Salesforce Code Review Tools

By: Sergii Grushai

May 8, 2020

Salesforce Code Review tools

Salesforce Application Development

PMD. SonarQube. CheckMarx. Code Scan

Salesforce Code check is a software development process which involves testing the source code to identify bugs at an early stage. It is an effective way to prevent bugs and errors at an early stage of software development process by improving the code quality.

Purpose and importance of the Code review?
Why should you use Salesforce review tools?
List of tools available for Salesforce AppExchange App Development
PMD
SonarQube
Check Marx
Code scan

Purpose and Importance of the Code check in Salesforce Application Development

Code quality is very important to the maintainability and longevity of the Salesforce application which ensures a consistent design and implementation. Below are few factors which effects the Salesforce Code quality.

Due to the lack of experience, some younger Salesforce AppExchange developers might be unaware of optimization techniques that could be applied on their code.

Cost of Repair in different development stages.

01. Lack of expertise

Due to the lack of experience, some young Salesforce AppExchange developers might be unaware of optimization techniques that could be applied on their code.

02. Distributed team

Team distributed over places having difference in agreement on the rules and techniques to be followed.

03. Company culture

Company focusing on quantity and pace over quality leading to be over-committing things and compromise on the quality.

04. Objective vs Subjective

There will always be the subjective factors differing from the facts and rules that may lead to compromise in the quality.

05. Pressing deadlines

The deadlines on cost and time will lead to the compromise.

The cost of Code quality improvement/repair increases with every next development stage. Below is the pictorial representation of the Cost of repair based in the different Salesforce development stages.

The above factors emphasize the importance of the code check process. Below are the main goals of the Code check process.

Defect free, well documented Salesforce application.
Application complying with Enterprise coding standards.
High Code quality increases the Market reputation.
Decreased cost of repair.

Review takes place during all stages of Salesforce development, except with small projects such as demos and experiments that are designed to be written quickly and probably thrown away. During the final stages of development, code reviews greatly reduces the number of regression bugs and ensure that company coding practices are not abandoned. Using best approaches of the review, the process can greatly mitigate the costlier QA defects that are found right before launch.

Better code check and code quality helps the Salesforce app in the below areas.

Salesforce AppExchange APplication Development

Salesforce AppExchange App Development

We perform custom Salesforce Development aligning with Salesforce

Salesforce Custom Development

We combine our Project Management and Salesforce Custom Development

Salesforce Health Check

We combine our Project Management and Salesforce Customizations

Salesforce Integrations

Peeklogic team integrates various apps with Salesforce CRM to make your

Better Salesforce apex check and code quality helps the Salesforce app in the below areas

Readability and Maintainability

Consistency

Performance

Exception Handling

Why should you use Code review tools for Salesforce App Development?

Code check can be carried out in many ways. Review tools are helpful for Salesforce AppExchange App Development Below are few of the effective review techniques

01. Over-the-shoulder

Salesforce AppExchange developer looks over the author's shoulder as the latter walks through the code

02. Email pass-around

Source code management system emails code to reviewers automatically after check-in is made. The code will be merged only when it is approved by the reviewer

03. Pair Programming

Two authors develop code together at the same workstation. One Salesforce AppExchange developer is called the driver who writes the code while another called the observer, reviews each line of code as it is typed in. The two programmers switch their roles frequently

04. Using Salesforce App apex review tools

Authors and reviewers use specialized tools designed for peer code review

A Code Analysis tool automates the code audit process. They help in static code check which is essential to deliver a reliable software application. With a review tool, a team can:

Create templates and checklists for certain types of reviews
Conduct remote, real-time reviews at each member’s convenience

Capture metrics automatically on your review process and defects

Available code check Salesforce App Development tools?

There are many code analysis tools available for Salesforce app development performing static check of Salesforce app apex, lightning and LWC codebase. Below are few things that can be considered while choosing a code check tool for the Salesforce AppExchange application.

Salesforce Application Code review available for Salesforce App Development?

