23 Feb 2021 |
proletarius101 | If there is anyone particularly interested in the security of fdroidclient, here is a report I just scanned: https://gitlab.com/proletarius101/fdroidclient/-/pipelines/260448916/security | 13:27:23 |
_hc | proletarius101: seems like it didn't find anything | 14:18:39 |
proletarius101 | In reply to @eighthave:matrix.org "proletarius101: seems like it didn't find anything": The number is 0, but how about those below that? | 14:20:41 |
_hc | where are you looking? | 14:21:38 |
_hc | looking at the JSON, it looks like a pile of false positives | 14:22:34 |
_hc | to make it useful, you'll have to make an exclude list like what's used for pm | 14:23:22 |
_hc | pmd | 14:23:23 |
_hc | and lint | 14:23:27 |
proletarius101 | In reply to @eighthave:matrix.org "looking at the JSON, it looks like a pile of false positives": Well, then I'll look into it later. All of them are false? 😂 | 14:24:57 |
_hc | looks like a binary APK scanner for malware | 14:25:13 |
_hc | for example, android_prevent_screenshot is true, but we want that | 14:25:31 |
_hc | same for android_package_tamper | 14:25:51 |
_hc | using android_hiddenui is a common pattern | 14:26:32 |
_hc | might be a more useful scan as part of issuebot on fdroiddata | 14:28:06 |
proletarius101 | In reply to @eighthave:matrix.org "for example, android_prevent_screenshot is true, but we want that": That's right | 14:34:10 |
proletarius101 | I'll look into this deliberately. And hopefully someone who is more familiar with android security could make more comments | 14:36:57 |
proletarius101 | I think the vulnerable random generator report is true | 14:37:31 |
_hc | I doubt it | 14:37:40 |
mimi89999 | What vuln? | 14:38:24 |
proletarius101 | https://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom | 14:40:43 |
proletarius101 | Looks like it's true | 14:40:59 |
proletarius101 | In reply to @freenode_mimi89999:matrix.org "What vuln?": A pile of them: https://gitlab.com/proletarius101/fdroidclient/-/pipelines/260448916/security. Some of them may be false positives though | 14:41:22 |
mimi89999 | I only see a pipeline that is not finished | 14:42:25 |
proletarius101 | In reply to @freenode_mimi89999:matrix.org "I only see a pipeline that is not finished": I realize the view is different when it's not viewed by me | 14:43:23 |
mimi89999 | Can I get access? | 14:43:43 |
proletarius101 | I'm trying | 14:44:01 |
_hc | https://gitlab.com/proletarius101/fdroidclient/-/jobs/1049695605/artifacts/file/gl-sast-report.json mimi89999 | 14:46:22 |
proletarius101 | In reply to @freenode_mimi89999:matrix.org "Can I get access?": Sorry, I'm afraid you have to download the JSON: https://gitlab.com/proletarius101/fdroidclient/-/jobs/1049695605/artifacts/download?file_type=sast | 14:46:27 |