Custom XPath Rules provided as special Security Scanner engine 'pmd-appexchange' from v.3.20

sfdx-scanner-appexchange-ruleset.xml

<ruleset name="AppExchange Security Review v.3.20" xmlns="http://pmd.sourceforge.net/ruleset/2.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">
	<description>
        Custom XPath Rules provided as special Security Scanner engine 'pmd-appexchange' from v.3.20
        Decompiled with https://jdec.app/ from Java libs from https://github.com/forcedotcom/sfdx-scanner/tree/dev/pmd-appexchange/lib
    </description>
	
    <!-- APEX RULES -->

    <!--AvoidUnsafeSystemSetPassword-->
	<rule language="apex" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnsafeSystemSetPassword" message="Before calling System.setPassword() in Apex, perform necessary authorization checks." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnsafeSystemSetPassword.md">
		<description>Detects where System.setPassword() exists in Apex code. Use this method with caution.</description>
		<priority>1</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
						//MethodCallExpression[
                            lower-case(@FullMethodName) = lower-case("System.setPassword") or 
                            lower-case(@FullMethodName) = lower-case("setPassword")
					    ]
					]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidCallingSystemResetPasswordWithEmailTemplate-->
	<rule language="apex" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidCallingSystemResetPasswordWithEmailTemplate" message="Before calling System.resetPasswordWithEmailTemplate(), perform the necessary authorization checks." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidCallingSystemResetPasswordWithEmailTemplate.md">
		<description>Detects where System.resetPasswordWithEmailTemplate() exists in Apex code. Use this method with caution.</description>
		<priority>1</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
					//MethodCallExpression[
						lower-case(@FullMethodName) = lower-case("System.resetPasswordWithEmailTemplate") or 
						lower-case(@FullMethodName) = lower-case("resetPasswordWithEmailTemplate")
					]
				]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidUnsafeSystemMovePassword-->
	<rule language="apex" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnsafeSystemMovePassword.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnsafeSystemMovePassword" message="Before calling System.movePassword(), perform the necessary authorization checks.">
		<description>Detects where System.movePassword() is used in Apex code. Use this method with caution.</description>
		<priority>1</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
					//MethodCallExpression[
						lower-case(@FullMethodName) = lower-case("System.movePassword") or 
						lower-case(@FullMethodName) = lower-case("movePassword")
					]
					]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidChangeProtectionUnprotected-->
	<rule language="apex" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidChangeProtectionUnprotected.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidChangeProtectionUnprotected" message="Update your code to avoid using FeatureManagement.changeProtection called by an UnProtected argument.">
		<!-- TBD
        May be use only one rule? "SFCustom-DangerousMethod-changeProtection"
        -->
		<description>Detects potential misuse of FeatureManagement.changeProtection.</description>
		<priority>1</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
					//MethodCallExpression[
                        lower-case(@FullMethodName)=lower-case("FeatureManagement.changeProtection") or 
                        lower-case(@FullMethodName)=lower-case("System.FeatureManagement.changeProtection")
					]
					//LiteralExpression[lower-case(@Image)=lower-case("Unprotected")]//ancestor::MethodCallExpression
					]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidUnauthorizedGetSessionIdInApex-->
	<rule language="apex" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnauthorizedGetSessionIdInApex" message="Use of UserInfo.getSessionId might not be authorized." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnauthorizedGetSessionIdInApex.md">
		<!--
		TBD: Add extUrlInfo
		Add links to OAuth Workflows
	-->
		<description>Detects use of UserInfo.getSessionId() to retrieve a session ID.</description>
		<priority>3</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
					//MethodCallExpression[upper-case(@FullMethodName)="SYSTEM.USERINFO.GETSESSIONID" 
					    or upper-case(@FullMethodName) = "USERINFO.GETSESSIONID"
					]
					]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidUnsafeSystemResetPassword-->
	<rule language="apex" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnsafeSystemResetPassword" message="Before calling System.resetPassword(), perform the necessary authorization checks." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnsafeSystemResetPassword.md">
		<description>Detects where System.resetPassword() exists in Apex code. Use this method with caution.</description>
		<priority>1</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
					//MethodCallExpression[
                        lower-case(@FullMethodName) = lower-case("System.resetPassword") or 
                        lower-case(@FullMethodName) = lower-case("resetPassword")
					]
					]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidWithoutSharingInRestApiController-->
	<rule language="apex" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidWithoutSharingInRestApiController" message="Use &quot;with sharing&quot; in Apex classes with the @RestResource annotation." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidWithoutSharingInRestApiController.md">
		<description>Detects use of &quot;without sharing&quot; in an Apex class exposed with the @RestResource annotation.</description>
		<priority>2</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
					if (./ModifierNode/Annotation[@Image = "RestResource"])
					then
						./ModifierNode[@WithSharing = false() and @InheritedSharing = false()]
					else
						false
					]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidHardcodedCredentials-->
	<rule language="apex" class="net.sourceforge.pmd.lang.rule.XPathRule" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidHardcodedCredentials.md" name="AvoidHardcodedCredentials" message="Remove hard-coded credentials from source code.">
		<description>Identifies hard-coded credentials in source code that must be protected using Protected Custom metadata or Protected Custom settings.</description>
		<priority>3</priority>
		
