False positive security hotspots due to merged manifests

  • What language is this for?
    XML / Android Project

  • Which rule?
    xml:S5332 xml:S6358

  • Why do you believe it’s a false-positive/false-negative?
    SonarQube does not respect merged manifests. Although usesCleartextTraffic and allowBackup are correctly configured inside the main manifest, the scanner alerts about application tags inside submodules.
    This is an issue if you house e.g. activities inside application tags in submodules.

  • Are you using SonarQube? Which version?
    Developer Edition Version 9.9.1
  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)

<!-- submodule (library) manifest: only declares its activity -->
<application>

        <activity
            android:name=".feature.sample.MyActivity"
            android:configChanges="orientation|keyboardHidden"/>

</application>

<!-- main (app) manifest: the security-relevant attributes are set here -->
<application
        android:name=".App"
        android:icon="@mipmap/app_icon_android_launch"
        android:roundIcon="@mipmap/app_icon_android_launch"
        android:theme="@style/AppTheme"
        android:supportsRtl="true"
        android:label="@string/app_name"
        android:usesCleartextTraffic="false"
        android:networkSecurityConfig="@xml/network_security_config"
        android:allowBackup="false"
        android:fullBackupContent="false"
        android:dataExtractionRules="@xml/data_extraction_rules">
</application>

Are there any other solutions than the following?

  • disabling the rule completely
  • adding the config to all manifests
  • marking the rule as safe manually for all manifests except main
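To make the false positive concrete, here is an added example (not part of this thread or of SonarQube) that models the situation in plain Python: a simplified manifest merge in which the app manifest's `<application>` attributes take priority and library-only attributes and children are carried over (an assumption about the Gradle merger, not its actual algorithm), plus a per-file check that flags a missing `usesCleartextTraffic="false"` or `allowBackup="false"` the way the question reports the rules behaving. The library manifest on its own is flagged; the merged result is clean.

```python
# Added example: simplified model of Android manifest merging, showing why a
# per-file check flags a library manifest although the merged manifest is fine.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS
ET.register_namespace("android", ANDROID_NS)

# Constructed sample manifests, modelled on the snippets in the question.
LIB_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".feature.sample.MyActivity"/>
  </application>
</manifest>"""

APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:name=".App"
      android:usesCleartextTraffic="false"
      android:allowBackup="false"/>
</manifest>"""


def hotspots(manifest_xml: str) -> list[str]:
    """Simplified per-file model of the two rules: S5332 when cleartext traffic is
    not explicitly disabled, S6358 when allowBackup is not explicitly false."""
    app = ET.fromstring(manifest_xml).find("application")
    found = []
    if app is None:
        return found
    if app.get(A + "usesCleartextTraffic") != "false":
        found.append("S5332")
    if app.get(A + "allowBackup") != "false":
        found.append("S6358")
    return found


def merge(app_xml: str, lib_xml: str) -> str:
    """Merge the library <application> into the app's (assumed, simplified semantics):
    app attributes win, library-only attributes and child elements are added."""
    app_root = ET.fromstring(app_xml)
    lib_node = ET.fromstring(lib_xml).find("application")
    app_node = app_root.find("application")
    for key, value in lib_node.attrib.items():
        app_node.attrib.setdefault(key, value)
    for child in lib_node:
        app_node.append(child)
    return ET.tostring(app_root, encoding="unicode")


if __name__ == "__main__":
    print("library alone:", hotspots(LIB_MANIFEST))                  # ['S5332', 'S6358']
    print("merged:", hotspots(merge(APP_MANIFEST, LIB_MANIFEST)))    # []
```

Running the same check over the merged manifest (rather than each module's file) is the comparison that shows the per-file hotspot is not a real exposure here.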

Hello @woodii,

Thanks for reaching out. Unfortunately, our XML analyzer does not go cross-file and can’t understand that the property is already configured.

This is exactly the reason we had it as a “Security Hotspot”. This means the developer can review it and discard issues if they are not relevant.

About the solution, I think you decide what works best for you. If it doesn’t bring any value, only noise, just disable it. If you think it’s still relevant, then mark issues as “Safe”.

On our side, we’ll take your feedback into consideration and will think about what we can do.

Best,
Margarita

