You need to sign in to do that
Don't have an account?
Preyanka Ghosh
Controller without sharing is not allowed in Managed package Checkmarx Code Review
Hello Team,
I am trying to build a managed package and while running a checkmark code scan I am getting below message grouped as "Apex Serious Security Risk"
Message from Checkmarx: "All entry points to an app (Global or Controller classes) must use the 'with sharing' keyword. Classes without this keyword run without sharing if they are entry points to your code, or with the sharing policy of the caller. Do not omit the sharing declaration as this hides critical security information in side-effects that can change when code is refactored. Only declare classes as 'without sharing' if they are not entry points to your app and if they only modify objects whose security is managed by your code (such as wizard state, or fields in a site). It is a common misconception to believe that batch apex or async apex must run with the global keyword. This is not true, the only classes that must be global are those that expose webservices or are intended to be used by extension packages. All async apex should run as public in order to avoid creating privileged entry points to your app."
My controllers have without sharing mentioned and I wanted it to execute in System Mode only, hence could you please suggest how to overcome the security risk.
Thanks
I am trying to build a managed package and while running a checkmark code scan I am getting below message grouped as "Apex Serious Security Risk"
Message from Checkmarx: "All entry points to an app (Global or Controller classes) must use the 'with sharing' keyword. Classes without this keyword run without sharing if they are entry points to your code, or with the sharing policy of the caller. Do not omit the sharing declaration as this hides critical security information in side-effects that can change when code is refactored. Only declare classes as 'without sharing' if they are not entry points to your app and if they only modify objects whose security is managed by your code (such as wizard state, or fields in a site). It is a common misconception to believe that batch apex or async apex must run with the global keyword. This is not true, the only classes that must be global are those that expose webservices or are intended to be used by extension packages. All async apex should run as public in order to avoid creating privileged entry points to your app."
My controllers have without sharing mentioned and I wanted it to execute in System Mode only, hence could you please suggest how to overcome the security risk.
Thanks
Can you try without mentioning the "with/withsout sharing" key word on class definition?
Thanks,
Ishwar Shinde
Yes by default, apex code run in system context. But If I am not mentioning with/without sharing, I am getting the same error message from checkmarx.
Hence I have mentioned without sharing in my controller class but no luck. As per the message I am receiving, I have to mentioned with sharing, but I donot want to do so as I want it to be run in System context.
Thanks
Preyanka