There are many review tools for Salesforce Application Development performing static code analysis of Salesforce app apex, lightning and LWC codebase. Below are few things that can be considered while choosing a review code tool for the Salesforce AppExchange application development.

Code Review for Salesforce App

01. Prevent security vulnerabilities

The Cyber criminals have increasingly found ways to steal from businesses with applications—particularly web-based applications. So, it’s important to make sure the web applications hosted in Salesforce app store are secure. The Salesforce app apex review should be able to detect security issues such as cross site scripting, Prevent XSS in lightning applications, prevent SOQL/SOSL injections etc.

02. Pinpoint Performance bottlenecks

The performance bottlenecks like SOQL inside for loop, nested loops, heap limit issues etc needs to be addressed by the review tool for Salesforce Application.

03. Identify testing weaknesses

The tool checks on the test classes for the apex class as per the Salesforce app coding best practices such as assert statements, test data etc.

04. Enforce coding standards

Salesforce development documentation lists down the coding best practices and standards to be followed while writing code of Salesforce app. Tool should have the ruleset defining this standard of Salesforce Development.

05. Present bad coding practices

Identifying the bad coding practices and make sure the governor limits are adhered by the Salesforce App.

06. Find and remove complex unclean code.

A way to identify the commented line of code of Salesforce Application and unused methods in salesforce application apex method.

Below are few of the Salesforce app cool review tools that are tried and tested in Salesforce applications. Peeklogic – the Salesforce Development Company is more then happy to share our experience.

PMD
SonarQube
Check Marx
Code scan

PMD

PMD stands for Programming Mistake Detector. It is an open source tool for static code analysis for Apex and Visualforce pages which finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth. It contributed to Java, Apex and many other programming languages.

PMD features many built-in rules which are well documented in the Rule references for each language. They also support an extensive API to write your own rules based on the Salesforce AppExchange or user defined best practices.

PMD is most effective when it to integrated into the build process. PMD can be basically run by different mediums like as a Maven goal, Ant task, VS Code plugin, Command line etc. It can be run within the IDE as code is being written to identify flaws before they’re even compiled or pushed to the server.

PMD tool overview

PMD has a set of built-in rules available for both Apex and visualforce pages. Below is the defined ruleset available in PMD for Apex. All the ruleset is given a priority which defines the seriousness of the issue.

Best Practices

These rules will generally enforce the best approaches followed as per the Salesforce app development guidelines.
• ApexUnitTestClassShouldHaveAsserts: Test class methods having an assert statement to verify the test results is as per the design.
• ApexUnitTestShouldNotUseSeeAllDataTrue: Test class shouldn’t use the data from the org, instead test data must be created.
• AvoidLogicInTrigger: Trigger logic must be written in the separate handler classes.
• UnusedLocalVariable: A variable if declared must be used in the code somewhere.

Code Style

The rules which enforces a specific coding style that has been considered as a standard.
• ClassNamingConventions: Rule is to have the name of the class in pascal case.
• FieldDeclarationsShouldBeAtStart: All the field declarations to be at the start of the class.
• FieldNamingConventions: Fields should be named in camel case.
• ForLoopsMustUseBraces: The for loop should be opened and closed with braces.

Design

These rules help in identifying the design issues.
• AvoidDeeplyNestedIfStmts: Avoid using deeply nested if statements in the logic.
• ExcessiveClassLength: A class shouldn’t be burdened with excessive amount of functionalities.
• ExcessiveParameterList: A method in the class shouldn’t include too many parameters.
• TooManyFields: An object shouldn’t have too many custom fields created.

Documentation

They are rules related to code documentation.
• ApexDoc: It talks about the class level and method level comments to be added in the code for better readability.

Error Prone

They are rules to detect portion of code that are either broken, extremely confusing or prone to runtime errors.
• ApexCSRF: Not using DML operations in the apex class constructors or initializers to avoid security alert.
• AvoidDirectAccessTriggerMap: Avoid directly accessing the record using trigger events like Trigger.new or Trigger.old.
• AvoidHardcodingId: Avoid hardcoding of the record ids or parameter ids in the code.
• EmptyCatchBlock: The exception catch statement should have an error logging mechanism in place.

