+ Start a Discussion
Testing Org 20Testing Org 20 

Managed Package Without Sharing Coming As Vulnerability IN Checkmarx Code Review

Hi ,

I am trying to build a managed package and while running a check marx code scane I am coming across the security risk on sharing keyword. And on further drilling it is stating like "All entry points to an app (Global or Controller classes) must use the 'with sharing' keyword. Classes without this keyword run without sharing if they are entry points to your code, or with the sharing policy of the caller. Do not omit the sharing declaration as this hides critical security information in side-effects that can change when code is refactored. Only declare classes as 'without sharing' if they are not entry points to your app and if they only modify objects whose security is managed by your code (such as wizard state, or fields in a site). It is a common misconception to believe that batch apex or async apex must run with the global keyword. This is not true, the only classes that must be global are those that expose webservices or are intended to be used by extension packages. All async apex should run as public in order to avoid creating privileged entry points to your app." My controllers have without sharing mentioned and I want it to execute in System Mode only so please can you suggest how to overcome the security risk.
sai man 1sai man 1
Hi ,

I also had a similar kind of issue . Please let me know if you have got any solution.
amit verma 31amit verma 31
I am also facing the same issue. Please let me know how to resolve this.