[apex] ApexCRUDViolationRule not reporting for Database.query

[wollamshram]

Affects PMD 7.0.0

Rule: ApexCRUDViolation

Description:

The ApexCRUDViolation rule does not report on potential CRUD violations if they are using the Database library to perform queries or DML, for example: Contact c = Database.query('SELECT Name FROM Contact');

The following methods are not yet considered by this rule:

• Database.countQuery(String query)
• Database.getQueryLocator(String query)
• Database.query(String queryString)

See https://developer.salesforce.com/docs/atlas.en-us.apexref.meta/apexref/apex_methods_system_database.htm for full API doc.

[nwcm]

Will confirm this issue still exists in 7.0.0-rc2

If someone can point me in a direction i can attempt to resolve

[jsotuyod]

Thanks for volunteering. I'm happy to give you some pointers.

This is the switch were different Database method calls are checked:

pmd/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexCRUDViolationRule.java

Lines 203 to 231 in 37de19f

	switch (node.getMethodName().toLowerCase(Locale.ROOT)) {
	case "insert":
	case "insertasync":
	case "insertimmediate":
	checkForCRUD(node, data, IS_CREATEABLE);
	break;
	case "update":
	case "updateasync":
	case "updateimmediate":
	checkForCRUD(node, data, IS_UPDATEABLE);
	break;
	case "delete":
	case "deleteasync":
	case "deleteimmediate":
	checkForCRUD(node, data, IS_DELETABLE);
	break;
	case "undelete":
	checkForCRUD(node, data, IS_UNDELETABLE);
	break;
	case "upsert":
	checkForCRUD(node, data, IS_CREATEABLE);
	checkForCRUD(node, data, IS_UPDATEABLE);
	break;
	case "merge":
	checkForCRUD(node, data, IS_MERGEABLE);
	break;
	default:
	break;
	}

You would have to add the cases for those methods and check the type of operation. As these are read only methods, all checks should be as IS_ACCESSIBLE.

The add proper test cases. You can follow this PR as a general guide #3201

For what I see in the documentation you linked though, there are plenty more methods still unmaped.

[nwcm]

Thanks for the pointer, i'll take a look.

Another issue seems to be it ignores these methods when the class has the namespace. I would assume this is handled in the node traversal somehow