Salesforce Static Code Analysis
An option to avoid most commonly done mistakes

- Prasanna Deshpande, Helpshift Inc.
Tweet - @_prasu_
Email - [email protected]



Pareto Principle or Pareto Rule

• 80% of software quality is maintained by 20% of
• 80% of bugs in an application are written by 20% of developers
• 80% of bugs are fixed in 20% of the time


What is static code analysis

• Static code analysis is a method of computer program debugging that is done by examining the code without executing the program.
• It is a technique that, used together with unit tests, dynamic code analysis, code review and other methods, increases code quality and reliability and decreases development time.


Who needs static code analysis

• Any medium-sized or large software development company – to increase code reliability and decrease its cost
• Any small company and individual developers – to a lesser extent – to drink coffee instead of searching for and fixing annoying bugs
• Anyone who supports old code


Static code analysis advantages

• Finds bugs at an early stage (the earlier a bug is spotted, the cheaper it is to fix)
• High analysis speed
• Does not require running the application; only access to the source code and (not always) to preprocessed files is needed
• Locates bugs in code that is rarely executed (exception handlers, for instance)


Static code analysis

• Possibility of false positives on correct code
• Positive alarms on old code that works correctly and is better left alone can be a nuisance
• Comparatively small class of bugs detected, due to the exponential difficulty of an "honest" bug search
• Does not detect logical errors (this is a drawback of almost all automatic testing tools, in contrast to code review and manually written unit tests)


How can static code analysis be done for Salesforce?

Available tools

• Force.com Security Source Scanner
• PMD - http://pmd.sourceforge.net/snapshot/
• Checkmarx - https://www.checkmarx.com/
• CodeScan - https://www.code-scan.com/
• many more…


Force.com security source scanner


Force.com Security Source Scanner

Security Profile

• Cross Site Scripting (reflected, stored, and DOM)
• SOQL/SOSL Injection
• Access Control Issues (Sharing, FLS)
• Cross site request forgery attacks
• Arbitrary Redirects
• Overly permissive postMessage targets
• Static Resource referencing
• Multiple Visualforce forms in the same page
• Test methods without assert

Quality Profile

• DML statements inside loops
• SOQL/SOSL inside loops
• Hardcoding Trigger.new[0]
• Hardcoding Trigger.old[0]
• Queries with no WHERE clause or no LIMIT clause
• Not bulkifying Apex methods
• Async (@future) methods inside loops
• Hardcoding IDs
• Multiple triggers on the same object


Limitations of Force.com security code scanner

• Scan submissions must be less than 2 million source lines of code for
• Customers with production or enterprise organizations can scan 360000 lines of code in any 12-month period
• Each scan is less than 5000 lines of code for Personal users, and a sandbox cannot be scanned
• Scanning cannot be done for applications on the NA21 or CS32 instances due to a technical limitation of access
• Inconsistent scan results


Report from Force.com Security source scanner


Detail view of scanner reported issue


PMD for Apex

Advantages of PMD

• Free and open source
• It can be part of an ANT build script to generate error reports
• It can also be added to a Jenkins job for scheduled code
• Eclipse plugin available
• One can define their own custom rules:
  1. Custom rules for naming conventions
  2. Comment format


Available Rulesets from PMD

• ApexUnit
  - Should have asserts
  - Shouldn't have SeeAllData=true
• Complexity
  - Too many nested IFs
  - Excessive number of parameters for a method
  - Excessive length of class
  - Excessive length of methods
  - Excessive public variables
  - Excessive class members
• Performance
  - SOQL in for loops
  - DML in for loops
• Security
  - Apex sharing violation
  - Open redirects
  - Insecure endpoints
  - XSS from parameters
  - CRUD violation
• Style
  - Naming conventions for methods and classes
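The "SOQL/DML inside loops" finding appears both in the Force.com scanner's Quality Profile and in PMD's Performance ruleset. The following Apex class is an added example, not code from the deck or from PMD: it shows the flagged pattern beside a bulkified rewrite. The class, method, object and field names (Lead, Account, Company, OwnerId) are assumptions for illustration.

```apex
// Added example, not from the deck: the "SOQL/DML inside loops" pattern that
// the Force.com scanner's Quality Profile and PMD's Performance ruleset report,
// beside a bulkified rewrite. Class and field names are assumed.
public with sharing class LeadOwnerAssignment {

    // Flagged: one SOQL query and one DML statement per lead. With a 200-record
    // bulk load this exceeds the synchronous governor limits (100 SOQL queries,
    // 150 DML statements) and the whole transaction is rolled back.
    public static void assignOwnersUnbulkified(List<Lead> leads) {
        for (Lead l : leads) {
            List<Account> accounts = [SELECT OwnerId FROM Account
                                      WHERE Name = :l.Company LIMIT 1];   // SOQL in loop
            if (!accounts.isEmpty()) {
                l.OwnerId = accounts[0].OwnerId;
                update l;                                                 // DML in loop
            }
        }
    }

    // Bulkified: collect the lookup keys, run one query, build a map, then issue
    // one DML statement for the whole list. Cost is constant regardless of size.
    public static void assignOwnersBulkified(List<Lead> leads) {
        Set<String> companies = new Set<String>();
        for (Lead l : leads) {
            if (String.isNotBlank(l.Company)) {
                companies.add(l.Company);
            }
        }

        Map<String, Id> ownerByCompany = new Map<String, Id>();
        for (Account a : [SELECT Name, OwnerId FROM Account WHERE Name IN :companies]) {
            ownerByCompany.put(a.Name, a.OwnerId);
        }

        List<Lead> toUpdate = new List<Lead>();
        for (Lead l : leads) {
            Id ownerId = ownerByCompany.get(l.Company);
            if (ownerId != null && l.OwnerId != ownerId) {
                l.OwnerId = ownerId;
                toUpdate.add(l);
            }
        }
        if (!toUpdate.isEmpty()) {
            update toUpdate;   // single DML statement for the whole batch
        }
    }
}
```

Running PMD with the Performance ruleset over this class reports only the first method; the second is the shape both scanners expect, and it is also the shape that survives a bulk data load or a trigger firing on 200 records.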


How PMD works

Let's find a bug with PMD's help!

    public class HotLeads {
        public Lead getTopLead() {
            return [SELECT … ];
        }
    }




How PMD works

Let's find a bug: Sharing violation

    public with sharing class HotLeads {
        public Lead getTopLead() {
            return [SELECT … ];
        }
    }

Most issues fall into two categories:

• Definitely a bug: public class Foo {}
• Might be a bug: public without sharing class Foo {}

Expected: public with sharing class Foo {}


How PMD works

Let's find one more bug

    public void saveTopLead() {
        insert new Lead(firstName='Astro');
    }

How PMD works

Let's find one more bug: CRUD and FLS

    public void saveTopLead() {
        Boolean canCreate = …;   // the check expression is cut off on the slide
        if (canCreate) {
            insert new Lead(firstName='Astro');
        }
    }
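The slide names both CRUD and FLS but its code only shows an object-level flag, and it silently skips the insert when the check fails. The class below is an added example, not the deck's own code or PMD's: it performs the object-level (CRUD) and field-level (FLS) create checks that PMD's ApexCRUDViolation rule looks for, in a class declared with sharing so ApexSharingViolations is satisfied as well, and it fails closed by throwing instead of skipping. The class name, exception name and the Lead field values are assumptions.

```apex
// Added example, not from the deck: CRUD and FLS checks before DML, the pattern
// PMD's ApexCRUDViolation rule expects, in a "with sharing" class. Field values
// and the class/exception names are assumed for illustration.
public with sharing class LeadWriter {

    public class AccessDeniedException extends Exception {}

    // Object-level (CRUD) check: may the running user create Lead records at all?
    public static Boolean canCreateLead() {
        return Schema.sObjectType.Lead.isCreateable();
    }

    // Field-level (FLS) check: may the running user write each field being set?
    // Every field the DML touches has to be checked, not just the object.
    public static Boolean canWriteLeadFields() {
        return Schema.sObjectType.Lead.fields.FirstName.isCreateable()
            && Schema.sObjectType.Lead.fields.LastName.isCreateable()
            && Schema.sObjectType.Lead.fields.Company.isCreateable();
    }

    public static Lead saveTopLead(String firstName) {
        if (!canCreateLead() || !canWriteLeadFields()) {
            // Fail closed: report the denial to the caller instead of silently
            // skipping the insert, so the missing permission is visible.
            throw new AccessDeniedException('Current user may not create Lead records');
        }
        Lead l = new Lead(FirstName = firstName, LastName = 'Nomical', Company = 'Astro Inc.');
        insert l;
        return l;
    }
}
```

The describe calls run against the current user's profile and permission sets, so the same class behaves correctly for an admin and for a community user. On newer API versions the Security.stripInaccessible method and the WITH SECURITY_ENFORCED clause in SOQL are the platform-provided alternatives for the same checks, but the explicit describe pattern above is the one the PMD rule recognises.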




How to use PMD

• Download PMD from https://pmd.github.io/
• Create an ApexRules.xml
• Execute the PMD script:

    ./run.sh pmd -d "/Users/prasu/sfdc-app" -f html -R "apexrules.xml" -reportfile

  In general:

    ./run.sh pmd -d "<SourceCodeFolder>" -f html -R "<ApexRulesFile>" -reportfile



Sample Apex Rule File
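The deck's rule file is a screenshot and is not reproduced here. The ruleset below is an added example, not the deck's file, that selects the rule groups from the "Available Rulesets from PMD" slide (security, performance, complexity, ApexUnit, style). The rule paths follow PMD 6's category layout (category/apex/*.xml), which is an assumption about the installed version: PMD 5 used rulesets/apex/*.xml and PMD 7 has renamed some rules, so check the rule reference shipped with your PMD before using it. The priority and property values are choices for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the deck's own rule file: a PMD 6.x ruleset for Apex covering
     the rule groups listed on the "Available Rulesets" slide. Rule paths assume PMD 6's
     category layout; verify them against the rule reference for your PMD version. -->
<ruleset name="ApexRules"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">

    <description>Security, performance, design, test and style rules for Apex.</description>

    <!-- Security: the findings worth treating as build breakers (priority 1) -->
    <rule ref="category/apex/security.xml/ApexSharingViolations">
        <priority>1</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexCRUDViolation">
        <priority>1</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexSOQLInjection"/>
    <rule ref="category/apex/security.xml/ApexOpenRedirect"/>
    <rule ref="category/apex/security.xml/ApexInsecureEndpoint"/>
    <rule ref="category/apex/security.xml/ApexXSSFromURLParam"/>

    <!-- Performance: SOQL/SOSL/DML inside loops -->
    <rule ref="category/apex/performance.xml/AvoidSoqlInLoops"/>
    <rule ref="category/apex/performance.xml/AvoidSoslInLoops"/>
    <rule ref="category/apex/performance.xml/AvoidDmlStatementsInLoops"/>

    <!-- Complexity: PMD 6 files these under the "design" category -->
    <rule ref="category/apex/design.xml/AvoidDeeplyNestedIfStmts"/>
    <rule ref="category/apex/design.xml/ExcessiveClassLength"/>
    <rule ref="category/apex/design.xml/ExcessivePublicCount"/>
    <rule ref="category/apex/design.xml/TooManyFields"/>
    <rule ref="category/apex/design.xml/ExcessiveParameterList">
        <properties>
            <!-- report methods with 5 or more parameters instead of the default 4 -->
            <property name="minimum" value="5"/>
        </properties>
    </rule>

    <!-- ApexUnit -->
    <rule ref="category/apex/bestpractices.xml/ApexUnitTestClassShouldHaveAsserts"/>
    <rule ref="category/apex/bestpractices.xml/ApexUnitTestShouldNotUseSeeAllDataTrue"/>

    <!-- Style: naming conventions for classes and methods -->
    <rule ref="category/apex/codestyle.xml/ClassNamingConventions"/>
    <rule ref="category/apex/codestyle.xml/MethodNamingConventions"/>
</ruleset>
```

Save this as the file passed with -R on the command line above. Giving the sharing and CRUD rules priority 1 lets a Jenkins or ANT step fail the build on security findings only while the quality findings are still reported for review, which keeps the scan from being switched off the first time it flags legacy code.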


Report generated by PMD Apex



Thank you!