What are Aura: Async Code and Sharing Violation vulnerabilities from the security review of the application (AppExchange) - Answers - Salesforce Trailblazer Community
reettik mitra

What are Aura: Async Code and Sharing Violation vulnerabilities from the security review of the application (AppExchange)

Todd Halfpenny
Sorry, I don't entirely understand your question. Could you please expand on it?
reettik mitra
I was creating an application to publish on AppExchange, so I submitted the application for security review, but the report contained:

We have completed the security review of your application. Unfortunately, we have found some issues which concern us, and thus, at this time we cannot approve your application for final listing. Trust and security are core values at Salesforce, and we are committed to working with you to resolve those issues. The following vulnerabilities need to be resolved:
- Aura: Async Code
- Sharing Violation
Can you explain the actual reasons for these issues?
Todd Halfpenny
Ah right. You should have got a detailed report attachment with some explicit examples of the code that caused these issues.

In reference to Sharing Violation it's likely you're not using "with sharing" in your apex... and in general terms this is almost always needed. You could look at this doc on Enforcing Object and Field Permissions (https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_perms_enforcing.htm) to see how to take this forward, and if you do a general web search for the topic you will find plenty of articles and libraries to assist (we have used fflib before).

There is also a Partner Chatter group for the SR (https://partners.salesforce.com/_ui/core/chatter/groups/GroupProfilePage?g=0F9300000001s8Y), which is a useful place to ask specific questions, or if you feel you have a False Positive.

I'm guessing your source code scan result that you submitted with the SR application will have also highlighted the issues, or the CRUD/FLS ones at least.

As for "Aura: Async Code" this is a new one to me I think. Might be best to ask this in the Partner Chatter, or to paste the info from the SR attachment here?
This was selected as the best answer
reettik mitra
We didn't get the report we usually get on a security review failure.
Todd Halfpenny
In that case I would definitely join the Partner Chatter group and make a post there specifying that you didn't get a report back. This appears to be an error on Salesforce's part.
reettik mitra
Thank you for your support. I highly appreciate it!!!
reettik mitra
Upon further investigation I found out that I missed the 'with sharing' in one of my Apex classes, and that Apex class is also used in the scheduler class. Is this the reason I am getting the Aura: Async Code security vulnerability?
Todd Halfpenny
It doesn't sound like the "with sharing" and the "Aura: Async Code" issues are linked, though I could be wrong.

Again, this might be something you can get help for in the Partner Chatter as the Salesforce SR team are also active in there.
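
The following is an added example, not part of the thread and not the poster's code. It illustrates the "with sharing" and object/field permission advice from the best answer, together with the scheduler-class situation raised later. All class names and the Contact query are hypothetical, and each top-level class would live in its own .cls file.

```apex
// BEFORE (hypothetical): no sharing declaration, so this class does not
// itself enforce the running user's record-level access, and the query
// checks neither object (CRUD) nor field (FLS) permissions.
public class ContactLookup {
    public static List<Contact> byAccount(Id accountId) {
        return [SELECT Id, Name, Email FROM Contact WHERE AccountId = :accountId];
    }
}

// AFTER (hypothetical): explicit "with sharing" plus CRUD/FLS enforcement.
public with sharing class ContactLookupSecure {
    public class ContactAccessException extends Exception {}

    public static List<Contact> byAccount(Id accountId) {
        // Object-level read check before querying.
        if (!Schema.sObjectType.Contact.isAccessible()) {
            throw new ContactAccessException('No read access to Contact');
        }
        // Field-level check: drop any queried field the user cannot read.
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.READABLE,
            [SELECT Id, Name, Email FROM Contact WHERE AccountId = :accountId]
        );
        return (List<Contact>) decision.getRecords();
    }
}

// Scheduler entry point (hypothetical): declares its own sharing mode as
// well, so nothing in the call chain is left without an explicit declaration.
public with sharing class ContactDigestJob implements Schedulable {
    private Id accountId;

    public ContactDigestJob(Id accountId) {
        this.accountId = accountId;
    }

    public void execute(SchedulableContext ctx) {
        List<Contact> visible = ContactLookupSecure.byAccount(accountId);
        System.debug('Contacts visible to the scheduling user: ' + visible.size());
    }
}
```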