Skip to content

Instantly share code, notes, and snippets.

@rsoesemann

rsoesemann/sfdx-scanner-appexchange-ruleset.xml

Last active January 12, 2024 11:30
Show Gist options
  • Save rsoesemann/93d4516e139fb00a2d7f2353ed8b5123 to your computer and use it in GitHub Desktop.
Save rsoesemann/93d4516e139fb00a2d7f2353ed8b5123 to your computer and use it in GitHub Desktop.
Download ZIP
Custom XPath Rules provided as special Security Scanner engine 'pmd-appexchange' from v.3.20
Raw
sfdx-scanner-appexchange-ruleset.xml
<ruleset name="AppExchange Security Review v.3.20" xmlns="http://pmd.sourceforge.net/ruleset/2.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">
<description>
Custom XPath Rules provided as special Security Scanner engine 'pmd-appexchange' from v.3.20
Decompiled with https://jdec.app/ from Java libs from https://github.com/forcedotcom/sfdx-scanner/tree/dev/pmd-appexchange/lib
</description>
<!-- APEX RULES -->
<!--AvoidUnsafeSystemSetPassword-->
<rule language="apex" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnsafeSystemSetPassword" message="Before calling System.setPassword() in Apex, perform necessary authorization checks." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnsafeSystemSetPassword.md">
<description>Detects where System.setPassword() exists in Apex code. Use this method with caution.</description>
<priority>1</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
//MethodCallExpression[
lower-case(@FullMethodName) = lower-case("System.setPassword") or
lower-case(@FullMethodName) = lower-case("setPassword")
]
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidCallingSystemResetPasswordWithEmailTemplate-->
<rule language="apex" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidCallingSystemResetPasswordWithEmailTemplate" message="Before calling System.resetPasswordWithEmailTemplate(), perform the necessary authorization checks." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidCallingSystemResetPasswordWithEmailTemplate.md">
<description>Detects where System.resetPasswordWithEmailTemplate() exists in Apex code. Use this method with caution.</description>
<priority>1</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
//MethodCallExpression[
lower-case(@FullMethodName) = lower-case("System.resetPasswordWithEmailTemplate") or
lower-case(@FullMethodName) = lower-case("resetPasswordWithEmailTemplate")
]
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidUnsafeSystemMovePassword-->
<rule language="apex" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnsafeSystemMovePassword.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnsafeSystemMovePassword" message="Before calling System.movePassword(), perform the necessary authorization checks.">
<description>Detects where System.movePassword() is used in Apex code. Use this method with caution.</description>
<priority>1</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
//MethodCallExpression[
lower-case(@FullMethodName) = lower-case("System.movePassword") or
lower-case(@FullMethodName) = lower-case("movePassword")
]
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidChangeProtectionUnprotected-->
<rule language="apex" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidChangeProtectionUnprotected.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidChangeProtectionUnprotected" message="Update your code to avoid using FeatureManagement.changeProtection called by an UnProtected argument.">
<!-- TBD
May be use only one rule? "SFCustom-DangerousMethod-changeProtection"
-->
<description>Detects potential misuse of FeatureManagement.changeProtection.</description>
<priority>1</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
//MethodCallExpression[
lower-case(@FullMethodName)=lower-case("FeatureManagement.changeProtection") or
lower-case(@FullMethodName)=lower-case("System.FeatureManagement.changeProtection")
]
//LiteralExpression[lower-case(@Image)=lower-case("Unprotected")]//ancestor::MethodCallExpression
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidUnauthorizedGetSessionIdInApex-->
<rule language="apex" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnauthorizedGetSessionIdInApex" message="Use of UserInfo.getSessionId might not be authorized." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnauthorizedGetSessionIdInApex.md">
<!--
TBD: Add extUrlInfo
Add links to OAuth Workflows
-->
<description>Detects use of UserInfo.getSessionId() to retrieve a session ID.</description>
<priority>3</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
//MethodCallExpression[upper-case(@FullMethodName)="SYSTEM.USERINFO.GETSESSIONID"
or upper-case(@FullMethodName) = "USERINFO.GETSESSIONID"
]
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidUnsafeSystemResetPassword-->
