Lint Report

Overview

	Security
2	TrustAllX509TrustManager: Insecure TLS/SSL trust manager
	Included Additional Checks (76)
	Disabled Checks (41)

Insecure TLS/SSL trust manager

../../../../../../.gradle/caches/modules-2/files-2.1/com.athaydes.rawhttp/rawhttp-core/2.6.0/8bbc07fc8faa95d25f8d4d686336b37f674a84b1/rawhttp-core-2.6.0.jar: checkClientTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers
../../../../../../.gradle/caches/modules-2/files-2.1/com.athaydes.rawhttp/rawhttp-core/2.6.0/8bbc07fc8faa95d25f8d4d686336b37f674a84b1/rawhttp-core-2.6.0.jar: checkServerTrusted is empty, which could cause insecure network traffic due to trusting arbitrary TLS/SSL certificates presented by peers

This check looks for X509TrustManager implementations whose checkServerTrusted or checkClientTrusted methods do nothing (thus trusting any certificate chain) which could result in insecure network traffic caused by trusting arbitrary TLS/SSL certificates presented by peers.

More info: https://goo.gle/TrustAllX509TrustManager

To suppress this error, use the issue id "TrustAllX509TrustManager" as explained in the Suppressing Warnings and Errors section.

TrustAllX509TrustManager Security Warning Priority 6/10

Included Additional Checks

This card lists all the extra checks run by lint, provided from libraries, build configuration and extra flags. This is included to help you verify whether a particular check is included in analysis when configuring builds. (Note that the list does not include the hundreds of built-in checks into lint, only additional ones.)

AutoboxingStateCreation

Calling mutableStateOf<T>() when T is either backed by a primitive type on the JVM or is a value class results in a state implementation that requires all state values to be boxed. This usually causes an additional allocation for each state write, and adds some additional work to auto-unbox values when reading the value of the state. Instead, prefer to use a specialized primitive state implementation for Int, Long, Float, and Double when the state does not need to track null values and does not override the default SnapshotMutationPolicy.

Vendor: Jetpack Compose
Identifier: androidx.compose.runtime
Feedback: https://issuetracker.google.com/issues/new?component=612128

AutoboxingStateValueProperty

Avoid using the generic value accessor when using a State objects with a specialized types. Usages of the generic value property result in an unnecessary autoboxing operation whenever the state's value is read or written to. Use the specialized value accessor or property delegation to avoid unnecessary allocations.

Vendor: Jetpack Compose
Identifier: androidx.compose.runtime
Feedback: https://issuetracker.google.com/issues/new?component=612128

BadConfigurationProvider

An android.app.Application must implement androidx.work.Configuration.Provider
for on-demand initialization.

Vendor: Android Open Source Project
Identifier: androidx.work
Feedback: https://issuetracker.google.com/issues/new?component=409906

BadPeriodicWorkRequestEnqueue

When using enqueue() for `PeriodicWorkRequest`s, you might end up enqueuing
duplicate requests unintentionally. You should be using
enqueueUniquePeriodicWork with an ExistingPeriodicWorkPolicy.KEEP instead.

Vendor: Android Open Source Project
Identifier: androidx.work
Feedback: https://issuetracker.google.com/issues/new?component=409906

ComposableModifierFactory

Modifier factory functions that need to be aware of the composition should use androidx.compose.ui.composed {} in their implementation instead of being marked as @Composable. This allows Modifiers to be referenced in top level variables and constructed outside of the composition.

Vendor: Jetpack Compose
Identifier: androidx.compose.ui
Feedback: https://issuetracker.google.com/issues/new?component=612128

ComposableNaming

@Composable functions without a return type should use similar naming to classes, starting with an uppercase letter and ending with a noun. @Composable functions with a return type should be treated as normal Kotlin functions, starting with a lowercase letter.

Vendor: Jetpack Compose
Identifier: androidx.compose.runtime
Feedback: https://issuetracker.google.com/issues/new?component=612128

CompositionLocalNaming

CompositionLocal properties should be prefixed with Local. This helps make it clear at their use site that these values are local to the current composition. Typically the full name will be Local + the type of the CompositionLocal, for example val LocalFoo = compositionLocalOf { Foo() }.

Vendor: Jetpack Compose
Identifier: androidx.compose.runtime
Feedback: https://issuetracker.google.com/issues/new?component=612128

ConflictingOnColor

In the Material color system background colors have a corresponding 'on' color which is used for the content color inside a component. For example, a button colored primary will have onPrimary text. Because of this, it is important that there is only one possible onColor for a given color value, otherwise there is no way to know which 'on' color should be used inside a component. To fix this either use the same 'on' color for identical background colors, or use a different background color for each 'on' color.

Vendor: Jetpack Compose
Identifier: androidx.compose.material
Feedback: https://issuetracker.google.com/issues/new?component=612128

CoroutineCreationDuringComposition

Creating a coroutine with async or launch during composition is often incorrect - this means that a coroutine will be created even if the composition fails / is rolled back, and it also means that multiple coroutines could end up mutating the same state, causing inconsistent results. Instead, use LaunchedEffect and create coroutines inside the suspending block. The block will only run after a successful composition, and will cancel existing coroutines when key changes, allowing correct cleanup.

Vendor: Jetpack Compose
Identifier: androidx.compose.runtime
Feedback: https://issuetracker.google.com/issues/new?component=612128

DeepLinkInActivityDestination

Attaching a <deeplink> to an <activity> destination will never give the right behavior when using an implicit deep link on another app's task (where the system back should immediately take the user back to the app that triggered the deep link). Instead, attach the deep link directly to the second activity (either by manually writing the appropriate <intent-filter> or by adding the <deeplink> to the start destination of a nav host in that second activity).

Vendor: Android Open Source Project
Identifier: androidx.navigation.runtime
Feedback: https://issuetracker.google.com/issues/new?component=409828

DetachAndAttachSameFragment

When doing a FragmentTransaction that includes both attach() and detach() operations being committed on the same fragment instance, it is a no-op. The reason for this is that the FragmentManager optimizes all operations within a single transaction so the attach() and detach() cancel each other out and neither is actually executed. To get the desired behavior, you should separate the attach() and detach() calls into separate FragmentTransactions.

