Fix root_binaries and mounts modules to use alertstore

src/mvt/android/artifacts/mounts.py

@@ -133,13 +133,18 @@ class Mounts(AndroidArtifact):
             if mount["is_system_partition"] and mount["is_read_write"]:
                 system_rw_mounts.append(mount)
                 if mount_point == "/system":
-                    self.log.warning(
-                        "Root detected /system partition is mounted as read-write (rw). "
+                    self.alertstore.warning(
+                        self.get_slug(),
+                        "Root detected /system partition is mounted as read-write (rw)",
+                        "",
+                        mount,
                     )
                 else:
-                    self.log.warning(
-                        "System partition %s is mounted as read-write (rw). This may indicate system modifications.",
-                        mount_point,
+                    self.alertstore.warning(
+                        self.get_slug(),
+                        f"System partition {mount_point} is mounted as read-write (rw). This may indicate system modifications.",
+                        "",
+                        mount,
                     )
 
             # Check for other suspicious mount options
@@ -151,10 +156,11 @@ class Mounts(AndroidArtifact):
                 ):
                     continue
                 suspicious_mounts.append(mount)
-                self.log.warning(
-                    "Suspicious mount options found for %s: %s",
-                    mount_point,
-                    ", ".join(suspicious_opts),
+                self.alertstore.warning(
+                    self.get_slug(),
+                    f"Suspicious mount options found for {mount_point}: {', '.join(suspicious_opts)}",
+                    "",
+                    mount,
                 )
 
             # Log interesting mount information
@@ -177,10 +183,20 @@ class Mounts(AndroidArtifact):
             ioc = self.indicators.check_file_path(mount.get("mount_point", ""))
             if ioc:
                 mount["matched_indicator"] = ioc
-                self.detected.append(mount)
+                self.alertstore.critical(
+                    self.get_slug(),
+                    f"Mount point matches indicator: {mount.get('mount_point', '')}",
+                    "",
+                    mount,
+                )
 
             # Check device paths for indicators
             ioc = self.indicators.check_file_path(mount.get("device", ""))
             if ioc:
                 mount["matched_indicator"] = ioc
-                self.detected.append(mount)
+                self.alertstore.critical(
+                    self.get_slug(),
+                    f"Device path matches indicator: {mount.get('device', '')}",
+                    "",
+                    mount,
+                )

src/mvt/android/modules/androidqf/root_binaries.py

@@ -46,17 +46,17 @@ class RootBinaries(AndroidQFModule):
 
         # All found root binaries are considered indicators of rooting
         for result in self.results:
-            self.log.warning(
-                'Found root binary "%s" at path "%s"',
-                result["binary_name"],
-                result["path"],
+            self.alertstore.warning(
+                self.get_slug(),
+                f'Found root binary "{result["binary_name"]}" at path "{result["path"]}"',
+                "",
+                result,
             )
-            self.detected.append(result)
 
-        if self.detected:
+        if self.results:
             self.log.warning(
                 "Device shows signs of rooting with %d root binaries found",
-                len(self.detected),
+                len(self.results),
             )
 
     def run(self) -> None: