
Why do you believe it’s a false-positive/false-negative?
SonarQube does not respect merged manifests. Although usesCleartextTraffic and allowBackup are correctly configured inside the main manifest, the scanner alerts about application tags inside submodules.
This is an issue if you house e.g. activities inside application-tags in submodules.

Are you using

  • SonarQube - which version? Developer Edition Version 9.9.1
  • How can we reproduce the problem? Give us a self-contained snippet of code (formatted text, no screenshots)

    <!-- submodule manifest -->
    <application>
        <activity
            android:name=".feature.sample.MyActivity"
            android:configChanges="orientation|keyboardHidden"/>
    </application>

    <!-- main manifest -->
    <application
        android:name=".App"
        android:icon="@mipmap/app_icon_android_launch"
        android:roundIcon="@mipmap/app_icon_android_launch"
        android:theme="@style/AppTheme"
        android:supportsRtl="true"
        android:label="@string/app_name"
        android:usesCleartextTraffic="false"
        android:networkSecurityConfig="@xml/network_security_config"
        android:allowBackup="false"
        android:fullBackupContent="false"
        android:dataExtractionRules="@xml/data_extraction_rules">
    </application>


Are there any other solutions than:

  • disabling the rule completely
  • adding the config to all manifests
  • marking the rule as safe manually for all manifests except main
Hello @woodii,

Thanks for reaching out. Unfortunately, our XML analyzer is not going cross-file and can’t understand that the property is already configured.

This is exactly the reason we had it as a “Security Hotspot”. This means the developer can review it and discard issues if they are not relevant.

About the solution, I think you decide what works best for you. If it doesn’t bring any value, but the noise, just disable it. If you think it’s still relevant, then mark issues as “Safe”.

For our side, we’ll take your feedback into consideration and will think about what we can do.

Best,
Margarita
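
A cross-file check of the kind the analyzer does not perform, as an added example that is not part of the original thread and not SonarQube code. It assumes a simplified model in which the main manifest's `<application>` attributes are authoritative and a module manifest only matters when it sets one of them to a different value; the function names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
CHECKED = ("usesCleartextTraffic", "allowBackup")  # attributes named in the thread

def app_attrs(manifest_xml):
    """Return the checked android:* attributes explicitly set on <application>."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return {}
    found = {a: app.get(ANDROID + a) for a in CHECKED}
    return {a: v for a, v in found.items() if v is not None}

def review(main_xml, module_xmls):
    """Return (manifest, attribute, value) findings across all manifests.

    Assumption: the main manifest must set each attribute to "false"; a module
    manifest that leaves the attribute unset inherits that and is not reported.
    """
    main = app_attrs(main_xml)
    findings = [("main", a, main.get(a)) for a in CHECKED if main.get(a) != "false"]
    for name, text in module_xmls.items():
        for attr, value in app_attrs(text).items():
            if value != main.get(attr):
                findings.append((name, attr, value))
    return findings

# Constructed sample manifests modelled on the snippets in the question.
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
MAIN = f'''<manifest {NS}><application android:name=".App"
    android:usesCleartextTraffic="false" android:allowBackup="false"/></manifest>'''
FEATURE = f'''<manifest {NS}><application>
    <activity android:name=".feature.sample.MyActivity"/></application></manifest>'''
RISKY = f'''<manifest {NS}><application android:allowBackup="true"/></manifest>'''

if __name__ == "__main__":
    print(review(MAIN, {"feature": FEATURE}))                  # no findings
    print(review(MAIN, {"feature": FEATURE, "risky": RISKY}))  # one finding
```

Run against a project's real manifest files, the findings list shows which per-file hotspots can be marked “Safe” and which module actually overrides the main configuration.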