Any thoughts on Salesforce Code Analyzer?

[marcosboger]

Creating here as seems an appropriate place for discussion.

Does anyone have thoughts and impressions on the Salesforce Code Analyzer?
We are thinking about using it as our main SAST tool for Salesforce developments, but mainly worried about the rules coverage and if it's good enough to be the sole SAST tool in our Dev setup.

[daveespo]

We have done a few spikes in the past several years, including one about 3 months ago with the Graph Engine v5.

Each spike has resulted in the same conclusion: Code Analyzer can't be used for large projects, period.

Historically, we'd get a bunch of OutOfMemory errors after HOURS of the scanner running. During the most recent spike of testing v5, we didn't hit that specific error, but it still took 48 hours to finish (no, that's not a typo). There were several cryptic errors .. examples:

Error sfge - Internal execution error while scanning entry point: C:\xxx\xxxController.cls:6:16: Path evaluation timed out after 900000 ms

There was an old thread over here that died several years ago:

forcedotcom/code-analyzer#1294

The project we did the spike with has 500 Apex classes in it, to give you a size of scale. Certainly not huge, but also not a Hello World project.

If you don't use the Graph Engine, then you're basically just using PMD and honestly, you should just use PMD directly rather than the bundled version within the CLI that confuses troubleshooting.