Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Kotlin static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your KOTLIN code

Filtered: 62 rules found

cwe

Impact

Clean code attribute

Return values should not be ignored when they contain the operation status code
Bug
Exposing Java objects through JavaScript interfaces is security-sensitive
Security Hotspot
Obfuscation should be enabled for release builds
Vulnerability
Server-side requests should not be vulnerable to traversing attacks
Vulnerability
Accessing files should not lead to filesystem oracle attacks
Vulnerability
Environment variables should not be defined from untrusted input
Vulnerability
Using remote artifacts without authenticity and integrity checks is security-sensitive
Security Hotspot
Counter Mode initialization vectors should not be reused
Vulnerability
XML operations should not be vulnerable to injection attacks
Vulnerability
JSON operations should not be vulnerable to injection attacks
Vulnerability
Thread suspensions should not be vulnerable to Denial of Service attacks
Vulnerability
Enabling file access for WebViews is security-sensitive
Security Hotspot
Enabling JavaScript support for WebViews is security-sensitive
Security Hotspot
Constructing arguments of system commands from user input is security-sensitive
Security Hotspot
Mobile database encryption keys should not be disclosed
Vulnerability
Using unencrypted files in mobile applications is security-sensitive
Security Hotspot
Using biometric authentication without a cryptographic solution is security-sensitive
Security Hotspot
Using unencrypted databases in mobile applications is security-sensitive
Security Hotspot
Authorizing non-authenticated users to use keys in the Android KeyStore is security-sensitive
Security Hotspot
Applications should not create session cookies from untrusted input
Vulnerability
Reflection should not be vulnerable to injection attacks
Vulnerability
Extracting archives should not lead to zip slip vulnerabilities
Vulnerability
OS commands should not be vulnerable to argument injection attacks
Vulnerability
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Server hostnames should be verified during SSL/TLS connections
Vulnerability
Server-side templates should not be vulnerable to injection attacks
Vulnerability
Passwords should not be stored in plaintext or with a fast hashing algorithm
Vulnerability
Dynamic code execution should not be vulnerable to injection attacks
Vulnerability
Using clear-text protocols is security-sensitive
Security Hotspot
Accessing Android external storage is security-sensitive
Security Hotspot
Receiving intents is security-sensitive
Security Hotspot
Broadcasting intents is security-sensitive
Security Hotspot
NoSQL operations should not be vulnerable to injection attacks
Vulnerability
HTTP request redirections should not be open to forging attacks
Vulnerability
Logging should not be vulnerable to injection attacks
Vulnerability
Server-side requests should not be vulnerable to forging attacks
Vulnerability
Deserialization should not be vulnerable to injection attacks
Vulnerability
Endpoints should not be vulnerable to reflected cross-site scripting (XSS) attacks
Vulnerability
Server certificates should be verified during SSL/TLS connections
Vulnerability
Using weak hashing algorithms is security-sensitive
Security Hotspot
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Cryptographic keys should be robust
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Secure random number generators should not output predictable values
Vulnerability
Database queries should not be vulnerable to injection attacks
Vulnerability
Cipher Block Chaining IVs should be unpredictable
Vulnerability
Regular expressions should not be vulnerable to Denial of Service attacks
Vulnerability
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
XPath expressions should not be vulnerable to injection attacks
Vulnerability
I/O function calls should not be vulnerable to path injection attacks
Vulnerability
LDAP queries should not be vulnerable to injection attacks
Vulnerability
OS commands should not be vulnerable to command injection attacks
Vulnerability
Hard-coded credentials are security-sensitive
Security Hotspot
Password hashing functions should use an unpredictable salt
Vulnerability
Code annotated as deprecated should not be used
Code Smell
All code should be reachable
Bug
"equals(Any?)" and "hashCode()" should be overridden in pairs
Bug
Useless "if(true) {...}" and "if(false){...}" blocks should be removed
Bug
Jump statements should not occur in "finally" blocks
Bug
Track uses of "TODO" tags
Code Smell
Track uses of "FIXME" tags
Code Smell

Obfuscation should be enabled for release builds

intentionality - complete

security

Vulnerability

Obfuscation makes reverse engineering significantly more difficult by making code harder to understand. This helps to deter malicious actors from easily discovering vulnerabilities or stealing proprietary algorithms in publicly deployed software. It is therefore recommended to enable obfuscation in release builds.

Why is this an issue?

How can I fix it?

More Info

When you build a release version of your application, you’re creating a distributable package of your code. Without obfuscation, the compiled code retains readable names and structures, making it much easier for someone to reverse-engineer your application. This means they can potentially understand your code’s logic, extract sensitive information like API keys, or even modify your application for malicious purposes. Obfuscation scrambles these names and structures, making it significantly harder to reverse-engineer and understand, thus protecting your intellectual property and sensitive data.

Release builds are meant for distribution to end users and is therefore under constant scrutiny. Skipping obfuscation in these builds creates a serious vulnerability. While debugging builds often disable obfuscation for easier troubleshooting, failing to enable it for release builds exposes your application to unnecessary risks.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2025 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Sonar helps developers write Clean Code.
Privacy Policy | Cookie Policy | Terms of Use

In-IDE

SaaS

Self-Hosted