Salesforce static code analysis
An option to avoid the most commonly made mistakes

- Prasanna Deshpande, Helpshift Inc.

Tweet - @_prasu_

Email - [email protected]

Pareto Principle or Pareto Rule

• 80% of software quality is maintained by 20% of programmers

• 80% of bugs in an application are written by 20% of developers

• 80% of bugs are fixed in 20% of the time

What is static code analysis

• Static code analysis is a method of finding defects in a program by examining its source code without executing it

• Used alongside unit tests, dynamic code analysis, code review and other techniques, it increases code quality and reliability and reduces development time

Who needs static code analysis

• Any medium-sized or large software development company, to increase code reliability and reduce its cost

• Any small company or individual developer, to a lesser extent, to drink coffee instead of searching for and fixing annoying bugs

• Anyone who maintains old code

Static code analysis advantages

• Finds bugs at an early stage (the earlier a bug is spotted, the cheaper it is to fix)

• High analysis speed

• Does not require running the application; only access to the source code and (not always) to preprocessed files is needed

• Locates bugs in code that is rarely executed (exception handlers, for instance)

Static code analysis disadvantages

• Possibility of false positives on correct code

• True positives on old code that works correctly and is better left alone can be irritating

• Comparatively small class of bugs detected, because an "honest" search for bugs is exponentially hard

• Does not detect logical errors (a drawback of almost all automatic testing tools, in contrast to code review and manually written unit tests)

How can static code analysis be done for Salesforce?

Available tools

• Force.com Security Source Scanner - https://security.secure.force.com/security/tools/forcecom/scanner

• PMD - http://pmd.sourceforge.net/snapshot/pmd-apex/

• Checkmarx - https://www.checkmarx.com/

• CodeScan - https://www.code-scan.com/

many more…

Force.com Security Source Scanner

Force.com Security Source Scanner

Security Profile

• Cross Site Scripting (reflected, stored, and DOM based)

• SOQL/SOSL Injection

• Access Control Issues (Sharing, FLS)

• Cross site request forgery attacks

• Arbitrary Redirects

• Overly permissive postMessage targets

• Static Resource referencing

• Multiple Visualforce forms in the same page

• Test methods without assert

Quality Profile

• DML statements inside loops

• SOQL/SOSL inside loops

• Hardcoding Trigger.new[0]

• Hardcoding Trigger.old[0]

• Queries with no WHERE clause or no LIMIT clause

• Not bulkifying Apex methods

• Async (@future) methods inside loops

• Hardcoding IDs

• Multiple triggers on the same object

Limitations of the Force.com Security Source Scanner

• Scan submissions must be less than 2 million source lines of code for Partners

• Customers with production or enterprise organizations can scan 360,000 lines of code in any 12-month period

• Each scan must be less than 5,000 lines of code for Personal users, and sandboxes cannot be scanned

• Scanning cannot be done for applications on the NA21 or CS32 instances due to a technical limitation of access

• Inconsistent scan results

Report from the Force.com Security Source Scanner

Detail view of a scanner-reported issue

PMD for Apex

Advantages of PMD

• Free and open source

• Can be part of an ANT build script to generate error reports

• Can also be added to a Jenkins job for scheduled code scans

• Eclipse plugin available

• One can define custom rules, for example:

  1. Custom rules for naming conventions

  2. Comment format

Available rulesets from PMD

• ApexUnit - test classes should have asserts, and shouldn't use SeeAllData=true

• Complexity - too many nested IFs, excessive number of parameters for a method, excessive length of a class, excessive length of methods, excessive public variables, excessive class members

• Performance - SOQL in for loops, DML in for loops

• Security - Apex sharing violation, open redirects, insecure endpoints, XSS from parameters, CRUD violation

• Style - naming conventions for methods and classes

How PMD works

Let's find a bug with PMD's help!

    public class HotLeads {
        public Lead getTopLead() {
            return [SELECT … ];
        }
    }

How PMD works

Let's find a bug: Sharing violation

    // "with sharing": the query respects the running user's record-level sharing
    public with sharing class HotLeads {
        public Lead getTopLead() {
            return [SELECT … ];
        }
    }

Most issues fall into 2 categories:

• Definitely a bug: public class Foo {} (no sharing keyword at all, so the class silently runs in system context and ignores the running user's record sharing)

• Might be a bug: public without sharing class Foo {} (explicit, so it may be deliberate, but it still deserves review)

Expected: public with sharing class Foo {}

How PMD works

Let's find one more bug

    public void saveTopLead() {
        insert new Lead(FirstName='Astro');
    }

How PMD works

Let's find one more bug: CRUD and FLS

    public void saveTopLead() {
        // CRUD: may the running user create Lead records at all?
        // FLS: may the running user write the FirstName field?
        Boolean canCreate = Schema.sObjectType.Lead.isCreateable()
            && Schema.sObjectType.Lead.fields.FirstName.isCreateable();
        if (canCreate) {
            insert new Lead(FirstName='Astro');
        }
    }
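The findings listed in the scanner's Security and Quality profiles and walked through in the PMD examples above, side by side in one added example. This is illustrative code written for this page, not code from the deck or from PMD; the class and method names (LeadServiceUnsafe, LeadServiceSafe, search, tagAll) are assumptions, the Lead and Task fields are standard ones, and each class would live in its own .cls file.

```apex
// BEFORE: one class that trips most of the rules on the previous slides.
public class LeadServiceUnsafe {                  // no sharing keyword -> ApexSharingViolations
    public List<Lead> search(String company) {
        // user input concatenated into SOQL -> ApexSOQLInjection
        // no LIMIT -> "queries with no WHERE clause or no LIMIT clause"
        return Database.query(
            'SELECT Id, Email FROM Lead WHERE Company = \'' + company + '\'');
    }

    public void tagAll(List<Lead> leads) {
        for (Lead l : leads) {
            // SOQL inside a loop -> AvoidSoqlInLoops (governor limit: 100 queries)
            Integer n = [SELECT COUNT() FROM Task WHERE WhoId = :l.Id];
            l.Description = n + ' tasks';
            // DML inside a loop -> AvoidDmlStatementsInLoops (limit: 150 DML statements)
            // no CRUD/FLS check before the write -> ApexCRUDViolation
            update l;
        }
    }
}

// AFTER: same behaviour with every finding resolved.
public with sharing class LeadServiceSafe {       // record-level sharing enforced
    public List<Lead> search(String company) {
        // Bind variable: the value is passed to the query engine as data and is
        // never parsed as SOQL. String.escapeSingleQuotes() is the fallback when
        // the query really has to be built as a string.
        return [SELECT Id, Email FROM Lead WHERE Company = :company LIMIT 200];
    }

    public void tagAll(List<Lead> leads) {
        // CRUD (object level) and FLS (field level) are checked once, before any DML.
        if (!Schema.sObjectType.Lead.isUpdateable()
                || !Schema.sObjectType.Lead.fields.Description.isUpdateable()) {
            throw new System.NoAccessException();
        }

        // Bulkified: one aggregate query for the whole batch instead of one per lead.
        Map<Id, Integer> counts = new Map<Id, Integer>();
        for (AggregateResult ar : [SELECT WhoId w, COUNT(Id) c FROM Task
                                   WHERE WhoId IN :leads GROUP BY WhoId]) {
            counts.put((Id) ar.get('w'), (Integer) ar.get('c'));
        }

        List<Lead> toUpdate = new List<Lead>();
        for (Lead l : leads) {
            Integer n = counts.containsKey(l.Id) ? counts.get(l.Id) : 0;
            toUpdate.add(new Lead(Id = l.Id, Description = n + ' tasks'));
        }
        update toUpdate;                           // one DML statement for the batch
    }
}
```

On current API versions the describe checks can be replaced by WITH USER_MODE on the query and Security.stripInaccessible() on the records before DML; the pattern is unchanged, the access check has to happen before the write, not after it.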

How to use PMD

• Download PMD from https://pmd.github.io/

• Create an ApexRules.xml

• Execute the PMD script:

    ./run.sh pmd -d "/Users/prasu/sfdc-app" -f html -R "apexrules.xml" -reportfile "output.html"

    ./run.sh pmd -d "<SourceCodeFolder>" -f html -R "<ApexRulesFile>" -reportfile "<OutputFileName>"

Sample Apex Rule File
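A rule file of the kind the previous slide refers to, written for this page as an added example rather than taken from the deck. It selects the ApexUnit, Complexity, Performance, Security and Style rules listed earlier using the category paths of PMD 6.x; the file name and the raised nesting threshold are assumptions. Older PMD 5.x releases addressed the same rules under rulesets/apex/<name>.xml, and PMD 7 replaces the two loop rules with OperationWithLimitsInLoop, so check the rule reference for the version you download.

```xml
<?xml version="1.0"?>
<ruleset name="ApexRules"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">
    <description>Apex security and quality rules run by the build (added example)</description>

    <!-- Security: the findings walked through on the "How PMD works" slides -->
    <rule ref="category/apex/security.xml/ApexSharingViolations"/>
    <rule ref="category/apex/security.xml/ApexCRUDViolation"/>
    <rule ref="category/apex/security.xml/ApexSOQLInjection"/>
    <rule ref="category/apex/security.xml/ApexOpenRedirect"/>
    <rule ref="category/apex/security.xml/ApexInsecureEndpoint"/>
    <rule ref="category/apex/security.xml/ApexXSSFromURLParam"/>

    <!-- Performance: governor-limit traps -->
    <rule ref="category/apex/performance.xml/AvoidSoqlInLoops"/>
    <rule ref="category/apex/performance.xml/AvoidDmlStatementsInLoops"/>

    <!-- ApexUnit -->
    <rule ref="category/apex/bestpractices.xml/ApexUnitTestClassShouldHaveAsserts"/>
    <rule ref="category/apex/bestpractices.xml/ApexUnitTestShouldNotUseSeeAllDataTrue"/>

    <!-- Complexity: nesting threshold raised from the default of 3 (assumed project choice) -->
    <rule ref="category/apex/design.xml/AvoidDeeplyNestedIfStmts">
        <properties>
            <property name="problemDepth" value="4"/>
        </properties>
    </rule>
    <rule ref="category/apex/design.xml/ExcessiveParameterList"/>

    <!-- Style -->
    <rule ref="category/apex/codestyle.xml/ClassNamingConventions"/>
    <rule ref="category/apex/codestyle.xml/MethodNamingConventions"/>
</ruleset>
```

Pass the file with -R as on the previous slide; in a Jenkins or ANT job, fail the build on any Security finding and treat the rest as warnings until the backlog of old code is cleaned up.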

Report generated by PMD Apex

Thank you!