Skip to content

SONARXML-221 : S5604 Should not raise on items containing tools:node="remove" #397

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rombirli merged 8 commits into from
Jan 7, 2026
Merged

SONARXML-221 : S5604 Should not raise on items containing tools:node="remove" #397

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
8ecae8c
Draft of SONARXML-221 solution
rombirli Dec 23, 2025
99bb0fb
Refactoring : apply most change requests
rombirli Jan 5, 2026
069f0e0
Add tools:node="removeAll" support - no caching
rombirli Jan 5, 2026
1ee0cc5
Caching for tools:node="removeAll"
rombirli Jan 5, 2026
191e4bd
Refactoring : rename tests
rombirli Jan 5, 2026
887b423
Refactoring, rename tests, remove cache, remove repetitions
rombirli Jan 6, 2026
a842ee9
Refactoring : noToolsNodeRemoveAll signature change
rombirli Jan 7, 2026
df47080
Make function hasToolsNodeRemoveAll static
rombirli Jan 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 44 additions & 5 deletions .../src/main/java/org/sonar/plugins/xml/checks/security/android/AndroidPermissionsCheck.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,21 +19,29 @@
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.stream.IntStream;
import javax.annotation.Nullable;
import javax.xml.xpath.XPathExpression;
import org.sonar.check.Rule;
import org.sonarsource.analyzer.commons.xml.XPathBuilder;
import org.sonarsource.analyzer.commons.xml.XmlFile;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

import static org.sonar.plugins.xml.checks.security.android.Utils.ANDROID_MANIFEST_TOOLS;
import static org.sonar.plugins.xml.checks.security.android.Utils.ANDROID_MANIFEST_XMLNS;

@Rule(key = "S5604")
public class AndroidPermissionsCheck extends AbstractAndroidManifestCheck {

private static final String MESSAGE = "Make sure the use of \"%s\" permission is necessary.";
private final XPathExpression xPathExpression = XPathBuilder.forExpression("/manifest/uses-permission/@n1:name")
.withNamespace("n1", ANDROID_MANIFEST_XMLNS)
private final XPathExpression xPathExpression = XPathBuilder
.forExpression("/manifest/uses-permission")
.build();

// finding if any child contains tools:node="removeAll" can be costly if there are many uses-permission nodes
// so we cache the result for each parent node

private static final Set<String> DANGEROUS_PERMISSIONS = new HashSet<>(Arrays.asList(
// the below list is dangerous
// see https://developer.android.com/reference/android/Manifest.permission
Expand Down Expand Up @@ -110,13 +118,44 @@ public class AndroidPermissionsCheck extends AbstractAndroidManifestCheck {

@Override
protected final void scanAndroidManifest(XmlFile file) {
evaluateAsList(xPathExpression, file.getDocument()).stream()
.filter(node -> DANGEROUS_PERMISSIONS.contains(node.getNodeValue()))
.forEach(node -> reportIssue(node, String.format(MESSAGE, simpleName(node.getNodeValue()))));
if (noToolsNodeRemoveAll(file.getDocument().getFirstChild())) {
evaluateAsList(xPathExpression, file.getDocument())
.forEach(this::checkAndReportPermissionIssue);
}
}

private void checkAndReportPermissionIssue(Node node) {
Node permissionsAttribute = findPermissionAttribute(node);
String permissionValue = permissionsAttribute.getNodeValue();
if (!hasToolsNodeValue(node, "remove")
&& DANGEROUS_PERMISSIONS.contains(permissionValue)) {
reportIssue(permissionsAttribute, String.format(MESSAGE, simpleName(permissionValue)));
}
}

private static String simpleName(String fullyQualifiedName) {
return fullyQualifiedName.substring(fullyQualifiedName.lastIndexOf('.') + 1);
}

private static Node findPermissionAttribute(Node node) {
return node.getAttributes().getNamedItemNS(ANDROID_MANIFEST_XMLNS, "name");
}

private static boolean hasToolsNodeValue(Node node, String value) {
Node toolsNodeAttribute = node.getAttributes().getNamedItemNS(ANDROID_MANIFEST_TOOLS, "node");
return toolsNodeAttribute != null && value.equals(toolsNodeAttribute.getNodeValue());
}

private boolean noToolsNodeRemoveAll(@Nullable Node node) {
if (node == null) {
return true;
}

