Release Notes 4.3
CodeScan 4.3
New Features
New Apex Security Hotspots
Deserializing JSON Is Security-Sensitive: Deserializing an object from an untrusted source is security-sensitive. An attacker could modify the content of the data.
Encrypting Data Is Security-Sensitive: Encrypting data is security-sensitive. Although most encryption problems are solved or managed by Salesforce, care must be taken when relying on encryption.
Type Reflection Is Security-Sensitive: Dynamically executing code is security-sensitive. If the code comes from an untrusted source, the untrusted source may be able to choose which code to run.
Using Cookies Is Security-Sensitive: Attackers can use widely available tools to view the cookie and read the sensitive information. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
Using UserInfo.GetSessionId() Is Security-Sensitive: The use of UserInfo.GetSessionId() is security-sensitive. Ensure that you need to do this.
New Visualforce Security Hotspots
Using GETSESSIONID() and $API.Session_Id is security-sensitive: The use of GETSESSIONID() and $API.Session_Id is security-sensitive. Ensure that you need to do this.
Quality Profiles
Removed Unescaped Source rule from default Apex profile (v4.3.12).
Removed deprecated rule javascript: S2228 from Salesforce Lightning Quality Profile (v4.3.9).
Enhancements
SonarQube™ Ant task has been updated to 2.6.0.1.
SOQL Injection Rule updated and improved. (v4.3.11)
Open Redirect Rule updated and improved. (v4.3.11, v4.3.12)
Bug Fixes
Bug fixed in RightLineBracesPositions rule.
Bug fixed in Field Level Security Vulnerabilities rule. (v4.3.10)
Bug fixed in Preserve Stack Trace Rule. (v4.3.12)
Bug fixed in Unescaped Source Rule. (v4.3.12)