Khai's personal knowledge vault.

// Salesforce - Developer - Security - Checkmarx (Security Code Scanner):

Checkmarx is a Force.com source code analysis tool. The tool consumes your code 
and builds a tree that represents every possible code flow in the application.  
A set of rules is then applied to the parsed flow in order to detect possible 
quality and security issues.

An example of this functionality is the way in which Checkmarx searches for 
cross-site scripting vulnerabilities. The scanner will look for user controlled 
input, like in a URL parameter, that is reflected back to a VisualForce page 
without being properly encoded. If such a flow is detected, the tool reports 
that the codebase is vulnerable to cross-site scripting and lists the chain of 
function calls starting with the tainted data (source) and ending with the 
vulnerable rendering on the page (sink).

Salesforce.com has made a free version of the Checkmarx, referred to as the 
Force.com Security Source Scanner available to developers, for free, to assist 
in the development of trusted applications. It is highly recommended that all 
developers take advantage of this resource to improve their code with minimal 
time commitment!

To be elligible to use the free version of Checkmarx, your org must meet the 
following requirements:

1. Your org must contain less than 500,000 lines of code (excluding static 
   resources and packages which are not scanned).

2. You must have access to the email address associated to the username you 
   provide to the tool.

3. Your org must have the metadata api enabled.

4. You must have the "Author Apex" permission enabled for the username you 
   provide to the tool.

You can access the Force.com Security Source Scanner at the following URL: 
http://security.force.com/security/tools/forcecom/scanner

Submitting a job to the Force.com Security Source Scanner version of Checkmarx 
is fast and simple. Just visit the following URL and provide the Salesforce 
username for the org you wish to scan, and choose the rule set you wish to 
employ: http://security.force.com/security/tools/forcecom/scanner

Since the scanner is a free resource available to everyone, it works on a 
queueing system that prioritizes smaller jobs over larger jobs. A small job 
can take a couple of hours, a large job will usually take a day, and extremelely 
large jobs can take several days. To keep the system available for all to use 
in a reasonable time period, each organization is limited to 3 scans per month.

When submitting a job, you are given a list of rule sets to choose from. Below 
we have included the different rule sets and the kind of searches they employ: 

1. Security Profile

   a. Cross Site Scripting
   b. SOQL Injection
   c. SOSL Injection
   d. Frame Spoofing
   d. Access Control Issues

2. Quality Profile

   a. DML statements inside loops
   b. SOQL/SOSL inside loops
   c. Hardcoding Trigger.new[0]
   d. Hardcoding Trigger.old[0]
   e. Queries with no Where clause or no LIMIT clause
   f. Not bulkifying apex methods
   g. Async (@future) methods inside loops
   h. Hardcoding IDs
   i. Multiple triggers on same object
   j. Static Resource referencing

3. Salesforce1 Security Profile (Beta)
   Designed for applications with lots of client side javaScript:
   a. DOM-based Cross Site Scripting
   b. Sharing Violations
   c. SOQL/SOSL injection
   d. Reflected and Stored Cross Site Scripting

When the scanner completes, the email address associated with the username 
submitted to the scanner will receive an email with (up to) two attachments: 
A PDF report of all the issues identified together and an xml file in which the 
same information is provided in a structured format. If no attachments are sent, 
no issues were found by the scanner.

1. Go to /apex/Checkmarx_Demo in the Security Tools tab and download the 
   Checkmarx Report for this training org. 

2. Let's walk through the issues found by Checkmarx source code analysis in 
   this org.  

   Checkmarx sees an instance of outputText with escape = "false". It traces 
   down the function where the value is coming from. In the getWelcomeMessage() 
   function, there is no escaping being performed in Apex as well. Thus, this is 
   correctly marked as a Reflected XSS isuue.  

   There is almost the same code in the fixed XSS demo. But in that case, once 
   it gets to the getSecureWelcomeMessage() function, it sees that there is an 
   encoding function being called on the message before sending it to the UI, 
   and thus it is not marked as vulnerable. 

   In this case, the probability and numerical variables being used to construct 
   the SOQL query are coming from user input on the page without being escaped. 
   Thus, it is marked as a SOQL injection vulnerability by Checkmarx. 

Checkmarx does not currently possess the ability to detect insecure secret 
storage, open redirect, and missing FLS checks.