SAST for APEX

Problem to solve

Salesforce uses a specific language to manage flows and transactions.

From https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_intro_what_is_apex.htm:

Apex is a strongly typed, object-oriented programming language that allows developers to execute flow and transaction control statements on Salesforce servers in conjunction with calls to the API. Using syntax that looks like Java and acts like database stored procedures, Apex enables developers to add business logic to most system events, including button clicks, related record updates, and Visualforce pages. Apex code can be initiated by Web service requests and from triggers on objects.

PMD is an open source tool that is able to scan APEX code. Some of its rules are related to security: https://pmd.github.io/pmd-6.12.0/pmd_rules_apex_security.html.

We can consider including this tool in our SAST offering to cover APEX.

Intended users

Sam, Security Analyst: https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst

Proposal

Evaluate PMD (https://pmd.github.io/) to check if it can be included in our SAST tool.

  • Compatible license
  • Can execute in a job
  • Can create machine-readable reports

What does success look like, and how can we measure that?

Number of projects scanned with PMD.

What is the type of buyer?

CISO

Development Log

Status

Decisions

  • Use pmd for Apex analysis
  • Rely on package.xml and presence of ApexClass definition for language detection
  • Rely on presence of either sfdx-project.json or src/package.xml (in that order) for language detection
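The proposal above asks whether PMD can run in a job and emit a machine-readable report, and the decisions above fix how an Apex project is recognised. The script below is an added example, not code from GitLab's SAST analyzers or from PMD: it detects an Apex project by checking for `sfdx-project.json` first and then for `src/package.xml` declaring `ApexClass` members, and builds a PMD 6 command line that writes an XML report from the Apex security ruleset. The fixture trees, the `category/apex/security.xml` ruleset id and the `pmd` executable name on `PATH` are assumptions; the sample `sfdx-project.json` and `package.xml` contents are constructed.

```shell
#!/bin/sh
# Added example (not GitLab's or PMD's own code). Detects an Apex project by the
# markers named in the decisions above and builds a PMD invocation that writes a
# machine-readable report. Ruleset id and executable name are assumptions.

# detect_apex_project DIR -> prints the marker that matched and exits 0;
# exits 1 when neither marker is present.
detect_apex_project() {
  dir="$1"
  # First choice: a Salesforce DX project.
  if [ -f "$dir/sfdx-project.json" ]; then
    echo "sfdx-project.json"
    return 0
  fi
  # Fallback: a Metadata API project whose package.xml lists ApexClass members.
  if [ -f "$dir/src/package.xml" ] && grep -q '<name>ApexClass</name>' "$dir/src/package.xml"; then
    echo "src/package.xml"
    return 0
  fi
  return 1
}

# pmd_command DIR REPORT -> prints the PMD 6 command line without running it.
# -f xml selects a machine-readable renderer; -r writes it to a file.
pmd_command() {
  dir="$1"
  report="$2"
  printf 'pmd -d %s -l apex -R category/apex/security.xml -f xml -r %s\n' "$dir" "$report"
}

# run_apex_scan DIR REPORT -> runs PMD when it is on PATH. PMD 6 exits 4 when it
# reports violations, so a CI job must treat 0 and 4 as a successful scan.
run_apex_scan() {
  dir="$1"
  report="$2"
  marker=$(detect_apex_project "$dir") || { echo "no Apex project in $dir" >&2; return 1; }
  echo "Apex project detected via $marker"
  if ! command -v pmd >/dev/null 2>&1; then
    echo "pmd not installed; would run: $(pmd_command "$dir" "$report")"
    return 0
  fi
  pmd -d "$dir" -l apex -R category/apex/security.xml -f xml -r "$report"
  rc=$?
  [ "$rc" -eq 0 ] || [ "$rc" -eq 4 ]
}

# make_fixtures -> creates three constructed sample trees under a temp dir and
# prints its path: an SFDX project, a Metadata API project with Apex classes,
# and a Metadata API project with no Apex at all.
make_fixtures() {
  base=$(mktemp -d)
  mkdir -p "$base/sfdx" "$base/mdapi/src" "$base/other/src"
  echo '{"packageDirectories":[{"path":"force-app","default":true}]}' > "$base/sfdx/sfdx-project.json"
  cat > "$base/mdapi/src/package.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
  <types>
    <members>*</members>
    <name>ApexClass</name>
  </types>
  <version>45.0</version>
</Package>
EOF
  cat > "$base/other/src/package.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
  <types>
    <members>*</members>
    <name>CustomObject</name>
  </types>
  <version>45.0</version>
</Package>
EOF
  echo "$base"
}
```

In a CI job, `run_apex_scan "$CI_PROJECT_DIR" pmd-apex.xml` is the whole step; the exit-code handling matters because PMD signals "violations found" with a non-zero status that would otherwise fail the job before the report is collected.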

Edited by Lucas Charles