Checkmarx – Salesforce Code Review Tool

Code review is a step in the software development lifecycle that lets developers examine source code and catch bugs early in the development process. Several code review tools are available for Salesforce; Checkmarx is one of the best for helping Salesforce developers be more productive and effective during the SDLC.

Checkmarx is an accurate static analysis solution that helps identify different types of security vulnerabilities in your code. Developers can use it in the early stages of the SDLC as it identifies bugs and errors and provides practical solutions on how to address them. The Checkmarx framework supports more than 25 coding and scripting languages, including Apex, JS, Visualforce, and HTML.

Checkmarx offers two types of code analysis tools for developing Salesforce applications:

1. Force.com scanner

Force.com Security Source Scanner is a source analysis tool built right into the Force.com offering. Salesforce partners with Checkmarx to help users build trusted apps. The free Force.com scanner runs only one project at a time, and that project can contain at most 30,000 lines of code.

2. Checkmarx Static Analysis Suite 

This is the licensed version of the same Checkmarx engine; it can scan multiple projects with unlimited lines of code and is available as a 1-year or a 3-year subscription.

                        Force.com                              Checkmarx CxSAST
  Projects              Single                                 Unlimited
  Lines of code         30,000                                 Unlimited
  Supported languages   Apex, Visualforce, JavaScript, HTML    More than 25 coding and scripting languages
  Customer support      Not available                          Available

Process

The project scan process is relatively easy: submit the Salesforce.com username to the Force.com Security Source Scanner, and the scanner runs its code reviews and emails a notice of successful or unsuccessful job creation to the email address associated with that user. After the job is created and the scan completes, the archived result file is emailed to the address saved for that Apex username.

What are the Issues and Vulnerabilities?

The Force.com Security Source Scanner can detect the following Apex design and code issues:

  • DML statements inside loops
  • Hardcoding (IDs, List[0], etc.)
  • SOQL / SOSL queries inside loops
  • Queries without a WHERE clause or a LIMIT clause
  • Non-bulkified Apex methods
  • Future method calls inside a loop
  • Multiple triggers on the same object
  • Test methods without assertions

Security vulnerabilities 

The Force.com Security Source Scanner can detect: 

1. Cross-Site Scripting

This vulnerability occurs when an attacker is able to insert unauthorized JavaScript, VBScript, HTML, or other active content into a web page that another user views. By inserting a malicious script into the page, an attacker can hijack the user's session, perform unauthorized transactions as that user, steal confidential information, or simply deface the page.

Solution: Use HTMLENCODE wherever values are passed into the page.

Example:

Insecure:

Secure:
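As an added example (not code from the original post), the same encoding step on the controller side: HTMLENCODE is the Visualforce formula function the page names, and String.escapeHtml4() is the Apex equivalent for values a controller hands to markup rendered with escape="false" or assembles into HTML itself. Visualforce escapes plain {!merge} fields by default, so these are exactly the places where XSS shows up. GreetingController and the request parameter q are assumptions for illustration.

```apex
// Added example (not from the original post). A Visualforce controller that
// encodes untrusted input before it is placed into HTML. The class name and
// the request parameter 'q' are assumptions for illustration.
public with sharing class GreetingController {

    // Untrusted: taken straight from the request, e.g. /apex/Greeting?q=...
    public String rawInput { get; private set; }

    public GreetingController() {
        rawInput = ApexPages.currentPage().getParameters().get('q');
    }

    // Insecure: returning the raw value and rendering it with
    //   <apex:outputText value="{!unsafeGreeting}" escape="false"/>
    // lets any markup or script inside 'q' run in the viewer's browser.
    public String getUnsafeGreeting() {
        return '<b>Hello, ' + rawInput + '</b>';
    }

    // Secure: encode the untrusted part so <, >, " and & become entities.
    // String.escapeHtml4() in Apex plays the role HTMLENCODE plays in Visualforce:
    //   <apex:outputText value="{!HTMLENCODE(rawInput)}" escape="false"/>
    public String getSafeGreeting() {
        String encoded = rawInput == null ? '' : rawInput.escapeHtml4();
        return '<b>Hello, ' + encoded + '</b>';
    }
}
```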

2. SOQL / SOSL Injection

SOQL/SOSL injection is a common application security bug that results from building database queries from user-supplied data without protection. It happens when an unexpected value is supplied as input and that value is placed directly into a SOQL/SOSL query string, so that the meaning of the whole query changes.

Solution: Pass the input string through String.escapeSingleQuotes() before it goes into the query.

Example:

Insecure (the input is concatenated straight into the query text, so a quote character in it can end the literal and change the query):

    Contact conObj = Database.query('SELECT Name, Id FROM Contact WHERE LastName = \'' + stringInput + '\' LIMIT 1');

Secure (the quote characters in the input are escaped, so it stays inside the literal):

    Contact conObj = Database.query('SELECT Name, Id FROM Contact WHERE LastName = \'' + String.escapeSingleQuotes(stringInput) + '\' LIMIT 1');
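As an added example (not code from the original post), the three forms side by side: a static query with a bind variable, which needs no escaping at all; the concatenated dynamic query; and the escaped dynamic query. It also covers the LIKE-wildcard case that escapeSingleQuotes() does not handle. ContactLookup and the method names are assumptions for illustration.

```apex
// Added example (not from the original post). Three ways of looking up a
// Contact by a user-supplied last name; only the first and third are safe.
public with sharing class ContactLookup {

    // Safe: a bind variable is sent as data and never parsed as SOQL, so
    // quotes or keywords in lastName cannot change the query. Prefer this form.
    public static List<Contact> byLastNameBind(String lastName) {
        return [SELECT Id, Name FROM Contact WHERE LastName = :lastName LIMIT 10];
    }

    // Insecure: the value is concatenated into the query text, so a single
    // quote in the input can close the string literal and the rest of the
    // input becomes part of the WHERE clause.
    public static List<Contact> byLastNameConcat(String lastName) {
        String q = 'SELECT Id, Name FROM Contact WHERE LastName = \'' + lastName + '\' LIMIT 10';
        return Database.query(q);
    }

    // Secure when dynamic SOQL is unavoidable: escapeSingleQuotes() turns '
    // into \' so the input cannot break out of the literal.
    public static List<Contact> byLastNameEscaped(String lastName) {
        String q = 'SELECT Id, Name FROM Contact WHERE LastName = \''
                 + String.escapeSingleQuotes(lastName) + '\' LIMIT 10';
        return Database.query(q);
    }

    // Caveat: escapeSingleQuotes() does nothing about LIKE wildcards. For a
    // LIKE filter, escape % and _ with a backslash and bind the finished pattern.
    public static List<Contact> byLastNamePrefix(String prefix) {
        String pattern = prefix.replaceAll('([%_])', '\\\\$1') + '%';
        return [SELECT Id, Name FROM Contact WHERE LastName LIKE :pattern LIMIT 10];
    }
}
```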

3. CRUD Issues

A CRUD issue occurs when code reads, inserts, updates, or deletes a record without first confirming that the running user has permission to perform that operation.

Solution:

Use the describe checks available in Apex, such as isAccessible(), isUpdateable(), isQueryable(), isCreateable(), and so on, on fields as well as on objects.

Example :

Query:

    if (Schema.sObjectType.Contact.isQueryable()) {
        // a bind variable is passed as data, so no escaping is needed here
        Contact conObj = [SELECT Name, Id FROM Contact WHERE LastName = :stringInput LIMIT 1];
    }

Insertion:

    // chainDetail: a list of records the controller has already queried (not shown on the page)
    // the field named in each FLS check must be the same field that is assigned
    Contact conObj = new Contact();
    if (Schema.sObjectType.Contact.fields.Title.isCreateable()) {
        conObj.Title = chainDetail[0].Name;
    }
    if (Schema.sObjectType.Contact.fields.Email.isCreateable()) {
        conObj.Email = chainDetail[0].Agenthub__Deal_Agreed__c;
    }
    if (Schema.sObjectType.Contact.isCreateable() && conObj != null) {
        insert conObj;
    }

Deletion:

    if (Schema.sObjectType.Contact.isDeletable() && conObj != null) {
        delete conObj;
    }

Update:

    Contact conObj = new Contact();
    conObj.Id = id;
    if (Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
        conObj.Email = 'example@gmail.com';
    }
    if (Schema.sObjectType.Contact.isUpdateable() && conObj != null) {
        update conObj;
    }

4. Access Control Issues (Sharing, FLS)

FLS (field-level security) defines which objects and fields a user can access. Record access is controlled separately through the organization's sharing settings, where the default access can be set to public or private and sharing can be organized by user, role, etc.

Lightning components and Visualforce pages get their data from Apex controllers, and Apex classes do not enforce sharing rules by default. The class must enforce them so that no one can reach records the running user is not allowed to see. Therefore, declare the class with the with sharing keyword.

Example:

Insecure: public class ClassName { ... }

Secure: public with sharing class ClassName { ... }
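As an added example (not code from the original post) covering both the CRUD section above and this one: a with sharing controller whose object- and field-level checks are done by one helper that takes the list of fields actually being written, so the check and the assignment cannot name different fields. ContactService, FieldAccessException and the method names are assumptions for illustration; update follows the same pattern with isUpdateable().

```apex
// Added example (not from the original post). A 'with sharing' controller that
// checks object and field permissions before reading and writing Contacts.
// ContactService and FieldAccessException are illustrative names.
public with sharing class ContactService {

    public class FieldAccessException extends Exception {}

    // Generic FLS check: every field in fieldNames must be creatable (insert)
    // or updateable (update) for the running user; otherwise fail closed.
    private static void requireFieldAccess(Schema.SObjectType sobjType, Set<String> fieldNames, Boolean forInsert) {
        // Describe map keys are lowercase, so normalise the requested names.
        Map<String, Schema.SObjectField> fieldMap = sobjType.getDescribe().fields.getMap();
        for (String f : fieldNames) {
            Schema.SObjectField sf = fieldMap.get(f.toLowerCase());
            if (sf == null) {
                throw new FieldAccessException('Unknown field ' + f);
            }
            Schema.DescribeFieldResult d = sf.getDescribe();
            if (!(forInsert ? d.isCreateable() : d.isUpdateable())) {
                throw new FieldAccessException('No access to field ' + f);
            }
        }
    }

    // Read: object-level check, then a static query with a bind variable.
    // Because the class is 'with sharing', the query also honours record sharing.
    public static List<Contact> findByLastName(String lastName) {
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new FieldAccessException('Contact is not readable');
        }
        return [SELECT Id, LastName, Email FROM Contact WHERE LastName = :lastName LIMIT 10];
    }

    // Create: the check names exactly the fields being written, so the check
    // and the assignment cannot drift apart as they can when guarded by hand.
    public static Id createContact(String lastName, String email) {
        if (!Schema.sObjectType.Contact.isCreateable()) {
            throw new FieldAccessException('Contact is not creatable');
        }
        requireFieldAccess(Contact.SObjectType, new Set<String>{'LastName', 'Email'}, true);
        Contact c = new Contact(LastName = lastName, Email = email);
        insert c;
        return c.Id;
    }
}
```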

5. Frame Spoofing

A frame spoofing vulnerability occurs when:

  • data enters the software from an untrusted source, and
  • that data is used as the source URL of an iframe without being validated.
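As an added example (not code from the original post), one way to validate an iframe source before it reaches the page: the URL must parse, must be https, and its host must exactly match an allowlist, otherwise the frame is not rendered. FrameController, the src parameter and the allowlisted hosts are assumptions for illustration.

```apex
// Added example (not from the original post). A controller that only lets an
// iframe point at hosts on an allowlist; FrameController, the 'src' parameter
// and the example hosts are assumptions for illustration.
public with sharing class FrameController {

    // Constructed allowlist; a real one would come from custom metadata.
    private static final Set<String> ALLOWED_HOSTS = new Set<String>{
        'help.example.com', 'status.example.com'
    };

    // Untrusted: /apex/Frame?src=... exactly as it arrives from the request
    public String requestedSrc { get; private set; }

    public FrameController() {
        requestedSrc = ApexPages.currentPage().getParameters().get('src');
    }

    // Returns the URL to use in <iframe src="{!frameUrl}">, or null when the
    // request would point the frame somewhere the page does not trust.
    public String getFrameUrl() {
        return validateFrameUrl(requestedSrc);
    }

    // Fail closed: must parse, must be https, host must match an entry exactly
    // (no prefix or suffix matching, which a look-alike host would defeat).
    public static String validateFrameUrl(String candidate) {
        if (String.isBlank(candidate)) {
            return null;
        }
        Url parsed;
        try {
            parsed = new Url(candidate);
        } catch (Exception e) {
            return null;  // relative or malformed values end here
        }
        if (parsed.getProtocol() != 'https') {
            return null;  // rejects http and non-web schemes alike
        }
        String host = parsed.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return null;
        }
        return parsed.toExternalForm();
    }
}
```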

Conclusion

The main reason for code reviews is to keep the quality of your code as high as possible; code review also limits the number of errors that reach production. For companies looking to minimize application security risk, Checkmarx offers a way to eliminate vulnerabilities early in the SDLC. Compared with other source analysis tools, Checkmarx is widely accepted by Salesforce development teams because it fits seamlessly into the existing software development life cycle and helps with quick implementation to meet ever-evolving business needs.

Want to hire the best Salesforce consulting partner to empower your teams and add value to your business? Get in touch with Cloud Analogy and discover how our CRM experts can help you successfully optimize Salesforce Implementation through their in-depth knowledge of the domain.

Sachin Arora

Scrum Master and Principal Solutions Architect
Sachin, a renowned Scrum Master and Principal Solutions Architect at Cloud Analogy, has rich experience when it comes to working on process improvement in a fast-paced environment maintaining high level of quality in all deliverables. Sachin's expertise lies in varied hardware and software environments including Cloud technologies such as Salesforce, AWS, Cloud Foundry & Google App Engine and Mobile.