Vendor: Android Open Source Project
Identifier: androidx.fragment
Feedback: https://issuetracker.google.com/issues/new?component=460964

DialogFragmentCallbacksDetector

When using a DialogFragment, the setOnCancelListener and setOnDismissListener callback functions within the onCreateDialog function __must not be used__ because the DialogFragment owns these callbacks. Instead the respective onCancel and onDismiss functions can be used to achieve the desired effect.

Vendor: Android Open Source Project
Identifier: androidx.fragment
Feedback: https://issuetracker.google.com/issues/new?component=460964

EmptyNavDeepLink

Attempting to create an empty NavDeepLink will result in an IllegalStateException at runtime. You may set these arguments within the lambda of the call to navDeepLink.

Vendor: Android Open Source Project
Identifier: androidx.navigation.common
Feedback: https://issuetracker.google.com/issues/new?component=409828

EnsureInitializerMetadata

When a library defines a Initializer, it needs to be accompanied by a corresponding <meta-data> entry in the AndroidManifest.xml file.

Vendor: Android Open Source Project
Identifier: androidx.startup
Feedback: https://issuetracker.google.com/issues/new?component=823348

EnsureInitializerNoArgConstr

Every Initializer must have a no argument constructor.

Vendor: Android Open Source Project
Identifier: androidx.startup
Feedback: https://issuetracker.google.com/issues/new?component=823348

ExperimentalAnnotationRetention

Experimental annotations defined in Java source should use default (CLASS) retention, while Kotlin-sourced annotations should use BINARY retention.

Vendor: Android Open Source Project
Identifier: androidx.annotation.experimental
Feedback: https://issuetracker.google.com/issues/new?component=459778

FlowOperatorInvokedInComposition

Calling a Flow operator function within composition will result in a new Flow being created every recomposition, which will reset collectAsState() and cause other related problems. Instead Flow operators should be called inside remember, or a side effect such as LaunchedEffect.

Vendor: Jetpack Compose
Identifier: androidx.compose.runtime
Feedback: https://issuetracker.google.com/issues/new?component=612128

FragmentAddMenuProvider

The Fragment lifecycle can result in a Fragment being active longer than its view. This can lead to unexpected behavior from lifecycle aware objects remaining active longer than the Fragment's view. To solve this issue, getViewLifecycleOwner() should be used as a LifecycleOwner rather than the Fragment instance once it is safe to access the view lifecycle in a Fragment's onCreateView, onViewCreated, onActivityCreated, or onViewStateRestored methods.

Vendor: Android Open Source Project
Identifier: androidx.fragment
Feedback: https://issuetracker.google.com/issues/new?component=460964

FragmentBackPressedCallback

Vendor: Android Open Source Project
Identifier: androidx.fragment
Feedback: https://issuetracker.google.com/issues/new?component=460964

FragmentLiveDataObserve

When observing a LiveData object from a fragment's onCreateView, onViewCreated, onActivityCreated, or onViewStateRestored method getViewLifecycleOwner() should be used as the LifecycleOwner rather than the Fragment instance. The Fragment lifecycle can result in the Fragment being active longer than its view. This can lead to unexpected behavior from LiveData objects being observed longer than the Fragment's view is active.

Vendor: Android Open Source Project
Identifier: androidx.fragment
Feedback: https://issuetracker.google.com/issues/new?component=460964

FragmentTagUsage

FragmentContainerView replaces the <fragment> tag as the preferred way of adding fragments via XML. Unlike the <fragment> tag, FragmentContainerView uses a normal FragmentTransaction under the hood to add the initial fragment, allowing further FragmentTransaction operations on the FragmentContainerView and providing a consistent timing for lifecycle events.

More info: https://developer.android.com/reference/androidx/fragment/app/FragmentContainerView.html

Vendor: Android Open Source Project
Identifier: androidx.fragment
Feedback: https://issuetracker.google.com/issues/new?component=460964

FrequentlyChangedStateReadInComposition

This property is observable and is updated after every scroll or remeasure. If you use it in the composable function directly, it will be recomposed on every change, causing potential performance issues including infinity recomposition loops. Prefer wrapping it with derivedStateOf to use calculation based on this property in composition or collect changes inside LaunchedEffect instead.

Vendor: Jetpack Compose
Identifier: androidx.compose.foundation
Feedback: https://issuetracker.google.com/issues/new?component=612128

IdleBatteryChargingConstraints

Some devices are never considered charging and idle at the same time.
Consider removing one of these constraints.

Vendor: Android Open Source Project
Identifier: androidx.work
Feedback: https://issuetracker.google.com/issues/new?component=409906

InvalidColorHexValue

Vendor: Jetpack Compose
Identifier: androidx.compose.ui.graphics
Feedback: https://issuetracker.google.com/issues/new?component=612128

InvalidFragmentVersionForActivityResult

In order to use the ActivityResult APIs you must upgrade your Fragment version to 1.3.0. Previous versions of FragmentActivity failed to call super.onRequestPermissionsResult() and used invalid request codes

More info: https://developer.android.com/training/permissions/requesting#make-the-request

Vendor: Android Open Source Project
Identifier: androidx.activity
Feedback: https://issuetracker.google.com/issues/new?component=527362

InvalidPeriodicWorkRequestInterval

The interval duration for a PeriodicWorkRequest must be at least 15 minutes.

Vendor: Android Open Source Project
Identifier: androidx.work
Feedback: https://issuetracker.google.com/issues/new?component=409906

InvalidSetHasFixedSize

When a RecyclerView uses setHasFixedSize(...) you cannot use wrap_content for size in the scrolling direction.

Vendor: Android Open Source Project
Identifier: androidx.recyclerview
Feedback: https://issuetracker.google.com/issues/new?component=460887

LaunchDuringComposition

Calling launch during composition is incorrect. Doing so will cause launch to be called multiple times resulting in a RuntimeException. Instead, use SideEffect and launch inside of the suspending block. The block will only run after a successful composition.

Vendor: Jetpack Activity Compose
Identifier: androidx.activity.compose
Feedback: https://issuetracker.google.com/issues/new?component=612128

MissingColorAlphaChannel

Creating a Color with a hex value requires a 32 bit value (such as 0xFF000000), with 8 bits being used per channel (ARGB). Not passing a full 32 bit value will result in channels being undefined. For example, passing 0xFF0000 will result in a missing alpha channel, so the color will not appear visible.

