[BUG] DML Inside of Apex Properties Not Evaluated for User_Mode AccessLevel. #1716

Open
cubiccompass opened this issue Jan 12, 2025 · 2 comments
Labels
WaitingForFixFromPMD Waiting for PMD to fix an issue so that we can incorporate the fix into Salesforce Code Analyzer

Comments

@cubiccompass

Have you tried to resolve this issue yourself first?

Yes

Bug Description

SELECT queries / DML inside of Apex properties missing AccessLevel.USER_MODE are not flagged for ApexCRUDViolation.

public with sharing class MyClass{
   private ID m_pid;
   
   public MyClass(ID parentId){
      this.m_pid = parentId; 
   }
   
   public List<SObject> ChildRecords{
      get{
        // Missing WITH USER_MODE. Not flagged for ApexCRUDViolation.
         return [SELECT Id, Name FROM ChildRecord__c WHERE ParentId=:m_pid];
      }
   }
   
   public List<SObject> queryChildRecords(){
         // Missing WITH USER_MODE. Flagged for ApexCRUDViolation.
         return [SELECT Id, Name FROM ChildRecord__c WHERE ParentId=:m_pid]; 
   }
}

Output / Logs

No response

Steps To Reproduce

  1. Create an Apex class with a property that has get and set accessors.
  2. Add DML within the accessors that does not define an AccessLevel.
  3. Run scanner: sf scanner run --format csv --outfile CodeAnalyzerGeneral.csv --target ./ --category Security
  4. Output of scan does not identify any violations within the Apex properties.

Expected Behavior

Expected scanner to identify and recommend AccessLevel USER_MODE within any DML in properties.

Operating System

MacOS Sequoia 15.1

Salesforce CLI Version

2.71.6-df87f59.

Code Analyzer Plugin (@salesforce/sfdx-scanner) Version

4.7.0

Additional Context (Screenshots, Files, etc)

No response

Workaround

Search all files for the pattern get{ and manually review all DML for missing AccessLevel.

Urgency

Low
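
The manual workaround above (search for get{ and review each accessor) can be scripted. This is an added example, not part of the original issue or of Code Analyzer: a heuristic Python scan that brace-matches get/set accessor bodies and reports inline SOQL lacking WITH USER_MODE and DML statements lacking `as user`. The function names and the sample class are constructed for illustration; dynamic SOQL and method-form DML such as Database.insert(...) are not covered.

```python
import re

ACCESSOR = re.compile(r'\b(get|set)\s*\{', re.I)        # Apex keywords are case-insensitive
SOQL = re.compile(r'\[\s*SELECT\b.*?\]', re.I | re.S)    # inline [SELECT ...] up to first ']'
DML = re.compile(r'\b(insert|update|upsert|delete|undelete|merge)\b'
                 r'(?!\s+as\s+user\b)\s+[^;]+;', re.I)    # DML statement without "as user"
USER_MODE = re.compile(r'\bWITH\s+USER_MODE\b', re.I)

def strip_comments(src):
    # Blank out // and /* */ comments but keep newlines so line numbers hold.
    return re.sub(r'//[^\n]*|/\*.*?\*/',
                  lambda m: re.sub(r'[^\n]', ' ', m.group()), src, flags=re.S)

def accessor_bodies(src):
    # Yield (kind, body_offset, body) for every get{...} / set{...} block.
    for m in ACCESSOR.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        yield m.group(1).lower(), m.end(), src[m.end():i - 1]

def find_unchecked(src):
    # Return [(line, accessor, reason)] for data access that lacks user mode.
    clean, findings = strip_comments(src), []
    for kind, off, body in accessor_bodies(clean):
        hits = [(q.start(), 'SOQL without WITH USER_MODE')
                for q in SOQL.finditer(body) if not USER_MODE.search(q.group())]
        hits += [(d.start(), 'DML without AS USER') for d in DML.finditer(body)]
        for pos, reason in sorted(hits):
            findings.append((clean.count('\n', 0, off + pos) + 1, kind, reason))
    return findings

# Constructed sample, modelled on the class in the issue (not real project code).
SAMPLE = '''\
public with sharing class MyClass {
   public List<SObject> ChildRecords {
      get {
         // Missing WITH USER_MODE
         return [SELECT Id, Name FROM ChildRecord__c WHERE ParentId = :m_pid];
      }
      set { update value; }
   }
   public List<SObject> Safe { get { return [SELECT Id FROM ChildRecord__c WITH USER_MODE]; } }
}
'''
if __name__ == '__main__':
    print(find_unchecked(SAMPLE))
```

Because this is regex-based, string literals containing braces or `//` can produce false positives or misses; treat the output as a review list, not a verdict.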

@stephen-carter-at-sf
Collaborator

@cubiccompass Thanks for reporting this issue. I have forwarded this issue over to pmd/pmd#5463 where you can monitor the progress. As soon as PMD resolves this issue, we will report back here.

@stephen-carter-at-sf stephen-carter-at-sf added the WaitingForFixFromPMD Waiting for PMD to fix an issue so that we can incorporate the fix into Salesforce Code Analyzer label Jan 13, 2025
@cubiccompass
Author

Thanks @stephen-carter-at-sf.

btw - I also submitted Case #469508448 as a related issue.

In the course of trying to reproduce this using the Checkmarx security scanner, I found the online scanner is no longer generating reports.
