Update PMD rules to leverage native Security features (e.g. USER MODE)

[rsoesemann]

Hey dear team of the Security Scanner,

I know you are busy improving the Security Scanner which gets better every months. But one of your yore engines which is successful for the high adoption of your scanner needs you. PMD. As described in this ticket pmd/pmd#4368 PMD doesn't understand a few of the new native Security features announced lately on TDX23.

I am talking about such thing finally being usable and GA:

• User Mode in DML and SOQL/SOSL
• WITH SECURITY ENFORCE not recommended anymore by Daniel Balinger and Chris Peterson on TDX23
• Inherited Sharing (yes this is an older one)

Such a change in existing PMD rules is a bigger effort that I currently don't want to do on my own and finding volunteers is hard. Normally companies that are making use of PMD are good candidates. In the past I could win Gearset, Copado etc.

As Security is in Salesforce best interest I this time thought of you @johnbelosf @rmohan20

[git2gus]

This issue has been linked to a new work item: W-12714418

[rsoesemann]

@johnbelosf @rmohan20 I know PMD also doesn't yet support USER MODE but its OSS compared to the official Graph Engine. Is that on the roadmap and when will it come?

[johnbelosf]

We should be getting a new version of Apex Jorje in the coming weeks, which we need in order to support USER MODE. I'd expect it to ship sometime in June-July timeframe if all goes to plan.

[nwcm]

Happy to assist on these feature

As well as resolving the below which will be key in passing SF security reviews

pmd/pmd#2628
pmd/pmd#4526

[vc4u]

Is there any update on when this would be supported in Code Scanner engine? While USER MODE works with SOQL in latest engine, but it throws error in generated report when USER MODE is used in DML statements like update as user sObj.

[jfeingold35]

@vc4u , unfortunately, no update in this matter. PMD 7's still not out yet, and we're still in the process of assessing upgrade paths.

[rsoesemann]

@jfeingold35 its merged pmd/pmd#4605

[rsoesemann]

@jfeingold35 @johnbelosf is the scanner now using the latest PMD 7 Release Candiate as we discussed? Final PMD 7 will take for long and not contain Salesforce own JORJE Parser. So I think you need to rely on the RC at the moment.