xml:S5604: tagging a dangerous permission that we are actually *removing*

Hello!

  • What language is this for?
    Android

  • Which rule?
    xml:S5604

  • Why do you believe it’s a false-positive/false-negative?
    This is a false-positive.

We are integrating an Android SDK that adds sensitive permissions. We however do not use the feature that needs this permission, and do not want this permission to appear in our manifest.
To prevent having this permission, we add a removal rule in our app’s manifest:

<uses-permission
    android:name="android.permission.READ_EXTERNAL_STORAGE"
    android:maxSdkVersion="32"
    tools:node="remove" />

Notice the tools:node="remove".

It seems that Sonar does not care about the removal, and treats this instruction as “You are adding a dangerous permission, be careful”. This is actually the other way around. We know about it, and actively remove it from our manifest.

  • Are you using
    SonarCloud

  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)

  1. Create a simple project that contains the Zendesk SDK: com.zendesk:support:5.2.0

  2. Add a removal rule in your manifest:

<uses-permission
    android:name="android.permission.READ_EXTERNAL_STORAGE"
    android:maxSdkVersion="32"
    tools:node="remove" />

  3. Scan with Sonar.

Hi @jonas55, and welcome to our community!

Thanks a lot for your feedback! This rule is a few years old now, and it looks like tools:node="remove" was not taken into account when we wrote the detection logic.

You may change the status of this issue as a false positive while we fix our detection logic :+1:. I created an internal ticket to fix that.

Thanks again for your feedback! It is pretty rare for our team to get feedback on our security rules for Android, we appreciate it.
If you happen to have feedback on how you perceive the quality of the security issues raised on your Android codebase(s), I would be happy to hear it.

Have a good day,

Loris

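To make the false positive from the original report and the fix Loris mentions concrete, here is an added toy manifest check (illustration only, not SonarSource's rule implementation, and its "dangerous" permission set and the sample manifest are constructed for the demo). It shows what a scanner reports when it ignores tools:node="remove" next to what it reports when it honours the merger directive.

```python
"""Toy AndroidManifest check: flag dangerous permissions, honouring tools:node="remove"."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
TOOLS_NS = "http://schemas.android.com/tools"

# Constructed, deliberately small set of permissions treated as "dangerous" for this
# demo; it is not the real rule's list.
DANGEROUS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
}


def dangerous_permissions(manifest_xml: str, honour_remove: bool = True) -> list[str]:
    """Return the dangerous permissions a manifest will actually request.

    With honour_remove=False the function reproduces the false positive from the
    thread: a <uses-permission tools:node="remove"> element is reported even though
    the manifest merger drops that permission from the final APK.
    """
    root = ET.fromstring(manifest_xml)
    found = []
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name not in DANGEROUS:
            continue
        # The merger directive lives in the tools namespace, not the android one.
        removed = elem.get(f"{{{TOOLS_NS}}}node") == "remove"
        if honour_remove and removed:
            continue
        found.append(name)
    return found


# Constructed manifest mirroring the removal rule quoted in the report.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools" package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission
        android:name="android.permission.READ_EXTERNAL_STORAGE"
        android:maxSdkVersion="32"
        tools:node="remove" />
</manifest>"""

if __name__ == "__main__":
    print("naive:", dangerous_permissions(MANIFEST, honour_remove=False))
    print("fixed:", dangerous_permissions(MANIFEST))
```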