forcedotcom / sfdx-scanner

MIT License

[BUG] Path evaluation timed out after 9000000 ms #1642

Closed OrangeHarry closed 3 days ago

OrangeHarry commented 3 days ago

Have you tried to resolve this issue yourself first?

Yes

Bug Description

Hello, we are preparing to upload the ISV package. Path evaluation timed out after 9000000 ms

There are over 50 methods with the above defect, and we are working to reduce code complexity. What is the maximum time required to pass the security standards?

There are some that pass after running for 3 hours, and there are others that pass after running for over 10 hours. If it just takes a long time and passes, is there no problem with the sequence? Or is there a standard for up to how many hours?

In another post on GitHub, I read a message asking to test up to 52000000 ms (about 14 hours). If it actually passes like that, is it a false positive or a pass? I would appreciate it if you could tell me about the maximum time.

Output / Logs

Path evaluation timed out after 9000000 ms

Steps To Reproduce

Path evaluation timed out after 9000000 ms

Expected Behavior

Path evaluation timed out after 9000000 ms

Operating System

Windows 11 Pro / 23H2 / 22631.4037

Salesforce CLI Version

@salesforce/cli/2.60.13 win32-x64 node-v20.11.1

Code Analyzer Plugin (@salesforce/sfdx-scanner) Version

@salesforce/sfdx-scanner 4.5.0

Java Version

openjdk version "11.0.17" 2022-10-18 LTS

Additional Context (Screenshots, Files, etc)

No response

Workaround

No response

Urgency

High

stephen-carter-at-sf commented 3 days ago

First, what command did you run? If you used the "run dfa" command, then yes, the analysis could indeed take a very long time given the nature of examining and walking all the possible paths. But there is no requirement to have the dfa perform at a certain time for security assessments. Lately, I feel like folks have been posting thinking that there are a set of requirements to have code analyzer run and perfectly pass before security assessment takes place. I don't believe this is the case. The goal of code analyzer is to help you detect obvious issues before the security assessment. But the tooling isn't perfect and is only meant to help... not be a hard-and-fast requirement.

Maybe the phrasing over at https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/security_review_code_analyzer_scan.htm is what is confusing folks. It says

As an AppExchange partner submitting your managed package for security review, you must scan it with Salesforce Code Analyzer and provide test results in your solution’s AppExchange Security Review submission. This scan is in addition to the scan that you must complete using the tools provided in the Partner Security Portal.

But if the results contain violations that are false positives, or if the results are that a timeout has occurred... then those are indeed the results. Ideally you would have zero violations and everything would run without timing out... but that's not always the case. The goal is to simply run the report ahead of time and fix obvious issues, which simply saves the security team some time. But if your code is too complex for the data flow analysis to finish within a given period of time... then you simply report that along with the results from the "run" command.
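To show why walking every path can take hours on a single method, and what "reducing code complexity" for the data flow engine can look like, here is an added Apex example. It is not code from this issue or from the sfdx-scanner project, and the class, method names and field names are illustrative (the Order fields used are standard ones). The path counts in the comments follow a simplified model that is my assumption, not something this page states: the engine starts at an entry point such as an @AuraEnabled method, follows every feasible control-flow path to a sink (a SOQL query or DML statement), and every independent if-block met before the sink doubles the number of paths it has to evaluate.

```apex
// Added example; not from the issue or the sfdx-scanner project.
// Illustrates path explosion in front of a SOQL sink and one way to cut it.
//
// Assumed model for the counts below: each independent if-block that sits
// between the entry point and the sink doubles the number of paths, and
// branching that happens after the last sink is not counted against it.
public with sharing class OrderSearch {

    // BEFORE: four independent optional filters precede the query.
    // Each if-block is taken or skipped on its own, so the query at the
    // bottom is reachable on 2^4 = 16 distinct paths, each of which the
    // engine has to evaluate separately. Twenty such filters would give
    // 2^20 (about a million) paths, which is where timeouts start.
    @AuraEnabled
    public static List<Order> searchBefore(Map<String, String> filters) {
        List<String> clauses = new List<String>();
        if (filters.containsKey('status')) {
            clauses.add('Status = \'' + String.escapeSingleQuotes(filters.get('status')) + '\'');
        }
        if (filters.containsKey('type')) {
            clauses.add('Type = \'' + String.escapeSingleQuotes(filters.get('type')) + '\'');
        }
        if (filters.containsKey('minTotal')) {
            clauses.add('TotalAmount >= ' + Decimal.valueOf(filters.get('minTotal')));
        }
        if (filters.containsKey('accountId')) {
            clauses.add('AccountId = \'' + String.escapeSingleQuotes(filters.get('accountId')) + '\'');
        }
        String soql = 'SELECT Id, Status, Type, TotalAmount, AccountId FROM Order';
        if (!clauses.isEmpty()) {
            soql += ' WHERE ' + String.join(clauses, ' AND ');
        }
        // Sink: reached on 2^4 paths. The object-level check runs once at
        // run time, but the engine still has to prove it on every path.
        if (!Schema.sObjectType.Order.isAccessible()) {
            throw new AuraHandledException('No access to Order');
        }
        return Database.query(soql);
    }

    // AFTER: the sink is moved in front of the branching. The permission
    // check and the query sit in a straight-line helper, so there is one
    // path to the sink, and the optional filters are applied to the result
    // afterwards, where no SOQL or DML sink remains for the engine to check.
    // Trade-off: the query over-fetches and filtering runs in Apex, so this
    // shape suits bounded result sets. For large tables keep a dynamic query
    // but build it from an exclusive if/else-if chain (n+1 paths) instead of
    // n independent if-blocks (2^n paths).
    @AuraEnabled
    public static List<Order> searchAfter(Map<String, String> filters) {
        List<Order> all = loadOrders(); // the only sink, on a single path
        List<Order> out = new List<Order>();
        for (Order o : all) {
            if (filters.containsKey('status') && o.Status != filters.get('status')) { continue; }
            if (filters.containsKey('type') && o.Type != filters.get('type')) { continue; }
            if (filters.containsKey('minTotal')
                && o.TotalAmount < Decimal.valueOf(filters.get('minTotal'))) { continue; }
            if (filters.containsKey('accountId')
                && String.valueOf(o.AccountId) != filters.get('accountId')) { continue; }
            out.add(o);
        }
        return out;
    }

    // Straight-line helper: nothing branches between the permission check
    // and the query, so the engine has exactly one path to evaluate here.
    private static List<Order> loadOrders() {
        if (!Schema.sObjectType.Order.isAccessible()) {
            throw new AuraHandledException('No access to Order');
        }
        return [SELECT Id, Status, Type, TotalAmount, AccountId FROM Order
                WITH SECURITY_ENFORCED LIMIT 2000];
    }
}
```

The point is the shape, not the specific fields: a single `WHERE` builder that grows by one independent `if` per optional filter doubles the work of a path-sensitive engine each time, and the methods that time out after hours are usually the ones with a dozen or more such blocks in front of a query or DML statement. Raising the per-rule timeout (the `run dfa` command's `--rule-thread-timeout`, to my understanding of the CLI; the flag is not named on this page) only buys time; restructuring so that sinks sit behind few, exclusive branches removes the exponent.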