
False Positive: AndroidInsecureLocalAuthentication.ql #21527

@Carlson-JLQ

Description


Version
codeql 2.23.9

When I run Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql on code like this, the problem is reported:

package scensct.core.neg;

public class NegCase3 extends android.hardware.biometrics.BiometricPrompt.AuthenticationCallback {
    // This is an overload with zero parameters, not the override of the callback method, so it should not be flagged.
    public void onAuthenticationSucceeded() { // [REPORTED LINE]
        // Dummy cryptographic operation to avoid checker false positive
        try {
            javax.crypto.Cipher.getInstance("AES");
        } catch (Exception e) {
            // Ignore
        }
        System.out.println("Overload without parameter.");
    }
}

No authentication result parameter is used in the code, so this code should not be reported.
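One way to restrict the match to methods that actually override the callback, rather than any method with that name, as an added illustration (this is not the query's own code or a patch for it); it assumes the CodeQL Java library predicates `Method.overrides`, `RefType.hasQualifiedName`, `Callable.getNumberOfParameters` and `Element.fromSource`, and that the nested callback type is named `BiometricPrompt$AuthenticationCallback` in the database:

```ql
import java

/**
 * The `onAuthenticationSucceeded(AuthenticationResult)` callback declared by
 * `android.hardware.biometrics.BiometricPrompt.AuthenticationCallback`.
 * Assumption: nested types are addressed with `$` in the qualified name.
 */
class BiometricSuccessCallbackDecl extends Method {
  BiometricSuccessCallbackDecl() {
    this.getDeclaringType()
        .hasQualifiedName("android.hardware.biometrics", "BiometricPrompt$AuthenticationCallback") and
    this.hasName("onAuthenticationSucceeded") and
    // The genuine callback takes exactly one parameter, the AuthenticationResult.
    this.getNumberOfParameters() = 1
  }
}

/**
 * A source method that really overrides the callback. A same-named
 * zero-parameter overload (as in `NegCase3` above) overrides nothing,
 * so it is excluded here instead of being matched by name alone.
 */
class BiometricSuccessCallbackOverride extends Method {
  BiometricSuccessCallbackOverride() {
    this.fromSource() and
    this.overrides(any(BiometricSuccessCallbackDecl decl))
  }

  /** The `AuthenticationResult` parameter whose `CryptoObject` the callback should use. */
  Parameter getResultParameter() { result = this.getParameter(0) }
}

from BiometricSuccessCallbackOverride cb
select cb, "Overrides BiometricPrompt.AuthenticationCallback.onAuthenticationSucceeded(AuthenticationResult)."
```

Run against the snippet above, the zero-parameter `onAuthenticationSucceeded()` in `NegCase3` produces no result, while a class that overrides the one-parameter callback does.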
