Salesforce.com Inc. is a global cloud computing company headquartered in San Francisco, California. Salesforce.com is best known for its customer relationship management (CRM) products such as Sales Cloud, Service Cloud, Chatter and the Salesforce1 platform. These days companies use it to streamline their sales or service processes. Implementing Salesforce sometimes requires writing Apex and Visualforce code. In this article I will discuss how a customer, project manager, administrator or developer can make sure that the code written for them follows the Apex coding standard and avoids security vulnerabilities. This article will also help Salesforce ISV partners ensure that the app they are developing for AppExchange passes the security review on the first attempt. Below are a few ways to review or scan the code:
- Peer review
- Hire a technical expert for code review
- Use an automated tool like Checkmarx
Now follow the instructions below to use Checkmarx.
Create Checkmarx account
It's very easy to create a Checkmarx account: open the link https://www.cxcloud.com/CxSaasPortal/Login.aspx?logout=true in your browser and then click on the Signup link as shown in the following screenshot.
To learn more about enterprise use and pricing, contact a Checkmarx sales representative.
How to use Checkmarx?
To use this app, follow the instructions below:
- Click on the Create New Project button as shown in the following screenshot.
- It will redirect you to a new window where you enter the new project details (such as Name and Scan Type) and click on the Next button.
- On the next screen you get the option to select your source code origin. In this demo I will upload the code as a zip file and click on Next, as shown in the following screenshot.
Note: the zip file contains nothing but the code that you want to scan.
- On the next screen select the zip file and click on the Scan button to start the scan process.
- As soon as the scan completes, click on the View Results link to view the details, as shown in the following screenshot.
- On the detailed results page you get a button to open the code viewer (Open Code Viewer), as well as options to delete the scan details and to export. Under the Scan Details section you will also see the number of risks found (8 in this example) along with other details such as start date, end date and scan risk.
- Click on the Export Report link and select PDF Full to download the results in PDF format, so you can share the detailed results with your developers, customers and others.
- The PDF contains a detailed description of each vulnerability.
This tool is user friendly and easy to use. If you are a project manager or system administrator and someone asks you to review code, don't get tense, use this tool #Adminrock 🙂
You can also use the "Force.com Security Source Code Scanner" tool powered by Checkmarx; it's a free web-based tool. It requires only a Salesforce username (the user must have the Author Apex permission and the organization must contain fewer than 500,000 lines of code). For the same source organization/username, scans are automatically rejected if a scan request was submitted in the last 2 hours or there is an outstanding scan request in the queue. For automated scan submissions, please do not scan the same organization more than twice per week. If you want to run your own scanner, contact Checkmarx to purchase a license.