SonarSource · github-actions · Sep 29, 2025 · Sep 29, 2025 · Sep 29, 2025
diff --git a/rules/S8038/apex/metadata.json b/rules/S8038/apex/metadata.json
@@ -0,0 +1,30 @@
+{
+  "title": "SOQL queries should use built-in security enforcement instead of manual Schema accessibility checks",
+  "type": "VULNERABILITY",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant/Issue",
+    "constantCost": "5 min"
+  },
+  "tags": [
+    "security",
+    "soql",
+    "salesforce"
+  ],
+  "defaultSeverity": "Blocker",
+  "ruleSpecification": "RSPEC-8038",
+  "sqKey": "S8038",
+  "scope": "Main",
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ],
+  "quickfix": "unknown",
+  "code": {
+    "impacts": {
+      "SECURITY": "BLOCKER",
+      "RELIABILITY": "BLOCKER",
+      "MAINTAINABILITY": "BLOCKER"
+    },
+    "attribute": "LOGICAL"
+  }
+}
diff --git a/rules/S8038/apex/rule.adoc b/rules/S8038/apex/rule.adoc
@@ -0,0 +1,68 @@
+This is an issue when manual field or object accessibility checks using `Schema.SObjectType` methods are performed before SOQL queries, instead of using built-in security enforcement clauses like `WITH SECURITY_ENFORCED` or `WITH USER_MODE`.
+
+== Why is this an issue?
+
+Manual accessibility checks using `Schema.SObjectType` methods before SOQL queries create several problems:
+
+**Code Complexity and Maintenance**: Manual checks require verbose, repetitive code that becomes harder to maintain as queries grow more complex. Each field and object must be individually validated, leading to lengthy conditional statements.
+
+**Incomplete Security Coverage**: Manual checks don't handle all security scenarios comprehensively. They may miss edge cases, relationship field security, or new security features like Restriction Rules that Salesforce introduces.
+
+**Error-Prone Implementation**: Developers can easily forget to check all necessary fields or objects, creating security gaps. The manual approach also doesn't provide detailed error information when access is denied.
+
+**Performance Impact**: Multiple describe calls can impact performance, especially in bulk operations or when checking many fields.
+
+**Scalability Issues**: As queries become more complex with subqueries and relationship fields, manual checks become increasingly difficult to implement correctly.
+
+Salesforce provides built-in security enforcement mechanisms that address all these concerns automatically and more reliably.
+
+=== What is the potential impact?
+
+Using manual accessibility checks instead of built-in security enforcement can lead to:
+
+* **Security vulnerabilities** from incomplete or incorrect manual validation
+* **Increased maintenance burden** due to verbose, repetitive code
+* **Performance degradation** from multiple describe operations
+* **Runtime errors** when security requirements change but manual checks aren't updated
+* **Inconsistent security enforcement** across different parts of the application
+
+== How to fix it
+
+Replace manual Schema accessibility checks with `WITH SECURITY_ENFORCED` clause in SOQL queries. This provides comprehensive field and object-level security enforcement with proper error handling.
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,apex,diff-id=1,diff-type=noncompliant]
+----
+if(Schema.SObjectType.Account.Fields.Name.isAccessible() &&
+   Schema.SObjectType.Account.Fields.Phone.isAccessible()) {
+    List<Account> accList = [Select Name,Phone from Account Limit 100]; // Noncompliant
+}
+----
+
+==== Compliant solution
+
+[source,apex,diff-id=1,diff-type=compliant]
+----
+try {
+    List<Account> accList = [Select Name,Phone from Account WITH SECURITY_ENFORCED Limit 100];
+} catch(System.QueryException ee) {
+    System.debug('Access denied to Account fields');
+}
+----
+
+== Resources
+
+=== Documentation
+
+ * Field Level Security in SOQL With SECURITY_ENFORCED - https://www.apexhours.com/field-level-security-in-soql-with-security_enforced[Comprehensive guide on using WITH SECURITY_ENFORCED clause for field-level security in SOQL queries]
+
+ * User Mode Database Operations - https://www.apexhours.com/secure-apex-code-with-user-mode-database-operations[Detailed explanation of WITH USER_MODE and other user mode database operations in Apex]
+
+ * Salesforce Developer Tips - https://www.apexhours.com/20-tips-for-salesforce-developers[Best practices for Salesforce developers including security enforcement in SOQL]
+
+=== Standards
+
+ * CWE-285: Improper Authorization - https://cwe.mitre.org/data/definitions/285.html[Weakness related to improper authorization checks that can lead to security vulnerabilities]
diff --git a/rules/S8038/metadata.json b/rules/S8038/metadata.json
@@ -0,0 +1,2 @@
+{
+}