- What language is this for?
  XML / Android Project
- Which rule?
  xml:S5332 xml:S6358
- Why do you believe it's a false-positive/false-negative?
  SonarQube does not respect merged manifests. Although usesCleartextTraffic and allowBackup are correctly configured inside the main manifest, the scanner alerts about application tags inside submodules.
  This is an issue if you house e.g. activities inside application-tags in submodules.
- Are you using
  - SonarQube - which version? * Developer Edition Version 9.9.1
- How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)
```xml
<!-- Submodule manifest: application tag that only houses an activity -->
<application>
    <activity
        android:name=".feature.sample.MyActivity"
        android:configChanges="orientation|keyboardHidden"/>
</application>
```

```xml
<!-- Main manifest: usesCleartextTraffic and allowBackup are configured here -->
<application
    android:name=".App"
    android:icon="@mipmap/app_icon_android_launch"
    android:roundIcon="@mipmap/app_icon_android_launch"
    android:theme="@style/AppTheme"
    android:supportsRtl="true"
    android:label="@string/app_name"
    android:usesCleartextTraffic="false"
    android:networkSecurityConfig="@xml/network_security_config"
    android:allowBackup="false"
    android:fullBackupContent="false"
    android:dataExtractionRules="@xml/data_extraction_rules">
</application>
```

Are there any other solutions than:
- disabling the rule completely
- adding the config to all manifests
- marking the rule as safe manually for all manifests except main
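
Added example, not part of the original post and not SonarQube's or the Android build tools' code: a simplified Python model of manifest merging (main manifest attributes take precedence, submodules only contribute attributes the main manifest lacks) that evaluates the two attributes from the post per file and on the merged `<application>` element. The manifests are constructed samples modelled on the snippets above, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests modelled on the snippets in the post.
MAIN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:name=".App"
      android:usesCleartextTraffic="false"
      android:allowBackup="false"/>
</manifest>"""
SUBMODULE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".feature.sample.MyActivity"/>
  </application>
</manifest>"""

# Attributes discussed in the post, with the value treated as safe here.
REQUIRED = {"usesCleartextTraffic": "false", "allowBackup": "false"}


def application_attrs(manifest_xml):
    """Return the android:* attributes of the <application> element."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return {}
    return {k[len(ANDROID):]: v for k, v in app.attrib.items() if k.startswith(ANDROID)}


def merged_application_attrs(main_xml, library_xmls):
    """Simplified merge model (assumption): main wins, libraries fill gaps."""
    merged = dict(application_attrs(main_xml))
    conflicts = []  # (attribute, value kept, value from library)
    for lib in library_xmls:
        for name, value in application_attrs(lib).items():
            if name not in merged:
                merged[name] = value
            elif merged[name] != value:
                conflicts.append((name, merged[name], value))
    return merged, conflicts


def findings(attrs):
    """List required attributes that are missing or not set to the safe value."""
    return sorted(n for n, safe in REQUIRED.items() if attrs.get(n) != safe)


if __name__ == "__main__":
    merged, conflicts = merged_application_attrs(MAIN, [SUBMODULE])
    print("submodule alone:", findings(application_attrs(SUBMODULE)))
    print("merged:", findings(merged), "conflicts:", conflicts)
```

The real manifest merger reports conflicting attribute values as a build error unless they are explicitly overridden; this model only records them.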