Vendor: Jetpack Compose
Identifier: androidx.compose.ui.graphics
Feedback: https://issuetracker.google.com/issues/new?component=612128

ModifierFactoryExtensionFunction

Modifier factory functions should be defined as extension functions on Modifier to allow modifiers to be fluently chained.

Vendor: Jetpack Compose
Identifier: androidx.compose.ui
Feedback: https://issuetracker.google.com/issues/new?component=612128

ModifierFactoryReturnType

Modifier factory functions should return Modifier as their type, and not a subtype of Modifier (such as Modifier.Element).

Vendor: Jetpack Compose
Identifier: androidx.compose.ui
Feedback: https://issuetracker.google.com/issues/new?component=612128

ModifierFactoryUnreferencedReceiver

Modifier factory functions are fluently chained to construct a chain of Modifier objects that will be applied to a layout. As a result, each factory function must use the receiver Modifier parameter, to ensure that the function is returning a chain that includes previous items in the chain. Make sure the returned chain either explicitly includes this, such as return this.then(MyModifier) or implicitly by returning a chain that starts with an implicit call to another factory function, such as return myModifier(), where myModifier is defined as fun Modifier.myModifier(): Modifier.

Vendor: Jetpack Compose
Identifier: androidx.compose.ui
Feedback: https://issuetracker.google.com/issues/new?component=612128

ModifierNodeInspectableProperties

ModifierNodeElements may override inspectableProperties() to provide information about the modifier in the layout inspector. The default implementation attempts to read all of the properties on the class reflectively, which may not comprehensively or effectively describe the modifier.

Vendor: Jetpack Compose
Identifier: androidx.compose.ui
Feedback: https://issuetracker.google.com/issues/new?component=612128

ModifierParameter

The first (or only) Modifier parameter in a Composable function should follow the following rules:
- Be named modifier
- Have a type of Modifier
- Either have no default value, or have a default value of Modifier
- If optional, be the first optional parameter in the parameter list

Vendor: Jetpack Compose
Identifier: androidx.compose.ui
Feedback: https://issuetracker.google.com/issues/new?component=612128

MultipleAwaitPointerEventScopes

Pointer Input events are queued inside awaitPointerEventScope. Multiple calls to awaitPointerEventScope may exit the scope. During this time there is no guarantee that the events will be queued and some events may be dropped. It is recommended to use a single top-level block and perform the pointer events processing within such block.

Vendor: Jetpack Compose
Identifier: androidx.compose.ui
Feedback: https://issuetracker.google.com/issues/new?component=612128

MutableCollectionMutableState

Writes to mutable collections inside a MutableState will not cause a recomposition - only writes to the MutableState itself will. In most cases you should either use a read-only collection (such as List or Map) and assign a new instance to the MutableState when your data changes, or you can use an snapshot-backed collection such as SnapshotStateList or SnapshotStateMap which will correctly cause a recomposition when their contents are modified.

Vendor: Jetpack Compose
Identifier: androidx.compose.runtime
Feedback: https://issuetracker.google.com/issues/new?component=612128

NoCollectCallFound

You must call collect on the progress in the onBack function. The collect call is what properly splits the callback so it knows what to do when the back gestures is started vs when it is completed. Failing to call collect will cause all code in the block to run when the gesture is started.

Vendor: Jetpack Activity Compose
Identifier: androidx.activity.compose
Feedback: https://issuetracker.google.com/issues/new?component=612128

NullSafeMutableLiveData

This check ensures that LiveData values are not null when explicitly declared as non-nullable.

Kotlin interoperability does not support enforcing explicit null-safety when using generic Java type parameters. Since LiveData is a Java class its value can always be null even when its type is explicitly declared as non-nullable. This can lead to runtime exceptions from reading a null LiveData value that is assumed to be non-nullable.

Vendor: Android Open Source Project
Identifier: androidx.lifecycle
Feedback: https://issuetracker.google.com/issues/new?component=413132

OpaqueUnitKey

Certain Compose functions including remember, LaunchedEffect, and DisposableEffect declare (and sometimes require) one or more key parameters. When a key parameter changes, it is a signal that the previous invocation is now invalid. In certain cases, it may be required to pass Unit as a key to one of these functions, indicating that the invocation never becomes invalid. Using Unit as a key should be done infrequently, and should always be done explicitly by passing the Unit literal. This inspection checks for invocations where Unit is being passed as a key argument in any form other than the Unit literal. This is usually done by mistake, and can harm readability. If a Unit expression is being passed as a key, it is always equivalent to move the expression before the function invocation and pass the Unit literal instead.

Vendor: Jetpack Compose
Identifier: androidx.compose.runtime
Feedback: https://issuetracker.google.com/issues/new?component=612128

ProduceStateDoesNotAssignValue

produceState returns an observable State using values assigned inside the producer lambda. If the lambda never assigns (i.e value = foo), then the State will never change. Make sure to assign a value when the source you are producing values from changes / emits a new value. For sample usage see the produceState documentation.

Vendor: Jetpack Compose
Identifier: androidx.compose.runtime
Feedback: https://issuetracker.google.com/issues/new?component=612128

RememberReturnType

A call to remember that returns Unit is always an error. This typically happens when using remember to mutate variables on an object. remember is executed during the composition, which means that if the composition fails or is happening on a separate thread, the mutated variables may not reflect the true state of the composition. Instead, use SideEffect to make deferred changes once the composition succeeds, or mutate MutableState backed variables directly, as these will handle composition failure for you.

Vendor: Jetpack Compose
Identifier: androidx.compose.runtime
Feedback: https://issuetracker.google.com/issues/new?component=612128

RememberSaveableSaverParameter

The first parameter to rememberSaveable is a vararg parameter for inputs that when changed will cause the state to reset. Passing a Saver object to this parameter is an error, as the intention is to pass the Saver object to the saver parameter. Since the saver parameter is not the first parameter, it must be explicitly named.

Vendor: Jetpack Compose
Identifier: androidx.compose.runtime.saveable
Feedback: https://issuetracker.google.com/issues/new?component=612128

RemoveWorkManagerInitializer

If an android.app.Application implements androidx.work.Configuration.Provider,
the default androidx.startup.InitializationProvider needs to be removed from the
AndroidManifest.xml file.

Vendor: Android Open Source Project
Identifier: androidx.work
Feedback: https://issuetracker.google.com/issues/new?component=409906

RepeatOnLifecycleWrongUsage

The repeatOnLifecycle APIs should be used when the View is created, that is in the onCreate lifecycle method for Activities, or onViewCreated in case you're using Fragments.

