Apex PMD: Problem: Validate CRUD permission before SOQL/DML operation

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
2
down vote

favorite












Background



I am using the Apex PMD plugin for VS Code and it's giving me this problem:




Validate CRUD permission before SOQL/DML operation




For this line of code:



insert contentVersion;


Which is part of this method:



private void attachReport(Id recordId) 

ContentVersion contentVersion = new ContentVersion(
versionData = Blob.valueOf(buffer.toStr()),
title = 'Import Report',
pathOnClient = StringUtils.format('/Import-Report-0.txt', DateTime.now().getTime()),
FirstPublishLocationId = recordId);

insert contentVersion;



Questions



  1. Why am I getting the problem?

  2. What should I do to not get the problem?


Reference



  1. Github: VS Code Apex PMD

  2. PMD Project









share|improve this question



















  • 1




    prior to that line of code are you checking that the running user has permission to create that type of record? (i.e. Schema.sObjectType.Contact.isCreatable())
    – Mark Pond
    5 hours ago











  • @MarkPond I've added additional code. As you can now see, I am not running that line of code. Should I always be doing this?
    – Robs
    5 hours ago
















up vote
2
down vote

favorite












Background



I am using the Apex PMD plugin for VS Code and it's giving me this problem:




Validate CRUD permission before SOQL/DML operation




For this line of code:



insert contentVersion;


Which is part of this method:



private void attachReport(Id recordId) 

ContentVersion contentVersion = new ContentVersion(
versionData = Blob.valueOf(buffer.toStr()),
title = 'Import Report',
pathOnClient = StringUtils.format('/Import-Report-0.txt', DateTime.now().getTime()),
FirstPublishLocationId = recordId);

insert contentVersion;



Questions



  1. Why am I getting the problem?

  2. What should I do to not get the problem?


Reference



  1. Github: VS Code Apex PMD

  2. PMD Project









share|improve this question



















  • 1




    prior to that line of code are you checking that the running user has permission to create that type of record? (i.e. Schema.sObjectType.Contact.isCreatable())
    – Mark Pond
    5 hours ago











  • @MarkPond I've added additional code. As you can now see, I am not running that line of code. Should I always be doing this?
    – Robs
    5 hours ago












up vote
2
down vote

favorite









up vote
2
down vote

favorite











Background



I am using the Apex PMD plugin for VS Code and it's giving me this problem:




Validate CRUD permission before SOQL/DML operation




For this line of code:



insert contentVersion;


Which is part of this method:



private void attachReport(Id recordId) 

ContentVersion contentVersion = new ContentVersion(
versionData = Blob.valueOf(buffer.toStr()),
title = 'Import Report',
pathOnClient = StringUtils.format('/Import-Report-0.txt', DateTime.now().getTime()),
FirstPublishLocationId = recordId);

insert contentVersion;



Questions



  1. Why am I getting the problem?

  2. What should I do to not get the problem?


Reference



  1. Github: VS Code Apex PMD

  2. PMD Project









share|improve this question















Background



I am using the Apex PMD plugin for VS Code and it's giving me this problem:




Validate CRUD permission before SOQL/DML operation




For this line of code:



insert contentVersion;


Which is part of this method:



private void attachReport(Id recordId) 

ContentVersion contentVersion = new ContentVersion(
versionData = Blob.valueOf(buffer.toStr()),
title = 'Import Report',
pathOnClient = StringUtils.format('/Import-Report-0.txt', DateTime.now().getTime()),
FirstPublishLocationId = recordId);

insert contentVersion;



Questions



  1. Why am I getting the problem?

  2. What should I do to not get the problem?


Reference



  1. Github: VS Code Apex PMD

  2. PMD Project






apex visualstudiocode pmd static-code-analysis






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 5 hours ago

























asked 5 hours ago









Robs

1,196323




1,196323







  • 1




    prior to that line of code are you checking that the running user has permission to create that type of record? (i.e. Schema.sObjectType.Contact.isCreatable())
    – Mark Pond
    5 hours ago











