def cli(ctx, sdk_path, build_path, debug, source, report_type, exploit_apk):
if not source:
click.secho("Please pass a source for scanning through either --java or --apk")
click.secho(ctx.get_help())
return
if exploit_apk:
if not sdk_path:
# Try to set the SDK from environment variables if they exist
# Follows the guidelines from https://developer.android.com/studio/command-line/variables
if environ_path_variable_exists(ANDROID_SDK_HOME):
sdk_path = os.environ[ANDROID_SDK_HOME]
elif environ_path_variable_exists(ANDROID_HOME):
sdk_path = os.environ[ANDROID_HOME]
elif environ_path_variable_exists(ANDROID_SDK_ROOT):
sdk_path = os.environ[ANDROID_SDK_ROOT]
else:
click.secho("Please provide path to android SDK if building exploit APK.")
return
# Debug controls the output to stderr, debug logs are ALWAYS stored in `qark_debug.log`
if debug:
level = "DEBUG"
else:
level = "INFO"
initialize_logging(level)
click.secho("Decompiling...")
decompiler = Decompiler(path_to_source=source, build_directory=build_path)
decompiler.run()
click.secho("Running scans...")
if decompiler.source_code:
scanner = Scanner(manifest_path=decompiler.manifest_path, path_to_source=decompiler.path_to_source)
else:
scanner = Scanner(manifest_path=decompiler.manifest_path, path_to_source=decompiler.build_directory)
scanner.run()
grouped_issues = scanner.regroup_issues()
click.secho("Finish scans...")
click.secho("Writing report...")
report = Report(issues=dict(grouped_issues))
report_path = report.generate(file_type=report_type)
click.secho("Finish writing report to {report_path} ...".format(report_path=report_path))
if exploit_apk:
click.secho("Building exploit APK...")
exploit_builder = APKBuilder(exploit_apk_path=build_path, issues=scanner.issues, apk_name=decompiler.apk_name,
manifest_path=decompiler.manifest_path, sdk_path=sdk_path)
exploit_builder.build()
click.secho("Finish building exploit APK...")
def test_report_json_defaults():
report = Report()
issue = Issue(category='Test',
name='Test Issue',
severity=Severity.VULNERABILITY,
description='Test')
report.issues.append(issue)
report.generate(file_type='json')
# We remove the issue we added to clean up after ourselves.
report.issues.remove(issue)
assert os.path.exists(os.path.join(DEFAULT_REPORT_PATH, 'report.json'))
# We remove the report, to clean up after ourselves
os.remove(os.path.join(DEFAULT_REPORT_PATH, 'report.json'))
def test_report_html_custom_template():
report = Report()
issue = Issue(category='Test',
name='Test Issue',
severity=Severity.VULNERABILITY,
description='Test')
report.issues.append(issue)
report.generate(
template_file=os.path.join('templates', 'html_report.jinja'))
# We remove the issue we added to clean up after ourselves.
report.issues.remove(issue)
assert os.path.exists(os.path.join(DEFAULT_REPORT_PATH, 'report.html'))
# We remove the report, to clean up after ourselves
os.remove(os.path.join(DEFAULT_REPORT_PATH, 'report.html'))
def test_report_singleton():
assert Report() is Report()
report3 = Report()
report4 = Report()
assert report3 is report4
report3.value = 4
assert report4.value == 4
def test_report_with_report_path():
assert Report(report_path=DEFAULT_REPORT_PATH) is Report(
report_path=DEFAULT_REPORT_PATH)