SONARKT-594 Rule S7204: Obfuscation should be enabled for release builds

Author: antonioaversa

sonar-kotlin-gradle/src/main/java/org/sonarsource/kotlin/gradle/KotlinGradleCheckList.kt

@@ -17,17 +17,19 @@
 package org.sonarsource.kotlin.gradle
 
 import org.sonarsource.kotlin.api.checks.KotlinCheck
+import org.sonarsource.kotlin.gradle.checks.AndroidReleaseBuildObfuscationCheck
 import org.sonarsource.kotlin.gradle.checks.CorePluginsShortcutUsageCheck
-import org.sonarsource.kotlin.gradle.checks.RootProjectNamePresentCheck
 import org.sonarsource.kotlin.gradle.checks.DependencyGroupedCheck
 import org.sonarsource.kotlin.gradle.checks.DependencyVersionHardcodedCheck
 import org.sonarsource.kotlin.gradle.checks.MissingSettingsCheck
 import org.sonarsource.kotlin.gradle.checks.MissingVerificationMetadataCheck
+import org.sonarsource.kotlin.gradle.checks.RootProjectNamePresentCheck
 import org.sonarsource.kotlin.gradle.checks.TaskDefinitionsCheck
 import org.sonarsource.kotlin.gradle.checks.TaskRegisterVsCreateCheck
 
 
 val KOTLIN_GRADLE_CHECKS: List<Class<out KotlinCheck>> = listOf(
+    AndroidReleaseBuildObfuscationCheck::class.java,
     CorePluginsShortcutUsageCheck::class.java,
     RootProjectNamePresentCheck::class.java,
     DependencyGroupedCheck::class.java,
@@ -37,3 +39,4 @@ val KOTLIN_GRADLE_CHECKS: List<Class<out KotlinCheck>> = listOf(
     TaskDefinitionsCheck::class.java,
     TaskRegisterVsCreateCheck::class.java,
 )
+

sonar-kotlin-gradle/src/main/java/org/sonarsource/kotlin/gradle/checks/AndroidReleaseBuildObfuscationCheck.kt