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<!--
						Intentionally ignored others in the //LiteralExpression query
					-->
					<![CDATA[
                    //VariableDeclaration[
                    (upper-case(@Image)="KEY") or (upper-case(@Image)="ACCESSKEY") or (upper-case(@Image)="APIKEY") or
                    (upper-case(@Image)="PASS") or (upper-case(@Image)="PASSWORD") or (upper-case(@Image)="ENCRYPTION") or
                    (upper-case(@Image)="TOKEN") or (upper-case(@Image)="SECRET") or (upper-case(@Image)="HASH")
                    or (upper-case(@Image)="API_KEY") or (upper-case(@Image)="ACCESS_KEY") or (upper-case(@Image)="ACCESS_TOKEN") or
                    (upper-case(@Image)="ENC_KEY")
                    ]/LiteralExpression |
                    //VariableExpression[
                    (upper-case(@Image)="KEY") or (upper-case(@Image)="_ACCESSKEY") or (upper-case(@Image)="APIKEY") or
                    (upper-case(@Image)="PASS") or (upper-case(@Image)="PASSWORD") or (upper-case(@Image)="ENCRYPTION") or
                    (upper-case(@Image)="TOKEN") or (upper-case(@Image)="SECRET") or (upper-case(@Image)="HASH")
                    or (upper-case(@Image)="API_KEY") or (upper-case(@Image)="ACCESS_KEY") or (upper-case(@Image)="ACCESS_TOKEN") or
                    (upper-case(@Image)="ENC_KEY")
                    ]/ancestor::AssignmentExpression/LiteralExpression |
                    //VariableExpression[
                    (upper-case(@Image)="KEY") or (upper-case(@Image)="_ACCESSKEY") or (upper-case(@Image)="APIKEY") or
                    (upper-case(@Image)="PASS") or (upper-case(@Image)="PASSWORD") or (upper-case(@Image)="ENCRYPTION") or
                    (upper-case(@Image)="TOKEN") or (upper-case(@Image)="SECRET") or (upper-case(@Image)="HASH")
                    or (upper-case(@Image)="API_KEY") or (upper-case(@Image)="ACCESS_KEY") or (upper-case(@Image)="ACCESS_TOKEN") or
                    (upper-case(@Image)="ENC_KEY")
                    ] /ancestor::AssignmentExpression/TernaryExpression/LiteralExpression
                    |
                    //LiteralExpression[
                    contains(upper-case(@Image),"APIKEY") or contains(upper-case(@Image),"ACCESSKEY") or contains(upper-case(@Image),"ACCESSTOKEN")
                    or contains(upper-case(@Image),"PASSWORD") or contains(upper-case(@Image),"SECRET")
                    or contains(upper-case(@Image),"API_KEY") or contains(upper-case(@Image),"ACCESS_KEY") or contains(upper-case(@Image),"ACCESS_TOKEN") 
                    or contains(upper-case(@Image),"API-KEY")
                    ]
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--LimitPermissionSetAssignment-->
	<rule language="apex" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/LimitPermissionSetAssignment.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="LimitPermissionSetAssignment" message="Ensure that DML operations against PermissionSetAssignment use trusted input.">
		<description>Detects usage of PermissionSetAssignment. Use caution when allowing DML operations against the PermissionSetAssignment object.</description>
		<priority>2</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
					//*[local-name()="VariableDeclaration" or local-name() = "AssignmentExpression"]//*
					[local-name()="NewKeyValueObjectExpression" or
					local-name() = "NewListInitExpression" or
					local-name()  = "NewObjectExpression"
					]
					[@*
					[local-name()="Type"
					and
					(upper-case(.)=upper-case("PermissionSetAssignment") or upper-case(.)=upper-case("List<PermissionSetAssignment>"))
					]
					]
					/
					ancestor::*[local-name()="VariableDeclaration" or local-name()="AssignmentExpression"]
					]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidChangeProtection-->
	<rule language="apex" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidChangeProtection.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidChangeProtection" message="Update your code to avoid using FeatureManagement.changeProtection.">
		<description>Detects potential misuse of FeatureManagement.changeProtection.</description>
		<priority>2</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
					//MethodCallExpression[
						lower-case(@FullMethodName)=lower-case("FeatureManagement.changeProtection") or 
						lower-case(@FullMethodName)=lower-case("System.FeatureManagement.changeProtection")
						]/child::*[4][local-name()!="LiteralExpression"]
					]]>
				</value>
			</property>
		</properties>
	</rule>
	
