android-archives-watchdog's Issues

Enhancement : improved troubleshooting with verbose executions

It would be nice to have a --debug flag that allows this automation to output all meaningful information related to the processing, especially everything related to analyzing Android archives, e.g.

$> aaw compare -a my.apk -b my.product.android.toml --verbose

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Repository problems

These problems occurred while renovating this repository. View logs.

  • WARN: File contents are invalid JSON but parse using JSON5. Support for this will be removed in a future release so please change to a support .json5 file name or ensure correct JSON syntax.

This repository currently has no open or pending branches.

Detected dependencies

github-actions
.github/workflows/ci.yaml
  • actions/checkout v4.1.6
  • actions/checkout v4.1.6
  • actions/setup-java v4.2.1
  • gradle/actions v3.3.2
  • gradle/actions v3.3.2
  • actions/upload-artifact v4.3.3
  • actions/checkout v4.1.6
  • actions/setup-java v4.2.1
  • actions/download-artifact v4.1.7
  • actions/checkout v4.1.6
  • actions/upload-artifact v4.3.3
  • ubuntu 22.04
  • ubuntu 22.04
  • ubuntu 22.04
  • ubuntu 22.04
.github/workflows/publish.yaml
  • actions/checkout v4.1.6
  • actions/setup-java v4.2.1
  • softprops/action-gh-release v2.0.5
  • ubuntu 22.04
gradle
gradle.properties
settings.gradle.kts
  • org.gradle.toolchains.foojay-resolver-convention 0.8.0
  • com.gradle.develocity 3.17.4
build.gradle.kts
gradle/libs.versions.toml
  • com.github.ajalt.clikt:clikt 4.4.0
  • com.github.ajalt.mordant:mordant 2.6.0
  • io.arrow-kt:arrow-core 1.2.4
  • com.android.tools:sdklib 31.4.0
  • com.android.tools.apkparser:apkanalyzer 31.4.0
  • com.android.tools.apkparser:binary-resources 31.4.0
  • com.android.tools:repository 31.4.0
  • com.android.tools:sdk-common 31.4.0
  • com.android.tools:common 31.4.0
  • com.android.tools.build:bundletool 1.16.0
  • org.jetbrains.kotlinx:kotlinx-serialization-core 1.6.3
  • org.jetbrains.kotlinx:kotlinx-serialization-core-jvm 1.6.3
  • org.jetbrains.kotlinx:kotlinx-serialization-json 1.6.3
  • net.peanuuutz.tomlkt:tomlkt 0.3.7
  • junit:junit 4.13.2
  • com.google.guava:guava 33.2.0-jre
  • com.google.truth:truth 1.4.2
  • org.jetbrains.kotlin.jvm 1.9.24
  • org.jetbrains.kotlin.plugin.serialization 1.9.24
  • io.gitlab.arturbosch.detekt 1.23.6
  • org.jlleitschuh.gradle.ktlint 12.1.1
  • com.github.johnrengelman.shadow 8.1.1
  • com.adarshr.test-logger 4.0.0

Feature : support Android AppBundles

Right now, this tool only supports artifacts packaged in the apk format. In order to support the aab format we can take advantage of bundletool, either as a standalone binary or as a dependency.

Feature : evaluate what is inside a releasable artifact

Provide a CLI to extract from an .apk or an .aab, so we can list:

  • Android permissions used by the app
  • Java packages composing the app
  • Minimum and target Android SDK
  • etc.

$> arw overview --target=path/to/myapp.aab

We'd like to also generate a configuration file arw.toml as long as we can have information about what's inside a releasable:

$> arw generate --target=path/to/myapp.aab

Project basics

  • Simple Gradle project for CLI app
  • Must use the latest version of Gradle
  • Must use the latest version of Kotlin
  • Must use Gradle Version Catalogs
  • Must use ktlint + detekt with standard setup
  • Must have a simple unit test (junit4 + truth)
  • Must have a simple GHA Workflow (with gradle-build-action)
  • Must have configuration for Renovate
  • Must have configuration for jEnv and/or JVM toolchains

Enhancement : support package patterns on baselines

Rather than listing and dumping everything we find inside an artifact, we'd like to trust a few package patterns in order to simplify the baseline with sensitive components to keep on track.

An example of such an extension:

applicationId = "com.my.product.android"
trustedPackages = [
  "com.android.*",
  "com.my.company.*"
]

# More configuration ....

Enhancement : provide custom signing key when processing AppBundles

Right now, the approach of converting .aab to a universal .apk with bundletool has a few issues related to apk signing, which generates non-trivial CLI output as part of the execution.

For instance, the default debug.keystore may not be available in the CI environment at runtime, which generates:

WARNING: The APKs won't be signed and thus not installable unless you also pass a keystore via the flag --ks.
See the command help for more information.

In addition, when available, bundletool will also pollute the output with a log:

INFO: The APKs will be signed with the debug keystore found at '<path/to/home>/.android/debug.keystore'.

Eventually both issues can be tackled by supplying a custom signing key to bundletool.

Feature : compare a releasable artifact with a baseline

We want a CLI interface like

$> arw --apk path/to/some/app.apk --baseline path/to/arw.toml

which will

  • evaluate information from a releasable artifact (as per #2)
  • compare it with the baseline defined by a .toml file
  • point out critical differences (like new permissions requests or new packages being added)

Open questions

  • what should we do when we detect changes that actually improve security (e.g., the app now requests fewer Android permissions)?

Enhancement: additional output formats when comparing archives with baselines

Right now, compare will output differences between archives and baselines only to stdout and in plain text.

However, it'd be useful to have different (structured) formats, e.g. JSON, so the output can be post-processed afterward. That would enable enriched PR decoration, for example. On GitHub Actions:

aaw compare -a app/build/output/release/my.apk -b my.org.product.toml --json > comparison.json

# Convert with tools like https://github.com/haltcase/tablemark-cli or in bash with jq
markdown=$(convert_to_markdown comparison.json)

gh pr comment ${{ github.event.pull_request.number }} --body "$markdown" --edit-last

In addition, we could output markdown directly.
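A minimal implementation of the baseline comparison sketched across the trusted-packages, compare and output-format issues above, as an added example that is not the android-archives-watchdog project's own code. It assumes the baseline has already been parsed from arw.toml into a dict with applicationId, permissions and trustedPackages keys (the permissions key and the glob semantics of trustedPackages are assumptions), and that an overview step has already extracted the artifact's permissions and Java packages; the constructed sample data below stands in for both.

```python
import fnmatch

# Constructed baseline, the parsed form of an arw.toml as sketched in the issues
# (key names are assumptions; "permissions" is not in the original sketch).
BASELINE = {
    "applicationId": "com.my.product.android",
    "permissions": ["android.permission.INTERNET"],
    "trustedPackages": ["com.android.*", "com.my.company.*"],
}

# Constructed artifact overview, standing in for what an `overview` step would extract.
ARTIFACT = {
    "applicationId": "com.my.product.android",
    "permissions": ["android.permission.INTERNET", "android.permission.READ_CONTACTS"],
    "packages": ["com.my.company.app", "com.android.support", "com.thirdparty.sdk"],
}


def is_trusted(package, patterns):
    """Glob match: 'com.android.*' covers com.android.support but not com.androidx.core."""
    return any(fnmatch.fnmatchcase(package, pat) for pat in patterns)


def compare(artifact, baseline):
    """Diff an artifact overview against the baseline; 'critical' marks drift a reviewer must act on."""
    base_perms = set(baseline.get("permissions", []))
    perms = set(artifact["permissions"])
    trusted = baseline.get("trustedPackages", [])
    result = {
        "applicationId": artifact["applicationId"],
        "applicationIdMatches": artifact["applicationId"] == baseline.get("applicationId"),
        "newPermissions": sorted(perms - base_perms),
        # Dropped permissions shrink the attack surface: reported, but not critical.
        "removedPermissions": sorted(base_perms - perms),
        "untrustedPackages": sorted(p for p in artifact["packages"] if not is_trusted(p, trusted)),
    }
    result["critical"] = (not result["applicationIdMatches"]
                          or bool(result["newPermissions"])
                          or bool(result["untrustedPackages"]))
    return result


def to_markdown(result):
    """Markdown rendering for PR decoration (the `gh pr comment --body` step); JSON is just json.dumps(result)."""
    status = "CRITICAL" if result["critical"] else "ok"
    lines = [f"### aaw compare: {result['applicationId']} ({status})"]
    for key in ("newPermissions", "removedPermissions", "untrustedPackages"):
        lines.extend(f"- {key}: `{item}`" for item in result[key])
    return "\n".join(lines)
```

Removed permissions are listed but do not make the result critical, which is one answer to the open question above; a mismatched applicationId or any package outside the trusted patterns always does.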