Vendor: Android Open Source Project
Identifier: androidx.lifecycle
Feedback: https://issuetracker.google.com/issues/new?component=413132

ReturnFromAwaitPointerEventScope

Pointer Input events are queued inside awaitPointerEventScope. By using the return value of awaitPointerEventScope one might unexpectedly lose events. If another awaitPointerEventScope is restarted there is no guarantee that the events will persist between those calls. In this case you should keep all events inside the awaitPointerEventScope block

Vendor: Jetpack Compose
Identifier: androidx.compose.ui
Feedback: https://issuetracker.google.com/issues/new?component=612128

SpecifyForegroundServiceType

When using the setForegroundAsync() API, the application must override <service /> entry for SystemForegroundService to include the foreground service type in the AndroidManifest.xml file.

Vendor: Android Open Source Project
Identifier: androidx.work
Feedback: https://issuetracker.google.com/issues/new?component=409906

SpecifyJobSchedulerIdRange

When using JobScheduler APIs directly, WorkManager requires that developers specify a range of JobScheduler ids that are safe for WorkManager to use so the `id`s do not collide.
For more information look at androidx.work.Configuration.Builder.setJobSchedulerJobIdRange(int, int).

Vendor: Android Open Source Project
Identifier: androidx.work
Feedback: https://issuetracker.google.com/issues/new?component=409906

StateFlowValueCalledInComposition

Calling StateFlow.value within composition will not observe changes to the StateFlow, so changes might not be reflected within the composition. Instead you should use stateFlow.collectAsState() to observe changes to the StateFlow, and recompose when it changes.

Vendor: Jetpack Compose
Identifier: androidx.compose.runtime
Feedback: https://issuetracker.google.com/issues/new?component=612128

SuspiciousCompositionLocalModifierRead

Jetpack Compose is unable to send updated values of a CompositionLocal when it's read in a Modifier.Node's initializer and onAttach() or onDetach() callbacks. Modifier.Node's callbacks are not aware of snapshot reads, and their lifecycle callbacks are not invoked on every recomposition. If you read a CompositionLocal in onAttach() or onDetach(), you will only get the CompositionLocal's value once at the moment of the read, which may lead to unexpected behaviors. We recommend instead reading CompositionLocals at time-of-use in callbacks that apply your Modifier's behavior, like measure() for LayoutModifierNode, draw() for DrawModifierNode, and so on. To observe the value of the CompositionLocal manually, extend from the ObserverNode interface and place the read inside an observeReads {} block within the onObservedReadsChanged() callback.

Vendor: Jetpack Compose
Identifier: androidx.compose.ui
Feedback: https://issuetracker.google.com/issues/new?component=612128

UnnecessaryComposedModifier

Modifier.composed allows invoking @Composable functions when creating a Modifier instance - for example, using remember to have instance-specific state, allowing the same Modifier object to be safely used in multiple places. Using Modifier.composed without calling any @Composable functions inside is unnecessary, and since the Modifier is no longer skippable, this can cause a lot of extra work inside the composed body, leading to worse performance.

Vendor: Jetpack Compose
Identifier: androidx.compose.ui
Feedback: https://issuetracker.google.com/issues/new?component=612128

UnrememberedAnimatable

Animatable instances created during composition need to be `remember`ed, otherwise they will be recreated during recomposition, and lose their state. Either hoist the Animatable to an object that is not created during composition, or wrap the Animatable in a call to remember.

Vendor: Jetpack Compose
Identifier: androidx.compose.animation.core
Feedback: https://issuetracker.google.com/issues/new?component=612128

UnrememberedMutableState

State objects created during composition need to be `remember`ed, otherwise they will be recreated during recomposition, and lose their state. Either hoist the state to an object that is not created during composition, or wrap the state in a call to remember.

Vendor: Jetpack Compose
Identifier: androidx.compose.runtime
Feedback: https://issuetracker.google.com/issues/new?component=612128

UnsafeLifecycleWhenUsage

If the Lifecycle is destroyed within the block of Lifecycle.whenStarted or any similar Lifecycle.when method is suspended, the block will be cancelled, which will also cancel any child coroutine launched inside the block. As as a result, If you have a try finally block in your code, the finally might run after the Lifecycle moves outside the desired state. It is recommended to check the Lifecycle.isAtLeast before accessing UI in finally block. Similarly, if you have a catch statement that might catch CancellationException, you should check the Lifecycle.isAtLeast before accessing the UI. See documentation of Lifecycle.whenStateAtLeast for more details

Vendor: Android Open Source Project
Identifier: androidx.lifecycle
Feedback: https://issuetracker.google.com/issues/new?component=413132

UnsafeOptInUsageError

This API has been flagged as opt-in with error-level severity.

Any declaration annotated with this marker is considered part of an unstable or
otherwise non-standard API surface and its call sites should accept the opt-in
aspect of it by using the @OptIn annotation, using the marker annotation --
effectively causing further propagation of the opt-in aspect -- or configuring
the UnsafeOptInUsageError check's options for project-wide opt-in.

To configure project-wide opt-in, specify the opt-in option value in lint.xml
as a comma-delimited list of opted-in annotations:

<lint>
    <issue id="UnsafeOptInUsageError">
        <option name="opt-in" value="com.foo.ExperimentalBarAnnotation" />
    </issue>
</lint>

Vendor: Android Open Source Project
Identifier: androidx.annotation.experimental
Feedback: https://issuetracker.google.com/issues/new?component=459778

UnsafeOptInUsageWarning

This API has been flagged as opt-in with warning-level severity.

Any declaration annotated with this marker is considered part of an unstable or
otherwise non-standard API surface and its call sites should accept the opt-in
aspect of it by using the @OptIn annotation, using the marker annotation --
effectively causing further propagation of the opt-in aspect -- or configuring
the UnsafeOptInUsageWarning check's options for project-wide opt-in.

To configure project-wide opt-in, specify the opt-in option value in lint.xml
as a comma-delimited list of opted-in annotations:

<lint>
    <issue id="UnsafeOptInUsageWarning">
        <option name="opt-in" value="com.foo.ExperimentalBarAnnotation" />
    </issue>
</lint>

Vendor: Android Open Source Project
Identifier: androidx.annotation.experimental
Feedback: https://issuetracker.google.com/issues/new?component=459778

UnsafeRepeatOnLifecycleDetector

The repeatOnLifecycle APIs should be used with the viewLifecycleOwner in Fragments as opposed to lifecycleOwner.