Performance

They are rules to raise a flag on suboptimal code which will lead to performance issues.
• AvoidDmlStatementsInLoops: Avoid DML statements within for loops and while loops to avoid hitting the governor limits.
• AvoidSoqlInLoops: Avoid using SOQL within loops to query records from the object.
• AvoidSoslInLoops: Not to use the SOSL within loops as well to avoid hitting governor limits.

Security

These rules highlight the probable security flaws in the code.
• ApexBadCrypto: The rule makes sure you are using randomly generated IVs and keys for Crypto calls.
• ApexCRUDViolation: The rule validates you are checking for access permissions before a SOQL/SOSL/DML operation.
• ApexSOQLInjection: This detects the usage of untrusted / unescaped variables in DML queries.
• ApexSharingViolations: It detects classes declared without explicit sharing mode if DML methods are used.

Visualforce

• VfCsrf: Avoid calling VF action upon page load as the action becomes vulnerable to CSRF.
• VfUnescapeEl: Avoid unescaped user-controlled content in EL as it results in XSS

Benefits

It is an Open source which doesn’t have any licensing cost involved.
It can run static code analysis standalone.
It can be part of ANT build to generate error reports or used as an Eclipse or VS Code plugin.
It can then be used as a quality gate, to enforce a coding standard for your code-base.
The Copy/Paste Detector (CPD) is an add-on to PMD that uses the Rabin–Karp string search algorithm to find duplicated code.

Limitations

PMD can review only Apex and visualforce pages. The code doesn’t review Lightning and LWC Components.
It is time consuming if conducted manually.
No capability to detect logical errors.
It cannot be used as a plus and play tool to list out all the issues in the org.

Peeklogic Jira Connector

Our Products

Smart Duplicate Manager

Our Products

Peeklogic Report Sender PRO

Our Products

Checkmarx for Salesforce App Development

Checkmarx is a highly accurate and flexible Source Code Analysis product for Salesforce Development that allows organizations to automatically scan pre-compiled code and identify hundreds of security vulnerabilities in the most prevalent coding languages.

Checkmarx offers two types of code analyzer tools for Salesforce app development. One is a free static code analyzer tool named force.com scanner formed by a collaboration of Checkmarx with Salesforce AppExchange which runs for only 1 Project at a time with a restriction of 30000 lines of code and supporting Apex, Visualforce, Javascript and HTML

Second is a licensed version named Checkmarx CxSAST with the capacity of unlimited projects and unlimited lines of code providing instant on-demand scanning and supporting more than 20+ languages. CxSAST comes with an extensive list of hundreds of preconfigured queries for known security vulnerabilities for each programming language. Below are the basic differences between the 2 versions available.

With Salesforce AppExchange having 2500+ applications providing different services using the Apex code base, application security in a major concern. It mainly faces threats like cross site scripting (XSS), SOQL and SOSL injections, frame spoofing and more. Few of the main vulnerabilities Checkmarx has been able to detect are.

Cross Site Scripting
SOQL Injections
SOSL Injections
Frame Spoofing
Access Control Issues

Salesforce AppExchange App Development

Checkmarx suite during the static code check looks for data flows from Source to sinks

Sources

Sinks

Sanitizers

Examples of a vulnerable SOQL queries are below.

query1 = “Select Name, Status From Opportunity Where ID = ‘ ” +test+” ’ ”
query2 = “Select Id, Name, From Account LIMIT 5”

This approach will also lead to some false positives and false negatives. The trade between false positives and negatives must be defined. The code scan in the checkmarx can be done in an incremental way or load the whole source code together. The results after the full scan is provided as below.

There is a priority of the vulnerability already in place and so it is differentiated as High, medium and low risk vulnerabilities. Evaluating the whole source code, a risk level is also given in percentage.

