CheckMarx FLS Violations for Dynamic SObjects in Apex?


On February 23, 2025, posted in Apex, Salesforce Technical Questions.

Question:

In Salesforce Apex, handling objects dynamically using the generic SObject type allows for flexible and reusable code that can work across different Salesforce objects. However, this dynamic approach creates challenges for static code analysis tools like CheckMarx and PMD.

For example, consider the following code snippet where QuoteLineItem records are dynamically handled:

// Records are handled as generic SObjects so the same code can serve any object
List<SObject> quoteLineItemsToUpdate = new List<SObject>();

// Resolve the object type at runtime from its API name
Schema.SObjectType qliObjectType = Schema.getGlobalDescribe().get('QuoteLineItem');
Schema.DescribeSObjectResult qliDescribe = qliObjectType.getDescribe();

// Object-level CRUD check for the running user before the dynamic DML
if (qliDescribe.isAccessible() && qliDescribe.isUpdateable()) {
    update quoteLineItemsToUpdate;
}

Even though explicit Field-Level Security (FLS) and CRUD checks are performed before the update operation, CheckMarx and PMD still flag this as a security violation. The reason seems to be that these tools rely on static analysis, which does not recognize FLS checks on dynamically referenced objects and fields.

I am facing similar FLS violations across multiple objects in my source code. Should I consider these as real security issues or false positives? What are the best ways to handle or document such findings?

Answer:

If you are correctly performing both object-level (isAccessible(), isUpdateable()) and field-level security checks before executing dynamic DML or SOQL queries, then these violations reported by CheckMarx and PMD are false positives. Static code analysis tools struggle with dynamic object and field access because they expect hardcoded references at compile time.


To ensure proper security compliance, you can enhance your approach by using Security.stripInaccessible, which enforces field-level security dynamically:

Schema.DescribeSObjectResult qliDescribe = Schema.getGlobalDescribe().get('QuoteLineItem').getDescribe();

// Object-level CRUD check, then field-level sanitisation of the records
if (qliDescribe.isAccessible() && qliDescribe.isUpdateable()) {
    // The enum value is AccessType.UPDATABLE; getRecords() returns the records
    // with every field the user cannot update removed
    quoteLineItemsToUpdate = Security.stripInaccessible(AccessType.UPDATABLE, quoteLineItemsToUpdate).getRecords();
    update quoteLineItemsToUpdate;
}

Explanation: This code first retrieves the schema description of the QuoteLineItem object and checks if it is accessible and updateable. If both conditions are met, it applies Security.stripInaccessible(AccessType.UPDATABLE, quoteLineItemsToUpdate) to remove any fields the user does not have update access to. Finally, the sanitized records are updated, ensuring compliance with field-level security (FLS) before performing the DML operation.

If the necessary security checks are in place, you can document these violations as false positives in your security reports. One approach is to add comments in your code explaining that dynamic FLS checks are correctly implemented. If the tool allows exemptions, you can configure CheckMarx or PMD to mark these findings as false positives. Another option is to maintain a separate document listing known false positives for audit purposes, though this can be tedious. Additionally, testing the same logic with static object references may help confirm that the issue is purely a limitation of the analysis tool.
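The pattern above, generalised into one reusable helper for any object API name. This is an added example, not code from the original answer: the class, its method and the `failOnStrippedFields` flag are hypothetical names, and it uses `SObjectAccessDecision.getRemovedFields()` so that a stripped field is reported rather than silently dropped before the update.

```apex
public with sharing class DynamicDmlSecurity {

    public class AccessCheckException extends Exception {}

    // Hypothetical helper (not from the original post): object-level CRUD check,
    // then field-level sanitisation, before a dynamic update of generic SObjects.
    // With failOnStrippedFields = true, a record that would lose a field is
    // rejected instead of being updated with that field quietly removed.
    public static List<SObject> secureUpdate(String objectApiName,
                                             List<SObject> records,
                                             Boolean failOnStrippedFields) {
        if (records == null || records.isEmpty()) {
            return records;
        }
        Schema.SObjectType objType = Schema.getGlobalDescribe().get(objectApiName);
        if (objType == null) {
            throw new AccessCheckException('Unknown SObject type: ' + objectApiName);
        }
        // Object-level CRUD: the running user must be able to read and update the object
        Schema.DescribeSObjectResult objDescribe = objType.getDescribe();
        if (!objDescribe.isAccessible() || !objDescribe.isUpdateable()) {
            throw new AccessCheckException('No update access on ' + objectApiName);
        }
        // Every record must actually be of the requested type, otherwise the
        // describe result checked above says nothing about it
        for (SObject rec : records) {
            if (rec.getSObjectType() != objType) {
                throw new AccessCheckException('Record is not a ' + objectApiName);
            }
        }
        // Field-level security: stripInaccessible removes fields the user cannot
        // update and reports them per object, so the caller can decide whether a
        // partial update is acceptable
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.UPDATABLE, records);
        Map<String, Set<String>> removed = decision.getRemovedFields();
        if (failOnStrippedFields && !removed.isEmpty()) {
            throw new AccessCheckException('Fields not updateable: ' + removed);
        }
        List<SObject> sanitized = decision.getRecords();
        update sanitized;
        return sanitized;
    }
}
```

Calling `DynamicDmlSecurity.secureUpdate('QuoteLineItem', quoteLineItemsToUpdate, true)` replaces the inline check in the answer; the thrown message names the object and fields that failed, which is also what a reviewer needs when marking a CheckMarx or PMD finding as a false positive.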
