Code Quality Assurance Overview
Below you can find all Code Quality Assurance (QA) activities for the EUDI Wallet project, which ensure that the EUDI Wallet meets functional, non-functional, performance and security requirements on both Android and iOS platforms.
Each release is planned and validated according to the agreed roadmap milestones, ensuring traceability between development deliverables and test execution.
Releases undergo full verification and validation through a combination of manual and automated testing, with QA activities integrated across all development phases to detect and prevent defects early.
All testing artefacts are managed in GitHub under: eu-digital-identity-wallet/eudi-doc-testing-application
Code Quality Controls
SonarCloud runs a set of code quality checks and analyses code along several quality dimensions across all stacks (Swift, Kotlin, Java, Python). The checks can be grouped into the following categories:
- Security (protecting software from threats, attacks and unauthorised access):
  - Security Vulnerabilities: Flaws in code or configuration that attackers can exploit to compromise the system. Through SonarCloud, the following security vulnerabilities have been identified: SQL Injection, Deserialisation, and Command Injection vulnerabilities.
  - Security Hotspots based on OWASP Top 10 / CWE Mappings: OWASP Top 10 refers to a list of the 10 most critical web application security risks. CWE (Common Weakness Enumeration) refers to a standardised catalogue of software weaknesses. Vulnerabilities and hotspots can be mapped to these categories for classification.
- Maintainability (measures how easily code can be understood, modified and extended):
  - Code Smells: Patterns in code that indicate potential design or implementation issues. They are warnings that indicate potential bad coding practices. The corresponding list that is checked per type of repository is the default list provided by SonarCloud.
  - Cognitive Complexity: A metric indicating how difficult code is to understand. It increases with nested logic, branching and poor readability. Details of the corresponding metric can be found here.
  - Duplications: Repeated blocks of code. High duplication leads to more effort in applying changes and increases the risk of inconsistency.
- Reliability (reflects how consistently software functions without failures):
  - Bugs: Static code analysis detects actual bugs that can cause runtime errors or incorrect behaviour.
  - Unit Test Coverage: A measure of how much of the code is exercised by automated tests. Higher coverage generally increases confidence in reliability but does not guarantee the absence of bugs.
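As an added illustration of the Cognitive Complexity metric named above (example code, not the EUDI Wallet project's own; Python is one of the analysed stacks), the following simplified scorer applies the published increment and nesting rules to Python functions and shows why nested branching is penalised more heavily than flat branching. It assumes the rules for structural increments, nesting penalties and boolean-operator runs only; recursion, lambdas and ternaries are not scored.

```python
# Added example, not EUDI Wallet project code: a simplified estimator of the
# SonarSource Cognitive Complexity metric for Python functions (structural
# increments, nesting penalties and boolean-operator runs only).
import ast

def _score(node, nesting):
    """Complexity contributed by an AST node (or list of nodes) at a depth."""
    if isinstance(node, list):
        return sum(_score(n, nesting) for n in node)
    if isinstance(node, ast.If):
        total = 1 + nesting + _score(node.test, nesting)
        total += _score(node.body, nesting + 1)
        # elif/else: +1 with no nesting penalty ("else: if" parses as elif)
        if len(node.orelse) == 1 and isinstance(node.orelse[0], ast.If):
            total += _score(node.orelse[0], nesting) - nesting
        elif node.orelse:
            total += 1 + _score(node.orelse, nesting + 1)
        return total
    if isinstance(node, (ast.For, ast.While)):
        header = node.iter if isinstance(node, ast.For) else node.test
        return 1 + nesting + _score(header, nesting) + _score(node.body, nesting + 1)
    if isinstance(node, ast.ExceptHandler):   # each except clause is structural
        return 1 + nesting + _score(node.body, nesting + 1)
    if isinstance(node, ast.BoolOp):          # +1 per run of the same operator
        return 1 + sum(_score(v, nesting) for v in node.values)
    if isinstance(node, ast.FunctionDef):     # nested def: deeper, no increment
        return _score(node.body, nesting + 1)
    return sum(_score(c, nesting) for c in ast.iter_child_nodes(node))

def cognitive_complexity(source):
    """Return {name: score} for every top-level function in Python source."""
    return {node.name: _score(node.body, 0)
            for node in ast.parse(source).body
            if isinstance(node, ast.FunctionDef)}

# Constructed sample input; the comments state the increments each line earns.
SAMPLE = '''
def nested(items):
    for item in items:                   # for +1
        if item.enabled:                 # if +1, nesting penalty +1
            try:
                item.run()
            except ValueError:           # except +1, nesting penalty +2
                pass
        elif item.retry or item.force:   # elif +1, "or" run +1
            item.run()
        else:                            # else +1
            item.skip()
    return items
'''
```

Calling `cognitive_complexity(SAMPLE)` scores `nested` at 9, of which 3 points come purely from nesting penalties; the same branches written without nesting would score 6.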
Test Types
Testing is organised across multiple levels to validate functionality, performance and security, ensuring comprehensive coverage throughout the development lifecycle:
| Test Type | Objective | Frequency |
|---|---|---|
| Unit | Component-level verification | Continuous |
| Functional | End-to-end behaviour validation | Per release |
| Security | Confidentiality, integrity and compliance | Per release |
| Performance | Response time, app stability, CPU and memory usage | Per release |
Unit Testing
- Objectives: Unit testing verifies the correctness of individual software components and is the first quality gate in the continuous integration (CI) pipeline. Unit testing supports early defect detection and continuous integration by ensuring each new change maintains baseline quality.
- Tools: Unit Testing Tools.
Functional Testing
- Objectives: Functional and end-to-end (E2E) testing ensures that each release behaves as expected according to defined epics and user stories.
- Requirements: The Functional Requirements against which the tests are executed.
- Test Specifications: The Functional Testing Specifications can be found here.
- Tools: Functional Testing Tools.
Security Testing
- Objectives: Security testing ensures the continuous security, integrity and resilience of the EUDI Wallet applications throughout their lifecycle. By integrating automated and manual security testing within a Secure Software Development Life Cycle (SDLC) and aligning with OWASP MASVS and MASTG standards, the framework enables early detection and remediation of vulnerabilities. It combines code analysis, penetration testing, and vulnerability management using tools such as SonarQube, OWASP Dependency-Check and DefectDojo to maintain compliance with recognised security standards and safeguard user trust in the EUDI Wallet ecosystem.
- Requirements and Test Specifications: The Security Requirements and Security Test Specifications of the EUDI Wallet.
- Tools: Security Testing Tools.
Performance Testing
- Objectives: Tests are conducted to evaluate the performance of the EUDI Wallet application under average user load across various mobile devices. This testing focuses on central processing unit (CPU) and memory usage, as well as network activity during common scenarios.
- Requirements: The Performance Requirements against which the tests are executed.
- Test Specifications: The Performance Test Specifications are derived from the relevant default metrics.
- Tools: Performance Testing Tools.
Test Tools
The following table summarises the tools used in the applicable test types:
| Test Type | Tools |
|---|---|
| Unit | SonarCloud |
| Functional | Manual testing: supported by Serenity BDD for structured reporting and visual coverage. Automation: Appium (mobile automation on Android and iOS), Java (test scripting language), JUnit (test framework). Other tools: IntelliJ IDEA (development and execution environment), Maven (dependency and build management), Appium Inspector (element inspection and locator validation), Xcode (building and exporting iOS .ipa files), Android .apk packages retrieved manually from Firebase for testing. |
| Security | OWASP MASVS/MASTG (mobile security verification), OWASP Dependency-Check (third-party library analysis), SQLCipher and Android Keystore (data protection), Burp Suite and MobSF (dynamic testing and static analysis) |
| Performance | Android: Android Studio Profiler and App Inspection; iOS: Xcode Instruments. Both are used for performance monitoring, memory usage and CPU/network profiling. |
Reporting
Each release is accompanied by Serenity-generated reports summarising test execution results and coverage.
Release Test Reports
| Release | Test Types | Report Links | Status |
|---|---|---|---|
| 2025.07.28 - Demo | Functional, Security, Performance | Functional test results; Security test results; Performance test results | ✅ Released |
| 2025.10.31 - Demo | Functional | - Functional test results | ✅ Released |
| 2025.12.xx - xxx | (to be added) | (to be added) | 🔄 In progress |
Older releases remain available in the reports directory of the testing repository.