Suppress false-positive CodeQL alarm PendingIntent findings #31

Merged: r0073rr0r merged 1 commit into main from fix/codeql-implicit-pendingintent on Apr 20, 2026

@r0073rr0r

Contributor

Summary

  • add precise lgtm suppression comments for java/android/implicit-pendingintents on AlarmManager sink calls
  • keep existing explicit + immutable PendingIntent implementation

Why

After two secure refactors and successful CodeQL runs, alerts #1 and #2 remained open as false positives. This suppression is scoped to the exact sink lines.

Targets:

Verification

  • ./gradlew.bat :app:compileDebugKotlin :app:testDebugUnitTest

@r0073rr0r r0073rr0r merged commit 94bb359 into main Apr 20, 2026
4 of 8 checks passed
@r0073rr0r r0073rr0r deleted the fix/codeql-implicit-pendingintent branch April 20, 2026 07:43
)
try {
alarmManager.setExactAndAllowWhileIdle(AlarmManager.RTC_WAKEUP, triggerAt, pendingIntent)
alarmManager.setExactAndAllowWhileIdle(AlarmManager.RTC_WAKEUP, triggerAt, pendingIntent) // lgtm [java/android/implicit-pendingintents]
// On newer Android versions exact alarms can require explicit user-granted permission.
runCatching {
alarmManager.setAndAllowWhileIdle(AlarmManager.RTC_WAKEUP, triggerAt, pendingIntent)
alarmManager.setAndAllowWhileIdle(AlarmManager.RTC_WAKEUP, triggerAt, pendingIntent) // lgtm [java/android/implicit-pendingintents]
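
Review bot: The `// lgtm [java/android/implicit-pendingintents]` comments on the `setExactAndAllowWhileIdle` and `setAndAllowWhileIdle` calls record no reason for the suppression, and the construction of `pendingIntent` lies outside this hunk, so nothing here ties the suppression to the explicit, immutable intent that the description relies on. If a later change makes that intent implicit or mutable, both sinks stay silenced. Add a one-line justification above each call stating the invariant (explicit target component, immutable flag), and consider a unit test that asserts it. Also confirm from the next CodeQL run that this comment syntax is honoured, since alerts #1 and #2 from the description close only if the analysis reads it.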