Merge branch 'allow_binary_upload_to_mobsf' into 'master'

Allow the users to provide binaries to MobSF

See merge request gitlab-org/gitlab!61814

ee/changelogs/unreleased/allow_binary_upload_to_mobsf.yml

+---
+title: Allow the users to upload binaries to MobSF
+merge_request: 61814
+author:
+type: added

ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb

@@ -47,12 +47,20 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
 
       context 'by default' do
         describe 'language detection' do
+          sast_experimental_features = { 'SAST_EXPERIMENTAL_FEATURES' => 'true' }
+          android = 'Android'
+          ios = 'iOS'
+          mobsf_android_build = %w(mobsf-android-sast)
+          mobsf_ios_build = %w(mobsf-ios-sast)
+
           using RSpec::Parameterized::TableSyntax
 
           where(:case_name, :files, :variables, :include_build_names) do
-            'Android'              | { 'AndroidManifest.xml' => '', 'a.java' => '' } | { 'SAST_EXPERIMENTAL_FEATURES' => 'true' } | %w(mobsf-android-sast)
-            'Android'              | { 'app/src/main/AndroidManifest.xml' => '' }    | { 'SAST_EXPERIMENTAL_FEATURES' => 'true' } | %w(mobsf-android-sast)
-            'Android'              | { 'a/b/AndroidManifest.xml' => '' }             | { 'SAST_EXPERIMENTAL_FEATURES' => 'true' } | %w(mobsf-android-sast)
+            android                | { 'AndroidManifest.xml' => '', 'a.java' => '' } | sast_experimental_features                 | mobsf_android_build
+            android                | { 'app/src/main/AndroidManifest.xml' => '' }    | sast_experimental_features                 | mobsf_android_build
+            android                | { 'a/b/AndroidManifest.xml' => '' }             | sast_experimental_features                 | mobsf_android_build
+            android                | { 'a/b/android.apk' => '' }                     | sast_experimental_features                 | mobsf_android_build
+            android                | { 'android.apk' => '' }                         | sast_experimental_features                 | mobsf_android_build
             'Apex'                 | { 'app.cls' => '' }                             | {}                                         | %w(pmd-apex-sast)
             'C'                    | { 'app.c' => '' }                               | {}                                         | %w(flawfinder-sast)
             'C++'                  | { 'app.cpp' => '' }                             | {}                                         | %w(flawfinder-sast)
@@ -60,9 +68,10 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
             'Elixir'               | { 'mix.exs' => '' }                             | {}                                         | %w(sobelow-sast)
             'Golang'               | { 'main.go' => '' }                             | {}                                         | %w(gosec-sast)
             'Groovy'               | { 'app.groovy' => '' }                          | {}                                         | %w(spotbugs-sast)
-            'iOS'                  | { 'a.xcodeproj/x.pbxproj' => '' }               | { 'SAST_EXPERIMENTAL_FEATURES' => 'true' } | %w(mobsf-ios-sast)
+            ios                    | { 'a.xcodeproj/x.pbxproj' => '' }               | sast_experimental_features                 | mobsf_ios_build
+            ios                    | { 'a/b/ios.ipa' => '' }                         | sast_experimental_features                 | mobsf_ios_build
             'Java'                 | { 'app.java' => '' }                            | {}                                         | %w(spotbugs-sast)
-            'Java with MobSF'      | { 'app.java' => '' }                            | { 'SAST_EXPERIMENTAL_FEATURES' => 'true' } | %w(spotbugs-sast)
+            'Java with MobSF'      | { 'app.java' => '' }                            | sast_experimental_features                 | %w(spotbugs-sast)
             'Java without MobSF'   | { 'AndroidManifest.xml' => '', 'a.java' => '' } | {}                                         | %w(spotbugs-sast)
             'Javascript'           | { 'app.js' => '' }                              | {}                                         | %w(eslint-sast semgrep-sast)
             'JSX'                  | { 'app.jsx' => '' }                             | {}                                         | %w(eslint-sast semgrep-sast)

lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml

@@ -155,7 +155,7 @@ gosec-sast:
       exists:
         - '**/*.go'
 
-mobsf-android-sast:
+.mobsf-sast:
   extends: .sast-analyzer
   image:
     name: "$SAST_ANALYZER_IMAGE"
@@ -164,6 +164,9 @@ mobsf-android-sast:
     # override the analyzer image with a custom value. This may be subject to change or
     # breakage across GitLab releases.
     SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
+
+mobsf-android-sast:
+  extends: .mobsf-sast
   rules:
     - if: $SAST_DISABLED
       when: never
@@ -173,17 +176,11 @@ mobsf-android-sast:
           $SAST_DEFAULT_ANALYZERS =~ /mobsf/ &&
           $SAST_EXPERIMENTAL_FEATURES == 'true'
       exists:
+        - '**/*.apk'
         - '**/AndroidManifest.xml'
 
 mobsf-ios-sast:
-  extends: .sast-analyzer
-  image:
-    name: "$SAST_ANALYZER_IMAGE"
-  variables:
-    # SAST_ANALYZER_IMAGE is an undocumented variable used internally to allow QA to
-    # override the analyzer image with a custom value. This may be subject to change or
-    # breakage across GitLab releases.
-    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/mobsf:$SAST_ANALYZER_IMAGE_TAG"
+  extends: .mobsf-sast
   rules:
     - if: $SAST_DISABLED
       when: never
@@ -193,6 +190,7 @@ mobsf-ios-sast:
           $SAST_DEFAULT_ANALYZERS =~ /mobsf/ &&
           $SAST_EXPERIMENTAL_FEATURES == 'true'
       exists:
+        - '**/*.ipa'
         - '**/*.xcodeproj/*'
 
 nodejs-scan-sast: