V2 #716

besendorf · 2025-11-07T16:21:33Z

No description provided.

Adding support to automatically run ADB backup and bugreport modules automatically when running the check-androidqf command. This is a first step to deduplicate the code for Android modules.

This commit makes a structural change to MVT by changing binary detected/not detected logic into a structured multi-level system of alerts. This gives far more power to extend MVT and manage alerts. This commit also begins the process of adding proper typing for key objects used in MVT including Indicators, IndicatorMatches, and ModuleResults. This will also be keep to programmatically using the output of MVT.

Resolved conflicts: - pyproject.toml: Used v2 pinned dependency versions - Removed cmd_check_adb.py (deleted in refactor branch) - Updated all command files to include disable_version_check and disable_indicator_check flags - Adopted new AlertStore system from refactor branch - Updated version to 3.0.0 - Kept VirusTotal functionality commented out - Consolidated imports and module lists - Adopted refactor branch's simplified JSON loading - Updated iOS modules to use new alertstore approach

- Add log_latest() call in root_binaries to log each alert - Fix UnboundLocalError in cmd_check_androidqf by initializing bugreport variable - Remove incorrect backup.close() call since load_backup() returns bytes - Remove duplicate from_ab method in cmd_check_backup that was using old attributes

github-actions · 2025-11-07T16:22:16Z

Coverage Report

File	Stmts	Miss	Cover	Missing
src/mvt/android
cli.py	115	23	80%	53, 73–76, 87, 98, 135–136, 195–196, 257–258, 285–294, 302–303
cmd_check_androidqf.py	110	31	72%	74, 84–87, 91–92, 95, 104–105, 109–118, 127, 130–131, 140, 152–165, 168, 173–177
cmd_check_backup.py	70	17	76%	71–72, 78–79, 85–88, 105–118, 122
cmd_check_bugreport.py	45	8	82%	81–84, 88, 91, 97, 103
utils.py	16	5	69%	11–19
src/mvt/android/artifacts
dumpsys_accessibility.py	29	1	97%	14
dumpsys_adb.py	92	13	86%	50–51, 91, 99–101, 113–115, 141–142, 148–151
dumpsys_appops.py	103	11	89%	27, 74–80, 117–118, 155, 171–173, 179
dumpsys_battery_daily.py	42	4	90%	19, 29, 45–46
dumpsys_battery_history.py	47	7	85%	16, 48–56
dumpsys_dbinfo.py	41	6	85%	18, 61–66
dumpsys_package_activities.py	39	4	90%	12, 65, 71–72
dumpsys_packages.py	122	5	96%	20–26, 164, 171
dumpsys_platform_compat.py	21	2	90%	16, 32
dumpsys_receivers.py	56	9	84%	24, 29, 34, 39, 45, 51, 101, 107–108
file_timestamps.py	18	1	94%	32
getprop.py	36	5	86%	40, 53, 59, 62–63
mounts.py	68	28	59%	53, 79–80, 84, 113–118, 129–165, 180–192
processes.py	32	8	75%	20, 24–25, 31, 55, 59, 63–66
tombstone_crashes.py	148	14	91%	98–101, 104–111, 167–168, 194, 234–235, 275
src/mvt/android/modules/adb
__init__.py	13	13	0%	6–19
chrome_history.py	38	38	0%	6–117
dumpsys_full.py	17	17	0%	6–46
files.py	74	74	0%	6–160
getprop.py	15	15	0%	6–44
logcat.py	22	22	0%	6–58
packages.py	121	121	0%	6–311
processes.py	14	14	0%	6–43
root_binaries.py	25	25	0%	6–75
selinux_status.py	18	18	0%	6–49
settings.py	26	26	0%	6–59
sms.py	80	80	0%	6–186
whatsapp.py	55	55	0%	6–121
src/mvt/android/modules/androidqf
aqf_files.py	79	23	71%	12–13, 83, 92–96, 100, 104–110, 115–117, 125, 134–139
aqf_log_timestamps.py	25	25	0%	6–63
aqf_packages.py	60	9	85%	47–53, 78, 83–88, 91–96, 117
aqf_settings.py	25	2	92%	52–53
base.py	44	2	95%	74–75
mounts.py	29	15	48%	51–74
root_binaries.py	44	6	86%	76–78, 81–82, 101
sms.py	50	13	74%	54, 58, 65–66, 82–87, 90, 94–100, 105–106
src/mvt/android/modules/backup
base.py	35	3	91%	61–62, 67
helpers.py	22	1	95%	27
sms.py	35	4	89%	41, 45, 49–52
src/mvt/android/modules/bugreport
base.py	58	18	69%	47–48, 53–54, 61–66, 70, 85–92, 96–97
dumpsys_accessibility.py	18	3	83%	39–43, 52
dumpsys_activities.py	17	2	88%	43–47
dumpsys_adb_state.py	17	3	82%	39–43, 52
dumpsys_appops.py	16	2	88%	39–43
dumpsys_battery_daily.py	16	2	88%	39–43
dumpsys_battery_history.py	16	2	88%	39–43
dumpsys_dbinfo.py	17	2	88%	41–45
dumpsys_getprop.py	27	7	74%	41–45, 52–53, 58–61
dumpsys_packages.py	25	3	88%	40–44, 57
dumpsys_platform_compat.py	17	2	88%	39–43
dumpsys_receivers.py	17	2	88%	41–45
tombstones.py	25	5	80%	40–44, 53, 58–60
src/mvt/android/parsers
backup.py	110	9	92%	62, 102–103, 109, 129, 132, 175, 190–191
src/mvt/common
alerts.py	103	21	80%	55, 65–69, 180, 205–212, 215–236
cmd_check_iocs.py	41	32	22%	30–44, 47–92
command.py	178	57	68%	84–90, 96–114, 122–128, 138–144, 150–151, 157–185, 191–195, 198–200, 206, 268, 273, 290, 294–295
indicators.py	313	61	81%	54–56, 69–75, 154, 166, 172, 178, 184, 206, 220–225, 308, 320, 332, 374–377, 414–432, 455, 465, 482, 501, 513, 529–537, 548, 569, 591, 600–601, 619, 641–651, 662, 665, 689, 732, 747
log.py	49	2	96%	64–65
logo.py	42	35	17%	18–83, 89–96
module.py	121	36	70%	83–88, 105–131, 173, 182, 187, 197, 216–217, 233–234, 250–264
options.py	13	3	77%	27–33
updates.py	160	134	16%	27–38, 43–56, 61–69, 72–74, 81–89, 92–94, 97–114, 117–137, 140–178, 185–219, 226–236, 239–269
url.py	25	6	76%	327, 366, 372–376
utils.py	108	37	66%	49–51, 64, 96–97, 111, 125–126, 165–182, 197–198, 211–212, 219–228, 242, 252, 260
src/mvt/ios
cli.py	151	68	55%	62, 82–85, 96, 125–169, 188–211, 254–255, 285–307, 327–342, 350–351
cmd_check_fs.py	14	4	71%	33–48, 51
decrypt.py	114	92	19%	33–36, 39, 48–56, 61–64, 73–123, 131–181, 192–221, 227–231, 244–255
versions.py	32	3	91%	21, 30, 48
src/mvt/ios/modules
base.py	91	23	75%	55, 65, 72–97, 115, 123, 130, 138–139, 158–161, 196–197
net_base.py	126	49	61%	73–75, 105–106, 187–245, 260–273, 290, 336–337, 345–346, 350
src/mvt/ios/modules/backup
backup_info.py	30	2	93%	44, 80
configuration_profiles.py	70	48	31%	48–53, 63, 66–93, 108–183
manifest.py	83	7	92%	64, 71, 119–120, 130, 176–177
profile_events.py	54	34	37%	49, 60–64, 67, 70–79, 83–109, 115–122
src/mvt/ios/modules/fs
analytics.py	67	51	24%	39, 49, 57–82, 87–144, 147–150, 153–159
analytics_ios_versions.py	37	26	30%	35, 45, 53–91
cache_files.py	47	35	26%	29, 39–50, 53–68, 71–86, 98–105
filesystem.py	43	8	81%	57, 61–62, 66, 82–83, 94–95
net_netusage.py	19	10	47%	35, 45–58
safari_favicon.py	38	26	32%	36, 46, 55–65, 68–120, 123–129
shutdownlog.py	66	54	18%	35, 45, 54–75, 78–133, 136–139
version_history.py	21	9	57%	37, 47, 55–70
webkit_base.py	23	17	26%	17–25, 28–39
webkit_indexeddb.py	14	4	71%	39, 49, 58–59
webkit_localstorage.py	13	4	69%	37, 47, 56–57
webkit_safariviewservice.py	11	3	73%	33, 43–44
src/mvt/ios/modules/mixed
applications.py	72	42	42%	52–59, 63–104, 115–123, 129–134, 144–156, 162, 164–166
calendar.py	50	2	96%	82–88
calls.py	23	10	57%	42, 54–83
chrome_favicon.py	37	23	38%	47, 55–66, 72–110
chrome_history.py	31	17	45%	49, 59–66, 72–107
contacts.py	29	17	41%	46–76
firefox_favicon.py	33	19	42%	48, 57–67, 73–111
firefox_history.py	31	17	45%	52, 60–67, 73–106
global_preferences.py	27	2	93%	47–48
idstatuscache.py	56	38	32%	51, 60–75, 83–113, 118–128
interactionc.py	56	40	29%	256–280, 286–325
locationd.py	85	66	22%	63–75, 78–150, 153–172, 177–189
osanalytics_addaily.py	32	17	47%	50, 61–68, 75–103
safari_browserstate.py	77	30	61%	75, 78–82, 105–117, 124–144, 179, 185–192
safari_history.py	71	44	38%	53, 64–103, 114, 117–120, 123–158, 170–178
shortcuts.py	68	50	26%	52–60, 76–83, 89–158
sms.py	71	14	80%	79–85, 94, 118–135, 148, 162
sms_attachments.py	45	26	42%	49, 62–77, 105–136
tcc.py	83	31	63%	73, 90, 114–134, 149–152, 172–214
webkit_resource_load_statistics.py	53	11	79%	71–73, 98–99, 133–140
webkit_session_resource_log.py	87	63	28%	57–67, 71, 74–116, 124–170, 177–194
whatsapp.py	52	38	27%	48–53, 61–68, 74–140
TOTAL	6508	2503	62%

