Salesforce Code Analyzer

By Shreya Duggal

Salesforce has introduced an important change for AppExchange managed packages: a new tool, ‘Salesforce Code Analyzer’, must now be run against your code before you publish or update a managed package.

Salesforce Code Analyzer reports must now be uploaded in the security review section when publishing or updating a package. You scan the code with the tool, it produces a report, and that report is requested during the security review submission. This change does not apply to unmanaged packages, nor to packages that passed the security review before the Summer ’23 release.

Introduction
Salesforce Code Analyzer is a static analysis tool that finds security issues and coding best-practice violations in your Apex classes, Lightning components, and Visualforce pages. Scanning with it improves the quality and security of your code, and it also shortens the time to publish a package by lowering the chance of a failed security review and a re-submission.

Here are short explanations for a few of the issues the tool reports.

Missing CRUD checks – When querying fields from an object it is easy to forget to check that the running user is allowed to read them, and the tool reports every query where that check is missing. Previously you had to add explicit isAccessible(), isCreateable() and isUpdateable() describe checks for the object and each related object or field; in recent releases a query can enforce this itself if you add ‘WITH SECURITY_ENFORCED’ (or the newer ‘WITH USER_MODE’). Note that this clause only covers the SOQL read: insert, update and delete still need their own check, for example Security.stripInaccessible().
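The same query written the unchecked way, with describe checks, and with the query enforcing security itself, plus the DML side the SOQL clause does not cover. This is an added Apex example and not code from the original post; the class and method names are hypothetical, and Contact with its standard Email and Phone fields is used so it compiles in any org.

```apex
/**
 * Added example (not from the original post): one Contact lookup written three ways.
 * ContactLookupExample and its method names are hypothetical; Email and Phone are
 * standard Contact fields.
 */
public with sharing class ContactLookupExample {

    /** Flagged by the analyzer: nothing verifies that the running user may read
     *  Contact, Email or Phone before the query runs. */
    public static List<Contact> unchecked(Id accountId) {
        return [SELECT Id, Email, Phone FROM Contact WHERE AccountId = :accountId];
    }

    /** The older fix: describe checks on the object and on every selected field. */
    public static List<Contact> describeChecked(Id accountId) {
        if (!Schema.sObjectType.Contact.isAccessible()
            || !Schema.sObjectType.Contact.fields.Email.isAccessible()
            || !Schema.sObjectType.Contact.fields.Phone.isAccessible()) {
            throw new System.NoAccessException();
        }
        return [SELECT Id, Email, Phone FROM Contact WHERE AccountId = :accountId];
    }

    /** The current fix: the query enforces object- and field-level security itself.
     *  It throws a System.QueryException if any selected field is not readable by the
     *  running user, so callers must handle that. WITH USER_MODE is the newer
     *  alternative that additionally applies sharing rules. */
    public static List<Contact> enforced(Id accountId) {
        return [SELECT Id, Email, Phone FROM Contact
                WHERE AccountId = :accountId
                WITH SECURITY_ENFORCED];
    }

    /** WITH SECURITY_ENFORCED covers reads only. DML needs its own check: here any
     *  field the user may not update is stripped before the update is issued, so the
     *  statement never writes a field the user cannot edit. */
    public static void updatePhones(List<Contact> contacts) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, contacts);
        update decision.getRecords();
    }
}
```

The describe-check version and the WITH SECURITY_ENFORCED version behave differently on failure: the first throws before the query, the second throws from the query itself. Either way, catch the exception in the calling code and surface a meaningful error rather than letting the transaction die with a raw QueryException.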

Missing ApexDoc – This issue appears when a class or method has no ApexDoc comment. To resolve it, add a ‘/** ... */’ comment block at the top of the class and above each method containing a description, the author, the date, and anything else worth recording.

Naming conventions for classes, parameters, and variables – Class names should be in PascalCase, with the first letter of every word capitalized, for example SearchClass. Parameter and variable names should be in camelCase, with the first word lowercase and every following word capitalized, for example searchString. Any class, parameter or variable that does not follow this convention is listed.

Unescaped strings – If you build a dynamic SOQL query by concatenating a variable into it without wrapping that variable in String.escapeSingleQuotes(), the tool reports it and you must fix it before the package can be created. Where the value is only ever a query value, a bind variable (‘:variable’) is the better fix, because no query text is assembled from the input at all; escaping only protects input that sits inside a quoted literal, not input used as a field name or in ORDER BY.
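The finding and the fixes side by side, as an added Apex example that is not code from the original post. The class, its methods and the allow list of sortable fields are hypothetical; Account with its standard Name field is used so it compiles anywhere. CRUD checks are left out of these queries to keep the focus on escaping.

```apex
/**
 * Added example (not from the original post): a dynamic Account search written
 * unsafely, with the escape the analyzer asks for, and with a bind variable.
 * AccountSearchExample, its methods and SORTABLE_FIELDS are hypothetical.
 */
public with sharing class AccountSearchExample {

    /** Flagged by the analyzer: the caller's string is pasted into the query. Input
     *  such as   x%' OR Name != '   closes the literal and rewrites the WHERE clause. */
    public static List<Account> vulnerable(String name) {
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + name + '%\'';
        return Database.query(soql);
    }

    /** What the analyzer asks for: escape single quotes so the value cannot close the
     *  literal. Note that % and _ remain LIKE wildcards after escaping, so the caller
     *  can still widen the match, just not change the clause. */
    public static List<Account> escaped(String name) {
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE \'%'
            + String.escapeSingleQuotes(name) + '%\'';
        return Database.query(soql);
    }

    /** Preferable whenever the input is a value: bind it. Dynamic SOQL resolves
     *  :pattern from the local scope, so no query text is built from user input. */
    public static List<Account> bound(String name) {
        String pattern = '%' + name + '%';
        return Database.query('SELECT Id, Name FROM Account WHERE Name LIKE :pattern');
    }

    /** escapeSingleQuotes does nothing for input used outside a quoted literal, such
     *  as a field name in ORDER BY, and identifiers cannot be bound. The only safe
     *  option there is an allow list of the exact values you accept. */
    private static final Set<String> SORTABLE_FIELDS =
        new Set<String>{ 'Name', 'CreatedDate', 'LastModifiedDate' };

    public static List<Account> sorted(String sortField) {
        if (!SORTABLE_FIELDS.contains(sortField)) {
            throw new IllegalArgumentException('Unsupported sort field: ' + sortField);
        }
        return Database.query(
            'SELECT Id, Name FROM Account ORDER BY ' + sortField + ' LIMIT 100');
    }
}
```

A scan of this class will report vulnerable() and, depending on the rule set, may still flag sorted() because the query string is concatenated; that second finding is the kind you document as reviewed and justified when you submit, since the allow list makes the concatenation safe.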

Missing braces for single-line bodies – Many of us omit the curly braces around a one-line if, for or while body, but the tool treats braces around every control-statement body as a best practice and reports their absence. This is a style finding rather than a security one, so it is up to you whether to follow it.

Get Started

The tool is a Salesforce CLI plugin, so you need the CLI installed on your computer to run its commands. Make sure you have the latest CLI version by running ‘sf update’. You also need a Java Development Kit (JDK) version 8 or later (recent Code Analyzer releases require JDK 11 or later). Finally, install the plugin with ‘sf plugins install @salesforce/sfdx-scanner’. Once this is done, follow these steps:

  1. Keep a local copy of the code for the tool to check. Make sure it is exactly the version of the package you intend to publish.
  2. In a terminal or any other command-line interface, change to the top-level folder of the project.
  3. Run the first scan with ‘sf scanner run --category Security’, writing the report to a file of your choice with ‘--format csv --outfile <name>’ (use ‘--target’ to point at the source folders; it defaults to the current directory).
  4. Once the first scan is done, run the second, data-flow scan with ‘sf scanner run dfa --category Security’, passing ‘--target’ and ‘--projectdir’ for the project and an output file name as before. This scan follows data across method calls, so it takes noticeably longer than the first.
  5. Run the third scan with ‘sf scanner run --engine pmd-appexchange’ and an output file name as above. This applies the AppExchange-specific rules and is optional.
  6. Fix the reported issues and rescan until the reports are clean or contain only findings you can justify.
  7. Document any false positives, with the reason each one is not a real problem.
  8. Upload the three report files in the security review section of the package submission, together with your false-positive document if you have one.

That is all. Once these steps are complete and the security review passes, you can publish your managed package.
