Static Apex Code Check Review and Analysis – No Need of Checkmarx

Static Apex Code Check Review and Analysis in Salesforce involves assessing the quality, performance, security, and maintainability of Apex code before deployment. To publish an app on AppExchange, you must follow the Salesforce security guidelines in order to pass the security review. Here is a structured approach for performing such a review:

Code Quality Checks

a. Enforce Coding Standards

  • Use Salesforce Naming Conventions: Ensure variables, methods, and classes follow consistent naming conventions (e.g., camelCase for variables, PascalCase for classes).
  • Commenting: Check if the code is properly documented with meaningful comments.
  • Readable Code: Avoid complex or nested logic that reduces code readability.

b. Analyze Code Design

  • Ensure Apex code adheres to object-oriented principles:
    • Single Responsibility Principle: Each class/method should have a clear, single purpose.
    • Avoid Hardcoding: Use Custom Settings, Custom Metadata, or Custom Labels for configurable values.

Security Analysis

a. Enforce Salesforce Security Best Practices

CRUD/FLS Enforcement: Ensure all SOQL and DML operations enforce CRUD (Create, Read, Update, Delete) and FLS (Field-Level Security).

// Check field-level access before querying the field
if (Schema.sObjectType.Account.fields.Name.isAccessible()) {
    Account acc = [SELECT Name FROM Account WHERE Id = :accountId];
}

Avoid SOQL Injection: Use bind variables in SOQL queries to prevent injection attacks.

// Secure example: the search term is passed as a bind variable, never concatenated into the query
List<Account> accounts = [SELECT Id FROM Account WHERE Name = :searchTerm];

b. Secure Sharing and Access

  • Use the “with sharing” keyword in classes unless there’s a valid reason to omit it.
  • Verify sensitive operations have proper profile/permission validations.
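The following class, added here as an example and not part of the original post, puts the review points of this section side by side: a dynamic query that concatenates user input (the pattern a reviewer flags) next to its hardened forms using bind variables, an allow-listed field name for the one part of a query that cannot be bound, WITH SECURITY_ENFORCED for CRUD/FLS on reads, Security.stripInaccessible before DML, and the "with sharing" keyword. The class and method names (AccountSearch, searchUnsafe, searchSafe, searchSorted, renameAccounts) are assumed for illustration.

```apex
public with sharing class AccountSearch {

    // BEFORE (flagged in review): user input is concatenated into dynamic SOQL,
    // so the input can alter the query, and no CRUD/FLS check is performed.
    public static List<Account> searchUnsafe(String searchTerm) {
        String soql = 'SELECT Id, Name, AnnualRevenue FROM Account '
            + 'WHERE Name LIKE \'%' + searchTerm + '%\'';
        return Database.query(soql);
    }

    // AFTER: the bind variable keeps the input as data, and WITH SECURITY_ENFORCED
    // throws if the running user lacks read access to Account or any selected field.
    public static List<Account> searchSafe(String searchTerm) {
        String pattern = '%' + searchTerm + '%';
        return [SELECT Id, Name, AnnualRevenue
                FROM Account
                WHERE Name LIKE :pattern
                WITH SECURITY_ENFORCED];
    }

    // Dynamic SOQL where a field name comes from input: field names cannot be bound,
    // so validate the value against the object describe instead of trusting it.
    public static List<Account> searchSorted(String searchTerm, String sortField) {
        Map<String, Schema.SObjectField> fields = Schema.SObjectType.Account.fields.getMap();
        if (String.isBlank(sortField) || !fields.containsKey(sortField.toLowerCase())) {
            throw new IllegalArgumentException('Unsupported sort field');
        }
        String pattern = '%' + searchTerm + '%';
        // The bind variable :pattern is resolved from this method's scope by Database.query
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE :pattern '
            + 'WITH SECURITY_ENFORCED ORDER BY ' + sortField;
        return Database.query(soql);
    }

    // DML side of FLS: drop any field the user may not update before writing,
    // rather than failing the whole operation or silently writing restricted fields.
    public static void renameAccounts(List<Account> accounts) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, accounts);
        update decision.getRecords();
    }
}
```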

Performance Optimization

a. Efficient SOQL/DML Usage

SOQL in Loops: Avoid SOQL queries inside loops.

// Incorrect: one query per iteration, so 101 contacts exhaust the SOQL limit
for (Contact c : contacts) {
    Account acc = [SELECT Name FROM Account WHERE Id = :c.AccountId];
}

// Correct: collect the Ids first, then run a single query outside the loop
Set<Id> accountIds = new Set<Id>();
for (Contact c : contacts) {
    accountIds.add(c.AccountId);
}
Map<Id, Account> accounts = new Map<Id, Account>(
    [SELECT Name FROM Account WHERE Id IN :accountIds]
);

Governor Limits: Ensure code is optimized to stay within Salesforce governor limits (e.g., SOQL limit of 100 queries per transaction).

b. Bulkification

  • Ensure all triggers and classes are bulkified to handle multiple records in a single execution context. For example:

public static void updateContacts(List<Contact> contacts) {
    List<Contact> contactsToUpdate = new List<Contact>();
    for (Contact c : contacts) {
        if (c.AccountId != null) {
            c.Description = 'Updated by bulk operation';
            contactsToUpdate.add(c);
        }
    }
    // One DML statement for the whole batch, and none at all when there is nothing to update
    if (!contactsToUpdate.isEmpty()) {
        update contactsToUpdate;
    }
}
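A review should confirm bulkification with a test rather than by reading the code. The test class below is an added example, not part of the original post; it assumes the updateContacts method above lives in a class named ContactService. It pushes a full trigger-sized batch of 200 records through the method and asserts on governor-limit usage (one DML, zero SOQL) as well as on the result, which also satisfies the "test methods without assert" check from the scanner list.

```apex
@IsTest
private class ContactServiceTest {

    @IsTest
    static void updateContacts_bulkOf200_usesOneDmlAndNoSoql() {
        Account acc = new Account(Name = 'Bulk Test Account');
        insert acc;
        List<Contact> contacts = new List<Contact>();
        for (Integer i = 0; i < 200; i++) {
            contacts.add(new Contact(LastName = 'Contact ' + i, AccountId = acc.Id));
        }
        insert contacts;

        // startTest() gives the code under test a fresh set of governor limits,
        // so the Limits counters below reflect only what updateContacts consumed.
        Test.startTest();
        ContactService.updateContacts(contacts);
        System.assertEquals(1, Limits.getDmlStatements(),
            'A batch of 200 records must cost exactly one update statement');
        System.assertEquals(0, Limits.getQueries(),
            'The handler must not query inside its loop');
        Test.stopTest();

        Integer updated = [SELECT COUNT() FROM Contact
                           WHERE AccountId = :acc.Id
                           AND Description = 'Updated by bulk operation'];
        System.assertEquals(200, updated, 'Every contact in the batch should be updated');
    }

    @IsTest
    static void updateContacts_noMatchingRecords_issuesNoDml() {
        // Contacts without an AccountId are skipped, so no empty DML should be issued
        List<Contact> contacts = new List<Contact>{
            new Contact(LastName = 'Orphan 1'),
            new Contact(LastName = 'Orphan 2')
        };
        insert contacts;

        Test.startTest();
        ContactService.updateContacts(contacts);
        System.assertEquals(0, Limits.getDmlStatements(),
            'No update statement should run when nothing needs updating');
        Test.stopTest();
    }
}
```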

c. Other checks

The Force.com Security Source Scanner will detect the following common Apex coding and design issues:

  • DML statements inside loops
  • SOQL/SOSL inside loops
  • Hardcoding Trigger.new[0]
  • Hardcoding Trigger.old[0]
  • Queries with no Where clause or no LIMIT clause
  • Not bulkifying apex methods
  • Async (@future) methods inside loops
  • Hardcoding IDs
  • Multiple triggers on same object
  • Static Resource referencing
  • Multiple Visualforce forms in the same page
  • Test methods without assert

Code Analysis Tools

a. Salesforce Code Analysis Tools

  • Salesforce Code Analyzer (CLI): Use the Salesforce CLI to run static code analysis on Apex, LWC, and metadata files. It includes PMD (Programming Mistake Detector) rules.
  • PMD Extension in Visual Studio Code

b. Other Tools

  • PMD: A popular static analysis tool for checking Apex code quality.
  • Checkmarx/SonarQube: Use these for advanced security and performance checks.

c. Apex Replay Debugger

  • Use the Apex Replay Debugger to replay a transaction from its debug log and confirm at runtime the issues that static review surfaces.

Steps to scan

In VS Code Editor

  • You can perform Apex static code analysis in Visual Studio Code (VS Code) using the Apex PMD extension:
    • Install the Apex PMD extension
    • Open a class or trigger in VS Code
    • Execute “Apex Static Analysis: On File” from the command palette
    • Enable the “Run On File Save” checkbox to automatically run PMD in the background and display results each time you save a file
  • You can also use custom rules written in Java. To do this:
    • Ensure the jar file containing your custom rules is on the classpath
    • Use the additionalClassPaths setting to add additional folders to the classpath
  • Apex static code analysis can help you identify issues in your codebase such as bugs, programming errors, stylistic errors, suspicious constructs, code smells, and security vulnerabilities.
  • You can also use the Sonar language analyzer to evaluate your code.
