Add mobsfscan into the build (appmattus#127)

Author: mattmook

.github/workflows/autorelease.yml

@@ -19,16 +19,16 @@ jobs:
 
             -   name: 'Get last tag'
                 id: lasttag
-                uses: "WyriHaximus/github-action-get-previous-tag@v1"
+                uses: WyriHaximus/github-action-get-previous-tag@04e8485ecb6487243907e330d522ff60f02283ce # v1.4.0
 
             -   name: 'Get next version'
                 id: semvers
-                uses: "WyriHaximus/github-action-next-semvers@v1"
+                uses: WyriHaximus/github-action-next-semvers@18aa9ed4152808ab99b88d71f5481e41f8d89930 # v1.2.1
                 with:
                     version: ${{ steps.lasttag.outputs.tag }}
 
             -   name: 'Create tag and release'
-                uses: ncipollo/release-action@v1
+                uses: ncipollo/release-action@cdcc88a9acf3ca41c16c37bb7d21b9ad48560d87 # v1.15.0
                 with:
                     tag: ${{ steps.semvers.outputs.patch }}
                     commit: "main"

.github/workflows/loglist.yml

@@ -26,7 +26,7 @@ jobs:
                 run: ./gradlew updateLogList
 
             -   name: Push log list
-                uses: stefanzweifel/git-auto-commit-action@v4
+                uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
                 with:
                     commit_message: Auto update log_list.json and log_list.sig
                     file_pattern: 'certificatetransparency/src/main/resources/*'

.github/workflows/main.yml

@@ -20,7 +20,29 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             -   uses: actions/checkout@v4
-            -   uses: gradle/wrapper-validation-action@v1
+            -   uses: gradle/actions/wrapper-validation@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
+
+    mobsfscan:
+        needs: [validation]
+        name: "MobSF Code Scanning"
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v4
+            - uses: actions/[email protected]
+              with:
+                  python-version: '3.12'
+            - name: mobsfscan
+              uses: MobSF/mobsfscan@main
+              with:
+                  args: '. --sarif --output mobsfscan.sarif || true'
+            - name: Upload mobsfscan report
+              uses: github/codeql-action/upload-sarif@v3
+              with:
+                  sarif_file: mobsfscan.sarif
+            - uses: actions/upload-artifact@v4
+              with:
+                  name: mobsfscan.sarif
+                  path: mobsfscan.sarif
 
     snyk:
         needs: [ validation ]
@@ -126,7 +148,7 @@ jobs:
                     retention-days: 1
 
     build:
-        needs: [ snyk, codeql-java-kotlin, codeql-actions ]
+        needs: [ snyk, codeql-java-kotlin, codeql-actions, mobsfscan ]
         runs-on: ubuntu-latest
 
         steps:
@@ -149,7 +171,7 @@ jobs:
                     path: '**/build/reports/**'
 
             -   name: Upload coverage to Codecov
-                uses: codecov/codecov-action@v3
+                uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
                 with:
                     token: ${{secrets.CODECOV_TOKEN}}
 

.mobsf

@@ -0,0 +1,17 @@
+---
+- ignore-paths:
+  # Ignore files in the sample app
+  - sampleapp
+
+  ignore-rules:
+  # Sample app only so rule not relevant
+  - android_tapjacking
+
+  # Sample app only so rule not relevant
+  - android_safetynet
+
+  # Sample app only so rule not relevant
+  - android_prevent_screenshot
+
+  # Sample app only so rule not relevant
+  - android_root_detection

README.md

@@ -26,7 +26,7 @@ We are open about the security of our library and provide a threat model in the
 we have missed please reach out so we can keep this up to date.
 
 The source code and dependencies are continuously scanned with
-[Snyk](https://snyk.io).
+[Snyk](https://snyk.io), [CodeQL](https://codeql.github.com) and [mobsfscan](https://github.com/MobSF/mobsfscan).
 
 ## Getting started
 
@@ -70,6 +70,9 @@ class SampleApplication : Application() {
 
         installCertificateTransparencyProvider {
             // Setup a logger
+            // NOTE: The logger outputs the host name and certificate
+            // transparency results which could be considered sensitive data.
+            // Please ensure you review your usage.
             logger = BasicAndroidCTLogger(BuildConfig.DEBUG)
 
             // Setup disk cache

certificatetransparency-android/src/main/kotlin/com/appmattus/certificaterevocation/BasicAndroidCRLogger.kt

@@ -22,10 +22,16 @@ package com.appmattus.certificaterevocation
 
 import android.util.Log
 
+/**
+ * Basic logger which outputs the host name and certificate revocation results.
+ *
+ * **NOTE:** This data could be considered sensitive data. Please ensure you review your usage.
+ */
 public class BasicAndroidCRLogger(private val isDebugMode: Boolean) : CRLogger {
     override fun log(host: String, result: RevocationResult) {
         if (isDebugMode) {
-            Log.i("CertificateRevocation", "$host $result")
+            // Suppressing MobSF warning as note added to documentation
+            Log.i("CertificateRevocation", "$host $result") // mobsf-ignore: android_kotlin_logging
         }
     }
 }

certificatetransparency-android/src/main/kotlin/com/appmattus/certificatetransparency/BasicAndroidCTLogger.kt

@@ -22,10 +22,16 @@ package com.appmattus.certificatetransparency
 
 import android.util.Log
 
+/**
+ * Basic logger which outputs the host name and certificate transparency results.
+ *
+ * **NOTE:** This data could be considered sensitive data. Please ensure you review your usage.
+ */
 public class BasicAndroidCTLogger(private val isDebugMode: Boolean) : CTLogger {
     override fun log(host: String, result: VerificationResult) {
         if (isDebugMode) {
-            Log.i("CertificateTransparency", "$host $result")
+            // Suppressing MobSF warning as note added to documentation
+            Log.i("CertificateTransparency", "$host $result") // mobsf-ignore: android_kotlin_logging
         }
     }
 }

certificatetransparency/src/main/kotlin/com/appmattus/certificatetransparency/internal/utils/Base64.kt

@@ -1,5 +1,5 @@
 /*
- * Copyright 2023 Appmattus Limited
+ * Copyright 2023-2025 Appmattus Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

certificatetransparency/src/test/kotlin/com/appmattus/certificatetransparency/internal/loglist/model/v3/LogListV3Test.kt

@@ -52,6 +52,7 @@ internal class LogListV3Test {
 
         val nimbusLog = cloudflare.logs.first { it.description == "Cloudflare 'Nimbus2022' Log" }
         assertEquals(86400, nimbusLog.maximumMergeDelay)
-        assertEquals(Instant.ofEpochMilli(1572549720000), nimbusLog.state?.timestamp)
+        // Suppressing MobSF warning as false positive, no logging occurs here
+        assertEquals(Instant.ofEpochMilli(1572549720000), nimbusLog.state?.timestamp) // mobsf-ignore: android_kotlin_logging
     }
 }

sampleapp/src/main/java/com/appmattus/certificatetransparency/sampleapp/item/CodeViewItem.kt

@@ -44,5 +44,5 @@ fun CodeViewItem(language: Language, sourceCode: String?, modifier: Modifier = M
 @Preview
 @Composable
 fun PreviewCodeViewItem() {
-    CodeViewItem(language = Language.JAVA, sourceCode = "fun main() {\n    System.out.println(\"Hello world!\");\n}")
+    CodeViewItem(language = Language.JAVA, sourceCode = "fun main() {\n    helloWorld();\n}")
 }