<rule language="apex" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnsafeSystemResetPassword" message="Before calling System.resetPassword(), perform the necessary authorization checks." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnsafeSystemResetPassword.md">
<description>Detects where System.resetPassword() exists in Apex code. Use this method with caution.</description>
<priority>1</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
//MethodCallExpression[
lower-case(@FullMethodName) = lower-case("System.resetPassword") or
lower-case(@FullMethodName) = lower-case("resetPassword")
]
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidWithoutSharingInRestApiController-->
<rule language="apex" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidWithoutSharingInRestApiController" message="Use &quot;with sharing&quot; in Apex classes with the @RestResource annotation." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidWithoutSharingInRestApiController.md">
<description>Detects use of &quot;without sharing&quot; in an Apex class exposed with the @RestResource annotation.</description>
<priority>2</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
if (./ModifierNode/Annotation[@Image = "RestResource"])
then
./ModifierNode[@WithSharing = false() and @InheritedSharing = false()]
else
false
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidHardcodedCredentials-->
<rule language="apex" class="net.sourceforge.pmd.lang.rule.XPathRule" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidHardcodedCredentials.md" name="AvoidHardcodedCredentials" message="Remove hard-coded credentials from source code.">
<description>Identifies hard-coded credentials in source code that must be protected using Protected Custom metadata or Protected Custom settings.</description>
<priority>3</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<!--
Intentionally ignored others in the //LiteralExpression query
-->
<![CDATA[
//VariableDeclaration[
(upper-case(@Image)="KEY") or (upper-case(@Image)="ACCESSKEY") or (upper-case(@Image)="APIKEY") or
(upper-case(@Image)="PASS") or (upper-case(@Image)="PASSWORD") or (upper-case(@Image)="ENCRYPTION") or
(upper-case(@Image)="TOKEN") or (upper-case(@Image)="SECRET") or (upper-case(@Image)="HASH")
or (upper-case(@Image)="API_KEY") or (upper-case(@Image)="ACCESS_KEY") or (upper-case(@Image)="ACCESS_TOKEN") or
(upper-case(@Image)="ENC_KEY")
]/LiteralExpression |
//VariableExpression[
(upper-case(@Image)="KEY") or (upper-case(@Image)="_ACCESSKEY") or (upper-case(@Image)="APIKEY") or
(upper-case(@Image)="PASS") or (upper-case(@Image)="PASSWORD") or (upper-case(@Image)="ENCRYPTION") or
(upper-case(@Image)="TOKEN") or (upper-case(@Image)="SECRET") or (upper-case(@Image)="HASH")
or (upper-case(@Image)="API_KEY") or (upper-case(@Image)="ACCESS_KEY") or (upper-case(@Image)="ACCESS_TOKEN") or
(upper-case(@Image)="ENC_KEY")
]/ancestor::AssignmentExpression/LiteralExpression |
//VariableExpression[
(upper-case(@Image)="KEY") or (upper-case(@Image)="_ACCESSKEY") or (upper-case(@Image)="APIKEY") or
(upper-case(@Image)="PASS") or (upper-case(@Image)="PASSWORD") or (upper-case(@Image)="ENCRYPTION") or
(upper-case(@Image)="TOKEN") or (upper-case(@Image)="SECRET") or (upper-case(@Image)="HASH")
or (upper-case(@Image)="API_KEY") or (upper-case(@Image)="ACCESS_KEY") or (upper-case(@Image)="ACCESS_TOKEN") or
(upper-case(@Image)="ENC_KEY")
] /ancestor::AssignmentExpression/TernaryExpression/LiteralExpression
|
//LiteralExpression[
contains(upper-case(@Image),"APIKEY") or contains(upper-case(@Image),"ACCESSKEY") or contains(upper-case(@Image),"ACCESSTOKEN")
or contains(upper-case(@Image),"PASSWORD") or contains(upper-case(@Image),"SECRET")
or contains(upper-case(@Image),"API_KEY") or contains(upper-case(@Image),"ACCESS_KEY") or contains(upper-case(@Image),"ACCESS_TOKEN")
or contains(upper-case(@Image),"API-KEY")
]
]]>
</value>
</property>
</properties>
</rule>
<!--LimitPermissionSetAssignment-->
<rule language="apex" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/LimitPermissionSetAssignment.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="LimitPermissionSetAssignment" message="Ensure that DML operations against PermissionSetAssignment use trusted input.">
<description>Detects usage of PermissionSetAssignment. Use caution when allowing DML operations against the PermissionSetAssignment object.</description>
<priority>2</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
//*[local-name()="VariableDeclaration" or local-name() = "AssignmentExpression"]//*
[local-name()="NewKeyValueObjectExpression" or
local-name() = "NewListInitExpression" or
local-name() = "NewObjectExpression"
]
[@*
[local-name()="Type"
and
(upper-case(.)=upper-case("PermissionSetAssignment") or upper-case(.)=upper-case("List<PermissionSetAssignment>"))
]
]
/
