Port MASTG-TEST-0036: Testing Enforced Updating (android)

[aakarshgopishetty]

Thank you for submitting a Pull Request to the OWASP MASTG. Please make sure that:

• Your contribution is written in the 2nd person (e.g. you)
• Your contribution is written in an active present form for as much as possible.
• You have made sure that the reference section is up to date (e.g. please add sources you have used, make sure that the references to MITRE/MASVS/etc. are up to date)
• Your contribution has proper formatted markdown and/or code
• Any references to website have been formatted as [TEXT](URL “NAME”)
• You verified/tested the effectiveness of your contribution (e.g.: is the code really an effective remediation? Please verify it works!)

If your PR is related to an issue. Please end your PR test with the following line:
This PR closes #2994.

[cpholguera]

This PR doesn't comply with our guidelines. Please check them out before proceeding. See our previous discussions here:

#2994 (comment)

#2999 (comment)

Turning into "DRAFT" until the files are compliant.

[cpholguera]

This file doesn't belong to this PR

[cpholguera]

This file doesn't belong to this PR

[cpholguera]

This doesn't comply with the required structure and style as defined in our guidelines. Please check them out before proceeding.

[aakarshgopishetty]

@cpholguera I have removed unrelated files and fixed Markdown linting. Please review again. Thanks!

[sk3l10x1ng]

@aakarshgopishetty kindly follow the structure and update changes accordingly.

[sk3l10x1ng]

@aakarshgopishetty

Here are the links to the guidelines as well as the specific guidelines for writing new tests and demos here:

https://docs.google.com/document/d/1EMsVdfrDBAu0gmjWAUEs60q-fWaOmDB5oecY9d9pOlg/edit?tab=t.0

• The file is located in the wrong directory.This new porting MASTG-TEST-xxxx.md file needs to be located in tests-beta/android/MASVS-CODE/ and should include the following essential elements.

  • Metadata

    ---
    platform: android
    title: Enforced Updating
    id: MASTG-TEST-0x36
    type: [static]
    weakness: MASWE-0075
    --- 
    

  • Body

     ## Overview
    
     ## Steps
    
     ## Observation
    
     ## Evaluation
    

  Here’s a example of the MASTG-TEST-0254 structure https://github.com/OWASP/owasp-mastg/blob/f041b2c60afc81452095bd921e243309c817e292/tests-beta/android/MASVS-PRIVACY/MASTG-TEST-0254.md

Demo

• A demo needs to be developed for MASTG-TEST-xxxx using the demo application found at https://github.com/cpholguera/MASTestApp-Android.
  For this demo should be located in the directory demos/android/MASVS-CODE/MASTG-DEMO-xxxx/.

• The Semgrep rule for the application needs to be located beneath rules/mastg-android-xxxx.yaml. i.e https://github.com/OWASP/owasp-mastg/tree/f041b2c60afc81452095bd921e243309c817e292/rules

Here’s an example of the demo folder structure:
https://github.com/OWASP/owasp-mastg/tree/f041b2c60afc81452095bd921e243309c817e292/demos/android/MASVS-PRIVACY/MASTG-DEMO-0033

[sk3l10x1ng]

• This file doesn't belong to this PR , the MASTG-TEST-0036 is associated with this testcase

• When dealing with "porting tests" issues, you won't be modifying the V1 tests. Instead, you'll mark them as deprecated and indicate the new tests to be used at the end of the metadata.

  status: deprecated
  covered_by: [MASTG-TEST-0x36]
  deprecation_note: New version available in MASTG V2
  

[sk3l10x1ng]

@aakarshgopishetty any news on this? Thanks

[sk3l10x1ng]

@aakarshgopishetty any update on this ? Please let us know if you have any doubts. thank you

[aakarshgopishetty]

Hi @sk3l10x1ng ,

I'm a bit confused about how to create the demo and add the Semgrep rule for the MASTG-TEST-0036 port. Could you please help clarify how I should proceed with these tasks?

[sk3l10x1ng]

@aakarshgopishetty
DEMO

• A demo needs to be developed for MASTG-TEST-xxxx using the demo application found at https://github.com/cpholguera/MASTestApp-Android. In the ApplicationMastgTest.kt - This section includes a single function, which is where the source code for the demo test case should be written. Then, Launch the app in the emulator and run the provided script:
  /tools/extract-code-for-mastg-demo.sh , a output folder is created containing file. Run your SAST rules on the _reversed files and ensure they work as expected.
• For this testcase the demo should be located in the directory demos/android/MASVS-CODE/MASTG-DEMO-xxxx/
• A semgrep rule should be and the rule for the application needs to be located beneath rules/mastg-android-xxxx.yml. i.e https://github.com/OWASP/owasp-mastg/tree/f041b2c60afc81452095bd921e243309c817e292/rules

[sk3l10x1ng]

@aakarshgopishetty you can refer to the https://mas.owasp.org/MASTG/tests/android/MASVS-CODE/MASTG-TEST-0036/ for creating a demo for the testcase

[sk3l10x1ng]

@aakarshgopishetty any update ?

[sk3l10x1ng]

@aakarshgopishetty any update ?

[aakarshgopishetty]

Hi @sk3l10x1ng and @cpholguera,

Thank you for your continued support and detailed guidance throughout the process.

After reviewing the requirements and steps involved, I've realized that I'm currently not equipped with the necessary experience and skills to implement the demo and create the corresponding Semgrep rule as required for this test case. At this time, I won’t be able to complete the remaining work on this PR.

I truly appreciate the opportunity to contribute and learn from this experience. I hope to come back and contribute again in the future once I’ve built up more expertise.

Thank you again for your time and understanding.

Best regards,
@aakarshgopishetty

[cpholguera]

Thank you, @aakarshgopishetty. We really appreciate your willingness to learn and contribute. Wishing you all the best on your learning journey!

We’ll go ahead and close the PRs for now.

Take care, and thanks again!