[False Result] ValidateCrudFlsEmailMessageWhoIdWhatId throws error despite CRUD/FLS checks

[thepaulfox]

Salesforce Code Analyzer False Results Template

Description:
We have not found a way through any CRUD or FLS checks to avoid the ValidateCrudFlsEmailMessageWhoIdWhatId error in PMD.

Documentation:

sf scanner run --engine="pmd-appexchange" -t .
Warning: We're continually improving Salesforce Code Analyzer. Tell us what you think! Give feedback at https://research.net/r/SalesforceCA
 Location                                    Description                                        Category                    URL                                                                                                                 
 ─────────────────────────────────────────── ────────────────────────────────────────────────── ─────────────────────────── ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 
 src/classes/ApprovalLwcService.cls:526        Method setTargetObjectId used with whoId/WhatId  AppExchange Security Review https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/ValidateCrudFlsEmailMessageWhoIdWhatId.md 
                                               with type SingleEmailMessage     

False Results Report:
The rule seems to run on any use of setTargetObjectId on a single email message, regardless of whether we check any access to the field being used. We have tried this with different queries, using stripInaccessible, and other common CRUD/FLS checks.

Steps To Reproduce:
Add the following code to an Apex file:

Messaging.SingleEmailMessage email = new Messaging.SingleEmailMessage();
User u = [SELECT Id from User where Id = :UserInfo.getUserId() WITH SECURITY_ENFORCED];
email.setTargetObjectId(u.Id);

Run sf scanner run --engine="pmd-appexchange" -t .

Expected Behavior:
The rule should not fire if the user has read access to the record Id being used. If there is another field related to emails that we should check, the documentation should be updated to include details of what to check.

Screenshots:

Desktop:

• Operating System. Sonoma 14.1
• Code Analyzer version. v3.20.0
• Salesforce CLI version. @salesforce/cli/2.27.6

Additional Context:

Workaround:
Adding //NOPMD on the lines to skip the PMD testing.

Urgency:
Low, we have added this as a false positive for now.

[bobalicious]

Quick question for clarification - does it highlight the following code in the same way?

Messaging.SingleEmailMessage email = new Messaging.SingleEmailMessage();
email.setTargetObjectId(UserInfo.getUserId());

[thepaulfox]

@bobalicious Yes, it highlights that code the same way.

[rrajaram-salesforce]

appreciate the feedback @thepaulfox and @bobalicious
Yes, please go ahead with //NOPMD where you believe this is not a vulnerability.

[git2gus]

This issue has been linked to a new work item: W-15080619