reettik mitra

What are the Aura: Async Code and Sharing Violation vulnerabilities from the security review of the application (AppExchange)?

I was creating an application to publish on AppExchange, so I had submitted the application for security review, but the report contained:

We have completed the security review of your application. Unfortunately, we have found some issues which concern us, and thus, at this time we cannot approve your application for final listing. Trust and security are core values at Salesforce, and we are committed to working with you to resolve those issues. The following vulnerabilities need to be resolved:
- Aura: Async Code
- Sharing Violation
Can anyone explain the actual reasons for these issues?
Best Answer chosen by reettik mitra
Anudeep (Salesforce Developers)
- Sharing Violation

You cannot pass security review with classes marked as without sharing; the security scanner will always report these files as a security violation.

Without sharing gets flagged by the security scanner because you can write code that disregards the organization's security model with it. It's important to only use without sharing when absolutely necessary, and that's why it always gets blanket-flagged as a security violation.

The security scanner is a useful tool for determining security weaknesses in your application, but it should not be treated as if your org is insecure until you have fixed all the issues it points out. As you pointed out, some code will require the without sharing keyword, and I have also seen the security scanner report false positives on other security issues.

I recommend reviewing Example Responses to False Positives in Checkmarx Scan Results.

I am unsure about the Async Code violation. However, I recommend reporting these security vulnerabilities to Salesforce via email at security@salesforce.com.

See the Security Vulnerability Finding Submittal Guide to learn more.

Let me know if this helps. If it does, please mark this answer as best so that others facing the same issue will find this information useful. Thank you.
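An added illustration of the sharing-keyword point above (example code, not from the answer or from the asker's application): the same lookup with and without record-level sharing enforced, plus a helper reused from a Schedulable job. Each class would live in its own file; class and method names are hypothetical, and only standard Account fields are used.

```apex
// Flagged by the security review: 'without sharing' runs in system context,
// so the @AuraEnabled method returns Account records the calling user has
// no sharing access to. (Hypothetical class, for illustration only.)
public without sharing class AccountLookupUnsafe {
    @AuraEnabled(cacheable=true)
    public static List<Account> findByName(String fragment) {
        String pattern = '%' + fragment + '%';
        // Sharing rules are ignored here; any Account in the org can be read.
        return [SELECT Id, Name FROM Account WHERE Name LIKE :pattern];
    }
}

// Corrected form: 'with sharing' enforces the org's sharing rules for the
// running user, and WITH SECURITY_ENFORCED additionally enforces object- and
// field-level security on the query.
public with sharing class AccountLookup {
    @AuraEnabled(cacheable=true)
    public static List<Account> findByName(String fragment) {
        String pattern = '%' + fragment + '%';
        return [SELECT Id, Name FROM Account
                WHERE Name LIKE :pattern
                WITH SECURITY_ENFORCED];
    }
}

// A helper that is called both from UI controllers and from a scheduler
// (the asker's situation). 'inherited sharing' takes the sharing mode of its
// caller, and runs as 'with sharing' when it is itself the entry point, so it
// never silently drops to system context.
public inherited sharing class AccountHelper {
    public static Integer countVisibleAccounts() {
        return [SELECT COUNT() FROM Account];
    }
}

// Scheduler that reuses the helper. Because the scheduler is declared
// 'with sharing', the inherited-sharing helper enforces sharing rules here.
public with sharing class NightlyAccountCount implements Schedulable {
    public void execute(SchedulableContext sc) {
        Integer visible = AccountHelper.countVisibleAccounts();
        System.debug('Accounts visible to the running user: ' + visible);
    }
}
```

Leaving the sharing keyword off a class entirely is what the asker describes missing: such a class inherits its caller's mode, but as an entry point (an Aura controller, a scheduled job) it runs without sharing.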

reettik mitra
Upon further investigation I found out that I missed the 'with sharing' in one of my Apex classes, and also that that Apex class is used in the scheduler class. Is this the reason I am getting the Aura: Async Code security vulnerability?