	<!--AvoidUnauthorizedApiSessionIdInApex-->
	<rule language="apex" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnauthorizedApiSessionIdInApex" message="Use of API.Session_ID might not be authorized." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdInApex.md">
		<description>Detects use of Api.Session_ID to retrieve a session ID.</description>
		<priority>2</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
					//LiteralExpression[
					    contains(upper-case(@Image),upper-case("{!API.Session_ID}"))
					]
					]]>
				</value>
			</property>
		</properties>
	</rule>

    <!-- VISUALFORCE RULES -->

    <!--AvoidUnauthorizedGetSessionIdInVisualforce-->
    <rule language="vf" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnauthorizedGetSessionIdInVisualforce" message="Use of session ID with GETSESSIONID is not authorized." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnauthorizedGetSessionIdInVisualforce.md">
        <!--
            TBD: Add extUrlInfo
            Add links to OAuth Workflows
        -->
        <description>Detects use of GETSESSIONID() to retrieve a session ID in Visualforce code.</description>
        <priority>2</priority>
        <properties>
            <property name="version" value="2.0"/>
            <property name="xpath">
                <value>
                    <!--
                        Note: Don't be alarmed by the use of /Arguments
                        This is done to avoid situations like this:
                        var a="{!GETSESSIONID}";
                        juse in case there is controller var that can be exposed this this
                        Use of /Arguments ensures that this is actually method call to GETSESSIONID
                    -->
                    <![CDATA[
                    //Expression/Identifier[upper-case(@Image)="GETSESSIONID"]/parent::Expression/Arguments/parent::Expression
                    ]]>
                </value>
            </property>
        </properties>
    </rule>

    <!--AvoidUnauthorizedApiSessionIdVisualforce-->
    <rule language="vf" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnauthorizedApiSessionIdVisualforce" message="Retrieval of session ID using API.Session_ID is not authorized." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdVisualforce.md">
        <!--
        TBD: Add extUrlInfo
        Add links to OAuth Workflows
        -->
        <description>Detects use of Api.Session_ID to retrieve a session ID in Visualforce code.</description>
        <priority>3</priority>
        <properties>
            <property name="version" value="2.0"/>
            <property name="xpath">
                <value>
                    <!--
                    Ideally should use ancestor::Expression instead of ../..
                        But, not sure if there is an ancestor somewhere that is also an Expression
                    -->
                    <![CDATA[
                    //Expression/Identifier[upper-case(@Image)="$API"]/parent::Expression/
                    DotExpression/Identifier[upper-case(@Image)="SESSION_ID"]/parent::DotExpression/parent::Expression 
                    ]]>
                </value>
            </property>
        </properties>
    </rule>

    <!-- JAVASCRIPT -->

    <!--AvoidLwcBubblesComposedTrue-->
	<rule language="ecmascript" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidLwcBubblesComposedTrue.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidLwcBubblesComposedTrue" message="Avoid setting both Lightning Web component bubbles and composed=true at the same time.">
		<description>Detects Lightning Web Component event configurations where bubbles and composed are both set to true. To avoid sharing sensitive information unintentionally, use this configuration with caution.</description>
		<priority>3</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                    //ObjectLiteral[
                    ObjectProperty/Name[@Image="bubbles"]/parent::ObjectProperty/KeywordLiteral[@Image="true"]
                    and
                    ObjectProperty/Name[@Image="composed"]/parent::ObjectProperty/KeywordLiteral[@Image="true"]
                    ]
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

