NexusIQ scan for Android

Hi,

We're using the Nexus Platform Plugin in Jenkins to carry out Android vulnerability scans.
I'm looking for how NexusIQ will scan an Android application.
I tried to apply the scanPattern parameter as a [*.apk] file, but it does not get scanned.

e.g. We're executing the following pipeline script in Jenkins:

nexusPolicyEvaluation iqApplication: 'ApplicationID', iqStage: 'build', iqScanPatterns: [scanPattern: '**/*.apk']

Any thoughts?

Hi,

Check out this post from @fcremer for information about scanning Android with IQ server.

Thanks for the workaround. It works. 👍
We are able to scan for Android vulnerabilities.

Any thoughts on whether it is available with the Nexus Platform Plugin itself?

Recently I had the requirement to perform an IQ scan on an Android package, and the above instructions do not work with the latest version of Android. This is confirmed by the Sonatype support team as well. I'll walk you through the steps that worked for me:

Environment

  • Dependency and build tool: Gradle
  • Build pipeline: Gitlab CI
  • Android SDK version: 29

Design

  1. Generate an SBOM from the apk file
  2. Upload SBOM to Sonatype lifecycle to get reporting into the platform
  3. Validate violation response to use as a build action

Steps

  1. Add the following to build.gradle (cyclonedx 1.7.x did not work for me):

plugins {
    id  'org.cyclonedx.bom' version '1.6.1'
}

cyclonedxBom {
    skipConfigs += [
            "debugCompileClasspath",
            "debugAndroidTestCompileClasspath",
            "debugUnitTestCompileClasspath",
            "releaseUnitTestCompileClasspath",
            "debugUnitTestRuntimeClasspath",
            "releaseUnitTestRuntimeClasspath"
    ]
    destination = file("app/build/reports")
}
  2. Add the following to .gitlab-ci.yml to generate an SBOM file:

iq-sbom:
  stage: build
  # Packages installation before running script
  before_script:
    - chmod +x ./gradlew
  script:
    - ./gradlew cyclonedxBom
  artifacts:
    paths:
      - app/build/reports/bom.xml
  3. In .gitlab-ci.yml:
    • Upload the SBOM to the Sonatype platform using the Sonatype REST API
    • Wait a few seconds
    • Validate the response
    • Fail the build if there is a policy violation
    • Replace IQ_URL and APP_ID

iq-scan:
  stage: security-scan
  variables:
    APPLICATION_INTERNAL_ID: 'APP_ID'
    IQ_URL: 'https://IQ_URL/api/v2/scan/applications/$APPLICATION_INTERNAL_ID/sources/cyclone'
    # -k disables TLS certificate verification; drop it once the IQ server presents a trusted certificate
    SCAN_CURL_COMMAND: "curl -k -X POST -H 'Content-Type: application/xml' -u ${iq_user}:${iq_pass} -d @app/build/reports/bom.xml $IQ_URL"
  script:
    - |
     apt-get update && apt-get install jq -y
     STATUS_URL=$(eval "$SCAN_CURL_COMMAND" | grep statusUrl | cut -d ":" -f2 | cut -d "}" -f1 | cut -d '"' -f2)
     # fixed wait: if the evaluation is not finished yet, policyAction comes back empty and the check below does not fail the build
     sleep 30
     CHECK_STATUS_OUTPUT=$(curl -k -X GET -H 'Content-Type: application/json' -u ${iq_user}:${iq_pass} "https://IQ_URL/$STATUS_URL")
     SCAN_RESULT=$(echo $CHECK_STATUS_OUTPUT | jq -r '.policyAction')
     REPORT_URI=$(echo $CHECK_STATUS_OUTPUT | jq -r '.reportHtmlUrl')
     echo "Report: https://IQ_URL/$REPORT_URI"

     if [ "$SCAN_RESULT" = "Failure" ]; then
      echo "Scan result: $SCAN_RESULT"
      exit 1
     fi
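Steps 2 and 3 above, as an added example that is not part of the post: the same submit, wait and decide logic in Python, polling the status URL instead of a fixed sleep 30 (a status document that has not arrived yet otherwise leaves policyAction empty and the gate passes). It assumes the IQ status endpoint answers 404 until the evaluation is finished; urllib_fetch, wait_for_scan and decide are names chosen here, and the base URL and credentials are placeholders.

```python
import base64
import json
import time
import urllib.error
import urllib.request

def parse_status_url(submit_response_text):
    """statusUrl from the POST .../sources/cyclone reply, parsed as JSON instead of grep/cut."""
    return json.loads(submit_response_text)["statusUrl"]

def urllib_fetch(url, user, password):
    """GET with HTTP basic auth; returns (status_code, body). An HTTPError is returned, not raised."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:  # TLS is verified by default
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")

def wait_for_scan(fetch, status_url, timeout=300, interval=5, sleep=time.sleep):
    """Poll status_url until the evaluation document arrives (replaces the fixed sleep 30).
    fetch(url) -> (http_status, body_text). Assumption: IQ answers 404 while the evaluation
    is still running and 200 with the JSON document once it is complete."""
    waited = 0
    while True:
        code, body = fetch(status_url)
        if code == 200:
            return json.loads(body)
        if code != 404:
            raise RuntimeError(f"unexpected HTTP {code} from {status_url}: {body[:200]}")
        if waited >= timeout:
            raise TimeoutError(f"scan not finished after {timeout}s: {status_url}")
        sleep(interval)
        waited += interval

def decide(status_doc, iq_base, fail_on=("Failure",)):
    """Map the finished status document to (fail_build, policy_action, report_url).
    Default is the post's rule (fail only on "Failure"); pass fail_on=("Failure", "Warning")
    to make warnings block the pipeline as well. A missing policyAction never passes silently."""
    action = status_doc.get("policyAction")
    if action is None:
        raise ValueError("status document has no policyAction; evaluation not complete")
    report_url = f"{iq_base.rstrip('/')}/{status_doc.get('reportHtmlUrl', '')}"
    return action in fail_on, action, report_url
```

In CI, call wait_for_scan(lambda u: urllib_fetch(f"{base}/{u}", user, password), parse_status_url(submit_body)) and sys.exit(1) when decide reports failure.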