Request to enhance Sonarqube scan detection to include Android security improvement campaign

sgbrt-ckkoh · September 29, 2024, 9:12am

We would like to request that SonarQube’s scanning capabilities be enhanced to detect security issues mentioned in the Android Security Improvement Program (as outlined at App security improvement program | Security | Android Developers).

We used the self-hosted SonarQube Developer Edition v10.3 to scan our mobile app’s source code for security vulnerabilities. Although our application passed the SonarQube scan with zero vulnerabilities detected, it failed to identify the WebView SSLHandler security issue flagged by the Android team.

Alexandre_Gigleux · February 17, 2025, 4:04pm

Thanks for your patience on this one.

We are restarting our effort on Kotlin security rules and we will look at your feedback to understand why this problem was not detected by SonarQube Developer Edition.

Topic		Replies	Views
The Java/Kotlin/XML analyzers detect misconfiguration security issues on Android applications Sonar Updates kotlin , xml , java , android	1	1137	October 26, 2021
Taint analysis comes to Android Sonar Updates java , android	0	677	February 15, 2022
Known C# vulnerabilities not detected by SonarQube Plugin Development scanner	5	30	March 18, 2025
SonarQube Developer Edition but scans are not showing any vulnerabilities SonarQube Server / Community Build rules	3	284	February 16, 2024
SonarQube Community - Unable to detect issues SonarQube Server / Community Build sonarqube , scanner , community	1	12	November 21, 2024

Request to enhance Sonarqube scan detection to include Android security improvement campaign

Related topics