  • @MarkPond I've added additional code. As you can now see, I am not running that line of code. Should I always be doing this?
    – Robs
    5 hours ago












  • 1




    prior to that line of code are you checking that the running user has permission to create that type of record? (i.e. Schema.sObjectType.Contact.isCreatable())
    – Mark Pond
    5 hours ago











  • @MarkPond I've added additional code. As you can now see, I am not running that line of code. Should I always be doing this?
    – Robs
    5 hours ago







1




1




prior to that line of code are you checking that the running user has permission to create that type of record? (i.e. Schema.sObjectType.Contact.isCreatable())
– Mark Pond
5 hours ago





prior to that line of code are you checking that the running user has permission to create that type of record? (i.e. Schema.sObjectType.Contact.isCreatable())
– Mark Pond
5 hours ago













@MarkPond I've added additional code. As you can now see, I am not running that line of code. Should I always be doing this?
– Robs
5 hours ago




@MarkPond I've added additional code. As you can now see, I am not running that line of code. Should I always be doing this?
– Robs
5 hours ago










1 Answer
1






active

oldest

votes

















up vote
3
down vote













PMD's Apex ruleset is checking to see that you are enforcing/respecting security in your code.



ISV's Managed packages released to the AppExchange must do this as mandatory criteria in the security review process. The spirit of the requirement is to honor the access control configuration choices that org admins make within ISV application offerings. If an admin explicitly restricts access control for sharing/CRUD/FLS then ISV offerings should respect that.



Theoretically, you should be able to remove this rule from the VS Code PMD ruleset (or build a custom ruleset xml which doesn't include it), if you don't want to be warned about a concern that may not apply to your application's situation.



Looks like the VS Code PMD plugin allows for a custom ruleset. You could take this one here and customize it, removing the rules which are not important to you such as this one:



<rule ref="category/apex/security.xml/ApexCRUDViolation" 
message="Validate CRUD permission before SOQL/DML operation">


https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/resources/rulesets/apex/ruleset.xml



Related:



https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_perms_enforcing.htm



https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_authorization_access_control.htm



https://trailhead.salesforce.com/en/modules/data-leak-prevention/units/prevent-crud-and-fls-violations






share|improve this answer






















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "459"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f233319%2fapex-pmd-problem-validate-crud-permission-before-soql-dml-operation%23new-answer', 'question_page');

    );

    Post as a guest






























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    3
    down vote













    PMD's Apex ruleset is checking to see that you are enforcing/respecting security in your code.



    ISV's Managed packages released to the AppExchange must do this as mandatory criteria in the security review process. The spirit of the requirement is to honor the access control configuration choices that org admins make within ISV application offerings. If an admin explicitly restricts access control for sharing/CRUD/FLS then ISV offerings should respect that.



    Theoretically, you should be able to remove this rule from the VS Code PMD ruleset (or build a custom ruleset xml which doesn't include it), if you don't want to be warned about a concern that may not apply to your application's situation.



    Looks like the VS Code PMD plugin allows for a custom ruleset. You could take this one here and customize it, removing the rules which are not important to you such as this one:



    <rule ref="category/apex/security.xml/ApexCRUDViolation" 
    message="Validate CRUD permission before SOQL/DML operation">


    https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/resources/rulesets/apex/ruleset.xml



    Related:



    https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_perms_enforcing.htm



    https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_authorization_access_control.htm



    https://trailhead.salesforce.com/en/modules/data-leak-prevention/units/prevent-crud-and-fls-violations






    share|improve this answer


























      up vote
      3
      down vote













      PMD's Apex ruleset is checking to see that you are enforcing/respecting security in your code.



