sast-scan

Feature request: iOS language support

Open donnie-jp opened this issue 4 years ago • 3 comments

It would be nice to have support for Swift and Objective-C scanning. Maybe through running https://mobsf.github.io/docs/#/ as a local server in the docker container.

donnie-jp avatar Oct 21 '20 08:10 donnie-jp

@donnie-jp Good suggestion. I remember seeing mobsf a while ago and decided against bundling it with scan. The tool is a nice static + dynamic analyzer. The static analysis tool, however, uses basic rules with regular expressions - https://github.com/MobSF/Mobile-Security-Framework-MobSF/tree/master/StaticAnalyzer/views/ios/rules

Other than JavaScript which uses a grepping tool (and is about to be removed), all the tools bundled with scan have undergone a level of testing to ensure the findings are accurate with fewer false positives. The tools should at a minimum use a combination of AST (Abstract Syntax Trees) with some amount of CFG (Control Flow Graph) to arrive at the findings. If you find such a tool for iOS Swift please let me know so that we can do some testing collaboratively with sample vulnerable repos.

prabhu avatar Oct 21 '20 12:10 prabhu

Maybe you can add support through the new (I think) https://github.com/MobSF/mobsfscan which doesn't require a server/container - or is that more of an alternative to sast-scan?

donnie-jp avatar Jul 15 '21 05:07 donnie-jp

@donnie-jp Thank you for sharing this link. I looked at mobsfscan now, and it looks like a grep based tool and therefore can hardly work. Let's take an example - deserialization

https://github.com/MobSF/mobsfscan/blob/main/mobsfscan/rules/semgrep/deserialization/jackson_deserialization.yaml

Deserialization occurs when an attacker-controlled input is passed to a method without any validation or sanitization. In the case of Jackson databind there are methods such as readValue. There are other read methods too, and there are other libraries such as XStream that can offer deserialization capability.

The rule used by mobsfscan is very rudimentary. It is looking for an import of ObjectMapper and then a method called enableDefaultTyping.

import com.fasterxml.jackson.databind.ObjectMapper;
...
$Z.enableDefaultTyping();

This is a wrong assumption, that deserialization is only possible after invoking enableDefaultTyping. There are many other enable methods and many other forms of performing insecure deserialization. So, the tool has both a high false negative and a high false positive rate.

This is where my dilemma starts. Should I include the only OSS tool available for a given language despite knowing its limitations, or wait for a better tool to be developed? I think I would rather wait, but please don't hesitate to use multiple tools.

prabhu avatar Jul 15 '21 12:07 prabhu
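The two failure modes described in the comment above (and the earlier point that a scanner needs at least AST-level reasoning rather than grepping) can be reproduced in a few lines. The following is an added example, not code from this thread, mobsfscan or sast-scan: it re-implements the quoted import-plus-enableDefaultTyping pattern as a regex, then runs it and a slightly broader source-to-sink check over two constructed Java snippets. The snippets are constructed for illustration; the Jackson method names activateDefaultTyping and the AsProperty variants are real Jackson 2.10+ API, while TypeValidators.permissive() is a hypothetical helper standing in for whatever validator the code builds. The "broader" check is still pattern matching, deliberately short of the AST/CFG analysis the thread asks for.

```python
"""Grep-style Jackson rule vs. a source/sink-aware check (illustrative, constructed)."""
import re

# Constructed Java snippet 1: the grep rule fires, but the only value reaching
# readValue is a compile-time constant. Under the thread's definition (attacker
# input reaching the sink without validation) this is a false positive.
CONSTANT_INPUT = """
import com.fasterxml.jackson.databind.ObjectMapper;
class Config {
    static final String DEFAULTS = "{\\"retries\\":3}";
    Object load() throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper.readValue(DEFAULTS, Object.class);
    }
}
"""

# Constructed Java snippet 2: default typing is switched on through
# activateDefaultTyping (the Jackson 2.10 replacement for the deprecated call)
# and a request parameter reaches readValue. The grep rule never matches:
# a false negative. TypeValidators.permissive() is a hypothetical helper.
REQUEST_INPUT = """
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
class Handler {
    Object handle(javax.servlet.http.HttpServletRequest request) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        PolymorphicTypeValidator ptv = TypeValidators.permissive(); // hypothetical helper
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        String body = request.getParameter("data");
        return mapper.readValue(body, Object.class);
    }
}
"""

# Mirror of the pattern quoted in the thread: ObjectMapper import + enableDefaultTyping().
IMPORT_RE = re.compile(r"^\s*import\s+com\.fasterxml\.jackson\.databind\.ObjectMapper;", re.M)
ENABLE_RE = re.compile(r"\.enableDefaultTyping\s*\(")

# Broader knob list: the deprecated enable* calls and their activate* replacements.
DEFAULT_TYPING_RE = re.compile(
    r"\.(enableDefaultTyping|enableDefaultTypingAsProperty"
    r"|activateDefaultTyping|activateDefaultTypingAsProperty)\s*\("
)
# Very small taint model: a local assigned from a servlet request accessor.
TAINT_ASSIGN_RE = re.compile(r"(\w+)\s*=\s*request\.get(?:Parameter|Reader|InputStream)\s*\(")
# Sink: first argument of readValue(...).
SINK_RE = re.compile(r"\.readValue\s*\(\s*([^,)]+)")


def grep_style_rule(source: str) -> bool:
    """True when the quoted import/enableDefaultTyping pattern matches anywhere."""
    return bool(IMPORT_RE.search(source) and ENABLE_RE.search(source))


def source_aware_check(source: str) -> dict:
    """Report a finding only if default typing is enabled AND a request-derived
    value reaches readValue. Still regex-based, so it is an approximation."""
    enabled = DEFAULT_TYPING_RE.search(source) is not None
    tainted = {m.group(1) for m in TAINT_ASSIGN_RE.finditer(source)}
    sinks = []
    for m in SINK_RE.finditer(source):
        arg = m.group(1).strip()
        if arg in tainted or arg.startswith("request."):
            sinks.append(arg)
    return {"default_typing_enabled": enabled, "tainted_sinks": sinks,
            "finding": enabled and bool(sinks)}


def compare() -> dict:
    """Run both checks over the constructed samples; the grep rule gets both wrong."""
    return {
        "constant_input": {"grep": grep_style_rule(CONSTANT_INPUT),
                           "source_aware": source_aware_check(CONSTANT_INPUT)["finding"]},
        "request_input": {"grep": grep_style_rule(REQUEST_INPUT),
                          "source_aware": source_aware_check(REQUEST_INPUT)["finding"]},
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Even the broader check only survives because the samples keep the tainted value in one local; rename the variable through a helper method or pass it via a field and the regex loses track, which is exactly the gap that AST plus control-flow (or proper taint) analysis closes.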