forcedotcom / sfdx-scanner

MIT License

Facing graph Engine error in DFA report #1503

Closed keshav-ksolves closed 3 months ago

keshav-ksolves commented 3 months ago

We are encountering an error in the DFA report, which is necessary to get resolved for submitting our application for the Salesforce security review. The error message is as follows:

"Graph Engine reached the path expansion upper limit (1597). The analysis preemptively stopped running on this path to prevent an OutOfMemory error. Rerun Graph Engine and target this entry method with a larger heap space."

Note: This error is coming from a class that is currently global and we can't change that to public because that will not fulfill our requirement.

Steps to reproduce the behavior:

  1. Open VS Code
  2. Execute the following command: sf scanner run dfa --format csv --outfile CodeAnalyzerDFA.csv --target ./ --projectdir ./ --category Security

System:
OS: Ubuntu 22.04.3
Scanner version: Code Analyzer v3

Urgency: We have to submit the package for security review.

Attaching the DFA report below: CodeAnalyzerDFA.csv

stephen-carter-at-sf commented 3 months ago

@keshav-ksolves Regarding the out of memory errors regarding heap space, have you tried going through our troubleshooting guide and recommendations:
https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/troubleshooting.html
https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/working-with-graph-engine.html#limitreached-errors

Please give this a try first and report back here.

keshav-ksolves commented 3 months ago

@stephen-carter-at-sf - Thanks for your response. These are the below findings:

  1. In the first link, it is mentioned that outOfMemoryError occurs for js files, though in our case this error comes from an Apex class.
  2. We have already tried the second method by increasing the memory, though it results in another error in the DFA report: Path evaluation timed out after 9000000 ms

Apart from this, we have already tried to increase the path limit by including --> pathlimit -1 in the command

Let me know if I am missing out on something.

stephen-carter-at-sf commented 3 months ago

There is an "Issues using Salesforce Graph engine" section of the troubleshooting page that I meant to refer you to: https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/troubleshooting.html

But if you have tried to increase the memory with the --sfgejvmargs flag, have increased the thread count with --rule-thread-count, and have increased the timeout with --rule-thread-timeout and still have no success... this might simply mean that you are hitting up against the limits of what our current version of Salesforce Graph Engine can do.

Increase the timeout and let it run over night... and let us know. And please try to use the latest version we have available (which has some memory fixes in it):

sf plugins install @salesforce/sfdx-scanner@latest-beta

keshav-ksolves commented 3 months ago

Hi @stephen-carter-at-sf - As you said, I tried to increase the time to around 30000000 ms (approx. 8 hours), and after executing the command I received the "Path evaluation timed out after 30000000 ms" error.

Note: I have updated the scanner version as per your suggestion.

keshav-ksolves commented 3 months ago

Hi @stephen-carter-at-sf - Please respond on above comment. Thanks

jfeingold35 commented 3 months ago

@keshav-ksolves , could you please clarify what version of the Code Analyzer you're on? What does sf plugins tell you?

jfeingold35 commented 3 months ago

@keshav-ksolves , observation: It looks like you're on version 3.x. In v4.x, we've fixed the causes for most OutOfMemory errors. You might still see timeouts, but at least the memory issues will be resolved. Also, to be clear, OutOfMemory and Timeout errors are not blockers for security review. You can document them in your submission the same way you'd document any other false positive.
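Before deciding what to rerun with more heap or timeout, it helps to separate the two engine messages quoted in this thread from ordinary rule violations in the CSV report. This is an added Python example, not code from the thread or from the sfdx-scanner project; the CSV column names, file paths and sample rows are constructed assumptions for illustration.

```python
import csv
import io
import re
from collections import Counter

# Message fragments copied from the errors quoted in this thread.
LIMIT_REACHED = "reached the path expansion upper limit"
TIMED_OUT = "Path evaluation timed out after"

# Constructed sample in the shape of a DFA CSV report. The column names and
# file paths are assumptions made for this example, not the scanner's schema.
SAMPLE_CSV = """Severity,File,Line,Description
1,classes/AccountService.cls,12,"FLS validation is missing for [READ] operation on [Account]"
3,classes/GlobalApi.cls,1,"Graph Engine reached the path expansion upper limit (1597). The analysis preemptively stopped running on this path to prevent an OutOfMemory error. Rerun Graph Engine and target this entry method with a larger heap space."
3,classes/GlobalApi.cls,40,"Path evaluation timed out after 9000000 ms"
"""


def classify(description):
    """Label one report row: engine limit, engine timeout, or a real finding."""
    if LIMIT_REACHED in description:
        return "limit"
    if TIMED_OUT in description:
        return "timeout"
    return "finding"


def engine_detail(description):
    """Pull the numeric detail out of an engine message (path count or ms)."""
    match = re.search(r"upper limit \((\d+)\)|timed out after (\d+) ms", description)
    if not match:
        return None
    return int(match.group(1) or match.group(2))


def triage(csv_text):
    """Separate engine-limit rows from rule violations.

    Returns per-class counts plus the (file, line, kind, detail) entry points
    that hit an engine limit, so they can be rerun with a larger heap or
    timeout, or listed separately when reviewing the report.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    counts = Counter(classify(r["Description"]) for r in rows)
    limited = sorted(
        (r["File"], int(r["Line"]), classify(r["Description"]), engine_detail(r["Description"]))
        for r in rows if classify(r["Description"]) != "finding"
    )
    return {"counts": dict(counts), "engine_limited": limited}
```

Run it against a real CodeAnalyzerDFA.csv by reading the file into `triage`; only the `Description` handling is specific to the messages quoted here, the column names must match your report.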

jfeingold35 commented 3 months ago

@keshav-ksolves , additionally, the Writing Graph-Engine Friendly Code page has some tips for small refactors you can do to your code that will help alleviate timeouts. You may wish to consult that page.

keshav-ksolves commented 3 months ago

Hi @jfeingold35 - Thanks for your response. I have updated the scanner version to the latest beta version as suggested by @stephen-carter-at-sf, and we have followed the best practices as mentioned in the documentation. Apart from that, for mentioning in the false positive documentation, could you please provide us with any documentation or link that states that these types of errors don't affect security review, as I have to mention it as proof or clarification for the errors.

Thanks

jfeingold35 commented 3 months ago

@keshav-ksolves , Step 8 on this page is "Document any false positives".

keshav-ksolves commented 3 months ago

Hi @jfeingold35 - I have gone through this article. Could you please provide me with any documentation or link where it states that OutOfMemory and Timeout errors don't impact security review.

stephen-carter-at-sf commented 3 months ago

@keshav-ksolves I'll talk with our internal security review team about updating our https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/security_review_code_analyzer_scan.htm page with some more guidance on your questions. As developers, we don't know all that is required for security review for our ISV partners. But we will make sure to follow up with them.

rrajaram-salesforce commented 3 months ago

@keshav-ksolves Can I suggest you set up non-technical office hours using the Partner Security Portal? You will receive the relevant help with your submission.

stephen-carter-at-sf commented 3 months ago

Internal response from someone from security:

I really don't want partners to do additional work of documenting timeouts/out of memory errors. That has no benefit for partners or the reviewers; partners are expected to upload the SFCA report anyway.

So just run the report and submit it with the security review.

Going to close this issue for now.

keshav-ksolves commented 3 months ago

Thanks @stephen-carter-at-sf @jfeingold35 for your support and help.