Skip to content

Instantly share code, notes, and snippets.

@shanerk

shanerk/apex_checkmarx_ruleset.xml

Created October 21, 2020 20:22
Show Gist options
  • Save shanerk/b397646c37b0849c3a8b3473768c4d95 to your computer and use it in GitHub Desktop.
Save shanerk/b397646c37b0849c3a8b3473768c4d95 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
apex_checkmarx_ruleset.xml
<?xml version="1.0" encoding="UTF-8"?>
<ruleset xmlns="http://pmd.sourceforge.net/ruleset/2.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Default ruleset used by the CodeClimate Engine for Salesforce.com Apex" xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd">
<description>Default ruleset used by the Code Climate Engine for Salesforce.com Apex</description>
<exclude-pattern>.*/.sfdx/.*</exclude-pattern>
<!-- COMPLEXITY
<rule ref="category/apex/design.xml/ExcessiveClassLength" message="Avoid really long classes (lines of code)">
<priority>3</priority>
<properties>
<property name="minimum" value="1000" />
</properties>
</rule>
<rule ref="category/apex/design.xml/ExcessiveParameterList" message="Avoid long parameter lists">
<priority>3</priority>
<properties>
<property name="minimum" value="4" />
</properties>
</rule>
<rule ref="category/apex/design.xml/ExcessivePublicCount" message="This class has too many public methods and attributes">
<priority>3</priority>
<properties>
<property name="minimum" value="25" />
</properties>
</rule>
<rule ref="category/apex/design.xml/NcssConstructorCount" message="The constructor has an NCSS line count of {0}">
<priority>3</priority>
<properties>
<property name="minimum" value="20" />
</properties>
</rule>
<rule ref="category/apex/design.xml/NcssMethodCount" message="The method {0}() has an NCSS line count of {1}">
<priority>3</priority>
<properties>
<property name="minimum" value="60" />
</properties>
</rule>
<rule ref="category/apex/design.xml/NcssTypeCount" message="The type has an NCSS line count of {0}">
<priority>3</priority>
<properties>
<property name="minimum" value="700" />
</properties>
</rule>
<rule ref="category/apex/design.xml/TooManyFields" message="Too many fields">
<priority>3</priority>
<properties>
<property name="maxfields" value="20" />
</properties>
</rule>
<rule ref="category/apex/design.xml/AvoidDeeplyNestedIfStmts" message="Deeply nested if..else statements are hard to read">
<priority>3</priority>
<properties>
<property name="problemDepth" value="4" />
</properties>
</rule>
<rule ref="category/apex/design.xml/CognitiveComplexity">
<properties>
<property name="classReportLevel" value="50" />
<property name="methodReportLevel" value="15" />
</properties>
</rule>
-->
<!-- PERFORMANCE -->
<rule ref="category/apex/performance.xml/AvoidSoqlInLoops" message="Avoid Soql queries inside loops">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/performance.xml/AvoidSoslInLoops" message="Avoid Sosl queries inside loops">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/performance.xml/AvoidDmlStatementsInLoops" message="Avoid DML Statements inside loops">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/errorprone.xml/AvoidDirectAccessTriggerMap" message="Avoid directly accessing Trigger.old and Trigger.new">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/bestpractices.xml/AvoidLogicInTrigger" message="Avoid logic in triggers">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/bestpractices.xml/AvoidGlobalModifier" message="Avoid using global modifier">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/errorprone.xml/AvoidNonExistentAnnotations">
<properties>
</properties>
</rule>
<rule ref="category/apex/errorprone.xml/AvoidHardcodingId" message="Avoid hardcoding ID's">
<priority>3</priority>
<properties>
</properties>
</rule>
<!-- NAMING
<rule ref="category/apex/codestyle.xml/ClassNamingConventions" message="Class names should begin with an uppercase character">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/codestyle.xml/MethodNamingConventions" message="Method name does not begin with a lower case character.">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/errorprone.xml/MethodWithSameNameAsEnclosingClass" message="Classes should not have non-constructor methods with the same name as the class">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/codestyle.xml/VariableNamingConventions" message="{0} variable {1} should begin with {2}">
<priority>3</priority>
<properties>
</properties>
</rule>
-->
<!-- TESTS -->
<!--
<rule ref="category/apex/bestpractices.xml/ApexAssertionsShouldIncludeMessage">
<priority>4</priority>
</rule>
<rule ref="category/apex/bestpractices.xml/ApexUnitTestMethodShouldHaveIsTestAnnotation" >
<priority>4</priority>
