Introducing the PMD Source Scan Extension (VSCode Add-on)

Hello everyone! Have you ever had the source of a Salesforce Apex + Visualforce application scanned? The outsourcing fee for a scan plus remediation depends on the number of source lines ("steps"), but in my experience placing such an order has cost roughly 2 million yen or more.

When you build a product or a custom project on the Salesforce platform, the source code has to be fixed to meet Salesforce's security requirements. Note that before a product can be published on AppExchange it must go through the security review process, and it cannot be published unless it passes the security assessment.

This post covers two topics:

1. How security scanning has traditionally been handled in Salesforce app development
2. A free security scanning add-on

1. How security scanning has traditionally been handled in Salesforce app development

Traditionally, whenever you wanted to scan Apex + Visualforce source, you could do so at one of the following two sites:

* [The standard Salesforce + Checkmarx alliance site](https://security.secure.force.com/security/tools/forcecom/scanner)

Per company (tracked by the business e-mail domain tied to the Salesforce account being scanned), you can scan 360,000 lines ("steps") of code per year. If you exceed 360,000 lines and want to keep using the service, you need to buy a paid license.

* [The partner security scan site](https://security.secure.force.com/sourcescanner/)

This is a partner site, so only Salesforce ISV partners can access it. You log in with a packaging org account and run the scan from there. It can scan not only the Salesforce source but also the source of the systems the app integrates with. Be aware, however, that it allows only three scans per package, which matters because a large development rarely gets through security scanning in a single scan-and-fix pass.

2. A free security scanning add-on

Recently I started trying the PMD source scan extension (add-on) for VSCode, so let me introduce it here.

The 48 rules in the default ruleset shown below are all enabled when the add-on is installed. If there are rules you do not want applied (for example the code style or source documentation rules), you can create a custom rule definition file and narrow the scan scope to the rules you care about.

a) The default rule file (XML format)

<?xml version="1.0" encoding="UTF-8"?>
<ruleset xmlns="http://pmd.sourceforge.net/ruleset/2.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Default ruleset used by the CodeClimate Engine for Salesforce.com Apex" xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd">
   <description>Default ruleset used by the Code Climate Engine for Salesforce.com Apex</description>

   <!-- COMPLEXITY -->
   <rule ref="category/apex/design.xml/ExcessiveClassLength" message="Avoid really long classes (lines of code)">
      <priority>3</priority>
      <properties>
         <property name="minimum" value="1000" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="150" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/ExcessiveParameterList" message="Avoid long parameter lists">
      <priority>3</priority>
      <properties>
         <property name="minimum" value="4" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="50" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/ExcessivePublicCount" message="This class has too many public methods and attributes">
      <priority>3</priority>
      <properties>
         <property name="minimum" value="25" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="150" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/NcssConstructorCount" message="The constructor has an NCSS line count of {0}">
      <priority>3</priority>
      <properties>
         <property name="minimum" value="20" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="50" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/NcssMethodCount" message="The method {0}() has an NCSS line count of {1}">
      <priority>3</priority>
      <properties>
         <property name="minimum" value="60" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="50" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/NcssTypeCount" message="The type has an NCSS line count of {0}">
      <priority>3</priority>
      <properties>
         <property name="minimum" value="700" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="250" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/StdCyclomaticComplexity" message="The {0} ''{1}'' has a Standard Cyclomatic Complexity of {2}.">
      <priority>3</priority>
      <properties>
         <property name="reportLevel" value="10" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="250" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/TooManyFields" message="Too many fields">
      <priority>3</priority>
      <properties>
         <property name="maxfields" value="20" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="200" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/AvoidDeeplyNestedIfStmts" message="Deeply nested if..else statements are hard to read">
      <priority>3</priority>
      <properties>
         <property name="problemDepth" value="4" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="200" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/CyclomaticComplexity">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="200" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>

   <!-- PERFORMANCE -->
   <rule ref="category/apex/performance.xml/AvoidSoqlInLoops" message="Avoid Soql queries inside loops">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Performance" />
         <property name="cc_remediation_points_multiplier" value="150" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/performance.xml/AvoidSoslInLoops" message="Avoid Sosl queries inside loops">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Performance" />
         <property name="cc_remediation_points_multiplier" value="150" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/performance.xml/AvoidDmlStatementsInLoops" message="Avoid DML Statements inside loops">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Performance" />
         <property name="cc_remediation_points_multiplier" value="150" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/errorprone.xml/AvoidDirectAccessTriggerMap" message="Avoid directly accessing Trigger.old and Trigger.new">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Performance" />
         <property name="cc_remediation_points_multiplier" value="150" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/bestpractices.xml/AvoidLogicInTrigger" message="Avoid logic in triggers">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="200" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/bestpractices.xml/AvoidGlobalModifier" message="Avoid using global modifier">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="100" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/errorprone.xml/AvoidNonExistentAnnotations">
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="100" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/errorprone.xml/AvoidHardcodingId" message="Avoid hardcoding ID's">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security"/>
         <property name="cc_remediation_points_multiplier" value="20"/>
         <property name="cc_block_highlighting" value="false"/>
      </properties>
   </rule>

   <!-- NAMING -->
   <rule ref="category/apex/codestyle.xml/ClassNamingConventions" message="Class names should begin with an uppercase character">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/codestyle.xml/MethodNamingConventions" message="Method name does not begin with a lower case character.">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="1" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/errorprone.xml/MethodWithSameNameAsEnclosingClass" message="Classes should not have non-constructor methods with the same name as the class">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="50" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/codestyle.xml/VariableNamingConventions" message="{0} variable {1} should begin with {2}">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>

   <!-- TESTS -->
   <rule ref="category/apex/bestpractices.xml/ApexUnitTestClassShouldHaveAsserts" message="Apex unit test classes should have at least one System.assert() or assertEquals() or AssertNotEquals() call">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Bug Risk" />
         <property name="cc_remediation_points_multiplier" value="100" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/bestpractices.xml/ApexUnitTestShouldNotUseSeeAllDataTrue" message="@isTest(seeAllData=true) should not be used in Apex unit tests because it opens up the existing database data for unexpected modification by tests">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Bug Risk" />
         <property name="cc_remediation_points_multiplier" value="100" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>

   <!-- SECURITY -->
   <rule ref="category/apex/security.xml/ApexSharingViolations" message="Apex classes should declare a sharing model if DML or SOQL is used">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexInsecureEndpoint" message="Apex callouts should use encrypted communication channels">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="50" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexCSRF" message="Avoid making DML operations in Apex class constructor/init method">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="100" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexOpenRedirect" message="Apex classes should safely redirect to a known location">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="50" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexSOQLInjection" message="Apex classes should escape variables merged in DML query">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="20" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexXSSFromURLParam" message="Apex classes should escape Strings obtained from URL parameters">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="20" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexXSSFromEscapeFalse" message="Apex classes should escape addError strings">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="20" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexBadCrypto" message="Apex Crypto should use random IV/key">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="50" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexCRUDViolation" message="Validate CRUD permission before SOQL/DML operation">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security"/>
         <property name="cc_remediation_points_multiplier" value="150"/>
         <property name="cc_block_highlighting" value="false"/>
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexDangerousMethods" message="Calling potentially dangerous method">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security"/>
         <property name="cc_remediation_points_multiplier" value="50"/>
         <property name="cc_block_highlighting" value="false"/>
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexSuggestUsingNamedCred" message="Consider using named credentials for authenticated callouts">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security"/>
         <property name="cc_remediation_points_multiplier" value="20"/>
         <property name="cc_block_highlighting" value="false"/>
      </properties>
   </rule>

   <!-- BRACES -->
   <rule ref="category/apex/codestyle.xml/IfStmtsMustUseBraces" message="Avoid using if statements without curly braces">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/codestyle.xml/WhileLoopsMustUseBraces" message="Avoid using 'while' statements without curly braces">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/codestyle.xml/IfElseStmtsMustUseBraces" message="Avoid using 'if...else' statements without curly braces">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/codestyle.xml/ForLoopsMustUseBraces" message="Avoid using 'for' statements without curly braces">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>

   <!-- EMPTY -->
   <rule ref="category/apex/errorprone.xml/EmptyCatchBlock" message="Avoid empty catch blocks">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/errorprone.xml/EmptyIfStmt" message="Avoid empty 'if' statements">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/errorprone.xml/EmptyWhileStmt" message="Avoid empty 'while' statements">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/errorprone.xml/EmptyTryOrFinallyBlock" message="Avoid empty try or finally blocks">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/errorprone.xml/EmptyStatementBlock" message="Avoid empty block statements.">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>

   <!-- STYLE -->
   <rule ref="category/apex/codestyle.xml/OneDeclarationPerLine">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>

   <!-- Visual Force -->
   <rule ref="category/vf/security.xml/VfCsrf">
      <priority>3</priority>
   </rule>

   <rule ref="category/vf/security.xml/VfUnescapeEl">
      <priority>3</priority>
   </rule>
</ruleset>
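To make the SECURITY block of the ruleset concrete, here is a constructed Visualforce controller in two versions: the first is written so that its lines match the patterns the Apex security rules look for, the second is the hardened form of the same controller. This is an added example, not code from the original post, from the add-on or from the PMD project. The custom object Audit__c, the page paths in the allow list and the parameter names are assumptions made for the example, and whether a given PMD version flags every commented line should be confirmed by actually running the scan.

```apex
// ---- File 1: AccountSearchControllerInsecure.cls (constructed, deliberately vulnerable) ----
// Each comment names the rule from the SECURITY block whose pattern the line matches.
public class AccountSearchControllerInsecure {         // ApexSharingViolations: SOQL/DML but no sharing keyword
    public String searchName { get; set; }
    public String banner { get; set; }
    public List<Account> results { get; set; }

    public AccountSearchControllerInsecure() {
        // ApexXSSFromURLParam: URL parameter stored for output without escaping
        banner = ApexPages.currentPage().getParameters().get('msg');
        // ApexCSRF: DML on page load (constructor) is reachable through a crafted GET link
        insert new Audit__c(Action__c = 'viewed');    // Audit__c is an assumed custom object
    }

    public PageReference search() {
        // ApexSOQLInjection: user input spliced into dynamic SOQL text
        // ApexCRUDViolation: no object/field-level access check before the query
        results = Database.query(
            'SELECT Id, Name FROM Account WHERE Name LIKE \'%' + searchName + '%\'');
        // ApexOpenRedirect: redirect target taken straight from the request
        return new PageReference(ApexPages.currentPage().getParameters().get('retUrl'));
    }
}

// ---- File 2: AccountSearchController.cls (hardened form of the same controller) ----
public with sharing class AccountSearchController {    // record-level sharing rules are enforced
    public String searchName { get; set; }
    public String banner { get; set; }
    public List<Account> results { get; set; }

    // Assumed allow list of relative paths that may be used as return targets
    private static final Set<String> ALLOWED_RETURN_PATHS =
        new Set<String>{ '/apex/AccountList', '/home/home.jsp' };

    public AccountSearchController() {
        // HTML-escape the parameter so it is inert when rendered; no DML in the constructor
        String msg = ApexPages.currentPage().getParameters().get('msg');
        banner = (msg == null) ? '' : msg.escapeHtml4();
        results = new List<Account>();
    }

    public PageReference search() {
        // CRUD/FLS: fail closed if the running user cannot read the object or the field
        if (!Schema.sObjectType.Account.isAccessible()
                || !Schema.sObjectType.Account.fields.Name.isAccessible()) {
            ApexPages.addMessage(new ApexPages.Message(
                ApexPages.Severity.ERROR, 'You do not have access to Account records.'));
            return null;
        }
        // Bind variable: the input is passed as a value and never becomes query text
        String pattern = '%' + searchName + '%';
        results = [SELECT Id, Name FROM Account WHERE Name LIKE :pattern LIMIT 200];

        // Open redirect: honour only exact matches from the allow list, otherwise stay on the page
        String retUrl = ApexPages.currentPage().getParameters().get('retUrl');
        if (retUrl != null && ALLOWED_RETURN_PATHS.contains(retUrl)) {
            return new PageReference(retUrl);
        }
        return null;
    }

    // DML moved to an explicit action bound to a command button, which Visualforce
    // protects with its anti-CSRF token; create permission is checked first
    public void recordView() {
        if (Schema.sObjectType.Audit__c.isCreateable()
                && Schema.sObjectType.Audit__c.fields.Action__c.isCreateable()) {
            insert new Audit__c(Action__c = 'viewed');
        }
    }
}
```

Scanning both files with the add-on is a quick way to see which of the security rules fire in your PMD version; the second file is written so that none of them should, while the first should produce a finding for each commented line.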
b) How to set up custom rules: a customized rule file (XML format; example file name: my_apex_ruleset.xml). The file below is the default ruleset with the ExcessiveParameterList rule and the whole NAMING section removed.
<?xml version="1.0" encoding="UTF-8"?>
<ruleset xmlns="http://pmd.sourceforge.net/ruleset/2.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="my_apex_ruleset" xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd">
   <description>Custom Apex ruleset: the Code Climate defaults without the parameter-list and naming rules</description>

   <!-- COMPLEXITY -->
   <rule ref="category/apex/design.xml/ExcessiveClassLength" message="Avoid really long classes (lines of code)">
      <priority>3</priority>
      <properties>
         <property name="minimum" value="1000" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="150" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/ExcessivePublicCount" message="This class has too many public methods and attributes">
      <priority>3</priority>
      <properties>
         <property name="minimum" value="25" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="150" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/NcssConstructorCount" message="The constructor has an NCSS line count of {0}">
      <priority>3</priority>
      <properties>
         <property name="minimum" value="20" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="50" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/NcssMethodCount" message="The method {0}() has an NCSS line count of {1}">
      <priority>3</priority>
      <properties>
         <property name="minimum" value="60" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="50" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/NcssTypeCount" message="The type has an NCSS line count of {0}">
      <priority>3</priority>
      <properties>
         <property name="minimum" value="700" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="250" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/StdCyclomaticComplexity" message="The {0} ''{1}'' has a Standard Cyclomatic Complexity of {2}.">
      <priority>3</priority>
      <properties>
         <property name="reportLevel" value="10" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="250" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/TooManyFields" message="Too many fields">
      <priority>3</priority>
      <properties>
         <property name="maxfields" value="20" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="200" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/AvoidDeeplyNestedIfStmts" message="Deeply nested if..else statements are hard to read">
      <priority>3</priority>
      <properties>
         <property name="problemDepth" value="4" />
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="200" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/design.xml/CyclomaticComplexity">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Complexity" />
         <property name="cc_remediation_points_multiplier" value="200" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>

   <!-- PERFORMANCE -->
   <rule ref="category/apex/performance.xml/AvoidSoqlInLoops" message="Avoid Soql queries inside loops">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Performance" />
         <property name="cc_remediation_points_multiplier" value="150" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/performance.xml/AvoidSoslInLoops" message="Avoid Sosl queries inside loops">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Performance" />
         <property name="cc_remediation_points_multiplier" value="150" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/performance.xml/AvoidDmlStatementsInLoops" message="Avoid DML Statements inside loops">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Performance" />
         <property name="cc_remediation_points_multiplier" value="150" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/errorprone.xml/AvoidDirectAccessTriggerMap" message="Avoid directly accessing Trigger.old and Trigger.new">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Performance" />
         <property name="cc_remediation_points_multiplier" value="150" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/bestpractices.xml/AvoidLogicInTrigger" message="Avoid logic in triggers">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="200" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/bestpractices.xml/AvoidGlobalModifier" message="Avoid using global modifier">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="100" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/errorprone.xml/AvoidNonExistentAnnotations">
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="100" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/errorprone.xml/AvoidHardcodingId" message="Avoid hardcoding ID's">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security"/>
         <property name="cc_remediation_points_multiplier" value="20"/>
         <property name="cc_block_highlighting" value="false"/>
      </properties>
   </rule>
   <!-- TESTS -->
   <rule ref="category/apex/bestpractices.xml/ApexUnitTestClassShouldHaveAsserts" message="Apex unit test classes should have at least one System.assert() or assertEquals() or AssertNotEquals() call">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Bug Risk" />
         <property name="cc_remediation_points_multiplier" value="100" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/bestpractices.xml/ApexUnitTestShouldNotUseSeeAllDataTrue" message="@isTest(seeAllData=true) should not be used in Apex unit tests because it opens up the existing database data for unexpected modification by tests">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Bug Risk" />
         <property name="cc_remediation_points_multiplier" value="100" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>

   <!-- SECURITY -->
   <rule ref="category/apex/security.xml/ApexSharingViolations" message="Apex classes should declare a sharing model if DML or SOQL is used">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexInsecureEndpoint" message="Apex callouts should use encrypted communication channels">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="50" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexCSRF" message="Avoid making DML operations in Apex class constructor/init method">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="100" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexOpenRedirect" message="Apex classes should safely redirect to a known location">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="50" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexSOQLInjection" message="Apex classes should escape variables merged in DML query">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="20" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexXSSFromURLParam" message="Apex classes should escape Strings obtained from URL parameters">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="20" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexXSSFromEscapeFalse" message="Apex classes should escape addError strings">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="20" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexBadCrypto" message="Apex Crypto should use random IV/key">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security" />
         <property name="cc_remediation_points_multiplier" value="50" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexCRUDViolation" message="Validate CRUD permission before SOQL/DML operation">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security"/>
         <property name="cc_remediation_points_multiplier" value="150"/>
         <property name="cc_block_highlighting" value="false"/>
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexDangerousMethods" message="Calling potentially dangerous method">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security"/>
         <property name="cc_remediation_points_multiplier" value="50"/>
         <property name="cc_block_highlighting" value="false"/>
      </properties>
   </rule>
   <rule ref="category/apex/security.xml/ApexSuggestUsingNamedCred" message="Consider using named credentials for authenticated callouts">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Security"/>
         <property name="cc_remediation_points_multiplier" value="20"/>
         <property name="cc_block_highlighting" value="false"/>
      </properties>
   </rule>

   <rule ref="category/apex/errorprone.xml/EmptyIfStmt" message="Avoid empty 'if' statements">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/errorprone.xml/EmptyWhileStmt" message="Avoid empty 'while' statements">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/errorprone.xml/EmptyTryOrFinallyBlock" message="Avoid empty try or finally blocks">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>
   <rule ref="category/apex/errorprone.xml/EmptyStatementBlock" message="Avoid empty block statements.">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>

   <!-- STYLE -->
   <rule ref="category/apex/codestyle.xml/OneDeclarationPerLine">
      <priority>3</priority>
      <properties>
         <!-- relevant for Code Climate output only -->
         <property name="cc_categories" value="Style" />
         <property name="cc_remediation_points_multiplier" value="5" />
         <property name="cc_block_highlighting" value="false" />
      </properties>
   </rule>

   <!-- Visual Force -->
   <rule ref="category/vf/security.xml/VfCsrf">
      <priority>3</priority>
   </rule>

   <rule ref="category/vf/security.xml/VfUnescapeEl">
      <priority>3</priority>
   </rule>
</ruleset>

In VSCode, open File => Preferences => Settings, search for the keyword "pmd", and change the relevant options as shown in the image below.

Custom rule configuration (image)
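As an added example (not part of the original post or of the extension's own files), here is a custom ruleset that keeps only the security-relevant rules from the default ruleset shown above and leaves out the style and complexity ones; the file name `apex-security-ruleset.xml` and the ruleset name are assumptions, and the file is pointed to via the extension's ruleset setting found by searching "pmd" in Settings, as described above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- apex-security-ruleset.xml: added example, not from the original post.
     Keeps the security rules of the default ruleset above and drops the
     style/complexity rules, so a scan reports only security findings. -->
<ruleset name="Apex security-only ruleset"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd">
   <description>Security rules only, for Apex and Visualforce</description>

   <!-- Pull in the whole Apex security category at the default priority.
        The advisory Named Credentials rule is left out so the report lists
        defects only; the two rules below are excluded here because they are
        re-added individually with a higher priority. -->
   <rule ref="category/apex/security.xml">
      <exclude name="ApexSuggestUsingNamedCred"/>
      <exclude name="ApexSOQLInjection"/>
      <exclude name="ApexCRUDViolation"/>
   </rule>

   <!-- PMD priority 1 is the most severe, so injection and missing CRUD
        checks surface first in the VSCode problems view -->
   <rule ref="category/apex/security.xml/ApexSOQLInjection">
      <priority>1</priority>
   </rule>
   <rule ref="category/apex/security.xml/ApexCRUDViolation">
      <priority>1</priority>
   </rule>

   <!-- Hard-coded record IDs differ between sandbox and production; keep this
        single errorprone rule even though the rest of that category is skipped -->
   <rule ref="category/apex/errorprone.xml/AvoidHardcodingId">
      <priority>2</priority>
   </rule>

   <!-- Visualforce: CSRF on page actions and unescaped expression output -->
   <rule ref="category/vf/security.xml/VfCsrf">
      <priority>1</priority>
   </rule>
   <rule ref="category/vf/security.xml/VfUnescapeEl">
      <priority>1</priority>
   </rule>
</ruleset>
```

The `cc_*` properties from the default file are omitted on purpose: they only affect Code Climate output and have no effect on the VSCode scan.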

Finally: after running the source scan, the results look like the following image.

Scan results (image)

That's all.

Happy Coding!

Posted in Apex, Coding Rules, Salesforce, Vietnam Offshore on Feb 06, 2019