Making Android analyze with Coverity SAST tool


I have an Android application containing both Java and Kotlin code. I want to scan it for possible vulnerabilities using the Coverity SAST tool, version 2023.12.0. I follow these steps:

./cov-configure --java

./cov-configure --kotlin

./cov-build --dir (path of idir file) --fs-capture-search (path of target source file) --no-command

./cov-analyze --dir (path of idir file) --aggressiveness-level high --android-security


cov emit command (I did not write it here because it just commits the result to localhost)

My scan results did not satisfy me, because it just scanned the Android manifest and some XML files. It found some vulnerabilities there, but when I looked at the log file, I realized that it did not capture any Java or Kotlin code. So, what is my mistake? Why did it not scan the Java or Kotlin files? If you use this tool, can you explain to me how you run Android scans?
