sf scanner run --engine="pmd-appexchange" -t .
Warning: We're continually improving Salesforce Code Analyzer. Tell us what you think! Give feedback at https://research.net/r/SalesforceCA
Location Description Category URL
─────────────────────────────────────────── ────────────────────────────────────────────────── ─────────────────────────── ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────
src/classes/ApprovalLwcService.cls:526 Method setTargetObjectId used with whoId/WhatId AppExchange Security Review https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/ValidateCrudFlsEmailMessageWhoIdWhatId.md
with type SingleEmailMessage
False Results Report:
The rule seems to run on any use of setTargetObjectId on a single email message, regardless of whether we check any access to the field being used. We have tried this with different queries, using stripInaccessible, and other common CRUD/FLS checks.
Steps To Reproduce:
Add the following code to an Apex file:
Messaging.SingleEmailMessage email = new Messaging.SingleEmailMessage();
User u = [SELECT Id from User where Id = :UserInfo.getUserId() WITH SECURITY_ENFORCED];
email.setTargetObjectId(u.Id);
Run sf scanner run --engine="pmd-appexchange" -t .
Expected Behavior:
The rule should not fire if the user has read access to the record Id being used. If there is another field related to emails that we should check, the documentation should be updated to include details of what to check.
Screenshots:
Desktop:
Operating System: Sonoma 14.1
Code Analyzer version: v3.20.0
Salesforce CLI version: @salesforce/cli/2.27.6
Additional Context:
Workaround:
Adding //NOPMD on the lines to skip the PMD testing.
Urgency:
Low, we have added this as a false positive for now.
Salesforce Code Analyzer False Results Template
Description:
We have not found a way through any CRUD or FLS checks to avoid the ValidateCrudFlsEmailMessageWhoIdWhatId error in PMD.
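For anyone re-running the scanner against this report, the following repro class is an added example, not code from the original issue. It spells out the kinds of access check the report mentions (WITH SECURITY_ENFORCED, stripInaccessible, a describe-based check) directly ahead of the setTargetObjectId call. The class, method and exception names are hypothetical, and the exact variants the reporter tried are not shown on the page.

```apex
// Added illustration: hypothetical names, constructed to mirror the report.
public with sharing class EmailTargetRepro {
    public class AccessCheckException extends Exception {}

    // Variant 1: query-level enforcement, as in the report's own snippet.
    public static Messaging.SingleEmailMessage viaSecurityEnforced() {
        User u = [SELECT Id FROM User WHERE Id = :UserInfo.getUserId()
                  WITH SECURITY_ENFORCED];
        Messaging.SingleEmailMessage email = new Messaging.SingleEmailMessage();
        email.setTargetObjectId(u.Id); // call site the report says is flagged
        email.setSaveAsActivity(false); // required when the target is a User
        return email;
    }

    // Variant 2: strip anything the running user cannot read, then use
    // only the sanitized copy of the record.
    public static Messaging.SingleEmailMessage viaStripInaccessible() {
        List<User> rows = [SELECT Id FROM User WHERE Id = :UserInfo.getUserId()];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        User u = (User) decision.getRecords()[0];
        Messaging.SingleEmailMessage email = new Messaging.SingleEmailMessage();
        email.setTargetObjectId(u.Id); // same call, different check
        email.setSaveAsActivity(false);
        return email;
    }

    // Variant 3: explicit describe-based object check before the query.
    public static Messaging.SingleEmailMessage viaDescribeCheck() {
        if (!Schema.sObjectType.User.isAccessible()) {
            throw new AccessCheckException('No read access to User');
        }
        User u = [SELECT Id FROM User WHERE Id = :UserInfo.getUserId()];
        Messaging.SingleEmailMessage email = new Messaging.SingleEmailMessage();
        email.setTargetObjectId(u.Id); // same call, different check
        email.setSaveAsActivity(false);
        return email;
    }
}
```

Saving this class under the scanned directory and running the command from the report shows which of the three call sites the rule reports.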