Salesforce Appexchange Checkmarx Major Issues

Every Organization that creates it’s own App faces this huge challenge of getting the clearance from Salesforce Security Review. After completing the checkmarx clearances we submi the app for a final Security Review to Salesforce. This is the step where your app is human tested in testing org as well as in packaging org. This rigorous testing is mostly on the app security and functinality. I have seen several apps not passing this final Salesforce Security review and that too multiple times. Several of my last projects in 2016 have been just to do a line by line code review of the entire app and suggest changes before submitting for final review. Since a final review takes atleast 4-6 weeks most of the intelligent clients strategize this properly and get the code review and indepth analysis done with Salesforce wizards or experts. Now, in this blog I will explain some of the major issues and their solutions which are found in the Salesforce Security Review.

Following are the list of major issues found in the app:

1.SOQL SOSL Injection


3.Stored  XSS

4.Reflected XSS



These four are the major as well as the common issues found in the app.

I am sure you guys also must have come across these issues if you have worked on the Salesforce app. Now we will discuss one by one about these issues in detail. I will explain you the reason for the occurence of these issues as well as the possible solutions which could help you in overcoming these issues.

SOQL and SOSLSOQL and  SOSL Injection

So the first major issue that is faced by the developers for developing any Salesforce App is  SOQL SOSL Injection.

Reason For Occurrence:

The SOQL SOSL Injection issue occurs when there is need for the user supplied input and if this input is being used for the dynamic SOQL query. In such a scenario what happens is if a user provides an unexcepected value which is not validated then it could change the meaning of whole query.

Example: String Str= ‘SELECT Id, Name, Employee__c FROM Contact  WHERE  Employee__c= +StrList’


Now In this kind of query where special characters are used for fetching data the meaning of whole query changes.

solutionSOLUTION: To remove the SOQL-SOSL Injection error from our code. We have to use the String.EscapeSingleQuotes()  method in the dynamic query wherever an user input has been provided in the query.

Now we will use the String.EscapeSingleQuotes() method for correcting the above query So that it does not throw the SOQL-SOSL injection Error.


3d human with a red question mark


CRUD issues occurs in Salesforce when we are trying  to insert, update, or delete the records without validating whether the user has access to records or not. If we do not use the isAccessible check while performing CRUD operations in Apex then we will get the CRUD related errors from Salesforce Security review.

solutionSolution: We need to apply the isAccessible check before Inserting, Updating or Deleting any record for validating the permission level of these records. There are different  ways of checking the permission level for Updating, Inserting and Deletion of records.

Following are the ways of writing different types of validation for CRUD Type Issues:

Updation Check:  update (1)




Code for Updating the Record;


create (1)Creation Check:



Code for Creating the new Record;


remove (1)Deletion Check:



Code for Deleting the Record;


access1Accessible Check:



Code for querying the Account__c Field From Lead;



Cross Site Scripting(XSS): Cross Site Scripting errors occur when the user inserts the malicious Javascript or Html Code into the web page. This malicious script can help the user in stealing the confidential information. Therefore It is a breach of security for Salesforce. Hence we get these  Scripting errors.

solutionSolution: For removing the Scripting Errors We will have to perform Encoding wherever the user uses Javascript or Html Code. There are different types of encoding that we use for Javascript and HTML Code.

JSONCODE : It is used for Encoding String within a Javascript Context.




document.getElementById(‘{!$Component.monthclosedate}’).disabled=Boolean(‘{!JSONCODE(IF(m.is_Disable,”true”, “false”))}”);


HTML ENCODING : It is used for Encoding the HTML characters So that the interpretation of characters does not change.



<apex:inputtext value=”{!MyTextValues}”/>

The above function might throw an Scripting since it will be taking user input as value. To prevent the above code from getting the Scripting error we will have to encode the above method with HTML formatting.



<apex:inputtext value= “{!HTMLENCODE(MyTextValues)}”/>

Author: AJ

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *

× How can I help you?