Free Security Source Code Scanner Revisited

An IDE (Eclipse-based) alternative to the PDF output of the scan results has been available for a couple of months, as described in the blog post Source Code Scanning. The “Scanning a project” section of the User Guide illustrates the benefit of having the scan results within the IDE: a perspective is provided that lets you click through the results and open the class or trigger at the lines that are significant.

A couple of things to note about the IDE-based version:

  • One step of the installation process took several minutes to complete and I was tempted to just cancel the installation, so be patient.
  • The scan is still done remotely and takes many minutes to complete unlike similar tools for other languages in Eclipse. So it only makes sense to run the scan occasionally.

It had been a few months since I last ran the scanner, and it identified about a dozen issues, so it was well worth the effort of running again. But the results do include a lot of false positives, making it fairly time consuming to separate out the real issues. Here are two examples that caused many false positives.

The first is a pattern to automatically initialize custom settings to their default values by indirecting through a class, and so avoid users having to click “Manage” on all the custom settings before the application can be used. The null guard ensures that only one DML operation is performed, but the scanner (understandably) sees this as a case of “DML statements inside loops” when the custom setting is referenced inside a loop in a trigger:

global with sharing class CustomSettings {
    global static DateConversionFactors__c getDateConversionFactors() {
        // Null guard: the upsert creates the org-level default once; every later
        // call falls through to the read below, so at most one DML ever runs.
        if (DateConversionFactors__c.getInstance() == null) {
            upsert new DateConversionFactors__c(SetupOwnerId = UserInfo.getOrganizationId());
        }
        return DateConversionFactors__c.getInstance();
    }
    // Other similar methods for other custom settings
}

The second is something that perhaps should be addressed in the scanner and concerns the “list or set iteration for loop”. In this example some SOQL is executed in the ProcessUtil.withoutApprovalProcess which is called once before the loop. But the scanner treats it as if it is within the loop and so incorrectly reports it as a “SOQL/SOSL statements inside loops” issue:

// The SOQL in withoutApprovalProcess runs once, when the iteration expression is evaluated
for (Id anId : ProcessUtil.withoutApprovalProcess(ids)) {
    // Other logic goes here
}
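Both false positives go away if the DML-guarded initialization and the SOQL-backed call are hoisted into their own statements before the loop, which also makes the per-transaction DML and SOQL count visible to a reviewer. The trigger handler below is an added example, not code from the original post; the Opportunity object, the handler class name, and the Set<Id> parameter type of ProcessUtil.withoutApprovalProcess are assumptions, while CustomSettings, DateConversionFactors__c and SetupOwnerId come from the post.

```apex
// Hypothetical trigger handler (added example, not the post's code). It keeps the
// single-DML initialization and the once-before-the-loop SOQL described in the post,
// but hoists both calls out of the loop so a loop-based static scan has nothing to
// flag and the governor-limit cost of the handler can be read off directly.
public with sharing class OpportunityTriggerHandler {

    public static void handleBeforeUpdate(List<Opportunity> newRecords) {
        // Called once per transaction. The null guard inside
        // CustomSettings.getDateConversionFactors() still means at most one upsert,
        // and because the call is outside the loop the scanner cannot read it as
        // "DML statements inside loops".
        DateConversionFactors__c factors = CustomSettings.getDateConversionFactors();

        // Collect the ids first, then run the SOQL-backed call in a statement that is
        // visibly outside the loop instead of in the for-loop's iteration expression.
        // Set<Id> is assumed as the parameter type; the Set constructor accepts either
        // a List<Id> or a Set<Id> return value.
        Set<Id> ids = new Set<Id>();
        for (Opportunity o : newRecords) {
            ids.add(o.Id);
        }
        Set<Id> eligible = new Set<Id>(ProcessUtil.withoutApprovalProcess(ids));

        // The loop body now contains neither SOQL nor DML, only in-memory work.
        for (Opportunity o : newRecords) {
            if (eligible.contains(o.Id)) {
                // Placeholder for the record-specific logic; SetupOwnerId is used
                // here only to show the settings instance is available in the loop.
                o.Description = 'Date factors owner: ' + factors.SetupOwnerId;
            }
        }
    }
}
```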

One thought on “Free Security Source Code Scanner Revisited”

  1. Thanks Keith. I will have the team look into these issues. If you run into any other false positives you can reach out to the team at securecloud [at] salesforce [dot] com. We’re very invested in making sure we root out as many false positives as possible and ensure the results are cleaner.
