[BUG][code-analyzer] CLI v5 run command is not recognizing and flagging any lines that are missing USER_MODE Access Level in direct Map initializations

[vc4u]

Have you tried to resolve this issue yourself first?

• I confirm I have gone through the above steps and still have an issue to report.

Bug Description

sf code-analyzer CLI is not flagging any lines that are missing AccessLevel USER_MODE when the SOQL is used to initialize a new Map variable in Apex class.

Output / Logs

No response

Steps To Reproduce

1. Create an Apex class that have code like this:
   Map<ID, Account> mapOfAccounts; mapOfAccounts = new Map<ID, Account>([select id,name from account where id in:setOfAccountId]);

2. Run following command on a Class:
   sf code-analyzer run --rule-selector Recommended:Security --rule-selector AppExchange --output-file code-analyzer-results.json --output-file code-analyzer-report.html --output-file code-analyzer-report.csv

Expected Behavior

The SOQL should have been flagged with missing Access Level check.

Operating System

Windows 11 x64

Salesforce CLI Version

@salesforce/cli/2.90.4

Code Analyzer Plugin (code-analyzer) Version

code-analyzer 5.1.0

Node Version

node-v22.15.0

Java Version

java version "21.0.5" 2024-10-15 LTS

Python Version

Python 3.12.0

Additional Context (Screenshots, Files, etc)

No response

Workaround

No response

Urgency

Low

[stephen-carter-at-sf]

It appears that the PMD rule ApexCRUDViolation is able to detect the issue if you separate the SOQL statement on its own line like:

List<Account> accountList = [
    SELECT Id, Name 
    FROM Account 
    WHERE Id IN :setOfAccountId
];
mapOfAccounts = new Map<ID, Account>(accountList);

instead of

mapOfAccounts = new Map<ID, Account>([select id,name from account where id in:setOfAccountId]);

So please use this workaround for now.

I've forwarded this as a PMD issue and when they fix this on their end, then we will incorporate the update into Salesforce Code Analyzer: pmd/pmd#5788