Top ten failed certification checks
Summary
Every application that partners submit to the ServiceNow Store goes through a rigorous vetting process called certification. Certification helps ensure that all applications published on the store are stable and architecturally sound. The process involves a large number of automated tests and some manual tests, in areas ranging from scripting to security, and over the past few years the certification team has certified a few hundred applications. This means we have a considerable amount of data on which application checks are consistently passed and which consistently fail.

To demystify the process a little, I'm going to walk through the top ten most common certification failures and how to prevent them.

10. Missing Roles for Modules

Issue: Some modules have no roles of their own, so their visibility is governed only by the roles on the Application Menu. The application might have users with different roles, such as application admin and application user.

Solution: Review the modules and add roles according to the use case.

9. Dot walking to sys_id

Issue: It is not necessary to include the sys_id of a reference field when dot-walking, as in the following example:

var id = current.caller_id.sys_id; // Wrong

The value of a reference field is already a sys_id. When you dot-walk to sys_id, the system runs an additional database query to retrieve the caller_id record and then reads its sys_id. This can lead to performance issues.

Solution: Use the following statement instead, as documented on the Developer Portal.

var id = current.getValue('caller_id'); // Right

8. Missing ACLs for UI Pages

Issue: One or more UI Pages have no ACLs and can be force-browsed by unauthorized users.

Solution: Restrict them by adding read ACLs, with the required roles, on each page's endpoint URI without the .do suffix.

7. Missing ACLs on Client Callable Script Include

Issue: One or more script includes are marked as client callable and lack the necessary ACLs. These can be misused by unauthorized users from the client side, for example from the browser console.

Solution: Restrict them by adding an ACL of type client_callable_script_include with the execute operation for each client-callable script include.

6. Unsafe Jelly Statements

Issue: One or more UI macros or UI pages contain unsafe Jelly statements that may leave them vulnerable to XSS attacks.

Solution: Ensure that each of those Jelly statements is HTML-escaped and/or JS-escaped, as appropriate for the context in which the value is output. Details are in the product documentation.

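As an added illustration (not code from the article or from ServiceNow), the following JavaScript shows why the escaping has to match the output context: the same untrusted value is rendered once raw and once through an HTML escaper for markup positions and a JavaScript-string escaper for a value placed inside a script block. The escaper functions, the page fragment and the sample payload are all constructed here; how Jelly selects HTML or JS escaping for a given statement is covered in the documentation the solution refers to.

```javascript
// Added example, not from the article: escape a value according to the context
// it is emitted into. The fragment layout and the payload are constructed.

// Escape for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'\/]/g, function (ch) { return map[ch]; });
}

// Escape for a value placed inside a JavaScript string literal in a <script>
// block: every character outside [A-Za-z0-9,._] becomes \xHH or \uHHHH, so the
// value can close neither the string literal nor the surrounding element.
function escapeJs(value) {
  return String(value).replace(/[^A-Za-z0-9,._]/g, function (ch) {
    var code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + ('0' + code.toString(16)).slice(-2)
      : '\\u' + ('000' + code.toString(16)).slice(-4);
  });
}

// Unsafe rendering: the value is concatenated raw into three different contexts
// (attribute value, text node, JavaScript string literal).
function renderUnsafe(value) {
  return '<span title="' + value + '">' + value + '</span>' +
    '<script>var label = "' + value + '";</script>';
}

// Hardened rendering: the same fragment, with the escaper chosen per context.
// HTML escaping alone would not protect the <script> string, and JS escaping
// alone would not protect the attribute or the text node.
function renderSafe(value) {
  return '<span title="' + escapeHtml(value) + '">' + escapeHtml(value) + '</span>' +
    '<script>var label = "' + escapeJs(value) + '";</script>';
}

// Count <script start tags in a fragment; the template itself contributes one,
// so anything above one means injected markup survived.
function scriptTagCount(html) {
  return (html.match(/<script/gi) || []).length;
}

// Constructed untrusted input of the kind an XSS check looks for.
var PAYLOAD = '"><script>alert(1)</script>';

console.log('unsafe script tags:', scriptTagCount(renderUnsafe(PAYLOAD)));
console.log('safe script tags:  ', scriptTagCount(renderSafe(PAYLOAD)));
console.log(renderSafe(PAYLOAD));
```

The raw rendering ends up with four script start tags (three injected plus the template's own), while the escaped rendering keeps only the template's one. The point to carry back to Jelly is that the escaper is chosen by where the value lands, not by what the value looks like.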
5. Default Homepage Override

Issue: One or more homepages would override the default homepage because they have no order value or read roles.

Solution: Set appropriate read roles and an order greater than 3000.

4. Missing Contact Support Module

Issue: There is no module under the application menu with details of the support coverage.

Solution: Add a support module to the application so customers know how to reach a support contact when the need arises. For any link that navigates to an external UI, add the attributes rel="noopener noreferrer nofollow" to the anchor tag to avoid the risk of tabnabbing.

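As an added example that is not part of the article, here is a small JavaScript check for the anchor requirement above: it scans HTML for anchor tags that open a new tab (target="_blank") and reports any that lack one of the rel tokens noopener, noreferrer and nofollow. The attribute parsing is a regular expression over start tags, which is an assumption that suits flat markup such as a support module's links rather than arbitrary HTML; the sample markup is constructed.

```javascript
// Added example, not from the article: find anchors that open a new browsing
// context without the rel tokens the certification check expects.

var REQUIRED_REL = ['noopener', 'noreferrer', 'nofollow'];

// Parse the attributes of one <a ...> start tag into an object keyed by
// lower-cased attribute name. Values may be double-quoted, single-quoted or bare.
// Assumption: well-formed start tags; this is not a full HTML parser.
function parseAttrs(tag) {
  var attrs = {};
  var re = /([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  var m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
  }
  return attrs;
}

// Return one finding per anchor with target="_blank" that is missing any of the
// required rel tokens. Anchors without target="_blank" are not reported.
function findUnsafeAnchors(html) {
  var findings = [];
  var tagRe = /<a\b[^>]*>/gi;
  var m;
  while ((m = tagRe.exec(html)) !== null) {
    var attrs = parseAttrs(m[0]);
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    var rel = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
    var missing = REQUIRED_REL.filter(function (token) { return rel.indexOf(token) === -1; });
    if (missing.length > 0) {
      findings.push({ href: attrs.href || '', missing: missing });
    }
  }
  return findings;
}

// Constructed sample of the kind of markup a support module might contain.
var SAMPLE_HTML = [
  '<a href="https://support.example.com" target="_blank" rel="noopener noreferrer nofollow">Contact support</a>',
  '<a href="https://docs.example.com" target="_blank">Documentation</a>',
  '<a href="https://status.example.com" target=_blank rel="noopener">Status page</a>',
  '<a href="/x_app/home.do">Home</a>'
].join('\n');

findUnsafeAnchors(SAMPLE_HTML).forEach(function (f) {
  console.log('anchor to ' + f.href + ' is missing rel tokens: ' + f.missing.join(', '));
});
```

Run against the sample, the check flags the documentation link (no rel at all) and the status link (noopener only), and leaves the correctly attributed support link and the same-origin link alone.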
3. Missing or Inappropriate ACLs on Table

Issue: One or more tables are missing the appropriate ACLs and can be force-browsed or accessed by inappropriate users.

Solution: Add the necessary ACLs to the table.

2. Unintended UI List Records

Issue: When you personalize a table's list view while an application is selected in the application picker, the resulting sys_ui_list record is saved in that application. If several users do this, all of their records end up in the application, which can result in orphaned records or unexpected behaviour when users browse to the list view.

Solution: Be careful when personalizing lists while an application is selected in the application picker.

1. Unconditioned UI Action

Issue: UI Actions with an empty condition field can be called by any logged-in user.

Solution: Restrict UI actions:
- Restrict each UI action with a condition
- Add 'Required Roles' to the UI action

Note that you must be a Build Partner to list an application on the ServiceNow Store. If you are not a Build Partner Program participant and you want to develop and sell applications on the ServiceNow Store, you can join the ServiceNow Partner Program.