Tests	Skipped	Failures	Errors	Time
111	1 💤	0 ❌	0 🔥	7.345s ⏱️

github-actions · 2025-11-07T16:22:16Z

Coverage Report

File	Stmts	Miss	Cover	Missing
src/mvt/android
cli.py	115	23	80%	53, 73–76, 87, 98, 135–136, 195–196, 257–258, 285–294, 302–303
cmd_check_androidqf.py	110	31	72%	74, 84–87, 91–92, 95, 104–105, 109–118, 127, 130–131, 140, 152–165, 168, 173–177
cmd_check_backup.py	70	17	76%	71–72, 78–79, 85–88, 105–118, 122
cmd_check_bugreport.py	45	8	82%	81–84, 88, 91, 97, 103
utils.py	16	5	69%	11–20
src/mvt/android/artifacts
dumpsys_accessibility.py	30	1	97%	14
dumpsys_adb.py	92	13	86%	50–51, 91, 99–101, 113–115, 141–142, 148–151
dumpsys_appops.py	103	11	89%	27, 76–82, 120–121, 158, 174–176, 182
dumpsys_battery_daily.py	42	4	90%	17, 27, 42–43
dumpsys_battery_history.py	48	7	85%	16, 47–55
dumpsys_dbinfo.py	42	6	86%	18, 62–67
dumpsys_package_activities.py	40	4	90%	12, 66, 72–73
dumpsys_packages.py	123	5	96%	20–27, 164, 171
dumpsys_platform_compat.py	22	2	91%	16, 31
dumpsys_receivers.py	57	9	84%	24, 29, 34, 39, 45, 51, 99, 105–106
file_timestamps.py	18	1	94%	32
getprop.py	37	5	86%	40, 53, 59, 62–63
mounts.py	70	30	57%	53, 79–80, 84, 113–118, 129–168, 183–197
processes.py	34	9	74%	20, 24–25, 31, 55, 59, 63–65
tombstone_crashes.py	149	15	90%	98–100, 103–110, 167–168, 194, 234–235, 275
src/mvt/android/modules/adb
__init__.py	13	13	0%	6–19
chrome_history.py	39	39	0%	6–116
dumpsys_full.py	17	17	0%	6–46
files.py	73	73	0%	6–156
getprop.py	15	15	0%	6–44
logcat.py	22	22	0%	6–58
packages.py	123	123	0%	6–311
processes.py	14	14	0%	6–43
root_binaries.py	26	26	0%	6–71
selinux_status.py	18	18	0%	6–49
settings.py	26	26	0%	6–59
sms.py	81	81	0%	6–187
whatsapp.py	54	54	0%	6–118
src/mvt/android/modules/androidqf
aqf_files.py	81	25	69%	12–13, 83, 92–95, 99, 103–109, 114–117, 123, 132–137
aqf_log_timestamps.py	25	25	0%	6–63
aqf_packages.py	63	9	86%	47–54, 82, 87–93, 96–102, 123
aqf_settings.py	25	2	92%	52–53
base.py	44	2	95%	74–75
mounts.py	29	15	48%	51–74
root_binaries.py	44	6	86%	77–79, 82–83, 102
sms.py	51	14	73%	54, 58–59, 66–67, 83–88, 91, 95–101, 106–107
src/mvt/android/modules/backup
base.py	35	3	91%	61–62, 67
helpers.py	22	1	95%	27
sms.py	36	5	86%	41, 45, 49–53
src/mvt/android/modules/bugreport
base.py	58	18	69%	47–48, 53–54, 61–66, 70, 85–92, 96–97
dumpsys_accessibility.py	18	3	83%	39–43, 52
dumpsys_activities.py	17	2	88%	43–47
dumpsys_adb_state.py	17	3	82%	39–43, 52
dumpsys_appops.py	16	2	88%	39–43
dumpsys_battery_daily.py	16	2	88%	39–43
dumpsys_battery_history.py	16	2	88%	39–43
dumpsys_dbinfo.py	17	2	88%	41–45
dumpsys_getprop.py	27	7	74%	41–45, 52–53, 58–61
dumpsys_packages.py	25	3	88%	40–44, 57
dumpsys_platform_compat.py	17	2	88%	39–43
dumpsys_receivers.py	17	2	88%	41–45
tombstones.py	25	5	80%	40–44, 53, 58–60
src/mvt/android/parsers
backup.py	110	9	92%	62, 102–103, 109, 129, 132, 175, 190–191
src/mvt/common
alerts.py	82	18	78%	115, 118, 143–150, 153–174
cmd_check_iocs.py	41	32	22%	30–44, 47–92
command.py	178	57	68%	84–90, 96–114, 122–128, 138–144, 150–151, 157–185, 191–195, 198–200, 206, 268, 273, 290, 294–295
