Deserializing an object from an untrusted source is security-sensitive. An attacker could modify the content of the data.
Encrypting Data Is Security-Sensitive
Encrypting data is security-sensitive. Although most encryption problems are solved or managed by Salesforce, care must be taken when relying on encryption.
Type Reflection Is Security-Sensitive
Dynamically executing code is security-sensitive. If the code comes from an untrusted source, the untrusted source may be able to choose which code to run.
Using Cookies Is Security-Sensitive
Attackers can use widely available tools to view the cookie and read the sensitive information. Even if the information is encoded in a way that is not human-readable, certain techniques can determine which encoding is being used and then decode the information.
Using UserInfo.GetSessionId() Is Security-Sensitive
The use of UserInfo.GetSessionId() is security-sensitive. Ensure that you need to do this.
New Visualforce Security Hotspots
Using GETSESSIONID() and $API.Session_Id Is Security-Sensitive
The use of GETSESSIONID() and $API.Session_Id is security-sensitive. Ensure that you need to do this.
SonarQube Ant task has been updated to 188.8.131.52
SOQL Injection Rule updated and improved. (v4.3.11)
Open Redirect Rule updated and improved. (v4.3.11, v4.3.12)
Bug fixed in RightLineBracesPositions rule.
Bug fixed in Field Level Security Vulnerabilities rule. (v4.3.10)
Bug fixed in Preserve Stack Trace Rule (v4.3.12)
Bug fixed in Unescaped Source Rule (v4.3.12)
Removed Unescaped Source rule from default Apex profile (v4.3.12)
CodeScan for Lightning - Release notes