SONARKT-595 Rule S7416: Android production release targets should not be debuggable (#588)

Author: antonioaversa

sonar-kotlin-gradle/src/main/java/org/sonarsource/kotlin/gradle/KotlinGradleCheckList.kt

@@ -17,6 +17,7 @@
 package org.sonarsource.kotlin.gradle
 
 import org.sonarsource.kotlin.api.checks.KotlinCheck
+import org.sonarsource.kotlin.gradle.checks.AndroidReleaseBuildDebugCheck
 import org.sonarsource.kotlin.gradle.checks.AndroidReleaseBuildObfuscationCheck
 import org.sonarsource.kotlin.gradle.checks.CorePluginsShortcutUsageCheck
 import org.sonarsource.kotlin.gradle.checks.DependencyGroupedCheck
@@ -29,6 +30,7 @@ import org.sonarsource.kotlin.gradle.checks.TaskRegisterVsCreateCheck
 
 
 val KOTLIN_GRADLE_CHECKS: List<Class<out KotlinCheck>> = listOf(
+    AndroidReleaseBuildDebugCheck::class.java,
     AndroidReleaseBuildObfuscationCheck::class.java,
     CorePluginsShortcutUsageCheck::class.java,
     RootProjectNamePresentCheck::class.java,

sonar-kotlin-gradle/src/main/java/org/sonarsource/kotlin/gradle/checks/AndroidReleaseBuildDebugCheck.kt

@@ -0,0 +1,48 @@
+/*
+ * SonarSource Kotlin
+ * Copyright (C) 2018-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonarsource.kotlin.gradle.checks
+
+import org.jetbrains.kotlin.psi.KtScriptInitializer
+import org.sonar.check.Rule
+import org.sonarsource.kotlin.api.checks.AbstractCheck
+import org.sonarsource.kotlin.api.checks.predictRuntimeBooleanValue
+import org.sonarsource.kotlin.api.frontend.KotlinFileContext
+
+private const val message = "Make sure this debug feature is deactivated before delivering the code in production."
+
+@Rule(key = "S7416")
+class AndroidReleaseBuildDebugCheck : AbstractCheck() {
+
+    override fun visitScriptInitializer(initializer: KtScriptInitializer, data: KotlinFileContext) {
+        !data.ktFile.isSettingGradleKts() || return
+        val androidLambda = initializer.getChildCallWithLambdaOrNull("android")?.lambda ?: return
+
+        // Ensure the project is an Android app, and not a library
+        androidLambda.getApplicationId() ?: return
+
+        val buildTypes = androidLambda.getChildCallWithLambdaOrNull("buildTypes") ?: return
+        val (_, releaseLambda) = buildTypes.lambda.getChildCallWithLambdaOrNull("release")
+            ?: androidLambda.getGetByNameCallWithLambdaOrNull()
+            ?: return
+
+        val isDebuggableAssignment = releaseLambda.getPropertyAssignmentOrNull("isDebuggable")
+
+        if (isDebuggableAssignment?.right?.predictRuntimeBooleanValue() == true) {
+            data.reportIssue(isDebuggableAssignment, message)
+        }
+    }
+}

sonar-kotlin-gradle/src/main/java/org/sonarsource/kotlin/gradle/checks/AndroidReleaseBuildObfuscationCheck.kt

@@ -16,27 +16,14 @@
  */
 package org.sonarsource.kotlin.gradle.checks
 
-import com.intellij.psi.util.childrenOfType
-import com.intellij.psi.util.descendantsOfType
-import org.jetbrains.kotlin.lexer.KtTokens
-import org.jetbrains.kotlin.psi.KtBinaryExpression
-import org.jetbrains.kotlin.psi.KtCallExpression
-import org.jetbrains.kotlin.psi.KtElement
-import org.jetbrains.kotlin.psi.KtExpression
-import org.jetbrains.kotlin.psi.KtFile
-import org.jetbrains.kotlin.psi.KtFunctionLiteral
-import org.jetbrains.kotlin.psi.KtLambdaExpression
 import org.jetbrains.kotlin.psi.KtScriptInitializer
-import org.jetbrains.kotlin.psi.KtValueArgument
 import org.sonar.check.Rule
 import org.sonarsource.kotlin.api.checks.AbstractCheck
 import org.sonarsource.kotlin.api.checks.predictRuntimeBooleanValue
-import org.sonarsource.kotlin.api.checks.predictRuntimeStringValue
 import org.sonarsource.kotlin.api.frontend.KotlinFileContext
 import org.sonarsource.kotlin.api.reporting.KotlinTextRanges.textRange
 import org.sonarsource.kotlin.api.reporting.SecondaryLocation
 
-private const val settingsGradleFileName = "settings.gradle.kts"
 private const val mainMessage = "Make sure that obfuscation is enabled in the release build configuration."
 private const val debuggableSetToTrueMessage = "Enabling debugging disables obfuscation for this release build. Make sure this is safe here."
 