indicators.py	313	61	81%	54–56, 69–75, 154, 166, 172, 178, 184, 206, 220–225, 308, 320, 332, 374–377, 414–432, 455, 465, 482, 501, 513, 529–537, 548, 569, 591, 600–601, 619, 641–651, 662, 665, 689, 732, 747
log.py	49	2	96%	64–65
logo.py	42	35	17%	18–83, 89–96
module.py	122	36	70%	84–89, 106–132, 183, 192, 197, 207, 226–227, 243–244, 260–274
options.py	13	3	77%	27–33
updates.py	160	134	16%	27–38, 43–56, 61–69, 72–74, 81–89, 92–94, 97–114, 117–137, 140–178, 185–219, 226–236, 239–269
url.py	25	6	76%	327, 366, 372–376
utils.py	108	37	66%	49–51, 64, 96–97, 111, 125–126, 165–182, 197–198, 211–212, 219–228, 242, 252, 260
src/mvt/ios
cli.py	151	68	55%	62, 82–85, 96, 125–169, 188–211, 254–255, 285–307, 327–342, 350–351
cmd_check_fs.py	14	4	71%	33–48, 51
decrypt.py	114	92	19%	33–36, 39, 48–56, 61–64, 73–123, 131–181, 192–221, 227–231, 244–255
versions.py	32	3	91%	21, 30, 48
src/mvt/ios/modules
base.py	91	23	75%	55, 65, 72–97, 115, 123, 130, 138–139, 158–161, 196–197
net_base.py	126	49	61%	73–75, 105–106, 187–245, 260–273, 290, 336–337, 345–346, 350
src/mvt/ios/modules/backup
backup_info.py	30	2	93%	44, 80
configuration_profiles.py	70	48	31%	48–53, 63, 66–93, 108–183
manifest.py	83	7	92%	64, 71, 119–120, 130, 176–177
profile_events.py	54	34	37%	49, 60–64, 67, 70–79, 83–109, 115–122
src/mvt/ios/modules/fs
analytics.py	67	51	24%	39, 49, 57–82, 87–144, 147–150, 153–159
analytics_ios_versions.py	37	26	30%	35, 45, 53–91
cache_files.py	47	35	26%	29, 39–50, 53–68, 71–86, 98–105
filesystem.py	43	8	81%	57, 61–62, 66, 82–83, 94–95
net_netusage.py	19	10	47%	35, 45–58
safari_favicon.py	38	26	32%	36, 46, 55–65, 68–120, 123–129
shutdownlog.py	66	54	18%	35, 45, 54–75, 78–133, 136–139
version_history.py	21	9	57%	37, 47, 55–70
webkit_base.py	23	17	26%	17–25, 28–39
webkit_indexeddb.py	14	4	71%	39, 49, 58–59
webkit_localstorage.py	13	4	69%	37, 47, 56–57
webkit_safariviewservice.py	11	3	73%	33, 43–44
src/mvt/ios/modules/mixed
applications.py	72	42	42%	52–59, 63–104, 115–123, 129–134, 144–156, 162, 164–166
calendar.py	50	2	96%	82–88
calls.py	23	10	57%	42, 54–83
chrome_favicon.py	37	23	38%	47, 55–66, 72–110
chrome_history.py	31	17	45%	49, 59–66, 72–107
contacts.py	29	17	41%	46–76
firefox_favicon.py	33	19	42%	48, 57–67, 73–111
firefox_history.py	31	17	45%	52, 60–67, 73–106
global_preferences.py	28	3	89%	49–53
idstatuscache.py	56	38	32%	51, 60–75, 83–113, 118–128
interactionc.py	56	40	29%	256–280, 286–325
locationd.py	85	66	22%	63–75, 78–150, 153–172, 177–189
osanalytics_addaily.py	32	17	47%	50, 61–68, 75–103
safari_browserstate.py	77	30	61%	75, 78–82, 105–117, 124–144, 179, 185–192
safari_history.py	71	44	38%	53, 64–103, 114, 117–120, 123–158, 170–178
shortcuts.py	68	50	26%	52–60, 76–83, 89–158
sms.py	71	14	80%	79–85, 94, 118–135, 148, 162
sms_attachments.py	45	26	42%	49, 62–77, 105–136
tcc.py	84	31	63%	73, 90, 113–133, 148–151, 171–213
webkit_resource_load_statistics.py	53	11	79%	71–73, 98–99, 133–140
webkit_session_resource_log.py	87	63	28%	57–67, 71, 74–116, 124–170, 177–194
whatsapp.py	52	38	27%	48–53, 61–68, 74–140
TOTAL	6513	2512	61%

