ApexFlsViolationRule (Generally Available)
ApexFlsViolationRule detects Create, Read, Update, and Delete and Field-Level Security (CRUD/FLS) violations.
- Source
  - @AuraEnabled-annotated methods.
  - @InvocableMethod-annotated methods.
  - @NamespaceAccessible-annotated methods.
  - @RemoteAction-annotated methods.
  - Any method returning a PageReference object.
  - public-scoped methods on Visualforce Controllers.
  - global-scoped methods on any class.
  - Messaging.InboundEmailResult handleInboundEmail() methods on implementations of Messaging.InboundEmailHandler.
  - Any method targeted during invocation.
- Sink
  - All DML operations and their Database.method() counterparts: delete, insert, merge, undelete, update, and upsert.
  - SOQL queries and their Database.query counterpart.
- Sanitizer
  - Access check performed using Schema.DescribeSObjectResult. Acceptable only for operations that require CRUD-level checks, such as DELETE, UNDELETE, and MERGE.
  - Access check performed using Schema.DescribeFieldResult. Acceptable for operations that require FLS-level checks. Includes READ, INSERT, UPDATE, and UPSERT for standard data objects and custom objects.
  - SOQL queries that use WITH SECURITY_ENFORCED.
  - Lists filtered by Security.stripInaccessible.
Match any violation message that you receive with these cases to understand more about the violation.
Validation-Type validation is missing for Operation-Name operation on Object-Type with fields Comma-Separated-Fields
where:
- Validation-Type: Type of validation to be added. CRUD requires object-level checks, and FLS requires field-level checks.
- Operation-Name: Data operation that must be sanitized.
- Object-Type: Object on which the data operations happen. If Graph Engine couldn't guess the object type, you see the variable name or SFGE_Unresolved_Argument.
- Comma-Separated-Fields: Fields on which the data operation works. If you see Unknown as the only field or as one of the fields, Graph Engine doesn't have enough information to guess the fields, and you must determine the unlisted fields manually.
Validation-Type validation is missing for Operation-Name operation on Object-Type with fields Comma-Separated-Fields–Graph Engine couldn't parse all objects and fields correctly. Manually confirm if the objects and fields involved in these segments have FLS checks: Unknown-Segments
where:
- Validation-Type: Type of validation to be added. CRUD requires object-level checks, and FLS requires field-level checks.
- Operation-Name: Data operation that must be sanitized.
- Object-Type: Object on which the data operations happen. If Graph Engine couldn't guess the object type, you see the variable name or SFGE_Unresolved_Argument.
- Comma-Separated-Fields: Fields on which the data operation works. If you see Unknown as the only field or as one of the fields, Graph Engine doesn't have enough information to guess the fields, and you must determine the unlisted fields manually.
This case is the same as the common case, except that Graph Engine isn't confident about the object names or field names that it detected. You also see this clause when your field or object ends with __r. In both cases, review the relational field, object, and the unparsed segments to ensure that they have the required CRUD/FLS checks. Next, add an engine directive to force Graph Engine to ignore this warning in the next run.
The stripInaccessible warning is thrown for all stripInaccessible checks on the READ access type. Graph Engine can't ensure that the sanitized value returned by SecurityDecision is the value used in the code that follows the check. Confirm the values manually, then add an engine directive to force Graph Engine to ignore this warning in the next run. Or, disable these violations by using the --rule-disable-warning-violation flag or by setting its corresponding environment variable, SFGE_RULE_DISABLE_WARNING_VIOLATION, to true.
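The following hypothetical Apex class is an added example (not Code Analyzer's own code) that shows one source/sink pair the rule flags alongside each sanitizer pattern listed above, including the stripInaccessible READ case that still produces the warning described here; the class, method, and field names are assumptions.

```apex
// Hypothetical controller (added example, not Code Analyzer's own code).
// Every method is an @AuraEnabled source; comments name the sink and the sanitizer.
public with sharing class ContactExportController {

    // Sink: SOQL READ with no check. Graph Engine reports a missing FLS validation
    // for the READ operation on Contact with fields Email and Phone.
    @AuraEnabled
    public static List<Contact> unsafeRead() {
        return [SELECT Email, Phone FROM Contact LIMIT 100];
    }

    // Sanitizer: WITH SECURITY_ENFORCED. The query throws a QueryException if the
    // running user lacks read access to Contact, Email, or Phone.
    @AuraEnabled
    public static List<Contact> readWithSecurityEnforced() {
        return [SELECT Email, Phone FROM Contact WITH SECURITY_ENFORCED LIMIT 100];
    }

    // Sanitizer: Security.stripInaccessible. The rule still emits the stripInaccessible
    // warning for READ because it can't prove the caller uses decision.getRecords()
    // rather than the raw list; returning only the sanitized records is what to verify.
    @AuraEnabled
    public static List<Contact> readWithStripInaccessible() {
        List<Contact> raw = [SELECT Email, Phone FROM Contact LIMIT 100];
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, raw);
        return decision.getRecords();
    }

    // Sanitizer: Schema.DescribeFieldResult check for an UPDATE sink (an FLS-level
    // check is required, one per field written).
    @AuraEnabled
    public static void updatePhone(Id contactId, String phone) {
        if (!Schema.sObjectType.Contact.fields.Phone.isUpdateable()) {
            throw new AuraHandledException('No update access to Contact.Phone');
        }
        update new Contact(Id = contactId, Phone = phone);
    }

    // Sanitizer: Schema.DescribeSObjectResult check for a DELETE sink (a CRUD-level
    // check is enough; no per-field check is needed).
    @AuraEnabled
    public static void deleteContact(Id contactId) {
        if (!Schema.sObjectType.Contact.isDeletable()) {
            throw new AuraHandledException('No delete access to Contact');
        }
        delete new Contact(Id = contactId);
    }
}
```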
Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. Then, add an engine directive to skip the path. Next, create a GitHub issue for the Code Analyzer team that includes the error and stack trace. After we fix this issue, check the Code Analyzer release notes for more info. Error and stacktrace: [details]
Graph Engine encountered an error while walking this path. Manually verify that you have a sanitizer on the path, and then add an engine directive to skip the path. Next, create a GitHub issue for the Code Analyzer team that includes the error and stack trace so that we can research and resolve it. After we determine a fix for the issue, check Code Analyzer Release Notes for more info.
- YouTube: Create, Read, Update, and Delete (CRUD) and Field-Level Security (FLS) Violations
- Apex Developer Guide: Enforce Security With the stripInaccessible Method
- Apex Developer Guide: Enforcing Object and Field Permissions
- Apex Developer Guide: Filter SOQL Queries Using WITH SECURITY_ENFORCED
- Salesforce Code Analyzer FAQ