IGCTO

Test Methods With No Assert

CxViewer reports 6 Test Methods With No Assert and no other warnings or threats.  Can we proceed to security review without fixing these? 

 

Even if not required to fix for security review, is there likely to be any benefit to fixing these?

 

Starz26

Asserts test the functionality of the code (does it do what it is supposed to?).

 

If you are writing code to just cover lines, you may see unexpected results, especially when you update other code that is interdependent. Good test classes cover both lines of code and desired functionality.
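
The difference between covering lines and testing functionality, as an added example that is not part of the original post or anyone's actual code. `OrderTotals`, `DiscountException` and the test names are hypothetical; in an org the two top-level classes would live in separate files.

```apex
// Hypothetical class under test (assumption, not from the thread).
public class OrderTotals {
    public class DiscountException extends Exception {}

    // Returns the order total after a percentage discount, rounded to 2 places.
    public static Decimal applyDiscount(Decimal total, Decimal percent) {
        if (total == null || percent == null || percent < 0 || percent > 100) {
            throw new DiscountException('percent must be between 0 and 100');
        }
        return (total * (100 - percent) / 100).setScale(2);
    }
}

@isTest
private class OrderTotalsTest {
    // Coverage only: runs the lines but verifies nothing, so a broken
    // calculation still passes. This is the "no assert" pattern.
    @isTest
    static void coverageOnly() {
        OrderTotals.applyDiscount(200, 10);
    }

    // Same call, but the expected result is pinned down.
    @isTest
    static void appliesDiscount() {
        Test.startTest();
        Decimal result = OrderTotals.applyDiscount(200, 10);
        Test.stopTest();
        System.assertEquals(180.00, result, 'A 10% discount on 200 should be 180');
    }

    // The failure path is asserted too: invalid input must be rejected.
    @isTest
    static void rejectsOutOfRangePercent() {
        try {
            OrderTotals.applyDiscount(200, 150);
            System.assert(false, 'Expected DiscountException for percent > 100');
        } catch (OrderTotals.DiscountException e) {
            System.assert(e.getMessage().contains('percent'),
                'Message should name the rejected argument');
        }
    }
}
```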

Atif Mohammed

I am using many custom buttons in my app, which I am calling through JavaScript like

{!REQUIRESCRIPT("/soap/ajax/10.0/connection.js")} 
{!REQUIRESCRIPT("/soap/ajax/10.0/apex.js")} 
var orderId = sforce.apex.execute("GenerateOrderPDF","attachToOrder", {parentId:"{!Order__c.Id}"}); 
window.location.href="/{!Order__c.Id}"

 

And the buttons which use a URL as the Content Source, like:

"https://c.ap1.visual.force.com/apex/Serviceorderbilling?id={!Service_Requests__c.Id}"

 

Do these two create any security flaw for getting through the security review process?

sfdcfox

Test methods with no asserts are considered a violation of Security Review Best Practices. However, they will not warrant your application being flagged for failure simply because you do not meet this best practice. Asserts are in your own products' best interest, and while Checkmarx and the Security Review team frown upon not using asserts, you will still pass assuming you do not have any SOQL injections and/or XSS attack vectors.

 

Your custom buttons that use relative URLs are considered appropriate use of the Web Services API, and will not be flagged for failure so long as you do not use sforce.connection.login() with credentials (but a Session ID is okay if it is generated by $Api.Session_ID). You should never use a hard-coded URL. Instead, use a relative link, such as "/apex/ServiceOrderBilling?Id={!Service_Requests__c.Id}". There are no security concerns in regards to this type of link, unless that link calls an action function or constructor that may perform a DML as soon as the page is loaded.