@@ -48,11 +35,7 @@ class AndroidReleaseBuildObfuscationCheck : AbstractCheck() {
         val (androidCallee, androidLambda) = initializer.getChildCallWithLambdaOrNull("android") ?: return
 
         // Ensure the project is an Android app, and not a library
-        androidLambda
-            .getChildCallWithLambdaOrNull("defaultConfig")
-            ?.lambda
-            ?.getPropertyAssignmentOrNull("applicationId")
-            ?: return
+        androidLambda.getApplicationId() ?: return
 
         val buildTypes = androidLambda.getChildCallWithLambdaOrNull("buildTypes")
         if (buildTypes == null) {
@@ -82,40 +65,4 @@ class AndroidReleaseBuildObfuscationCheck : AbstractCheck() {
                 data.reportIssue(releaseCallee, mainMessage)
         }
     }
-
-    private fun KtFile.isSettingGradleKts() = name.endsWith(settingsGradleFileName, ignoreCase = true)
-
-    private fun KtElement.getChildCallOrNull(childCallName: String): KtCallExpression? =
-        descendantsOfType<KtCallExpression>().firstOrNull { it.calleeExpression?.text == childCallName }
-
-    private fun KtElement.getChildCallWithLambdaOrNull(childCallName: String): CalleeAndLambda? {
-        val callee = getChildCallOrNull(childCallName) ?: return null
-        val lambda = callee.functionLiteralArgumentOrNull() ?: return null
-        return CalleeAndLambda(callee.calleeExpression!!, lambda)
-    }
-
-    private fun KtElement.getGetByNameCallWithLambdaOrNull(): CalleeAndLambda? {
-        val callee = descendantsOfType<KtCallExpression>().firstOrNull {
-            it.calleeExpression?.text == "getByName" &&
-                it.valueArguments.size == 2 &&
-                it.valueArguments[0].isReleaseBuildType()
-        } ?: return null
-        val lambda = callee.functionLiteralArgumentOrNull() ?: return null
-        return CalleeAndLambda(callee.calleeExpression!!, lambda)
-    }
-
-    private fun KtValueArgument.isReleaseBuildType(): Boolean =
-        textMatches("BuildType.RELEASE") ||
-        getArgumentExpression()?.predictRuntimeStringValue() == "release"
-
-    private fun KtCallExpression.functionLiteralArgumentOrNull(): KtFunctionLiteral? =
-        valueArguments
-            .flatMap { it.childrenOfType<KtLambdaExpression>() }
-            .flatMap { it.childrenOfType<KtFunctionLiteral>() }
-            .singleOrNull()
-
-    private fun KtElement.getPropertyAssignmentOrNull(propertyName: String): KtBinaryExpression? =
-        descendantsOfType<KtBinaryExpression>().firstOrNull { it.operationToken == KtTokens.EQ && it.left?.text == propertyName }
-
-    private data class CalleeAndLambda(val callee: KtExpression, val lambda: KtFunctionLiteral)
 }

sonar-kotlin-gradle/src/main/java/org/sonarsource/kotlin/gradle/checks/androidReleaseBuildUtils.kt

