrest/hamcrest-library@1.3?type=jar","dependsOn":["pkg:maven/org.hamcrest/hamcrest-core@1.3?type=jar"]},{"ref":"pkg:maven/org.hamcrest/hamcrest-integration@1.3?type=jar","dependsOn":["pkg:maven/org.hamcrest/hamcrest-library@1.3?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/junit/junit@4.13.2?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.8.22?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.8.22?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/and
roidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.8.22?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.8.22?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-test@1.7.1?type=jar"]},{"ref":"pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.runtime/runtime-android@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime-saveable@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.compose.runtime/runtime-saveable@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:
maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.runtime/runtime-saveable@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.runtime/runtime-saveable-android@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.ui/ui-geometry-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.compose.ui
/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.8.22?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.8.20?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.0?type=jar","pkg:maven/org.jetbrains.kotlinx/atomicfu@0.20.2?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core-jvm@1.7.1?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.8.20?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.8.20?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.8.22?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.8.20?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.8.22?type=jar"]},{"ref":"pkg:maven/org.j
etbrains.kotlinx/atomicfu@0.20.2?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.8.22?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-test@1.7.1?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.8.22?type=jar","pkg:maven/org.jetbrains.kotlinx/atomicfu@0.20.2?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-test-jvm@1.7.1?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.0?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.9.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.0?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.0?type=jar","pkg:maven/org.jetbrains/annotations@13.0?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.9.0?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.annotation/annotation-jvm@1.7.0?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains/annotations@13.0?type=jar","pkg:maven/org.jetbrains/annotations@23.0.0?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","dependsOn":[]},{"ref":"pkg:maven/androidx.annotation/annotation-experimental@1.4.0?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdli
b@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common-java8@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-livedata-core@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-process@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-savedstate@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-android@1.7.1?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-android@1.7.1?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.0?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-bom@1.7.1?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core-jvm@1.7.1?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.0?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-bom@1.7.1?type=jar","pkg:maven/org.jetbrains/annotations@23.0.0?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-bom@1.7.1?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-android@1.7.1?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core-jvm@1.7.1?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-test-jvm@1.7.1?type=jar","pkg:mave
n/org.jetbrains.kotlinx/kotlinx-coroutines-test@1.7.1?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-test-jvm@1.7.1?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.9.0?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-bom@1.7.1?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar","pkg:maven/org.jetbrains/annotations@23.0.0?type=jar"]},{"ref":"pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.arch.core/core-common@2.2.0?type=jar","pkg:maven/androidx.arch.core/core-runtime@2.2.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common-java8@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-livedata-core@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-process@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-savedstate@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","pkg:maven/androidx.profileinstaller/profileinstaller@1.3.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.lifecycle/lifecycle-runtime-ktx@2.7.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common-java8@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-livedata-core@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-process@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-ktx@2.7.0?type=jar","pkg:maven/a
ndroidx.lifecycle/lifecycle-viewmodel-savedstate@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-android@1.7.1?type=jar"]},{"ref":"pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common-java8@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-livedata-core@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-process@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-savedstate@2.7.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.lifecycle/lifecycle-viewmodel-ktx@2.7.0?type=jar","dependsOn":["pkg:maven/androidx.lifecycle/lifecycle-common-java8@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-livedata-core@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-process@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-savedstate@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-android@1.7.1?type=jar"]},{"ref":"pkg:maven/androidx.lifecycle/lifecycle-viewmodel-savedstate@2.7.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.core/core-ktx@1.12.0?type=j
ar","pkg:maven/androidx.lifecycle/lifecycle-common-java8@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-livedata-core@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-process@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","pkg:maven/androidx.savedstate/savedstate@1.2.1?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-android@1.7.1?type=jar"]},{"ref":"pkg:maven/androidx.lifecycle/lifecycle-livedata-core@2.7.0?type=jar","dependsOn":["pkg:maven/androidx.arch.core/core-common@2.2.0?type=jar","pkg:maven/androidx.arch.core/core-runtime@2.2.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common-java8@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-process@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-savedstate@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.material3/material3@1.2.1?type=jar","dependsOn":["pkg:maven/androidx.compose.foundation/foundation-layout@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-icons-core@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-ripple@1.6.5?type=jar","pkg:maven/androidx.compose.material3/material3-android@1.2.1?type=jar","pkg:maven/an
droidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.activity/activity@1.8.2?type=jar","pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.ui/ui-tooling-android@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview-android@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-test-junit4-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.activity/activity-compose@1.8.2?type=jar","pkg:maven/androidx.activity/activity@1.8.2?type=jar","pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.compose.runtime/runtime-saveable@1.6.5?type=jar","pkg:maven/androidx.compos
e.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","pkg:maven/androidx.test.espresso/espresso-core@3.5.1?type=jar","pkg:maven/androidx.test.espresso/espresso-idling-resource@3.5.1?type=jar","pkg:maven/androidx.test.ext/junit@1.1.5?type=jar","pkg:maven/androidx.test/core@1.5.0?type=jar","pkg:maven/androidx.test/monitor@1.6.1?type=jar","pkg:maven/junit/junit@4.13.2?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-test@1.7.1?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.activity/activity-ktx@1.8.2?type=jar","pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.autofill/autofill@1.0.0?type=jar","pkg:maven/androidx.collection/collection@1.4.0?type=jar","pkg:maven/androidx.compose.foundation/foundation@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime-saveable@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-t
est-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.core/core@1.12.0?type=jar","pkg:maven/androidx.customview/customview-poolingcontainer@1.0.0?type=jar","pkg:maven/androidx.emoji2/emoji2@1.3.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","pkg:maven/androidx.profileinstaller/profileinstaller@1.3.0?type=jar","pkg:maven/androidx.savedstate/savedstate-ktx@1.2.1?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-android@1.7.1?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-graphics-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.collection/collection@1.4.0?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@
1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.material3/material3-android@1.2.1?type=jar","dependsOn":["pkg:maven/androidx.activity/activity-compose@1.8.2?type=jar","pkg:maven/androidx.annotation/annotation-experimental@1.4.0?type=jar","pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.collection/collection@1.4.0?type=jar","pkg:maven/androidx.compose.animation/animation-core@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation-layout@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-icons-core@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-ripple@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common-java8@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","pkg:maven/androidx.savedstate/savedstate-ktx@1.2.1?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-tooling-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.activity/activity-compose@1.8.2?type=jar","pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.compose.animation/animation@1.6.5?type=jar","pkg:maven/androidx.compose.material/material@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit
4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","pkg:maven/androidx.savedstate/savedstate-ktx@1.2.1?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-tooling-preview-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.runtime/runtime-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.collection/collection@1.4.0?type=jar","pkg:maven/androidx.compose.runtime/runtime-saveable@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-and
roid@1.7.1?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar"]},{"ref":"pkg:maven/androidx.compose.runtime/runtime-saveable-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.foundation/foundation@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.collection/collection@1.4.0?type=jar","pkg:maven/androidx.compose.animation/animation@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation-android@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation-layout@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.foundation/foundation-layout@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.foundation/foundation-layout-android@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.material/material-icons-core@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.material/material-icons-core-android@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-ripple@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.material/material-ripple@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.foundation/foundation@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-icons-core@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-ripple-android@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.ui/ui-tooling-data-and
roid@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-test-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/androidx.core/core-ktx@1.12.0?type=jar","pkg:maven/androidx.test.espresso/espresso-core@3.5.1?type=jar","pkg:maven/androidx.test/monitor@1.6.1?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-test@1.7.1?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-geometry-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar
","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-text-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.collection/collection@1.4.0?type=jar","pkg:maven/androidx.compose.runtime/runtime-saveable@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/androidx.core/core@1.12.0?type=jar","pkg:maven/androidx.emoji2/emoji2@1.3.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-unit-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.collection/collection-ktx@1.4.0?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-juni
t4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-util-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-data@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.foundation/foundation-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.collection/collection@1.4.0?type=jar","pkg:maven/androidx.compose.animation/animation@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation-layout@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar"
,"pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/androidx.core/core@1.12.0?type=jar","pkg:maven/androidx.emoji2/emoji2@1.3.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.foundation/foundation-layout-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.compose.animation/animation-core@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/androidx.core/core@1.12.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.material/material-icons-core-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.material/material-ripple@1.6.5?type=jar","pkg:maven/androidx.compose.material/material@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.material/material-ripple-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.animation/animation@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-icons-core@1.6.5?type=jar","pkg:maven/androidx.compose.material/material@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.ui/ui-tooling-data-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose
.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-graphics@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-junit4@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test-manifest@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-test@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling-preview@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-tooling@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.animation/animation@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.animation/animation-android@1.6.5?type=jar","pkg:maven/androidx.compose.animation/animation-core@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation-layout@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.animation/animation-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.compose.animation/animation-core@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation-layout@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-geometry@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.animation/animation-core@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.animation/animation-core-android@1.6.5?type=jar","pkg:maven/androidx.compose.animation/animation@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlinx/kotl
inx-coroutines-core@1.7.1?type=jar"]},{"ref":"pkg:maven/androidx.compose.animation/animation-core-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.collection/collection@1.4.0?type=jar","pkg:maven/androidx.compose.animation/animation@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-unit@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlinx/kotlinx-coroutines-core@1.7.1?type=jar"]},{"ref":"pkg:maven/androidx.activity/activity@1.8.2?type=jar","dependsOn":["pkg:maven/androidx.activity/activity-compose@1.8.2?type=jar","pkg:maven/androidx.activity/activity-ktx@1.8.2?type=jar","pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.collection/collection@1.4.0?type=jar","pkg:maven/androidx.core/core@1.12.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-savedstate@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","pkg:maven/androidx.profileinstaller/profileinstaller@1.3.0?type=jar","pkg:maven/androidx.savedstate/savedstate@1.2.1?type=jar","pkg:maven/androidx.tracing/tracing@1.0.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.core/core@1.12.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation-experimental@1.3.0?type=jar","pkg:maven/androidx.annotation/annotation-experimental@1.4.0?type=jar","pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.collection/collection@1.4.0?type=jar","pkg:maven/androidx.concurrent/concurrent-futures@1.1.0?type=jar","pkg:maven/androidx.core/core-ktx@1.12.0?type=jar","pkg:m
aven/androidx.interpolator/interpolator@1.0.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","pkg:maven/androidx.versionedparcelable/versionedparcelable@1.1.1?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.arch.core/core-common@2.2.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar"]},{"ref":"pkg:maven/androidx.versionedparcelable/versionedparcelable@1.1.1?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.collection/collection@1.4.0?type=jar"]},{"ref":"pkg:maven/androidx.collection/collection@1.4.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.collection/collection-jvm@1.4.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.collection/collection-jvm@1.4.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.collection/collection-ktx@1.4.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.core/core-ktx@1.12.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.core/core@1.12.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.savedstate/savedstate@1.2.1?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.arch.core/core-common@2.2.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","pkg:maven/androidx.savedstate/savedstate-ktx@1.2.1?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.savedstate/savedstate-ktx@1.2.1?type=jar","dependsOn":["pkg:maven/androidx.savedstate/savedstate@1.2.1?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.
activity/activity-compose@1.8.2?type=jar","dependsOn":["pkg:maven/androidx.activity/activity-ktx@1.8.2?type=jar","pkg:maven/androidx.activity/activity@1.8.2?type=jar","pkg:maven/androidx.compose.runtime/runtime-saveable@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.activity/activity-ktx@1.8.2?type=jar","dependsOn":["pkg:maven/androidx.activity/activity-compose@1.8.2?type=jar","pkg:maven/androidx.activity/activity@1.8.2?type=jar","pkg:maven/androidx.core/core-ktx@1.12.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-ktx@2.7.0?type=jar","pkg:maven/androidx.savedstate/savedstate-ktx@1.2.1?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-reflect@1.9.10?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/com.squareup.okhttp3/okhttp@4.8.0?type=jar","dependsOn":["pkg:maven/com.squareup.okio/okio@2.7.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/com.squareup.okio/okio@2.7.0?type=jar","dependsOn":["pkg:maven/com.squareup.okio/okio-metadata@2.7.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.lifecycle/lifecycle-process@2.7.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common-java8@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-livedata-core@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime-ktx@2.7.0?type=jar
","pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-savedstate@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","pkg:maven/androidx.startup/startup-runtime@1.1.1?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.collection/collection-ktx@1.4.0?type=jar","dependsOn":["pkg:maven/androidx.collection/collection@1.4.0?type=jar"]},{"ref":"pkg:maven/androidx.interpolator/interpolator@1.0.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar"]},{"ref":"pkg:maven/androidx.arch.core/core-runtime@2.2.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.arch.core/core-common@2.2.0?type=jar"]},{"ref":"pkg:maven/androidx.profileinstaller/profileinstaller@1.3.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.concurrent/concurrent-futures@1.1.0?type=jar","pkg:maven/androidx.startup/startup-runtime@1.1.1?type=jar","pkg:maven/com.google.guava/listenablefuture@1.0?type=jar"]},{"ref":"pkg:maven/androidx.startup/startup-runtime@1.1.1?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.tracing/tracing@1.0.0?type=jar"]},{"ref":"pkg:maven/androidx.autofill/autofill@1.0.0?type=jar","dependsOn":["pkg:maven/androidx.core/core@1.12.0?type=jar"]},{"ref":"pkg:maven/androidx.emoji2/emoji2@1.3.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.collection/collection@1.4.0?type=jar","pkg:maven/androidx.core/core@1.12.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-process@2.7.0?type=jar","pkg:maven/androidx.startup/startup-runtime@1.1.1?type=jar"]},{"ref":"pkg:maven/androidx.customview/customview-poolingcontainer@1.0.0?type=jar","dependsOn":["pkg:maven/
androidx.core/core-ktx@1.12.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.lifecycle/lifecycle-common-java8@2.7.0?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-common@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-livedata-core@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-process@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-ktx@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel-savedstate@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar"]},{"ref":"pkg:maven/androidx.compose.material/material@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.compose.material/material-android@1.6.5?type=jar"]},{"ref":"pkg:maven/androidx.compose.material/material-android@1.6.5?type=jar","dependsOn":["pkg:maven/androidx.annotation/annotation@1.7.0?type=jar","pkg:maven/androidx.compose.animation/animation-core@1.6.5?type=jar","pkg:maven/androidx.compose.animation/animation@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation-layout@1.6.5?type=jar","pkg:maven/androidx.compose.foundation/foundation@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-icons-core@1.6.5?type=jar","pkg:maven/androidx.compose.material/material-ripple@1.6.5?type=jar","pkg:maven/androidx.compose.runtime/runtime@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-text@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui-util@1.6.5?type=jar","pkg:maven/androidx.compose.ui/ui@1.6.5?type=jar","pkg:maven/androidx.lifecycle/lifecycle-runtime@2.7.0?type=jar","pkg:maven/androidx.lifecycle/lifecycle-viewmodel@2.7.0?type=jar","pkg:maven/androidx.savedstate/savedstate@1.2.1?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar"]},{"ref":"
pkg:maven/androidx.annotation/annotation-experimental@1.3.0?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.10?type=jar"]},{"ref":"pkg:maven/com.squareup.okio/okio-metadata@2.7.0?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-common@1.9.10?type=jar"]},{"ref":"pkg:maven/androidx.compose.compiler/compiler@1.5.1?type=jar","dependsOn":[]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-build-tools-impl@1.9.0?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-build-tools-api@1.9.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.0?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-build-tools-api@1.9.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-compiler-embeddable@1.9.0?type=jar","dependsOn":["pkg:maven/org.jetbrains.intellij.deps/trove4j@1.0.20200330?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-daemon-embeddable@1.9.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-reflect@1.6.10?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-script-runtime@1.9.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.0?type=jar"]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-script-runtime@1.9.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-reflect@1.6.10?type=jar","dependsOn":[]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-daemon-embeddable@1.9.0?type=jar","dependsOn":[]},{"ref":"pkg:maven/org.jetbrains.intellij.deps/trove4j@1.0.20200330?type=jar","dependsOn":[]},{"ref":"pkg:maven/org.jetbrains.kotlin/kotlin-klib-commonizer-embeddable@1.9.0?type=jar","dependsOn":["pkg:maven/org.jetbrains.kotlin/kotlin-compiler-embeddable@1.9.0?type=jar","pkg:maven/org.jetbrains.kotlin/kotlin-stdlib@1.9.0?type=jar"]}]} \ No newline at end of file diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0022/run.sh b/demos/android/MASVS-CODE/MASTG-DEMO-0022/run.sh new file mode 100644 index 0000000000..9ca300887f --- /dev/null 
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0022/run.sh
@@ -0,0 +1 @@
+cdxgen -t java -o sbom.json
\ No newline at end of file
diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/MASTG-DEMO-0020.md b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/MASTG-DEMO-0020.md
index 5e7fa5ad0d..5a081ea85f 100644
--- a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/MASTG-DEMO-0020.md
+++ b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/MASTG-DEMO-0020.md
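Review bot: `run.sh` has no shebang and calls `cdxgen` without a path argument, so the SBOM describes whatever directory the script is started from; a first line `#!/bin/bash` and a comment such as `# run from the root of the Android project; writes sbom.json into the current directory` would make that explicit. The sbom.json added alongside it lists build tooling such as `kotlin-compiler-embeddable@1.9.0` and `kotlin-build-tools-impl@1.9.0`, which suggests the scan covers build-time configurations as well as what ships in the APK. A comment saying that findings against those components have to be separated from the app's runtime dependencies before they are reported against the app would help readers of the demo.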
@@ -3,33 +3,25 @@ platform: ios
 title: Usage of Insecure iOS Dependencies
 id: MASTG-DEMO-0020
 code: [java]
-test: MASTG-TEST-0216
+test: MASTG-TEST-0215
 ---
 
 ### Sample
 
-{{ MastgTest.kt # MastgTest_reversed.java }}
+{{ Package.resolved # Package.resolved }}
 
 ### Steps
 
-Let's run our @MASTG-TOOL-0116 rule against the sample code.
-
-{{ ../../../../rules/mastg-android-insecure-random-use.yml }}
+Let's run @MASTG-TOOL-0116 in the root directory of the Xcode project.
 
 {{ run.sh }}
 
 ### Observation
 
-The rule has identified XXX instances in the code file where an insecure random number generator is used. The specified line numbers can be located in the original code for further investigation and remediation.
+The SARIF file can be opened by using @MASTG-TOOL-0118 for analyzing the identified vulnerabilities.
 
 {{ output.txt }}
 
 ### Evaluation
 
-Review each of the reported instances.
-
-- Line 12 seems to be used to generate random numbers for security purposes, in this case for generating authentication tokens.
-- Line 17 is part of the function `get_random`. Review any calls to this function to ensure that the random number is not used in a security-relevant context.
-- Line 27 is part of the password generation function which is a security-critical operation.
-
-Note that line 37 did not trigger the rule because the random number is generated using `SecureRandom` which is a secure random number generator.
+Review each of the reported instances, as it can contain false positives. The library `swift-nio` has at least 2 known vulnerabilities as part of Swift with CVE-2022-3918 and CVE-2022-1642 and should be updated to the latest version.
diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output copy.sarif b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output copy.sarif
new file mode 100644
index 0000000000..24a44c931b
--- /dev/null
+++ b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output copy.sarif
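Review bot: The new Evaluation line presents CVE-2022-3918 and CVE-2022-1642 as vulnerabilities of `swift-nio`, but the SARIF added in this commit shows the package identified as `cpe:2.3:a:apple:swift:2.33.0`, which suggests the swift-nio version number was compared against the Swift toolchain. Both advisory texts describe swift-corelibs-foundation, and the CVE-2022-1642 text says Swift on Darwin-based operating systems is not affected, so these look like the false positives that the first half of the sentence warns about. I would reword the second sentence along the lines of `The findings are matched through the CPE apple:swift and describe swift-corelibs-foundation; confirm that they apply to swift-nio on iOS before treating them as vulnerabilities of the app.` In the same hunk the front matter keeps `code: [java]` for an iOS demo, and the Observation embeds `{{ output.txt }}` while the result file added next to it is named `output copy.sarif`.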
@@ -0,0 +1 @@ +{"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json","version": "2.1.0","runs": [{"tool": {"driver": {"name": "dependency-check","version": "10.0.4","informationUri": "https://jeremylong.github.io/DependencyCheck/","rules": [{"id": "CVE-2020-9861","shortDescription": {"text": "high severity - CVE-2020-9861 Uncontrolled Recursion vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "A stack overflow issue existed in Swift for Linux. The issue was addressed with improved input validation for dealing with deeply nested malicious JSON input."},"help": {"text": "","markdown": "For more information see [CVE-2020-9861](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9861).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 5.0,"cvssv2_accessVector": "NETWORK","cvssv2_accessComplexity": "LOW","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "NONE","cvssv2_integrityImpact": "NONE","cvssv2_availabilityImpact": "PARTIAL","cvssv2_severity": "MEDIUM","cvssv3_baseScore": 7.5,"security-severity": "7.5","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "NONE","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "NONE","cvssv3_integrityImpact": "NONE","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "3.9","cvssv3_impactScore": "3.6","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2022-1642","shortDescription": {"text": "high 
severity - CVE-2022-1642 Incorrect Type Conversion or Cast vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. This vulnerability is caused by the interaction between a deserialization mechanism offered by the Swift standard library, the Codable protocol; and the JSONDecoder class offered by swift-corelibs-foundation, which can deserialize types that adopt the Codable protocol based on the content of a provided JSON document. When a type that adopts Codable requests the initialization of a field with an integer value, the JSONDecoder class uses a type-erased container with different accessor methods to attempt and coerce a corresponding JSON value and produce an integer. In the case the JSON value was a numeric literal with a floating-point portion, JSONDecoder used different type-eraser methods during validation than it did during the final casting of the value. The checked casting produces a deterministic crash due to this mismatch. The JSONDecoder class is often wrapped by popular Swift-based web frameworks to parse the body of HTTP requests and perform basic type validation. This makes the attack low-effort: sending a specifically crafted JSON document during a request to these endpoints will cause them to crash. The attack does not have any confidentiality or integrity risks in and of itself; the crash is produced deterministically by an abort function that ensures that execution does not continue in the face of this violation of assumptions. However, unexpected crashes can lead to violations of invariants in services, so it's possible that this attack can be used to trigger error conditions that escalate the risk. Producing a denial of service may also be the goal of an attacker in itself. This issue is solved in Swift 5.6.2 for Linux and Windows. 
This issue was solved by ensuring that the same methods are invoked both when validating and during casting, so that no type mismatch occurs. Swift for Linux and Windows versions are not ABI-interchangeable. To upgrade a service, its owner must update to this version of the Swift toolchain, then recompile and redeploy their software. The new version of Swift includes an updated swift-corelibs-foundation package. Versions of Swift running on Darwin-based operating systems are not affected."},"help": {"text": "","markdown": "For more information see [CVE-2022-1642](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1642).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 5.0,"cvssv2_accessVector": "NETWORK","cvssv2_accessComplexity": "LOW","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "NONE","cvssv2_integrityImpact": "NONE","cvssv2_availabilityImpact": "PARTIAL","cvssv2_severity": "MEDIUM","cvssv3_baseScore": 7.5,"security-severity": "7.5","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "NONE","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "NONE","cvssv3_integrityImpact": "NONE","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "3.9","cvssv3_impactScore": "3.6","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2022-3918","shortDescription": {"text": "high severity - CVE-2022-3918 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in 
pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "A program using FoundationNetworking in swift-corelibs-foundation is potentially vulnerable to CRLF ( ) injection in URLRequest headers. In this vulnerability, a client can insert one or several CRLF sequences into a URLRequest header value. When that request is sent via URLSession to an HTTP server, the server may interpret the content after the CRLF as extra headers, or even a second request. For example, consider a URLRequest to http:\/\/example.com\/ with the GET method. Suppose we set the URLRequest header \"Foo\" to the value \"Bar Extra-Header: Added GET \/other HTTP\/1.1\". When this request is sent, it will appear to the server as two requests: GET \/ HTTP\/1.1 Foo: Bar Extra-Header: Added GET \/other HTTP\/1.1 In this manner, the client is able to inject extra headers and craft an entirely new request to a separate path, despite only making one API call in URLSession. If a developer has total control over the request and its headers, this vulnerability may not pose a threat. However, this vulnerability escalates if un-sanitized user input is placed in header values. If so, a malicious user could inject new headers or requests to an intermediary or backend server. Developers should be especially careful to sanitize user input in this case, or upgrade their version of swift-corelibs-foundation to include the patch below."},"help": {"text": "","markdown": "For more information see [CVE-2022-3918](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3918).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. 
For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv3_baseScore": 8.8,"security-severity": "8.8","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "LOW","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "HIGH","cvssv3_integrityImpact": "HIGH","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "2.8","cvssv3_impactScore": "5.9","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2019-8790","shortDescription": {"text": "medium severity - CVE-2019-8790 Insecure Storage of Sensitive Information vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "This issue was addresses by updating incorrect URLSession file descriptors management logic to match Swift 5.0. This issue is fixed in Swift 5.1.1 for Ubuntu. Incorrect management of file descriptors in URLSession could lead to inadvertent data disclosure."},"help": {"text": "","markdown": "For more information see [CVE-2019-8790](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8790).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. 
For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 2.1,"cvssv2_accessVector": "LOCAL","cvssv2_accessComplexity": "LOW","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "PARTIAL","cvssv2_integrityImpact": "NONE","cvssv2_availabilityImpact": "NONE","cvssv2_severity": "LOW","cvssv3_baseScore": 5.5,"security-severity": "5.5","cvssv3_attackVector": "LOCAL","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "LOW","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "HIGH","cvssv3_integrityImpact": "NONE","cvssv3_availabilityImpact": "NONE","cvssv3_baseSeverity": "MEDIUM","cvssv3_exploitabilityScore": "1.8","cvssv3_impactScore": "3.6","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2018-4220","shortDescription": {"text": "high severity - CVE-2018-4220 Incorrect Permission Assignment for Critical Resource vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "An issue was discovered in certain Apple products. Swift before 4.1.1 Security Update 2018-001 is affected. The issue involves the \"Swift for Ubuntu\" component. It allows attackers to execute arbitrary code in a privileged context because write and execute permissions are enabled during library loading."},"help": {"text": "","markdown": "For more information see [CVE-2018-4220](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4220).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. 
For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 9.3,"cvssv2_accessVector": "NETWORK","cvssv2_accessComplexity": "MEDIUM","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "COMPLETE","cvssv2_integrityImpact": "COMPLETE","cvssv2_availabilityImpact": "COMPLETE","cvssv2_severity": "HIGH","cvssv3_baseScore": 8.8,"security-severity": "8.8","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "NONE","cvssv3_userInteraction": "REQUIRED","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "HIGH","cvssv3_integrityImpact": "HIGH","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "2.8","cvssv3_impactScore": "5.9","cvssv3_version": "_3_0","source": "NVD"}}],"properties": {"disclaimer": "Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.","nvd": "This product uses the NVD API but is not endorsed or certified by the NVD. 
This report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov","cisa": "This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog","npm": "This report may contain data retrieved from the the Github Advisory Database (via NPM Audit API): https://github.com/advisories/","retirejs": "This report may contain data retrieved from the RetireJS community: https://retirejs.github.io/retire.js/","ossindex": "This report may contain data retrieved from the Sonatype OSS Index: https://ossindex.sonatype.org","NVD API Last Checked": "2024-10-16T06:07:56+02","NVD API Last Modified": "2024-10-16T03:15:02Z"}}},"artifacts": [{"location": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved"},"properties": {"id1": "pkg:swift\/swift-nio@2.33.0","vid1": "cpe:2.3:a:apple:swift:2.33.0:*:*:*:*:*:*:*","vid2": "cpe:2.3:a:apple:swift_foundation:2.33.0:*:*:*:*:*:*:*"}}],"results": [ {"ruleId": "CVE-2018-4220","level": "warning","message": {"text": "CVE-2018-4220 - An issue was discovered in certain Apple products. Swift before 4.1.1 Security Update 2018-001 is affected. The issue involves the \"Swift for Ubuntu\" component. 
It allows attackers to execute arbitrary code in a privileged context because write and execute permissions are enabled during library loading."},"partialFingerprints": {"vulnerabilityHash": "3f758c43ed8a0566a7f3f5f4f46bae5f"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2022-3918","level": "warning","message": {"text": "CVE-2022-3918 - A program using FoundationNetworking in swift-corelibs-foundation is potentially vulnerable to CRLF ( ) injection in URLRequest headers. In this vulnerability, a client can insert one or several CRLF sequences into a URLRequest header value. When that request is sent via URLSession to an HTTP server, the server may interpret the content after the CRLF as extra headers, or even a second request. For example, consider a URLRequest to http:\/\/example.com\/ with the GET method. Suppose we set the URLRequest header \"Foo\" to the value \"Bar Extra-Header: Added GET \/other HTTP\/1.1\". When this request is sent, it will appear to the server as two requests: GET \/ HTTP\/1.1 Foo: Bar Extra-Header: Added GET \/other HTTP\/1.1 In this manner, the client is able to inject extra headers and craft an entirely new request to a separate path, despite only making one API call in URLSession. If a developer has total control over the request and its headers, this vulnerability may not pose a threat. However, this vulnerability escalates if un-sanitized user input is placed in header values. If so, a malicious user could inject new headers or requests to an intermediary or backend server. 
Developers should be especially careful to sanitize user input in this case, or upgrade their version of swift-corelibs-foundation to include the patch below."},"partialFingerprints": {"vulnerabilityHash": "6ea52063e689446a344d211c519a3556"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2020-9861","level": "warning","message": {"text": "CVE-2020-9861 - A stack overflow issue existed in Swift for Linux. The issue was addressed with improved input validation for dealing with deeply nested malicious JSON input."},"partialFingerprints": {"vulnerabilityHash": "ad32e387d304c49cc53ee1feabc845c8"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2022-1642","level": "warning","message": {"text": "CVE-2022-1642 - A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. This vulnerability is caused by the interaction between a deserialization mechanism offered by the Swift standard library, the Codable protocol; and the JSONDecoder class offered by swift-corelibs-foundation, which can deserialize types that adopt the Codable protocol based on the content of a provided JSON document. 
When a type that adopts Codable requests the initialization of a field with an integer value, the JSONDecoder class uses a type-erased container with different accessor methods to attempt and coerce a corresponding JSON value and produce an integer. In the case the JSON value was a numeric literal with a floating-point portion, JSONDecoder used different type-eraser methods during validation than it did during the final casting of the value. The checked casting produces a deterministic crash due to this mismatch. The JSONDecoder class is often wrapped by popular Swift-based web frameworks to parse the body of HTTP requests and perform basic type validation. This makes the attack low-effort: sending a specifically crafted JSON document during a request to these endpoints will cause them to crash. The attack does not have any confidentiality or integrity risks in and of itself; the crash is produced deterministically by an abort function that ensures that execution does not continue in the face of this violation of assumptions. However, unexpected crashes can lead to violations of invariants in services, so it's possible that this attack can be used to trigger error conditions that escalate the risk. Producing a denial of service may also be the goal of an attacker in itself. This issue is solved in Swift 5.6.2 for Linux and Windows. This issue was solved by ensuring that the same methods are invoked both when validating and during casting, so that no type mismatch occurs. Swift for Linux and Windows versions are not ABI-interchangeable. To upgrade a service, its owner must update to this version of the Swift toolchain, then recompile and redeploy their software. The new version of Swift includes an updated swift-corelibs-foundation package. 
Versions of Swift running on Darwin-based operating systems are not affected."},"partialFingerprints": {"vulnerabilityHash": "50e80d7087d1cf08bbc18924970c6f6a"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2019-8790","level": "warning","message": {"text": "CVE-2019-8790 - This issue was addresses by updating incorrect URLSession file descriptors management logic to match Swift 5.0. This issue is fixed in Swift 5.1.1 for Ubuntu. Incorrect management of file descriptors in URLSession could lead to inadvertent data disclosure."},"partialFingerprints": {"vulnerabilityHash": "f59a361684f99f0204c2ab5c2a16daf7"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}]}]} \ No newline at end of file diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0023/MASTG-DEMO-0023.md b/demos/ios/MASVS-CODE/MASTG-DEMO-0023/MASTG-DEMO-0023.md new file mode 100644 index 0000000000..b69a4f9c14 --- /dev/null +++ b/demos/ios/MASVS-CODE/MASTG-DEMO-0023/MASTG-DEMO-0023.md 
@@ -0,0 +1,24 @@
+---
+platform: ios
+title: Identifying Insecure Dependencies in SwiftPM through SBOM creation
+id: MASTG-DEMO-0023
+test: MASTG-TEST-0215
+---
+
+### Steps
+
+Execute `cdxgen` in the root directory of the Xcode project.
+
+{{ run.sh }}
+
+This will create a SBOM file that can be uploaded to @MASTG-TOOL-0117 by following @MASTG-TECH-0112.
+
+### Observation
+
+In the project of @MASTG-TOOL-0117, where the SBOM has been uploaded, the scan should have identified 2 unique dependencies (components) with 2 vulnerable dependencies and 2 vulnerabilities (as more vulnerabilities might be found over time this number might increase).
+
+{{ output.txt }}
+
+### Evaluation
+
+Review each of the reported instances. The dependency `swift-nio` has 2 known vulnerabilities and should be updated to the latest version.
diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0023/output.txt b/demos/ios/MASVS-CODE/MASTG-DEMO-0023/output.txt
new file mode 100644
index 0000000000..1280d22f19
--- /dev/null
+++ b/demos/ios/MASVS-CODE/MASTG-DEMO-0023/output.txt
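Review bot: The Observation and Evaluation paragraphs do not agree: the first reports 2 vulnerable dependencies and 2 vulnerabilities, the second names only `swift-nio` with 2 known vulnerabilities and gives no advisory identifiers a reader could verify. The output.txt added next lists `swift-nio` at 1.4.0, while the dependency-check SARIF in this commit reports `swift-nio@2.33.0` for the same Package.resolved path, and the SBOM also contains `pkg:github/actions/checkout@v4`, a CI action rather than a library linked into the app. I would state the affected component with its version and the advisory identifiers in the Evaluation, and say which component types count towards the totals. The Steps text points to @MASTG-TECH-0112, which the first patch of this series creates under techniques/android; if the numbering is unchanged, the iOS technique would be the one to reference.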
@@ -0,0 +1 @@ +{"bomFormat":"CycloneDX","specVersion":"1.5","serialNumber":"urn:uuid:54c73891-97b0-40be-90a1-a432ffc62330","version":1,"metadata":{"timestamp":"2024-10-20T17:34:54Z","tools":{"components":[{"group":"@cyclonedx","name":"cdxgen","version":"10.10.5","purl":"pkg:npm/%40cyclonedx/cdxgen@10.10.5","type":"application","bom-ref":"pkg:npm/@cyclonedx/cdxgen@10.10.5","author":"OWASP Foundation","publisher":"OWASP Foundation"}]},"authors":[{"name":"OWASP Foundation"}],"lifecycles":[{"phase":"build"}],"component":{"group":"","name":"MASTestApp-iOS-MASWE-0076","version":"latest","type":"application","bom-ref":"pkg:swift/MASTestApp-iOS-MASWE-0076@latest","purl":"pkg:swift/MASTestApp-iOS-MASWE-0076@latest"},"properties":[{"name":"cdx:bom:componentTypes","value":"github\\nswift"},{"name":"cdx:bom:componentNamespaces","value":"actions\\ngithub.com/apple"}]},"components":[{"group":"actions","name":"checkout","version":"v4","purl":"pkg:github/actions/checkout@v4","type":"application","bom-ref":"pkg:github/actions/checkout@v4"},{"group":"github.com/apple","name":"swift-nio","version":"1.4.0","purl":"pkg:swift/github.com/apple/swift-nio@1.4.0","externalReferences":[{"type":"vcs","url":"https://github.com/apple/swift-nio.git"}],"type":"library","bom-ref":"pkg:swift/github.com/apple/swift-nio@1.4.0","evidence":{"identity":{"field":"purl","confidence":1,"methods":[{"technique":"manifest-analysis","confidence":1,"value":"/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"}]}},"properties":[{"name":"SrcFile","value":"/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"}]},{"group":"github.com/apple","name":"swift-nio-zlib-support","version":"1.0.0","purl":"pkg:swift/github.com/apple/swift-nio-zlib-support@1.0.0","externalReferences":[{"type":"vcs","url":"https://github.com/apple/swift-nio-zlib-support
.git"}],"type":"library","bom-ref":"pkg:swift/github.com/apple/swift-nio-zlib-support@1.0.0","evidence":{"identity":{"field":"purl","confidence":1,"methods":[{"technique":"manifest-analysis","confidence":1,"value":"/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"}]}},"properties":[{"name":"SrcFile","value":"/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"}]}],"services":[],"dependencies":[]} \ No newline at end of file diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0023/run.sh b/demos/ios/MASVS-CODE/MASTG-DEMO-0023/run.sh new file mode 100644 index 0000000000..36b35255d2 --- /dev/null +++ b/demos/ios/MASVS-CODE/MASTG-DEMO-0023/run.sh @@ -0,0 +1 @@ +cdxgen -o sbom.json \ No newline at end of file From 2bf4530687ba1b77175a28de59e73bae9258d071 Mon Sep 17 00:00:00 2001 From: Sven Schleier Date: Sun, 20 Oct 2024 19:49:55 +0200 Subject: [PATCH 06/17] added newline --- techniques/android/MASTG-TECH-0112.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/techniques/android/MASTG-TECH-0112.md b/techniques/android/MASTG-TECH-0112.md index a8be53ed0e..73c5bc135b 100644 --- a/techniques/android/MASTG-TECH-0112.md +++ b/techniques/android/MASTG-TECH-0112.md @@ -74,4 +74,4 @@ BUILD SUCCESSFUL in 6s 1 actionable task: 1 executed ``` -The report was generated in 3 different formats (HTML, JSON and XML) and can be found in the project directory in `app/build/reports`. \ No newline at end of file +The report was generated in 3 different formats (HTML, JSON and XML) and can be found in the project directory in `app/build/reports`. From cf4bf10449ee6fd4d829ed3ca17678ab8f855468 Mon Sep 17 00:00:00 2001 
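Review bot: `cdxgen -o sbom.json` in run.sh lets cdxgen auto-detect every project type under the working directory, and the committed output.txt shows the effect: `cdx:bom:componentTypes` is `github\\nswift` and `pkg:github/actions/checkout@v4` is listed as a component beside the two SwiftPM packages. For a demo about SwiftPM dependencies I would pin the type, `cdxgen -t swift -o sbom.json`, so CI workflow actions do not inflate the component count the demo text reports. The generated SBOM also records the absolute checkout path of the machine it ran on in its `SrcFile` and `evidence` fields; generating it from a neutral path, or trimming those fields before committing, avoids publishing a local username. A one-line comment in run.sh such as `# run from the Xcode project root; writes sbom.json (CycloneDX)` would also document the expected working directory.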
From: Sven Schleier
Date: Tue, 29 Oct 2024 07:06:12 +0100
Subject: [PATCH 07/17] splitted SBOM and dependency-check into 2 techniques for iOS and added blint
---
 techniques/ios/MASTG-TECH-0113.md | 48 ++++++-------------------------
 techniques/ios/MASTG-TECH-0114.md | 36 +++++++++++++++++++++++
 tools/android/MASTG-TOOL-0120.md | 11 +++++++
 3 files changed, 55 insertions(+), 40 deletions(-)
 create mode 100644 techniques/ios/MASTG-TECH-0114.md
 create mode 100644 tools/android/MASTG-TOOL-0120.md
diff --git a/techniques/ios/MASTG-TECH-0113.md b/techniques/ios/MASTG-TECH-0113.md
index 4afca31d2f..d870158dd7 100644
--- a/techniques/ios/MASTG-TECH-0113.md
+++ b/techniques/ios/MASTG-TECH-0113.md
@@ -1,21 +1,13 @@ --- -title: Software Composition Analysis (SCA) of iOS Dependencies +title: Software Composition Analysis (SCA) of iOS Dependencies by Creating a SBOM platform: ios --- -iOS has several dependency managers, where the most popular are: +@MASTG-TOOL-0119 can be used to create a so called Software Bill of Material (SBOM) in the CycloneDX format. -- [Carthage](https://github.com/Carthage/Carthage), -- [CocoaPods](https://github.com/CocoaPods/CocoaPods) and -- [SwiftPM](https://github.com/swiftlang/swift-package-manager) (Swift Package Manager) +> Note: Currently only SwiftPM is supported, not Carthage and CocoaPods. -The dependencies will be integrated into the project during the build and compiled into the IPA, therefore we cannot scan the IPA file. - -Depending on the Package Manager used, you have different options to execute a scan. Keep in mind that developers may use more than one dependency manager and you might need to execute therefore more than one scan. - -## SwiftPM - -@MASTG-TOOL-0119 can be used to create a so called Software Bill of Material (SBOM) in the CycloneDX format. Navigate to the root directory of the Xcode project you want to scan and execute the following command: +Navigate to the root directory of the Xcode project you want to scan and execute the following command: ```bash $ cdxgen -o sbom.json 
@@ -31,35 +23,11 @@ $ curl -X "PUT" "http://localhost:8081/api/v1/bom" \ -d $'{ "project": "", "bom": "" - }' + }' ``` -Go to frontend of dependency-check, which is , if you are using the default settings of the dependency-track docker container. Open the project you uploaded the SBOM to and you can verify if there are any vulnerable dependencies. - -> Note: Transitive dependencies are not supported by @MASTG-TOOL-0117 for [SwiftPM](https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES). - -## Carthage, CocoaPods and SwiftPM - -Tools like @MASTG-TOOL-0116 can be used to scan the files created by all 3 dependency managers, which list the dependencies and their versions built into the iOS app. Once identified such tools will identify known vulnerabilities in the dependencies by comparing them to a vulnerability database (like the National Vulnerability Database, NVD). - -> Note that @MASTG-TOOL-0116 does support [Carthage](https://jeremylong.github.io/DependencyCheck/analyzers/carthage.html), [CocoaPods](https://jeremylong.github.io/DependencyCheck/analyzers/cocoapods.html) and [SwiftPM](https://jeremylong.github.io/DependencyCheck/analyzers/swift.html), but the analyzers are considered experimental. While this analyzer may be useful and provide valid results more testing must be completed to ensure that the false negative/false positive rates are acceptable. - -In order to test with @MASTG-TOOL-0116 for dependencies with known vulnerabilities, we need to retrieve the corresponding file of the dependency manager used: +> Check also [alternatives for uploading](https://docs.dependencytrack.org/usage/cicd/) the SBOM file, in case the produced json file is too large. -- For Carthage it is the file `Cartfile.resolved`. 
-- For CocoaPods it is the file `*.podspec` or `Podfile.lock` -- For SwiftPM it is the file `Package.swift` or `Package.resolved` +Go to the frontend of @MASTG-TOOL-0117, which is , if you are using the default settings of the @MASTG-TOOL-0118 docker container. Open the project you uploaded the SBOM to and you can verify if there are any vulnerable dependencies. -When scanning with @MASTG-TOOL-0116 it is sufficient to scan the file created by the dependency manager. - -Before we can run the scan, you will need to obtain an API key for NVD, which is used to retrieve the latest CVE information. The API Key to access the NVD API can be requested from . - -To start a scan for a project using SwiftPM, execute the following command: - -```bash -$ dependency-check --enableExperimental -f SARIF --nvdApiKey -s Package.resolved -``` - -The output will be a SARIF file, which can be viewed in @MASTG-TOOL-0118 by using the Sarif Viewer Plugin. If any known vulnerabilities were identified, it will list them and their CVE number and description. - -When scanning for CocoaPods or Carthage you can re-use the same command, but scanning the corresponding file of the dependency manager instead. +> Note: Transitive dependencies are not supported by @MASTG-TOOL-0117 for [SwiftPM](https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES). diff --git a/techniques/ios/MASTG-TECH-0114.md b/techniques/ios/MASTG-TECH-0114.md new file mode 100644 index 0000000000..0e6b2331d6 --- /dev/null +++ b/techniques/ios/MASTG-TECH-0114.md 
@@ -0,0 +1,36 @@
+---
+title: Software Composition Analysis (SCA) of iOS Dependencies by Scanning Package Manager Artifacts
+platform: ios
+---
+
+iOS has several dependency managers, where the most popular are:
+
+- [Carthage](https://github.com/Carthage/Carthage),
+- [CocoaPods](https://github.com/CocoaPods/CocoaPods) and
+- [SwiftPM](https://github.com/swiftlang/swift-package-manager) (Swift Package Manager)
+
+The dependencies are integrated into the project during build and compiled into the IPA. The version information of the dependencies may be stripped out during compilation, so we cannot scan the IPA file, but we can scan the artifacts produced by the dependency managers.
+
+Tools such as @MASTG-TOOL-0116 can be used to scan the files created by all three dependency managers, which list the dependencies and their versions that will be included in the iOS app. Once identified, such tools will search for known vulnerabilities in the dependencies by checking them against a vulnerability database (such as the National Vulnerability Database, NVD).
+
+> Note that @MASTG-TOOL-0116 does support [Carthage](https://jeremylong.github.io/DependencyCheck/analyzers/carthage.html), [CocoaPods](https://jeremylong.github.io/DependencyCheck/analyzers/cocoapods.html) and [SwiftPM](https://jeremylong.github.io/DependencyCheck/analyzers/swift.html), but the analyzers are considered experimental. While this analyzer may be useful and provide valid results more testing must be completed to ensure that the false negative/positive rates are acceptable.
+
+In order to test with @MASTG-TOOL-0116, we need to retrieve the corresponding file of the dependency manager used:
+
+- For Carthage it is the file `Cartfile.resolved`.
+- For CocoaPods it is the file `*.podspec` or `Podfile.lock`
+- For SwiftPM it is the file `Package.swift` or `Package.resolved`
+
+Keep in mind that developers may use more than one dependency manager and you might need to execute therefore more than one scan. When scanning with @MASTG-TOOL-0116 it is sufficient to scan the file created by the dependency manager, you don't need access to the whole Xcode project or source code.
+
+Before we can run the scan, you will need to obtain an API key for NVD, which is used to retrieve the latest CVE information. The API Key to access the NVD API can be requested from .
+
+To start a scan for a project using SwiftPM, execute the following command:
+
+```bash
+$ dependency-check --enableExperimental -f SARIF --nvdApiKey -s Package.resolved
+```
+
+The output is a SARIF file which can be viewed using the Sarif viewer plugin in @MASTG-TOOL-0118. If any known vulnerabilities are found, they will be listed with their CVE number and description.
+
+If you are scanning for CocoaPods or Carthage, you can use the same command again, but scan the corresponding dependency manager file instead.
diff --git a/tools/android/MASTG-TOOL-0120.md b/tools/android/MASTG-TOOL-0120.md
new file mode 100644
index 0000000000..0b58525899
--- /dev/null
+++ b/tools/android/MASTG-TOOL-0120.md
@@ -0,0 +1,11 @@
+---
+title: blint
+platform: android
+source: https://github.com/owasp-dep-scan/blint
+---
+
+[BLint](https://github.com/owasp-dep-scan/blint) is a Binary Linter that checks the security properties and capabilities of an executable. Since version 2, `blint` can generate Software Bill-of-Materials (SBOM) for supported binaries, which includes APK and AAB, but not IPA.
+
+## WIP
+
+[How accurate can `blint` generate a SBOM out of an APK](https://github.com/owasp-dep-scan/blint/issues/119)
From 35b18c3884adf8517a2f09aad639dca8070fcd0b Mon Sep 17 00:00:00 2001
From: Sven Schleier
Date: Wed, 30 Oct 2024 16:56:34 +0100
Subject: [PATCH 08/17] updated demos and techniques for iOS
---
 .../MASTG-DEMO-0020/MASTG-DEMO-0020.md | 2 +-
 .../MASTG-DEMO-0020/output copy.sarif | 1 -
 .../ios/MASVS-CODE/MASTG-DEMO-0020/output.txt | 64 ++++++++-
 .../MASTG-DEMO-0023/MASTG-DEMO-0023.md | 4 +-
 .../ios/MASVS-CODE/MASTG-DEMO-0023/output.txt | 130 +++++++++++++++++-
 techniques/ios/MASTG-TECH-0113.md | 10 +-
 techniques/ios/MASTG-TECH-0114.md | 2 +-
 tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md | 4 +-
 8 files changed, 201 insertions(+), 16 deletions(-)
 delete mode 100644 demos/ios/MASVS-CODE/MASTG-DEMO-0020/output copy.sarif
diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/MASTG-DEMO-0020.md b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/MASTG-DEMO-0020.md
index 5a081ea85f..d4704931bc 100644
--- a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/MASTG-DEMO-0020.md
+++ b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/MASTG-DEMO-0020.md
@@ -1,6 +1,6 @@
 ---
 platform: ios
-title: Usage of Insecure iOS Dependencies
+title: Scanning Package Manager Artifacts for Insecure iOS Dependencies
 id: MASTG-DEMO-0020
 code: [java]
 test: MASTG-TEST-0215
diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output copy.sarif b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output copy.sarif
deleted file mode 100644
index 24a44c931b..0000000000
--- a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output copy.sarif
+++ /dev/null
@@ -1 +0,0 @@ -{"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json","version": "2.1.0","runs": [{"tool": {"driver": {"name": "dependency-check","version": "10.0.4","informationUri": "https://jeremylong.github.io/DependencyCheck/","rules": [{"id": "CVE-2020-9861","shortDescription": {"text": "high severity - CVE-2020-9861 Uncontrolled Recursion vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "A stack overflow issue existed in Swift for Linux. The issue was addressed with improved input validation for dealing with deeply nested malicious JSON input."},"help": {"text": "","markdown": "For more information see [CVE-2020-9861](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9861).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 5.0,"cvssv2_accessVector": "NETWORK","cvssv2_accessComplexity": "LOW","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "NONE","cvssv2_integrityImpact": "NONE","cvssv2_availabilityImpact": "PARTIAL","cvssv2_severity": "MEDIUM","cvssv3_baseScore": 7.5,"security-severity": "7.5","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "NONE","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "NONE","cvssv3_integrityImpact": "NONE","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "3.9","cvssv3_impactScore": "3.6","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2022-1642","shortDescription": {"text": "high 
severity - CVE-2022-1642 Incorrect Type Conversion or Cast vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. This vulnerability is caused by the interaction between a deserialization mechanism offered by the Swift standard library, the Codable protocol; and the JSONDecoder class offered by swift-corelibs-foundation, which can deserialize types that adopt the Codable protocol based on the content of a provided JSON document. When a type that adopts Codable requests the initialization of a field with an integer value, the JSONDecoder class uses a type-erased container with different accessor methods to attempt and coerce a corresponding JSON value and produce an integer. In the case the JSON value was a numeric literal with a floating-point portion, JSONDecoder used different type-eraser methods during validation than it did during the final casting of the value. The checked casting produces a deterministic crash due to this mismatch. The JSONDecoder class is often wrapped by popular Swift-based web frameworks to parse the body of HTTP requests and perform basic type validation. This makes the attack low-effort: sending a specifically crafted JSON document during a request to these endpoints will cause them to crash. The attack does not have any confidentiality or integrity risks in and of itself; the crash is produced deterministically by an abort function that ensures that execution does not continue in the face of this violation of assumptions. However, unexpected crashes can lead to violations of invariants in services, so it's possible that this attack can be used to trigger error conditions that escalate the risk. Producing a denial of service may also be the goal of an attacker in itself. This issue is solved in Swift 5.6.2 for Linux and Windows. 
This issue was solved by ensuring that the same methods are invoked both when validating and during casting, so that no type mismatch occurs. Swift for Linux and Windows versions are not ABI-interchangeable. To upgrade a service, its owner must update to this version of the Swift toolchain, then recompile and redeploy their software. The new version of Swift includes an updated swift-corelibs-foundation package. Versions of Swift running on Darwin-based operating systems are not affected."},"help": {"text": "","markdown": "For more information see [CVE-2022-1642](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1642).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 5.0,"cvssv2_accessVector": "NETWORK","cvssv2_accessComplexity": "LOW","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "NONE","cvssv2_integrityImpact": "NONE","cvssv2_availabilityImpact": "PARTIAL","cvssv2_severity": "MEDIUM","cvssv3_baseScore": 7.5,"security-severity": "7.5","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "NONE","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "NONE","cvssv3_integrityImpact": "NONE","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "3.9","cvssv3_impactScore": "3.6","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2022-3918","shortDescription": {"text": "high severity - CVE-2022-3918 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in 
pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "A program using FoundationNetworking in swift-corelibs-foundation is potentially vulnerable to CRLF ( ) injection in URLRequest headers. In this vulnerability, a client can insert one or several CRLF sequences into a URLRequest header value. When that request is sent via URLSession to an HTTP server, the server may interpret the content after the CRLF as extra headers, or even a second request. For example, consider a URLRequest to http:\/\/example.com\/ with the GET method. Suppose we set the URLRequest header \"Foo\" to the value \"Bar Extra-Header: Added GET \/other HTTP\/1.1\". When this request is sent, it will appear to the server as two requests: GET \/ HTTP\/1.1 Foo: Bar Extra-Header: Added GET \/other HTTP\/1.1 In this manner, the client is able to inject extra headers and craft an entirely new request to a separate path, despite only making one API call in URLSession. If a developer has total control over the request and its headers, this vulnerability may not pose a threat. However, this vulnerability escalates if un-sanitized user input is placed in header values. If so, a malicious user could inject new headers or requests to an intermediary or backend server. Developers should be especially careful to sanitize user input in this case, or upgrade their version of swift-corelibs-foundation to include the patch below."},"help": {"text": "","markdown": "For more information see [CVE-2022-3918](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3918).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. 
For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv3_baseScore": 8.8,"security-severity": "8.8","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "LOW","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "HIGH","cvssv3_integrityImpact": "HIGH","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "2.8","cvssv3_impactScore": "5.9","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2019-8790","shortDescription": {"text": "medium severity - CVE-2019-8790 Insecure Storage of Sensitive Information vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "This issue was addresses by updating incorrect URLSession file descriptors management logic to match Swift 5.0. This issue is fixed in Swift 5.1.1 for Ubuntu. Incorrect management of file descriptors in URLSession could lead to inadvertent data disclosure."},"help": {"text": "","markdown": "For more information see [CVE-2019-8790](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8790).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. 
For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 2.1,"cvssv2_accessVector": "LOCAL","cvssv2_accessComplexity": "LOW","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "PARTIAL","cvssv2_integrityImpact": "NONE","cvssv2_availabilityImpact": "NONE","cvssv2_severity": "LOW","cvssv3_baseScore": 5.5,"security-severity": "5.5","cvssv3_attackVector": "LOCAL","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "LOW","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "HIGH","cvssv3_integrityImpact": "NONE","cvssv3_availabilityImpact": "NONE","cvssv3_baseSeverity": "MEDIUM","cvssv3_exploitabilityScore": "1.8","cvssv3_impactScore": "3.6","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2018-4220","shortDescription": {"text": "high severity - CVE-2018-4220 Incorrect Permission Assignment for Critical Resource vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "An issue was discovered in certain Apple products. Swift before 4.1.1 Security Update 2018-001 is affected. The issue involves the \"Swift for Ubuntu\" component. It allows attackers to execute arbitrary code in a privileged context because write and execute permissions are enabled during library loading."},"help": {"text": "","markdown": "For more information see [CVE-2018-4220](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4220).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. 
For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 9.3,"cvssv2_accessVector": "NETWORK","cvssv2_accessComplexity": "MEDIUM","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "COMPLETE","cvssv2_integrityImpact": "COMPLETE","cvssv2_availabilityImpact": "COMPLETE","cvssv2_severity": "HIGH","cvssv3_baseScore": 8.8,"security-severity": "8.8","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "NONE","cvssv3_userInteraction": "REQUIRED","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "HIGH","cvssv3_integrityImpact": "HIGH","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "2.8","cvssv3_impactScore": "5.9","cvssv3_version": "_3_0","source": "NVD"}}],"properties": {"disclaimer": "Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.","nvd": "This product uses the NVD API but is not endorsed or certified by the NVD. 
This report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov","cisa": "This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog","npm": "This report may contain data retrieved from the the Github Advisory Database (via NPM Audit API): https://github.com/advisories/","retirejs": "This report may contain data retrieved from the RetireJS community: https://retirejs.github.io/retire.js/","ossindex": "This report may contain data retrieved from the Sonatype OSS Index: https://ossindex.sonatype.org","NVD API Last Checked": "2024-10-16T06:07:56+02","NVD API Last Modified": "2024-10-16T03:15:02Z"}}},"artifacts": [{"location": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved"},"properties": {"id1": "pkg:swift\/swift-nio@2.33.0","vid1": "cpe:2.3:a:apple:swift:2.33.0:*:*:*:*:*:*:*","vid2": "cpe:2.3:a:apple:swift_foundation:2.33.0:*:*:*:*:*:*:*"}}],"results": [ {"ruleId": "CVE-2018-4220","level": "warning","message": {"text": "CVE-2018-4220 - An issue was discovered in certain Apple products. Swift before 4.1.1 Security Update 2018-001 is affected. The issue involves the \"Swift for Ubuntu\" component. 
It allows attackers to execute arbitrary code in a privileged context because write and execute permissions are enabled during library loading."},"partialFingerprints": {"vulnerabilityHash": "3f758c43ed8a0566a7f3f5f4f46bae5f"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2022-3918","level": "warning","message": {"text": "CVE-2022-3918 - A program using FoundationNetworking in swift-corelibs-foundation is potentially vulnerable to CRLF ( ) injection in URLRequest headers. In this vulnerability, a client can insert one or several CRLF sequences into a URLRequest header value. When that request is sent via URLSession to an HTTP server, the server may interpret the content after the CRLF as extra headers, or even a second request. For example, consider a URLRequest to http:\/\/example.com\/ with the GET method. Suppose we set the URLRequest header \"Foo\" to the value \"Bar Extra-Header: Added GET \/other HTTP\/1.1\". When this request is sent, it will appear to the server as two requests: GET \/ HTTP\/1.1 Foo: Bar Extra-Header: Added GET \/other HTTP\/1.1 In this manner, the client is able to inject extra headers and craft an entirely new request to a separate path, despite only making one API call in URLSession. If a developer has total control over the request and its headers, this vulnerability may not pose a threat. However, this vulnerability escalates if un-sanitized user input is placed in header values. If so, a malicious user could inject new headers or requests to an intermediary or backend server. 
Developers should be especially careful to sanitize user input in this case, or upgrade their version of swift-corelibs-foundation to include the patch below."},"partialFingerprints": {"vulnerabilityHash": "6ea52063e689446a344d211c519a3556"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2020-9861","level": "warning","message": {"text": "CVE-2020-9861 - A stack overflow issue existed in Swift for Linux. The issue was addressed with improved input validation for dealing with deeply nested malicious JSON input."},"partialFingerprints": {"vulnerabilityHash": "ad32e387d304c49cc53ee1feabc845c8"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2022-1642","level": "warning","message": {"text": "CVE-2022-1642 - A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. This vulnerability is caused by the interaction between a deserialization mechanism offered by the Swift standard library, the Codable protocol; and the JSONDecoder class offered by swift-corelibs-foundation, which can deserialize types that adopt the Codable protocol based on the content of a provided JSON document. 
When a type that adopts Codable requests the initialization of a field with an integer value, the JSONDecoder class uses a type-erased container with different accessor methods to attempt and coerce a corresponding JSON value and produce an integer. In the case the JSON value was a numeric literal with a floating-point portion, JSONDecoder used different type-eraser methods during validation than it did during the final casting of the value. The checked casting produces a deterministic crash due to this mismatch. The JSONDecoder class is often wrapped by popular Swift-based web frameworks to parse the body of HTTP requests and perform basic type validation. This makes the attack low-effort: sending a specifically crafted JSON document during a request to these endpoints will cause them to crash. The attack does not have any confidentiality or integrity risks in and of itself; the crash is produced deterministically by an abort function that ensures that execution does not continue in the face of this violation of assumptions. However, unexpected crashes can lead to violations of invariants in services, so it's possible that this attack can be used to trigger error conditions that escalate the risk. Producing a denial of service may also be the goal of an attacker in itself. This issue is solved in Swift 5.6.2 for Linux and Windows. This issue was solved by ensuring that the same methods are invoked both when validating and during casting, so that no type mismatch occurs. Swift for Linux and Windows versions are not ABI-interchangeable. To upgrade a service, its owner must update to this version of the Swift toolchain, then recompile and redeploy their software. The new version of Swift includes an updated swift-corelibs-foundation package. 
Versions of Swift running on Darwin-based operating systems are not affected."},"partialFingerprints": {"vulnerabilityHash": "50e80d7087d1cf08bbc18924970c6f6a"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2019-8790","level": "warning","message": {"text": "CVE-2019-8790 - This issue was addresses by updating incorrect URLSession file descriptors management logic to match Swift 5.0. This issue is fixed in Swift 5.1.1 for Ubuntu. Incorrect management of file descriptors in URLSession could lead to inadvertent data disclosure."},"partialFingerprints": {"vulnerabilityHash": "f59a361684f99f0204c2ab5c2a16daf7"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}]}]} \ No newline at end of file diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output.txt b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output.txt index 24a44c931b..c6ddd443c3 100644 --- a/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output.txt +++ b/demos/ios/MASVS-CODE/MASTG-DEMO-0020/output.txt 
@@ -1 +1,63 @@ -{"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json","version": "2.1.0","runs": [{"tool": {"driver": {"name": "dependency-check","version": "10.0.4","informationUri": "https://jeremylong.github.io/DependencyCheck/","rules": [{"id": "CVE-2020-9861","shortDescription": {"text": "high severity - CVE-2020-9861 Uncontrolled Recursion vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "A stack overflow issue existed in Swift for Linux. The issue was addressed with improved input validation for dealing with deeply nested malicious JSON input."},"help": {"text": "","markdown": "For more information see [CVE-2020-9861](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9861).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 5.0,"cvssv2_accessVector": "NETWORK","cvssv2_accessComplexity": "LOW","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "NONE","cvssv2_integrityImpact": "NONE","cvssv2_availabilityImpact": "PARTIAL","cvssv2_severity": "MEDIUM","cvssv3_baseScore": 7.5,"security-severity": "7.5","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "NONE","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "NONE","cvssv3_integrityImpact": "NONE","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "3.9","cvssv3_impactScore": "3.6","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2022-1642","shortDescription": {"text": "high 
severity - CVE-2022-1642 Incorrect Type Conversion or Cast vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. This vulnerability is caused by the interaction between a deserialization mechanism offered by the Swift standard library, the Codable protocol; and the JSONDecoder class offered by swift-corelibs-foundation, which can deserialize types that adopt the Codable protocol based on the content of a provided JSON document. When a type that adopts Codable requests the initialization of a field with an integer value, the JSONDecoder class uses a type-erased container with different accessor methods to attempt and coerce a corresponding JSON value and produce an integer. In the case the JSON value was a numeric literal with a floating-point portion, JSONDecoder used different type-eraser methods during validation than it did during the final casting of the value. The checked casting produces a deterministic crash due to this mismatch. The JSONDecoder class is often wrapped by popular Swift-based web frameworks to parse the body of HTTP requests and perform basic type validation. This makes the attack low-effort: sending a specifically crafted JSON document during a request to these endpoints will cause them to crash. The attack does not have any confidentiality or integrity risks in and of itself; the crash is produced deterministically by an abort function that ensures that execution does not continue in the face of this violation of assumptions. However, unexpected crashes can lead to violations of invariants in services, so it's possible that this attack can be used to trigger error conditions that escalate the risk. Producing a denial of service may also be the goal of an attacker in itself. This issue is solved in Swift 5.6.2 for Linux and Windows. 
This issue was solved by ensuring that the same methods are invoked both when validating and during casting, so that no type mismatch occurs. Swift for Linux and Windows versions are not ABI-interchangeable. To upgrade a service, its owner must update to this version of the Swift toolchain, then recompile and redeploy their software. The new version of Swift includes an updated swift-corelibs-foundation package. Versions of Swift running on Darwin-based operating systems are not affected."},"help": {"text": "","markdown": "For more information see [CVE-2022-1642](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1642).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 5.0,"cvssv2_accessVector": "NETWORK","cvssv2_accessComplexity": "LOW","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "NONE","cvssv2_integrityImpact": "NONE","cvssv2_availabilityImpact": "PARTIAL","cvssv2_severity": "MEDIUM","cvssv3_baseScore": 7.5,"security-severity": "7.5","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "NONE","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "NONE","cvssv3_integrityImpact": "NONE","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "3.9","cvssv3_impactScore": "3.6","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2022-3918","shortDescription": {"text": "high severity - CVE-2022-3918 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in 
pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "A program using FoundationNetworking in swift-corelibs-foundation is potentially vulnerable to CRLF ( ) injection in URLRequest headers. In this vulnerability, a client can insert one or several CRLF sequences into a URLRequest header value. When that request is sent via URLSession to an HTTP server, the server may interpret the content after the CRLF as extra headers, or even a second request. For example, consider a URLRequest to http:\/\/example.com\/ with the GET method. Suppose we set the URLRequest header \"Foo\" to the value \"Bar Extra-Header: Added GET \/other HTTP\/1.1\". When this request is sent, it will appear to the server as two requests: GET \/ HTTP\/1.1 Foo: Bar Extra-Header: Added GET \/other HTTP\/1.1 In this manner, the client is able to inject extra headers and craft an entirely new request to a separate path, despite only making one API call in URLSession. If a developer has total control over the request and its headers, this vulnerability may not pose a threat. However, this vulnerability escalates if un-sanitized user input is placed in header values. If so, a malicious user could inject new headers or requests to an intermediary or backend server. Developers should be especially careful to sanitize user input in this case, or upgrade their version of swift-corelibs-foundation to include the patch below."},"help": {"text": "","markdown": "For more information see [CVE-2022-3918](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3918).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. 
For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv3_baseScore": 8.8,"security-severity": "8.8","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "LOW","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "HIGH","cvssv3_integrityImpact": "HIGH","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "2.8","cvssv3_impactScore": "5.9","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2019-8790","shortDescription": {"text": "medium severity - CVE-2019-8790 Insecure Storage of Sensitive Information vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "This issue was addresses by updating incorrect URLSession file descriptors management logic to match Swift 5.0. This issue is fixed in Swift 5.1.1 for Ubuntu. Incorrect management of file descriptors in URLSession could lead to inadvertent data disclosure."},"help": {"text": "","markdown": "For more information see [CVE-2019-8790](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-8790).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. 
For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 2.1,"cvssv2_accessVector": "LOCAL","cvssv2_accessComplexity": "LOW","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "PARTIAL","cvssv2_integrityImpact": "NONE","cvssv2_availabilityImpact": "NONE","cvssv2_severity": "LOW","cvssv3_baseScore": 5.5,"security-severity": "5.5","cvssv3_attackVector": "LOCAL","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "LOW","cvssv3_userInteraction": "NONE","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "HIGH","cvssv3_integrityImpact": "NONE","cvssv3_availabilityImpact": "NONE","cvssv3_baseSeverity": "MEDIUM","cvssv3_exploitabilityScore": "1.8","cvssv3_impactScore": "3.6","cvssv3_version": "_3_1","source": "NVD"}},{"id": "CVE-2018-4220","shortDescription": {"text": "high severity - CVE-2018-4220 Incorrect Permission Assignment for Critical Resource vulnerability in pkg:swift\/swift-nio@2.33.0"},"fullDescription": {"text": "An issue was discovered in certain Apple products. Swift before 4.1.1 Security Update 2018-001 is affected. The issue involves the \"Swift for Ubuntu\" component. It allows attackers to execute arbitrary code in a privileged context because write and execute permissions are enabled during library loading."},"help": {"text": "","markdown": "For more information see [CVE-2018-4220](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4220).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. 
For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)."},"properties": {"cvssv2_score": 9.3,"cvssv2_accessVector": "NETWORK","cvssv2_accessComplexity": "MEDIUM","cvssv2_authenticationr": "NONE","cvssv2_confidentialityImpact": "COMPLETE","cvssv2_integrityImpact": "COMPLETE","cvssv2_availabilityImpact": "COMPLETE","cvssv2_severity": "HIGH","cvssv3_baseScore": 8.8,"security-severity": "8.8","cvssv3_attackVector": "NETWORK","cvssv3_attackComplexity": "LOW","cvssv3_privilegesRequired": "NONE","cvssv3_userInteraction": "REQUIRED","cvssv3_scope": "UNCHANGED","cvssv3_confidentialityImpact": "HIGH","cvssv3_integrityImpact": "HIGH","cvssv3_availabilityImpact": "HIGH","cvssv3_baseSeverity": "HIGH","cvssv3_exploitabilityScore": "2.8","cvssv3_impactScore": "5.9","cvssv3_version": "_3_0","source": "NVD"}}],"properties": {"disclaimer": "Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user's risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.","nvd": "This product uses the NVD API but is not endorsed or certified by the NVD. 
This report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov","cisa": "This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog","npm": "This report may contain data retrieved from the the Github Advisory Database (via NPM Audit API): https://github.com/advisories/","retirejs": "This report may contain data retrieved from the RetireJS community: https://retirejs.github.io/retire.js/","ossindex": "This report may contain data retrieved from the Sonatype OSS Index: https://ossindex.sonatype.org","NVD API Last Checked": "2024-10-16T06:07:56+02","NVD API Last Modified": "2024-10-16T03:15:02Z"}}},"artifacts": [{"location": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved"},"properties": {"id1": "pkg:swift\/swift-nio@2.33.0","vid1": "cpe:2.3:a:apple:swift:2.33.0:*:*:*:*:*:*:*","vid2": "cpe:2.3:a:apple:swift_foundation:2.33.0:*:*:*:*:*:*:*"}}],"results": [ {"ruleId": "CVE-2018-4220","level": "warning","message": {"text": "CVE-2018-4220 - An issue was discovered in certain Apple products. Swift before 4.1.1 Security Update 2018-001 is affected. The issue involves the \"Swift for Ubuntu\" component. 
It allows attackers to execute arbitrary code in a privileged context because write and execute permissions are enabled during library loading."},"partialFingerprints": {"vulnerabilityHash": "3f758c43ed8a0566a7f3f5f4f46bae5f"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2022-3918","level": "warning","message": {"text": "CVE-2022-3918 - A program using FoundationNetworking in swift-corelibs-foundation is potentially vulnerable to CRLF ( ) injection in URLRequest headers. In this vulnerability, a client can insert one or several CRLF sequences into a URLRequest header value. When that request is sent via URLSession to an HTTP server, the server may interpret the content after the CRLF as extra headers, or even a second request. For example, consider a URLRequest to http:\/\/example.com\/ with the GET method. Suppose we set the URLRequest header \"Foo\" to the value \"Bar Extra-Header: Added GET \/other HTTP\/1.1\". When this request is sent, it will appear to the server as two requests: GET \/ HTTP\/1.1 Foo: Bar Extra-Header: Added GET \/other HTTP\/1.1 In this manner, the client is able to inject extra headers and craft an entirely new request to a separate path, despite only making one API call in URLSession. If a developer has total control over the request and its headers, this vulnerability may not pose a threat. However, this vulnerability escalates if un-sanitized user input is placed in header values. If so, a malicious user could inject new headers or requests to an intermediary or backend server. 
Developers should be especially careful to sanitize user input in this case, or upgrade their version of swift-corelibs-foundation to include the patch below."},"partialFingerprints": {"vulnerabilityHash": "6ea52063e689446a344d211c519a3556"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2020-9861","level": "warning","message": {"text": "CVE-2020-9861 - A stack overflow issue existed in Swift for Linux. The issue was addressed with improved input validation for dealing with deeply nested malicious JSON input."},"partialFingerprints": {"vulnerabilityHash": "ad32e387d304c49cc53ee1feabc845c8"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2022-1642","level": "warning","message": {"text": "CVE-2022-1642 - A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. This vulnerability is caused by the interaction between a deserialization mechanism offered by the Swift standard library, the Codable protocol; and the JSONDecoder class offered by swift-corelibs-foundation, which can deserialize types that adopt the Codable protocol based on the content of a provided JSON document. 
When a type that adopts Codable requests the initialization of a field with an integer value, the JSONDecoder class uses a type-erased container with different accessor methods to attempt and coerce a corresponding JSON value and produce an integer. In the case the JSON value was a numeric literal with a floating-point portion, JSONDecoder used different type-eraser methods during validation than it did during the final casting of the value. The checked casting produces a deterministic crash due to this mismatch. The JSONDecoder class is often wrapped by popular Swift-based web frameworks to parse the body of HTTP requests and perform basic type validation. This makes the attack low-effort: sending a specifically crafted JSON document during a request to these endpoints will cause them to crash. The attack does not have any confidentiality or integrity risks in and of itself; the crash is produced deterministically by an abort function that ensures that execution does not continue in the face of this violation of assumptions. However, unexpected crashes can lead to violations of invariants in services, so it's possible that this attack can be used to trigger error conditions that escalate the risk. Producing a denial of service may also be the goal of an attacker in itself. This issue is solved in Swift 5.6.2 for Linux and Windows. This issue was solved by ensuring that the same methods are invoked both when validating and during casting, so that no type mismatch occurs. Swift for Linux and Windows versions are not ABI-interchangeable. To upgrade a service, its owner must update to this version of the Swift toolchain, then recompile and redeploy their software. The new version of Swift includes an updated swift-corelibs-foundation package. 
Versions of Swift running on Darwin-based operating systems are not affected."},"partialFingerprints": {"vulnerabilityHash": "50e80d7087d1cf08bbc18924970c6f6a"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}, {"ruleId": "CVE-2019-8790","level": "warning","message": {"text": "CVE-2019-8790 - This issue was addresses by updating incorrect URLSession file descriptors management logic to match Swift 5.0. This issue is fixed in Swift 5.1.1 for Ubuntu. Incorrect management of file descriptors in URLSession could lead to inadvertent data disclosure."},"partialFingerprints": {"vulnerabilityHash": "f59a361684f99f0204c2ab5c2a16daf7"},"locations": [{"physicalLocation": {"artifactLocation": {"uri": "file://\/Users\/sushi2k\/Documents\/mastg-apps\/MASTestApp-iOS-MASWE-0076\/MASTestApp.xcodeproj\/project.xcworkspace\/xcshareddata\/swiftpm\/Package.resolved","index": 0 }},"logicalLocations": [{"fullyQualifiedName": "pkg:swift\/swift-nio@2.33.0"}]}]}]}]} \ No newline at end of file +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "dependency-check", + "version": "10.0.4", + "informationUri": "https://jeremylong.github.io/DependencyCheck/", + "rules": [ + { + "id": "CVE-2020-9861", + "shortDescription": { + "text": "high severity - CVE-2020-9861 Uncontrolled Recursion vulnerability in pkg:swift\/swift-nio@2.33.0" + }, + "fullDescription": { + "text": "A stack overflow issue existed in Swift for Linux. The issue was addressed with improved input validation for dealing with deeply nested malicious JSON input." 
+ }, + "help": { + "text": "", + "markdown": "For more information see [CVE-2020-9861](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9861).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)." + }, + "properties": { + "cvssv2_score": 5.0, + "cvssv2_accessVector": "NETWORK", + "cvssv2_accessComplexity": "LOW", + "cvssv2_authenticationr": "NONE", + "cvssv2_confidentialityImpact": "NONE", + "cvssv2_integrityImpact": "NONE", + "cvssv2_availabilityImpact": "PARTIAL", + "cvssv2_severity": "MEDIUM", + "cvssv3_baseScore": 7.5, + "security-severity": "7.5", + "cvssv3_attackVector": "NETWORK", + "cvssv3_attackComplexity": "LOW", + "cvssv3_privilegesRequired": "NONE", + "cvssv3_userInteraction": "NONE", + "cvssv3_scope": "UNCHANGED", + "cvssv3_confidentialityImpact": "NONE", + "cvssv3_integrityImpact": "NONE", + "cvssv3_availabilityImpact": "HIGH", + "cvssv3_baseSeverity": "HIGH", + "cvssv3_exploitabilityScore": "3.9", + "cvssv3_impactScore": "3.6", + "cvssv3_version": "_3_1", + "source": "NVD" + } + }, + { + "id": "CVE-2022-1642", + "shortDescription": { + "text": "high severity - CVE-2022-1642 Incorrect Type Conversion or Cast vulnerability in pkg:swift\/swift-nio@2.33.0" + }, + "fullDescription": { + "text": "A program using swift-corelibs-foundation is vulnerable to a denial of service attack caused by a potentially malicious source producing a JSON document containing a type mismatch. 
This vulnerability is caused by the interaction between a deserialization mechanism offered by the Swift standard library, the Codable protocol; and the JSONDecoder class offered by swift-corelibs-foundation, which can deserialize types that adopt the Codable protocol based on the content of a provided JSON document. When a type that adopts Codable requests the initialization of a field with an integer value, the JSONDecoder class uses a type-erased container with different accessor methods to attempt and coerce a corresponding JSON value and produce an integer. In the case the JSON value was a numeric literal with a floating-point portion, JSONDecoder used different type-eraser methods during validation than it did during the final casting of the value. The checked casting produces a deterministic crash due to this mismatch. The JSONDecoder class is often wrapped by popular Swift-based web frameworks to parse the body of HTTP requests and perform basic type validation. This makes the attack low-effort: sending a specifically crafted JSON document during a request to these endpoints will cause them to crash. The attack does not have any confidentiality or integrity risks in and of itself; the crash is produced deterministically by an abort function that ensures that execution does not continue in the face of this violation of assumptions. However, unexpected crashes can lead to violations of invariants in services, so it's possible that this attack can be used to trigger error conditions that escalate the risk. Producing a denial of service may also be the goal of an attacker in itself. This issue is solved in Swift 5.6.2 for Linux and Windows. This issue was solved by ensuring that the same methods are invoked both when validating and during casting, so that no type mismatch occurs. Swift for Linux and Windows versions are not ABI-interchangeable. 
To upgrade a service, its owner must update to this version of the Swift toolchain, then recompile and redeploy their software. The new version of Swift includes an updated swift-corelibs-foundation package. Versions of Swift running on Darwin-based operating systems are not affected." + }, + "help": { + "text": "", + "markdown": "For more information see [CVE-2022-1642](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-1642).\n\n\nIf this is a false positive - consider using the HTML report to generate a suppression file. For more information see [How dependency-check works](https://jeremylong.github.io/DependencyCheck/general/internals.html), [How to read the HTML report](https://jeremylong.github.io/DependencyCheck/general/thereport.html), and [Suppressing false positives](https://jeremylong.github.io/DependencyCheck/general/suppression.html)." + + } +...[REDACTED]... \ No newline at end of file diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0023/MASTG-DEMO-0023.md b/demos/ios/MASVS-CODE/MASTG-DEMO-0023/MASTG-DEMO-0023.md index b69a4f9c14..e2f14b2fed 100644 --- a/demos/ios/MASVS-CODE/MASTG-DEMO-0023/MASTG-DEMO-0023.md +++ b/demos/ios/MASVS-CODE/MASTG-DEMO-0023/MASTG-DEMO-0023.md @@ -7,11 +7,11 @@ test: MASTG-TEST-0215 ### Steps -Execute `cdxgen` in the root directory of the Xcode project. +Execute @MASTG-TOOL-0119 in the root directory of the Xcode project. {{ run.sh }} -This will create a SBOM file that can be uploaded to @MASTG-TOOL-0117 by following @MASTG-TECH-0112. +This will create a SBOM file that can be uploaded to @MASTG-TOOL-0117 by following @MASTG-TECH-0113. ### Observation diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0023/output.txt b/demos/ios/MASVS-CODE/MASTG-DEMO-0023/output.txt index 1280d22f19..9d9ed267fc 100644 --- a/demos/ios/MASVS-CODE/MASTG-DEMO-0023/output.txt +++ b/demos/ios/MASVS-CODE/MASTG-DEMO-0023/output.txt 
@@ -1 +1,129 @@ -{"bomFormat":"CycloneDX","specVersion":"1.5","serialNumber":"urn:uuid:54c73891-97b0-40be-90a1-a432ffc62330","version":1,"metadata":{"timestamp":"2024-10-20T17:34:54Z","tools":{"components":[{"group":"@cyclonedx","name":"cdxgen","version":"10.10.5","purl":"pkg:npm/%40cyclonedx/cdxgen@10.10.5","type":"application","bom-ref":"pkg:npm/@cyclonedx/cdxgen@10.10.5","author":"OWASP Foundation","publisher":"OWASP Foundation"}]},"authors":[{"name":"OWASP Foundation"}],"lifecycles":[{"phase":"build"}],"component":{"group":"","name":"MASTestApp-iOS-MASWE-0076","version":"latest","type":"application","bom-ref":"pkg:swift/MASTestApp-iOS-MASWE-0076@latest","purl":"pkg:swift/MASTestApp-iOS-MASWE-0076@latest"},"properties":[{"name":"cdx:bom:componentTypes","value":"github\\nswift"},{"name":"cdx:bom:componentNamespaces","value":"actions\\ngithub.com/apple"}]},"components":[{"group":"actions","name":"checkout","version":"v4","purl":"pkg:github/actions/checkout@v4","type":"application","bom-ref":"pkg:github/actions/checkout@v4"},{"group":"github.com/apple","name":"swift-nio","version":"1.4.0","purl":"pkg:swift/github.com/apple/swift-nio@1.4.0","externalReferences":[{"type":"vcs","url":"https://github.com/apple/swift-nio.git"}],"type":"library","bom-ref":"pkg:swift/github.com/apple/swift-nio@1.4.0","evidence":{"identity":{"field":"purl","confidence":1,"methods":[{"technique":"manifest-analysis","confidence":1,"value":"/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"}]}},"properties":[{"name":"SrcFile","value":"/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"}]},{"group":"github.com/apple","name":"swift-nio-zlib-support","version":"1.0.0","purl":"pkg:swift/github.com/apple/swift-nio-zlib-support@1.0.0","externalReferences":[{"type":"vcs","url":"https://github.com/apple/swift-nio-zlib-suppo
rt.git"}],"type":"library","bom-ref":"pkg:swift/github.com/apple/swift-nio-zlib-support@1.0.0","evidence":{"identity":{"field":"purl","confidence":1,"methods":[{"technique":"manifest-analysis","confidence":1,"value":"/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"}]}},"properties":[{"name":"SrcFile","value":"/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved"}]}],"services":[],"dependencies":[]} \ No newline at end of file +{ + "bomFormat": "CycloneDX", + "specVersion": "1.5", + "serialNumber": "urn:uuid:54c73891-97b0-40be-90a1-a432ffc62330", + "version": 1, + "metadata": { + "timestamp": "2024-10-20T17:34:54Z", + "tools": { + "components": [ + { + "group": "@cyclonedx", + "name": "cdxgen", + "version": "10.10.5", + "purl": "pkg:npm/%40cyclonedx/cdxgen@10.10.5", + "type": "application", + "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.10.5", + "author": "OWASP Foundation", + "publisher": "OWASP Foundation" + } + ] + }, + "authors": [ + { + "name": "OWASP Foundation" + } + ], + "lifecycles": [ + { + "phase": "build" + } + ], + "component": { + "group": "", + "name": "MASTestApp-iOS-MASWE-0076", + "version": "latest", + "type": "application", + "bom-ref": "pkg:swift/MASTestApp-iOS-MASWE-0076@latest", + "purl": "pkg:swift/MASTestApp-iOS-MASWE-0076@latest" + }, + "properties": [ + { + "name": "cdx:bom:componentTypes", + "value": "github\\nswift" + }, + { + "name": "cdx:bom:componentNamespaces", + "value": "actions\\ngithub.com/apple" + } + ] + }, + "components": [ + { + "group": "actions", + "name": "checkout", + "version": "v4", + "purl": "pkg:github/actions/checkout@v4", + "type": "application", + "bom-ref": "pkg:github/actions/checkout@v4" + }, + { + "group": "github.com/apple", + "name": "swift-nio", + "version": "1.4.0", + "purl": "pkg:swift/github.com/apple/swift-nio@1.4.0", + 
"externalReferences": [ + { + "type": "vcs", + "url": "https://github.com/apple/swift-nio.git" + } + ], + "type": "library", + "bom-ref": "pkg:swift/github.com/apple/swift-nio@1.4.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 1, + "value": "/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved" + } + ] + }, + { + "group": "github.com/apple", + "name": "swift-nio-zlib-support", + "version": "1.0.0", + "purl": "pkg:swift/github.com/apple/swift-nio-zlib-support@1.0.0", + "externalReferences": [ + { + "type": "vcs", + "url": "https://github.com/apple/swift-nio-zlib-support.git" + } + ], + "type": "library", + "bom-ref": "pkg:swift/github.com/apple/swift-nio-zlib-support@1.0.0", + "evidence": { + "identity": { + "field": "purl", + "confidence": 1, + "methods": [ + { + "technique": "manifest-analysis", + "confidence": 1, + "value": "/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved" + } + ] + } + }, + "properties": [ + { + "name": "SrcFile", + "value": "/Users/sushi2k/Documents/mastg-apps/MASTestApp-iOS-MASWE-0076/MASTestApp.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved" + } + ] + } + ], + "services": [], + "dependencies": [] +} \ No newline at end of file diff --git a/techniques/ios/MASTG-TECH-0113.md b/techniques/ios/MASTG-TECH-0113.md index d870158dd7..f6be56080b 100644 --- a/techniques/ios/MASTG-TECH-0113.md +++ b/techniques/ios/MASTG-TECH-0113.md 
@@ -3,11 +3,7 @@ title: Software Composition Analysis (SCA) of iOS Dependencies by Creating a SBO
 platform: ios
 ---
 
-@MASTG-TOOL-0119 can be used to create a so called Software Bill of Material (SBOM) in the CycloneDX format.
-
-> Note: Currently only SwiftPM is supported, not Carthage and CocoaPods.
-
-Navigate to the root directory of the Xcode project you want to scan and execute the following command:
+@MASTG-TOOL-0119 can be used to create a so called Software Bill of Material (SBOM) in the CycloneDX format in case SwiftPM is used (Carthage and CocoaPods are not supported yet). Either you ask the development team to provide the SBOM file to you, or you create the SBOM by yourself. To do this, navigate to the root directory of the Xcode project you want to scan and execute the following command:
 
 ```bash
 $ cdxgen -o sbom.json
@@ -26,8 +22,8 @@ $ curl -X "PUT" "http://localhost:8081/api/v1/bom" \
 }'
 ```
 
-> Check also [alternatives for uploading](https://docs.dependencytrack.org/usage/cicd/) the SBOM file, in case the produced json file is too large.
+Check also [alternatives for uploading](https://docs.dependencytrack.org/usage/cicd/) the SBOM file, in case the produced json file is too large.
 
 Go to the frontend of @MASTG-TOOL-0117, which is , if you are using the default settings of the @MASTG-TOOL-0118 docker container. Open the project you uploaded the SBOM to and you can verify if there are any vulnerable dependencies.
 
-> Note: Transitive dependencies are not supported by @MASTG-TOOL-0117 for [SwiftPM](https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES).
+> Note: Transitive dependencies are not supported by @MASTG-TOOL-0119 for [SwiftPM](https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES).
diff --git a/techniques/ios/MASTG-TECH-0114.md b/techniques/ios/MASTG-TECH-0114.md
index 0e6b2331d6..ab8b1d52df 100644
--- a/techniques/ios/MASTG-TECH-0114.md
+++ b/techniques/ios/MASTG-TECH-0114.md
@@ -33,4 +33,4 @@ $ dependency-check --enableExperimental -f SARIF --nvdApiKey -s P
 
 The output is a SARIF file which can be viewed using the Sarif viewer plugin in @MASTG-TOOL-0118. If any known vulnerabilities are found, they will be listed with their CVE number and description.
 
-If you are scanning for CocoaPods or Carthage, you can use the same command again, but scan the corresponding dependency manager file instead.
+You can only scan one file at at time. If you are scanning for CocoaPods or Carthage, you can use the same command again, but scan the corresponding dependency manager file instead.
diff --git a/tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md
index 0984decc72..a187bf35b6 100644
--- a/tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md
+++ b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md
@@ -1,6 +1,6 @@
 ---
 platform: ios
-title: Identify SwiftPM Dependencies with Known Vulnerabilities through usage of SBOM
+title: Identify Dependencies with Known Vulnerabilities through usage of SBOM
 id: MASTG-TEST-0217
 type: [static]
 weakness: MASWE-0076
@@ -18,7 +18,7 @@ In this test case we are identifying SwiftPM dependencies with known vulnerabili
 
 ## Observation
 
-The output should include the dependency and the CVE identifiers for any dependency with known vulnerabilities.
+The output should include the dependency name and the CVE identifiers for any dependency with known vulnerabilities.
 
 ## Evaluation
 
From b24c78f06a8195e2377ad4fc2303cbfb727b07af Mon Sep 17 00:00:00 2001
From: Sven Schleier
Date: Sun, 10 Nov 2024 16:39:40 +0100
Subject: [PATCH 09/17] Updates iOS and integrated MASTG-TEST-0085

---
 techniques/ios/MASTG-TECH-0114.md | 18 ++++++++++--
 techniques/ios/MASTG-TECH-0115.md | 31 ++++++++++++++++++++
 tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md | 6 ++--
 tools/android/MASTG-TOOL-0120.md | 10 +++++--
 tools/generic/MASTG-TOOL-0116.md | 4 +--
 tools/generic/MASTG-TOOL-0117.md | 2 +-
 tools/generic/MASTG-TOOL-0119.md | 6 ++--
 weaknesses/MASVS-CODE/MASWE-0076.md | 4 +--
 8 files changed, 65 insertions(+), 16 deletions(-)
 create mode 100644 techniques/ios/MASTG-TECH-0115.md

diff --git a/techniques/ios/MASTG-TECH-0114.md b/techniques/ios/MASTG-TECH-0114.md
index ab8b1d52df..e973388a82 100644
--- a/techniques/ios/MASTG-TECH-0114.md
+++ b/techniques/ios/MASTG-TECH-0114.md
@@ -11,7 +11,7 @@ iOS has several dependency managers, where the most popular are:
 
 The dependencies are integrated into the project during build and compiled into the IPA. The version information of the dependencies may be stripped out during compilation, so we cannot scan the IPA file, but we can scan the artifacts produced by the dependency managers.
 
-Tools such as @MASTG-TOOL-0116 can be used to scan the files created by all three dependency managers, which list the dependencies and their versions that will be included in the iOS app. Once identified, such tools will search for known vulnerabilities in the dependencies by checking them against a vulnerability database (such as the National Vulnerability Database, NVD).
+Tools such as @MASTG-TOOL-0116 can be used to scan the files created by all three dependency managers, which list the dependencies as [Common Platform Enumeration (CPE)](https://nvd.nist.gov/products/cpe "CPE") and their versions, which will be included in the iOS app. Once identified, such tools will search for known vulnerabilities, so called [CVE's (Common Vulnerability and Exposure)](https://cve.mitre.org/ "CVE") in the dependencies by checking them against a vulnerability database such as the National Vulnerability Database (NVD).
 
 > Note that @MASTG-TOOL-0116 does support [Carthage](https://jeremylong.github.io/DependencyCheck/analyzers/carthage.html), [CocoaPods](https://jeremylong.github.io/DependencyCheck/analyzers/cocoapods.html) and [SwiftPM](https://jeremylong.github.io/DependencyCheck/analyzers/swift.html), but the analyzers are considered experimental. While this analyzer may be useful and provide valid results more testing must be completed to ensure that the false negative/positive rates are acceptable.
 
@@ -25,12 +25,24 @@ Keep in mind that developers may use more than one dependency manager and you mi
 
 Before we can run the scan, you will need to obtain an API key for NVD, which is used to retrieve the latest CVE information. The API Key to access the NVD API can be requested from .
 
-To start a scan for a project using SwiftPM, execute the following command:
+- To start a scan for a project using SwiftPM, execute the following command to scan the `Package.Swift` or `Package.resolved`:
 
 ```bash
 $ dependency-check --enableExperimental -f SARIF --nvdApiKey -s Package.resolved
 ```
 
-The output is a SARIF file which can be viewed using the Sarif viewer plugin in @MASTG-TOOL-0118. If any known vulnerabilities are found, they will be listed with their CVE number and description.
+- To start a scan for a project using CocoaPods, execute the following command to scan the `Podfile.lock` or `*.podspec`:
+
+```bash
+$ dependency-check --enableExperimental -f SARIF --nvdApiKey -s Podfile.lock
+```
+
+- To start a scan for a project using Carthage, execute the following command to scan the `Cartfile.resolved.`:
+
+```bash
+$ dependency-check --enableExperimental -f SARIF --nvdApiKey -s Cartfile.resolved
+```
+
+The output is always a SARIF file which can be viewed using the Sarif viewer plugin in @MASTG-TOOL-0118. If any known vulnerabilities are found, they will be listed with their CVE number and description.
 
 You can only scan one file at at time. If you are scanning for CocoaPods or Carthage, you can use the same command again, but scan the corresponding dependency manager file instead.
diff --git a/techniques/ios/MASTG-TECH-0115.md b/techniques/ios/MASTG-TECH-0115.md
new file mode 100644
index 0000000000..3baabf6964
--- /dev/null
+++ b/techniques/ios/MASTG-TECH-0115.md
@@ -0,0 +1,31 @@
+---
+title: Verifying iOS Dependencies during runtime
+platform: ios
+---
+
+> The preferred technique for analyzing dependencies, is @MASTG-TECH-0113 or @MASTG-TECH-0114. This technique described here should only be used in a black-box environment, as it is manual and and cannot easily be automated.
+
+When performing app analysis, it is important to also analyze the app dependencies, usually in the form of libraries or so-called iOS Frameworks and ensure that they don't contain any known vulnerabilities. Even when you don't have the source code, you can still identify some of the app dependencies using tools like @MASTG-TOOL-0038, @MASTG-TOOL-0035 or the `otool -L` command. @MASTG-TOOL-0038 is the recommended tool, since it provides the most accurate results and it is easy to use. It contains a module to work with iOS Bundles, which offers two commands: `list_bundles` and `list_frameworks`.
+
+The `list_bundles` command lists all of the application’s bundles that are not related to frameworks. The output contains the executable name, bundle id, version of the library and path to the library.
+
+```bash
+...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios bundles list_bundles
+Executable Bundle Version Path
+------------ ----------------------------------------- --------- -------------------------------------------
+DVIA-v2 com.highaltitudehacks.DVIAswiftv2.develop 2 ...-1F0C-4DB1-8C39-04ACBFFEE7C8/DVIA-v2.app
+CoreGlyphs com.apple.CoreGlyphs 1 ...m/Library/CoreServices/CoreGlyphs.bundle
+```
+
+The `list_frameworks` command lists all of the application’s bundles that represent frameworks and their version.
+
+```bash
+...itudehacks.DVIAswiftv2.develop on (iPhone: 13.2.3) [usb] # ios bundles list_frameworks
+Executable Bundle Version Path
+-------------- ----------------------------------------- --------- -------------------------------------------
+Bolts org.cocoapods.Bolts 1.9.0 ...8/DVIA-v2.app/Frameworks/Bolts.framework
+RealmSwift org.cocoapods.RealmSwift 4.1.1 ...A-v2.app/Frameworks/RealmSwift.framework
+...
+```
+
+With this information it is possible to investigate manually if the frameworks and it's version have publicly known vulnerabilities.
diff --git a/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md
index c68b99fa74..4c221f6fd4 100644
--- a/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md
+++ b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md
@@ -8,17 +8,17 @@ weakness: MASWE-0076
 
 ## Overview
 
-In this test case we are identifying dependencies with known vulnerabilities in iOS. Dependencies are integrated through dependency managers, and there might be one or more of them being used. We therefore need all of the relevant files created by them to analyse them with a SCA scanning tool.
+In this test case we are identifying dependencies with known vulnerabilities in iOS. Dependencies are integrated through dependency managers, and there might be one or more of them being used. We therefore need all of the relevant artifacts created by them to analyse them with a SCA scanning tool.
 
 ## Steps
 
-1. In order to do this in the most efficient way you would need to ask the developer(s) which dependency managers are being used and to share the relevant file(s) created by them. Follow @MASTG-TECH-0113 for on overview of the package managers and request for the relevant files.
+1. In order to do this in the most efficient way you would need to ask the developer(s) which dependency managers are being used and to share the relevant file(s) created by them. Follow @MASTG-TECH-0114 for on overview of the package managers and request for the relevant files.
 
 2. Run a SCA analysis tool such as @MASTG-TOOL-0116 against the file(s) created by the dependency manager(s) and look for the use of vulnerable dependencies.
 
 ## Observation
 
-The output should include the dependency and the CVE identifiers for any dependency with known vulnerabilities.
+The output should include the dependency name and the CVE identifiers for any dependency with known vulnerabilities.
 
 ## Evaluation
 
diff --git a/tools/android/MASTG-TOOL-0120.md b/tools/android/MASTG-TOOL-0120.md
index 0b58525899..4bc1a9c42a 100644
--- a/tools/android/MASTG-TOOL-0120.md
+++ b/tools/android/MASTG-TOOL-0120.md
@@ -4,8 +4,12 @@ platform: android
 source: https://github.com/owasp-dep-scan/blint
 ---
 
-[BLint](https://github.com/owasp-dep-scan/blint) is a Binary Linter that checks the security properties and capabilities of an executable. Since version 2, `blint` can generate Software Bill-of-Materials (SBOM) for supported binaries, which includes APK and AAB, but not IPA.
+[BLint](https://github.com/owasp-dep-scan/blint) is a Binary Linter that checks the security properties and capabilities of an executable. Since version 2, `blint` can generate Software Bill-of-Materials (SBOM) for supported binaries, which includes Android (APK and AAB), but not iOS (IPA) apps.
 
-## WIP
+The creation of an SBOM out of an Android App (APK or AAB) is supported, but [limited](https://github.com/owasp-dep-scan/blint/issues/119). Due to stripping out meta-information of the libraries used in an app, a SBOM created ouf of an Android app will always be incomplete.
 
-[How accurate can `blint` generate a SBOM out of an APK](https://github.com/owasp-dep-scan/blint/issues/119)
+BLint can be a choice in a black-box security assessment, but other tools should be preferred during a grey/white-box test, like:
+
+- @MASTG-TOOL-0116
+- @MASTG-TOOL-0117
+- @MASTG-TOOL-0119
diff --git a/tools/generic/MASTG-TOOL-0116.md b/tools/generic/MASTG-TOOL-0116.md
index 11ca09a4be..89f97ffc4a 100644
--- a/tools/generic/MASTG-TOOL-0116.md
+++ b/tools/generic/MASTG-TOOL-0116.md
@@ -8,7 +8,7 @@ source: https://github.com/jeremylong/DependencyCheck
 
 Limitations for SCA tools are, that they will usually fail to scan an IPA or APK, due to 2 main reasons:
 
-- **Transformed format**: The libraries are no longer in their original format but are part of the app binaries compiled code format.
+- **Transformed format**: The libraries are no longer in their original format but are part of the app binaries compiled code format. For example an Android app will not contain the 3rd party JAR files in the APK, as they part of the compiled DEX files.
 - **Lack of metadata**: Information such as the library version or name is stripped or altered when building the mobile app.
 
-Therefore usually the files generated by dependency managers are scanned, that list the dependencies used in an app.
+Therefore, for iOS, the files generated by dependency managers (such as Podfile for CocoaPods) that list the dependencies used in an app are scanned, or for Android, the scan is performed at build time using Dependency-Check.
diff --git a/tools/generic/MASTG-TOOL-0117.md b/tools/generic/MASTG-TOOL-0117.md
index 44b7dcea33..4d2e254f51 100644
--- a/tools/generic/MASTG-TOOL-0117.md
+++ b/tools/generic/MASTG-TOOL-0117.md
@@ -10,4 +10,4 @@ You can install Dependency-Track by using [docker](https://docs.dependencytrack.
 
 Dependency-Track relies on Software Bill of Materials (SBOM) for identifying vulnerable dependencies, which can be generated through @MASTG-TOOL-0119 and uploaded via [API](https://docs.dependencytrack.org/usage/cicd/).
 
-To use the REST API you need to create an [API Key](https://docs.dependencytrack.org/integrations/rest-api/) and a project where the SBOM is uploaded to.
+To use the REST API you need to create an [API Key](https://docs.dependencytrack.org/integrations/rest-api/) and a project where the SBOM can be uploaded to.
diff --git a/tools/generic/MASTG-TOOL-0119.md b/tools/generic/MASTG-TOOL-0119.md
index 216f1829f3..57fd2a1ea2 100644
--- a/tools/generic/MASTG-TOOL-0119.md
+++ b/tools/generic/MASTG-TOOL-0119.md
@@ -4,6 +4,8 @@ platform: generic
 source: https://github.com/CycloneDX/cdxgen
 ---
 
-[cdxgen](https://cyclonedx.github.io/cdxgen/) can generate Software Bill of Materials (SBOM) for most applications and container images with a single command. It supports SwiftPM for iOS and Maven for Android. Also the creation of an SBOM out of an APK or AAB for Android is possible.
+[cdxgen](https://cyclonedx.github.io/cdxgen/) can generate Software Bill of Materials (SBOM) for most applications and container images with a single command. It supports SwiftPM for iOS and Maven for Android. The generated SBOM can then be submitted to @MASTG-TOOL-0117 for analysis.
 
-The generated SBOM can then be submitted to @MASTG-TOOL-0117 for analysis.
+The creation of an SBOM out of an Android App (APK or AAB) is supported, but limited. Due to stripping out meta-information of the libraries used in an app, a SBOM created ouf of an Android app will always be incomplete.
+
+It is therefore recommended to execute `cdxgen` in the Android App project folder to create a complete SBOM.
diff --git a/weaknesses/MASVS-CODE/MASWE-0076.md b/weaknesses/MASVS-CODE/MASWE-0076.md
index 80ba992055..028965e81f 100644
--- a/weaknesses/MASVS-CODE/MASWE-0076.md
+++ b/weaknesses/MASVS-CODE/MASWE-0076.md
@@ -33,6 +33,6 @@ Dependencies can be implemented manually by adding them into the project and lin
 ## Mitigations
 
 - **Keep Dependencies Updated**: Regularly update dependencies to their latest secure versions to ensure that any known vulnerabilities are patched.
-- **Regular Dependency Audits:**: Continuously scan and audit third-party libraries for vulnerabilities using Software Composition Analysis (SCA) tools in the CI/CD pipeline, like @MASTG-TOOL-0116.
-- **Software Bill of Material (SBOM)**: Create a SBOM and manage the dependencies by using tools like @MASTG-TOOL-0117.
+- **Regular Dependency Audits:**: Continuously scan and audit third-party libraries for vulnerabilities using Software Composition Analysis (SCA) tools in the CI/CD pipeline, like @MASTG-TOOL-0116 or @MASTG-TOOL-0117.
+- **Software Bill of Material (SBOM)**: Create a SBOM and manage the dependencies by using tools like @MASTG-TOOL-0119 and @MASTG-TOOL-0117.
 - **Remove Unused Dependencies**: Regularly review and remove any unused or unnecessary libraries to reduce the app’s attack surface.
From 32c17c200ae144816c373cb0f5b03d0c1f1285c0 Mon Sep 17 00:00:00 2001
From: Sven Schleier
Date: Sun, 10 Nov 2024 16:49:54 +0100
Subject: [PATCH 10/17] Split Android Techniques

---
 techniques/android/MASTG-TECH-0112.md | 29 +--------------------------
 techniques/android/MASTG-TECH-0116.md | 27 +++++++++++++++++++++++++
 techniques/android/MASTG-TECH-0117.md | 8 ++++++++
 3 files changed, 36 insertions(+), 28 deletions(-)
 create mode 100644 techniques/android/MASTG-TECH-0116.md
 create mode 100644 techniques/android/MASTG-TECH-0117.md

diff --git a/techniques/android/MASTG-TECH-0112.md b/techniques/android/MASTG-TECH-0112.md
index 73c5bc135b..1a938173ce 100644
--- a/techniques/android/MASTG-TECH-0112.md
+++ b/techniques/android/MASTG-TECH-0112.md
@@ -1,5 +1,5 @@
 ---
-title: Software Composition Analysis (SCA) of Android Dependencies
+title: Software Composition Analysis (SCA) of Android Dependencies during the Build
 platform: android
 ---
 
@@ -10,33 +10,6 @@ For Android both popular build automation tools, are also dependency managers:
 
 Gradle is the default build automation tool in Android Studio and this technique will focus on it.
 
-## Scanning through SBOM
-
-@MASTG-TOOL-0119 can be used to create a so called Software Bill of Material (SBOM) in the CycloneDX format. Navigate to the root directory of the Android Studio project you want to scan and execute the following command:
-
-```bash
-$ cdxgen -t java -o sbom.json
-```
-
-The created SBOM file need to be Base64 encoded and can then be uploaded to @MASTG-TOOL-0117 for analysis:
-
-```bash
-$ cat sbom.json | base64
-$ curl -X "PUT" "http://localhost:8081/api/v1/bom" \
- -H 'Content-Type: application/json' \
- -H 'X-API-Key: >' \
- -d $'{
- "project": "",
- "bom": ""
- }'
-```
-
-Go to frontend of dependency-check, which is , if you are using the default settings of the dependency-track docker container. Open the project you uploaded the SBOM to and you can verify if there are any vulnerable dependencies.
-
-> Note: Transitive dependencies are supported by @MASTG-TOOL-0117 for [Java and Kotlin](https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES).
-
-## Scanning through build environment
-
 Tools like @MASTG-TOOL-0116 can be integrated into the build environments, where they can inspect the build configuration files or the actual `.jar` files and their metadata, such as the version, to identify dependencies. Once identified such tools will identify known vulnerabilities in the dependencies by comparing them to a vulnerability database (like the National Vulnerability Database, NVD).
 
 In order to test for dependencies with known vulnerabilities, we need to integrate the @MASTG-TOOL-0116 plugin into the Android project via Gradle. The dependencies of the Android project are located in the following directory `~/.gradle/caches/modules-2/files-2.1`, and not in the Android Project directory.
diff --git a/techniques/android/MASTG-TECH-0116.md b/techniques/android/MASTG-TECH-0116.md
new file mode 100644
index 0000000000..1e77625ae1
--- /dev/null
+++ b/techniques/android/MASTG-TECH-0116.md
@@ -0,0 +1,27 @@
+---
+title: Software Composition Analysis (SCA) of Android Dependencies by Creating a SBOM
+platform: android
+---
+
+@MASTG-TOOL-0119 can be used to create a so called Software Bill of Material (SBOM) in the CycloneDX format. Navigate to the root directory of the Android Studio project you want to scan and execute the following command:
+
+```bash
+$ cdxgen -t java -o sbom.json
+```
+
+The created SBOM file need to be Base64 encoded and can then be uploaded to @MASTG-TOOL-0117 for analysis:
+
+```bash
+$ cat sbom.json | base64
+$ curl -X "PUT" "http://localhost:8081/api/v1/bom" \
+ -H 'Content-Type: application/json' \
+ -H 'X-API-Key: >' \
+ -d $'{
+ "project": "",
+ "bom": ""
+ }'
+```
+
+Go to frontend of dependency-check, which is , if you are using the default settings of the dependency-track docker container. Open the project you uploaded the SBOM to and you can verify if there are any vulnerable dependencies.
+
+> Note: Transitive dependencies are supported by @MASTG-TOOL-0117 for [Java and Kotlin](https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES).
diff --git a/techniques/android/MASTG-TECH-0117.md b/techniques/android/MASTG-TECH-0117.md
new file mode 100644
index 0000000000..035d03bee9
--- /dev/null
+++ b/techniques/android/MASTG-TECH-0117.md
@@ -0,0 +1,8 @@
+---
+title: Verifying Android Dependencies during runtime
+platform: android
+---
+
+> The preferred technique for analyzing dependencies, is @MASTG-TECH-0112 or @MASTG-TECH-0116. This technique described here should only be used in a black-box environment, as it is manual and and cannot easily be automated.
+
+When analysing an application, it's important to analyse the dependencies of the application, usually in the form of libraries, and make sure they don't contain any known vulnerabilities. If the sources are not available, you can decompile the application and check the JAR files. If @MASTG-TOOL-0022D or other obfuscation tools are used properly, the version information about the library is often obfuscated and therefore gone. Otherwise, the information can often still be found in the comments of the Java files of given libraries. Tools such as @MASTG-TOOL-0002 can help to analyse the possible libraries packaged with the application. If you can get the version of the library, either from the comments or from specific methods used in certain versions, you can look for CVEs by hand.
From 60081e3a3ffbd30b6d8798a6c6b1dff065a0d7b1 Mon Sep 17 00:00:00 2001
From: Sven Schleier
Date: Sun, 10 Nov 2024 16:57:53 +0100
Subject: [PATCH 11/17] change of IDs

---
 demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md | 2 +-
 tests-beta/android/MASVS-CODE/MASTG-TEST-0218.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md b/demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md
index f237992304..79f5f1b3b6 100644
--- a/demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md
@@ -11,7 +11,7 @@ Execute `cdxgen` in the root directory of the Android Studio project.
 
 {{ run.sh }}
 
-This will create a SBOM file that can be uploaded to @MASTG-TOOL-0117 by following @MASTG-TECH-0112.
+This will create a SBOM file that can be uploaded to @MASTG-TOOL-0117 by following @MASTG-TECH-0116.
 
 ### Observation
 
diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEST-0218.md b/tests-beta/android/MASVS-CODE/MASTG-TEST-0218.md
index 8a981b3681..e63fd17d0f 100644
--- a/tests-beta/android/MASVS-CODE/MASTG-TEST-0218.md
+++ b/tests-beta/android/MASVS-CODE/MASTG-TEST-0218.md
@@ -12,7 +12,7 @@ In this test case we are identifying dependencies with known vulnerabilities by
 
 ## Steps
 
-1. Either ask the development team to share a SBOM in CycloneDX format, or create one by yourself and follow @MASTG-TECH-0112.
+1. Either ask the development team to share a SBOM in CycloneDX format, or create one by yourself and follow @MASTG-TECH-0116.
 
 2. Open @MASTG-TOOL-0117 and inspect the project where the SBOM was uploaded for the use of vulnerable dependencies.
 
From ce28cd2606bdc8fd677819bf79a0b5ae489884e3 Mon Sep 17 00:00:00 2001
From: Sven Schleier
Date: Sun, 10 Nov 2024 16:59:59 +0100
Subject: [PATCH 12/17] redacted output

---
 .../MASVS-CODE/MASTG-DEMO-0021/output.txt | 231 +-----------------
 1 file changed, 3 insertions(+), 228 deletions(-)

diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0021/output.txt b/demos/android/MASVS-CODE/MASTG-DEMO-0021/output.txt
index 566a57ac0f..e850adce81 100644
--- a/demos/android/MASVS-CODE/MASTG-DEMO-0021/output.txt
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0021/output.txt
@@ -8,143 +8,9 @@ "md5": "5132d18a9ed0b5eb9a6137885959bcb5", "sha1": "5c34a8c35bb3fd5ec39d3a67ceae691d0f3eb455", "sha256": "04d68254c5216d059504d97e2cf2f8ba7922453059701a5adc65652809dd1599", - "projectReferences": [ - "app:debugCompileClasspath", - "app:implementationDependenciesMetadata", - "app:releaseCompileClasspath", - "app:releaseRuntimeClasspath", - "app:debugRuntimeClasspath" - ], - "includedBy": [ - { - "reference": "pkg:maven\/MASTestApp\/app@unspecified" - }, - { - "reference": "pkg:maven\/MASTestApp\/app@unspecified" - }, - { - "reference": "pkg:maven\/MASTestApp\/app@unspecified" - }, - { - "reference": "pkg:maven\/MASTestApp\/app@unspecified" - }, - { - "reference": "pkg:maven\/MASTestApp\/app@unspecified" - } - ], - "evidenceCollected": { - "vendorEvidence": [ - { - "type": "vendor", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "okhttp" - }, - { - "type": "vendor", - "confidence": "HIGHEST", - "source": "gradle", - "name": "artifactid", - "value": "okhttp" - }, - { - "type": "vendor", - "confidence": "HIGHEST", - "source": "gradle", - "name": "groupid", - "value": "com.squareup.okhttp3" - }, - { - "type": "vendor", - "confidence": "LOW", - "source": "jar", - "name": "package name", - "value": "internal" - }, - { - "type": "vendor", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "okhttp3" - }, - { - "type": "vendor", - "confidence": "LOW", - "source": "jar", - "name": "package name", - "value": "okhttp3" - }, - { - "type": "vendor", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "automatic-module-name", - "value": "okhttp3" - } - ], - "productEvidence": [ - { - "type": "product", - "confidence": "HIGH", - "source": "file", - "name": "name", - "value": "okhttp" - }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "gradle", - "name": "artifactid", - "value": "okhttp" - }, - { - "type": "product", - "confidence": "LOW", - "source": "jar", - "name": "package 
name", - "value": "internal" - }, - { - "type": "product", - "confidence": "HIGHEST", - "source": "jar", - "name": "package name", - "value": "okhttp3" - }, - { - "type": "product", - "confidence": "MEDIUM", - "source": "Manifest", - "name": "automatic-module-name", - "value": "okhttp3" - } - ], - "versionEvidence": [ - { - "type": "version", - "confidence": "MEDIUM", - "source": "file", - "name": "name", - "value": "okhttp" - }, - { - "type": "version", - "confidence": "HIGH", - "source": "file", - "name": "version", - "value": "4.8.0" - }, - { - "type": "version", - "confidence": "HIGHEST", - "source": "gradle", - "name": "version", - "value": "4.8.0" - } - ] - }, +... +[redacted for readability] +... "packages": [ { "id": "pkg:maven\/com.squareup.okhttp3\/okhttp@4.8.0", 
@@ -216,97 +82,6 @@ } ] }, - { - "source": "NVD", - "name": "CVE-2023-0833", - "severity": "MEDIUM", - "cvssv3": { - "baseScore": 5.5, - "attackVector": "LOCAL", - "attackComplexity": "LOW", - "privilegesRequired": "LOW", - "userInteraction": "NONE", - "scope": "UNCHANGED", - "confidentialityImpact": "HIGH", - "integrityImpact": "NONE", - "availabilityImpact": "NONE", - "baseSeverity": "MEDIUM", - "exploitabilityScore": "1.8", - "impactScore": "3.6", - "version": "3.1" - }, - "cwes": [ - "CWE-209" - ], - "description": "A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.", - "notes": "", - "references": [ - { - "source": "secalert@redhat.com", - "url": "https:\/\/access.redhat.com\/errata\/RHSA-2023:1241", - "name": "THIRD_PARTY_ADVISORY" - }, - { - "source": "secalert@redhat.com", - "url": "https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=2169845", - "name": "ISSUE_TRACKING,THIRD_PARTY_ADVISORY" - }, - { - "source": "secalert@redhat.com", - "url": "https:\/\/github.com\/square\/okhttp\/issues\/6738", - "name": "EXPLOIT,ISSUE_TRACKING,THIRD_PARTY_ADVISORY" - }, - { - "source": "secalert@redhat.com", - "url": "https:\/\/access.redhat.com\/security\/cve\/CVE-2023-0833", - "name": "THIRD_PARTY_ADVISORY" - }, - { - "source": "OSSINDEX", - "url": "https:\/\/ossindex.sonatype.org\/vulnerability\/CVE-2023-0833?component-type=maven&component-name=com.squareup.okhttp3%2Fokhttp&utm_source=dependency-check&utm_medium=integration&utm_content=10.0.4", - "name": "[CVE-2023-0833] CWE-200: Information Exposure" - }, - { - "source": "OSSIndex", - "url": "https:\/\/github.com\/square\/okhttp\/pull\/6551", - "name": "https:\/\/github.com\/square\/okhttp\/pull\/6551" - }, - { - "source": "secalert@redhat.com", - "url": 
"https:\/\/access.redhat.com\/errata\/RHSA-2023:3223", - "name": "THIRD_PARTY_ADVISORY" - }, - { - "source": "OSSIndex", - "url": "https:\/\/github.com\/square\/okhttp\/issues\/6738", - "name": "https:\/\/github.com\/square\/okhttp\/issues\/6738" - } - ], - "vulnerableSoftware": [ - { - "software": { - "id": "cpe:2.3:a:redhat:a-mq_streams:*:*:*:*:*:*:*:*", - "versionEndExcluding": "2.2.1" - } - }, - { - "software": { - "id": "cpe:2.3:a:redhat:a-mq_streams:*:*:*:*:*:*:*:*", - "versionStartIncluding": "2.3.0", - "versionEndExcluding": "2.4.0" - } - }, - { - "software": { - "id": "cpe:2.3:a:squareup:okhttp:*:*:*:*:*:*:*:*", - "vulnerabilityIdMatched": "true", - "versionEndExcluding": "4.9.2" - } - } - ] - } - ] - }, ... [redacted for readability] ... \ No newline at end of file From acaddcc72ec9575c9a6e328a255bb2d7d57f4225 Mon Sep 17 00:00:00 2001 From: Sven Date: Sat, 23 Nov 2024 06:37:46 +0100 Subject: [PATCH 13/17] Update techniques/ios/MASTG-TECH-0115.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- techniques/ios/MASTG-TECH-0115.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/techniques/ios/MASTG-TECH-0115.md b/techniques/ios/MASTG-TECH-0115.md index 3baabf6964..a25c42be83 100644 --- a/techniques/ios/MASTG-TECH-0115.md +++ b/techniques/ios/MASTG-TECH-0115.md 
@@ -3,7 +3,7 @@ title: Verifying iOS Dependencies during runtime
 platform: ios
 ---
 
-> The preferred technique for analyzing dependencies, is @MASTG-TECH-0113 or @MASTG-TECH-0114. This technique described here should only be used in a black-box environment, as it is manual and and cannot easily be automated.
+> The preferred technique for analyzing dependencies, is @MASTG-TECH-0113 or @MASTG-TECH-0114. This technique described here should only be used in a black-box environment, as it is manual and cannot easily be automated.
 
 When performing app analysis, it is important to also analyze the app dependencies, usually in the form of libraries or so-called iOS Frameworks and ensure that they don't contain any known vulnerabilities. Even when you don't have the source code, you can still identify some of the app dependencies using tools like @MASTG-TOOL-0038, @MASTG-TOOL-0035 or the `otool -L` command. @MASTG-TOOL-0038 is the recommended tool, since it provides the most accurate results and it is easy to use. It contains a module to work with iOS Bundles, which offers two commands: `list_bundles` and `list_frameworks`.
 
From cc2cf1160f331ee02394b96ce9214fd1c0ffc965 Mon Sep 17 00:00:00 2001
From: Sven Schleier
Date: Sat, 23 Nov 2024 06:42:24 +0100
Subject: [PATCH 14/17] changed tech ID due to conflict

---
 techniques/android/{MASTG-TECH-0116.md => MASTG-TECH-0122.md} | 2 +-
 tests-beta/android/MASVS-CODE/MASTG-TEST-0218.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename techniques/android/{MASTG-TECH-0116.md => MASTG-TECH-0122.md} (77%)

diff --git a/techniques/android/MASTG-TECH-0116.md b/techniques/android/MASTG-TECH-0122.md
similarity index 77%
rename from techniques/android/MASTG-TECH-0116.md
rename to techniques/android/MASTG-TECH-0122.md
index 1e77625ae1..c81ce24c91 100644
--- a/techniques/android/MASTG-TECH-0116.md
+++ b/techniques/android/MASTG-TECH-0122.md
@@ -22,6 +22,6 @@ $ curl -X "PUT" "http://localhost:8081/api/v1/bom" \
 }'
 ```
-Go to frontend of dependency-check, which is , if you are using the default settings of the dependency-track docker container. Open the project you uploaded the SBOM to and you can verify if there are any vulnerable dependencies.
+Go to the frontend of dependency-check, which is , if you are using the default settings of the dependency-track docker container. Open the project you uploaded the SBOM to and you can verify if there are any vulnerable dependencies.
 > Note: Transitive dependencies are supported by @MASTG-TOOL-0117 for [Java and Kotlin](https://cyclonedx.github.io/cdxgen/#/PROJECT_TYPES).
diff --git a/tests-beta/android/MASVS-CODE/MASTG-TEST-0218.md b/tests-beta/android/MASVS-CODE/MASTG-TEST-0218.md
index e63fd17d0f..44838a29e4 100644
--- a/tests-beta/android/MASVS-CODE/MASTG-TEST-0218.md
+++ b/tests-beta/android/MASVS-CODE/MASTG-TEST-0218.md
@@ -12,7 +12,7 @@ In this test case we are identifying dependencies with known vulnerabilities by
 ## Steps
-1. Either ask the development team to share a SBOM in CycloneDX format, or create one by yourself and follow @MASTG-TECH-0116.
+1. Either ask the development team to share a SBOM in CycloneDX format, or create one by yourself and follow @MASTG-TECH-0122.
 2. Open @MASTG-TOOL-0117 and inspect the project where the SBOM was uploaded for the use of vulnerable dependencies.
From 9050cb9305ee24b11ed9d89437af76ef44cf8ad3 Mon Sep 17 00:00:00 2001
From: Sven Schleier
Date: Sat, 23 Nov 2024 06:44:29 +0100
Subject: [PATCH 15/17] Updated new TECH ID
---
 demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md | 2 +-
 techniques/android/MASTG-TECH-0117.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md b/demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md
index 79f5f1b3b6..99623a06d8 100644
--- a/demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md
+++ b/demos/android/MASVS-CODE/MASTG-DEMO-0022/MASTG-DEMO-022.md
@@ -11,7 +11,7 @@ Execute `cdxgen` in the root directory of the Android Studio project.
 {{ run.sh }}
-This will create a SBOM file that can be uploaded to @MASTG-TOOL-0117 by following @MASTG-TECH-0116.
+This will create a SBOM file that can be uploaded to @MASTG-TOOL-0117 by following @MASTG-TECH-0122.
 ### Observation
diff --git a/techniques/android/MASTG-TECH-0117.md b/techniques/android/MASTG-TECH-0117.md
index 035d03bee9..1eb0513e50 100644
--- a/techniques/android/MASTG-TECH-0117.md
+++ b/techniques/android/MASTG-TECH-0117.md
@@ -3,6 +3,6 @@ title: Verifying Android Dependencies during runtime
 platform: android
 ---
-> The preferred technique for analyzing dependencies, is @MASTG-TECH-0112 or @MASTG-TECH-0116. This technique described here should only be used in a black-box environment, as it is manual and and cannot easily be automated.
+> The preferred technique for analyzing dependencies, is @MASTG-TECH-0112 or @MASTG-TECH-0122. This technique described here should only be used in a black-box environment, as it is manual and and cannot easily be automated.
 When analysing an application, it's important to analyse the dependencies of the application, usually in the form of libraries, and make sure they don't contain any known vulnerabilities. If the sources are not available, you can decompile the application and check the JAR files. If @MASTG-TOOL-0022D or other obfuscation tools are used properly, the version information about the library is often obfuscated and therefore gone. Otherwise, the information can often still be found in the comments of the Java files of given libraries. Tools such as @MASTG-TOOL-0002 can help to analyse the possible libraries packaged with the application. If you can get the version of the library, either from the comments or from specific methods used in certain versions, you can look for CVEs by hand.
From 8801851a256091c540d1606dbbc47119a3a6979d Mon Sep 17 00:00:00 2001
From: Sven Schleier
Date: Sat, 23 Nov 2024 06:52:09 +0100
Subject: [PATCH 16/17] updated IDs
---
 demos/ios/MASVS-CODE/MASTG-DEMO-0023/MASTG-DEMO-0023.md | 2 +-
 techniques/android/{MASTG-TECH-0117.md => MASTG-TECH-0121.md} | 0
 techniques/ios/MASTG-TECH-0115.md | 2 +-
 techniques/ios/{MASTG-TECH-0113.md => MASTG-TECH-0123.md} | 0
 techniques/ios/{MASTG-TECH-0114.md => MASTG-TECH-0124.md} | 0
 tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md | 2 +-
 tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md | 2 +-
 tools/android/{MASTG-TOOL-0120.md => MASTG-TOOL-0125.md} | 0
 8 files changed, 4 insertions(+), 4 deletions(-)
 rename techniques/android/{MASTG-TECH-0117.md => MASTG-TECH-0121.md} (100%)
 rename techniques/ios/{MASTG-TECH-0113.md => MASTG-TECH-0123.md} (100%)
 rename techniques/ios/{MASTG-TECH-0114.md => MASTG-TECH-0124.md} (100%)
 rename tools/android/{MASTG-TOOL-0120.md => MASTG-TOOL-0125.md} (100%)
diff --git a/demos/ios/MASVS-CODE/MASTG-DEMO-0023/MASTG-DEMO-0023.md b/demos/ios/MASVS-CODE/MASTG-DEMO-0023/MASTG-DEMO-0023.md
index e2f14b2fed..bb37a2555e 100644
--- a/demos/ios/MASVS-CODE/MASTG-DEMO-0023/MASTG-DEMO-0023.md
+++ b/demos/ios/MASVS-CODE/MASTG-DEMO-0023/MASTG-DEMO-0023.md
@@ -11,7 +11,7 @@ Execute @MASTG-TOOL-0119 in the root directory of the Xcode project.
 {{ run.sh }}
-This will create a SBOM file that can be uploaded to @MASTG-TOOL-0117 by following @MASTG-TECH-0113.
+This will create a SBOM file that can be uploaded to @MASTG-TOOL-0117 by following @MASTG-TECH-0123.
 ### Observation
diff --git a/techniques/android/MASTG-TECH-0117.md b/techniques/android/MASTG-TECH-0121.md
similarity index 100%
rename from techniques/android/MASTG-TECH-0117.md
rename to techniques/android/MASTG-TECH-0121.md
diff --git a/techniques/ios/MASTG-TECH-0115.md b/techniques/ios/MASTG-TECH-0115.md
index a25c42be83..9511b97af3 100644
--- a/techniques/ios/MASTG-TECH-0115.md
+++ b/techniques/ios/MASTG-TECH-0115.md
@@ -3,7 +3,7 @@ title: Verifying iOS Dependencies during runtime
 platform: ios
 ---
-> The preferred technique for analyzing dependencies, is @MASTG-TECH-0113 or @MASTG-TECH-0114. This technique described here should only be used in a black-box environment, as it is manual and cannot easily be automated.
+> The preferred technique for analyzing dependencies, is @MASTG-TECH-0123 or @MASTG-TECH-0124. This technique described here should only be used in a black-box environment, as it is manual and cannot easily be automated.
 When performing app analysis, it is important to also analyze the app dependencies, usually in the form of libraries or so-called iOS Frameworks and ensure that they don't contain any known vulnerabilities. Even when you don't have the source code, you can still identify some of the app dependencies using tools like @MASTG-TOOL-0038, @MASTG-TOOL-0035 or the `otool -L` command. @MASTG-TOOL-0038 is the recommended tool, since it provides the most accurate results and it is easy to use. It contains a module to work with iOS Bundles, which offers two commands: `list_bundles` and `list_frameworks`.
diff --git a/techniques/ios/MASTG-TECH-0113.md b/techniques/ios/MASTG-TECH-0123.md
similarity index 100%
rename from techniques/ios/MASTG-TECH-0113.md
rename to techniques/ios/MASTG-TECH-0123.md
diff --git a/techniques/ios/MASTG-TECH-0114.md b/techniques/ios/MASTG-TECH-0124.md
similarity index 100%
rename from techniques/ios/MASTG-TECH-0114.md
rename to techniques/ios/MASTG-TECH-0124.md
diff --git a/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md
index 4c221f6fd4..5bcedec434 100644
--- a/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md
+++ b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0215.md
@@ -12,7 +12,7 @@ In this test case we are identifying dependencies with known vulnerabilities in
 ## Steps
-1. In order to do this in the most efficient way you would need to ask the developer(s) which dependency managers are being used and to share the relevant file(s) created by them. Follow @MASTG-TECH-0114 for on overview of the package managers and request for the relevant files.
+1. In order to do this in the most efficient way you would need to ask the developer(s) which dependency managers are being used and to share the relevant file(s) created by them. Follow @MASTG-TECH-0124 for on overview of the package managers and request for the relevant files.
 2. Run a SCA analysis tool such as @MASTG-TOOL-0116 against the file(s) created by the dependency manager(s) and look for the use of vulnerable dependencies.
diff --git a/tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md
index a187bf35b6..219b0a6b6d 100644
--- a/tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md
+++ b/tests-beta/ios/MASVS-CODE/MASTG-TEST-0217.md
@@ -12,7 +12,7 @@ In this test case we are identifying SwiftPM dependencies with known vulnerabili
 ## Steps
-1. Either ask the development team to share a SBOM in CycloneDX format, or create one by yourself and follow @MASTG-TECH-0113.
+1. Either ask the development team to share a SBOM in CycloneDX format, or create one by yourself and follow @MASTG-TECH-0123.
 2. Open @MASTG-TOOL-0117 and inspect the project where the SBOM was uploaded for the use of vulnerable dependencies.
diff --git a/tools/android/MASTG-TOOL-0120.md b/tools/android/MASTG-TOOL-0125.md
similarity index 100%
rename from tools/android/MASTG-TOOL-0120.md
rename to tools/android/MASTG-TOOL-0125.md
From 48544da5aeecd13863873aba2897cc126218b26c Mon Sep 17 00:00:00 2001
From: Sven Schleier
Date: Wed, 27 Nov 2024 05:12:36 +0100
Subject: [PATCH 17/17] deprecate v1 test cases
---
 tests/android/MASVS-CODE/MASTG-TEST-0042.md | 3 +++
 tests/ios/MASVS-CODE/MASTG-TEST-0085.md | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/tests/android/MASVS-CODE/MASTG-TEST-0042.md b/tests/android/MASVS-CODE/MASTG-TEST-0042.md
index 99b1c02ad1..017f1aafe8 100644
--- a/tests/android/MASVS-CODE/MASTG-TEST-0042.md
+++ b/tests/android/MASVS-CODE/MASTG-TEST-0042.md
@@ -8,6 +8,9 @@ title: Checking for Weaknesses in Third Party Libraries
 masvs_v1_levels:
 - L1
 - L2
+status: deprecated
+covered_by: [MASTG-TEST-0216, MASTG-TEST-0218]
+deprecation_note: New version available in MASTG V2
 ---
 ## Overview
diff --git a/tests/ios/MASVS-CODE/MASTG-TEST-0085.md b/tests/ios/MASVS-CODE/MASTG-TEST-0085.md
index e1a952e99a..86a104778d 100644
--- a/tests/ios/MASVS-CODE/MASTG-TEST-0085.md
+++ b/tests/ios/MASVS-CODE/MASTG-TEST-0085.md
@@ -8,6 +8,9 @@ title: Checking for Weaknesses in Third Party Libraries
 masvs_v1_levels:
 - L1
 - L2
+status: deprecated
+covered_by: [MASTG-TEST-0215, MASTG-TEST-0217]
+deprecation_note: New version available in MASTG V2
 ---
 ## Overview