Static review stuck in code analysis #2162
Comments
👋 @berial5
Reproduced this, code analysis works at my end, but there is a pid kill happening just before string extraction.
So Memory leak is not true?
We need to investigate this and identify the root cause of why the PID is getting killed, the error code suggests that it is a memory leak, but can only confirm after investigation. I guess you cannot scan the said APK(s) until this is fixed.
Hi guys, [INFO] 28/Apr/2023 12:08:46 - Code Analysis Started on - java_source Regards!
Hi, guys: [INFO] 15/May/2023 09:41:19 - | / | ___ | |/ || | | / / / [INFO] 15/May/2023 09:41:19 - Mobile Security Framework v3.6.3 Beta If you use the API interface to upload the installation package for static analysis, you will get stuck here.
I have avoided this problem by modifying the process and triggering an additional submission through the API. This method may only be regarded as a temporary solution, for your reference only.
Any steps to reproduce this? I get something similar. An IPA at 100Mb+ is fine but an APK at 40Mb breaks with the following
Are you using it in a Docker environment? Can you give a tutorial on how you did the workaround, please? Thanks mate!
Upon checking some of the past versions of MobSF, the following versions all have the same issue of getting stuck.
Then after trying the version MobSF v3.4.0 Beta, it works. The problem here is I want to use the latest version. I hope this gets fixed soon. Additional information: the versions that are getting stuck are stopped around the logs below.
Hey there, I'm hoping you could give some more information about your temporary solution
I second this; may we please know what this is? Up to now the issue is still persisting.
Hi, I'm having the same issue albeit with a few extra steps to reproduce. Environment: Steps to reproduce:
I can fix this temporarily by restarting the MobSF instance.
This is unrelated. The code analysis being stuck is probably due to a regex DoS/catastrophic backtracking from one of the SAST rules.
Can folks share problematic APKs here so that we can take a look at the files and the rules causing the issue?
Got the same issue while doing the static analysis. I uploaded the myjio APK version 7.0.55 and got stuck at the same point (downloaded the APK from apkmirror). I’m currently on MobSF v3.7.6. Tried on Docker (it took a lot of time on Docker for jadx, and a jadx timeout error was thrown) and got stuck at Tried on bare metal (Windows 11 Home). It also got stuck (but no jadx timeout error thrown).
It worked on the latest Signal APK on
Make sure the
My whole system got stuck when I tried to upload a large size APK for static analysis. Please provide me some solution for the same.
Probably unavoidable, will consider adding a timeout by default.
I tested it, and it has something to do with the machine configuration. If the memory is 128G or more, there will be no problem. Most of the freezes are because the memory is exhausted.
Another situation is that the Java code generated by some APK decompilation is in the same file, resulting in a single Java code file size of 2-10M, so it will get stuck in it during regular matching.
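The comments above point to catastrophic regex backtracking, a default timeout, and very large decompiled Java files. The sketch below is an added example, not MobSF code or any commenter's workaround: it runs each rule match in a child process that is killed on timeout and skips oversized files. The names `scan`, `MAX_BYTES` and `_WORKER`, the 2 MiB cap, the sample pattern and the inputs are all assumptions constructed for illustration.

```python
import json
import subprocess
import sys

# Assumed cap, chosen from the 2-10M single-file sizes reported in the thread.
MAX_BYTES = 2 * 1024 * 1024

# Worker run in a separate interpreter so a runaway match can be killed.
_WORKER = """
import json, re, sys
job = json.load(sys.stdin)
hits = [m.start() for m in re.finditer(job["pattern"], job["text"])]
print(json.dumps(hits))
"""


def scan(pattern, text, timeout=2.0):
    """Return (status, offsets); status is ok, timeout or skipped_size."""
    if len(text.encode("utf-8")) > MAX_BYTES:
        return ("skipped_size", [])
    job = json.dumps({"pattern": pattern, "text": text})
    try:
        done = subprocess.run(
            [sys.executable, "-c", _WORKER],
            input=job, capture_output=True, text=True,
            timeout=timeout, check=True,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, so no CPU is left spinning.
        return ("timeout", [])
    return ("ok", json.loads(done.stdout))


if __name__ == "__main__":
    # Constructed inputs, not taken from any real APK or MobSF rule.
    source = 'String k = "secret";\nString p = "password";\n'
    print(scan(r"password", source))
    # Textbook nested quantifier: backtracks exponentially on a near-miss.
    print(scan(r"(a+)+$", "a" * 40 + "!", timeout=1.0))
```

Recording which rule and file produced a `timeout` status is what identifies the offending pattern, which is the information the maintainers ask for in this thread.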
ENVIRONMENT
EXPLANATION OF THE ISSUE
STEPS TO REPRODUCE THE ISSUE
LOG FILE
The APK is at this URL (it's so big that the upload fails):
https://mega.nz/file/YGgEiarD#yRR8dZK3UCb3t09TWt4I5c67aGQbtXVSmi5yCvyqKPk