Port MASTG-TEST-0034: Testing Object Persistence (android) (by @appknox) #3418
Conversation
|
@cpholguera please check |
There was a problem hiding this comment.
Pull Request Overview
This PR ports MASTG-TEST-0034 (Testing Object Persistence) to a new version MASTG-TEST-0287 (Unwanted Object Deserialization Using Serializable) as part of MASTG V2 migration. The original test is marked as deprecated and replaced with an updated version that focuses specifically on insecure deserialization vulnerabilities in Android applications.
Key changes:
- Deprecates the original MASTG-TEST-0034 with proper metadata linking to the new version
- Creates new test MASTG-TEST-0287 with updated content focusing on deserialization security issues
- Adds comprehensive demo materials including Kotlin/Java code samples and semgrep rules
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/android/MASVS-CODE/MASTG-TEST-0034.md | Adds deprecation metadata linking to new test version |
| tests-beta/android/MASVS-CODE/MASTG-TEST-0287.md | New test definition focusing on insecure deserialization vulnerabilities |
| rules/mastg-android-object-deserialization.yml | Semgrep rule to detect ObjectInputStream.readObject() usage patterns |
| demos/android/MASVS-CODE/MASTG-DEMO-0061/ | Complete demo package with vulnerable code samples, analysis tools, and expected outputs |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| - java | ||
| metadata: | ||
| summary: This rule looks for use of Object Serialization | ||
| message: "[MASVS-CODE-4] The application make use of Object deserialization in the code." |
There was a problem hiding this comment.
Grammar error: 'make use of' should be 'makes use of' to agree with the singular subject 'application'.
| message: "[MASVS-CODE-4] The application make use of Object deserialization in the code." | |
| message: "[MASVS-CODE-4] The application makes use of Object deserialization in the code." |
Copilot uses AI. Check for mistakes.
|
|
||
| ### Observation | ||
|
|
||
| The output file shows usages of the object persistence in the code. |
There was a problem hiding this comment.
The phrase 'object persistence' is inconsistent with the test's focus on 'object deserialization'. Should be 'object deserialization' to match the test context.
| The output file shows usages of the object persistence in the code. | |
| The output file shows usages of object deserialization in the code. |
Copilot uses AI. Check for mistakes.
1 participant
closes #3000