ancestor::*[local-name()="VariableDeclaration" or local-name()="AssignmentExpression"]
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidChangeProtection-->
<rule language="apex" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidChangeProtection.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidChangeProtection" message="Update your code to avoid using FeatureManagement.changeProtection.">
<description>Detects potential misuse of FeatureManagement.changeProtection.</description>
<priority>2</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
//MethodCallExpression[
lower-case(@FullMethodName)=lower-case("FeatureManagement.changeProtection") or
lower-case(@FullMethodName)=lower-case("System.FeatureManagement.changeProtection")
]/child::*[4][local-name()!="LiteralExpression"]
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidUnauthorizedApiSessionIdInApex-->
<rule language="apex" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnauthorizedApiSessionIdInApex" message="Use of API.Session_ID might not be authorized." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdInApex.md">
<description>Detects use of Api.Session_ID to retrieve a session ID.</description>
<priority>2</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
//LiteralExpression[
contains(upper-case(@Image),upper-case("{!API.Session_ID}"))
]
]]>
</value>
</property>
</properties>
</rule>
<!-- VISUALFORCE RULES -->
<!--AvoidUnauthorizedGetSessionIdInVisualforce-->
<rule language="vf" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnauthorizedGetSessionIdInVisualforce" message="Use of session ID with GETSESSIONID is not authorized." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnauthorizedGetSessionIdInVisualforce.md">
<!--
TBD: Add extUrlInfo
Add links to OAuth Workflows
-->
<description>Detects use of GETSESSIONID() to retrieve a session ID in Visualforce code.</description>
<priority>2</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<!--
Note: Don't be alarmed by the use of /Arguments
This is done to avoid situations like this:
var a="{!GETSESSIONID}";
juse in case there is controller var that can be exposed this this
Use of /Arguments ensures that this is actually method call to GETSESSIONID
-->
<![CDATA[
//Expression/Identifier[upper-case(@Image)="GETSESSIONID"]/parent::Expression/Arguments/parent::Expression
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidUnauthorizedApiSessionIdVisualforce-->
<rule language="vf" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnauthorizedApiSessionIdVisualforce" message="Retrieval of session ID using API.Session_ID is not authorized." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdVisualforce.md">
<!--
TBD: Add extUrlInfo
Add links to OAuth Workflows
-->
<description>Detects use of Api.Session_ID to retrieve a session ID in Visualforce code.</description>
<priority>3</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<!--
Ideally should use ancestor::Expression instead of ../..
But, not sure if there is an ancestor somewhere that is also an Expression
-->
<![CDATA[
//Expression/Identifier[upper-case(@Image)="$API"]/parent::Expression/
DotExpression/Identifier[upper-case(@Image)="SESSION_ID"]/parent::DotExpression/parent::Expression
]]>
</value>
</property>
</properties>
</rule>
<!-- JAVASCRIPT -->
<!--AvoidLwcBubblesComposedTrue-->
<rule language="ecmascript" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidLwcBubblesComposedTrue.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidLwcBubblesComposedTrue" message="Avoid setting both Lightning Web component bubbles and composed=true at the same time.">
<description>Detects Lightning Web Component event configurations where bubbles and composed are both set to true. To avoid sharing sensitive information unintentionally, use this configuration with caution.</description>
<priority>3</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
//ObjectLiteral[
ObjectProperty/Name[@Image="bubbles"]/parent::ObjectProperty/KeywordLiteral[@Image="true"]
and
ObjectProperty/Name[@Image="composed"]/parent::ObjectProperty/KeywordLiteral[@Image="true"]
]
]]>
</value>
</property>
</properties>
</rule>
<!-- HTML -->
<!--UseLwcDomManual-->
<rule language="html" class="net.sourceforge.pmd.lang.rule.XPathRule" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/UseLwcDomManual.md" name="UseLwcDomManual" message="Protect against XSS when using lwc:dom=&quot;manual&quot;.">
<description>Detects instances of lwc:dom=&quot;manual&quot; that could allow unintentional or malicious user input. Don't allow user input on these elements.</description>
<priority>3</priority>
<example>
<![CDATA[
<template><div class="chart slds-var-m-around_medium slds-theme_default cursor" lwc:dom="manual"></div></template>
&
If template has a direct user input. Then XSS is possible.
