[BUG]InternalExecutionError when scanning my setCompetitors method

[andymills]

Description:
Graph Engine identified your source and sink, but you must manually verify that you have a sanitizer in this path. Then, add an engine directive to skip the path. Next, create a Github issue for the Code Analyzer team that includes the error and stack trace. After we fix this issue, check the Code Analyzer release notes for more info. Error and stacktrace: ClassCastException: class com.salesforce.graph.vertex.VariableExpressionVertex$Single cannot be cast to class com.salesforce.graph.vertex.ClassRefExpressionVertex (com.salesforce.graph.vertex.VariableExpressionVertex$Single and com.salesforce.graph.vertex.ClassRefExpressionVertex are in unnamed module of loader 'app'): com.salesforce.graph.symbols.JSONDeserializeFactory.lambda$static$0(JSONDeserializeFactory.java:52);com.salesforce.graph.ops.ApexStandardLibraryUtil.getStandardType(ApexStandardLibraryUtil.java:155);com.salesforce.graph.symbols.PathScopeVisitor.afterVisit(PathScopeVisitor.java:1244);com.salesforce.graph.symbols.DefaultSymbolProviderVertexVisitor.afterVisit(DefaultSymbolProviderVertexVisitor.java:800);com.salesforce.graph.vertex.MethodCallExpressionVertex.afterVisit(MethodCallExpressionVertex.java:79);com.salesforce.graph.ops.expander.ApexPathExpander.performAfterVisit(ApexPathExpander.java:577)

Documentation:
sfge.log

Method code where the error occurs:

 @RemoteAction
    public static string setGuidelines(string id, string guidelinesString) {
        GuidelineList deserializeResults;

        try {
            Type resultType = GuidelineList.class;
            deserializeResults = (GuidelineList)JSON.deserialize(guidelinesString, resultType);
        }
        catch (Exception ex) {
            return 'Invalid data';
        }

        if (
            Schema.sObjectType.Guideline__c.fields.Stroke__c.isAccessible() && 
            Schema.sObjectType.Guideline__c.fields.Colour__c.isAccessible() &&
            Schema.sObjectType.Guideline__c.fields.Name.isAccessible() &&
            Schema.sObjectType.Guideline__c.fields.Opportunity__c.isAccessible() &&
            Schema.sObjectType.Guideline__c.fields.InternalId__c.isAccessible() &&
            Schema.sObjectType.Guideline__c.fields.Pos__c.isAccessible()
       ) {
            List<Guideline__c> guidelines =  [select id, name, Pos__c, InternalId__c, Stroke__c, Colour__c from Guideline__c where Opportunity__c =: id]; 

            addUpdateGuidelines(id, deserializeResults.guidelines, guidelines);
            deleteGuidelines(id, deserializeResults.guidelines, guidelines);
            return 'Success';
       }else{
            return 'No read access';
       }
    }

Steps To Reproduce:
I ran the following scanner:
sf scanner run dfa --format=csv --outfile=CodeAnalyzerDFA.csv --target="./force-app/main/default" --projectdir="./force-app/main/default" --category="Security"

Expected Behavior:
If invalid data is passed in I expect it to return a string 'Invalid data'
If the user has no access then it returns 'no read access'
If everything is okay it returns 'Success'

Desktop:
Provide these details:

• Operating System: Windows 11
• Code Analyzer version: v3.20.0
• Salesforce CLI version: @salesforce/cli/2.23.20 win32-x64 node-v18.19.0

Additional Context:

Workaround:
Tried the directives to exclude from the engine, but it doesn't work
Urgency:
Medium

[git2gus]

This issue has been linked to a new work item: W-15080640

[stephen-carter-at-sf]

Marking this as a duplicate of #1497