generated from nventive/Template
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(305172): add MobSF security scan on android and iOS builds for s…
…taging and prod
- Loading branch information
1 parent
cb75a04
commit abb21f3
Showing
7 changed files
with
445 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
parameters: | ||
- name: applicationEnvironment | ||
type: string | ||
default: '' | ||
- name: androidKeyStoreFile | ||
type: string | ||
default: '' | ||
- name: androidVariableGroup | ||
type: string | ||
default: '' | ||
- name: artifactName | ||
type: string | ||
default: '' | ||
- name: pathToSrc | ||
type: string | ||
default: '$(Build.SourcesDirectory)/src' | ||
- name: androidKeyPropertiesFile | ||
type: string | ||
default: '' | ||
- name: projectName | ||
type: string | ||
default: '$(ProjectName)' | ||
- name: firebaseJsonFile | ||
type: string | ||
- name: firebaseOptionsDartFile | ||
type: string | ||
- name: googleServicesJsonFile | ||
type: string | ||
- name: enableSecurityScan | ||
type: boolean | ||
default: false | ||
|
||
jobs: | ||
- job: OnLinux_Android_SecurityScan | ||
condition: eq(${{parameters.enableSecurityScan}}, true) | ||
dependsOn: [] | ||
pool: | ||
vmImage: $(ubuntuHostedAgentImage) | ||
steps: | ||
- template: templates/mobsf-android-scan.yml | ||
parameters: | ||
mobSfApiKey: '8181' | ||
artifactName: '$(AndroidArtifactName)_${{ parameters.applicationEnvironment }}' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
parameters: | ||
- name: applicationEnvironment | ||
type: string | ||
default: '' | ||
- name: artifactName | ||
type: string | ||
default: '' | ||
- name: pathToSrc | ||
type: string | ||
default: '$(Build.SourcesDirectory)/src' | ||
- name: iosCertificateFile | ||
type: string | ||
default: '' | ||
- name: iosProvisioningProfileFile | ||
type: string | ||
default: '' | ||
- name: iosExportOptionsFile | ||
type: string | ||
default: '' | ||
- name: iosCertificatePassword | ||
type: string | ||
default: '' | ||
- name: iosVariableGroup | ||
type: string | ||
default: '' | ||
- name: projectName | ||
type: string | ||
default: '$(ProjectName)' | ||
- name: firebaseJsonFile | ||
type: string | ||
- name: firebaseOptionsDartFile | ||
type: string | ||
- name: googleServicesJsonFile | ||
type: string | ||
- name: enableSecurityScan | ||
type: boolean | ||
default: false | ||
|
||
jobs: | ||
- job: OnLinux_iOS_SecurityScan | ||
condition: eq(${{parameters.enableSecurityScan}}, true) | ||
dependsOn: [] | ||
pool: | ||
vmImage: $(ubuntuHostedAgentImage) | ||
steps: | ||
- template: templates/mobsf-ios-scan.yml | ||
parameters: | ||
mobSfApiKey: '8181' | ||
artifactName: '$(iOSArtifactName)_${{ parameters.applicationEnvironment }}' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,143 @@ | ||
parameters: | ||
- name: mobSfApiKey | ||
type: string | ||
default: '8181' | ||
- name: artifactName | ||
type: string | ||
default: '' | ||
|
||
steps: | ||
- task: DownloadPipelineArtifact@1 | ||
inputs: | ||
buildType: 'current' | ||
downloadType: 'single' | ||
artifactName: "${{parameters.artifactName}}" | ||
downloadPath: '$(System.ArtifactsDirectory)' | ||
condition: succeeded() | ||
|
||
- task: DockerInstaller@0 | ||
displayName: 'Install Docker' | ||
inputs: | ||
dockerVersion: $(DockerVersion) | ||
condition: succeeded() | ||
|
||
- script: docker pull opensecurity/mobile-security-framework-mobsf:latest | ||
displayName: 'Pull MobSF Docker Image' | ||
condition: succeeded() | ||
|
||
- script: docker run -d -it --rm -e MOBSF_API_KEY='${{parameters.mobSfApiKey}}' -e DATA_UPLOAD_MAX_MEMORY_SIZE=209715200 -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest | ||
displayName: 'Run MobSF Docker Image' | ||
condition: succeeded() | ||
|
||
- script: ls -R "$(System.ArtifactsDirectory)" | ||
displayName: 'List Downloaded Artifacts' | ||
|
||
- task: PowerShell@2 | ||
displayName: 'Upload Android file to MobSF' | ||
inputs: | ||
targetType: 'inline' | ||
script: | | ||