NodeList nodeList = node.getChildNodes();
return IntStream.range(0, nodeList.getLength())
.boxed()
.map(nodeList::item)
.filter(childNode -> "uses-permission".equals(childNode.getNodeName()))
.noneMatch(childNode -> hasToolsNodeValue(childNode, "removeAll"));
}
}
1 change: 1 addition & 0 deletions sonar-xml-plugin/src/main/java/org/sonar/plugins/xml/checks/security/android/Utils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ private Utils() {
}

public static final String ANDROID_MANIFEST_XMLNS = "http://schemas.android.com/apk/res/android";
public static final String ANDROID_MANIFEST_TOOLS = "http://schemas.android.com/tools";
public static final String ANDROID_MANIFEST_FILENAME = "AndroidManifest.xml";

public static boolean isAndroidManifestFile(XmlFile file) {
Expand Down
14 changes: 14 additions & 0 deletions .../test/java/org/sonar/plugins/xml/checks/security/android/AndroidPermissionsCheckTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,4 +32,18 @@ void not_manifest() {
SonarXmlCheckVerifier.verifyNoIssue(Paths.get("AnyFileName.xml").toString(), new AndroidPermissionsCheck());
}

@Test
void should_not_raise_on_tools_node_remove() {
SonarXmlCheckVerifier.verifyIssues(Paths.get("ToolsNodeRemove/AndroidManifest.xml").toString(), new AndroidPermissionsCheck());
}

@Test
void should_not_raise_on_tools_node_remove_all() {
SonarXmlCheckVerifier.verifyNoIssue(Paths.get("ToolsNodeRemoveAll/AndroidManifest.xml").toString(), new AndroidPermissionsCheck());
}

@Test
void should_raise_on_tools_node_remove_all_with_wrong_tag() {
SonarXmlCheckVerifier.verifyIssues(Paths.get("ToolsNodeRemoveAllWrongTag/AndroidManifest.xml").toString(), new AndroidPermissionsCheck());
}
}
11 changes: 11 additions & 0 deletions ...gin/src/test/resources/checks/AndroidPermissionsCheck/ToolsNodeRemove/AndroidManifest.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools" package="com.example.myapp">

<!-- Compliant -->
<uses-permission android:name="android.permission.ACCEPT_HANDOVER" tools:node="remove"/>

<!-- Noncompliant@+1 {{Make sure the use of "ACCESS_BACKGROUND_LOCATION" permission is necessary.}} -->
<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION" />
<!-- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -->

</manifest>
11 changes: 11 additions & 0 deletions .../src/test/resources/checks/AndroidPermissionsCheck/ToolsNodeRemoveAll/AndroidManifest.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools"
package="com.example.myapp">

<!-- Compliant -->
<uses-permission android:name="android.permission.ACCEPT_HANDOVER" tools:node="removeAll"/>
<!-- Compliant -->
<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>

</manifest>

13 changes: 13 additions & 0 deletions ...t/resources/checks/AndroidPermissionsCheck/ToolsNodeRemoveAllWrongTag/AndroidManifest.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" xmlns:tools="http://schemas.android.com/tools"
package="com.example.myapp">

<!-- Compliant -->
<something-random android:name="android.permission.ACCEPT_HANDOVER" tools:node="removeAll"/>

<!-- Noncompliant@+1 {{Make sure the use of "ACCESS_BACKGROUND_LOCATION" permission is necessary.}} -->
<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
<!-- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -->

</manifest>

Loading