Shirin

Security review Issue

We have developed a Force.com application. It is completely on Force.com, with no integration with other applications. We are using VF pages, JavaScript and jQuery to build a different UI. When we ran the Checkmarx scanner we did not get any errors, but during the security review the SFDC team responded to us with a few FLS errors.


Our team has fixed these, but does anybody know how to identify such errors, using a specific scanner or otherwise, so that we can check whether there are any more FLS errors?


Thanks. Looking forward to your reply.

admintrmp

This is something you have to manually check over. Unfortunately Checkmarx cannot find every issue in your application, which is why they have a manual review. Make sure to look over your application completely to rectify any security issues and then submit your application again with a new Checkmarx report.

ygluck

When submitting a scan via the portal (security.force.com) it allows you to select the set of issues/vulnerabilities it will scan for. In the "Scan Profile" field, select "Beta Rules (+CRUD/FLS)" to search for FLS vulnerabilities.


P.S. Keep in mind that this profile will not include some of the other critical vulnerabilities such as XSS and CSRF. So if you are looking for CRUD/FLS vulnerabilities you probably want to run your scan twice. Once with "All Rules" and once with "Beta Rules (+CRUD/FLS)".


Yoel Gluck

Product Security Team @ Salesforce.com
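To make the "manually check over" advice concrete, here is an added Apex illustration (not code from this thread or from the poster's application) of the pattern the CRUD/FLS review flags, beside the same method with field-level checks in place. The class name, object and fields are hypothetical; the describe and `Security.stripInaccessible` calls are standard Apex.

```apex
// Added illustration: a controller method as the security review would flag it,
// beside the same method with CRUD/FLS checks. Class and fields are hypothetical.
public with sharing class ContactExportController {

    // Unchecked form: reads Email and Description without verifying that the running
    // user has field-level access. This is the kind of method a default scan may pass
    // while the manual review (or the CRUD/FLS scan profile) reports it.
    public static List<Contact> readContactsUnchecked() {
        return [SELECT Id, Email, Description FROM Contact LIMIT 100];
    }

    // Checked form: describe-based FLS checks on every field before the query,
    // then stripInaccessible() as a second layer so that any field the user cannot
    // read is removed from the result instead of being exposed to the VF page.
    public static List<Contact> readContactsChecked() {
        Map<String, Schema.SObjectField> fieldMap =
            Contact.sObjectType.getDescribe().fields.getMap();
        for (String f : new List<String>{ 'Email', 'Description' }) {
            // keys of fields.getMap() are lowercase API names
            if (!fieldMap.get(f.toLowerCase()).getDescribe().isAccessible()) {
                throw new System.NoAccessException();
            }
        }
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.READABLE,
            [SELECT Id, Email, Description FROM Contact LIMIT 100]);
        return (List<Contact>) decision.getRecords();
    }

    // Write side: the object-level (CRUD) check alone is not enough; the field
    // being written must also be updateable for the running user.
    public static void updateDescriptionChecked(Contact c, String newText) {
        if (!Schema.sObjectType.Contact.isUpdateable() ||
            !Schema.sObjectType.Contact.fields.Description.isUpdateable()) {
            throw new System.NoAccessException();
        }
        c.Description = newText;
        update c;
    }
}
```

When reviewing by hand, search every SOQL query and DML statement in the org for the unchecked shape and confirm a describe check or stripInaccessible() call guards each field it touches.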