Fix zip directory structure for Android Studio projects
What does this MR do?
Fixes the directory structure created to scan Android Studio projects. Previously, when we encountered an Android Studio project, we would zip the entrypoint of this project **along with all parent directories up to `CI_PROJECT_DIR`** (the repo's root directory). This caused an incorrect directory structure to be zipped and uploaded to MobSF.
Let's take this failed job on master as an example. This is the standard MobSF SAST job being executed against the mobsf repository itself.
- At some point during execution, it detected an Android Studio project in the `qa/fixtures` folder (because we have examples there used for testing).
- The entrypoint of the Android Studio project was determined to be `qa/fixtures/java-android/app` (https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/-/tree/master/qa/fixtures/java-android/app). Because the base name of this path is `app`, this is treated as a standard Android Studio project (because by convention, Android Studio creates a folder named `app` when you generate a new Android project).
- The entire path (starting at `qa/fixtures/...`) was zipped and sent to MobSF.
- MobSF errored with an invalid ZIP error because it doesn't know what the heck `qa/fixtures/java-android` means. It must be given an archive that begins at the `app` directory.
Below is the output of `tree` showing what was incorrectly uploaded to MobSF:

```
.
└── qa
    └── fixtures
        └── java-android
            ├── app
            │   └── src
            │       ├── androidTest
            │       │   └── java
            │       │       └── opensecurity
            │       │           └── webviewignoressl
            │       │               └── ApplicationTest.java
            │       └── main
            │           ├── AndroidManifest.xml
            │           ├── java
            │           │   └── opensecurity
            │           │       └── webviewignoressl
            │           │           └── MainActivity.java
            │           └── res
            │               ├── layout
            │               │   └── activity_main.xml
            │               ├── menu
            │               │   └── menu_main.xml
            │               ├── values
            │               │   ├── dimens.xml
            │               │   ├── strings.xml
            │               │   └── styles.xml
            │               └── values-w820dp
            │                   └── dimens.xml
            ├── build
            │   └── intermediates
            │       └── dex-cache
            │           └── cache.xml
            ├── gradle
            │   └── wrapper
            │       ├── gradle-wrapper.jar
            │       └── gradle-wrapper.properties
            ├── gradle.properties
            └── local.properties

24 directories, 15 files
```
This MR fixes the issue by treating standard Android Studio projects in the same way as non-standard projects as far as zipping is concerned. For both cases, we copy the `app` folder (or whatever it might be called in the case of a non-standard project) into a temporary dir, rename it if necessary, and zip up only the temporary dir before sending it to MobSF.
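To make the target layout concrete, here is an added Go example (my illustration, not the analyzer's code) that produces the archive shape the fix is after: every entry is written relative to the entrypoint under a fixed `app/` root, so `qa/`, `fixtures/` and `java-android/` never reach MobSF, and a non-standard project directory effectively arrives renamed to `app`. It rewrites entry names while zipping in memory rather than copying into a temporary directory, which is a different mechanism from the one described above with the same result. `ZipProjectRoot`, `EntryNames` and `RootedAtApp` are hypothetical names, the fixture built in `main` is constructed, and the rename-to-`app` behaviour for non-standard projects is an assumption.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ZipProjectRoot (hypothetical name) packs the directory at entrypoint into a zip
// whose entries all start with "app/", however deep the entrypoint sits below
// CI_PROJECT_DIR. Nothing above the entrypoint is written, and a non-standard
// directory name is replaced by "app" (assumed to be the rename the MR describes).
func ZipProjectRoot(entrypoint string) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	err := filepath.Walk(entrypoint, func(path string, fi os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		rel, err := filepath.Rel(entrypoint, path)
		if err != nil {
			return err
		}
		if rel == "." {
			return nil // the entrypoint itself becomes the "app/" root
		}
		if !fi.Mode().IsRegular() {
			// Skip directories (their files carry the path), symlinks and special
			// files: opening a link could pull content from outside the entrypoint.
			return nil
		}
		name := "app/" + filepath.ToSlash(rel) // zip entry names use forward slashes
		w, err := zw.Create(name)
		if err != nil {
			return err
		}
		f, err := os.Open(path)
		if err != nil {
			return err
		}
		defer f.Close()
		_, err = io.Copy(w, f)
		return err
	})
	if err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// EntryNames returns the archive's entry names in order.
func EntryNames(archive []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil {
		return nil, err
	}
	var names []string
	for _, f := range zr.File {
		names = append(names, f.Name)
	}
	return names, nil
}

// RootedAtApp is the pre-upload check: a non-empty archive with every entry under "app/".
func RootedAtApp(names []string) bool {
	for _, n := range names {
		if !strings.HasPrefix(n, "app/") {
			return false
		}
	}
	return len(names) > 0
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// Constructed fixture mirroring the nested layout from the failed job.
	repo, err := os.MkdirTemp("", "ci-project-dir-")
	must(err)
	defer os.RemoveAll(repo)
	entry := filepath.Join(repo, "qa", "fixtures", "java-android", "app")
	manifest := filepath.Join(entry, "src", "main", "AndroidManifest.xml")
	must(os.MkdirAll(filepath.Dir(manifest), 0o755))
	must(os.WriteFile(manifest, []byte("<manifest/>"), 0o644))
	archive, err := ZipProjectRoot(entry)
	must(err)
	names, err := EntryNames(archive)
	must(err)
	fmt.Println(names, RootedAtApp(names))
}
```

`RootedAtApp` is the kind of check worth running before the upload: it would have rejected the `qa/fixtures/...` archive from the failed job outright instead of letting MobSF report an invalid ZIP. `filepath.Walk` does not follow symlinks, and the example also refuses to open anything that is not a regular file, so a link planted inside a project cannot pull files from elsewhere on the runner into the upload.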
I've added a new `java-android-nested` integration test which validates the change is working correctly. I've also added some missing integration tests.
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests updated/added for this feature/bug
- Job definition updated, if necessary
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer