ApexFlsViolationRule (Generally Available)

ApexFlsViolationRule detects Create, Read, Update, and Delete (CRUD) and Field-Level Security (FLS) violations: paths on which data reaches a DML operation or SOQL query from an externally reachable entry point without an object-level or field-level access check in between.

Source

@AuraEnabled-annotated methods.
@InvocableMethod-annotated methods.
@NamespaceAccessible-annotated methods.
@RemoteAction-annotated methods.
Any method returning a PageReference object.
public-scoped methods on Visualforce Controllers.
global-scoped methods on any class.
Messaging.InboundEmailResult handleInboundEmail() methods on implementations of Messaging.InboundEmailHandler.
Any method targeted during invocation.

Sink

All DML operations and their Database.method() counterparts: delete, insert, merge, undelete, update, and upsert.
SOQL queries and their Database.query counterpart.

Sanitizer

Access check performed using Schema.DescribeSObjectResult. Acceptable only for operations that require CRUD-level checks, such as DELETE, UNDELETE, and MERGE.
Access check performed using Schema.DescribeFieldResult. Acceptable for operations that require FLS-level checks: READ, INSERT, UPDATE, and UPSERT on standard and custom objects.
SOQL queries that use WITH SECURITY_ENFORCED.
Lists filtered by Security.stripInaccessible.
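The following Apex class is an added illustration, not code from the Code Analyzer documentation: a hypothetical controller (ContactCleanupController, assumed name) whose @AuraEnabled methods are sources, whose SOQL and DML statements are sinks, and which shows each accepted sanitizer next to the sink type it covers.

```apex
// Added example (not from the Code Analyzer docs). Class and method names are hypothetical.
public with sharing class ContactCleanupController {

    // SOURCE: @AuraEnabled entry point. SINK: SOQL query with no sanitizer on the path.
    // Graph Engine reports a missing FLS validation for the READ operation on Contact
    // with fields Email, LastName.
    @AuraEnabled
    public static List<Contact> unsafeRead(String lastName) {
        return [SELECT Email, LastName FROM Contact WHERE LastName = :lastName];
    }

    // Same query with WITH SECURITY_ENFORCED: the path is treated as FLS-sanitized.
    @AuraEnabled
    public static List<Contact> safeRead(String lastName) {
        return [SELECT Email, LastName FROM Contact
                WHERE LastName = :lastName WITH SECURITY_ENFORCED];
    }

    // Security.stripInaccessible on READ: return the records from the access decision,
    // not the raw list, because the rule can only warn here; it can't verify which list
    // the following code uses, so that check is yours.
    @AuraEnabled
    public static List<Contact> strippedRead(String lastName) {
        List<Contact> raw = [SELECT Email, LastName FROM Contact WHERE LastName = :lastName];
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, raw);
        return decision.getRecords();
    }

    // CRUD-level sink (DELETE): a Schema.DescribeSObjectResult check is the accepted
    // sanitizer, since DELETE needs object-level access only.
    @AuraEnabled
    public static void safeDelete(Id contactId) {
        if (!Schema.sObjectType.Contact.isDeletable()) {
            throw new AuraHandledException('Insufficient access to delete Contact');
        }
        delete new Contact(Id = contactId);
    }

    // FLS-level sink (UPDATE): a Schema.DescribeFieldResult check for every field written.
    @AuraEnabled
    public static void safeUpdate(Id contactId, String email) {
        if (!Schema.sObjectType.Contact.fields.Email.isUpdateable()) {
            throw new AuraHandledException('Insufficient access to update Contact.Email');
        }
        update new Contact(Id = contactId, Email = email);
    }
}
```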

Match any violation message that you receive with these cases to understand more about the violation.

Validation-Type validation is missing for Operation-Name operation on Object-Type with fields Comma-Separated-Fields

where:

Validation-Type

Type of validation to be added. CRUD requires object-level checks, and FLS requires field-level checks.

Operation-Name

Data operation that must be sanitized.

Object-Type

Object on which the data operations happen. If Graph Engine couldn’t guess the object type, you see the variable name or SFGE_Unresolved_Argument.

Comma-Separated-Fields

Fields on which the data operation works. If you see Unknown as the only field or as one of the fields, Graph Engine doesn't have enough information to guess the fields, and you must determine the unlisted fields manually.

Validation-Type validation is missing for Operation-Name operation on Object-Type with fields Comma-Separated-Fields – Graph Engine couldn't parse all objects and fields correctly. Manually confirm if the objects and fields involved in these segments have FLS checks: Unknown-Segments

where:

Validation-Type

Type of validation to be added. CRUD requires object-level checks, and FLS requires field-level checks.

Operation-Name

Data operation that must be sanitized.

Object-Type

Object on which the data operations happen. If Graph Engine couldn’t guess the object type, you see the variable name or SFGE_Unresolved_Argument.

Comma-Separated-Fields

Fields on which the data operation works. If you see Unknown as the only field or as one of the fields, Graph Engine doesn't have enough information to guess the fields, and you must determine the unlisted fields manually.

This case is the same as the common case, except that Graph Engine isn't confident about the object names or field names it detected. You also see this clause when a field or object name ends with __r, that is, when a relationship field is involved. In both cases, review the relationship field, its object, and the unparsed segments to ensure that they have the required CRUD/FLS checks. Then add an engine directive so that Graph Engine ignores this warning in the next run.

The stripInaccessible warning is reported for every stripInaccessible check with the READ access type. Graph Engine can't confirm that the sanitized value returned by SecurityDecision is the value used in the code that follows the check, so the check alone doesn't prove the path is safe. Confirm manually that the code uses the sanitized records, then add an engine directive so that Graph Engine ignores this warning in the next run. Alternatively, disable these warning violations with the --rule-disable-warning-violation flag or by setting its corresponding environment variable, SFGE_RULE_DISABLE_WARNING_VIOLATION, to true.

Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. Then, add an engine directive to skip the path. Next, create a GitHub issue for the Code Analyzer team that includes the error and stack trace. After we fix this issue, check the Code Analyzer release notes for more info. Error and stacktrace: [details]

Graph Engine encountered an error while walking this path. Manually verify that you have a sanitizer on the path, and then add an engine directive to skip the path. Next, create a GitHub issue for the Code Analyzer team that includes the error and stack trace so that we can research and resolve it. After we determine a fix for the issue, check Code Analyzer Release Notes for more info.