Currently, I am integrating LibScout into MobSF for a university project. In my test case, I have an Android APK depending on OkHttp version 2.3.0. Referring to this repository's README.md, this version should be detected as vulnerable. However, this does not happen.
Specifics:
Java OpenJDK 8, tested on Ubuntu 20 LTS x86-64 and macOS Mojave
How to replicate:
Since the vulnerability is still present in the app's latest version, I am not going to disclose the exact APK used. Therefore, the placeholder VULN.apk
(executed in LibScout root directory, PROFILE_PATH is pointing to this):
java -jar build/libs/LibScout.jar -a <SDK_PATH> -p <PROFILE_PATH> -o match <VULN.apk>
Enabling the comments in the config file does display some information, but not the important [SECURITY] section. Has this been found after the latest update to above repo, or are we using the tool wrongly?
Yours sincerely
Do I understand this correctly: the respective OkHttp version is found, but no security indicator is shown in the results?
The security-related library versions are not hardcoded in the LibScout source. Instead, the [SECURITY] flag is used in the comment section of the library.xml when profiling the library version. Upon detection, LibScout scans the comment section for the [SECURITY] flag.
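The check described in the reply above, as an added example that is not part of the thread or of LibScout's code: it inspects the library.xml descriptors used for profiling and reports which library versions carry the [SECURITY] flag in their comment. The element names `name`, `version` and `comment`, and both sample descriptors, are assumptions constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

SECURITY_FLAG = "[SECURITY]"  # marker named in the reply above

# Constructed sample descriptors. The element names <name>, <version> and
# <comment> are assumptions about the library.xml layout, not project data.
SAMPLE_FLAGGED = """<?xml version="1.0"?>
<library>
  <name>OkHttp</name>
  <version>2.3.0</version>
  <comment>[SECURITY] constructed sample comment</comment>
</library>"""

SAMPLE_UNFLAGGED = """<?xml version="1.0"?>
<library>
  <name>OkHttp</name>
  <version>2.3.0</version>
</library>"""


def inspect_descriptor(xml_data):
    """Return (name, version, flagged) for one descriptor (str or bytes),
    or None when the input is not well-formed XML."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return None
    name = (root.findtext("name") or "").strip()
    version = (root.findtext("version") or "").strip()
    # A missing or empty <comment> simply means the version is not flagged.
    comment = root.findtext("comment") or ""
    return name, version, SECURITY_FLAG in comment


def scan_descriptors(root_dir):
    """Inspect every *.xml file below root_dir; returns {path: result}."""
    return {str(p): inspect_descriptor(p.read_bytes())
            for p in sorted(Path(root_dir).rglob("*.xml"))}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, result in scan_descriptors(target).items():
        print(path, result)
```

A version that shows up here as unflagged was profiled without the marker in its comment, so a match on it would carry no security indicator.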