
CASA Scan - fluidattacks/cli Doesn't seem to do anything


I'm attempting to run a tier 2 CASA scan on an iOS app using fluidattacks/cli, and I'm having trouble figuring out how to configure it.

The command I'm running is: docker run -v $(pwd)/FluidScanArtifacts:/working-dir fluidattacks/cli:arm64 skims scan /working-dir/MyApp/config.yaml

And my config.yaml is as follows:

namespace: MyApp
output:
  file_path: ./Fluid-Attacks-Results.csv
  format: CSV
working_dir: .
language: EN
sast:
  include:
    - .
  exclude:
    - glob(**/Pods/**)
sca:
  include:
    - .
  exclude:
    - glob(**/Pods/**)

When it runs I get no errors and it says no vulnerabilities were found, but I'm not sure it's actually scanning anything as the whole process is taking maybe a second and it says Analysis on 0 paths:

[INFO] Official Documentation: https://docs.fluidattacks.com/tech/scanner/standalone/
[INFO] Namespace: MyApp
[ERROR] Computing commit hash: /src 
[INFO] info HEAD is now at: 0000000000000000000000000000000000000000
[INFO] Startup work dir is: /src
[INFO] Moving work dir to: /src
[INFO] Running SAST analysis on specified paths
[INFO] Performing lines analysis
[INFO] Performing Path Analysis on 0 paths
[INFO] SAST path analysis completed!
[INFO] Performing graph analysis
[INFO] Performing unverifiable paths analysis
[INFO] SAST analysis completed!
[INFO] Analysis finished, writing results
[INFO] An output file has been written: /src/Fluid-Attacks-Results.csv
[INFO] Summary: No vulnerabilities were found in your targets.

So something feels wrong here, and I think it may have to do with the working_dir in the config.yaml, which is just set to a single dot (.). I can't figure out what this path is relative to. If I set it to anything besides . I just get (after setting it to MyApp):

 File "/nix/store/ls4wycw226gqlidzliw3p9bzyr9gknx4-skims/core/scan.py", line 277, in main
    os.chdir(ctx.SKIMS_CONFIG.working_dir)
FileNotFoundError: [Errno 2] No such file or directory: '/src/MyApp'

[INFO] Summary: An error occurred while analyzing your targets.

And what is /src? I actually did a docker cp on the src directory from the container after it ran successfully and all it had is my CSV file. I kind of expected all my code to be in there but it wasn't.

Anyone know what's going on here?


Solution

  • The documentation is incorrect. You need to change working-dir to src. In your example, the command would then become:

    docker run -v $(pwd)/FluidScanArtifacts:/src fluidattacks/cli:arm64 skims scan /src/MyApp/config.yaml
    

    I wrote a blog post covering the steps after struggling with this which might help: https://mzansibytes.com/2024/03/07/performing-a-sast-for-a-casa-tier-2-self-scan/
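As an added example that is not part of the question or the answer: the corrected invocation from the answer, mounted at /src, wrapped in a small POSIX sh script that does two things a practitioner would want before trusting a "no vulnerabilities" result. It refuses to build the docker command when the host directory has no files or the config is missing, and it inspects captured skims output for the "Path Analysis on 0 paths" line from the question, which is the silent signal that the bind mount exposed no code. The directory layout (FluidScanArtifacts/MyApp/config.yaml), the FLUID_IMAGE variable and the two function names are assumptions for illustration; the only facts taken from the page are the image tag, the /src mount target and the log line.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or fluidattacks/cli.
# Assumptions: the iOS project and its config.yaml live under a host
# directory such as FluidScanArtifacts/MyApp, the host path contains no
# spaces, and skims resolves working_dir "." relative to /src (the answer).

# Image to run; the arm64 tag is the one used in the question.
FLUID_IMAGE="${FLUID_IMAGE:-fluidattacks/cli:arm64}"

# Print the docker command for host directory $1 and a config path $2
# given relative to that directory. Prints nothing and returns 1 when the
# directory holds no regular files or the config is absent, so an empty
# mount is caught before docker runs rather than after a one-second scan.
build_scan_cmd() {
  host_dir=$1
  cfg_rel=$2
  if [ -z "$(find "$host_dir" -type f -print -quit 2>/dev/null)" ]; then
    echo "error: $host_dir contains no files to scan" >&2
    return 1
  fi
  if [ ! -f "$host_dir/$cfg_rel" ]; then
    echo "error: config $host_dir/$cfg_rel not found" >&2
    return 1
  fi
  # Mount at /src, not /working-dir: working_dir "." in config.yaml is then
  # resolved against the directory that actually holds the code.
  printf 'docker run --rm -v %s:/src %s skims scan /src/%s\n' \
    "$host_dir" "$FLUID_IMAGE" "$cfg_rel"
}

# Inspect captured skims output passed as $1. Returns 1 when the log shows
# the "0 paths" symptom from the question, meaning the scan saw no source
# and a clean result should not be reported as a passed scan.
check_scan_log() {
  if printf '%s\n' "$1" | grep -q 'Path Analysis on 0 paths'; then
    echo "warning: skims analysed 0 paths; check that -v mounts to /src" >&2
    return 1
  fi
  return 0
}

# Typical use (assumed layout): build the command, run it, then audit the log.
# cmd=$(build_scan_cmd "$PWD/FluidScanArtifacts" MyApp/config.yaml) || exit 1
# log=$($cmd 2>&1); printf '%s\n' "$log"
# check_scan_log "$log" || exit 1
```

The second check matters because skims exits successfully and writes a CSV even when it analysed nothing, so a CI job that only looks at the exit code or the "No vulnerabilities were found" summary would accept an empty scan.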