]]>
</example>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
//*[@*[local-name()="lwc:dom" and .="manual"]]
]]>
</value>
</property>
</properties>
</rule>
<!-- Metadata XML -->
<!--AvoidLmcIsExposedTrue-->
<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidLmcIsExposedTrue" message="Use Lightning Message Channel with isExposed set to false." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidLmcIsExposedTrue.md">
<description>Detects a Lightning Message Channel with isExposed=true, which isn’t allowed in managed packages.</description>
<priority>2</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
/LightningMessageChannel/isExposed/text[@Image="true"]
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidApiSessionId-->
<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidApiSessionId" message="Session ID use is not approved." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidApiSessionId.md">
<!--
TBD: Add extUrlInfo
Add links to OAuth Workflows
-->
<description>Detects use of Api.Session_ID to retrieve a session ID.</description>
<priority>2</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
//text[
contains(upper-case(@Image),"API.SESSION_ID")
or
contains(upper-case(@Image),"GETSESSIONID")
]/..
]]>
</value>
</property>
</properties>
</rule>
<!--UpgradeLwcLockerSecuritySupport-->
<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="UpgradeLwcLockerSecuritySupport" message="To enable Lightning Locker, update the API version to version 40 or greater." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/UpgradeLwcLockerSecuritySupport.md">
<description>Detects use of API versions with Lightning Locker disabled. Use API version 40 or greater.</description>
<priority>1</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<!--
This may not be needed; as LWC is available only from version 46!
https://developer.salesforce.com/docs/component-library/documentation/en/lwc/lwc.security_locker_api_setting
-->
<![CDATA[
/LightningComponentBundle/apiVersion/text[number(@Image) lt 40]
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidUnauthorizedApiSessionIdInFlows-->
<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnauthorizedApiSessionIdInFlows" message="$Api.Session_ID usage is not approved." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdInFlows.md">
<description>Detects use of session ID in SOAP API calls in flows.</description>
<priority>2</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
/Flow//elementReference/text[upper-case(@Image)="$API.SESSION_ID"]
]]>
</value>
</property>
</properties>
</rule>
<!--UseHttpsCallbackUrl-->
<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="UseHttpsCallbackUrl" message="Update to secure Oauth callback URL over HTTPS." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/UseHttpsCallbackUrl.md">
<description>Detects instances of an OAuth callback URL that uses HTTP. Use HTTPS instead.</description>
<priority>3</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
/ConnectedApp/oauthConfig/callbackUrl/text[contains(lower-case(@Image),"http://")]
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidJsLinksInCustomObject-->
<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidJsLinksInCustomObject" message="Avoid clickable JavaScript-style URLs." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidJsLinksInCustomObject.md">
<description>Detects instances of JavaScript-style URLs (javascript:) in Salesforce DOM components, such as web links and buttons. Avoid JavaScript-style URLs in managed packages.</description>
<priority>1</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
/CustomObject//url/text[contains(upper-case(@Image),"JAVASCRIPT:")]/..
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidJavaScriptWeblink-->
<rule language="xml" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidJavaScriptWeblink.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidJavaScriptWeblink" message="Avoid using JavaScript in web links.">
<description>Detects use of custom JavaScript actions in web links.</description>
<priority>2</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
/CustomPageWebLink/openType/text[@Image="onClickJavaScript"]/..
