Should Auto-Generated Folders (e.g., intermediates) Be Excluded from Android Code Analysis?

I am analyzing the source code of an Android application, but the build folder contains auto-generated subfolders like intermediates. During the analysis, security hotspot review issues are being flagged in these auto-generated files. We reviewed these issues and marked them as safe, but they keep reappearing with each analysis. Is there a default folder structure or a recommended approach to ignore or exclude such folders during Android project analysis?

Hi,

I wouldn’t expect auto-generated source to be analyzed if it’s being generated to an Android-standard location. I’ll flag that for further attention if you’ll tell me how you’re analyzing. I assume you’re using the SonarScanner for Gradle?

I also wouldn’t expect reviewed Security Hotspots to be re-opened with each analysis. My guess is that the intermediate code isn’t generated exactly the same way each time, so the old Security Hotspots aren’t seen as matching the ones that are found with the next analysis. Thus the old Security Hotspots are closed and new ones are opened.

Short-term, your best option is to set an exclusion on the intermediates directory. (And tell me which scanner you’re using. :wink: )

Thx,
Ann
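The short-term exclusion Ann suggests, written out as an added example (not from the original thread) for the SonarScanner for Gradle, which the reply assumes is in use. It assumes a standard Android module layout where generated code lands under `<module>/build/intermediates`; the `sonar` extension block and the `sonar.exclusions` property are the scanner's own, the module name `app` is a placeholder.

```groovy
// build.gradle of the Android module (example, not the poster's file).
// Requires the SonarScanner for Gradle plugin, id "org.sonarqube".
plugins {
    id 'com.android.application'
    id 'org.sonarqube'
}

sonar {
    properties {
        // Before: nothing excluded, so every analysis re-scans build/intermediates
        // and re-creates Security Hotspots in code nobody hand-writes.
        //
        // After: keep generated build output out of the analysis entirely.
        // "**/build/**" covers build/intermediates and the other generated
        // subfolders; narrow it to "**/build/intermediates/**" if you still
        // want other build output (for example generated BuildConfig) analyzed.
        property 'sonar.exclusions', '**/build/**'

        // Generated code is noise for coverage numbers as well, so keep the
        // two settings consistent.
        property 'sonar.coverage.exclusions', '**/build/**'
    }
}
```

The same property can be passed for a single run without touching the build file, e.g. `./gradlew sonar -Dsonar.exclusions='**/build/**'`; the build-file form is the one that keeps the exclusion from drifting between analyses.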