Checkmarx tool review

BENEFITS

It is a web app where team can raise a request for the code scan and post processing results report will be shared on mail.
Checkmarx delivers a platform for DevOps and CI environments by redefining security’s role in the SDLC while operating at the speed of DevOps.
Solution enables engagement teams to analyze both live and in-development software source code
Reduces costs and eliminates the problem of having to deal with many security vulnerabilities close to release.

LIMITATIONS

It does not offer an in-house dynamic application security testing solution.
Engagement teams may not share the software or license keys with others.
Lacks report designer for creating custom reports.
Some rigid rule-sets result in false positives and false negatives.

SonarQube in Salesforce App Development

SonarQube is an automatic review code tool to detect bugs, vulnerabilities and code smells in the code. It can integrate with the existing workflow to enable continuous code inspection across the project branches.

It has a Community edition which is a free version, having features like static code analysis for about 15 languages. It also detects bugs and vulnerabilities, reviews security hotspots, generates code quality metrics etc. It also has the Developer and Enterprise edition with additional functionalities. We can visit the SonarQube documentation to know more on the additional features in the process of Salesforce Development.

The Apex analysis here has a great coverage of well-established quality standards. This capability is available throughout the development chain for automated check with self-hosted SonarQube or cloud-based SonarCloud. The rules here are mainly grouped under 4 buckets for Salesforce Apex.

Bugs

- URLs of Salesforce pages should be relative and not absolute
- DML statements should not be used inside loops.
- Record IDs should be hardcoded.
- Triggers should process records in bulk.
- Variables should not be self-assigned.

Code Smells

- Cognitive Complexity of functions should not be too high.
- Switch statements should have when else clauses.
- String literals should not be duplicated.
- SeeAllData should be false in test methods.
- Messages should not be hardcoded.

Vulnerabilities

- Sharing level should be specified in Apex classes with SOQL/SOSL queries or DML statements.
- Credentials should not be hard-coded.

Security Hotspot

- Executing SOQL, SOSL or DML queries without sharing or with sharing
- Using hardcoded IP addresses.

BENEFITS

It scans code based on predefined compliance rules for a project
SonarQube supports the Enterprise Value Delivery (EVD) methods for consistent delivery approach across projects.
Tracks historic data for the project.
Provides web browser enabled access for greater visibility for quality metrics.
Identifies issues prior to the code check ins

LIMITATIONS

It doesn’t support SAP ABAP.
SonarQube can only be used in conjunction with a current engagement.
Lacks compatibility information around tool integration versions and performance of some plugins.

CodeScan for Salesforce Application Development

Codescan is an end to end code analysis solution to ensure quality and security of orgs on the Salesforce AppExchange platform. It is lightning ready and exclusively available for Salesforce. They don’t have a free version to run the code base. Their mission is to empower Salesforce AppExchange developer teams in all levels to develop faster, better, cleaner and more efficient.

Codescan has around 500+ security and quality rules for Apex, Visualforce, Lightning and Metadata. It integrates directly with Salesforce and all popular CI/CD Pipelines. It mainly focuses on the below metrics.

Control Quality

CodeScan maintains the quality of the code throughout development while allowing you to customize own metrics of quality gates.

Track technical Debt

It provides the ability to track the amount of technical debt in the projects to plan the refactoring effort.

Save time on Code analysis

Reduces significant amount of time spent in manual apex review.

Boost Security

It makes sure the code is secure with selection of security rules on CWE and OWASP standards

Productivity

Automation of the reviews results in cleaner code in production and thus increase productivity.

Enforce standards

It applies coding rules and standards and standardizes the way we look at code and peer review process.

CodeScan supports both cloud based and self hosted options, the IDE plugins helps AppExchange developers to get the review on real time to address any issues with the code quality. It includes rich and intuitive dashboard with mission critical metrics. It has shown to reduce the production issues to be reduced by 60%.

