Request to enhance SonarQube scan detection to include Android security improvement campaign

We would like to request that SonarQube’s scanning capabilities be enhanced to detect security issues mentioned in the Android Security Improvement Program (as outlined at App security improvement program | Security | Android Developers).

We used the self-hosted SonarQube Developer Edition v10.3 to scan our mobile app’s source code for security vulnerabilities. Although our application passed the SonarQube scan with zero vulnerabilities detected, it failed to identify the WebView SSLHandler security issue flagged by the Android team.

Thanks for your patience on this one.

We are restarting our effort on Kotlin security rules and we will look at your feedback to understand why this problem was not detected by SonarQube Developer Edition.