MASTG-DEMO-0025: Uses of Build.VERSION.SDK_INT with semgrep

Sample

The following sample uses the Build.VERSION.SDK_INT API to check the operating system version.

MastgTest.kt
package org.owasp.mastestapp

import android.content.Context

class MastgTest (private val context: Context){

    fun mastgTest(): String {
        val androidSdkVersion = getSystemSdkVersion()
        return "AndroidSdkVersion:$androidSdkVersion\n"
    }

    fun getSystemSdkVersion(): Int {
        return android.os.Build.VERSION.SDK_INT
    }
}

MastgTest_reversed.java
package org.owasp.mastestapp;

import android.content.Context;
import android.os.Build;
import kotlin.Metadata;
import kotlin.jvm.internal.Intrinsics;

/* compiled from: MastgTest.kt */
@Metadata(m69d1 = {"\u0000\u001e\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\b\n\u0000\n\u0002\u0010\u000e\n\u0000\b\u0007\u0018\u00002\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0006\u0010\u0005\u001a\u00020\u0006J\u0006\u0010\u0007\u001a\u00020\bR\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\t"}, m70d2 = {"Lorg/owasp/mastestapp/MastgTest;", "", "context", "Landroid/content/Context;", "(Landroid/content/Context;)V", "getSystemSdkVersion", "", "mastgTest", "", "app_debug"}, m71k = 1, m72mv = {1, 9, 0}, m74xi = 48)
/* loaded from: classes4.dex */
public final class MastgTest {
    public static final int $stable = 8;
    private final Context context;

    public MastgTest(Context context) {
        Intrinsics.checkNotNullParameter(context, "context");
        this.context = context;
    }

    public final String mastgTest() {
        int androidSdkVersion = getSystemSdkVersion();
        return "AndroidSdkVersion:" + androidSdkVersion + '\n';
    }

    public final int getSystemSdkVersion() {
        return Build.VERSION.SDK_INT;
    }
}

Steps

Let's run semgrep rules against the sample code.

../../../../rules/mastg-android-sdk-version.yml
rules:
  - id: mastg-android-sdk-version
    languages:
      - java
    severity: WARNING
    metadata:
      summary: This rule scans for API that checks the version of the operating system
    message: "[MASVS-PLATFORM] Make sure to verify that your app runs on a device with an up-to-date OS version to make sure it satisfy your security requirements"
    patterns:
      - pattern: Build.VERSION.SDK_INT

run.sh
NO_COLOR=true semgrep -c ../../../../rules/mastg-android-sdk-version.yml ./MastgTest_reversed.java --text -o output.txt

Observation

The output file shows usages of the API that verifies the operating system version.

output.txt
┌────────────────┐
 1 Code Finding 
└────────────────┘

    MastgTest_reversed.java
    ❯❱ rules.mastg-android-sdk-version
          [MASVS-PLATFORM] Make sure to verify that your app runs on a device with an up-to-date OS
          version to make sure it satisfy your security requirements                               

           26 return Build.VERSION.SDK_INT;

Evaluation

The test passes because the output shows references to the SDK version check API.
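
A finding from this rule shows only that the API is referenced; in the sample above the value is returned and displayed, never compared against a minimum. The following added example (not part of the MASTG demo; the sample source, the `triage` helper and the thresholds are constructed for illustration) separates bare reads from comparisons so a reviewer can see which findings may implement an actual version check:

```python
import re

# Constructed sample: the decompiled getter from the demo plus two
# hypothetical methods that actually compare the value (assumptions).
SAMPLE_JAVA = '''\
public final int getSystemSdkVersion() {
    return Build.VERSION.SDK_INT;
}

public final boolean isOsSupported() {
    return Build.VERSION.SDK_INT >= 33;
}

public final void run() {
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.Q) {
        finish();
    }
}
'''

SDK = r"Build\.VERSION\.SDK_INT"
OP = r"(>=|<=|==|!=|>|<)"
# Decompilers often inline VERSION_CODES constants, so accept both forms.
BOUND = r"(\d+|Build\.VERSION_CODES\.\w+)"
SDK_FIRST = re.compile(rf"{SDK}\s*{OP}\s*{BOUND}")
SDK_LAST = re.compile(rf"{BOUND}\s*{OP}\s*{SDK}")


def triage(source):
    """Return (line_no, kind, detail) for each line that references SDK_INT."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        if not re.search(SDK, line):
            continue
        if m := SDK_FIRST.search(line):
            findings.append((line_no, "comparison", f"SDK_INT {m[1]} {m[2]}"))
        elif m := SDK_LAST.search(line):
            findings.append((line_no, "comparison", f"{m[1]} {m[2]} SDK_INT"))
        else:
            # Value is read but not compared on this line (e.g. returned/logged).
            findings.append((line_no, "read-only", line.strip()))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_JAVA):
        print(finding)
```

A value that is first stored in a variable and compared later is reported as read-only, so read-only lines still need a manual look at where the value flows.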