[apex] ApexCRUDViolation unable to detect insecure SOQL if it is a direct input argument #5788

@stephen-carter-at-sf

Description

Affects PMD Version: 7.13.0

Rule:

ApexCRUDViolation

Description:

The ApexCRUDViolation rule is failing to detect a violation if SOQL is passed in directly as an input argument instead of being on its own line.

Code Sample demonstrating the issue:

Although this code correctly reports a violation

public with sharing class Dummy {
    // setOfAccountId is taken as a parameter so the sample compiles; the report did not declare it.
    public void test(Set<Id> setOfAccountId) {
        Map<ID, Account> mapOfAccounts;
        // SOQL on its own statement, with no CRUD/FLS check before it: PMD flags this.
        List<Account> accountList = [
            SELECT Id, Name
            FROM Account
            WHERE Id IN :setOfAccountId
        ];
        mapOfAccounts = new Map<ID, Account>(accountList);
    }
}

the following does not:

public with sharing class Dummy {
    // setOfAccountId is taken as a parameter so the sample compiles; the report did not declare it.
    public void test(Set<Id> setOfAccountId) {
        Map<ID, Account> mapOfAccounts;
        // Same unchecked SOQL, but passed directly as a constructor argument: PMD does not flag this.
        mapOfAccounts = new Map<ID, Account>([
            SELECT Id, Name
            FROM Account
            WHERE Id IN :setOfAccountId
        ]);
    }
}

Expected outcome:

PMD should report a violation.

Running PMD through: CLI
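For reference, here is the second sample written the way ApexCRUDViolation expects, with an explicit object-level and field-level access check immediately before the inline query. This is an added example, not code from the issue or from the PMD project; `setOfAccountId` is assumed to be a method parameter (the report never declares it) and `AccessDeniedException` is a hypothetical custom exception. The point is that the guard protects the query whether or not the rule inspects the argument position, so a false negative in the analyzer does not leave the query unguarded at runtime.

```apex
// Added example (not from the issue or from PMD): the inline-SOQL sample guarded
// with the CRUD/FLS checks that ApexCRUDViolation looks for before a query.
public with sharing class Dummy {
    // Hypothetical exception type used when the running user lacks access.
    public class AccessDeniedException extends Exception {}

    // setOfAccountId is assumed to arrive as a parameter; the issue never declares it.
    public Map<ID, Account> test(Set<Id> setOfAccountId) {
        // Object-level read permission for the running user.
        if (!Schema.sObjectType.Account.isAccessible()) {
            throw new AccessDeniedException('No read access to Account');
        }
        // Field-level read permission for every non-Id field the query selects.
        if (!Schema.sObjectType.Account.fields.Name.isAccessible()) {
            throw new AccessDeniedException('No read access to Account.Name');
        }
        // The SOQL stays inline as the constructor argument, exactly as in the
        // unflagged sample; the checks above are what make it safe to run.
        return new Map<ID, Account>([
            SELECT Id, Name
            FROM Account
            WHERE Id IN :setOfAccountId
        ]);
    }
}
```

Apex also lets the query itself enforce the running user's permissions (for example the `WITH USER_MODE` clause); consult the rule's documentation for which of those forms it recognises, since this report shows that where the SOQL literal sits can affect what the rule sees.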

Labels: a:false-negative (PMD doesn't flag a problematic piece of code)
