force.com source scanner - Answers - Salesforce Trailblazer Community
Rami Hawly

force.com source scanner

Hello,
We are trying to follow Salesforce guidelines on FLS/CRUD enforcement in Apex Code. Developers are supposed to honor the permissions set by administrators, therefore, when writing Apex code, developers are expected to check if the current user has permission to access/update/create/delete a record and its fields in Apex code.
As a first approach, and since we have a lot of classes and lines of code, we used helper methods to check for CRUD/FLS. Example:
public inherited sharing class AccessHelper {
    public class FlsException extends Exception {}
    // Read: the object and every listed field must be accessible to the running user
    public static Boolean checkAccess(SObjectType objectType, List<String> fields) {
        Schema.DescribeSObjectResult d = objectType.getDescribe();
        if (!d.isAccessible()) throw new FlsException('No read access on ' + d.getName());
        for (String f : fields) {
            if (!field(d, f).isAccessible()) throw new FlsException('No read access on ' + f);
        }
        return true;
    }
    public static Boolean checkUpdate(SObjectType objectType, List<String> fields) {
        Schema.DescribeSObjectResult d = objectType.getDescribe();
        if (!d.isUpdateable()) throw new FlsException('No update access on ' + d.getName());
        for (String f : fields) {
            if (!field(d, f).isUpdateable()) throw new FlsException('No update access on ' + f);
        }
        return true;
    }
    public static Boolean checkCreate(SObjectType objectType, List<String> fields) {
        Schema.DescribeSObjectResult d = objectType.getDescribe();
        if (!d.isCreateable()) throw new FlsException('No create access on ' + d.getName());
        for (String f : fields) {
            if (!field(d, f).isCreateable()) throw new FlsException('No create access on ' + f);
        }
        return true;
    }
    // Delete is object-level only; there is no per-field delete permission
    public static Boolean checkDelete(SObjectType objectType) {
        Schema.DescribeSObjectResult d = objectType.getDescribe();
        if (!d.isDeletable()) throw new FlsException('No delete access on ' + d.getName());
        return true;
    }
    // Resolve a field API name; an unknown name fails closed instead of causing a NullPointerException
    private static Schema.DescribeFieldResult field(Schema.DescribeSObjectResult d, String name) {
        Schema.SObjectField f = d.fields.getMap().get(name.toLowerCase());
        if (f == null) throw new FlsException('Unknown field ' + name + ' on ' + d.getName());
        return f.getDescribe();
    }
}
In a controller or a batch class:
// … some code
// checkUpdate throws if the running user lacks update access on the object or any listed field
if (AccessHelper.checkUpdate(MyObject.SObjectType, listFieldApiName)) {
    update listOfMyObject;
}
This method of enforcing FLS/CRUD was allowing our code to pass the Force.com source scanner (https://security.secure.force.com/security/tools/forcecom/scanner) with no problem. But when we tried to scan our source code again this week the results were unexpected. We had a big number of CRUD update, create and delete issues. These issues are mostly, if not all, false positives.
We tried to change the method we are using and check for FLS/CRUD directly in the class where we are executing a DML, example:
if (SObjectType.MyObjectApiName.fields.myFieldName1.isUpdateable()
    && SObjectType.MyObjectApiName.fields.myFieldName1.isCreateable()
    && SObjectType.MyObjectApiName.fields.myFieldName2.isUpdateable()
    && SObjectType.MyObjectApiName.fields.myFieldName2.isCreateable())
{
    upsert listOfMyObject;
}
After running the scanner again this came as a false positive as well.
How are we supposed to write the CRUD/FLS checks in Apex code so they are detected by the source scanner?
sakshi nagpal
Hi Rami,

Check similar answer:
https://salesforce.stackexchange.com/questions/143518/security-scanner-enforcing-crud-auto-scanner-reported-issue?rq=1

Thanks,
Sakshi
Rami Hawly
Hello Sakshi,

Thank you for your help.

I didn't mention in my question that these issues didn't appear in previous scans of our code. We were scanning the code again because we added new source. The main problem is that now we have to go through a huge number of issues and make sure they are all false positives. And even if we do, when we add new source again and re-scan our code, we will have trouble identifying new issues, if any.
Do you think the scanner has changed recently?

Thank You

Rami
Rami Hawly
Hello, 
It turned out that using inherited sharing for the helper class AccessHelper was causing this problem. We put it back to with sharing and all the false positive issues related to CRUD create, update and delete were gone in the next scan.
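Whatever the scanner reports, the helper should be proven to fail closed for a user who actually lacks the permission. The Apex test class below is an added example, not code from this thread; it assumes AccessHelper exposes static checkUpdate/checkCreate/checkDelete methods that throw an AccessHelper.FlsException (assumed name) on denial, and that a profile named 'Minimum Access - Salesforce' with no Account CRUD exists in the org.

```apex
@IsTest
private class AccessHelperTest {
    // Constructed fixture: a user on a profile that grants no object access.
    // The profile name is an assumption; use any profile without Account CRUD.
    private static User noAccessUser() {
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Minimum Access - Salesforce' LIMIT 1];
        User u = new User(Alias = 'noacc', Email = 'noacc@example.com', EmailEncodingKey = 'UTF-8',
            LastName = 'NoAccess', LanguageLocaleKey = 'en_US', LocaleSidKey = 'en_US',
            ProfileId = p.Id, TimeZoneSidKey = 'UTC',
            Username = 'noacc.' + System.currentTimeMillis() + '@example.com');
        insert u;
        return u;
    }

    @IsTest
    static void adminPassesChecks() {
        // The default test-context user (an administrator) should pass every check
        System.assertEquals(true, AccessHelper.checkUpdate(Account.SObjectType, new List<String>{ 'Name' }));
        System.assertEquals(true, AccessHelper.checkDelete(Account.SObjectType));
    }

    @IsTest
    static void restrictedUserFailsClosed() {
        User u = noAccessUser();
        System.runAs(u) {
            try {
                AccessHelper.checkUpdate(Account.SObjectType, new List<String>{ 'Name' });
                System.assert(false, 'Expected the check to throw for a user without Account update access');
            } catch (AccessHelper.FlsException e) {
                System.assert(e.getMessage().contains('update'), e.getMessage());
            }
        }
    }

    @IsTest
    static void unknownFieldIsRejected() {
        // A misspelled field API name must not be treated as "no restriction"
        try {
            AccessHelper.checkCreate(Account.SObjectType, new List<String>{ 'NoSuchField__c' });
            System.assert(false, 'Expected an unknown field to be rejected rather than silently passed');
        } catch (AccessHelper.FlsException e) {
            System.assert(e.getMessage().contains('Unknown field'), e.getMessage());
        }
    }
}
```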