Handling false positive security flags for mobile script execution projects

Hello everyone,

I’ve been working on a project that involves analyzing code for mobile environments, and I’ve run into a bit of a hurdle with how SonarQube is flagging certain execution blocks. Specifically, I’m seeing a high volume of “Security Hotspot” alerts related to dynamic code loading and permission requests that are actually intentional for the project’s functionality.

I started noticing this while I was trying to optimize the performance of the download to see how it handles script injections on different API levels. When I run the analysis, Sonar is pointing out several vulnerabilities that seem like false positives given the nature of the application.

Does anyone have tips on how to better configure the quality gate or suppress specific rules for mobile-specific script environments without compromising the overall security of the codebase? I’m also curious if there are specific plugins or custom rules you’d recommend for projects that involve high-level script execution like this.

I’d love to hear how you guys manage these types of false positives in your own workflows.


Hi,

It’s not actually your Quality Gate you want to configure here.

First, though, let me clarify a point about Security Hotspots. Explicitly, they’re not (necessarily) Vulnerabilities. I like to call them Schrödinger’s Vulnerabilities: it might be a Vulnerability; it might not. You won’t know until you look. So the Security Hotspot is saying “Hey, you’re doing something here that might be dangerous, but you need to come look to judge it in context.”

Now on to turning down the noise. If you’ve got a particular project where this rule isn’t appropriate (for the entire project), then I suggest a custom Quality Profile (rule set) that excludes that rule.

However, if there are only certain segments of the project where the rule isn’t appropriate, then what you want is an exclusion.

HTH,
Ann
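As an added illustration of the "exclusion" route from the reply above (not configuration from the original thread or from SonarSource), here is a scanner-side `sonar-project.properties` fragment using SonarQube's issue-exclusion parameters to ignore one rule only under a specific path, while leaving the rule active everywhere else. The rule key `java:SXXXX` is a placeholder for the hotspot rule you actually want to silence, and the `scripting/` path is a constructed example; check the parameter names against the documentation for your SonarQube version.

```properties
# Project identity (constructed values for the example)
sonar.projectKey=mobile-script-runner
sonar.sources=app/src/main

# Ignore a specific rule on a specific subtree only.
# Each "eN" entry pairs one rule key with one file pattern; the rule
# still fires on every file outside that pattern.
sonar.issue.ignore.multicriteria=e1

# Placeholder: replace with the real key shown on the hotspot (e.g. language:Sxxxx)
sonar.issue.ignore.multicriteria.e1.ruleKey=java:SXXXX
# Constructed path: the package where dynamic code loading is intentional
sonar.issue.ignore.multicriteria.e1.resourceKey=**/scripting/**/*.java
```

Keep the scoped pattern as narrow as the intentional behaviour really is, so the same rule still surfaces dynamic loading or permission requests that appear elsewhere in the codebase.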