[apex] ApexCRUDViolationRule not reporting for Database.query #2628

wollamshram · 2020-07-02T13:27:29Z

Affects PMD 7.0.0

Description:

The ApexCRUDViolation rule does not report on potential CRUD violations if they are using the Database library to perform queries or DML, for example: Contact c = Database.query('SELECT Name FROM Contact');

The following methods are not yet considered by this rule:

Database.countQuery(String query)
Database.getQueryLocator(String query)
Database.query(String queryString)

See https://developer.salesforce.com/docs/atlas.en-us.apexref.meta/apexref/apex_methods_system_database.htm for full API doc.

The text was updated successfully, but these errors were encountered:

nwcm · 2023-04-30T02:53:59Z

Will confirm this issue still exists in 7.0.0-rc2

If someone can point me in a direction i can attempt to resolve

jsotuyod · 2023-04-30T03:42:07Z

Thanks for volunteering. I'm happy to give you some pointers.

This is the switch were different Database method calls are checked:

pmd/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/security/ApexCRUDViolationRule.java

Lines 203 to 231 in 37de19f

    
           switch (node.getMethodName().toLowerCase(Locale.ROOT)) { 
        
           case "insert": 
        
           case "insertasync": 
        
           case "insertimmediate": 
        
               checkForCRUD(node, data, IS_CREATEABLE); 
        
               break; 
        
           case "update": 
        
           case "updateasync": 
        
           case "updateimmediate": 
        
               checkForCRUD(node, data, IS_UPDATEABLE); 
        
               break; 
        
           case "delete": 
        
           case "deleteasync": 
        
           case "deleteimmediate": 
        
               checkForCRUD(node, data, IS_DELETABLE); 
        
               break; 
        
           case "undelete": 
        
               checkForCRUD(node, data, IS_UNDELETABLE); 
        
               break; 
        
           case "upsert": 
        
               checkForCRUD(node, data, IS_CREATEABLE); 
        
               checkForCRUD(node, data, IS_UPDATEABLE); 
        
               break; 
        
           case "merge": 
        
               checkForCRUD(node, data, IS_MERGEABLE); 
        
               break; 
        
           default: 
        
               break; 
        
           }

You would have to add the cases for those methods and check the type of operation. As these are read only methods, all checks should be as IS_ACCESSIBLE.

The add proper test cases. You can follow this PR as a general guide #3201

For what I see in the documentation you linked though, there are plenty more methods still unmaped.

nwcm · 2023-04-30T06:26:20Z

Thanks for the pointer, i'll take a look.

Another issue seems to be it ignores these methods when the class has the namespace. I would assume this is handled in the node traversal somehow

oowekyala changed the title ~~ApexCRUDViolationRule not reporting on operations which use Database library~~ [apex] ApexCRUDViolationRule not reporting on operations which use Database library Jul 4, 2020

oowekyala added the a:false-positive PMD flags a piece of code that is not problematic label Jul 4, 2020

jonathanwiesel mentioned this issue Apr 6, 2021

[apex] ApexCRUDViolation doesn't report Database class DMLs, inline no-arg object instantiations and inline list initialization #3201

Closed

jonathanwiesel mentioned this issue Jun 30, 2021

[apex] Add ApexCRUDViolation support for database class, inline no-arg object construction DML and inline list initialization DML #3373

Merged

4 tasks

adangel added a:false-negative PMD doesn't flag a problematic piece of code and removed a:false-positive PMD flags a piece of code that is not problematic labels Jul 2, 2021

adangel mentioned this issue Oct 23, 2021

[apex] Fix for #3576 - Added new configuration properties *AuthMethodPattern and *AuthMethodTypeParamIndex to ApexCRUDViolation rule #3577

Merged

4 tasks

adangel changed the title ~~[apex] ApexCRUDViolationRule not reporting on operations which use Database library~~ [apex] ApexCRUDViolationRule not reporting Database.query Dec 16, 2022

adangel changed the title ~~[apex] ApexCRUDViolationRule not reporting Database.query~~ [apex] ApexCRUDViolationRule not reporting for Database.query Dec 16, 2022

adangel mentioned this issue Dec 16, 2022

[apex] ApexCRUDViolation: Recognize User Mode in SOQL + DML #4146

Closed

nwcm mentioned this issue Apr 30, 2023

Update PMD rules to leverage native Security features (e.g. USER MODE) forcedotcom/sfdx-scanner#1026

Closed

jsotuyod added the needs:pmd7-revalidation The issue hasn't yet been retested vs PMD 7 and may be stale label Mar 17, 2024

jsotuyod removed the needs:pmd7-revalidation The issue hasn't yet been retested vs PMD 7 and may be stale label Apr 2, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[apex] ApexCRUDViolationRule not reporting for Database.query #2628

[apex] ApexCRUDViolationRule not reporting for Database.query #2628

wollamshram commented Jul 2, 2020 •

edited by jsotuyod

Loading

nwcm commented Apr 30, 2023

jsotuyod commented Apr 30, 2023

nwcm commented Apr 30, 2023

[apex] ApexCRUDViolationRule not reporting for Database.query #2628

[apex] ApexCRUDViolationRule not reporting for Database.query #2628

Comments

wollamshram commented Jul 2, 2020 • edited by jsotuyod Loading

nwcm commented Apr 30, 2023

jsotuyod commented Apr 30, 2023

nwcm commented Apr 30, 2023

wollamshram commented Jul 2, 2020 •

edited by jsotuyod

Loading