Open kryvyifedir opened 1 week ago
"Key" is a reserved word that I believe the security team is more comfortable flagging every time to alert you to at least check even though it might report false positives. I'll ask a member of our security team to respond to this thread to give more info.
What type of file is this getting flagged on? Is it xml, apex, or something else? I ask because I'm not sure if you can just add a suppressing annotation or comment for the violation that is being flagged. See https://docs.pmd-code.org/latest/pmd_userdocs_suppressing_warnings.html
@rrajaram-salesforce I was able to reproduce and it looks as if the ProtectSensitiveData rule isn't even looking at the code... it's just looking at the file names. For example, if I just take any sample salesforce project and rename one of the object fields, like /main/default/objects/SomeObject__c/fields/SomeField__c.field-meta.xml
to instead be /main/default/objects/SomeObject__c/fields/Key__c.field-meta.xml
then I get the violation
Key__c is a potential auth token in a custom AppExchange Security Review https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/ProtectSensitiveData.md
This is one of the pmd appexchange rules... but since it doesn't parse code - I don't see a mechanism that users can suppress the violation since it is purely based on file name. Does this rule have another mechanism it can look for to suppress false positives?
@kryvyifedir I understand your concern; Where the reported issue is not a security vulnerability, there is no need for the developer to do anything. There is no need to issue a false positive explanation either when submitting for security review; unlike the issues reported in Apex/VF/Aura etc,. where some business logic explanation may be warranted, for a security engineer to better understand the rational behind why a security pattern was not used. When the reviewers - that use the same rules - review the issue like this one, they will notice that the field does not carry an authentication token and will never report a vulnerability. However, unfortunately since there is no way to "track" the reported issue - in xml - as a false positive (Apex allows for annotations so that future PMD scans do not report the issue) the issue will be reported again in a future scan; but developers can ignore the reported issue. I can issue a fix that will not detect the string "key" - but I'm certain there are other strings that fall into a similar category where string matching will result in false positives. Infact, the rule is capable enough to report only those key words that map to a text data type and ignore any other data types (integer, date time etc,.) Hope this helps; I'll explore PMD further to see if there is a way to track previously reported issues as false positives in XML (similar to annotations or comments for Apex)
@rrajaram-salesforce Thank you for your response. Unfortunately, my concern is somewhat multi-faceted, so let me explain it a bit more.
Let's start from my specific example and my project:
And now, I want to address the issue that I have specifically with this check (without the context of my project):
Also, I appreciate that only text data type fields are being flagged but I think it would be nice also to check that the flagged field is not a formula (as you understand, users and code can't save any security info in this field, so if other fields in the table are not flagged - formula can't expose anything)
@kryvyifedir Just so you are aware @rrajaram-salesforce is on the SF Security Review team. He is saying, it doesn't raise concerns with him. I agree that we should work towards having this violation something you can exclude. It is simply at this point going to have to be an enhancement request for us to work on... so we will keep this issue open.
@stephen-carter-at-sf thank you for your support, I will be looking forward for the future updates for this. I am also planning a new release in November so I will be able to update this thread with the result of security review of my app
Have you verified this is Salesforce Code Analyzer specific?
Yes
Description
I have a 2GP package that was released on the AppExchange in June 2024. This package includes a couple of Custom sObjects that have "Keyc" fields. Since sfdx-scanner update to 4.2.0 these fields are flagged by "ProtectSensitiveData", with the issue: "Keyc is a potential auth token in the object".
Link to a .md file with the rule: https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/ProtectSensitiveData.md
While I understand the intent behind this rule, but it has a couple of problems behind it:
I can deal with it by reporting this as false-positive to SF Security Review Team, but this requires manual work every time I do a release
The bigger issue is that now, I can't use --engine pmd-appexchange in CI/CD since it will always produce an issue
Output / Logs
No response
Steps To Reproduce
Expected Behavior
No violations were found
Operating System
MacOS Sequoia 15.0
Salesforce CLI Version
@salesforce/cli/2.60.13 darwin-arm64 node-v20.13.1
Code Analyzer Plugin (@salesforce/sfdx-scanner) Version
@salesforce/sfdx-scanner 4.2.0 (4.2.0)
Additional Context (Screenshots, Files, etc)
No response
Workaround
I can report this to SF Security Team as false-positive, but I would have to do that every time I am releasing an update
Urgency
High