Vendor: Android Open Source Project
Identifier: androidx.fragment
Feedback: https://issuetracker.google.com/issues/new?component=460964

UnusedContentLambdaTargetStateParameter

content lambda in AnimatedContent works as a lookup function that returns the corresponding content based on the parameter (a state of type T). It is important for this lambda to return content specific to the input parameter, so that the different contents can be properly animated. Not using the input parameter to the content lambda will result in the same content for different input (i.e. target state) and therefore an erroneous transition between the exact same content.`

Vendor: Jetpack Compose
Identifier: androidx.compose.animation
Feedback: https://issuetracker.google.com/issues/new?component=612128

UnusedCrossfadeTargetStateParameter

content lambda in Crossfade works as a lookup function that returns the corresponding content based on the parameter (a state of type T). It is important for this lambda to return content specific to the input parameter, so that the different contents can be properly crossfaded. Not using the input parameter to the content lambda will result in the same content for different input (i.e. target state) and therefore an erroneous crossfade between the exact same content.`

Vendor: Jetpack Compose
Identifier: androidx.compose.animation
Feedback: https://issuetracker.google.com/issues/new?component=612128

UnusedMaterialScaffoldPaddingParameter

The content lambda in Scaffold has a padding parameter which will include any inner padding for the content due to app bars. If this parameter is ignored, then content may be obscured by the app bars resulting in visual issues or elements that can't be interacted with.

Vendor: Jetpack Compose
Identifier: androidx.compose.material
Feedback: https://issuetracker.google.com/issues/new?component=612128

UnusedTransitionTargetStateParameter

Transition.animate* functions provide a target state parameter in the lambda that will be used to calculate the value for a given state. This target state parameter in the lambda may or may not be the same as the actual state, as the animation system occasionally needs to look up target values for other states to do proper seeking/tooling preview. Relying on other state than the provided targetState could also result in unnecessary recompositions. Therefore, it is generally considered an error if this targetState parameter is not used.

Vendor: Jetpack Compose
Identifier: androidx.compose.animation.core
Feedback: https://issuetracker.google.com/issues/new?component=612128

UseAndroidAlpha

ColorStateList uses app:alpha without android:alpha

Vendor: Android Open Source Project
Identifier: androidx.appcompat
Feedback: https://issuetracker.google.com/issues/new?component=460343

UseAppTint

ImageView or ImageButton uses android:tint instead of app:tint

Vendor: Android Open Source Project
Identifier: androidx.appcompat
Feedback: https://issuetracker.google.com/issues/new?component=460343

UseCompatLoadingForColorStateLists

Use Compat loading of color state lists

Vendor: Android Open Source Project
Identifier: androidx.appcompat
Feedback: https://issuetracker.google.com/issues/new?component=460343

UseCompatLoadingForDrawables

Use Compat loading of drawables

Vendor: Android Open Source Project
Identifier: androidx.appcompat
Feedback: https://issuetracker.google.com/issues/new?component=460343

UseCompatTextViewDrawableApis

Use Compat loading of compound text view drawables

Vendor: Android Open Source Project
Identifier: androidx.appcompat
Feedback: https://issuetracker.google.com/issues/new?component=460343

UseCompatTextViewDrawableXml

TextView uses android: compound drawable attributes instead of app: ones

Vendor: Android Open Source Project
Identifier: androidx.appcompat
Feedback: https://issuetracker.google.com/issues/new?component=460343

UseGetLayoutInflater

Using LayoutInflater.from(Context) can return a LayoutInflater that does not have the correct theme.

Vendor: Android Open Source Project
Identifier: androidx.fragment
Feedback: https://issuetracker.google.com/issues/new?component=460964

UseOfNonLambdaOffsetOverload

Modifier.offset() is recommended to be used with static arguments only to avoid unnecessary recompositions. Modifier.offset{ } is preferred in the cases where the arguments are backed by a State.

Vendor: Jetpack Compose
Identifier: androidx.compose.foundation
Feedback: https://issuetracker.google.com/issues/new?component=612128

UseRequireInsteadOfGet

AndroidX added new "require____()" versions of common "get___()" APIs, such as getContext/getActivity/getArguments/etc. Rather than wrap these in something like requireNotNull(), using these APIs will allow the underlying component to try to tell you _why_ it was null, and thus yield a better error message.

Vendor: Android Open Source Project
Identifier: androidx.fragment
Feedback: https://issuetracker.google.com/issues/new?component=460964

UseRxSetProgress2

Use setCompletableProgress(...) instead of `setProgress(...) in RxWorker.

Vendor: Android Open Source Project
Identifier: androidx.work
Feedback: https://issuetracker.google.com/issues/new?component=409906

UseSupportActionBar

Use AppCompatActivity.setSupportActionBar

Vendor: Android Open Source Project
Identifier: androidx.appcompat
Feedback: https://issuetracker.google.com/issues/new?component=460343

UseSwitchCompatOrMaterialCode

Use SwitchCompat from AppCompat or SwitchMaterial from Material library

Vendor: Android Open Source Project
Identifier: androidx.appcompat
Feedback: https://issuetracker.google.com/issues/new?component=460343

UseSwitchCompatOrMaterialXml

Use SwitchCompat from AppCompat or SwitchMaterial from Material library

Vendor: Android Open Source Project
Identifier: androidx.appcompat
Feedback: https://issuetracker.google.com/issues/new?component=460343

UsingOnClickInXml

Old versions of the platform do not properly support resolving android:onClick

Vendor: Android Open Source Project
Identifier: androidx.appcompat
Feedback: https://issuetracker.google.com/issues/new?component=460343

WorkerHasAPublicModifier

When you define a ListenableWorker which is constructed using the
default WorkerFactory, the ListenableWorker sub-type needs to be public.

Vendor: Android Open Source Project
Identifier: androidx.work
Feedback: https://issuetracker.google.com/issues/new?component=409906

WrongRequiresOptIn

Experimental features defined in Kotlin source code must be annotated with the Kotlin
@RequiresOptIn annotation. Using androidx.annotation.RequiresOptIn will prevent the
Kotlin compiler from enforcing its opt-in policies.