@@ -0,0 +1,121 @@
+/*
+ * SonarSource Kotlin
+ * Copyright (C) 2018-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonarsource.kotlin.gradle.checks
+
+import com.intellij.psi.util.childrenOfType
+import com.intellij.psi.util.descendantsOfType
+import org.jetbrains.kotlin.lexer.KtTokens
+import org.jetbrains.kotlin.psi.KtBinaryExpression
+import org.jetbrains.kotlin.psi.KtCallExpression
+import org.jetbrains.kotlin.psi.KtElement
+import org.jetbrains.kotlin.psi.KtExpression
+import org.jetbrains.kotlin.psi.KtFile
+import org.jetbrains.kotlin.psi.KtFunctionLiteral
+import org.jetbrains.kotlin.psi.KtLambdaExpression
+import org.jetbrains.kotlin.psi.KtScriptInitializer
+import org.jetbrains.kotlin.psi.KtValueArgument
+import org.sonar.check.Rule
+import org.sonarsource.kotlin.api.checks.AbstractCheck
+import org.sonarsource.kotlin.api.checks.predictRuntimeBooleanValue
+import org.sonarsource.kotlin.api.checks.predictRuntimeStringValue
+import org.sonarsource.kotlin.api.frontend.KotlinFileContext
+import org.sonarsource.kotlin.api.reporting.KotlinTextRanges.textRange
+import org.sonarsource.kotlin.api.reporting.SecondaryLocation
+
+private const val settingsGradleFileName = "settings.gradle.kts"
+private const val mainMessage = "Make sure that obfuscation is enabled in the release build configuration."
+private const val debuggableSetToTrueMessage = "Enabling debugging disables obfuscation for this release build. Make sure this is safe here."
+
+@Rule(key = "S7204")
+class AndroidReleaseBuildObfuscationCheck : AbstractCheck() {
+
+    override fun visitScriptInitializer(initializer: KtScriptInitializer, data: KotlinFileContext) {
+        !data.ktFile.isSettingGradleKts() || return
+        val (androidCallee, androidLambda) = initializer.getChildCallWithLambdaOrNull("android") ?: return
+
+        // Ensure the project is an Android app, and not a library
+        androidLambda
+            .getChildCallWithLambdaOrNull("defaultConfig")
+            ?.lambda
+            ?.getPropertyAssignmentOrNull("applicationId")
+            ?: return
+
+        val buildTypes = androidLambda.getChildCallWithLambdaOrNull("buildTypes")
+        if (buildTypes == null) {
+            data.reportIssue(androidCallee, mainMessage)
+            return
+        }
+
+        val (releaseCallee, releaseLambda) = buildTypes.lambda.getChildCallWithLambdaOrNull("release")
+            ?: androidLambda.getGetByNameCallWithLambdaOrNull()
+            ?: return
+
+        val isDebuggableAssignment = releaseLambda.getPropertyAssignmentOrNull("isDebuggable")
+        val isMinifiedEnabledAssignment = releaseLambda.getPropertyAssignmentOrNull("isMinifyEnabled")
+
+        when {
+            isMinifiedEnabledAssignment == null ->
+                data.reportIssue(releaseCallee, mainMessage)
+            isMinifiedEnabledAssignment.right?.predictRuntimeBooleanValue() == false ->
+                data.reportIssue(isMinifiedEnabledAssignment, mainMessage)
+            isDebuggableAssignment?.right?.predictRuntimeBooleanValue() == true ->
+                data.reportIssue(
+                    releaseCallee,
+                    debuggableSetToTrueMessage,
+                    secondaryLocations = listOf(isDebuggableAssignment).map { SecondaryLocation(data.textRange(it), "") }
+                )
+            releaseLambda.getChildCallOrNull("proguardFiles") == null ->
+                data.reportIssue(releaseCallee, mainMessage)
+        }
+    }
+
+    private fun KtFile.isSettingGradleKts() = name.endsWith(settingsGradleFileName, ignoreCase = true)
+
+    private fun KtElement.getChildCallOrNull(childCallName: String): KtCallExpression? =
+        descendantsOfType<KtCallExpression>().firstOrNull { it.calleeExpression?.text == childCallName }
+
+    private fun KtElement.getChildCallWithLambdaOrNull(childCallName: String): CalleeAndLambda? {
+        val callee = getChildCallOrNull(childCallName) ?: return null
+        val lambda = callee.functionLiteralArgumentOrNull() ?: return null
+        return CalleeAndLambda(callee.calleeExpression!!, lambda)
+    }
+
+    private fun KtElement.getGetByNameCallWithLambdaOrNull(): CalleeAndLambda? {
+        val callee = descendantsOfType<KtCallExpression>().firstOrNull {
+            it.calleeExpression?.text == "getByName" &&
+                it.valueArguments.size == 2 &&
+                it.valueArguments[0].isReleaseBuildType()
+        } ?: return null
+        val lambda = callee.functionLiteralArgumentOrNull() ?: return null
+        return CalleeAndLambda(callee.calleeExpression!!, lambda)
+    }
+
+    private fun KtValueArgument.isReleaseBuildType(): Boolean =
+        textMatches("BuildType.RELEASE") ||
+        getArgumentExpression()?.predictRuntimeStringValue() == "release"
+
+    private fun KtCallExpression.functionLiteralArgumentOrNull(): KtFunctionLiteral? =
+        valueArguments
+            .flatMap { it.childrenOfType<KtLambdaExpression>() }
+            .flatMap { it.childrenOfType<KtFunctionLiteral>() }
+            .singleOrNull()
+
+    private fun KtElement.getPropertyAssignmentOrNull(propertyName: String): KtBinaryExpression? =
+        descendantsOfType<KtBinaryExpression>().firstOrNull { it.operationToken == KtTokens.EQ && it.left?.text == propertyName }
+
+    private data class CalleeAndLambda(val callee: KtExpression, val lambda: KtFunctionLiteral)
+}

sonar-kotlin-gradle/src/test/java/org/sonarsource/kotlin/gradle/checks/AndroidReleaseBuildObfuscationCheckTest.kt

@@ -0,0 +1,42 @@
+/*
+ * SonarSource Kotlin
+ * Copyright (C) 2018-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+package org.sonarsource.kotlin.gradle.checks
+
+import org.junit.jupiter.api.Test
+import org.sonarsource.kotlin.testapi.KotlinVerifier
+import java.nio.file.Path
+
+internal class AndroidReleaseBuildObfuscationCheckTest {
+    private val check = AndroidReleaseBuildObfuscationCheck()
+    private val fileNamePrefix = "AndroidReleaseBuildObfuscationCheckSample"
+
+    @Test
+    fun `on gradle file`() {
+        KotlinVerifier(check) {
+            this.fileName = Path.of(fileNamePrefix, "build.gradle.kts").toFile().path
+            this.baseDir = SAMPLES_BASE_DIR
+        }.verify()
+    }
+
+    @Test
+    fun `on settings gradle file`() {
+        KotlinVerifier(check) {
+            this.fileName = Path.of(fileNamePrefix, "settings.gradle.kts").toFile().path
+            this.baseDir = SAMPLES_BASE_DIR
+        }.verifyNoIssue()
+    }
+}