
In Salesforce Apex, it is often necessary to handle objects and fields dynamically using the generic 'SObject' type. This approach allows for flexible and generic code that can work with different Salesforce objects without hardcoding specific object types. However, this dynamic nature poses a challenge for static code analysis tools like CheckMarx.

When using SObject in Apex, the type of the object and its fields are not known at compile time. For instance, consider the following code snippet:

List<SObject> quoteLineItemsToUpdate = new List<SObject>(); 

In this example, quoteLineItemsToUpdate is a list of SObject instances, retrieved dynamically. Even though explicit FLS and CRUD checks are performed, such as:

    // Resolve the object type by API name at runtime
    Schema.SObjectType qliObjectType = Schema.getGlobalDescribe().get('QuoteLineItem');
    Schema.DescribeSObjectResult qliDescribe = qliObjectType.getDescribe();
    // Object-level CRUD check before the dynamic DML
    if (qliDescribe.isAccessible() && qliDescribe.isUpdateable()) {
        update quoteLineItemsToUpdate;
    }

The Force.com code scanner (Checkmarx) does not recognize these checks as valid for the actual object type (QuoteLineItem), due to the dynamic nature of SObject. The tool relies on static analysis, where object types and field access permissions are known and fixed at compile time. Therefore, when dynamic objects are used, Checkmarx cannot confirm that proper security checks are applied.

I am actually facing these FLS update violations for several objects in my source code from both the Force.com code scanner (Checkmarx) and the PMD analyzer. I do not understand whether to consider these as real violations or false positives.

I would sincerely appreciate the solution and best suggestions over this. TIA.

1 Answer


If you are dynamically checking the object AND field permissions before performing the dynamic DML (or SOQL) then the "failures" listed by Checkmarx and/or PMD are, indeed, false positives. Only checking the object permissions is not enough (unless you use something like Security.stripInaccessible too).

You should document any reports as false positives using whatever technique you prefer. Examples can be found in this Q&A and this other Q&A, with many other options available too (including laboriously listing them all in a document - though I recommend against that).

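Following the answer's point that object-level and field-level permissions both have to be checked before dynamic DML (or the fields stripped with Security.stripInaccessible), here is an added example, not code from the question or the answer, of a helper that resolves the concrete type at runtime and enforces both; the class name, the exception class and the fail-closed handling of stripped fields are assumptions.

```apex
// Added example (not from the question or answer above). Assumes the records
// were built dynamically as List<SObject>; names are illustrative.
public with sharing class DynamicDmlGuard {

    public class AccessException extends Exception {}

    // Checks object-level update access and field-level update access on
    // every field actually populated on the records, then performs the DML.
    public static void updateWithChecks(List<SObject> records) {
        if (records == null || records.isEmpty()) { return; }

        // Resolve the concrete type from the records instead of hardcoding it.
        Schema.DescribeSObjectResult objDescribe =
            records[0].getSObjectType().getDescribe();
        if (!objDescribe.isUpdateable()) {
            throw new AccessException('No update access on ' + objDescribe.getName());
        }

        // Collect the set of fields that will actually be written.
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        Set<String> fieldsToCheck = new Set<String>();
        for (SObject rec : records) {
            Map<String, Object> populated = rec.getPopulatedFieldsAsMap();
            for (String f : populated.keySet()) {
                // Id is never updateable; parent relationship values returned by
                // SOQL (e.g. a populated lookup object) are not written by DML.
                if (f == 'Id' || populated.get(f) instanceof SObject) { continue; }
                fieldsToCheck.add(f.toLowerCase());
            }
        }

        // Field-level check: every written field must be updateable by this user.
        for (String f : fieldsToCheck) {
            Schema.SObjectField sf = fieldMap.get(f);
            if (sf == null || !sf.getDescribe().isUpdateable()) {
                throw new AccessException('No update access on ' +
                    objDescribe.getName() + '.' + f);
            }
        }
        update records;
    }

    // Alternative: let the platform strip fields the user cannot update.
    // Here stripped fields are treated as an error instead of silently dropped.
    public static void stripAndUpdate(List<SObject> records) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, records);
        if (!decision.getRemovedFields().isEmpty()) {
            throw new AccessException('Fields stripped: ' + decision.getRemovedFields());
        }
        update decision.getRecords();
    }
}
```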
