updates to android debug query

Jami Cogswell · Jami Cogswell · commit cf39cc090984 · 2022-08-15T15:49:59.000-04:00
diff --git a/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.ql b/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeTrue.ql
@@ -1,15 +1,13 @@
-// TODO: Fix up metadata
 /**
- * @name Debuggable set to true
- * @description The 'debuggable' attribute in the application section of the AndroidManifest.xml file should never be enabled in production builds // TODO: edit to be in-line wth guidelines
+ * @name Debuggable attribute enabled
+ * @description An enabled debugger can allow for entry points in the application or reveal sensitive information.
  * @kind problem
  * @problem.severity warning
- * @id java/android/debuggable-true // TODO: consider editing
- * @tags security                   // TODO: look into CWEs some more
+ * @id java/android/debuggable-attribute-enabled
+ * @tags security
  *       external/cwe/cwe-489
- *       external/cwe/cwe-710
- * @precision high                  // TODO: adjust once review query results and FP ratio
- * @security-severity 0.1           // TODO: auto-calculated: https://github.blog/changelog/2021-07-19-codeql-code-scanning-new-severity-levels-for-security-alerts/
+ * @precision very-high
+ * @security-severity 0.1
  */
 
 import java
@@ -18,5 +16,6 @@ import semmle.code.xml.AndroidManifest
 from AndroidXmlAttribute androidXmlAttr
 where
   androidXmlAttr.getName() = "debuggable" and
-  androidXmlAttr.getValue() = "true"
-select androidXmlAttr, "Warning: 'android:debuggable=true' set"
+  androidXmlAttr.getValue() = "true" and
+  not androidXmlAttr.getLocation().toString().matches("%/build/%")
+select androidXmlAttr, "The 'debuggable' attribute is enabled."
diff --git a/java/ql/test/query-tests/security/CWE-489/DebuggableAttributeTrue.expected b/java/ql/test/query-tests/security/CWE-489/DebuggableAttributeTrue.expected
@@ -1 +1 @@
-| TestTrue.xml:7:5:17:30 | debuggable=true | Warning: 'android:debuggable=true' set |
+| TestTrue.xml:7:5:17:30 | debuggable=true | Warning: debuggable attribute enabled |
diff --git a/java/ql/test/query-tests/security/CWE-489/TestFalse.xml b/java/ql/test/query-tests/security/CWE-489/TestFalse.xml
@@ -24,6 +24,6 @@
                 <category android:name="android.intent.category.LAUNCHER" />
             </intent-filter>
         </activity>
-    </application> <!-- test -->
+    </application>
 
 </manifest>
diff --git a/java/ql/test/query-tests/security/CWE-489/TestNotSet.xml b/java/ql/test/query-tests/security/CWE-489/TestNotSet.xml
@@ -23,6 +23,6 @@
                 <category android:name="android.intent.category.LAUNCHER" />
             </intent-filter>
         </activity>
-    </application> <!-- test -->
+    </application>
 
 </manifest>
diff --git a/java/ql/test/query-tests/security/CWE-489/TestTrue.xml b/java/ql/test/query-tests/security/CWE-489/TestTrue.xml
@@ -24,6 +24,6 @@
                 <category android:name="android.intent.category.LAUNCHER" />
             </intent-filter>
         </activity>
-    </application> <!-- test -->
+    </application>
 
 </manifest>

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-\| TestTrue.xml:7:5:17:30 \| debuggable=true \| Warning: 'android:debuggable=true' set \|`
	`1`	`+\| TestTrue.xml:7:5:17:30 \| debuggable=true \| Warning: debuggable attribute enabled \|`