forcedotcom / sfdx-scanner

MIT License

[BUG] Consolidation of InternalExecutionError for "manual verify that you have a sanitizer" issues. #1497

Open stephen-carter-at-sf opened 1 month ago

stephen-carter-at-sf commented 1 month ago

Have you tried to resolve this issue yourself first?

Yes

Bug Description

The Salesforce Graph Engine has a number of cases that are currently not supported. These manifest themselves to users with an error message that says:

Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. Then, add an engine directive to skip the path. Next, create a Github issue for the Code Analyzer team that includes the error and stack trace. After we fix this issue, check the Code Analyzer release notes for more info. Error and stacktrace: ...

Since this is occurring more frequently, we would like to consolidate all user reported cases in this issue to clean up our issue backlog.

If you have received this error, please add a comment below with your stack trace instead of creating a new issue. Otherwise, the issue you create will just be duplicated to this one.

Output / Logs

No response

Steps To Reproduce

sf scanner run dfa ...

Expected Behavior

People expect this to just work and give proper violation messages instead of telling them to create an issue for our team to look at.

Operating System

Various

Salesforce CLI Version

Various

Code Analyzer Plugin (@salesforce/sfdx-scanner) Version

Various

Java Version

Various

Additional Context (Screenshots, Files, etc)

No response

Workaround

No response

Urgency

Low

stephen-carter-at-sf commented 1 month ago

Issues where this has been reported:

git2gus[bot] commented 1 month ago

This issue has been linked to a new work item: W-15923250

jason-actico commented 4 weeks ago

I'm facing this same issue and I need to submit my org for a security review this week. Should I go ahead and submit it or will this violation cause me to fail the security review?

Correct me if I'm wrong, but this is a bug in the Salesforce Code Analyzer, right?

@rmohan20 @stephen-carter-at-sf

yippie commented 2 weeks ago

I just received this error:

Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. Then, add an engine directive to skip the path. Next, create a Github issue for the Code Analyzer team that includes the error and stack trace. After we fix this issue, check the Code Analyzer release notes for more info. Error and stacktrace: NullPointerException: null: java.base/java.util.concurrent.ConcurrentSkipListMap.computeIfAbsent(ConcurrentSkipListMap.java:1459);com.salesforce.graph.vertex.SyntheticTypedVertex.get(SyntheticTypedVertex.java:41);com.salesforce.graph.symbols.apex.ApexMapValue.apply(ApexMapValue.java:188);com.salesforce.graph.symbols.PathScopeVisitor.handleApexValueMethod(PathScopeVisitor.java:1487);com.salesforce.graph.symbols.PathScopeVisitor.afterVisit(PathScopeVisitor.java:1242);com.salesforce.graph.symbols.DefaultSymbolProviderVertexVisitor.afterVisit(DefaultSymbolProviderVertexVisitor.java:800)

jvg123 commented 1 week ago

We received 6 of these, all with identical error and stack:

UnexpectedException: 
BooleanExpression{properties={FirstChild=false, Operator=&&, BeginLine=35, DefiningType_CaseSafe=utils, LastChild=false, DefiningType=Utils, EndLine=35, childIdx=1, BeginColumn=14}}: com.salesforce.graph.ops.MethodTypeMatchUtil.getTypeFromSymbol(MethodTypeMatchUtil.java:167);
com.salesforce.graph.ops.MethodTypeMatchUtil.parameterTypesMatch(MethodTypeMatchUtil.java:150);
com.salesforce.graph.ops.MethodUtil.getInvoked(MethodUtil.java:358);
com.salesforce.graph.ops.MethodUtil.getInvoked(MethodUtil.java:158);
com.salesforce.graph.ops.MethodUtil.getPaths(MethodUtil.java:703);
com.salesforce.graph.ops.expander.ApexPathExpander.resolveMethodCall(ApexPathExpander.java:849)

Example code structure (names changed):

// Subclass whose @AuraEnabled static method delegates to a same-named static
// method on its base class; BaseClass (defined elsewhere) is not shown.
public with sharing class SubClass extends BaseClass{
    @AuraEnabled
    public static CustomApexType[] methodName(
        String someId,
        String anotherId
    ) {
        // Constructs an instance of this subclass (first constructor argument
        // is null) and passes it to the base-class method that is then resolved
        // by Graph Engine via MethodUtil.getInvoked in the stack trace above.
        return BaseClass.methodName(
            new SubClass(null, someId),
            anotherId
        );
    }
}

Side note: adding /* sfge-disable-stack ApexFlsViolationRule */ to these methods has no effect
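The error message quoted in the issue asks the user to confirm that a sanitizer exists on the flagged path and then add an engine directive to skip it. The following is an added illustration of that workaround, not code from the issue or from the sfdx-scanner project: the class, its fields and the query are hypothetical, and the directive placement (directly above the method declaration) and the sanitizers (Security.stripInaccessible, WITH SECURITY_ENFORCED) are taken from the Code Analyzer documentation rather than from this page.

```apex
// Added example (hypothetical class): applies an FLS sanitizer on each path and
// then uses a method-level engine directive so Graph Engine skips the path it
// could not finish analysing.
public with sharing class ContactExport {

    // Read path: WITH SECURITY_ENFORCED makes the query fail if the running
    // user lacks read access to any selected field, so the caller never
    // receives fields it cannot see.
    @AuraEnabled(cacheable=true)
    public static List<Contact> readContacts(String accountId) {
        return [
            SELECT Id, Email, Phone
            FROM Contact
            WHERE AccountId = :accountId
            WITH SECURITY_ENFORCED
        ];
    }

    // Write path: stripInaccessible removes fields the user cannot update
    // before the DML runs. After verifying this by hand, the directive on the
    // next line tells ApexFlsViolationRule to skip every path starting here
    // (placement above the declaration is an assumption from the docs).
    @AuraEnabled
    /* sfge-disable-stack ApexFlsViolationRule */
    public static void updateEmails(List<Contact> contacts) {
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, contacts);
        update decision.getRecords();
    }
}
```

Note that the directive only suppresses ApexFlsViolationRule findings on that method's call stack; it does not change the internal error reported in this issue, which is why the side note above observes that adding it has no effect.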