fix #1940 #2311

Open: wants to merge 3 commits into base: master
16 changes: 8 additions & 8 deletions mobsf/StaticAnalyzer/views/common/appsec.py
Expand Up @@ -5,6 +5,7 @@
AppSec Dashboard
"""
import logging
import math

from django.shortcuts import render

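Review bot: the added `import math` serves only `math.e` in `get_secure_score` below; `math.exp(loss_score / 30)` is the idiomatic form and is more accurate than raising the rounded constant `math.e` to a float power with `pow`, while still needing this import. The import is correctly placed in the standard-library group above the `django` import.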
Expand Down Expand Up @@ -179,19 +180,18 @@ def common_fields(findings, data):
high = len(findings.get('high'))
warn = len(findings.get('warning'))
sec = len(findings.get('secure'))
total = high + warn + sec
score = 0
if total > 0:
score = int(100 - (
((high * 1) + (warn * .5) - (sec * .2)) / total) * 100)
if score > 100:
score = 100
findings['security_score'] = score
findings['security_score'] = get_secure_score(high, warn, sec)
findings['app_name'] = data.get('app_name', '')
findings['file_name'] = data.get('file_name', '')
findings['hash'] = data['md5']


def get_secure_score(high, warn, sec):
loss_score = high * 10 + warn * 5 - sec * 2
normalize_reverse = 2 / (1 + pow(math.e, loss_score / 30))
Member

I did a round of testing. I found that most apps with more than 4 high findings get a score of 0, which makes appscore comparison difficult. I was able to get around this by changing 30 to 70. What are your thoughts on that?

Author @johnxguo, Dec 22, 2023


Can I have a look at your test code? I tried values of (high, warn, sec) of (11, 7, 0) and got score 1, (12, 9, 1) and got score 0, and (5, 21, 0) and got score 1.
But it is indeed difficult to achieve high scores with the current setting. If you want most apps to generate higher scores, you can change 30 to a higher value.

----- here is my test code

import math

def get_secure_score(high, warn, sec):
    # Weighted loss: each high finding costs 10, each warning 5, each secure check earns back 2
    loss_score = high * 10 + warn * 5 - sec * 2
    # Reverse logistic curve: 1 at loss 0, falling towards 0 as the loss grows (above 1 for negative loss)
    normalize_reverse = 2 / (1 + pow(math.e, loss_score / 30))
    # Clamp to 1 so a surplus of secure checks cannot push the score above 100
    return int(min(normalize_reverse, 1) * 100)

def print_score(high, warn, sec):
    print('%5d | %4d %4d %3d' % (get_secure_score(high, warn, sec), high, warn, sec))

print("score | high warn sec")
print_score(4, 2, 0)
print_score(5, 3, 1)
print_score(5, 21, 0)
print_score(7, 4, 0)
print_score(8, 5, 1)
print_score(10, 6, 1)
print_score(11, 7, 0)
print_score(12, 9, 1)

----- output
score | high warn sec
31 | 4 2 0
21 | 5 3 1
1 | 5 21 0
9 | 7 4 0
6 | 8 5 1
2 | 10 6 1
1 | 11 7 0
0 | 12 9 1
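To make the sensitivity discussed in this thread concrete, here is an added example (not code from the PR or from MobSF) that rebuilds the removed formula from the diff's deleted lines beside the new one, exposes the hard-coded divisor 30 as a hypothetical `scale` parameter so the proposed 70 can be compared, and handles the overflow that `pow(math.e, x)` hits for very large losses. The test vectors are constructed, not taken from real apps.

```python
import math

# Constructed test vectors: (high, warn, sec), including the cases from the thread
VECTORS = [(0, 0, 0), (4, 2, 0), (5, 21, 0), (11, 7, 0), (12, 9, 1), (3000, 0, 0)]


def old_score(high, warn, sec):
    """Scoring the PR removes, rebuilt from the diff's deleted lines."""
    total = high + warn + sec
    score = 0
    if total > 0:
        score = int(100 - (((high * 1) + (warn * .5) - (sec * .2)) / total) * 100)
    return min(score, 100)


def new_score(high, warn, sec, scale=30):
    """Scoring the PR adds; `scale` (hypothetical parameter) stands for the hard-coded 30.

    math.exp(x) equals the PR's pow(math.e, x); both raise OverflowError once
    x exceeds roughly 709, so the error is caught and mapped to a score of 0.
    """
    loss_score = high * 10 + warn * 5 - sec * 2
    try:
        normalize_reverse = 2 / (1 + math.exp(loss_score / scale))
    except OverflowError:
        normalize_reverse = 0.0
    return int(min(normalize_reverse, 1) * 100)


def compare(vectors=VECTORS, scales=(30, 70)):
    """Return rows (high, warn, sec, old, new@scale...) for side-by-side review."""
    rows = []
    for high, warn, sec in vectors:
        rows.append((high, warn, sec, old_score(high, warn, sec))
                    + tuple(new_score(high, warn, sec, s) for s in scales))
    return rows


if __name__ == "__main__":
    print("high warn sec |  old  @30  @70")
    for row in compare():
        print("%4d %4d %3d | %4d %4d %4d" % row)
```

Note that the no-findings row moves from 0 under the old formula to 100 under the new one, and that with scale 70 the (4, 2, 0) case scores 65 instead of 31.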

Member


Let me test this with some real apps and get back.


Any update on this??

return int(min(normalize_reverse, 1) * 100)


def get_android_dashboard(context, from_ctx=False):
"""Get Android AppSec Dashboard."""
findings = {
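Review bot: `get_secure_score` silently changes the no-findings result: the removed code set `score = 0` when `total` was 0, whereas `loss_score = 0` now gives `normalize_reverse = 1` and a score of 100; if that is intended, say so in a docstring, which the new function lacks, along with what the weights 10/5/2 and the divisor 30 mean (the divisor alone controls how fast the score collapses, so it deserves a named module-level constant rather than a literal). Also, `pow(math.e, loss_score / 30)` raises `OverflowError` once `loss_score / 30` exceeds roughly 709, i.e. a few thousand findings, instead of returning 0; clamp the exponent or catch the error. The `min(normalize_reverse, 1)` clamp correctly covers the negative-loss case where secure checks outweigh findings.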