SAST for APEX
Problem to solve
Salesforce has its own server-side language, Apex, for flow and transaction control logic.
From https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_intro_what_is_apex.htm:
Apex is a strongly typed, object-oriented programming language that allows developers to execute flow and transaction control statements on Salesforce servers in conjunction with calls to the API. Using syntax that looks like Java and acts like database stored procedures, Apex enables developers to add business logic to most system events, including button clicks, related record updates, and Visualforce pages. Apex code can be initiated by Web service requests and from triggers on objects.
PMD is an open source static analysis tool that can scan Apex code. Some of its rules are security related: https://pmd.github.io/pmd-6.12.0/pmd_rules_apex_security.html.
We could include this tool in our SAST offering to cover Apex.
Intended users
Sam, Security Analyst: https://about.gitlab.com/handbook/marketing/product-marketing/roles-personas/#sam-security-analyst
Proposal
Evaluate PMD (https://pmd.github.io/) to check whether it can be included in our SAST tool. Requirements:
- Compatible license
- Can execute in a job
- Can create machine-readable reports
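As an added illustration of the "can execute in a job" and "machine-readable report" requirements (not part of the original proposal or of the pmd-apex analyzer), a minimal GitLab CI job that runs PMD 6 against a checked-out project with the Apex security ruleset and writes an XML report. The image name, the `PMD_HOME` path and the `src` directory are assumptions; the CLI flags (`-d`, `-R`, `-f`, `-r`) are PMD 6's documented options.

```yaml
# Added example, not the original page's or the analyzer's configuration.
# Assumes an image with a PMD 6 binary distribution unpacked at $PMD_HOME.
pmd-apex-scan:
  stage: test
  image: example.invalid/pmd-runner:6.12.0   # hypothetical image
  variables:
    PMD_HOME: /opt/pmd                       # assumed install location
  script:
    # -d: source directory to scan; -R: ruleset (PMD 6 security category for Apex)
    # -f xml: machine-readable renderer; -r: write the report to a file
    - "$PMD_HOME/bin/run.sh" pmd
        -d "$CI_PROJECT_DIR/src"
        -R category/apex/security.xml
        -f xml
        -r pmd-apex-report.xml
  artifacts:
    paths:
      - pmd-apex-report.xml
    when: always
```

PMD exits non-zero when it finds violations, so the `artifacts: when: always` keeps the report available even for a failed job; a wrapper that converts the XML into the GitLab SAST report format would consume that file.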
What does success look like, and how can we measure that?
Number of projects scanned with PMD.
What is the type of buyer?
CISO
Development Log
Status
- backend: Add pmd-apex analyzer gitlab-org/security-products/analyzers/pmd-apex!1 (merged)
- backend: Add pmd-apex analyzer to ~sast orchestrator gitlab-org/security-products/sast!150 (merged)
Decisions
- Use pmd for Apex analysis
- Rely on package.xml and the presence of an ApexClass definition for language detection
- Rely on the presence of either sfdx-project.json or src/package.xml (in that order) for language detection
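An added example of both language-detection decisions above, written here for illustration and not taken from the pmd-apex analyzer: `ManifestDeclaresApexClass` parses a Salesforce `package.xml` manifest and looks for the `ApexClass` metadata type, and `DetectApexProject` checks for `sfdx-project.json` first and `src/package.xml` second. The function names and the sample manifest are constructed for this example.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"os"
	"path/filepath"
)

// SampleManifest is a constructed package.xml used only by this example.
const SampleManifest = `<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="http://soap.sforce.com/2006/04/metadata">
    <types>
        <members>AccountController</members>
        <name>ApexClass</name>
    </types>
    <types>
        <members>Account</members>
        <name>CustomObject</name>
    </types>
    <version>45.0</version>
</Package>`

// manifest mirrors only the parts of package.xml this example needs.
// Tags match on local name, so the metadata namespace is accepted.
type manifest struct {
	XMLName xml.Name `xml:"Package"`
	Types   []struct {
		Members []string `xml:"members"`
		Name    string   `xml:"name"`
	} `xml:"types"`
}

// ManifestDeclaresApexClass reports whether a package.xml manifest lists the
// ApexClass metadata type (the first detection decision).
func ManifestDeclaresApexClass(data []byte) (bool, error) {
	var m manifest
	if err := xml.Unmarshal(data, &m); err != nil {
		return false, err
	}
	for _, t := range m.Types {
		if t.Name == "ApexClass" {
			return true, nil
		}
	}
	return false, nil
}

// DetectApexProject implements the second decision: treat root as an Apex
// project if it contains sfdx-project.json, otherwise src/package.xml.
// It returns the marker file that matched, or "" when neither is present.
func DetectApexProject(root string) string {
	markers := []string{"sfdx-project.json", filepath.Join("src", "package.xml")}
	for _, marker := range markers {
		if fi, err := os.Stat(filepath.Join(root, marker)); err == nil && !fi.IsDir() {
			return marker
		}
	}
	return ""
}

func main() {
	ok, err := ManifestDeclaresApexClass([]byte(SampleManifest))
	fmt.Println("manifest declares ApexClass:", ok, "err:", err)
	root := "."
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	if marker := DetectApexProject(root); marker != "" {
		fmt.Println("Apex project detected via", marker)
	} else {
		fmt.Println("no Apex project markers found in", root)
	}
}
```

Run it with a project root as the first argument; the ordering in `DetectApexProject` means an sfdx-format repository that also carries a legacy `src/package.xml` is reported via `sfdx-project.json`.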