Is Apex safe?

Findings

Device Attributes Read Access

Flags items that access device attributes such as CPU, MAC address, or OS version.

low

Filesystem Read Access

Flags items that access and read files from the filesystem.

low

Filesystem Write Access

Flags items that create, modify, or delete files in the filesystem.

low

All findings are available for Enterprise users

Code analysis

AI-powered analysis of the extension's source code for security insights and risk assessment.

This extension provides code-editing features for the Apex programming language in Visual Studio Code. Its main intention is to enhance developer productivity for Salesforce Apex development.

Key Features and Activities:

Localization and Internationalization: The code includes a robust localization system supporting multiple languages (e.g., English and Japanese), with message catalogs and dynamic label resolution.
VSCode API Usage: It makes extensive use of the VSCode API for output channels, notifications, progress reporting, and configuration management. For example, it creates output channels for command execution logs and uses VSCode's notification system to inform users of command results.
Salesforce CLI Integration: The extension interacts with the Salesforce CLI (SFDX) by spawning child processes to run CLI commands. It streams the output and error streams from these processes into VSCode output channels and notifications.
Telemetry: The extension collects telemetry data for product improvement, with respect for user opt-in/out settings. Telemetry is sent via Application Insights or written to a local file if enabled. The telemetry system is configurable and respects privacy settings.
Filesystem Activity: The extension reads and writes files related to Salesforce project configuration and logs (e.g., reading/writing JSON config files, log files, and test result files). It uses Node.js fs and path modules for these operations.
Network Activity: The extension communicates with Salesforce orgs via the Salesforce CLI and, in some cases, directly via HTTP requests for specific operations (e.g., retrieving logs or executing anonymous Apex code). All network activity is related to Salesforce development workflows.
Process Execution: It spawns child processes to execute Salesforce CLI commands. The code includes logic to handle process output, errors, and cancellation.
No Obfuscation: The code is minified for distribution but not obfuscated. Variable and function names are shortened, but there is no evidence of string encryption, control flow flattening, or other obfuscation techniques.

No Strong Indicators of Malicious Activity:

There is no evidence of data exfiltration, backdoors, or unauthorized code execution. All network and filesystem activity is consistent with the extension's stated purpose.
Telemetry is opt-in and documented, with clear configuration options for users to disable it.
All process executions are related to Salesforce CLI commands, and there is no evidence of arbitrary command execution or abuse.

Example of process execution (expected for CLI integration):

let t=YV(this.command.command,this.command.args,this.options);
return new mg(this.command,t,e);

This spawns a Salesforce CLI process and streams its output.

Example of telemetry (with opt-out):

this.userOptIn=t.get(Uo.TELEMETRY_CONFIG_ENABLED_ID,!0),this.userOptIn?this.createAppInsightsClient(e):this.dispose()

This respects the user's telemetry settings.

API Calls

API calls detected through static analysis of the source code. For more accurate insights, explore our sandbox dynamic analysis.

low

process.env.VSCODE

nodejs

/extension/dist/index.js

low

process.env.PATHEXT

nodejs

/extension/dist/index.js

low

process.getuid

nodejs

/extension/dist/index.js

All API calls are available for Enterprise users

Secrets

Any encoded/decoded secrets we managed to find in the source code, git repository, or related files

PrivateKey

/extension/node_modules/@octokit/openapi-types/types.d.ts

Unverified

PrivateKey

/extension/node_modules/yeoman-generator/node_modules/node-gyp/test/fixtures/certs.js

Unverified

GitHubOauth2

/extension/node_modules/@octokit/openapi-types/types.d.ts

Unverified

All secrets are available for Enterprise users

Vulnerabilities

Known vulnerabilities and security issues detected in the extension's dependencies and code.

GHSA-xx4v-prfh-6cgc

@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

CVSS:

GHSA-grv7-fg5c-xmjg

Uncontrolled resource consumption in braces

CVSS:

GHSA-h5c3-5r3r-rr8q

@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

CVSS:

All vulnerabilities are available for Enterprise users

External communication

Any identifiers we detected that may indicate external communication from the item's code

https://www.slf4j.org/codes.html#version_mismatch

extension/dist/apex-jorje-lsp.jar/org/slf4j/LoggerFactory.class

https://www.slf4j.org/codes.html#multiple_bindings

extension/dist/apex-jorje-lsp.jar/org/slf4j/LoggerFactory.class

https://www.slf4j.org/codes.html#unsuccessfulInit

extension/dist/apex-jorje-lsp.jar/org/slf4j/LoggerFactory.class

All external communications are available for Enterprise users

Dependencies

Dependencies and third-party libraries used by the extension, including version information and license details.

normalize-package-data

Version:

2.5.0

parse-json

Version:

5.2.0

type-fest

Version:

0.6.0

All dependencies are available for Enterprise users

Licenses & Compliance

Compliance

Compliance status and certifications for the extension and its publisher

Salesforce

Salesforce clearly states that they maintain a comprehensive set of compliance certifications, including ISO 27001, which validates their commitment to security and trust. However, I could not find any specific information regarding a parent company or its ISO 27001 compliance.

Compliant

Salesforce

Salesforce has explicit declarations of GDPR compliance on its website, indicating that it maintains a comprehensive set of compliance certifications, including GDPR. Their data processing addendum ensures lawful data transfer outside of the EU, which aligns with GDPR requirements. As such, both Salesforce and its parent company (implicitly, as there is no separate parent company listed) are deemed compliant with GDPR.

Compliant

Salesforce

Salesforce actively supports CCPA compliance, offering tools such as Salesforce Shield and a Privacy Center for managing consumer rights. However, I could not find specific compliance declaration for a parent company because Salesforce operates independently. The findings indicate that while Salesforce facilitates CCPA compliance for its users, it doesn't provide explicit third-party certification or compliance status for itself.

Compliant

Licenses

BSD 3-Clause No Military License

View License

"Copyright (c) 2017, Salesforce.com, inc.\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without modification,\nare permitted provided that the following condition...