Rules for the manifest and network-security-config files
I noticed that the full framework has rules dealing with the network-security-config.xml file, which are implemented in Python and seem to not be included in mobsfscan (unless mobsfscan somehow includes the relevant stuff from the full framework and I missed this). I just wanted to let you know that I just submitted a few basic rules for these file types to the semgrep-rules repository. If these are also of interest to mobsfscan, you are very welcome to use them as well.
Note: They rely on the generic parser as no specialized XML parser exists. This means, for example, that "..." only matches up to 10 lines. Thus, the rules may fail for very long network-security-config files and are generally not 100% reliable.
If this type of linting is already supported by mobsfscan, feel free to simply close this issue.
Thanks @malexmave, this is something I was planning to strip from MobSF. I will take a look at this before implementing.
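The first post notes that generic-parser rules miss matches when "..." has to span more than 10 lines. As an added example (not code from mobsfscan, MobSF or the submitted semgrep rules), the sketch below does the same kind of check with a real XML parser, so distance in lines does not matter. The two checks, the function names and the sample file are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: 15 <domain> lines sit between the opening
# <domain-config> tag and the <certificates src="user"/> entry, which is
# farther apart than a 10-line "..." match can reach.
_DOMAINS = "\n".join(
    f'    <domain includeSubdomains="true">host{i}.example.com</domain>'
    for i in range(15)
)
SAMPLE_CONFIG = f"""<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
{_DOMAINS}
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </domain-config>
</network-security-config>
"""


def lines_between(text, start_marker, end_marker):
    """Count line breaks separating two markers in the raw file text."""
    start = text.index(start_marker)
    return text.count("\n", start, text.index(end_marker, start))


def find_issues(xml_text):
    """Return (scope_tag, issue) tuples for base-config and domain-config.

    Assumed checks (illustrative): cleartext traffic allowed, and
    user-installed CAs trusted. For untrusted input, prefer a hardened
    parser such as defusedxml over the standard library.
    """
    findings = []
    for scope in ET.fromstring(xml_text).iter():
        if scope.tag not in ("base-config", "domain-config"):
            continue
        if scope.get("cleartextTrafficPermitted") == "true":
            findings.append((scope.tag, "cleartext-permitted"))
        # Direct children only, so a nested domain-config reports its own anchors.
        for cert in scope.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append((scope.tag, "user-ca-trusted"))
    return findings


if __name__ == "__main__":
    print(lines_between(SAMPLE_CONFIG, "<domain-config", 'src="user"'))
    print(find_issues(SAMPLE_CONFIG))
```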