ApexCRUDViolation: check for object-level delete permission does not work #1458

Open
illarionova opened this issue May 7, 2024 · 3 comments
Labels
USER STORY New feature or request

Comments

@illarionova

I am trying to check for object-level delete permission on a custom object before performing a DML delete operation on it.

The check is performed as shown in the documentation here: https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_perms_enforcing.htm.

public with sharing class TestClassApex {
    public static void exampleMethod() {
        List<CBConfig__c> configs = [SELECT Id FROM CBConfig__c WITH SECURITY_ENFORCED];
        if (Schema.SObjectType.CBConfig__c.isDeletable()) {
            delete configs;
        }
    }
}

I'm running the check through:

sf scanner run --format csv --outfile CodeAnalyzerGeneral.csv --target ./ --category Security

And getting ApexCRUDViolation.

I'm using @salesforce/sfdx-scanner@latest-beta version 4.1. I also tried with version 3.23.

@johnbelosf
Collaborator

Thanks for raising @illarionova! That specific rule likely needs to be updated to match current best practices - we are aware there are some gaps between how rules are set up and the latest best practice.

These days we recommend using User Mode for queries and database operations as per our docs.

We are currently working on overhauling our core Code Analyzer architecture to make it easier for us to help you understand which rules align with the latest best practice, which will likely lead to us contributing updates to rules in engines such as PMD later in the year / early next year.
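
The user-mode approach recommended in the reply above, applied to the reporter's method as an added example (not code from the issue or from the Code Analyzer project). The class name is hypothetical, and whether a given scanner or PMD version accepts this form for ApexCRUDViolation is not stated in this thread.

```apex
// Added example: CBConfigUserModeExample is a hypothetical class name;
// CBConfig__c is the custom object from the report.
public with sharing class CBConfigUserModeExample {

    // Keyword form: the query and the DML each run with the running user's
    // object permissions, field-level security and sharing rules.
    public static void deleteWithKeywords() {
        List<CBConfig__c> configs = [SELECT Id FROM CBConfig__c WITH USER_MODE];
        // In user mode the platform enforces delete access itself, so a user
        // without it gets an exception rather than a system-mode delete.
        // No separate isDeletable() guard is involved.
        delete as user configs;
    }

    // Database-class form of the same operation; returns the number of rows deleted.
    public static Integer deleteWithDatabaseClass() {
        List<CBConfig__c> configs = Database.query(
            'SELECT Id FROM CBConfig__c', AccessLevel.USER_MODE);
        // allOrNone = true: any failure rolls back the whole delete and throws.
        List<Database.DeleteResult> results =
            Database.delete(configs, true, AccessLevel.USER_MODE);
        Integer deleted = 0;
        for (Database.DeleteResult r : results) {
            if (r.isSuccess()) {
                deleted++;
            }
        }
        return deleted;
    }
}
```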

@johnbelosf johnbelosf added the USER STORY New feature or request label May 7, 2024

git2gus bot commented May 7, 2024

This issue has been linked to a new work item: W-15703310

@rsoesemann

Related ticket in the PMD repo pmd/pmd#4997
