SAST for APEX
Problem to solve
Salesforce uses a specific language to manage flows and transactions.
Apex is a strongly typed, object-oriented programming language that allows developers to execute flow and transaction control statements on Salesforce servers in conjunction with calls to the API. Using syntax that looks like Java and acts like database stored procedures, Apex enables developers to add business logic to most system events, including button clicks, related record updates, and Visualforce pages. Apex code can be initiated by Web service requests and from triggers on objects.
PMD is an open-source tool that can scan Apex code. Some of its rules are security-related: https://pmd.github.io/pmd-6.12.0/pmd_rules_apex_security.html.
We could consider including this tool in our SAST offering to cover Apex.
Evaluate PMD (https://pmd.github.io/) to check if it can be included in our SAST tool.
- Compatible license
- Can execute in a job
- Can create machine-readable reports
What does success look like, and how can we measure that?
Number of projects scanned with PMD.
What is the type of buyer?
pmd-apex analyzer: gitlab-org/security-products/analyzers/pmd-apex!1 (merged)
pmd-apex analyzer to SAST orchestrator: gitlab-org/security-products/sast!150 (merged)
- Use pmd for Apex analysis
- Rely on presence of `package.xml` and presence of `ApexClass` definition for language detection
- Rely on presence of either `package.xml` or `src/package.xml` (in that order) for language detection
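As an added example (not the GitLab analyzer's own code), this job-style script applies the language detection described above and then runs PMD's Apex security rules with a machine-readable XML report, covering the "can execute in a job" and "machine-readable reports" criteria. It assumes PMD 6.x is installed with a `pmd` wrapper on PATH (the distribution's `run.sh pmd`), that `CI_PROJECT_DIR` points at the checkout, and uses the placeholder report name `gl-pmd-apex-report.xml`.

```shell
#!/bin/sh
# Added example, not the pmd-apex analyzer's code. Assumes PMD 6.x with a `pmd`
# wrapper on PATH; gl-pmd-apex-report.xml is a placeholder report name.

# Exit 0 when DIR is an Apex project: package.xml, then src/package.xml, is
# checked in that order, and the first manifest found must declare ApexClass.
detect_apex_project() {
  dir="$1"
  for manifest in "$dir/package.xml" "$dir/src/package.xml"; do
    if [ -f "$manifest" ]; then
      grep -q '<name>ApexClass</name>' "$manifest" && return 0
      return 1   # manifest present but no Apex classes declared
    fi
  done
  return 1       # no manifest at all
}

# Print the PMD arguments for scanning DIR with the Apex security category and
# writing REPORT as XML. -failOnViolation false keeps the job green so the
# report, not the exit code, carries the findings.
pmd_args() {
  printf '%s\n' "-d $1 -l apex -R category/apex/security.xml -f xml -r $2 -failOnViolation false"
}

main() {
  target="${CI_PROJECT_DIR:-.}"
  if detect_apex_project "$target"; then
    echo "Apex manifest found in $target, running PMD security rules"
    # word splitting is intended; CI checkout paths contain no spaces
    pmd $(pmd_args "$target" gl-pmd-apex-report.xml)
  else
    echo "No Apex manifest in $target, skipping PMD"
  fi
}

main
```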