Tests	Skipped	Failures	Errors	Time
111	1 💤	0 ❌	0 🔥	7.477s ⏱️

DonnchaC and others added 16 commits February 10, 2025 19:28

Run bugreport and backup modules during check-androidqf

5d69635

Adding support to automatically run ADB backup and bugreport modules automatically when running the check-androidqf command. This is a first step to deduplicate the code for Android modules.

Deduplicate modules which are run by the sub-commands.

a08c24b

Raise the proper NoAndroidQFBackup exception when a back-up isn't found

4c1cdf5

Remove check-adb command and update docs

064b9fb

Remove check-apk code and old dependencies

6bac787

Fix up, remove ADB module base

ca0bc46

Rework old detections tracking into stuctured alert levels

2d54766

Quote STIX path in log line

70d646a

Fix profile events log line

05ad7d2

Close open archive (zip/tar) file handles

e9e6216

Fix root_binaries and mounts modules to use alertstore

af8c566

Update tests to use alertstore instead of detected attribute

301582d

Fix alertstore method calls - use high() instead of warning()

5b1f4df

besendorf added 7 commits November 7, 2025 18:07

Log alerts on add

d4b970c

Remove slug from alertstore calls

d259ab4

update alerts.py

b1f0a2d

update alerts.py

c6837a4

move indicator_match to alert object

cc7781e

.

6d1d499

- Remove timeline_detected and route to alertstore

801c464

besendorf requested a review from DonnchaC November 12, 2025 12:55

fix typing for mypy

c779009

besendorf mentioned this pull request Dec 20, 2025

Configure CI to automatically run MyPy type checks #545

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

V2 #716

V2 #716

Uh oh!

besendorf commented Nov 7, 2025

Uh oh!

github-actions bot commented Nov 7, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Nov 7, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

V2 #716

Are you sure you want to change the base?

V2 #716

Uh oh!

Conversation

besendorf commented Nov 7, 2025

Uh oh!

github-actions bot commented Nov 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Nov 7, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

github-actions bot commented Nov 7, 2025 •

edited

Loading