Vendor: Android Open Source Project
Identifier: androidx.annotation.experimental
Feedback: https://issuetracker.google.com/issues/new?component=459778

Disabled Checks

One or more issues were not run by lint, either because the check is not enabled by default, or because it was disabled with a command line flag or via one or more lint.xml configuration files in the project directories.

AppCompatMethod

Disabled By: Default

When using the appcompat library, there are some methods you should be calling instead of the normal ones; for example, getSupportActionBar() instead of getActionBar(). This lint check looks for calls to the wrong method.

More info: https://developer.android.com/topic/libraries/support-library/

Note: This issue has an associated quickfix operation in Android Studio and IntelliJ IDEA.

AppLinksAutoVerify

Disabled By: Default

Ensures that app links are correctly set and associated with website.

More info: https://g.co/appindexing/applinks

BackButton

Disabled By: Default

According to the Android Design Guide,

"Other platforms use an explicit back button with label to allow the user to navigate up the application's hierarchy. Instead, Android uses the main action bar's app icon for hierarchical navigation and the navigation bar's back button for temporal navigation."

This check is not very sophisticated (it just looks for buttons with the label "Back"), so it is disabled by default to not trigger on common scenarios like pairs of Back/Next buttons to paginate through screens.

More info: https://d.android.com/r/studio-ui/designer/material/design

ComposableLambdaParameterNaming

Disabled By: Default

Composable functions with only one composable lambda parameter should use the name content for the parameter.

ComposableLambdaParameterPosition

Disabled By: Default

Composable functions with only one composable lambda parameter should place the parameter at the end of the parameter list, so it can be used as a trailing lambda.

ConvertToWebp

Disabled By: Default

The WebP format is typically more compact than PNG and JPEG. As of Android 4.2.1 it supports transparency and lossless conversion as well. Note that there is a quickfix in the IDE which lets you perform conversion.

Previously, launcher icons were required to be in the PNG format but that restriction is no longer there, so lint now flags these.
Note: This issue has an associated quickfix operation in Android Studio and IntelliJ IDEA.

DalvikOverride

Disabled By: Default

The Dalvik virtual machine will treat a package private method in one class as overriding a package private method in its super class, even if they are in separate packages.

If you really did intend for this method to override the other, make the method protected instead.

If you did not intend the override, consider making the method private, or changing its name or signature.

Note that this check is disabled be default, because ART (the successor to Dalvik) no longer has this behavior.

DefaultEncoding

Disabled By: Default

Some APIs will implicitly use the default system character encoding instead of UTF-8 when converting to or from bytes, such as when creating a default FileReader.

This is usually not correct; you only want to do this if you need to read files created by other programs where they have deliberately written in the same encoding. The default encoding varies from platform to platform and can vary from locale to locale, so this makes it difficult to interpret files containing non-ASCII characters.

We recommend using UTF-8 everywhere.

Note that on Android, the default file encoding is always UTF-8 (see https://developer.android.com/reference/java/nio/charset/Charset#defaultCharset() for more), so this lint check deliberately does not flag any problems in Android code, since it is always safe to rely on the default character encoding there.

DuplicateStrings

Disabled By: Default

Duplicate strings can make applications larger unnecessarily.

This lint check looks for duplicate strings, including differences for strings where the only difference is in capitalization. Title casing and all uppercase can all be adjusted in the layout or in code.

More info: https://developer.android.com/reference/android/widget/TextView.html#attr_android:inputType

EasterEgg

Disabled By: Default

An "easter egg" is code deliberately hidden in the code, both from potential users and even from other developers. This lint check looks for code which looks like it may be hidden from sight.

ExpensiveAssertion

Disabled By: Default

In Kotlin, assertions are not handled the same way as from the Java programming language. In particular, they're just implemented as a library call, and inside the library call the error is only thrown if assertions are enabled.

This means that the arguments to the assert call will always be evaluated. If you're doing any computation in the expression being asserted, that computation will unconditionally be performed whether or not assertions are turned on. This typically turns into wasted work in release builds.

This check looks for cases where the assertion condition is nontrivial, e.g. it is performing method calls or doing more work than simple comparisons on local variables or fields.

You can work around this by writing your own inline assert method instead:

@Suppress("INVISIBLE_REFERENCE", "INVISIBLE_MEMBER")
inline fun assert(condition: () -> Boolean) {
    if (_Assertions.ENABLED && !condition()) {
        throw AssertionError()
    }
}

In Android, because assertions are not enforced at runtime, instead use this:

inline fun assert(condition: () -> Boolean) {
    if (BuildConfig.DEBUG && !condition()) {
        throw AssertionError()
    }
}

Note: This issue has an associated quickfix operation in Android Studio and IntelliJ IDEA.

IconExpectedSize

Disabled By: Default

There are predefined sizes (for each density) for launcher icons. You should follow these conventions to make sure your icons fit in with the overall look of the platform.

More info: https://d.android.com/r/studio-ui/designer/material/iconography

InvalidPackage

Disabled By: Default

This check scans through libraries looking for calls to APIs that are not included in Android.

When you create Android projects, the classpath is set up such that you can only access classes in the API packages that are included in Android. However, if you add other projects to your libs/ folder, there is no guarantee that those .jar files were built with an Android specific classpath, and in particular, they could be accessing unsupported APIs such as java.applet.

This check scans through library jars and looks for references to API packages that are not included in Android and flags these. This is only an error if your code calls one of the library classes which wind up referencing the unsupported package.

KotlinPropertyAccess

Disabled By: Default

For a method to be represented as a property in Kotlin, strict “bean”-style prefixing must be used.

Accessor methods require a get prefix or for boolean-returning methods an is prefix can be used.

More info: https://android.github.io/kotlin-guides/interop.html#property-prefixes

KotlincFE10

Disabled By: Default

K2, the new version of Kotlin compiler, which encompasses the new frontend, is coming. Try to avoid using internal APIs from the old frontend if possible.

LambdaLast

Disabled By: Default

To improve calling this code from Kotlin, parameter types eligible for SAM conversion should be last.

More info: https://android.github.io/kotlin-guides/interop.html#lambda-parameters-last

LintDocExample

Disabled By: Default

Lint's tool for generating documentation for each issue has special support for including a code example which shows how to trigger the report. It will pick the first unit test it can find and pick out the source file referenced from the error message, but you can instead designate a unit test to be the documentation example, and in that case, all the files are included.

