forcedotcom / sfdx-scanner


[BUG] LimitReached / InternalExecutionError when have @AuraEnabled on an Apex function #1323

Open Sourciluss667 opened 9 months ago

Sourciluss667 commented 9 months ago

scanner run dfa Issue Template

Fill out this template to submit your Code Analyzer issue.

Description:

I run `sf scanner run dfa --format=csv --outfile=CodeAnalyzerDFA.csv --target="./force-app/main/default/classes/helpers/LeewayOrganizationName.cls" --projectdir="./" --category="Security" --sfgejvmargs "-Xmx4g"` but get InternalExecutionError on a specific function. I tried a lot of things (removing the path limit, increasing the heap size, etc.) but always get InternalExecutionError. I noticed that if I remove @AuraEnabled(cacheable=false), I don't have the issue anymore!

Documentation:

sfge.log

Steps To Reproduce:

My function calls 2 other functions that also have @AuraEnabled, with 2 if statements.

```apex
// Class wrapper inferred from the --target path (LeewayOrganizationName.cls);
// the method body is as posted in the issue.
public class LeewayOrganizationName {

  // @AuraEnabled marks this method as an entry point; removing the
  // annotation makes the scanner error disappear.
  @AuraEnabled(cacheable=false)
  public static String refetchOrganizationName() {
    // First attempt: master account helper (also @AuraEnabled)
    String organizationName = LeewayRecordLeewayMasterAccount.fetchAndSaveOrganizationName();
    if (organizationName == null) {
      // Fallback: account helper (also @AuraEnabled)
      organizationName = LeewayRecordLeewayAccount.fetchAndSaveOrganizationName();

      if (organizationName == null) {
        return null;
      }
    }

    return organizationName;
  }
}
```

NB: LeewayRecordLeewayMasterAccount.fetchAndSaveOrganizationName() and LeewayRecordLeewayAccount.fetchAndSaveOrganizationName() don't produce errors when the scanner is run on those files.

Expected Behavior:

No problems in output file.

Screenshots:

Desktop:

OS: macOS Sonoma v14.1
Code Analyzer version: latest
Salesforce CLI version: @salesforce/cli/2.22.7 darwin-arm64 node-v20.10.0

Additional Context:

Workaround:

Without @AuraEnabled, the scan works correctly, but I can't remove it because my code doesn't work without it.

Urgency:

This blocks us from launching our Security review.

jfeingold35 commented 9 months ago

@Sourciluss667, you can document this as a false positive just as you would any other, so this isn't a blocker. Also, the reason that removing the @AuraEnabled annotation resolves the issue is that @AuraEnabled is one of the keywords that marks the method as an entry point for data flow analysis. This is clearly indicated in the documentation. Also-also, please include what the actual error message is, so we know what the actual problem is.

git2gus[bot] commented 8 months ago

This issue has been linked to a new work item: W-15080639

rmohan20 commented 7 months ago

Duplicate of #1294