In order to develop any app in Salesforce for AppExchange, we must need to follow the security guideline to pass the security review.
Security Profile
The scanner will help to detect the following security vulnerability types:
- Cross Site Scripting (reflected, stored, and DOM based)
- SOQL/SOSL Injection
- Access Control Issues (Sharing, FLS)
- Cross site request forgery attacks
- Arbitrary Redirects
- Overly permissive postMessage targets
Quality Profile
The Force.com Security Source Scanner will detect the following common Apex coding and design issues:
- DML statements inside loops
- SOQL/SOSL inside loops
- Hardcoding Trigger.new[0]
- Hardcoding Trigger.old[0]
- Queries with no Where clause or no LIMIT clause
- Not bulkifying apex methods
- Async (@future) methods inside loops
- Hardcoding IDs
- Multiple triggers on same object
- Static Resource referencing
- Multiple Visualforce forms in the same page
- Test methods without assert
Steps to scan
Prerequisites and Steps
- Linux based OS- I am using ubuntu.
- Install ant (Latest version)
- Download the latest version– it would be a zip file
- Extract that zip file- it will make a folder with name of PMD Zip file
- Open terminal and change your directory to that PMD folder
- Create a folder ‘scan’- you can manage your own – I just created to keep my stuffs in different folders. You just need to adjust the path in below given script while executing the script
- Download all XML files from here. Actually these are defined Rulesets for each type of code check. For example, performance.xml will check the performance issues in the apex code like SOQL/DMLs inside loop.
- Run the below given script.
./bin/run.sh pmd -d "./scan/ap_code/classes" -f html -R "./scan/security.xml,./scan/performance.xml,./scan/apexunit.xml" - reportfile "./scan/codereview.html" -language apex- “./scan/ap_code/classes” is directory path of folder where all apex code is.
- “./scan/security.xml,./scan/performance.xml,./scan/apexunit.xml” is comma separated paths of rulesets that we are going to execute
- ./scan/codereview.html” is direcoty path and name of file in which you are going to store the result of code scan.
- Now go to path and there should be a file codereview.html in scan folder with results
Links
- https://github.com/ayub-ansari/Static-Apex-Code-Check-Review-and-analysis
- https://pmd.github.io/pmd-5.5.2/pmd-apex/rules/index.html
- http://www.jitendrazaa.com/blog/salesforce/automated-code-review-for-apex-in-salesforce-static-code-analysis-video/
Wonderful beat ! I would like to apprentice while you amend your web site, how can i subscribe for
a blog website? The account aided me a acceptable deal.
I had been a little bit acquainted of this your broadcast offered bright clear idea
obviously like your website but you have to test the spelling on quite a few
of your posts. A number of them are rife with spelling issues and
I to find it very bothersome to tell the reality
nevertheless I will definitely come again again.
This is my first time visit at here and i am really pleassant
to read all at one place.
What’s up to all, for the reason that I am actually eager of reading this blog’s post to be
updated regularly. It contains nice stuff.
Usually I do not learn post on blogs, but I wish to say that this write-up very
compelled me to check out and do so! Your writing style has been surprised me.
Thanks, quite nice post.
When some one searches for his vital thing, thus he/she
needs to be available that in detail, therefore that thing
is maintained over here.
Simply wish to say your article is as amazing. The clarity for your submit is just excellent and that i could think you
are knowledgeable in this subject. Fine together with your permission allow me to clutch your RSS feed to stay up to date with impending post.
Thank you one million and please keep up the gratifying work.
You need to take part in a contest for one of the highest quality
websites on the web. I am going to highly recommend this website!
0mniartist asmr