To designate a unit test as the documentation example for an issue, name the test testDocumentationExample, or if your detector reports multiple issues, testDocumentationExample<Id>, such as testDocumentationExampleMyId.

LintImplPsiEquals

Disabled By: Default

You should never compare two PSI elements for equality with equals; use PsiEquivalenceUtil.areElementsEquivalent(PsiElement, PsiElement) instead.

LintImplUnexpectedDomain

Disabled By: Default

This checks flags URLs to domains that have not been explicitly allowed for use as a documentation source.

LogConditional

Disabled By: Default

The BuildConfig class provides a constant, DEBUG, which indicates whether the code is being built in release mode or in debug mode. In release mode, you typically want to strip out all the logging calls. Since the compiler will automatically remove all code which is inside a if (false) check, surrounding your logging calls with a check for BuildConfig.DEBUG is a good idea.

If you really intend for the logging to be present in release mode, you can suppress this warning with a @SuppressLint annotation for the intentional logging calls.

MangledCRLF

Disabled By: Default

On Windows, line endings are typically recorded as carriage return plus newline: \r\n.

This detector looks for invalid line endings with repeated carriage return characters (without newlines). Previous versions of the ADT plugin could accidentally introduce these into the file, and when editing the file, the editor could produce confusing visual artifacts.

More info: https://bugs.eclipse.org/bugs/show_bug.cgi?id=375421

MinSdkTooLow

Disabled By: Default

The value of the minSdkVersion property is too low and can be incremented without noticeably reducing the number of supported devices.
Note: This issue has an associated quickfix operation in Android Studio and IntelliJ IDEA.

NegativeMargin

Disabled By: Default

Margin values should be positive. Negative values are generally a sign that you are making assumptions about views surrounding the current one, or may be tempted to turn off child clipping to allow a view to escape its parent. Turning off child clipping to do this not only leads to poor graphical performance, it also results in wrong touch event handling since touch events are based strictly on a chain of parent-rect hit tests. Finally, making assumptions about the size of strings can lead to localization problems.

NewerVersionAvailable

Disabled By: Default

This detector checks with a central repository to see if there are newer versions available for the dependencies used by this project. This is similar to the GradleDependency check, which checks for newer versions available in the Android SDK tools and libraries, but this works with any MavenCentral dependency, and connects to the library every time, which makes it more flexible but also much slower.
Note: This issue has an associated quickfix operation in Android Studio and IntelliJ IDEA.

NoHardKeywords

Disabled By: Default

Do not use Kotlin’s hard keywords as the name of methods or fields. These require the use of backticks to escape when calling from Kotlin. Soft keywords, modifier keywords, and special identifiers are allowed.

For example, ActionEvent's getWhen() method requires backticks when used from Kotlin:

val timestamp = event.`when`

More info: https://android.github.io/kotlin-guides/interop.html#no-hard-keywords

NoOp

Disabled By: Default

This check looks for code which looks like it's a no-op -- usually leftover expressions from interactive debugging, but in some cases bugs where you had intended to do something with the expression such as assign it to a field.

This check can be configured via the following options:

pure-getters (default is false):
Whether to assume methods with getter-names have no side effects.

Getter methods (where names start with get or is, and have non-void return types, and no arguments) should not have side effects. With this option turned on, lint will assume that is the case and will list any getter calls whose results are ignored as suspicious code.

To configure this option, use a `lint.xml` file in the project or source folder using an <option> block like the following:

 1 <lint>
 2     <issue id="NoOp">
 3         <option name="pure-getters" value="false" />                                                
 4     </issue>
 5 </lint>

PermissionNamingConvention

Disabled By: Default

Permissions should be prefixed with an app's package name, using reverse-domain-style naming. This prefix should be followed by .permission., and then a description of the capability that the permission represents, in upper SNAKE_CASE. For example, com.example.myapp.permission.ENGAGE_HYPERSPACE.

Following this recommendation avoids naming collisions, and helps clearly identify the owner and intention of a custom permission.

PrivacySandboxBlockedCall

Disabled By: Default

Many APIs are unavailable in the Privacy Sandbox, depending on the targetSdk.

If your code is designed to run in the sandbox (and never outside the sandbox) then you should remove the blocked calls to avoid exceptions at runtime.

If your code is part of a library that can be executed both inside and outside the sandbox, surround the code with if (!Process.isSdkSandbox()) { ... } (or use your own field or method annotated with @ChecksRestrictedEnvironment) to avoid executing blocked calls when in the sandbox. Or, add the @RestrictedForEnvironment annotation to the containing method if the entire method should not be called when in the sandbox.

This check is disabled by default, and should only be enabled in modules that may execute in the Privacy Sandbox.

Registered

Disabled By: Default

Activities, services and content providers should be registered in the AndroidManifest.xml file using <activity>, <service> and <provider> tags.

If your activity is simply a parent class intended to be subclassed by other "real" activities, make it an abstract class.

More info: https://developer.android.com/guide/topics/manifest/manifest-intro.html

RequiredSize

Disabled By: Default

All views must specify an explicit layout_width and layout_height attribute. There is a runtime check for this, so if you fail to specify a size, an exception is thrown at runtime.

It's possible to specify these widths via styles as well. GridLayout, as a special case, does not require you to specify a size.

SelectableText

Disabled By: Default

If a <TextView> is used to display data, the user might want to copy that data and paste it elsewhere. To allow this, the <TextView> should specify android:textIsSelectable="true".

This lint check looks for TextViews which are likely to be displaying data: views whose text is set dynamically.
Note: This issue has an associated quickfix operation in Android Studio and IntelliJ IDEA.

StopShip

Disabled By: Default

Using the comment // STOPSHIP can be used to flag code that is incomplete but checked in. This comment marker can be used to indicate that the code should not be shipped until the issue is addressed, and lint will look for these. In Gradle projects, this is only checked for non-debug (release) builds.

In Kotlin, the TODO() method is also treated as a stop ship marker; you can use it to make incomplete code compile, but it will throw an exception at runtime and therefore should be fixed before shipping releases.
Note: This issue has an associated quickfix operation in Android Studio and IntelliJ IDEA.

