Salesforce static code analysis
Salesforce Static Code Analysis
A way to avoid the most commonly made mistakes
Prasanna Deshpande, Helpshift Inc.
Tweet - @_prasu_
Email - [email protected]
Pareto Principle or Pareto Rule
• 80% of software quality is maintained by 20% of
programmers
• 80% of bugs in an application are written by 20%
of developers
• 80% of bugs are fixed in 20% of time
What is static code analysis
• Static code analysis is a method of finding defects in a
  computer program by examining its source code without
  executing it
• Used alongside unit tests, dynamic analysis and code review,
  it raises code quality and reliability and shortens
  development time
Who needs static code analysis
• Any medium-sized or large software development company, to
  make its code more reliable and cheaper to produce
• Small companies and individual developers, to a lesser
  extent: to drink coffee instead of hunting down and fixing
  annoying bugs
• Anyone who maintains old code
Static code analysis advantages
• Finds bugs at an early stage (the earlier a bug is spotted,
  the cheaper it is to fix)
• Fast analysis
• Does not require running the application: only access to the
  source code is needed (and, for some languages, to
  preprocessed files)
• Finds bugs in code that is rarely executed (exception
  handlers, for instance), which tests and dynamic analysis
  tend to miss
Static code analysis disadvantages
• False positives: alarms on code that is actually correct
• True positives in old code that works and is better left
  alone can be a nuisance
• Comparatively small class of bugs detected, because an
  exhaustive ("honest") search over all execution paths is
  exponentially expensive
• Does not detect logic errors (a drawback of almost all
  automated testing tools, in contrast to code review and
  hand-written unit tests)
Available tools
• Force.com Security Source Scanner
  https://security.secure.force.com/security/tools/forcecom/scanner
• PMD http://pmd.sourceforge.net/snapshot/pmd-apex/
• Checkmarx https://www.checkmarx.com/
• CodeScan https://www.code-scan.com/
• many more…
Force.com Security Source Scanner
Security Profile
• Cross Site Scripting (reflected, stored, and DOM
based)
• SOQL/SOSL Injection
• Access Control Issues (Sharing, FLS)
• Cross site request forgery attacks
• Arbitrary Redirects
• Overly permissive postMessage targets
• Static Resource referencing
• Multiple Visualforce forms in the same page
• Test methods without assert
Quality Profile
• DML statements inside loops
• SOQL/SOSL inside loops
• Hardcoding Trigger.new[0]
• Hardcoding Trigger.old[0]
• Queries with no Where clause or no LIMIT clause
• Not bulkifying apex methods
• Async (@future) methods inside loops
• Hardcoding IDs
• Multiple triggers on same object
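The two profiles above are easier to read against code. The following is an added example, not code from the deck or from Salesforce: it shows one typical finding from each profile (SOQL injection from the Security profile; SOQL and DML inside a loop from the Quality profile) next to the version the scanner accepts. The class, method names and the "Follow up" subject are made up for illustration.

```apex
// Added example (not from the original deck): one finding from each profile of
// the Force.com Security Source Scanner, shown as the code the scanner flags
// next to the code that passes. Class, method and subject names are made up.
public with sharing class LeadQueries {

    // Security profile, SOQL injection. The caller-supplied string becomes
    // part of the query text, so a value such as
    //     x' OR Email LIKE '%
    // rewrites the WHERE clause instead of being compared as a literal.
    public static List<Lead> findByCompanyUnsafe(String company) {
        String soql = 'SELECT Id, Name FROM Lead WHERE Company = \'' + company + '\'';
        return Database.query(soql);
    }

    // Passes: a bind variable is handed to the query engine as a value and is
    // never parsed as SOQL, so no quoting trick can change the query.
    public static List<Lead> findByCompany(String company) {
        return [SELECT Id, Name FROM Lead WHERE Company = :company LIMIT 200];
    }

    // When the query really has to be assembled as a string, escape the value
    // before concatenating it and keep the LIMIT.
    public static List<Lead> findByCompanyDynamic(String company) {
        String soql = 'SELECT Id, Name FROM Lead WHERE Company = \''
            + String.escapeSingleQuotes(company) + '\' LIMIT 200';
        return Database.query(soql);
    }

    // Quality profile: SOQL inside a loop, DML inside a loop, method not
    // bulkified. With 200 Leads this runs 200 queries and up to 200 inserts in
    // one transaction, well past the synchronous governor limits of 100 SOQL
    // queries and 150 DML statements.
    public static void createFollowUpsUnsafe(List<Lead> leads) {
        for (Lead l : leads) {
            List<Task> open = [SELECT Id FROM Task
                               WHERE WhoId = :l.Id AND IsClosed = false];
            if (open.isEmpty()) {
                insert new Task(WhoId = l.Id, Subject = 'Follow up');
            }
        }
    }

    // Bulkified: one query for every Lead in the batch, one insert for every
    // Task that is needed, regardless of how many records were passed in.
    public static void createFollowUps(List<Lead> leads) {
        Set<Id> leadIds = new Map<Id, Lead>(leads).keySet();
        Set<Id> alreadyHasTask = new Set<Id>();
        for (Task t : [SELECT WhoId FROM Task
                       WHERE WhoId IN :leadIds AND IsClosed = false]) {
            alreadyHasTask.add(t.WhoId);
        }
        List<Task> toInsert = new List<Task>();
        for (Lead l : leads) {
            if (!alreadyHasTask.contains(l.Id)) {
                toInsert.add(new Task(WhoId = l.Id, Subject = 'Follow up'));
            }
        }
        if (!toInsert.isEmpty()) {
            insert toInsert;
        }
    }
}
```

The bind-variable form is the one to prefer; String.escapeSingleQuotes only protects a value that is wrapped in quotes, so it does nothing for an injected field name or ORDER BY clause, which must be allow-listed instead. The bulkified method is what a trigger handler should look like, since a trigger is invoked with up to 200 records at a time.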
Limitations of Force.com security code scanner
• Partner scan submissions must be under 2 million source lines of code
• Customers with production or enterprise orgs can scan 360,000
  lines of code in any 12-month period
• Each scan is limited to 5,000 lines of code for Personal users,
  and sandboxes cannot be scanned
• Applications on the NA21 or CS32 instances cannot be scanned,
  due to a technical access limitation
• Inconsistent scan results
Advantages of PMD
• Free and open source
• Can be run from an ANT build script to generate error reports
• Can be added to a Jenkins job for scheduled code scans
• Eclipse plugin available
• You can define your own custom rules, for example:
  1. Naming conventions
  2. Comment format
Available rulesets from PMD
• ApexUnit: test classes should have asserts, and shouldn't use
  SeeAllData=true
• Complexity: too many nested IFs, excessive number of method
  parameters, excessive class length, excessive method length,
  excessive public variables, excessive class members
• Performance: SOQL in for loops, DML in for loops
• Security: Apex sharing violation, open redirects, insecure
  endpoints, XSS from parameters, CRUD violation
• Style: naming conventions for methods and classes
How PMD works
Let's find a bug with PMD's help!
public class HotLeads {
    public Lead getTopLead() {
        return [SELECT … ];
    }
}
How PMD works
Found: sharing violation. The class declares no sharing mode, so
its SOQL runs in system context and returns records the running
user is not allowed to see. The fix:
public with sharing class HotLeads {
    public Lead getTopLead() {
        return [SELECT … ];
    }
}
Most findings fall into two categories:
• Definitely a bug: public class Foo {} (no sharing keyword at all)
• Might be a bug: public without sharing class Foo {} (explicit,
  but only correct if system context is really intended)
Expected: public with sharing class Foo {}
How PMD works
Let's find one more bug
public void saveTopLead() {
    insert new Lead(firstName='Astro');
}
How PMD works
Found: CRUD and FLS violation. "with sharing" only enforces
record-level access; object permissions (CRUD) and field-level
security (FLS) must be checked in code before the DML:
public void saveTopLead() {
    // CRUD: may the running user create Lead records at all?
    // FLS: may the running user write the FirstName field?
    Boolean canCreate = Schema.sObjectType.Lead.isCreateable()
        && Schema.sObjectType.Lead.fields.firstName.isCreateable();
    if (canCreate) {
        insert new Lead(firstName='Astro');
    }
}
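The fix on the slide checks a single field and silently skips the insert when the check fails. In practice a class reads and updates as well as inserts, and PMD's CRUD rule (ApexCRUDViolation in the Security ruleset) expects the object-level permission plus the field-level permission for every field a statement touches. The following is an added example, not code from the deck or from PMD, generalising that pattern to insert, read and update; the class, method and exception names are made up.

```apex
// Added example (not from the original deck): object-level CRUD plus
// field-level FLS checks for every operation a class performs. Names are
// made up; the describe calls are standard Apex.
public with sharing class LeadWriter {

    // Every field this class writes. Checking each one is what the CRUD/FLS
    // rule looks for; checking only one of them (as on the slide) is not enough.
    private static final List<Schema.SObjectField> LEAD_FIELDS =
        new List<Schema.SObjectField>{ Lead.FirstName, Lead.LastName, Lead.Company };

    public class AccessException extends Exception {}

    // CRUD: may the running user create Lead records at all?
    // FLS: may the running user write each field we are about to set?
    private static void requireCreateable() {
        if (!Schema.sObjectType.Lead.isCreateable()) {
            throw new AccessException('No create access on Lead');
        }
        for (Schema.SObjectField f : LEAD_FIELDS) {
            Schema.DescribeFieldResult d = f.getDescribe();
            if (!d.isCreateable()) {
                throw new AccessException('No create access on Lead.' + d.getName());
            }
        }
    }

    // Failing loudly is preferable to the silent skip on the slide: the caller
    // learns that nothing was saved instead of assuming success.
    public static Lead saveLead(String first, String last, String company) {
        requireCreateable();
        Lead l = new Lead(FirstName = first, LastName = last, Company = company);
        insert l;
        return l;
    }

    // Reads need the same treatment: isAccessible on the object and on every
    // field in the SELECT list.
    public static List<Lead> recentLeads() {
        if (!Schema.sObjectType.Lead.isAccessible()
            || !Schema.sObjectType.Lead.fields.Email.isAccessible()) {
            throw new AccessException('No read access on Lead.Email');
        }
        return [SELECT Id, Email FROM Lead ORDER BY CreatedDate DESC LIMIT 50];
    }

    // Updates: isUpdateable on the object and on the field being changed.
    public static void updateCompany(Id leadId, String company) {
        if (!Schema.sObjectType.Lead.isUpdateable()
            || !Schema.sObjectType.Lead.fields.Company.isUpdateable()) {
            throw new AccessException('No update access on Lead.Company');
        }
        update new Lead(Id = leadId, Company = company);
    }
}
```

Note what each layer covers: "with sharing" decides which records a query returns, isAccessible/isCreateable/isUpdateable on the object decide whether the user may perform the operation at all, and the same methods on the field describe decide whether a particular column may be read or written. A scanner that reports a CRUD/FLS violation is looking for the last two; sharing alone does not satisfy it.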
How to use PMD
• Download PMD from https://pmd.github.io/
• Create an ApexRules.xml ruleset file listing the Apex rules to run
• Run PMD (run.sh lives in the bin directory of the download):
  ./run.sh pmd -d "/Users/prasu/sfdc-app" -f html -R "apexrules.xml" -reportfile "output.html"
  In general:
  ./run.sh pmd -d "<SourceCodeFolder>" -f html -R "<ApexRulesFile>" -reportfile "<OutputFileName>"