
[BUG][1.14.0] Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. Then, add an engine directive to skip the path. #1976

@sposinadevops

Have you tried to resolve this issue yourself first?

  • I confirm I have gone through the above steps and still have an issue to report.

Bug Description

    @AuraEnabled // line 501 of SL_ctrl_DynTbl.cls
    public static void deleteRecord(Id recordId){ // line 502 (entry point in the log)
        // API name of the record's object type, used in the dynamic query below
        String objParent=recordId.getSObjectType().getDescribe().getName();
        // Look up whether the running user may delete this record
        UserRecordAccess objPer = [ SELECT RecordId, HasDeleteAccess
                                    FROM UserRecordAccess
                                    WHERE UserId =: UserInfo.getUserId() AND RecordId =: recordId ];
        String queryString='SELECT Id FROM '+objParent+' WHERE Id = \''+recordId+'\''; // line 507
        List<SObject> lstSObject=Database.query(queryString); // line 508
        if(objPer.HasDeleteAccess){
            delete lstSObject;
        }
    }

Output / Logs

[2026-01-15T20:47:08.476Z] Error sfge - Internal execution error while scanning entry point: C:\Users\extnhaley\Documents\Security Reports\sfdc-prod\unpackaged\main\default\classes\SL_ctrl_DynTbl.cls:502:24: Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. Then, add an engine directive to skip the path. Error and stacktrace: UnexpectedException: Did not expect empty query information. soqlValue=ApexValue(ApexSoqlValue) {status=INITIALIZED, declarationVertex=VariableDeclaration{properties={FirstChild=false, BeginLine=508, Type=List<SObject>, DefiningType_CaseSafe=sl_ctrl_dyntbl, LastChild=true, DefiningType=SL_ctrl_DynTbl, EndLine=508, Name_CaseSafe=lstsobject, childIdx=1, BeginColumn=23, Name=lstSObject}}, valueVertex=VariableExpression{properties={FirstChild=false, BeginLine=508, DefiningType_CaseSafe=sl_ctrl_dyntbl, LastChild=true, DefiningType=SL_ctrl_DynTbl, EndLine=508, Name_CaseSafe=querystring, childIdx=1, BeginColumn=49, Name=queryString}}, resolvedValues={VariableExpression{properties={FirstChild=false, BeginLine=508, DefiningType_CaseSafe=sl_ctrl_dyntbl, LastChild=true, DefiningType=SL_ctrl_DynTbl, EndLine=508, Name_CaseSafe=querystring, childIdx=1, BeginColumn=49, Name=queryString}}=BinaryExpression{properties={FirstChild=true, Operator=+, BeginLine=507, DefiningType_CaseSafe=sl_ctrl_dyntbl, LastChild=false, DefiningType=SL_ctrl_DynTbl, EndLine=507, childIdx=0, BeginColumn=28}}}, returnedFrom=null, invocableExpression=MethodCallExpressionVertex{fullMethodName=Database.query, referenceVertex=LazyVertex{result=ReferenceExpression{properties={FirstChild=true, Names=[Database], BeginLine=508, DefiningType_CaseSafe=sl_ctrl_dyntbl, LastChild=false, DefiningType=SL_ctrl_DynTbl, EndLine=508, Name_CaseSafe=database, childIdx=0, BeginColumn=34, ReferenceType=METHOD, Name=Database}}}, chainedNames=[Database], properties={FirstChild=true, FullMethodName=Database.query, BeginLine=508, 
FullMethodName_CaseSafe=database.query, DefiningType_CaseSafe=sl_ctrl_dyntbl, LastChild=false, DefiningType=SL_ctrl_DynTbl, EndLine=508, MethodName_CaseSafe=query, childIdx=0, BeginColumn=43, MethodName=query}}, method=null}: com.salesforce.rules.fls.apex.operations.ValidationConverter.extractFromSoqlValue(ValidationConverter.java:133);com.salesforce.rules.fls.apex.operations.ValidationConverter.getHolder(ValidationConverter.java:91);com.salesforce.rules.fls.apex.operations.ValidationConverter.convertToExpectedValidations(ValidationConverter.java:67);com.salesforce.rules.fls.apex.operations.FlsValidationCentral.createExpectedValidations(FlsValidationCentral.java:162);com.salesforce.rules.fls.apex.AbstractFlsVisitor.afterVisitDmlStatementVertex(AbstractFlsVisitor.java:97);com.salesforce.rules.fls.apex.DmlDeleteFlsRuleVisitor.afterVisit(DmlDeleteFlsRuleVisitor.java:17)


===
Also getting this error
[2026-01-15T20:47:08.472Z] Error sfge - Internal execution error while scanning entry point: C:\Users\extnhaley\Documents\Security Reports\sfdc-prod\unpackaged\main\default\classes\SL_ctrl_DynTbl.cls:9:26: Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. Then, add an engine directive to skip the path. Error and stacktrace: UnexpectedException: MethodCallExpressionVertex{fullMethodName=handlePlaceHolderFields, referenceVertex=LazyVertex{result=EmptyReferenceExpression{properties={FirstChild=true, BeginLine=265, DefiningType_CaseSafe=sl_ctrl_dyntbl, LastChild=false, DefiningType=SL_ctrl_DynTbl, EndLine=265, childIdx=0, BeginColumn=33}}}, chainedNames=[], properties={FirstChild=false, FullMethodName=handlePlaceHolderFields, BeginLine=265, FullMethodName_CaseSafe=handleplaceholderfields, DefiningType_CaseSafe=sl_ctrl_dyntbl, LastChild=true, DefiningType=SL_ctrl_DynTbl, EndLine=265, MethodName_CaseSafe=handleplaceholderfields, childIdx=1, BeginColumn=33, MethodName=handlePlaceHolderFields}}: com.salesforce.graph.symbols.PathScopeVisitor.popMethodInvocationScope(PathScopeVisitor.java:510);com.salesforce.graph.symbols.DefaultSymbolProviderVertexVisitor.afterMethodCall(DefaultSymbolProviderVertexVisitor.java:308);com.salesforce.graph.ops.expander.ApexPathExpander.handleMethodCall(ApexPathExpander.java:681);com.salesforce.graph.ops.expander.ApexPathExpander.visit(ApexPathExpander.java:532);com.salesforce.graph.ops.expander.ApexPathExpander.visit(ApexPathExpander.java:523);com.salesforce.graph.ops.expander.ApexPathExpander.visit(ApexPathExpander.java:523)

Steps To Reproduce

Place the above code in any sample class and run sf code-analyzer run --rule-selector sfge --target "./force-app/main/default/classes"

Expected Behavior

Should not error out and should log how to bypass these errors.

Operating System

macOS Sequoia 15.7.3

Visual Studio Code Version

1.108.0

Extension Version

1.14.0

Salesforce CLI Version

salesforce/cli/2.117.6 darwin-arm64 node-v22.21.1

Code Analyzer CLI Plugin Version

5.8.0node

Node Version

No response

Java Version

No response

Python Version

No response

Additional Context (Screenshots, Files, etc)

No response

Workaround

Tried adding /* sfge-disable-next-line ApexFlsViolation */ but issue persists

Urgency

High
