-rw-r--r--.gitignore1
-rw-r--r--python-mobsfscan.spec438
-rw-r--r--sources1
3 files changed, 440 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index e69de29..752baf7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/mobsfscan-0.2.0.tar.gz
diff --git a/python-mobsfscan.spec b/python-mobsfscan.spec
new file mode 100644
index 0000000..ede2117
--- /dev/null
+++ b/python-mobsfscan.spec
@@ -0,0 +1,438 @@
+%global _empty_manifest_terminate_build 0
+Name: python-mobsfscan
+Version: 0.2.0
+Release: 1
+Summary: mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code.
+License: GNU Lesser General Public License v3 or later (LGPLv3+)
+URL: https://github.com/MobSF/mobsfscan
+Source0: https://mirrors.nju.edu.cn/pypi/web/packages/f1/dc/f00e1956966233c883a6fb71fe8d283d0a06ac0e0727473574f43d351c7e/mobsfscan-0.2.0.tar.gz
+BuildArch: noarch
+
+Requires: python3-colorama
+Requires: python3-libsast
+Requires: python3-sarif-om
+Requires: python3-jschema-to-python
+Requires: python3-tabulate
+Requires: python3-xmltodict
+
+%description
+- ignore-filenames:
+ - skip.java
+ ignore-paths:
+ - __MACOSX
+ - skip_dir
+ ignore-rules:
+ - android_kotlin_logging
+ - android_safetynet_api
+ - android_prevent_screenshot
+ - android_detect_tapjacking
+ - android_certificate_pinning
+ - android_root_detection
+ - android_certificate_transparency
+ severity-filter:
+ - WARNING
+ - ERROR
+```
+## Suppress Findings
+You can suppress findings from source files by adding the comment `// mobsf-ignore: rule_id1, rule_id2` to the line that trigger the findings.
+Example:
+```java
+String password = "strong password"; // mobsf-ignore: hardcoded_password
+```
+## CI/CD Integrations
+You can enable mobsfscan in your CI/CD or DevSecOps pipelines.
+#### Github Action
+Add the following to the file `.github/workflows/mobsfscan.yml`.
+```yaml
+name: mobsfscan
+on:
+ push:
+ branches: [ master, main ]
+ pull_request:
+ branches: [ master, main ]
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: mobsfscan
+ uses: MobSF/mobsfscan@main
+ with:
+ args: '. --json'
+```
+Example: [pivaa with mobsfscan github action](https://github.com/MobSF/pivaa/actions/workflows/mobsfscan.yml)
+#### Github Code Scanning Integration
+Add the following to the file `.github/workflows/mobsfscan_sarif.yml`.
+```yaml
+name: mobsfscan sarif
+on:
+ push:
+ branches: [ master, main ]
+ pull_request:
+ branches: [ master, main ]
+jobs:
+ mobsfscan:
+ runs-on: ubuntu-latest
+ name: mobsfscan code scanning
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v2
+ - name: mobsfscan
+ uses: MobSF/mobsfscan@main
+ with:
+ args: '. --sarif --output results.sarif || true'
+ - name: Upload mobsfscan report
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: results.sarif
+```
+![mobsfscan github code scanning](https://user-images.githubusercontent.com/4301109/118427198-839be300-b681-11eb-8b79-92b916ffe3ef.png)
+#### Gitlab CI/CD
+Add the following to the file `.gitlab-ci.yml`.
+```yaml
+stages:
+ - test
+mobsfscan:
+ image: python
+ before_script:
+ - pip3 install --upgrade mobsfscan
+ script:
+ - mobsfscan .
+```
+Example:
+#### Travis CI
+Add the following to the file `.travis.yml`.
+```yaml
+language: python
+install:
+ - pip3 install --upgrade mobsfscan
+script:
+ - mobsfscan .
+```
+#### Circle CI
+Add the following to the file `.circleci/config.yaml`
+```yaml
+version: 2.1
+jobs:
+ mobsfscan:
+ docker:
+ - image: cimg/python:3.9.6
+ steps:
+ - checkout
+ - run:
+ name: Install mobsfscan
+ command: pip install --upgrade mobsfscan
+ - run:
+ name: mobsfscan check
+ command: mobsfscan .
+```
+## Docker
+### Prebuilt image from [DockerHub](https://hub.docker.com/r/opensecurity/mobsfscan)
+```bash
+docker pull opensecurity/mobsfscan
+docker run -v /path-to-source-dir:/src opensecurity/mobsfscan /src
+```
+### Build Locally
+```
+docker build -t mobsfscan .
+docker run -v /path-to-source-dir:/src mobsfscan /src
+```
+
+%package -n python3-mobsfscan
+Summary: mobsfscan is a static analysis tool that can find insecure code patterns in your Android and iOS source code. Supports Java, Kotlin, Swift, and Objective C Code.
+Provides: python-mobsfscan
+BuildRequires: python3-devel
+BuildRequires: python3-setuptools
+BuildRequires: python3-pip
+%description -n python3-mobsfscan
+- ignore-filenames:
+ - skip.java
+ ignore-paths:
+ - __MACOSX
+ - skip_dir
+ ignore-rules:
+ - android_kotlin_logging
+ - android_safetynet_api
+ - android_prevent_screenshot
+ - android_detect_tapjacking
+ - android_certificate_pinning
+ - android_root_detection
+ - android_certificate_transparency
+ severity-filter:
+ - WARNING
+ - ERROR
+```
+## Suppress Findings
+You can suppress findings from source files by adding the comment `// mobsf-ignore: rule_id1, rule_id2` to the line that trigger the findings.
+Example:
+```java
+String password = "strong password"; // mobsf-ignore: hardcoded_password
+```
+## CI/CD Integrations
+You can enable mobsfscan in your CI/CD or DevSecOps pipelines.
+#### Github Action
+Add the following to the file `.github/workflows/mobsfscan.yml`.
+```yaml
+name: mobsfscan
+on:
+ push:
+ branches: [ master, main ]
+ pull_request:
+ branches: [ master, main ]
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: mobsfscan
+ uses: MobSF/mobsfscan@main
+ with:
+ args: '. --json'
+```
+Example: [pivaa with mobsfscan github action](https://github.com/MobSF/pivaa/actions/workflows/mobsfscan.yml)
+#### Github Code Scanning Integration
+Add the following to the file `.github/workflows/mobsfscan_sarif.yml`.
+```yaml
+name: mobsfscan sarif
+on:
+ push:
+ branches: [ master, main ]
+ pull_request:
+ branches: [ master, main ]
+jobs:
+ mobsfscan:
+ runs-on: ubuntu-latest
+ name: mobsfscan code scanning
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v2
+ - name: mobsfscan
+ uses: MobSF/mobsfscan@main
+ with:
+ args: '. --sarif --output results.sarif || true'
+ - name: Upload mobsfscan report
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: results.sarif
+```
+![mobsfscan github code scanning](https://user-images.githubusercontent.com/4301109/118427198-839be300-b681-11eb-8b79-92b916ffe3ef.png)
+#### Gitlab CI/CD
+Add the following to the file `.gitlab-ci.yml`.
+```yaml
+stages:
+ - test
+mobsfscan:
+ image: python
+ before_script:
+ - pip3 install --upgrade mobsfscan
+ script:
+ - mobsfscan .
+```
+Example:
+#### Travis CI
+Add the following to the file `.travis.yml`.
+```yaml
+language: python
+install:
+ - pip3 install --upgrade mobsfscan
+script:
+ - mobsfscan .
+```
+#### Circle CI
+Add the following to the file `.circleci/config.yaml`
+```yaml
+version: 2.1
+jobs:
+ mobsfscan:
+ docker:
+ - image: cimg/python:3.9.6
+ steps:
+ - checkout
+ - run:
+ name: Install mobsfscan
+ command: pip install --upgrade mobsfscan
+ - run:
+ name: mobsfscan check
+ command: mobsfscan .
+```
+## Docker
+### Prebuilt image from [DockerHub](https://hub.docker.com/r/opensecurity/mobsfscan)
+```bash
+docker pull opensecurity/mobsfscan
+docker run -v /path-to-source-dir:/src opensecurity/mobsfscan /src
+```
+### Build Locally
+```
+docker build -t mobsfscan .
+docker run -v /path-to-source-dir:/src mobsfscan /src
+```
+
+%package help
+Summary: Development documents and examples for mobsfscan
+Provides: python3-mobsfscan-doc
+%description help
+- ignore-filenames:
+ - skip.java
+ ignore-paths:
+ - __MACOSX
+ - skip_dir
+ ignore-rules:
+ - android_kotlin_logging
+ - android_safetynet_api
+ - android_prevent_screenshot
+ - android_detect_tapjacking
+ - android_certificate_pinning
+ - android_root_detection
+ - android_certificate_transparency
+ severity-filter:
+ - WARNING
+ - ERROR
+```
+## Suppress Findings
+You can suppress findings from source files by adding the comment `// mobsf-ignore: rule_id1, rule_id2` to the line that trigger the findings.
+Example:
+```java
+String password = "strong password"; // mobsf-ignore: hardcoded_password
+```
+## CI/CD Integrations
+You can enable mobsfscan in your CI/CD or DevSecOps pipelines.
+#### Github Action
+Add the following to the file `.github/workflows/mobsfscan.yml`.
+```yaml
+name: mobsfscan
+on:
+ push:
+ branches: [ master, main ]
+ pull_request:
+ branches: [ master, main ]
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: mobsfscan
+ uses: MobSF/mobsfscan@main
+ with:
+ args: '. --json'
+```
+Example: [pivaa with mobsfscan github action](https://github.com/MobSF/pivaa/actions/workflows/mobsfscan.yml)
+#### Github Code Scanning Integration
+Add the following to the file `.github/workflows/mobsfscan_sarif.yml`.
+```yaml
+name: mobsfscan sarif
+on:
+ push:
+ branches: [ master, main ]
+ pull_request:
+ branches: [ master, main ]
+jobs:
+ mobsfscan:
+ runs-on: ubuntu-latest
+ name: mobsfscan code scanning
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v2
+ - name: mobsfscan
+ uses: MobSF/mobsfscan@main
+ with:
+ args: '. --sarif --output results.sarif || true'
+ - name: Upload mobsfscan report
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: results.sarif
+```
+![mobsfscan github code scanning](https://user-images.githubusercontent.com/4301109/118427198-839be300-b681-11eb-8b79-92b916ffe3ef.png)
+#### Gitlab CI/CD
+Add the following to the file `.gitlab-ci.yml`.
+```yaml
+stages:
+ - test
+mobsfscan:
+ image: python
+ before_script:
+ - pip3 install --upgrade mobsfscan
+ script:
+ - mobsfscan .
+```
+Example:
+#### Travis CI
+Add the following to the file `.travis.yml`.
+```yaml
+language: python
+install:
+ - pip3 install --upgrade mobsfscan
+script:
+ - mobsfscan .
+```
+#### Circle CI
+Add the following to the file `.circleci/config.yaml`
+```yaml
+version: 2.1
+jobs:
+ mobsfscan:
+ docker:
+ - image: cimg/python:3.9.6
+ steps:
+ - checkout
+ - run:
+ name: Install mobsfscan
+ command: pip install --upgrade mobsfscan
+ - run:
+ name: mobsfscan check
+ command: mobsfscan .
+```
+## Docker
+### Prebuilt image from [DockerHub](https://hub.docker.com/r/opensecurity/mobsfscan)
+```bash
+docker pull opensecurity/mobsfscan
+docker run -v /path-to-source-dir:/src opensecurity/mobsfscan /src
+```
+### Build Locally
+```
+docker build -t mobsfscan .
+docker run -v /path-to-source-dir:/src mobsfscan /src
+```
+
+%prep
+%autosetup -n mobsfscan-0.2.0
+
+%build
+%py3_build
+
+%install
+%py3_install
+install -d -m755 %{buildroot}/%{_pkgdocdir}
+if [ -d doc ]; then cp -arf doc %{buildroot}/%{_pkgdocdir}; fi
+if [ -d docs ]; then cp -arf docs %{buildroot}/%{_pkgdocdir}; fi
+if [ -d example ]; then cp -arf example %{buildroot}/%{_pkgdocdir}; fi
+if [ -d examples ]; then cp -arf examples %{buildroot}/%{_pkgdocdir}; fi
+pushd %{buildroot}
+if [ -d usr/lib ]; then
+ find usr/lib -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/lib64 ]; then
+ find usr/lib64 -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/bin ]; then
+ find usr/bin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+if [ -d usr/sbin ]; then
+ find usr/sbin -type f -printf "/%h/%f\n" >> filelist.lst
+fi
+touch doclist.lst
+if [ -d usr/share/man ]; then
+ find usr/share/man -type f -printf "/%h/%f.gz\n" >> doclist.lst
+fi
+popd
+mv %{buildroot}/filelist.lst .
+mv %{buildroot}/doclist.lst .
+
+%files -n python3-mobsfscan -f filelist.lst
+%dir %{python3_sitelib}/*
+
+%files help -f doclist.lst
+%{_docdir}/*
+
+%changelog
+* Wed May 10 2023 Python_Bot <Python_Bot@openeuler.org> - 0.2.0-1
+- Package Spec generated
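Review bot: The `%description` at L39 opens mid-document — it begins with a dangling `- ignore-filenames:` list fragment and a stray closing code fence at L56 with no opening fence — so the package metadata shipped to users is a truncated README tail rather than a description of the tool; the same fragment is repeated verbatim for `%description -n python3-mobsfscan` at L168 and `%description help` at L294. A short prose description would serve better, e.g. `mobsfscan is a static analysis tool that finds insecure code patterns in Android and iOS source code (Java, Kotlin, Swift and Objective-C), with JSON and SARIF output for CI/CD integration.` in place of the pasted fragment in all three sections. Separately, `Source0` at L29 fetches the sdist from a third-party mirror rather than the canonical `https://files.pythonhosted.org/...` URL, and the only integrity anchor visible in this commit is the 32-hex digest recorded in `sources`, which appears to be MD5-length; pinning the upstream URL and recording a SHA-256 or SHA-512 digest would make tarball provenance verifiable for reviewers.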
diff --git a/sources b/sources
new file mode 100644
index 0000000..e5a82c3
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+c15f4c7fb88553d2cf6c8beac60ded73 mobsfscan-0.2.0.tar.gz