    <!-- HTML -->

    <!--UseLwcDomManual-->
	<rule language="html" class="net.sourceforge.pmd.lang.rule.XPathRule" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/UseLwcDomManual.md" name="UseLwcDomManual" message="Protect against XSS when using lwc:dom=&quot;manual&quot;.">
		<description>Detects instances of lwc:dom=&quot;manual&quot; that could allow unintentional or malicious user input. Don't allow user input on these elements.</description>
		<priority>3</priority>
		<example>
			<![CDATA[
            <template><div class="chart slds-var-m-around_medium slds-theme_default cursor" lwc:dom="manual"></div></template>

            & 
            If template has a direct user input. Then XSS is possible.
            ]]>
		</example>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                    //*[@*[local-name()="lwc:dom" and .="manual"]]
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

    <!-- Metadata XML -->

	<!--AvoidLmcIsExposedTrue-->
	<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidLmcIsExposedTrue" message="Use Lightning Message Channel with isExposed set to false." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidLmcIsExposedTrue.md">
		<description>Detects a Lightning Message Channel with isExposed=true, which isn’t allowed in managed packages.</description>
		<priority>2</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                        /LightningMessageChannel/isExposed/text[@Image="true"]
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidApiSessionId-->
	<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidApiSessionId" message="Session ID use is not approved." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidApiSessionId.md">
		<!--
		TBD: Add extUrlInfo
		Add links to OAuth Workflows
	-->
		<description>Detects use of Api.Session_ID to retrieve a session ID.</description>
		<priority>2</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                    //text[
                    contains(upper-case(@Image),"API.SESSION_ID")
                    or
                    contains(upper-case(@Image),"GETSESSIONID")
                    ]/..
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--UpgradeLwcLockerSecuritySupport-->
	<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="UpgradeLwcLockerSecuritySupport" message="To enable Lightning Locker, update the API version to version 40 or greater." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/UpgradeLwcLockerSecuritySupport.md">
		<description>Detects use of API versions with Lightning Locker disabled. Use API version 40 or greater.</description>
		<priority>1</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<!--
       This may not be needed; as LWC is available only from version 46!
       https://developer.salesforce.com/docs/component-library/documentation/en/lwc/lwc.security_locker_api_setting
       -->
					<![CDATA[
                    /LightningComponentBundle/apiVersion/text[number(@Image) lt 40]
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidUnauthorizedApiSessionIdInFlows-->
	<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidUnauthorizedApiSessionIdInFlows" message="$Api.Session_ID usage is not approved." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdInFlows.md">
		<description>Detects use of session ID in SOAP API calls in flows.</description>
		<priority>2</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                    /Flow//elementReference/text[upper-case(@Image)="$API.SESSION_ID"]
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--UseHttpsCallbackUrl-->
	<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="UseHttpsCallbackUrl" message="Update to secure Oauth callback URL over HTTPS." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/UseHttpsCallbackUrl.md">
		<description>Detects instances of an OAuth callback URL that uses HTTP. Use HTTPS instead.</description>
		<priority>3</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                    /ConnectedApp/oauthConfig/callbackUrl/text[contains(lower-case(@Image),"http://")]
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidJsLinksInCustomObject-->
	<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidJsLinksInCustomObject" message="Avoid clickable JavaScript-style URLs." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidJsLinksInCustomObject.md">
		<description>Detects instances of JavaScript-style URLs (javascript:) in Salesforce DOM components, such as web links and buttons. Avoid JavaScript-style URLs in managed packages.</description>
		<priority>1</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                    /CustomObject//url/text[contains(upper-case(@Image),"JAVASCRIPT:")]/..
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidJavaScriptWeblink-->
	<rule language="xml" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidJavaScriptWeblink.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidJavaScriptWeblink" message="Avoid using JavaScript in web links.">
		<description>Detects use of custom JavaScript actions in web links.</description>
		<priority>2</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                    /CustomPageWebLink/openType/text[@Image="onClickJavaScript"]/..
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--LimitConnectedAppScope-->
	<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="LimitConnectedAppScope" message="Update the connected app request to limited scope instead of full scope." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/LimitConnectedAppScope.md">
		<description>Detects if a connected app uses full scope. Explain this use case in your AppExchange security review submission.</description>
		<priority>3</priority>
		<!--
	   TBD: What if the developer chooses ALL the scopes instead of just full??
	   Create an issue for this
	   -->
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                    /ConnectedApp/oauthConfig/scopes/text[upper-case(@Image)="FULL"]
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidSystemModeInFlows-->
	<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidSystemModeInFlows.md" name="AvoidSystemModeInFlows" message="Reconfigure to avoid running flows in system mode.">
		<description>Detects where default mode must be used in flows instead of system mode.</description>
		<priority>3</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                    (/Flow/runInMode/text[@Image="SystemModeWithoutSharing"] | /Flow/runInMode/text[@Image="SystemModeWithSharing"])
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidJavaScriptHomePageComponent-->
	<rule language="xml" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidJavaScriptHomePageComponent.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidJavaScriptHomePageComponent" message="Avoid JavaScript in a home page component body.">
		<description>Detects use of custom JavaScript actions in home page components.</description>
		<priority>2</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                    /HomePageComponent/body/text[contains(upper-case(@Image),upper-case('<script '))
                    or
                    contains(upper-case(@Image),upper-case('javascript:'))
                    ]
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--ProtectSensitiveData-->
	<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/ProtectSensitiveData.md" name="ProtectSensitiveData" message="To store secrets, use Protected Custom settings or Protected Custom metadata.">
		<description>Detects where sensitive data must be stored with Protected Custom metadata or Protected Custom settings.</description>
		<priority>3</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                    (
                        //CustomObject/visibility/text[@Image="Public"]
                        /ancestor::CustomObject/customSettingsType/ancestor::CustomObject/fields/fullName/text
                        [contains(upper-case(@Image), "KEY") or contains(upper-case(@Image),"ACCESSKEY")  or
                        contains(upper-case(@Image),"PASS") or contains(upper-case(@Image),"PASSWORD") or contains(upper-case(@Image),"ENCRYPT") or
                        contains(upper-case(@Image),"TOKEN") or contains(upper-case(@Image),"SECRET") or contains(upper-case(@Image),"HASH")]
                    ) 
                    |
                    (
                        //CustomObject/visibility/text[@Image="Public"]
                        /ancestor::CustomObject/fields/fullName/text
                        [contains(upper-case(@Image),"KEY") or contains(upper-case(@Image),"ACCESSKEY") or
                        contains(upper-case(@Image),"PASS") or contains(upper-case(@Image),"PASSWORD") or contains(upper-case(@Image),"ENCRYPT") or
                        contains(upper-case(@Image),"TOKEN") or contains(upper-case(@Image),"SECRET") or contains(upper-case(@Image),"HASH")]
                    )
                    ]]>
				</value>
			</property>
		</properties>
	</rule>
    
