New Apex Security Hotspots
- Deserializing JSON Is Security-Sensitive
- Deserializing an object from an untrusted source is security-sensitive. An attacker could modify the content of the data.
- Encrypting Data Is Security-Sensitive
- Encrypting data is security-sensitive. Although most encryption problems are solved or managed by Salesforce, care must be taken when relying on encryption.
- Type Reflection Is Security Sensitive
- Dynamically executing code is security-sensitive. If the code comes from an untrusted source, the untrusted source may be able to choose which code to run.
- Using Cookies Is Security-Sensitive
- Attackers can use widely-available tools to view the cookie and read the sensitive information. Even if the information is encoded in a way that is not human-readable, certain techniques could determine which encoding is being used, then decode the information.
- Using UserInfo.GetSessionId() Is Security-Sensitive
- The use of UserInfo.GetSessionId() is security-sensitive. Ensure that you need to do this.
New Visualforce Security Hotspots
- Using GETSESSIONID() and $API.Session_Id is security-sensitive
- The use of GETSESSIONID() and $API.Session_Id is security-sensitive. Ensure that you need to do this.
- Sonarqube Ant task has been updated to 220.127.116.11
- SOQL Injection Rule updated and improved.(v4.3.11)
- Open Redirect Rule updated and improved. (v4.3.11, v4.3.12)
- Bug fixed in RightLineBracesPositions rule.
- Bug fixed in Field Level Security Vulnerabilities rule. (v4.3.10)
- Bug fixed in Preserve Stack Trace Rule (v4.3.12)
- Bug fixed in Unescaped Source Rule (v4.3.12)
- Removed Unescaped Source rule from default Apex profile (v4.3.12)
CodeScan for Lightning- Release notes