      ISV's Managed packages released to the AppExchange must do this as mandatory criteria in the security review process. The spirit of the requirement is to honor the access control configuration choices that org admins make within ISV application offerings. If an admin explicitly restricts access control for sharing/CRUD/FLS then ISV offerings should respect that.



      Theoretically, you should be able to remove this rule from the VS Code PMD ruleset (or build a custom ruleset xml which doesn't include it), if you don't want to be warned about a concern that may not apply to your application's situation.



      Looks like the VS Code PMD plugin allows for a custom ruleset. You could take this one here and customize it, removing the rules which are not important to you such as this one:



      <rule ref="category/apex/security.xml/ApexCRUDViolation" 
      message="Validate CRUD permission before SOQL/DML operation">


      https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/resources/rulesets/apex/ruleset.xml



      Related:



      https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_perms_enforcing.htm



      https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_authorization_access_control.htm



      https://trailhead.salesforce.com/en/modules/data-leak-prevention/units/prevent-crud-and-fls-violations






      share|improve this answer
























        up vote
        3
        down vote










        up vote
        3
        down vote









        PMD's Apex ruleset is checking to see that you are enforcing/respecting security in your code.



        ISV's Managed packages released to the AppExchange must do this as mandatory criteria in the security review process. The spirit of the requirement is to honor the access control configuration choices that org admins make within ISV application offerings. If an admin explicitly restricts access control for sharing/CRUD/FLS then ISV offerings should respect that.



        Theoretically, you should be able to remove this rule from the VS Code PMD ruleset (or build a custom ruleset xml which doesn't include it), if you don't want to be warned about a concern that may not apply to your application's situation.



        Looks like the VS Code PMD plugin allows for a custom ruleset. You could take this one here and customize it, removing the rules which are not important to you such as this one:



        <rule ref="category/apex/security.xml/ApexCRUDViolation" 
        message="Validate CRUD permission before SOQL/DML operation">


        https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/resources/rulesets/apex/ruleset.xml



        Related:



        https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_perms_enforcing.htm



        https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_authorization_access_control.htm



        https://trailhead.salesforce.com/en/modules/data-leak-prevention/units/prevent-crud-and-fls-violations






        share|improve this answer














        PMD's Apex ruleset is checking to see that you are enforcing/respecting security in your code.



        ISV's Managed packages released to the AppExchange must do this as mandatory criteria in the security review process. The spirit of the requirement is to honor the access control configuration choices that org admins make within ISV application offerings. If an admin explicitly restricts access control for sharing/CRUD/FLS then ISV offerings should respect that.



        Theoretically, you should be able to remove this rule from the VS Code PMD ruleset (or build a custom ruleset xml which doesn't include it), if you don't want to be warned about a concern that may not apply to your application's situation.



        Looks like the VS Code PMD plugin allows for a custom ruleset. You could take this one here and customize it, removing the rules which are not important to you such as this one:



        <rule ref="category/apex/security.xml/ApexCRUDViolation" 
        message="Validate CRUD permission before SOQL/DML operation">


        https://github.com/pmd/pmd/blob/master/pmd-apex/src/main/resources/rulesets/apex/ruleset.xml



        Related:



        https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_classes_perms_enforcing.htm



        https://developer.salesforce.com/docs/atlas.en-us.secure_coding_guide.meta/secure_coding_guide/secure_coding_authorization_access_control.htm



        https://trailhead.salesforce.com/en/modules/data-leak-prevention/units/prevent-crud-and-fls-violations







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited 4 hours ago

























        answered 4 hours ago









        Mark Pond

        17.8k13083




        17.8k13083



























             

            draft saved


            draft discarded















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsalesforce.stackexchange.com%2fquestions%2f233319%2fapex-pmd-problem-validate-crud-permission-before-soql-dml-operation%23new-answer', 'question_page');

            );

            Post as a guest













































































            Comments

            Popular posts from this blog

            Long meetings (6-7 hours a day): Being “babysat” by supervisor

            What does second last employer means? [closed]

            One-line joke