
:hammer: Merge the MobSF scanner

Open manuel-sommer opened this issue 6 months ago • 7 comments

It is more user-friendly to have only one MobSF scan type to choose. Before parsing MobSF files, you have to analyse which parser is the right one.

manuel-sommer avatar May 23 '25 17:05 manuel-sommer

DryRun Security

:red_circle: Risk threshold exceeded.

This pull request involves configuration changes for scanner support, primarily updating MobSF Scan integration in the settings, with a potential information injection risk in the MobSF report processing that may require additional input validation and sanitization.

:warning: Configured Codepaths Edit in dojo/db_migrations/0230_merge_mobsf.py
Vulnerability Configured Codepaths Edit
Description Sensitive edits detected for this file. Sensitive file paths and allowed authors can be configured in .dryrunsecurity.yaml.
:warning: Configuration Change Risk in dojo/settings/settings.dist.py
Vulnerability Configuration Change Risk
Description The suggested vulnerability highlights a potential reduction in security monitoring capabilities due to the removal of scanner configurations for Nexpose and SonarQube. However, this is not a security vulnerability in the traditional sense, but rather an operational configuration change. The addition of the MobSF Scan configuration suggests an intentional update to the scanner ecosystem. This does not represent a security risk that requires remediation through code changes.

https://github.com/DefectDojo/django-DefectDojo/blob/1a999ff83b835e38aeea2dd40d2623b2ea072d8c/dojo/settings/settings.dist.py#L1262-L1267

:warning: Configuration Change Risk in dojo/settings/settings.dist.py
Vulnerability Configuration Change Risk
Description Similar to the previous hunk, this is an intentional configuration update for scanner support. The removal of existing scanner configurations and addition of MobSF Scan appears to be a deliberate modification to the application's scanner integration. This does not constitute a security vulnerability requiring immediate action.

https://github.com/DefectDojo/django-DefectDojo/blob/1a999ff83b835e38aeea2dd40d2623b2ea072d8c/dojo/settings/settings.dist.py#L1322-L1328

:warning: Configuration Change Risk in dojo/settings/settings.dist.py
Vulnerability Configuration Change Risk
Description Continuing the pattern of previous hunks, this configuration change is part of a coordinated update to the scanner support in the application. The changes do not introduce a security risk that would require mitigation.

https://github.com/DefectDojo/django-DefectDojo/blob/1a999ff83b835e38aeea2dd40d2623b2ea072d8c/dojo/settings/settings.dist.py#L1380-L1385

:warning: Configuration Change Risk in dojo/settings/settings.dist.py
Vulnerability Configuration Change Risk
Description Consistent with the previous hunks, this configuration modification is part of a planned update to the application's scanner integration. It does not represent a security vulnerability.

https://github.com/DefectDojo/django-DefectDojo/blob/1a999ff83b835e38aeea2dd40d2623b2ea072d8c/dojo/settings/settings.dist.py#L1488-L1493

:warning: Potential Information Injection in dojo/tools/mobsf/api_report_json.py
Vulnerability Potential Information Injection
Description The code constructs descriptions by directly incorporating fields from an external MobSF report without comprehensive sanitization. While the use of html2text() provides some mitigation, there's a potential risk of information disclosure or content manipulation if the input is maliciously crafted. The code should implement additional input validation and sanitization to prevent potential risks.

https://github.com/DefectDojo/django-DefectDojo/blob/1a999ff83b835e38aeea2dd40d2623b2ea072d8c/dojo/tools/mobsf/api_report_json.py#L1-L388

We've notified @mtesauro.


All finding details can be found in the DryRun Security Dashboard.

dryrunsecurity[bot] avatar May 23 '25 17:05 dryrunsecurity[bot]

I notice 3 MobSF entries in settings.dist.py

valentijnscholten avatar May 26 '25 11:05 valentijnscholten

This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions[bot] avatar Jun 02 '25 18:06 github-actions[bot]

Conflicts have been resolved. A maintainer will review the pull request shortly.

github-actions[bot] avatar Jun 02 '25 20:06 github-actions[bot]

> I looked at the mobsfscan github repo and website. It looks like there are two ways to generate reports. One via the CLI, the other via the API (of the SAAS platform?). And we used to have two parsers for them and this PR merges them into 1 parser?
>
> If this is correct, could you add a little of this info to the docs and/or description of the PR?
>
> Could you also add instructions to the upgrade notes about the removal of the Mobsfscan Scan scan type and the new value to be used (MobSF Scan)

The thing is that I checked out MobSF and I wanted to import it to Defectdojo, but was confused about two parsers being listed. Thus, I am not really familiar with MobSF, but that PR helps beginners. I will add upgrade instructions.

manuel-sommer avatar Jun 10 '25 10:06 manuel-sommer

Hi @manuel-sommer, we have some concerns around the disappearance of the Mobsfscan Scan scan_type which might break integrations. What do you think about not migrating the existing tests, but adding the old scan_type to the new parser similar to #12604

valentijnscholten avatar Jun 13 '25 20:06 valentijnscholten

> Hi @manuel-sommer, we have some concerns around the disappearance of the Mobsfscan Scan scan_type which might break integrations. What do you think about not migrating the existing tests, but adding the old scan_type to the new parser similar to #12604

Done @valentijnscholten

manuel-sommer avatar Jun 20 '25 11:06 manuel-sommer
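The two points discussed above (one parser for both the mobsfscan CLI report and the MobSF API report, and keeping the legacy `Mobsfscan Scan` scan type alongside `MobSF Scan` so existing API integrations keep working), plus the DryRun note that report fields flow straight into finding descriptions, are sketched below as an added example. This is not the PR's code or DefectDojo's own parser: the two JSON shapes, the markers used to tell them apart, the sample reports and the hook names (`get_scan_types`, `get_findings`) are assumptions made for the illustration.

```python
import json
import re
from typing import Any

# Constructed sample reports (not real tool output). The two shapes and the
# keys used to tell them apart are ASSUMED for this example only.
MOBSFSCAN_CLI_SAMPLE = json.dumps({
    "mobsfscan_version": "0.0.0",
    "results": {
        "android_logging": {
            "metadata": {"cwe": "CWE-532", "severity": "INFO",
                         "description": "The app logs information. Data may leak."},
            "files": [{"file_path": "app/MainActivity.java", "match_lines": [12, 12]}],
        },
    },
})
MOBSF_API_SAMPLE = json.dumps({
    "app_name": "demo",
    "file_name": "demo.apk",
    "code_analysis": {
        "findings": {
            "android_logging": {
                "metadata": {"cwe": "CWE-532", "severity": "info",
                             "description": "<b>Logs</b> may leak data\x07"},
                "files": {"app/MainActivity.java": "12,40"},
            },
        },
    },
})

_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
_TAG = re.compile(r"<[^>]+>")
MAX_FIELD_LEN = 2000
_SEVERITY = {"critical": "Critical", "high": "High", "warning": "Medium",
             "medium": "Medium", "low": "Low", "info": "Info"}


def safe_text(value: Any, limit: int = MAX_FIELD_LEN) -> str:
    """Report fields are untrusted: coerce to str, drop HTML tags and control
    characters, and bound the length before the value reaches a description."""
    text = value if isinstance(value, str) else json.dumps(value, default=str)
    text = _CONTROL.sub("", _TAG.sub("", text))
    return text[:limit] + (" [truncated]" if len(text) > limit else "")


def normalize_severity(raw: Any) -> str:
    """Map either tool's severity spelling onto one fixed vocabulary."""
    return _SEVERITY.get(str(raw).strip().lower(), "Info")


def detect_format(data: dict) -> str:
    """Sniff which report shape was uploaded (assumed markers)."""
    if "results" in data and "mobsfscan_version" in data:
        return "cli"
    if "code_analysis" in data:
        return "api"
    raise ValueError("not a recognised MobSF report")


class MobSFScanParser:
    """One parser for both shapes, registered under both scan-type names."""
    CANONICAL = "MobSF Scan"
    LEGACY = "Mobsfscan Scan"  # kept so integrations importing with the old name still work

    def get_scan_types(self) -> list[str]:
        return [self.CANONICAL, self.LEGACY]

    def get_findings(self, raw_json: str) -> list[dict]:
        data = json.loads(raw_json)
        return self._from_cli(data) if detect_format(data) == "cli" else self._from_api(data)

    def _finding(self, rule_id: str, meta: dict, path: str, line) -> dict:
        return {
            "title": safe_text(rule_id, 200),
            "severity": normalize_severity(meta.get("severity")),
            "cwe": safe_text(meta.get("cwe", ""), 32),
            "description": safe_text(meta.get("description", "")),
            "file_path": safe_text(path, 512),
            "line": line,
        }

    def _from_cli(self, data: dict) -> list[dict]:
        findings = []
        for rule_id, item in data["results"].items():
            meta = item.get("metadata", {})
            for f in item.get("files", []):
                lines = f.get("match_lines") or [None]
                findings.append(self._finding(rule_id, meta, f.get("file_path", ""), lines[0]))
        return findings

    def _from_api(self, data: dict) -> list[dict]:
        findings = []
        for rule_id, item in data["code_analysis"].get("findings", {}).items():
            meta = item.get("metadata", {})
            for path, line_csv in item.get("files", {}).items():
                first = str(line_csv).split(",")[0].strip()
                findings.append(self._finding(rule_id, meta, path, int(first) if first.isdigit() else None))
        return findings
```

The point of `safe_text` is the caveat from the DryRun comment: a MobSF report is attacker-influenced input (it is generated from the app under test), so anything copied into a description should be type-coerced, stripped of markup and control characters, and length-bounded rather than concatenated as-is; which scan type name was selected at upload does not change the parsing path.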

This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions[bot] avatar Jul 01 '25 17:07 github-actions[bot]

Conflicts have been resolved. A maintainer will review the pull request shortly.

github-actions[bot] avatar Jul 03 '25 06:07 github-actions[bot]

This pull request has conflicts, please resolve those before we can evaluate the pull request.

github-actions[bot] avatar Jul 14 '25 15:07 github-actions[bot]

Conflicts have been resolved. A maintainer will review the pull request shortly.

github-actions[bot] avatar Jul 16 '25 07:07 github-actions[bot]

Do you think we can merge this for release 2.50.0?

manuel-sommer avatar Aug 29 '25 12:08 manuel-sommer

Can we get this on the road please @mtesauro ?

manuel-sommer avatar Sep 16 '25 05:09 manuel-sommer

@valentijnscholten Can we merge this even though the unit tests are failing, as the docs unit tests have nothing to do with this PR?

manuel-sommer avatar Oct 15 '25 19:10 manuel-sommer

> @manuel-sommer
>
> Can you move the upgrade notes to the correct file? Can you try to rebase to see if that fixes the docs build error? The error seems persistent.

I agree with moving the upgrade notes as Val mentioned.

We're also looking into that doc error - seems like one of the dependencies that builds the doc hasn't upgraded to the version of hugo we're using. We're trying to verify that currently.

mtesauro avatar Oct 16 '25 01:10 mtesauro

Done @valentijnscholten . Let's see if that fixes the broken docs.

manuel-sommer avatar Oct 16 '25 05:10 manuel-sommer

DryRun Security

This pull request includes a finding where sensitive internal data (the apk_exploit_dict and line_number) are directly concatenated into a finding description in dojo/tools/mobsf/api_report_json.py (lines 311–314), which may disclose application structure or exploit details to attackers. Consider removing or redacting that data from descriptions or moving it to a less-exposed, access-controlled field.

Information Disclosure in Finding Descriptions in dojo/tools/mobsf/api_report_json.py
Vulnerability Information Disclosure in Finding Descriptions
Description The apk_exploit_dict and line_number are directly concatenated into the finding's description. The apk_exploit_dict likely contains internal details about the application's structure or potential exploit paths, which could be sensitive. Exposing this information in the main description of a finding could provide an attacker with valuable insights into the application's vulnerabilities or internal workings.

https://github.com/DefectDojo/django-DefectDojo/blob/591d3f0f5a1dc0341441f8b19385cc51836108e2/dojo/tools/mobsf/api_report_json.py#L311-L314


All finding details can be found in the DryRun Security Dashboard.

dryrunsecurity[bot] avatar Oct 16 '25 05:10 dryrunsecurity[bot]

ok, problem persists. Can we merge it anyway?

manuel-sommer avatar Oct 16 '25 05:10 manuel-sommer