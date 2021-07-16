Static analysis is one of the practices used to build quality software: source code and other artifacts are examined without being executed. For Salesforce that means analyzing Apex classes and triggers, Visualforce pages, Lightning components and the other sources that make up an org.

Analysis tools can examine both the code and its comments. On the code side they report measures such as code coverage, complexity and duplication; on the comment side they check things like documentation comments and block comments. Together these results tell you about the quality of the code and how it came to be written the way it is.

The same results can drive improvement: they show where code (and comments) should be refactored or otherwise changed. They can also be compared between versions of the same artifact, between artifacts from different projects, or across teams within an organization over time.

Static code analyzer for Salesforce

A good static code analyzer works like a spell checker for your source code. It scans the components in your system and flags those that might violate coding standards or contain security vulnerabilities. The scan produces a report of where the problems are, which you can then drill down into to find the exact source of each one.

You then fix the problem, compile again and rerun the same analysis to verify whether anything remains. The Salesforce platform has evolved over time, from plain Apex to complex Lightning components, Visualforce pages and JavaScript, and as the code grows more complex, static analysis of every part of it becomes necessary.

Code scanning tools find problems that are hard to spot by reading, and they detect security vulnerabilities in Apex, Visualforce and Lightning code. They catch errors in the Salesforce code base before runtime or during testing. Salesforce best practices strongly recommend running static analysis for every developer and on every CI (Continuous Integration) build.

Code scanners can run as part of automated testing or on their own to provide error detection for Apex, Visualforce and Lightning code. They help identify problems such as duplicated code, resource leaks and dead code at the source level, before your application is deployed.

Static analysis tools to analyze

* Apex
* Visualforce
* Lightning
* JavaScript
* HTML5

Static code analysis tools have come a long way in the past few years. The first tool I used was ‘HQ’. It wasn’t very user-friendly and took a lot of effort to get the command line interface right for each file that needed scanning. Then came Binary Ninja.

Binary Ninja is one of the most advanced static binary analysis (SBA) platforms available, giving insight into compiled code through disassembly, its intermediate languages and decompilation. Note that it works on compiled binaries, not on Apex or Visualforce source, so it belongs to a different category from the source-level analyzers this article is about. You will be amazed by what it can do once you take the time to learn it.

There are many tools out there, some free and some paid, and you can choose whichever suits your needs best. It is important to note, however, that not all code scanners are created equal: some provide more information, while others lack the depth required to analyze Salesforce code with real precision.

Whatever your choice may be, this article focuses on two static code analysis (SCA) tools and why they should be the first choice when developing Apex and Visualforce inside Salesforce: * SonarCloud by SonarSource (paid version) * Codelye by Codelye (free version). Salesforce applications are used through a web browser, so everything your Visualforce pages and Lightning components render must be valid HTML5 markup; Apex itself runs on the server, so the checks that apply to it are of a different kind.

However, you can’t rely on the compiler to make sure that all of your components are clean and comply with current standards. It will only tell you that something is wrong, not what or how to fix it. For example, we have had cases where UAT environments ran for weeks or more without any sign of a problem, yet once deployed to production the front end was full of errors.

Static code analysis tools analyze each line of code as it is written; the goal is to catch these kinds of potential issues up front and resolve them before they become a problem.

Typical Code Analysis Tool functions

* Code Quality Reporting
* Code Duplication
* Code Clutter & Noise (e.g. too many unnecessary comments, dead code)
* Code Complexity (e.g. cyclomatic complexity metrics, control flow graph)
* Code Security Issues (e.g. potential SOQL/SQL injection, cross-site scripting and other vulnerabilities)
* Code Metrics / Code Smells Reports (e.g. duplicated code, method length, class size)
* Code Hints / Code Snippets / Code Template Wizards that insert code for developers (driven by the tool or applied manually), e.g. to enforce CQS, DRY and similar principles
* Code Templates (e.g. class name prefix, import statements)
* Code Execution Data Collection for profiling, and Code Usage Tracking
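To make the security and complexity checks listed above concrete, here is a small Apex checker written in Python as an added example for this article; it is not code from SonarCloud, Codelye or any other product, and the Apex class it scans is constructed for the demonstration (the `COMPLEXITY_THRESHOLD` of 5 is an arbitrary assumption). It flags a `Database.query` call whose query string was built by concatenating unescaped input, leaves alone a query that uses a bind variable or `String.escapeSingleQuotes`, and reports a method whose cyclomatic complexity exceeds the threshold, giving a line number for each finding the way a real tool’s report does.

```python
"""Two toy static checks over Apex source: dynamic-SOQL injection and cyclomatic complexity.

Added example for this article, not code from any commercial analyzer. The Apex below is
constructed for the demo; the complexity threshold is an arbitrary assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

COMPLEXITY_THRESHOLD = 5  # assumed limit; real tools make this configurable


@dataclass
class Finding:
    line: int      # 1-based line number in the scanned source
    rule: str
    message: str


# Constructed sample: one injectable dynamic query, one safe bind-variable query,
# and one method with more decision points than the threshold allows.
SAMPLE_APEX = """public with sharing class AccountSearch {
    public static List<Account> unsafe(String name) {
        String q = 'SELECT Id FROM Account WHERE Name = \\'' + name + '\\'';
        return Database.query(q);
    }
    public static List<Account> safe(String name) {
        return [SELECT Id FROM Account WHERE Name = :name];
    }
    public static Integer branchy(Integer x) {
        Integer r = 0;
        if (x > 0) { r++; } else if (x < 0) { r--; }
        for (Integer i = 0; i < x; i++) { if (i > 1 && i < 9 || i == 0) { r += i; } }
        while (r > 100) { r -= 1; }
        return r;
    }
}
"""

METHOD_RE = re.compile(
    r"^\s*(?:public|private|protected|global)\s+(?:static\s+)?"
    r"[\w<>\[\],\s]+?\s+(\w+)\s*\([^)]*\)\s*\{")
ASSIGN_RE = re.compile(r"^\s*(?:String\s+)?(\w+)\s*=\s*(.+);\s*$")
QUERY_RE = re.compile(r"Database\.query\s*\((.*)\)")
OPERAND_RE = re.compile(r"\+\s*([A-Za-z_][\w.]*)")                     # identifiers joined with '+'
BRANCH_RE = re.compile(r"\b(?:if|for|while|when|catch)\b|&&|\|\||\?")  # decision points


def unescaped_operands(expr: str) -> List[str]:
    """Identifiers concatenated into expr that do not pass through String.escapeSingleQuotes."""
    return [op for op in OPERAND_RE.findall(expr)
            if not op.startswith("String.escapeSingleQuotes")]


def methods(lines: List[str]) -> Iterator[Tuple[int, str, str]]:
    """Yield (start_line, name, body) per method by counting braces from its signature.
    Braces inside string literals are not special-cased; a real parser would handle that."""
    i = 0
    while i < len(lines):
        m = METHOD_RE.match(lines[i])
        if not m:
            i += 1
            continue
        depth, body, j = 0, [], i
        while j < len(lines):
            depth += lines[j].count("{") - lines[j].count("}")
            body.append(lines[j])
            j += 1
            if depth == 0:
                break
        yield i + 1, m.group(1), "\n".join(body)
        i = j


def scan_apex(source: str) -> List[Finding]:
    """Run both checks over one Apex source file and return findings in source order."""
    findings: List[Finding] = []
    tainted: Dict[str, List[str]] = {}  # query variable -> unescaped inputs concatenated into it
    lines = source.splitlines()
    for n, line in enumerate(lines, 1):
        m = ASSIGN_RE.match(line)
        if m and "SELECT" in m.group(2).upper():
            bad = unescaped_operands(m.group(2))
            if bad:
                tainted[m.group(1)] = bad
        q = QUERY_RE.search(line)
        if q:
            arg = q.group(1).strip()
            bad = unescaped_operands(arg) or tainted.get(arg, [])
            if bad:
                findings.append(Finding(n, "ApexSOQLInjection",
                    f"Database.query built from unescaped input {bad}; "
                    "use a bind variable or String.escapeSingleQuotes"))
    for start, name, body in methods(lines):
        cc = 1 + len(BRANCH_RE.findall(body))
        if cc > COMPLEXITY_THRESHOLD:
            findings.append(Finding(start, "CyclomaticComplexity",
                f"{name}() has cyclomatic complexity {cc} (limit {COMPLEXITY_THRESHOLD})"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in scan_apex(SAMPLE_APEX):
        print(f"line {f.line}: [{f.rule}] {f.message}")
```

Run against the sample it reports the injectable `Database.query(q)` on line 4 and the over-complex `branchy()` on line 9, and stays silent for `safe()`. The regexes stand in for the real parser and data-flow tracking a product ships with, which is exactly why commercial tools differ in depth: this checker would miss a query assembled across several statements or inside a string literal containing braces.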

What I like to see

“Code Analytics”, visualization of code data, and reporting on code quality issues (a code report should show each item with more than X violations). Tools that integrate with version control systems such as Subversion or Git come up trumps here, because they support a much richer set of functions.

If you’re accustomed to other development environments, static code analysis tools will be the natural choice for you. However, as mentioned above, Salesforce has its limitations, so it’s good to know when not to apply a static code analysis tool such as Codescan, in order to avoid false positives.