]]>
</value>
</property>
</properties>
</rule>
<!--LimitConnectedAppScope-->
<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="LimitConnectedAppScope" message="Update the connected app request to limited scope instead of full scope." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/LimitConnectedAppScope.md">
<description>Detects if a connected app uses full scope. Explain this use case in your AppExchange security review submission.</description>
<priority>3</priority>
<!--
TBD: What if the developer chooses ALL the scopes instead of just full??
Create an issue for this
-->
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
/ConnectedApp/oauthConfig/scopes/text[upper-case(@Image)="FULL"]
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidSystemModeInFlows-->
<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidSystemModeInFlows.md" name="AvoidSystemModeInFlows" message="Reconfigure to avoid running flows in system mode.">
<description>Detects where default mode must be used in flows instead of system mode.</description>
<priority>3</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
(/Flow/runInMode/text[@Image="SystemModeWithoutSharing"] | /Flow/runInMode/text[@Image="SystemModeWithSharing"])
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidJavaScriptHomePageComponent-->
<rule language="xml" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidJavaScriptHomePageComponent.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidJavaScriptHomePageComponent" message="Avoid JavaScript in a home page component body.">
<description>Detects use of custom JavaScript actions in home page components.</description>
<priority>2</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
/HomePageComponent/body/text[contains(upper-case(@Image),upper-case('<script '))
or
contains(upper-case(@Image),upper-case('javascript:'))
]
]]>
</value>
</property>
</properties>
</rule>
<!--ProtectSensitiveData-->
<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/ProtectSensitiveData.md" name="ProtectSensitiveData" message="To store secrets, use Protected Custom settings or Protected Custom metadata.">
<description>Detects where sensitive data must be stored with Protected Custom metadata or Protected Custom settings.</description>
<priority>3</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
(
//CustomObject/visibility/text[@Image="Public"]
/ancestor::CustomObject/customSettingsType/ancestor::CustomObject/fields/fullName/text
[contains(upper-case(@Image), "KEY") or contains(upper-case(@Image),"ACCESSKEY") or
contains(upper-case(@Image),"PASS") or contains(upper-case(@Image),"PASSWORD") or contains(upper-case(@Image),"ENCRYPT") or
contains(upper-case(@Image),"TOKEN") or contains(upper-case(@Image),"SECRET") or contains(upper-case(@Image),"HASH")]
)
|
(
//CustomObject/visibility/text[@Image="Public"]
/ancestor::CustomObject/fields/fullName/text
[contains(upper-case(@Image),"KEY") or contains(upper-case(@Image),"ACCESSKEY") or
contains(upper-case(@Image),"PASS") or contains(upper-case(@Image),"PASSWORD") or contains(upper-case(@Image),"ENCRYPT") or
contains(upper-case(@Image),"TOKEN") or contains(upper-case(@Image),"SECRET") or contains(upper-case(@Image),"HASH")]
)
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidJsLinksInWebLinks-->
<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidJsLinksInWebLinks" message="Avoid clickable JavaScript-style URLs." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidJsLinksInWebLinks.md">
<description>Detects instances of JavaScript-style URLs (javascript:) in Salesforce DOM components, such as web links and buttons. Avoid JavaScript-style URLs in managed packages.</description>
<priority>1</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
/CustomPageWebLink/url/text[contains(upper-case(@Image),"JAVASCRIPT:")]/..
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidJavaScriptCustomRule-->
<rule language="xml" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidJavaScriptCustomRule.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidJavaScriptCustomRule" message="Avoid using JavaScript to execute custom button actions.">
<description>Detects use of custom JavaScript actions in custom rules.</description>
<priority>2</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
/CustomObject/webLinks/openType/text[@Image="onClickJavaScript"]/..
]]>
</value>
</property>
</properties>
</rule>
<!--AvoidAuraWithLockerDisabled-->
<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidAuraWithLockerDisabled" message="To enable Lightning Locker, update the apiVersion to version 40 or greater." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidAuraWithLockerDisabled.md">
<description>Detects use of API versions with Lightning Locker disabled in Aura components. Use API version 40 or greater.</description>
<priority>1</priority>
<properties>
<property name="version" value="2.0"/>
<property name="xpath">
<value>
<![CDATA[
/AuraDefinitionBundle/apiVersion/text[number(@Image) lt 40]
]]>
</value>
</property>
</properties>
</rule>
</ruleset>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment