Salesforce Graph Engine (Developer Preview)

Salesforce Graph Engine is an open-source Salesforce tool that performs complex analysis on Apex code and identifies security vulnerabilities and code issues. Graph Engine also performs more complex checks than an average static-analysis tool, because Graph Engine uses data-flow analysis.

Run this command to view the list of available Salesforce Graph Engine rules along with some information:

See Salesforce Graph Engine Rules Reference for additional details.

For information on how to modify rule settings, such as their severity or tags, see Customize Your Configuration. While the examples show modifying rules for the ESLint and Regex engines, you use the same process to modify Salesforce Graph Engine rules.

Data-flow analysis is a multi-step process.

Steps run by Salesforce Graph Engine:

  • The Apex Jorje compiler analyzes your code and returns a parse tree.
  • Graph Engine translates the parse tree into vertices and adds them to the Apache TinkerPop graph database.
  • Graph Engine builds code paths starting from each identified entry point.
  • Graph Engine walks each code path and, at every vertex, applies the selected rules together with the contextual data gathered along the path. Each rule evaluates this information and, where applicable, creates violations.

After Graph Engine completes walking the paths, it returns all issues collected as rule violations.

Rules register interest in specific types of vertices. For example, a Create, Read, Update, Delete, and Field-Level Security (CRUD/FLS) rule expresses interest in all vertices that perform Data Manipulation Language (DML) operations.
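As an added illustration, not taken from the Graph Engine documentation, here is the kind of Apex the CRUD/FLS rule walks: an `@AuraEnabled` method is an entry point, so Graph Engine builds a path from it to the `insert` vertex and looks for an object- and field-level create check on that path. The class, method and field names are assumed for illustration.

```apex
// Added example, not from the Graph Engine docs. Both methods are entry points
// (@AuraEnabled); the CRUD/FLS rule inspects the DML vertex (`insert`) each path reaches.
public with sharing class ContactService {

    // Produces a CRUD/FLS violation: the path reaches `insert` without any check
    // that the running user may create Contact records or write these fields.
    @AuraEnabled
    public static Id createContactUnchecked(String lastName, String email) {
        Contact c = new Contact(LastName = lastName, Email = email);
        insert c;
        return c.Id;
    }

    // Hardened form: the path to `insert` is guarded by Schema describe checks
    // for the object and for every field written, which is what the rule looks for.
    @AuraEnabled
    public static Id createContactChecked(String lastName, String email) {
        if (!Schema.sObjectType.Contact.isCreateable() ||
            !Schema.sObjectType.Contact.fields.LastName.isCreateable() ||
            !Schema.sObjectType.Contact.fields.Email.isCreateable()) {
            throw new AuraHandledException('Insufficient access to create Contact');
        }
        Contact c = new Contact(LastName = lastName, Email = email);
        insert c;
        return c.Id;
    }
}
```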

You can configure the Salesforce Graph Engine with the settings listed in this table. See Customize the Configuration for details on how to apply the settings.

Field (type): Description

  • disable_engine (boolean): Whether to turn off the 'sfge' engine so that it is not included when running Code Analyzer commands. Default value is false.
  • disable_limit_reached_violations (boolean): Whether to prevent 'sfge' from throwing LimitReached violations for complex paths. By default, Salesforce Graph Engine attempts to detect complex paths that might cause OutOfMemory errors, and throws LimitReached violations for these paths so that it can continue evaluating other paths safely. The allowed complexity is calculated dynamically from the maximum Java heap size available, but in some cases you may want to disable this check in addition to increasing java_max_heap_size. Default value is false.
  • java_command (string): Indicates the specific 'java' command associated with the JRE or JDK to use for the 'sfge' engine. May be provided as the name of a command that exists on the path, or as an absolute file path. If unspecified, or specified as null, an attempt is made to automatically discover a 'java' command from your environment. Default value is null.
  • java_max_heap_size (string): Specifies the maximum size (in bytes) of the Java heap. The specified value is appended to the '-Xmx' Java command option. The value must be a multiple of 1024 and greater than 2MB. Append the letters 'k', 'K', 'kb', or 'KB' to indicate kilobytes; 'm', 'M', 'mb', or 'MB' to indicate megabytes; and 'g', 'G', 'gb', or 'GB' to indicate gigabytes. If unspecified, or specified as null, the JVM dynamically chooses a default value at runtime based on system configuration. Default value is null.
  • java_thread_count (number): Specifies the number of Java threads available for parallel execution. Increasing the thread count allows Salesforce Graph Engine to evaluate more paths at the same time. Default value is 4.
  • java_thread_timeout (number): Specifies the maximum time (in milliseconds) a specific Java thread may execute before Salesforce Graph Engine issues a Timeout violation. Default value is 900000.