This document discusses static code analysis tools for Salesforce, including the Force.com Security Source Scanner and PMD. It describes how static code analysis can find bugs early by examining code without executing it. It provides details on the Force.com Scanner's security and quality profiles and limitations. It also explains how PMD works by scanning code for issues defined in rulesets and generating reports with potential bugs and violations.

1. Salesforce Static
code Analysis
An option to avoid most commonly done mistakes
- Prasanna Deshpande
Helpshift Inc.
Tweet - @_prasu_
Email - prasu@prasannadeshpande.com
1

2. Pareto Principle or Pareto Rule
• 80% of software quality is maintained by 20% of
programmers
• 80% of bugs in an application are written by 20%
of developers
• 80% of bugs are fixed in 20% of time
2

3. What is static code analysis
• Static code analysis is a
method of computer program
debugging that is done by
examine in the code without
executing the program
• It is a technique that allows, at
the same time with unit-tests,
dynamic code analysis, code
review and others, to increase
code quality, increase its
reliability and decrease the
development time.
3

4. Who needs static code
analysis
• Any medium-sized and large software development
company – to increase code reliability and decrease
its price
• Any small company and individual developers – in a
lesser extent – to drink coffee instead of searching
and fixing annoying bugs,
• Anyone, who supports any old code
4

5. Static code analysis advantages
• Allows to find bugs on early stages (the earlier the
bug was spotted, the cheaper it is to be fixed)
• High analysis speed
• Does not require to run the application, only an
access to source code and (not always) – to
preprocessed files
• Allows to locate bugs in code that is rarely executed
(exception handlers, for instance).
5

6. Static code analysis
disadvantages
• Possibility of false positive alarm on correct code,
• Correct positive alarms on old code, which works correctly and
which should better not be bothered, may be nauseous.
• Comparatively small class of bugs detected due to the exponential
difficulty of “honest” bug search.
• Does not detects logical errors (this is a drawback of almost all
automatic testing tools in contrast to code review and manually
written unit tests).
6

7. How static code analysis
can be done for Salesforce?
7

8. Available tools
• Force.com Security Source
Scanner
https://security.secure.force.com/sec
urity/tools/forcecom/scanner
• PMD
http://pmd.sourceforge.net/snapshot/
pmd-apex/
• Checkmarx
https://www.checkmarx.com/
• CodeScan -
https://www.code-scan.com/
many more…
8

9. Force.com security source scanner
9

10. Force.com Security Source Scanner
Security Profile
• Cross Site Scripting (reflected, stored, and DOM
based)
• SOQL/SOSL Injection
• Access Control Issues (Sharing, FLS)
• Cross site request forgery attacks
• Arbitrary Redirects
• Overly permissive postMessage targets
• Static Resource referencing
• Multiple Visualforce forms in the same page
• Test methods without assert
Quality Profile
• DML statements inside loops
• SOQL/SOSL inside loops
• Hardcoding Trigger.new[0]
• Hardcoding Trigger.old[0]
• Queries with no Where clause or no LIMIT clause
• Not bulkifying apex methods
• Async (@future) methods inside loops
• Hardcoding IDs
• Multiple triggers on same object
10

11. Limitations of Force.com
security code scanner
• Scan submissions to be less than 2 million source lines of code for
Partners
• Customers with production or enterprise organizations can scan
360000 lines of code in any 12 months period of time
• Each scan is less than 5000 lines of code for Personal users. And
sandbox cannot be scanned.
• Scanning cannot be done for application on the NA21 or CS32
instances due to technical limitation of access
• Inconsistent Scan results
11

12. Report from Force.com Security source scanner
12

13. Detail view of scanner reported issue
13

14. PMD for Apex
14

15. Advantages of PMD
• Free and open source
• It can be part of ANT build script to generate error reports
• It can also be added to Jenkins job for scheduled code
scans
• Eclipse plugin available
• One can define their own custom rules
1. Custom rules for Naming convention
2. Comments format
15

16. Available Rulesets from
PMD
• ApexUnit
Should have asserts
shouldn't have SeeallData=true
• Complexity
Too many nested IF,
Excessive number of parameters for method,
Excessive length of class,
Excessive length of methods,
Excessive public variables,
Excessive class members
• Performance
SOQL in for loops,
DML in for loops
• Security
Apex sharing violation,
Open redirects,
insecure endpoints,
XSS from parameters,
CRUD violation,
• Style - Naming conventions for Methods and classes.
16

17. How PMD works
Let’s find a bug with PMD help!
public class HotLeads {
public Lead getTopLead() {
return [SELECT … ] ;
}
}
17

18. How PMD works
Let’s find a bug: Sharing violation
public with sharing class HotLeads {
public Lead getTopLead() {
return [SELECT … ] ;
}
}
18

19. Mostly issues are categories in 2 types:
• Definitely a bug: public class Foo {}
• Might be a bug : public class without sharing Foo {}
Expected : public with sharing Foo {}
19

20. How PMD works
Let’s find one more bug
public void saveTopLead() {
insert new Lead(firstName='Astro');
}
20

21. How PMD works
Let’s find one more bug: CRUD and FLS
public void saveTopLead() {
Boolean canCreate =
Schema.sObjectType.Lead.fields.firstName.isCreateable();
if(canCreate) {
insert new Lead(firstName='Astro');
}
}
21

22. How to use PMD
• Download PMD from https://pmd.github.io/
• Create a ApexRules.xml
• Execute the PMD script
./run.sh pmd -d "/Users/prasu/sfdc-app" -f html -R "apexrules.xml" -reportfile
“output.html"
./run.sh pmd -d "<SourceCodeFolder>" -f html -R "<ApexRulesFile>" -reportfile
“<OutputFileName"
22

23. Sample Apex Rule File
23

24. Report generated by PMD Apex
24

25. 25

26. Thank you!
26