@@ -0,0 +1,74 @@
+/*
+ * SonarSource Kotlin
+ * Copyright (C) 2018-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonarsource.kotlin.gradle.checks
+
+import com.intellij.psi.util.childrenOfType
+import com.intellij.psi.util.descendantsOfType
+import org.jetbrains.kotlin.lexer.KtTokens
+import org.jetbrains.kotlin.psi.KtBinaryExpression
+import org.jetbrains.kotlin.psi.KtCallExpression
+import org.jetbrains.kotlin.psi.KtElement
+import org.jetbrains.kotlin.psi.KtExpression
+import org.jetbrains.kotlin.psi.KtFile
+import org.jetbrains.kotlin.psi.KtFunctionLiteral
+import org.jetbrains.kotlin.psi.KtLambdaExpression
+import org.jetbrains.kotlin.psi.KtValueArgument
+import org.sonarsource.kotlin.api.checks.predictRuntimeStringValue
+
+private const val settingsGradleFileName = "settings.gradle.kts"
+
+internal fun KtFile.isSettingGradleKts() = name.endsWith(settingsGradleFileName, ignoreCase = true)
+
+internal fun KtFunctionLiteral.getApplicationId() =
+        getChildCallWithLambdaOrNull("defaultConfig")
+        ?.lambda
+        ?.getPropertyAssignmentOrNull("applicationId")
+
+internal fun KtElement.getChildCallOrNull(childCallName: String): KtCallExpression? =
+    descendantsOfType<KtCallExpression>().firstOrNull { it.calleeExpression?.text == childCallName }
+
+internal fun KtElement.getChildCallWithLambdaOrNull(childCallName: String): CalleeAndLambda? {
+    val callee = getChildCallOrNull(childCallName) ?: return null
+    val lambda = callee.functionLiteralArgumentOrNull() ?: return null
+    return CalleeAndLambda(callee.calleeExpression!!, lambda)
+}
+
+internal fun KtElement.getGetByNameCallWithLambdaOrNull(): CalleeAndLambda? {
+    val callee = descendantsOfType<KtCallExpression>().firstOrNull {
+        it.calleeExpression?.text == "getByName" &&
+            it.valueArguments.size == 2 &&
+            it.valueArguments[0].isReleaseBuildType()
+    } ?: return null
+    val lambda = callee.functionLiteralArgumentOrNull() ?: return null
+    return CalleeAndLambda(callee.calleeExpression!!, lambda)
+}
+
+internal fun KtValueArgument.isReleaseBuildType(): Boolean =
+    textMatches("BuildType.RELEASE") ||
+        getArgumentExpression()?.predictRuntimeStringValue() == "release"
+
+internal fun KtCallExpression.functionLiteralArgumentOrNull(): KtFunctionLiteral? =
+    valueArguments
+        .flatMap { it.childrenOfType<KtLambdaExpression>() }
+        .flatMap { it.childrenOfType<KtFunctionLiteral>() }
+        .singleOrNull()
+
+internal fun KtElement.getPropertyAssignmentOrNull(propertyName: String): KtBinaryExpression? =
+    descendantsOfType<KtBinaryExpression>().firstOrNull { it.operationToken == KtTokens.EQ && it.left?.text == propertyName }
+
+internal data class CalleeAndLambda(val callee: KtExpression, val lambda: KtFunctionLiteral)
+

sonar-kotlin-gradle/src/test/java/org/sonarsource/kotlin/gradle/checks/AndroidReleaseBuildDebugCheckTest.kt

@@ -0,0 +1,42 @@
+/*
+ * SonarSource Kotlin
+ * Copyright (C) 2018-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonarsource.kotlin.gradle.checks
+
+import org.junit.jupiter.api.Test
+import org.sonarsource.kotlin.testapi.KotlinVerifier
+import java.nio.file.Path
+
+internal class AndroidReleaseBuildDebugCheckTest {
+    private val check = AndroidReleaseBuildDebugCheck()
+    private val fileNamePrefix = "AndroidReleaseBuildDebugCheckSample"
+
+    @Test
+    fun `on build gradle file`() {
+        KotlinVerifier(check) {
+            this.fileName = Path.of(fileNamePrefix, "build.gradle.kts").toFile().path
+            this.baseDir = SAMPLES_BASE_DIR
+        }.verify()
+    }
+
+    @Test
+    fun `on settings gradle file`() {
+        KotlinVerifier(check) {
+            this.fileName = Path.of(fileNamePrefix, "settings.gradle.kts").toFile().path
+            this.baseDir = SAMPLES_BASE_DIR
+        }.verifyNoIssue()
+    }
+}

sonar-kotlin-gradle/src/test/java/org/sonarsource/kotlin/gradle/checks/AndroidReleaseBuildObfuscationCheckTest.kt

@@ -25,7 +25,7 @@ internal class AndroidReleaseBuildObfuscationCheckTest {
     private val fileNamePrefix = "AndroidReleaseBuildObfuscationCheckSample"
 
     @Test
-    fun `on gradle file`() {
+    fun `on build gradle file`() {
         KotlinVerifier(check) {
             this.fileName = Path.of(fileNamePrefix, "build.gradle.kts").toFile().path
             this.baseDir = SAMPLES_BASE_DIR