
Fix zip directory structure for Android Studio projects

James Liu requested to merge jliu-fix-zip-path into master

What does this MR do?

Fixes the directory structure created to scan Android Studio projects. Previously, when we encountered an Android Studio project, we would zip the entrypoint of this project **along with all parent directories up to CI_PROJECT_DIR** (the repo's root directory). This caused an incorrect directory structure to be zipped and uploaded to MobSF.

Let's take this failed job on master as an example. This is the standard MobSF SAST job being executed against the mobsf repository itself.

  1. At some point during execution, it detected an Android Studio project in the qa/fixtures folder (because we have examples there used for testing).
  2. The entrypoint of the Android Studio project was determined to be qa/fixtures/java-android/app (https://gitlab.com/gitlab-org/security-products/analyzers/mobsf/-/tree/master/qa/fixtures/java-android/app). Because the base name of this path is app, this is treated as a standard Android Studio project (because by convention, Android Studio creates a folder named app when you generate a new Android project).
  3. The entire path (starting at qa/fixtures/...) was zipped and sent to MobSF.
  4. MobSF errored with an invalid ZIP error because it doesn't know what the heck qa/fixtures/java-android means. It must be given an archive that begins at the app directory.

Below is the output of tree showing what was incorrectly uploaded to MobSF:

.
└── qa
    └── fixtures
        └── java-android
            ├── app
            │   └── src
            │       ├── androidTest
            │       │   └── java
            │       │       └── opensecurity
            │       │           └── webviewignoressl
            │       │               └── ApplicationTest.java
            │       └── main
            │           ├── AndroidManifest.xml
            │           ├── java
            │           │   └── opensecurity
            │           │       └── webviewignoressl
            │           │           └── MainActivity.java
            │           └── res
            │               ├── layout
            │               │   └── activity_main.xml
            │               ├── menu
            │               │   └── menu_main.xml
            │               ├── values
            │               │   ├── dimens.xml
            │               │   ├── strings.xml
            │               │   └── styles.xml
            │               └── values-w820dp
            │                   └── dimens.xml
            ├── build
            │   └── intermediates
            │       └── dex-cache
            │           └── cache.xml
            ├── gradle
            │   └── wrapper
            │       ├── gradle-wrapper.jar
            │       └── gradle-wrapper.properties
            ├── gradle.properties
            └── local.properties

24 directories, 15 files

This MR fixes the issue by treating standard Android Studio projects in the same way as non-standard projects as far as zipping is concerned. For both cases, we copy the app folder (or whatever it might be called in the case of a non-standard project) into a temporary dir, rename it if necessary, and zip up only the temporary dir before sending it to MobSF.

I've added a new java-android-nested integration test which validates the change is working correctly. I've also added some missing integration tests.

What are the relevant issue numbers?

Does this MR meet the acceptance criteria?

Edited by Lucas Charles
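To make the layout difference concrete, here is an added Go example (editor's illustration, not the analyzer's code) that builds a constructed one-file Android module under a temporary directory, zips it the pre-fix way (archive prefix = the module's path relative to the repo root) and the fixed way (archive prefix = app), and runs the pre-upload check that every entry sits under app/. It rewrites entry names in memory rather than copying the module into a temporary directory and renaming it, which gives the same archive layout the MR describes. The function names, the fixture path and the manifest contents are assumptions for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// zipTree writes every regular file below root into an in-memory zip, naming each
// entry prefix + "/" + its path relative to root (forward slashes, as zip expects).
func zipTree(root, prefix string) ([]byte, error) {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err // propagate walk errors; directories get no entry of their own
		}
		rel, _ := filepath.Rel(root, path) // path is always below root, cannot fail
		w, err := zw.Create(prefix + "/" + filepath.ToSlash(rel))
		if err != nil {
			return err
		}
		body, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		_, err = w.Write(body)
		return err
	})
	if err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// ZipFromRepoRoot reproduces the pre-fix layout: the module's path relative to the
// repository root (CI_PROJECT_DIR) becomes the archive prefix, so a nested module
// is uploaded as "qa/fixtures/java-android/app/...", which MobSF rejects.
func ZipFromRepoRoot(repoRoot, entrypoint string) ([]byte, error) {
	rel, err := filepath.Rel(repoRoot, entrypoint)
	if err != nil {
		return nil, err
	}
	return zipTree(entrypoint, filepath.ToSlash(rel))
}

// ZipAndroidProject is the fixed layout: only the module directory is archived and
// it is always rooted at "app/", so a non-standard module name is renamed in the archive.
func ZipAndroidProject(entrypoint string) ([]byte, error) {
	return zipTree(entrypoint, "app")
}

// ZipEntryNames returns the entry names of a zip archive in archive order.
func ZipEntryNames(data []byte) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var names []string
	for _, f := range zr.File {
		names = append(names, f.Name)
	}
	return names, nil
}

// ArchiveStartsAtApp is the pre-upload check: every entry must sit under "app/".
func ArchiveStartsAtApp(names []string) bool {
	for _, n := range names {
		if !strings.HasPrefix(n, "app/") {
			return false
		}
	}
	return len(names) > 0
}

// WriteFixture creates a constructed one-file module at base/relModule (assumed layout).
func WriteFixture(base, relModule string) (string, error) {
	entrypoint := filepath.Join(base, filepath.FromSlash(relModule))
	manifest := filepath.Join(entrypoint, "src", "main", "AndroidManifest.xml")
	if err := os.MkdirAll(filepath.Dir(manifest), 0o755); err != nil {
		return "", err
	}
	return entrypoint, os.WriteFile(manifest, []byte("<manifest package=\"example.fixture\"/>\n"), 0o644)
}

func main() {
	base, _ := os.MkdirTemp("", "mobsf-zip-example")
	defer os.RemoveAll(base)
	entrypoint, _ := WriteFixture(base, "qa/fixtures/java-android/app")
	before, _ := ZipFromRepoRoot(base, entrypoint)
	after, _ := ZipAndroidProject(entrypoint)
	for label, data := range map[string][]byte{"before fix": before, "after fix": after} {
		names, _ := ZipEntryNames(data)
		fmt.Println(label, "rooted at app/?", ArchiveStartsAtApp(names), names)
	}
}
```

go run prints the entry list of both archives; only the second passes the app/ check, and the same check holds when the module directory is named something other than app, because the rename happens in the archive rather than on disk.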
