clean up android query and tests

2025-12-24 04:36:35 +01:00 · 2022-07-29 01:10:15 -04:00
parent cf39cc0909
commit fdb437552c
9 changed files with 70 additions and 21 deletions
--- a/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.qhelp
+++ b/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.qhelp
@@ -4,35 +4,31 @@
 <qhelp>

 <overview>
-<p>The <code>debuggable</code> attribute in the application section of the AndroidManifest.xml file should
-never be enabled in production builds.</p>
-
-<p>ADD MORE/EDIT?</p>
+<p>When a debugger is enabled it could allow for entry points in the application or reveal sensitive information.</p>

 </overview>
 <recommendation>

-<p>Make sure that the <code>debuggable</code> attribute is set to false in production builds.</p>
+<p>In Android applications either set the <code>android:debuggable</code> attribute to <code>false</code>
+or do not include it in the manifest. The default value when not included is <code>false</code>.</p>

 </recommendation>
 <example>

-<p>In the example below, the <code>debuggable</code> attribute is set to <code>true</code>.</p>
+<p>In the example below, the <code>android:debuggable</code> attribute is set to <code>true</code>.</p>

+<sample src="DebuggableTrue.xml" />

-<p>The corrected version sets the <code>debuggable</code> attribute to <code>false</code>.</p>
+<p>The corrected version sets the <code>android:debuggable</code> attribute to <code>false</code>.</p>

+<sample src="DebuggableFalse.xml" />

 </example>
 <references>

 <li>
-  Java SE Documentation:
-  <a href="https://www.oracle.com/java/technologies/javase/codeconventions-statements.html#15395">Compound Statements</a>.
-</li>
-<li>
-  Wikipedia:
-  <a href="https://en.wikipedia.org/wiki/Indentation_style">Indentation style</a>.
+  Android Developers:
+  <a href="https://developer.android.com/guide/topics/manifest/application-element#debug">The android:debuggable attribute</a>.
 </li>

 </references>
--- a/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.ql
+++ b/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.ql
@@ -1,5 +1,5 @@
 /**
- * @name Debuggable attribute enabled
+ * @name Android debuggable attribute enabled
 * @description An enabled debugger can allow for entry points in the application or reveal sensitive information.
 * @kind problem
 * @problem.severity warning
@@ -7,7 +7,7 @@
 * @tags security
 *       external/cwe/cwe-489
 * @precision very-high
- * @security-severity 0.1
+ * @security-severity
 */

 import java
--- a/java/ql/src/Security/CWE/CWE-489/DebuggableFalse.xml
+++ b/java/ql/src/Security/CWE/CWE-489/DebuggableFalse.xml
@@ -0,0 +1,8 @@
+<manifest ... >
+    <!-- GOOD: 'android:debuggable' set to false -->
+    <application
+        android:debuggable="false">
+        <activity ... >
+        </activity>
+    </application>
+</manifest>
--- a/java/ql/src/Security/CWE/CWE-489/DebuggableTrue.xml
+++ b/java/ql/src/Security/CWE/CWE-489/DebuggableTrue.xml
@@ -0,0 +1,8 @@
+<manifest ... >
+    <!-- BAD: 'android:debuggable' set to true -->
+    <application
+        android:debuggable="true">
+        <activity ... >
+        </activity>
+    </application>
+</manifest>