Hello Android / Java developers,
We are happy to announce that the taint analyzer that detects injection vulnerabilities has been improved to support the Android SDK.
What has been done?
- Activity, Receiver and Service intent parameters, and ContentProvider method parameters, are now treated as “sources”.
- a new rule specific to Android was added: S6384 - Components should not be vulnerable to intent redirection
- existing vulnerability rules were adjusted to consider Android “sinks”:
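As an added illustration of the source/sink pattern the new rule targets (this is example code written for this note, not code from the post or from the analyzer), here is an exported Activity that receives a nested Intent from its caller and forwards it. The incoming `getIntent()` is the kind of “source” listed above; `startActivity()` is the sink. The class name, package name and the `next_intent` extra key are assumptions chosen for the example.

```java
// Added example, not from the original post. Package, class and extra key are assumed.
package com.example.redirect;

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.content.pm.ResolveInfo;
import android.os.Bundle;

// Assume this Activity is declared with android:exported="true" in the manifest,
// so any installed app can start it and control every extra in the Intent.
public class ForwardingActivity extends Activity {
    // Extra key chosen for this example; an attacker app sets it freely.
    static final String EXTRA_NEXT = "next_intent";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The incoming Intent is the taint source: its extras are caller-controlled.
        Intent incoming = getIntent();
        Intent next = incoming.getParcelableExtra(EXTRA_NEXT);
        if (next == null) {
            finish();
            return;
        }
        // forwardUnchecked(next);  // vulnerable form, the pattern S6384 reports
        forwardChecked(next);       // hardened form
    }

    // Vulnerable: the caller-supplied Intent reaches the sink with this app's identity.
    // The attacker can point it at one of this app's own non-exported components, or
    // attach FLAG_GRANT_*_URI_PERMISSION to read data only this app may access.
    void forwardUnchecked(Intent next) {
        startActivity(next);
    }

    // Hardened: refuse implicit intents and anything targeting this app's own
    // components, require the resolved target to be exported and unprotected by a
    // permission, and strip URI grant flags so the caller cannot borrow our access.
    void forwardChecked(Intent next) {
        if (!targetsAnotherApp(next, getPackageName())) {
            finish();
            return;
        }
        ResolveInfo ri = getPackageManager().resolveActivity(next, 0);
        if (ri == null || ri.activityInfo == null
                || !ri.activityInfo.exported
                || ri.activityInfo.permission != null) {
            // Not resolvable, not exported, or only launchable with a permission
            // the attacker may lack but we hold: do not act as a confused deputy.
            finish();
            return;
        }
        next.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
        startActivity(next);
    }

    // Pure check kept separate so it can be unit-tested without a device:
    // explicit component required, and it must not belong to our own package.
    static boolean targetsAnotherApp(Intent next, String ownPackage) {
        ComponentName target = next.getComponent();
        if (target == null) {
            return false; // implicit intent: resolution is out of our control, refuse
        }
        return !ownPackage.equals(target.getPackageName());
    }
}
```

The analyzer's report on the vulnerable path is the taint flow from the Activity's incoming Intent (source) to `startActivity()` (sink) without a sanitizing check in between; the `forwardChecked` path shows the kind of component and permission validation that breaks that flow.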
This is available now on SonarCloud and is included in SonarQube 9.3.