scanner

Documentation

Overview

Package scanner provides a security rule engine for analyzing Android application packages using parsed DEX bytecode and manifest data. It produces findings compatible with the mobilepkg analysis pipeline.

Index

• type Context
  • func (c *Context) MergedStrings() map[string]struct{}
• type Finding
  • func Scan(ctx *Context) []Finding
  • func ScanWithRules(ctx *Context, rules []Rule) []Finding
• type Rule
  • func DefaultRules() []Rule

Types

type Context

type Context struct {
	DexFiles []*dex.File
	// DexNames holds the archive entry name for each DexFile (same index).
	// Used to populate Finding.ArchivePath with the correct file name.
	DexNames []string
	// contains filtered or unexported fields
}

Context provides all data that rules need to inspect.

func (*Context) MergedStrings

func (c *Context) MergedStrings() map[string]struct{}

MergedStrings returns the deduplicated set of strings from all DEX files.

type Finding

type Finding struct {
	ID          string
	Category    string
	Severity    string // "info", "warn", "error"
	Confidence  string // "high", "medium", "low"
	Message     string
	ArchivePath string
	Field       string
	Matched     string
	Offset      int
}

Finding represents a security observation from a scanner rule. Fields use plain types to avoid circular imports with the root package.

func Scan

func Scan(ctx *Context) []Finding

Scan runs all default rules against the given context and returns the aggregated findings.

func ScanWithRules

func ScanWithRules(ctx *Context, rules []Rule) []Finding

ScanWithRules runs the given rules against the context and returns the aggregated findings.

type Rule

type Rule interface {
	Name() string
	Match(ctx *Context) []Finding
}

Rule is the interface that all security detection rules implement.

func DefaultRules

func DefaultRules() []Rule

DefaultRules returns the standard set of security detection rules.