Kotlin intent broadcasting rule not triggering

Sonarqube version: Community Edition v9.9
Deployment: Self Hosted via zip

Product Used: Sonarqube Community Edition
Language Analysed: Kotlin
Rule affected: Broadcasting intents is security-sensitive (id: kotlin:S5320)

It's a false negative because the same issue has been reported by Google Play as a security issue, but SonarQube was unable to flag it since the above rule was not triggered.

Sample Code:

    val eventLogIntent = Intent()
    eventLogIntent.action = BobbleConstants.ACTION_LOG_EVENT
    eventLogIntent.putExtra("eventType", "campaign_web_view_keyboard_tap")
    eventLogIntent.putExtra("campaignId", mCampaignId)
    eventLogIntent.putExtra("campaignSource", mCampaignSource)
    sendBroadcast(eventLogIntent)
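For readers unfamiliar with what kotlin:S5320 is looking for, here is an added example (not the poster's code) showing the implicit broadcast shape the rule targets next to two restricted forms; the action and permission names are assumed, since BobbleConstants is not shown in the post.

```kotlin
import android.content.Context
import android.content.Intent

// Assumed names for this example; the original post's BobbleConstants is not shown.
private const val ACTION_LOG_EVENT = "com.example.action.LOG_EVENT"
private const val LOG_EVENT_PERMISSION = "com.example.permission.LOG_EVENT"

private fun buildEventLogIntent(campaignId: String, campaignSource: String): Intent =
    Intent(ACTION_LOG_EVENT).apply {
        putExtra("eventType", "campaign_web_view_keyboard_tap")
        putExtra("campaignId", campaignId)
        putExtra("campaignSource", campaignSource)
    }

// Security-sensitive: an implicit broadcast with no receiver permission and no
// target package. Any installed app whose receiver declares a matching intent
// filter can read the extras. This is the shape S5320 raises a Hotspot on.
fun Context.logEventUnrestricted(campaignId: String, campaignSource: String) {
    sendBroadcast(buildEventLogIntent(campaignId, campaignSource))
}

// Restricted option 1: only receivers holding the named permission get the
// broadcast. The permission is declared in the manifest; a signature-level
// protection limits it to apps signed with the same key.
fun Context.logEventWithPermission(campaignId: String, campaignSource: String) {
    sendBroadcast(buildEventLogIntent(campaignId, campaignSource), LOG_EVENT_PERMISSION)
}

// Restricted option 2: scope the intent to this app's own package, so receivers
// in other apps never match it.
fun Context.logEventInPackage(campaignId: String, campaignSource: String) {
    val intent = buildEventLogIntent(campaignId, campaignSource).setPackage(packageName)
    sendBroadcast(intent)
}
```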

Hi,

Welcome to the community and thanks for this report!

To be clear, you’re saying no Security Hotspot was raised on the code?

 
Ann

Hi Ann,

Sorry for delayed response.

Yes, no hotspot was raised for this code even though SonarQube has a rule for this!


Hi Ann,

Any update on this issue?

Hi,

I’ve flagged this for the experts.

 
Ann

Hello @Shubhdeep_Rajput,

Thanks for your message. In general, our Kotlin analyzer is reporting issues like this. However, there could be some reasons why you don’t see them and I need a bit more information to find it out:

  • I need to see a complete reproducer with imports, to understand the context. Are you inside a custom implementation of android.content.Context or anything else? For me it's not clear where the sendBroadcast function is coming from. If it's coming from android.content.Context or any of its children, it should be reported.

  • Do you see any other issues of the rule S5320? Is the Kotlin analyzer reporting anything at all?

  • Could you please make sure there were no exceptions in the log, or provide the full log of the analysis?

  • Have you changed the value of the properties sonar.java.binaries or sonar.java.libraries?

Regards,
Margarita

Hi @Margarita_Nedzelska

First of all, let me be clear: we have used SonarQube for one big project only, for now, and these answers are based on that analysis.

Multiple occurrences of sendBroadcast exist and this rule was not triggered on any of those.

We were trying Developer Edition and the Kotlin analyser didn't report one issue there but, as told by the SonarQube support team, that was because the Kotlin language does not have taint analysis support. Apart from that, none of the Kotlin issues are reported in the analysis and I am currently not aware of any other issue that exists in the codebase.

We have set value of sonar.java.binaries=.

sonar.log? If yes, no, there are no exceptions in it.

Didn’t exactly understand what you require!

Hi @Shubhdeep_Rajput,
Thanks for your reply.

I think the issue is happening because you've set the property sonar.java.binaries to ".". Could you, please, remove that property from your config and re-run the analysis?

Out of curiosity, why are you setting this property? It is extremely important for the analysis to not touch sonar.java.binaries and sonar.java.libraries unless it’s needed and you’re aware of the consequences.
Without proper values of these 2 properties (handled by the Gradle plugin, you don’t have to set them) it’s impossible for the analyzer to generate a proper semantic model, and most of the issues won’t be reported.

Best,
Margarita

Hi @Margarita_Nedzelska

Actually, while we were running the SonarQube analysis without this property set up, we were getting an "Invalid value for sonar.java.binaries" error and we had to set this up. Can you suggest the correct way?

Could you, please, remove the setting of that property to anything and analyze your project? Then you can share the logs with me and check whether the issue is still not reported.

Getting following error after removing the property:
ERROR: Error during SonarScanner execution

INFO: ------------------------------------------------------------------------

org.sonar.java.AnalysisException: Your project contains .java files, please provide compiled classes with sonar.java.binaries property, or exclude them from the analysis with sonar.exclusions property.

Hello @Shubhdeep_Rajput,
Sorry for the late reply, I was off last week. Could you, please, share your configuration of sonar and how you run the analysis?

Best,
Margarita

@Margarita_Nedzelska We use the SonarQube image in a GitLab CI/CD job and standard configurations are used. Could you please elaborate which configurations you would require?

Hello @Shubhdeep_Rajput,

Are you using Gradle as your build system? In the Gradle build file you have a sonarqube plugin. This plugin could have a configuration, so I need to look at it, and also a complete log, to investigate the issue.

@Margarita_Nedzelska We are not using the Gradle plugin. We are using the SonarQube Docker image and sonar-scanner-cli for the scan. I am attaching the job YAML below for your reference:

sonarqube-scan:
  stage: sonarqube
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
    GIT_DEPTH: "0"
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner
  allow_failure: true

Can't add the complete job logs, so I'm just adding the SonarScanner debug logs after running the scan with the -X flag:

sonarscanner-debug-log.txt (1.2 MB)

Okay, thanks for explaining, now I see your problem. I think there are 2 ways to solve it:

  • Use the Gradle scanner; it should set this property automatically, and in your script you can run the gradle sonarqube command.
  • Add the sonar.java.binaries property with proper values; most likely it should be something like build/classes.

Best,
Margarita

@Margarita_Nedzelska Thanks for the quick response. I will check this and reach out to you if this still exists.

Hi @Margarita_Nedzelska, I have checked the second option; it's still not flagging the issue. For the first one, since we have already set up the project with different configurations, is there a way to reset the project with Gradle settings without deleting the project?

Hi,
Could you please share the log of the analysis with Gradle?

As far as I know, if you analyze the same project and pass the same projectKey, it should be fine regardless of which scanner you're using. However, I need logs to understand what happened on your side.