	<!--AvoidJsLinksInWebLinks-->
	<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidJsLinksInWebLinks" message="Avoid clickable JavaScript-style URLs." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidJsLinksInWebLinks.md">
		<description>Detects instances of JavaScript-style URLs (javascript:) in Salesforce DOM components, such as web links and buttons. Avoid JavaScript-style URLs in managed packages.</description>
		<priority>1</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                    /CustomPageWebLink/url/text[contains(upper-case(@Image),"JAVASCRIPT:")]/..
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidJavaScriptCustomRule-->
	<rule language="xml" externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidJavaScriptCustomRule.md" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidJavaScriptCustomRule" message="Avoid using JavaScript to execute custom button actions.">
		<description>Detects use of custom JavaScript actions in custom rules.</description>
		<priority>2</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                        /CustomObject/webLinks/openType/text[@Image="onClickJavaScript"]/..
                    ]]>
				</value>
			</property>
		</properties>
	</rule>

	<!--AvoidAuraWithLockerDisabled-->
	<rule language="xml" class="net.sourceforge.pmd.lang.rule.XPathRule" name="AvoidAuraWithLockerDisabled" message="To enable Lightning Locker, update the apiVersion to version 40 or greater." externalInfoUrl="https://github.com/forcedotcom/sfdx-scanner/blob/dev/pmd-appexchange/docs/AvoidAuraWithLockerDisabled.md">
		<description>Detects use of API versions with Lightning Locker disabled in Aura components. Use API version 40 or greater.</description>
		<priority>1</priority>
		<properties>
			<property name="version" value="2.0"/>
			<property name="xpath">
				<value>
					<![CDATA[
                        /AuraDefinitionBundle/apiVersion/text[number(@Image) lt 40]
                    ]]>
				</value>
			</property>
		</properties>
	</rule>
</ruleset>