</rule>
-->
<rule ref="category/apex/bestpractices.xml/ApexUnitTestClassShouldHaveAsserts" message="Apex unit test classes should have at least one System.assert() or assertEquals() or AssertNotEquals() call">
<priority>3</priority>
<properties>
</properties>
</rule>
<!--
<rule ref="category/apex/bestpractices.xml/ApexUnitTestShouldNotUseSeeAllDataTrue" message="@isTest(seeAllData=true) should not be used in Apex unit tests because it opens up the existing database data for unexpected modification by tests">
<priority>3</priority>
<properties>
</properties>
</rule>
-->
<!-- SECURITY -->
<rule ref="category/apex/security.xml/ApexSharingViolations" message="Apex classes should declare a sharing model if DML or SOQL is used">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/security.xml/ApexInsecureEndpoint" message="Apex callouts should use encrypted communication channels">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/security.xml/ApexCSRF" message="Avoid making DML operations in Apex class constructor/init method">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/security.xml/ApexOpenRedirect" message="Apex classes should safely redirect to a known location">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/security.xml/ApexSOQLInjection" message="Apex classes should escape variables merged in DML query">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/security.xml/ApexXSSFromURLParam" message="Apex classes should escape Strings obtained from URL parameters">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/security.xml/ApexXSSFromEscapeFalse" message="Apex classes should escape addError strings">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/security.xml/ApexBadCrypto" message="Apex Crypto should use random IV/key">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/security.xml/ApexCRUDViolation" message="Validate CRUD permission before SOQL/DML operation">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/security.xml/ApexDangerousMethods" message="Calling potentially dangerous method">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/security.xml/ApexSuggestUsingNamedCred" message="Consider using named credentials for authenticated callouts">
<priority>3</priority>
<properties>
</properties>
</rule>
<!-- BRACES -->
<!--
<rule ref="category/apex/codestyle.xml/IfStmtsMustUseBraces" message="Avoid using if statements without curly braces">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/codestyle.xml/WhileLoopsMustUseBraces" message="Avoid using 'while' statements without curly braces">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/codestyle.xml/IfElseStmtsMustUseBraces" message="Avoid using 'if...else' statements without curly braces">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/codestyle.xml/ForLoopsMustUseBraces" message="Avoid using 'for' statements without curly braces">
<priority>3</priority>
<properties>
</properties>
</rule>
-->
<!-- EMPTY -->
<!--
<rule ref="category/apex/errorprone.xml/EmptyCatchBlock" message="Avoid empty catch blocks">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/errorprone.xml/EmptyIfStmt" message="Avoid empty 'if' statements">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/errorprone.xml/EmptyWhileStmt" message="Avoid empty 'while' statements">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/errorprone.xml/EmptyTryOrFinallyBlock" message="Avoid empty try or finally blocks">
<priority>3</priority>
<properties>
</properties>
</rule>
<rule ref="category/apex/errorprone.xml/EmptyStatementBlock" message="Avoid empty block statements.">
<priority>3</priority>
<properties>
</properties>
</rule>
-->
<!-- STYLE -->
<!--
<rule ref="category/apex/codestyle.xml/OneDeclarationPerLine">
<priority>3</priority>
<properties>
</properties>
</rule>
-->
<!-- Visual Force -->
<rule ref="category/vf/security.xml/VfCsrf" >
<priority>3</priority>
</rule>
<rule ref="category/vf/security.xml/VfUnescapeEl" >
<priority>3</priority>
</rule>
</ruleset>
@shanerk
Copy link
Author

shanerk commented Oct 21, 2020

I've commented out all the rules that are not relevant to Checkmarx and therefore not require for security review. The list of included rules are as follows:

  • DML statements inside loops
  • SOQL/SOSL inside loops
  • Hardcoding Trigger.new[0]
  • Hardcoding Trigger.old[0]
  • Queries with no Where clause or no LIMIT clause
  • Not bulkifying apex methods
  • Async (@future) methods inside loops
  • Hardcoding IDs
  • Multiple triggers on same object
  • Static Resource referencing
  • Multiple Visualforce forms in the same page
  • Test methods without assert

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment