Checkmarx | search
Click here to view Checkmarx news from 60+ newspapers.
Bookmark or Share- security - How Checkmarx works - Salesforce Stack ExchangeSalesforce has a license to run Checkmarx scanners on premise in order to scan third party code. The code never leaves Salesforce -- it is pulled from the organization in which your code resides to the Checkmarx instances running on our servers. We manage these instances, but it is a Checkmarx scanner engine underneath.
- checkmarx - Source Scanner Cross Site Request Forgery (XSRF) spanning ...And often times Checkmarx will report both the intended flow and the vulnerable flow as two different paths. Therefore the short answer is that yes, this flow is a false positive, but you are still vulnerable because of another flow. Hope that makes sense. If you have more questions, please book an office hour with the security team.
- checkmarx - Reflected XSS problem - Salesforce Stack ExchangeCheckmarx is flagging these lines as Reflected XSS,Lately I have been doing a lot of research on this but couldn't solve this one can someone point me as to why these are major security threats?
- Checkmarx and JSON.serialize - Salesforce Stack ExchangeCheckmarx recommends using JSENCODE, HTMLENCODE, URLENCODE etc to fix the vulnerability and shut the scanner up. My question: really? I think it's a false positive. In what situation JSON.serialize would fail to properly escape quotes and / or html tags?
- Checkmarx Security Scanner FLS Issues - Salesforce Stack ExchangeCheckmarx does actually have a limit (500 or there abouts) for any one of the types of security issue that it will find (we know this because we have 1000s of CRUD/FLS false positives). Checkmarx cannot detect CRUD/FLS enforcement that is done earlier in a code flow but via a separate method call (hence our 1000s of false positives) but it does ...
More
