Static Apex Code Check Review and Analysis- No Need of Checkmarx

In order to develop any app in Salesforce for AppExchange, we must need to follow the security guideline to pass the security review.

Security Profile

The scanner will help to detect the following security vulnerability types:

  • Cross Site Scripting (reflected, stored, and DOM based)
  • SOQL/SOSL Injection
  • Access Control Issues (Sharing, FLS)
  • Cross site request forgery attacks
  • Arbitrary Redirects
  • Overly permissive postMessage targets

Quality Profile

The Security Source Scanner will detect the following common Apex coding and design issues:

  • DML statements inside loops
  • SOQL/SOSL inside loops
  • Hardcoding[0]
  • Hardcoding Trigger.old[0]
  • Queries with no Where clause or no LIMIT clause
  • Not bulkifying apex methods
  • Async (@future) methods inside loops
  • Hardcoding IDs
  • Multiple triggers on same object
  • Static Resource referencing
  • Multiple Visualforce forms in the same page
  • Test methods without assert

Steps to scan 

Prerequisites and Steps

  • Linux based OS- I am using ubuntu.
  • Install ant (Latest version)
  • Download the latest version– it would be a zip file
  • Extract that zip file- it will make a folder with name of PMD Zip file
  • Open terminal and change your directory to that PMD folder
  • Create a folder ‘scan’- you can manage your own – I just created to keep my stuffs in different folders. You just need to adjust the path in below given script while executing the script
  • Download all XML files from here. Actually these are defined Rulesets for each type of code check. For example, performance.xml will check the performance issues in the apex code like SOQL/DMLs inside loop.
  • Run the below given script.
    ./bin/ pmd -d "./scan/ap_code/classes" -f html -R "./scan/security.xml,./scan/performance.xml,./scan/apexunit.xml"   - reportfile "./scan/codereview.html" -language apex
    • “./scan/ap_code/classes” is directory path of folder where all apex code is.
    • “./scan/security.xml,./scan/performance.xml,./scan/apexunit.xml” is comma separated paths of rulesets that we are going to execute
    • ./scan/codereview.html” is direcoty path and name of file in which you are going to store the result of code scan.
  • Now go to path and there should be a file codereview.html in scan folder with results


8 thoughts on “Static Apex Code Check Review and Analysis- No Need of Checkmarx”

  1. Wonderful beat ! I would like to apprentice while you amend your web site, how can i subscribe for
    a blog website? The account aided me a acceptable deal.

    I had been a little bit acquainted of this your broadcast offered bright clear idea

  2. obviously like your website but you have to test the spelling on quite a few
    of your posts. A number of them are rife with spelling issues and
    I to find it very bothersome to tell the reality
    nevertheless I will definitely come again again.

  3. Usually I do not learn post on blogs, but I wish to say that this write-up very
    compelled me to check out and do so! Your writing style has been surprised me.

    Thanks, quite nice post.

  4. Simply wish to say your article is as amazing. The clarity for your submit is just excellent and that i could think you
    are knowledgeable in this subject. Fine together with your permission allow me to clutch your RSS feed to stay up to date with impending post.
    Thank you one million and please keep up the gratifying work.

  5. You need to take part in a contest for one of the highest quality
    websites on the web. I am going to highly recommend this website!
    0mniartist asmr

Comments are closed.