CodeScan differentiates from the other Open source Salesforce Development review tools, with its capacity to check not only Apex and Visualforce issues, but also Lightning Component and Javascript related issues and standards. Compared to around 35 checks in PMD, codescan offers 500 ruleset.

BENEFITS

It increases product quality with best practice standards and effective governance.
Integration with JIRA and a host of other tools are available through SonarQube.
CodeScan IDE Plugins provide real-time automated feedback “as you type”.
Apart from Apex and Visualforce, it also has rules for lightning aura and web components.

LIMITATIONS

It is not open source. License cost is involved.
Possibility of false positive alarm on correct code.
No capability to detect logical errors.

S4 - SaaS Security Scanner for Salesforce

DigitSec’s flagship product, S4, is a one-of-a-kind product designed to rapidly identify insecurities in SaaS environments. S4 identifies vulnerabilities in Apex code developed using the Force.com development environment. It is a cloud-based application and uses a combination of static code analysis and runtime testing.

Below is the 4-step process implemented by S4:

Review Environment Configuration

S4 for Salesforce reviews the configurations of a Salesforce org and identifies flaws

Scan Source Code

S4 uses a robust client-side static code analysis engine to create call flows to identify CRUD/FLS flaws. It uses data flow analysis to associate Visualforce components to their associated controllers.

Generate Custom Fuzzer

S4 uses white-box fuzzing to rapidly identify injection flaws within Force.com code. All vulnerabilities identified during run-time testing contain Proof of Concept (PoC) exploits. This ensures there are no false positives.

Fuzz Live Salesforce Run-time Instance

S4 launches the custom fuzzer in the installed organization and can be scaled out to as many organizations as needed. All code analyzed remains within the organization preserving intellectual property of the code base.

S4 Design

S4 can be run in both production and in a staging or test environment such as Salesforce Sandbox. The following design represents S4’s system architecture:

Salesforce Metadata API
Used to retrieve, deploy, create, update or delete customizafion informafion such as custom object definifions and page layouts.
Salesforce Tooling API
Helps you build custom development tools or apps for Lightning Platform applicafions.
Salesforce Database
A powerful and intuifive data persistence layer.
Static Engine
Parses your code and converts it into runnable commands.
Runtime Engine
Provides objects to Javascript so it can interact with the outside world.

S4 Key Features

01.

Static Code Analysis

S4 uses a robust client-side static code analysis engine to create call flows to identify CRUD/FLS flaws. It uses data flow analysis to associate Visualforce components to their assoc. controllers.

02.

White-box Fuzz Testing

S4 uses white-box fuzzing to rapidly identify injection flaws within cloud services. All vulnerabilities identified during runtime testing contain Proof of Concept (PoC) exploits. This ensures there are no false positives.

03.

Signature Based Testing

S4 comes with various signatures, or patterns known to cause common vulnerabilities in code. Based on these different signature, S4 can uncover flaws other security scanners might miss.

04.

Lightning Components

S4 analyzes the security elements and flaws associated with Lightning components.

05.

Unlimited Scale Out

S4 is installed per organization and can be scaled out to as many organizations as needed. All code analyzed remains within the organization preserving intellectual property of the code base.

06.

No Code Limits

With S4, there are no limitations on the size the code base being scanned. This is to ensure your Salesforce instance will recieve an accurate and complete security review.

07.

Unlimited Scans

There is no limit in regards to the number of scans you can run on a single Salesforce instance. With unlimited scans, S4 can become a part of your organiztations regular security testing.

08.

Salesforce Apex Code Vulnarability tracking

Vulnerability Tracking

S4 saves the different vulnerabilities it finds in cases. These cases can then be tracked in Salesforce to allow for easier analysis and remediation.

S4 Results

With one click, users can pull up an Application Security Report comprised of detailed findings from S4’s scan. Each finding is prioritized based on the level of risk and impact to the organization’s data. From there, S4 provides remediation recommendations and clear guidance on how to effectively fix findings

Need Help with Salesforce App Development?

Austin, TX 78759, USA