From 74306539b4ba86c82061b1826aca6365fff4bdfb Mon Sep 17 00:00:00 2001
From: "Ajin.Abraham"
Date: Sat, 16 Dec 2023 15:59:36 -0800
Subject: [PATCH] Fixes #2287
---
 .../StaticAnalyzer/views/ios/code_analysis.py | 25 ++++++++++++++----
 .../views/ios/rules/swift_rules.yaml | 26 +++++++++----------
 2 files changed, 33 insertions(+), 18 deletions(-)
diff --git a/mobsf/StaticAnalyzer/views/ios/code_analysis.py b/mobsf/StaticAnalyzer/views/ios/code_analysis.py
index b50dd40a62..39de03388f 100755
--- a/mobsf/StaticAnalyzer/views/ios/code_analysis.py
+++ b/mobsf/StaticAnalyzer/views/ios/code_analysis.py
@@ -22,6 +22,19 @@ class _SourceType(Enum):
 nocode = 'No Code'
+def merge_findings(swift, objc):
+ code_analysis = {}
+ # Add all unique keys
+ for k in swift:
+ if k in objc:
+ swift[k]['files'].update(objc[k]['files'])
+ code_analysis[k] = swift[k]
+ for k in objc:
+ if k not in code_analysis:
+ code_analysis[k] = objc[k]
+ return code_analysis
+
+
 def ios_source_analysis(src):
 """IOS Objective-C and Swift Code Analysis."""
 try:
@@ -40,20 +53,22 @@ def ios_source_analysis(src):
 source_types = set()
 # Code and API Analysis
- code_findings = scan(
+ objc_findings = scan(
 objective_c_rules.as_posix(),
 {'.m'},
 [src],
 settings.SKIP_CLASS_PATH)
- if code_findings:
+ if objc_findings:
 source_types.add(_SourceType.objc)
- code_findings.update(scan(
+ swift_findings = scan(
 swift_rules.as_posix(),
 {'.swift'},
 [src],
- settings.SKIP_CLASS_PATH))
+ settings.SKIP_CLASS_PATH)
- if code_findings:
+ if swift_findings:
 source_types.add(_SourceType.swift)
+ code_findings = merge_findings(swift_findings, objc_findings)
+
 # API Analysis
 api_findings = scan(
 api_rules.as_posix(),
 {'.m', '.swift'},
diff --git a/mobsf/StaticAnalyzer/views/ios/rules/swift_rules.yaml b/mobsf/StaticAnalyzer/views/ios/rules/swift_rules.yaml
index 909908a1dc..7b46a82980 100644
--- a/mobsf/StaticAnalyzer/views/ios/rules/swift_rules.yaml
+++ b/mobsf/StaticAnalyzer/views/ios/rules/swift_rules.yaml
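Review bot: `merge_findings` resolves a rule id present in both inputs by calling `.update()` on `swift[k]['files']` and returning that same dict, so anything else carried by `objc[k]` (rule metadata, presumably) is silently discarded and the caller's `swift` argument is mutated in place — neither is stated anywhere, and the `# Add all unique keys` comment describes only the second loop. It also iterates both arguments unconditionally; `scan()` is outside this hunk, but if it can return `None` on an error path instead of `{}`, `for k in swift` raises `TypeError`, which `swift = swift or {}` and `objc = objc or {}` at the top of the function would avoid at no cost. A docstring along the lines of `"""Merge per-rule findings from the Swift and Objective-C scans; for ids in both, 'files' are merged into the Swift entry, which is the one kept."""` would make the precedence and the in-place update explicit.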
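Review bot: The `# Code and API Analysis` header now sits over only the two code scans, while API analysis keeps its own `# API Analysis` header just below; `# Code Analysis (Objective-C and Swift)` would match what follows it. Note also that `merge_findings(swift_findings, objc_findings)` mutates `swift_findings` in place, which is only harmless while `swift_findings` is not read again afterwards — `ios_source_analysis` continues past this hunk, so that cannot be confirmed from here.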
@@ -117,7 +117,7 @@
 type: Regex
 metadata:
 cvss: 7.5
- cwe: CWE-532
+ cwe: cwe-532
 masvs: storage-3
 owasp-mobile: ''
 ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x06i-Testing-Code-Quality-and-Build-Settings.md#finding-debugging-code-and-verbose-error-logging-mstg-code-4
@@ -131,7 +131,7 @@
 type: RegexOr
 metadata:
 cvss: 5.9
- cwe: CWE-327
+ cwe: cwe-327
 masvs: crypto-4
 owasp-mobile: m5
 ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
@@ -144,7 +144,7 @@
 type: RegexOr
 metadata:
 cvss: 5.9
- cwe: CWE-327
+ cwe: cwe-327
 masvs: crypto-4
 owasp-mobile: m5
 ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
@@ -157,7 +157,7 @@
 type: RegexOr
 metadata:
 cvss: 5.9
- cwe: CWE-327
+ cwe: cwe-327
 masvs: crypto-4
 owasp-mobile: m5
 ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
@@ -171,7 +171,7 @@
 type: RegexOr
 metadata:
 cvss: 5.9
- cwe: CWE-327
+ cwe: cwe-327
 masvs: crypto-4
 owasp-mobile: m5
 ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
@@ -185,7 +185,7 @@
 type: RegexOr
 metadata:
 cvss: 5.9
- cwe: CWE-327
+ cwe: cwe-327
 masvs: crypto-4
 owasp-mobile: m5
 ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
@@ -344,7 +344,7 @@
 type: Regex
 metadata:
 cvss: 4.3
- cwe: CWE-311
+ cwe: cwe-311
 masvs: storage-1
 owasp-mobile: m2
 ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x06d-Testing-Data-Storage.md#ios-data-storage
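Review bot: Lowercasing `cwe:` here (and in the hunks at `@@ -131` through `@@ -344` and `@@ -410` through `@@ -517`) only has an effect if the code that reads this field matches it case-sensitively, and that code is not touched by this commit. If that is the reason for the change, normalizing with `.lower()` at the lookup would be more robust than relying on every rule file being hand-edited, since any entry left as `CWE-…` in this file or in the Objective-C rule file would silently lose its mapping. Only `swift_rules.yaml` is changed in this commit, so whether the Objective-C rules need the same treatment is worth checking.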
@@ -410,7 +410,7 @@
 type: RegexOr
 metadata:
 cvss: 0
- cwe: CWE-295
+ cwe: cwe-295
 masvs: network-4
 owasp-mobile: m3
 ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
@@ -422,7 +422,7 @@
 type: Regex
 metadata:
 cvss: 0
- cwe: CWE-311
+ cwe: cwe-311
 masvs: storage-14
 owasp-mobile: m2
 ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x06d-Testing-Data-Storage.md#realm-databases
@@ -436,7 +436,7 @@
 type: RegexAnd
 metadata:
 cvss: 0
- cwe: CWE-311
+ cwe: cwe-311
 masvs: storage-14
 owasp-mobile: m2
 ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x06d-Testing-Data-Storage.md#coredata
@@ -450,7 +450,7 @@
 type: RegexAnd
 metadata:
 cvss: 0
- cwe: CWE-311
+ cwe: cwe-311
 masvs: storage-14
 owasp-mobile: m2
 ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x06d-Testing-Data-Storage.md#realm-databases
@@ -475,7 +475,7 @@
 type: Regex
 metadata:
 cvss: 0
- cwe: CWE-939
+ cwe: cwe-939
 masvs: platform-3
 owasp-mobile: m1
 - id: ios_sensitive_backup
@@ -517,7 +517,7 @@
 type: RegexAndOr
 metadata:
 cvss: 7.5
- cwe: CWE-757
+ cwe: cwe-757
 masvs: network-2
 owasp-mobile: m3
 ref: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04f-Testing-Network-Communication.md#verifying-data-encryption-on-the-network-mstg-network-1-and-mstg-network-2