Merge pull request #81 from mpast/main

Update dev branch

.dockerignore

@@ -1,13 +1,11 @@
 # Ignore the logs
 app/logs/
-rabbitmq/logs/
+# Ignore rabbitmq and nginx
+rabbitmq
+nginx
 
 # Ignore apk directory
 app/media/apk
 
 # Ignoring git folders
-.git
-
-# Ignore certificates
-nginx/ssl/nginx.crt
-nginx/ssl/nginx.key
+.git

.github/workflows/semgrep.yml

@@ -1,41 +1,34 @@
 name: Semgrep
 
 on:
-  # Scan changed files in PRs, block on new issues only (existing issues ignored)
-  pull_request: {}
-
-  # Scan all files on branches, block on any issues
-  #push:
-  #    branches: ["master", "main"]
+  pull_request_target: {}
+  push:
+    branches: ["main"]
+  # Schedule the CI job (this method uses cron syntax):
+  schedule:
+    - cron: '0 0 1 * *' # Sets Semgrep to scan every month
 
 jobs:
   semgrep:
     name: Scan
     runs-on: ubuntu-latest
-    # Skip any PR created by dependabot to avoid permission issues
-    if: (github.actor != 'dependabot[bot]')
-    steps:
-      # Fetch project source
-      - uses: actions/checkout@v2
 
-      - uses: returntocorp/semgrep-action@v1
-        with:
-            publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
-        # Never fail the build due to findings on pushes.
-        # Instead, just collect findings for semgrep.dev/manage/findings
-            auditOn: push
+    container:
+      image: returntocorp/semgrep
 
-        # Upload findings to GitHub Advanced Security Dashboard [step 1/2]
-        # See also the next step.
-            generateSarif: "1"
-
-        # Change job timeout (default is 1800 seconds; set to 0 to disable)
-        # env:
-        #   SEMGREP_TIMEOUT: 300
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
 
-      # Upload findings to GitHub Advanced Security Dashboard [step 2/2]
+    steps:
+      # Fetch project source with GitHub Actions Checkout.
+      - uses: actions/checkout@v3
+      # Run the "semgrep ci" command on the command line of the docker image.
+      - run: semgrep ci --sarif --output=semgrep.sarif
+        env:
+          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+      # Upload the results to Github Advanced Security
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: semgrep.sarif
         if: always()

.gitignore

@@ -1,7 +1,9 @@
 *.DS_Store
 .env
+.vscode
 app/logs/*
 rabbitmq/logs/*
+nginx/logs/*
 app/media/*
 *.sqlite3
 *.sqlite

Dockerfile

@@ -1,18 +1,19 @@
-FROM python:3.9.7-buster@sha256:79a631c93960c5919f27f3403e734ec19b130008370a5f902141bcff2e6d6f4c
+FROM python:3.9.16-buster@sha256:5e28891402c02291f65c6652a8abddedcb5af15933e923c07c2670f836243833
+
 # Update and package installation
 RUN apt-get update && \
 	apt-get clean && \
 	apt-get install -y ca-certificates-java --no-install-recommends && \
 	apt-get clean
 
 RUN apt-get update && \
-	apt-get install -y openjdk-11-jdk p11-kit wkhtmltopdf && \
+	apt-get install -y openjdk-11-jdk p11-kit wkhtmltopdf libqt5gui5 && \
 	apt-get install -y  && \
 	apt-get clean && \
 	update-ca-certificates -f
 
 # Get JADX Tool
-ENV JADX_VERSION 1.2.0
+ENV JADX_VERSION 1.4.5
 
 RUN \
     wget "https://github.com/skylot/jadx/releases/download/v$JADX_VERSION/jadx-$JADX_VERSION.zip" && \

README.md

@@ -4,12 +4,16 @@
 
 **MobileAudit** - SAST and Malware Analysis for Android Mobile APKs
 
+- [Mobile Audit](#mobile-audit)
   - [Components](#components)
   - [Docker Base images](#docker-base-images)
   - [Main features](#main-features)
   - [Patterns](#patterns)
-  - [Integrations](#integrations)
-  - [Install](#install)
+  - [Models](#models)
+    - [Virus Total (API v3)](#virus-total-api-v3)
+    - [Defect Dojo (API v2)](#defect-dojo-api-v2)
+    - [MalwareDB \& Maltrail](#malwaredb--maltrail)
+  - [Installation](#installation)
   - [API v1](#api-v1)
     - [Usage](#usage)
     - [Swagger](#swagger)
@@ -49,22 +53,22 @@ For easy access there is a sidebar on the left page of the scan:
 
 ![Schema](app/static/architecture.png)
 
-- **db**: PostgreSQL 13.2
-- **nginx**: Nginx 1.19.10
-- **rabbitmq**: RabbitMQ 3.8.14
-- **worker**: Celery 5.0.5
-- **web**: Mobile Audit App
+- **db**: PostgreSQL 3.11.5
+- **nginx**: Nginx 1.23.3
+- **rabbitmq**: RabbitMQ 3.11.5
+- **worker**: Celery 5.2.2
+- **web**: Mobile Audit App (Django 3.2.16)
 
 ### Docker Base images
 
 Image is based on python buster. Link to [Docker Hub image](https://hub.docker.com/repository/docker/mpast/mobile_audit)
 
 | Image |  Tags | Base |
-|--------------------|-------|---------------------|
-| mpast/mobile_audit | 1.3.8 | python:3.9.4-buster |
-| mpast/mobile_audit | 1.3.6 | python:3.9.2-buster |
-| mpast/mobile_audit | 1.3.0 | python:3.9.1-buster |
-| mpast/mobile_audit | 1.0.0 | python:3.9.0-buster |
+|--------------------|-------|--------------------- |
+| mpast/mobile_audit | 3.0.0 | python:3.9.16-buster |
+| mpast/mobile_audit | 2.2.1 | python:3.9.7-buster  |
+| mpast/mobile_audit | 1.3.8 | python:3.9.4-buster  |
+| mpast/mobile_audit | 1.0.0 | python:3.9.0-buster  |
 
 ### Main features
 
@@ -216,7 +220,7 @@ By default, there is a volume in `docker-compose.yml` with the configuration wit
 - ./nginx/app.conf:/etc/nginx/conf.d/app.conf
 ```
 
-** In production environment** use `docker-compose.prod.yaml` with port 443
+**In a production environment** use `docker-compose.prod.yaml` with port 443
 ```yml
 - ./nginx/app_tls.conf:/etc/nginx/conf.d/app_tls.conf
 ```
@@ -225,7 +229,7 @@ By default, there is a volume in `docker-compose.yml` with the configuration wit
 
 All the environment variables are in a `.env` file, there is an `.env.example` with all the variables needed. Also there are collected in `app/config/settings.py`:
 
-```py
+```python
 CWE_URL = env('CWE_URL', 'https://cwe.mitre.org/data/definitions/')
 
 MALWARE_ENABLED = env('MALWARE_ENABLED', True)