$FILENAME = Get-ChildItem -Path "$(System.ArtifactsDirectory)/" -File | Select-Object -First 1 -ExpandProperty Name | ||
Write-Host "Filename: $FILENAME" | ||
$file = "$(System.ArtifactsDirectory)/$FILENAME" | ||
Write-Host "Uploading file $file to MobSF..." | ||
# Check if the server is up and running | ||
$serverIsRunning = $false | ||
$retryCount = 0 | ||
while (-not $serverIsRunning -and $retryCount -lt 10) { | ||
$response = curl --url http://127.0.0.1:8000/api/v1/scans -H "Authorization: ${{parameters.mobSfApiKey}}" | ||
if ($response.StatusCode -eq 200) { | ||
Write-Host "MobSF server is up and running" | ||
$serverIsRunning = $true | ||
} else { | ||
Write-Host "Waiting for the MobSF server to start..." | ||
$retryCount++ | ||
Start-Sleep -Seconds 5 | ||
} | ||
} | ||
$uploadResponse = curl -X POST -F "file=@$file;type=application/octet-stream" http://127.0.0.1:8000/api/v1/upload -H "Authorization: ${{parameters.mobSfApiKey}}" | ||
$uploadResponseJson = $uploadResponse | ConvertFrom-Json | ||
$hash = $uploadResponseJson.hash | ||
echo "##vso[task.setvariable variable=fileHash]$hash" | ||
Write-Host "Uploaded file hash: $hash" | ||
Write-Host "Android file uploaded to MobSF" | ||
condition: succeeded() | ||
|
||
- task: PowerShell@2 | ||
displayName: 'Run MobSF Scan' | ||
inputs: | ||
targetType: 'inline' | ||
script: | | ||
Write-Host "MobSF Scan started" | ||
$hash = "$(fileHash)" | ||
$scanUrl = "http://127.0.0.1:8000/api/v1/scan" | ||
Write-Host "Scanning Uploaded file hash: $hash" | ||
$headers = @{ | ||
"Authorization" = ${{parameters.mobSfApiKey}} | ||
} | ||
$scanBody = @{ | ||
"scan_type" = "$(aabFileExtension)" | ||
"hash" = $hash # use the hash from the upload response | ||
} | ||
$response = Invoke-RestMethod -Uri $scanUrl -Method Post -Headers $headers -Body $scanBody | ||
Write-Host "Scan completed" | ||
condition: succeeded() | ||
|
||
- task: PowerShell@2 | ||
displayName: 'Download MobSF PDF report' | ||
inputs: | ||
targetType: 'inline' | ||
script: | | ||
Write-Host "Downloading MobSF PDF report..." | ||
$hash = "$(fileHash)" | ||
Write-Host "File hash: $hash" | ||
$reportUrl = "http://127.0.0.1:8000/api/v1/download_pdf" | ||
$headers = @{ | ||
"Authorization" = "${{parameters.mobSfApiKey}}" | ||
} | ||
$reportBody = @{ | ||
"hash" = $hash # use the hash from the upload response | ||
} | ||
$directoryPath = "${{parameters.artifactName}}/Android" | ||
if (!(Test-Path -Path $directoryPath)) { | ||
New-Item -ItemType Directory -Path $directoryPath | Out-Null | ||
} | ||
$pdfFilePath = "$directoryPath/report.pdf" | ||
Invoke-WebRequest -Uri $reportUrl -Method Post -Headers $headers -Body $reportBody -OutFile $pdfFilePath | ||
Write-Host "PDF report downloaded to $pdfFilePath" | ||
condition: succeeded() | ||
|
||
- task: PowerShell@2 | ||
displayName: 'Download MobSF Json report' | ||
inputs: | ||
targetType: 'inline' | ||
script: | | ||
Write-Host "Downloading MobSF Json report..." | ||
$hash = "$(fileHash)" | ||
Write-Host "File hash: $hash" | ||
$reportUrl = "http://127.0.0.1:8000/api/v1/report_json" | ||
$headers = @{ | ||
"Authorization" = "${{parameters.mobSfApiKey}}" | ||
} | ||
$reportBody = @{ | ||
"hash" = $hash # use the hash from the upload response | ||
} | ||
$reportResponse = Invoke-RestMethod -Uri $reportUrl -Method Post -Headers $headers -Body $reportBody | ||
Write-Host "Response: $reportResponse" | ||
$jsonFilePath = "${{parameters.artifactName}}/Android/Report.json" | ||
$reportResponse | ConvertTo-Json | Out-File -FilePath $jsonFilePath | ||
Write-Host "JSON report downloaded to $jsonFilePath" | ||
condition: succeeded() | ||
|
||
- task: PublishBuildArtifacts@1 | ||
displayName: 'Publish Artifact' | ||
inputs: | ||
PathtoPublish: '${{parameters.artifactName}}/Android' | ||
ArtifactName: ${{parameters.artifactName}}_Security_Reports | ||
publishLocation: 'Container' | ||
|
||
- task: PostBuildCleanup@3 | ||
displayName: 'Post-Build Cleanup: Cleanup files to keep build server clean!' | ||
condition: always() |
Oops, something went wrong.