forcedotcom / sfdx-scanner

MIT License

[BUG] FLS validation is missing for [INSERT] operation on [Invoice__c] with field(s) [Unknown]. #1187

Open RiyazRanger opened 1 year ago

RiyazRanger commented 1 year ago

Describe the bug: FLS validation is missing for [INSERT] operation on [Invoice__c] with field(s) [Unknown]. FLS validation is missing for [UPDATE] operation on [Invoice__c] with field(s) [Unknown].

Rule: ApexFlsViolationRule

Urgency: How is this business stopping? We are planning to publish an application on AppExchange; due to this error we are stuck and unable to publish.

To Reproduce: Steps to reproduce the behavior:

    @AuraEnabled
    public static Invoice__c invUpsertPermissionCheck(List<Invoice__c> invList){
        // Save the updated record
        //update invoiceRecord;
        // upsert can insert or update, so both object- and field-level
        // create and update permissions are checked before the DML
        if (Invoice__c.SObjectType.getDescribe().isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Invoice_status__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Account__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Contact__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.To_Email_Addresses__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Email_CC__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Email_Bcc__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Billing_Address__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Term__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Invoice_Date__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Due_Date__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.PlaceOfSupply__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Authorized_Sign__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Amounts_are__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Message_Of_Invoice__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Message_On_Statement__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Terms_And_Condition__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Amount_In_Words__c.isCreateable() &&
            Schema.sObjectType.Invoice__c.fields.Company_Name__c.isCreateable() &&

            Invoice__c.SObjectType.getDescribe().isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Invoice_status__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Account__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Contact__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.To_Email_Addresses__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Email_CC__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Email_Bcc__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Billing_Address__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Term__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Invoice_Date__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Due_Date__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.PlaceOfSupply__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Authorized_Sign__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Amounts_are__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Message_Of_Invoice__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Message_On_Statement__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Terms_And_Condition__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Amount_In_Words__c.isUpdateable() &&
            Schema.sObjectType.Invoice__c.fields.Company_Name__c.isUpdateable()
        ) {
            upsert invList[0];
            return invList[0];
        }else{
            return null;
        }
    }

Expected behavior: I have to resolve this error to pass the security review: FLS validation is missing for [INSERT] operation on [Invoice__c] with field(s) [Unknown].

Screenshots: [Screenshot 2023-09-20 at 3:12:33 PM]

Desktop:

OS: iOS
Scanner Version: v0.1.1 sfdx-cli/7.209.6 darwin-x64 node-v18.15.0

Workaround: Have you found any ways to sidestep the problem? No

johnbelosf commented 1 year ago

Hi @RiyazRanger quick question - how do you know that the invoice records in invList only contain the fields that you're checking create/update permissions for? Have you considered using stripInaccessible? (https://developer.salesforce.com/docs/atlas.en-us.apexref.meta/apexref/apex_class_System_Security.htm?&_ga=2.98372698.458285507.1695030905-45447492.1693816767#topic-title)
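As an added example (not code from the issue author or from the sfdx-scanner project), here is how the upsert from the report could delegate the field-level check to Security.stripInaccessible, as johnbelosf suggests. The object and field names come from the issue; the method name, the explicit object-level check and the decision to fail closed when fields are stripped are assumptions made for this example.

```apex
// Added example, not code from the issue or from sfdx-scanner. It reworks the
// reporter's invUpsertPermissionCheck so that the platform decides which fields
// the running user may write, instead of enumerating every field by hand.
// Object/field names are from the issue; the method name is an assumption.
@AuraEnabled
public static Invoice__c invUpsertStripInaccessible(List<Invoice__c> invList) {
    if (invList == null || invList.isEmpty()) {
        return null;
    }

    // Object-level CRUD is still checked explicitly: an upsert may insert or
    // update, so both permissions are required (mirrors the reporter's checks).
    Schema.DescribeSObjectResult invDescribe = Invoice__c.SObjectType.getDescribe();
    if (!invDescribe.isCreateable() || !invDescribe.isUpdateable()) {
        return null;
    }

    // Field-level check: UPSERTABLE strips any populated field the running
    // user cannot both create and update, whatever the caller happened to set.
    // This is what closes the gap johnbelosf points out: the check covers the
    // fields actually present on the records, not a hand-maintained list.
    SObjectAccessDecision decision = Security.stripInaccessible(
        AccessType.UPSERTABLE, invList
    );

    // Fail closed (assumption for this example): if anything was stripped,
    // surface it rather than silently persisting a partial invoice.
    // getRemovedFields() is keyed by object API name.
    Map<String, Set<String>> removed = decision.getRemovedFields();
    if (removed.containsKey('Invoice__c') && !removed.get('Invoice__c').isEmpty()) {
        throw new AuraHandledException(
            'Missing field access on Invoice__c: '
            + String.join(new List<String>(removed.get('Invoice__c')), ', ')
        );
    }

    // Cast the first sanitized record back to the concrete type before DML;
    // upsert is not permitted on a generic List<SObject>.
    Invoice__c safeRecord = (Invoice__c) decision.getRecords()[0];
    upsert safeRecord;
    return safeRecord;
}
```

Failing closed is a deliberate choice here: stripInaccessible alone would let the upsert proceed with the inaccessible fields removed, which is safe for the data but can leave the Lightning component believing a field was saved when it was not. Surfacing the removed fields makes that outcome visible to the caller.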

RiyazRanger commented 1 year ago

I created a wrapper for this to send values to the invList; below is my wrapper class:

    @AuraEnabled
    public static Invoice__c convertWrapperToInv(InvoiceFormWrapper invWrapObj){
        Invoice__c inv = new Invoice__c();
        if(invWrapObj.invId != null && invWrapObj.invId != ''){
            System.debug('Inside the invId not null cond');
            inv = new Invoice__c(Id=invWrapObj.invId);
        }else{
            inv.Invoice_status__c = invWrapObj.invStatus; //Always passing Draft as value incase of creation
        }
        //inv.Name = invWrapObj.name; //Need to know the naming convention
        inv.Account__c = invWrapObj.accId;
        inv.Contact__c = invWrapObj.conId;
        inv.To_Email_Addresses__c = invWrapObj.primaryConEmailAddresses; //NewlyCreated - Need to create a field for this
        inv.Email_CC__c = invWrapObj.ccEmailAddresses;
        inv.Email_Bcc__c = invWrapObj.bccEmailAddresses;
        inv.Billing_Address__c = invWrapObj.billingAddress;
        inv.Term__c = invWrapObj.termLabel; //term ==> Not use
        inv.Invoice_Date__c = invWrapObj.invoiceDate;
        inv.Due_Date__c = invWrapObj.dueDate;
        inv.PlaceOfSupply__c = invWrapObj.placeOfSupply; //NewlyCreated - Need to create a field for this
        inv.Authorized_Sign__c= invWrapObj.authSign;
        inv.Amounts_are__c = invWrapObj.parentTaxSelectedOption;
        inv.Message_Of_Invoice__c = invWrapObj.msgOnInv;
        inv.Terms_And_Condition__c = invWrapObj.termsAndCond;

        Decimal strToDec = invWrapObj.total != null ? decimal.valueOf(invWrapObj.total) : 0.0;
        inv.Amount_In_Words__c =  invWrapObj.currencyCode + ' ' +invWrapObj.currencyCodeName + ' '+
                                    InvoiceFormController.getCurrencyInWords(strToDec) + ' Only';

        inv.Message_On_Statement__c = invWrapObj.msgOnStmt;
        inv.Company_Name__c = invWrapObj.companyName;

        return inv;
    }

vc4u commented 1 year ago

We're getting a similar kind of error in one of our scans as well, but not sure if the issue is the same. Can anyone confirm whether this is a new issue or the same as this one?

    ContentDocumentLink cdl= new ContentDocumentLink();
    cdl.ContentDocumentId   = cvId;
    cdl.LinkedEntityId      = recordId;
    cdl.ShareType           = 'V';
    cdl.Visibility          = 'AllUsers';
    // user-mode DML: the platform enforces object and field permissions itself
    Database.SaveResult sr  = Database.insert(cdl, AccessLevel.USER_MODE);

At line Database.insert we're getting following error in DFA report:

FLS validation is missing for [INSERT] operation on [ContentDocumentLink] with field(s) [ContentDocumentId,LinkedEntityId,ShareType,Visibility].

In any case, the scanner should not be reporting a violation at all on this DML statement.

jfeingold35 commented 1 year ago

@vc4u , I'm fairly confident this is a separate issue.

jfeingold35 commented 1 year ago

@vc4u , the behavior you're mentioning here actually has significant overlap with #1180 . We can probably roll it into that Issue. But it's not related to this one.

vc4u commented 1 year ago

@jfeingold35 Thanks for confirming. Whatever works best for you and the team, just didn't want to add something to issues that may already be addressed in another logged bug :-)

RiyazRanger commented 1 year ago

@johnbelosf any update on this query?

git2gus[bot] commented 7 months ago

This issue has been linked to a new work item: W-15080471