StringFormatTrivial

Disabled By: Default

Every call to String.format creates a new Formatter instance, which will decrease the performance of your app. String.format should only be used when necessary--if the formatted string contains only trivial conversions (e.g. b, s, c) and there are no translation concerns, it will be more efficient to replace them and concatenate with +.

SyntheticAccessor

Disabled By: Default

A private inner class which is accessed from the outer class will force the compiler to insert a synthetic accessor; this means that you are causing extra overhead. This is not important in small projects, but is important for large apps running up against the 64K method handle limit, and especially for libraries where you want to make sure your library is as small as possible for the cases where your library is used in an app running up against the 64K limit.
Note: This issue has an associated quickfix operation in Android Studio and IntelliJ IDEA.

TypographyQuotes

Disabled By: Default

Straight single quotes and double quotes, when used as a pair, can be replaced by "curvy quotes" (or directional quotes). Use the right single quotation mark for apostrophes. Never use generic quotes ", ' or free-standing accents `, ´ for quotation marks, apostrophes, or primes. This can make the text more readable.

More info: https://en.wikipedia.org/wiki/Quotation_mark

Note: This issue has an associated quickfix operation in Android Studio and IntelliJ IDEA.

UnknownNullness

Disabled By: Default

To improve referencing this code from Kotlin, consider adding explicit nullness information here with either @NonNull or @Nullable.

This check can be configured via the following options:

ignore-deprecated (default is false):
Whether to ignore classes and members that have been annotated with @Deprecated.

Normally this lint check will flag all unannotated elements, but by setting this option to true it will skip any deprecated elements.

To configure this option, use a `lint.xml` file in the project or source folder using an <option> block like the following:

 1 <lint>
 2     <issue id="UnknownNullness">
 3         <option name="ignore-deprecated" value="false" />                                           
 4     </issue>
 5 </lint>

More info: https://developer.android.com/kotlin/interop#nullability_annotations

Note: This issue has an associated quickfix operation in Android Studio and IntelliJ IDEA.

UnsupportedChromeOsHardware

Disabled By: Default

The <uses-feature> element should not require this unsupported large screen hardware feature. Any <uses-feature> not explicitly marked with required="false" is necessary on the device to be installed on. Ensure that any features that might prevent it from being installed on a ChromeOS, large screen, or foldable device are reviewed and marked as not required in the manifest.

More info: https://developer.android.com/topic/arc/manifest.html#incompat-entries

Note: This issue has an associated quickfix operation in Android Studio and IntelliJ IDEA.

UnusedIds

Disabled By: Default

This resource id definition appears not to be needed since it is not referenced from anywhere. Having id definitions, even if unused, is not necessarily a bad idea since they make working on layouts and menus easier, so there is not a strong reason to delete these.

The unused resource check can ignore tests. If you want to include resources that are only referenced from tests, consider packaging them in a test source set instead.

You can include test sources in the unused resource check by setting the system property lint.unused-resources.include-tests =true, and to exclude them (usually for performance reasons), use lint.unused-resources.exclude-tests =true.

Note: This issue has an associated quickfix operation in Android Studio and IntelliJ IDEA.

ValidActionsXml

Disabled By: Default

Ensures that an actions XML file is properly formed
Note: This issue has an associated quickfix operation in Android Studio and IntelliJ IDEA.

VulnerableCordovaVersion

Disabled By: Default

The version of Cordova used in the app is vulnerable to security issues. Please update to the latest Apache Cordova version.

More info: https://cordova.apache.org/announcements/2015/11/20/security.html

WrongThreadInterprocedural

Disabled By: Default

Searches for interprocedural call paths that violate thread annotations in the program. Tracks the flow of instantiated types and lambda expressions to increase accuracy across method boundaries.

More info: https://developer.android.com/guide/components/processes-and-threads.html#Threads

Suppressing Warnings and Errors

Lint errors can be suppressed in a variety of ways:

1. With a @SuppressLint annotation in the Java code
2. With a tools:ignore attribute in the XML file
3. With a //noinspection comment in the source code
4. With ignore flags specified in the build.gradle file, as explained below
5. With a lint.xml configuration file in the project
6. With a lint.xml configuration file passed to lint via the --config flag
7. With the --ignore flag passed to lint.

To suppress a lint warning with an annotation, add a @SuppressLint("id") annotation on the class, method or variable declaration closest to the warning instance you want to disable. The id can be one or more issue id's, such as "UnusedResources" or {"UnusedResources","UnusedIds"}, or it can be "all" to suppress all lint warnings in the given scope.

To suppress a lint warning with a comment, add a //noinspection id comment on the line before the statement with the error.

To suppress a lint warning in an XML file, add a tools:ignore="id" attribute on the element containing the error, or one of its surrounding elements. You also need to define the namespace for the tools prefix on the root element in your document, next to the xmlns:android declaration:
xmlns:tools="http://schemas.android.com/tools"

To suppress a lint warning in a build.gradle file, add a section like this:

android {
    lintOptions {
        disable 'TypographyFractions','TypographyQuotes'
    }
}

Here we specify a comma separated list of issue id's after the disable command. You can also use warning or error instead of disable to change the severity of issues.

To suppress lint warnings with a configuration XML file, create a file named lint.xml and place it at the root directory of the module in which it applies.

The format of the lint.xml file is something like the following:

<?xml version="1.0" encoding="UTF-8"?>
<lint>
    <!-- Ignore everything in the test source set -->
    <issue id="all">
        <ignore path="\*/test/\*" />
    </issue>

    <!-- Disable this given check in this project -->
    <issue id="IconMissingDensityFolder" severity="ignore" />

    <!-- Ignore the ObsoleteLayoutParam issue in the given files -->
    <issue id="ObsoleteLayoutParam">
        <ignore path="res/layout/activation.xml" />
        <ignore path="res/layout-xlarge/activation.xml" />
        <ignore regexp="(foo|bar)\.java" />
    </issue>

    <!-- Ignore the UselessLeaf issue in the given file -->
    <issue id="UselessLeaf">
        <ignore path="res/layout/main.xml" />
    </issue>

    <!-- Change the severity of hardcoded strings to "error" -->
    <issue id="HardcodedText" severity="error" />
</lint>

To suppress lint checks from the command line, pass the --ignore flag with a comma separated list of ids to be suppressed, such as:
$ lint --ignore UnusedResources,UselessLeaf /my/project/path

For more information, see https://developer.android.com/studio/write/lint.html#config