False positive: "Implement permissions on this exported component" for the main Android activity

Product: SonarCloud

Latest version of SonarCloud requires to set permission on any exported component, even if it’s a main activity with intent-filter action android.intent.action.MAIN and category android.intent.category.LAUNCHER, and that looks odd. For example:


I think that’s a false positive, because such activity is intended to be launched by 3rd parties by design.

Yeah, thats definitely a false positiv!
All Activities with android.intent.action.VIEW in their intent-filter are intended to be launched from other applications without any special permissions. For example to allow app-links.

The Compliant Solution states that you have to define a (custom) permissions. But from the official Google documentation:

Creating a new permission is relatively uncommon for most applications, because the system-defined permissions cover many situations.