Hi,
We're using the Nexus Platform Plugin in Jenkins to carry out Android vulnerability scans.
I'm looking for how Nexus IQ will scan an Android application.
I tried to apply the parameter scanPattern as a [*.apk] file, but it is not getting scanned.
e.g. We're executing the following pipeline script in Jenkins:
nexusPolicyEvaluation iqApplication: 'ApplicationID', iqStage: 'build', iqScanPatterns: [scanPattern: '**/*.apk']
Any thoughts?
nickcook (Nick Cook)
January 24, 2019, 12:10am
Hi,
Check out this post from @fcremer for information about scanning Android with IQ Server.

    Nexus IQ Server does not support scanning an .apk file directly due to the minification performed via the dalvik byte code process. For this reason, scanning prior to the assembling of the .apk is required.
    Check out this article for more information on How Your Android Code Compiles to Deliver .APK Package File.
    As an example, in Gradle you could add to your build.gradle a small amount of additional code that essentially would perform 2 main actions during the build:
    Execute the copyCom…
Thanks for the workaround. It works.
We are able to scan the Android vulnerabilities.
Any thoughts on whether it is available with the Nexus Platform Plugin itself?
anoop.nair (Anoop Nair)
November 10, 2022, 4:59pm
Recently I had the requirement to perform an IQ scan on an Android package, and the above instructions do not work with the latest version of Android. This is confirmed by the Sonatype support team as well. I'll walk you through the steps that worked for me:
Environment 
Dependency and build tool: Gradle 
Build pipeline: Gitlab CI 
Android SDK version: 29 
 
Design 
Generate an SBOM from the apk file 
Upload SBOM to Sonatype lifecycle to get reporting into the platform 
Validate violation response to use as a build action 
 
Steps 
Add the following to build.gradle. 
 
cyclonedx 1.7.x did not work for me.
 
plugins {
    id 'org.cyclonedx.bom' version '1.6.1'
}
cyclonedxBom {
    // Leave test and debug classpaths out of the BOM so only shipped dependencies are evaluated
    skipConfigs += [
            "debugCompileClasspath",
            "debugAndroidTestCompileClasspath",
            "debugUnitTestCompileClasspath",
            "releaseUnitTestCompileClasspath",
            "debugUnitTestRuntimeClasspath",
            "releaseUnitTestRuntimeClasspath"
    ]
    // Where cyclonedxBom writes bom.xml; the CI job below collects it from here
    destination = file("app/build/reports")
}
 
Add the following to the gitlab-ci.yml file to generate an SBOM file
 
iq-sbom:
  stage: build
  # Packages installation before running script
  before_script:
    - chmod +x ./gradlew
  script:
    - ./gradlew cyclonedxBom
  artifacts:
    paths:
      - app/build/reports/bom.xml
 
In gitlab-ci.yml,
Upload SBOM using the Sonatype REST API to the Sonatype platform
Wait for a few seconds
Validate response
Fail build if there is a policy violation
Replace IQ_URL and APP_ID

iq-scan:
  stage: security-scan
  variables:
    APPLICATION_INTERNAL_ID: 'APP_ID'
    IQ_URL: 'https://IQ_URL/api/v2/scan/applications/$APPLICATION_INTERNAL_ID/sources/cyclone'
    # -k disables TLS certificate verification; drop it once the IQ server presents a trusted certificate.
    # --data-binary sends bom.xml unchanged, whereas -d strips newlines from the file.
    SCAN_CURL_COMMAND: "curl -k -X POST -H 'Content-Type: application/xml' -u ${iq_user}:${iq_pass} --data-binary @app/build/reports/bom.xml $IQ_URL"
  script:
    - |
      apt-get update && apt-get install jq -y
      # The upload response is JSON carrying the relative statusUrl of the evaluation
      STATUS_URL=$(eval "$SCAN_CURL_COMMAND" | jq -r '.statusUrl')
      # Give the evaluation time to finish before reading its status
      sleep 30
      CHECK_STATUS_OUTPUT=$(curl -k -X GET -H 'Accept: application/json' -u ${iq_user}:${iq_pass} "https://IQ_URL/$STATUS_URL")
      SCAN_RESULT=$(echo "$CHECK_STATUS_OUTPUT" | jq -r '.policyAction')
      REPORT_URI=$(echo "$CHECK_STATUS_OUTPUT" | jq -r '.reportHtmlUrl')
      echo "Report: https://IQ_URL/$REPORT_URI"
      # Break the build only on a policy Failure; Warning and None let it pass
      if [ "$SCAN_RESULT" = "Failure" ]; then
        echo "Scan result: $SCAN_RESULT"
        exit 1
      fi
 
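The upload, wait, validate, fail-the-build sequence from the post above, as an added example in Python that is not part of the original thread or of Sonatype's own tooling. It keeps the two IQ REST calls the post uses (POST to .../sources/cyclone returning a statusUrl, then GET on that statusUrl for policyAction and reportHtmlUrl) but replaces the fixed sleep with bounded polling. The assumption that the status URL answers HTTP 404 while the evaluation is still running is ours, as are the placeholder host, APP_ID and the constructed sample responses; the urllib transport leaves TLS verification on, unlike the post's curl -k.

```python
import base64
import json
import time
import urllib.error
import urllib.request

# Constructed sample responses shaped like the JSON the post parses with jq.
# The identifiers are placeholders, not real IQ values.
SAMPLE_SUBMIT_RESPONSE = {"statusUrl": "api/v2/scan/applications/APP_ID/status/STATUS_ID"}
SAMPLE_FAILED_RESULT = {
    "policyAction": "Failure",
    "reportHtmlUrl": "ui/links/application/APP_ID/report/REPORT_ID",
    "isError": False,
}


def basic_auth(user, password):
    """Same credentials curl -u sends, as an explicit Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def urllib_fetch(method, url, headers, data=None):
    """Real transport: returns (status, body) and does not raise on 4xx/5xx,
    so a pending 404 can be told apart from a transport failure."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def submit_sbom(fetch, iq_base, app_internal_id, sbom_xml, headers):
    """POST the CycloneDX BOM; return the relative statusUrl from the response."""
    url = f"{iq_base}/api/v2/scan/applications/{app_internal_id}/sources/cyclone"
    status, body = fetch("POST", url, {**headers, "Content-Type": "application/xml"}, sbom_xml)
    if not 200 <= status < 300:
        raise RuntimeError(f"SBOM upload rejected: HTTP {status}: {body[:200]!r}")
    status_url = json.loads(body).get("statusUrl")
    if not status_url:
        raise RuntimeError("upload response carried no statusUrl")
    return status_url


def poll_status(fetch, iq_base, status_url, headers, attempts=20, delay=5, sleep=time.sleep):
    """Poll the status URL until the evaluation finishes or attempts run out.
    Assumption (ours): the URL answers 404 while the evaluation is still pending."""
    url = f"{iq_base}/{status_url}"
    for _ in range(attempts):
        status, body = fetch("GET", url, {**headers, "Accept": "application/json"})
        if 200 <= status < 300:
            return json.loads(body)
        if status != 404:
            raise RuntimeError(f"status check failed: HTTP {status}: {body[:200]!r}")
        sleep(delay)
    raise TimeoutError(f"evaluation still pending after {attempts} polls")


def build_exit_code(result):
    """Map policyAction to a CI exit code: only 'Failure' breaks the build,
    'Warning' and 'None' pass, and an errored evaluation is never treated as clean."""
    if result.get("isError"):
        return 2
    return 1 if result.get("policyAction") == "Failure" else 0


def evaluate(fetch, iq_base, app_internal_id, sbom_xml, user, password, sleep=time.sleep):
    """Full gate: upload, poll, print the report link, return the exit code."""
    headers = basic_auth(user, password)
    status_url = submit_sbom(fetch, iq_base, app_internal_id, sbom_xml, headers)
    result = poll_status(fetch, iq_base, status_url, headers, sleep=sleep)
    print(f"Report: {iq_base}/{result.get('reportHtmlUrl', '')}")
    return build_exit_code(result)


def make_fake_fetch(get_responses):
    """Offline stand-in for urllib_fetch: answers the POST with the sample
    statusUrl and serves queued GET responses, mimicking a server that is still
    evaluating (404) before the report appears."""
    queue = list(get_responses)

    def fetch(method, url, headers, data=None):
        if method == "POST":
            assert data, "SBOM body must not be empty"
            return 202, json.dumps(SAMPLE_SUBMIT_RESPONSE).encode()
        status, payload = queue.pop(0)
        return status, json.dumps(payload).encode()

    return fetch


def demo():
    """Run the gate against the constructed responses: two pending polls, then a Failure."""
    fake = make_fake_fetch([(404, {}), (404, {}), (200, SAMPLE_FAILED_RESULT)])
    return evaluate(fake, "https://iq.example.invalid", "APP_ID",
                    b"<bom/>", "ci-user", "ci-pass", sleep=lambda s: None)


if __name__ == "__main__":
    print("exit code:", demo())
```

To use it in the job, pass urllib_fetch, the real IQ base URL and the internal application ID, read bom.xml as bytes, take iq_user and iq_pass from CI variables, and call sys.exit on the value evaluate returns. The 404-while-pending assumption is the one to check against your IQ version before relying on the poll loop; if the status endpoint behaves differently, only poll_status needs to change.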