CodeScan 4.3

New Features

New Apex Security Hotspots

• Deserializing JSON Is Security-Sensitive: Deserializing an object from an untrusted source is security-sensitive. An attacker could modify the content of the data.

• Encrypting Data Is Security-Sensitive: Encrypting data is security-sensitive. Although most encryption problems are solved or managed by Salesforce, care must be taken when relying on encryption.

• Type Reflection Is Security Sensitive: Dynamically executing code is security-sensitive. If the code comes from an untrusted source, the untrusted source may be able to choose which code to run.

• Using Cookies Is Security-Sensitive: Attackers can use widely available tools to view the cookie and read the sensitive information. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.

• Using UserInfo.GetSessionId() Is Security-Sensitive: The use of UserInfo.GetSessionId() is security-sensitive. Ensure that you need to do this.

New Visualforce Security Hotspots

• Using GETSESSIONID() and $API.Session_Id is security-sensitive: The use of GETSESSIONID() and $API.Session_Id is security-sensitive. Ensure that you need to do this.

Quality Profiles

• Removed Unescaped Source rule from default Apex profile (v4.3.12).

• Removed deprecated rule javascript: S2228 from Salesforce Lightning Quality Profile (v4.3.9).

Enhancements

• SonarQube™ Ant task has been updated to 2.6.0.1

• SOQL Injection Rule updated and improved.(v4.3.11)

• Open Redirect Rule updated and improved. (v4.3.11, v4.3.12)

Bug Fixes

• Bug fixed in RightLineBracesPositions rule.

• Bug fixed in Field Level Security Vulnerabilities rule. (v4.3.10)

• Bug fixed in Preserve Stack Trace Rule (v4.3.12)

• Bug fixed in Unescaped Source Rule (v4.3.12)