# ======================================================================
# CODE ANALYZER CONFIGURATION
# To learn more about this configuration, visit:
# https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/config-custom.html
# ======================================================================
# The absolute folder path to which all other path values in this configuration may be relative to.
# If unspecified, or if specified as null, then the value is automatically chosen to be the parent folder of your Code Analyzer
# configuration file if it exists, or the current working directory otherwise.
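config_root: null  # Leave null: resolved at run time as described above. Do not record absolute local paths in this file — they leak a developer's username and machine layout into the repository.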
# Folder where to store log files. May be an absolute path or a path relative to config_root.
# If unspecified, or if specified as null, then the value is automatically chosen to be your machine's default temporary directory.
log_folder: code-analyzer-logs # Modified from: null. NOTE(review): this is inside the repo; keep it in .gitignore — analyzer logs can contain source excerpts and absolute paths.
# Rule override settings of the format rules.{engine_name}.{rule_name}.{property_name} = {override_value} where:
# {engine_name} is the name of the engine containing the rule that you want to override.
# {rule_name} is the name of the rule that you want to override.
# {property_name} can either be:
# 'severity' - [Optional] The severity level value that you want to use to override the default severity level for the rule
# Possible values: 1 or 'Critical', 2 or 'High', 3 or 'Moderate', 4 or 'Low', 5 or 'Info'
# 'tags' - [Optional] The string array of tag values that you want to use to override the default tags for the rule
# ---- [Example usage]: ---------------------
# rules:
# eslint:
# sort-vars:
# severity: "Info"
# tags: ["Recommended", "Suggestion"]
# -------------------------------------------
rules:
# ======================================================================
# ESLINT ENGINE RULE OVERRIDES
# ======================================================================
eslint:
'@lwc/lwc-platform/no-aura':
severity: 3
tags:
- Recommended
- LWC
- ErrorProne
- Javascript
'@lwc/lwc-platform/no-aura-libs':
severity: 3
tags:
- Recommended
- LWC
- ErrorProne
- Javascript
'@lwc/lwc-platform/no-community-import':
severity: 3
tags:
- Recommended
- LWC
- ErrorProne
- Javascript
'@lwc/lwc-platform/no-create-context-provider':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-deprecated-module-import':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-dynamic-import-identifier':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-forcegen-namespace':
severity: 3
tags:
- Recommended
- LWC
- ErrorProne
- Javascript
'@lwc/lwc-platform/no-inline-disable':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop-create':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop-dispatch':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop-execute':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop-execute-privileged':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop-execute-raw-response':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop-get-event':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop-get-module':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop-is-external-definition':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop-load-definitions':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop-module-instrumentation':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop-module-storage':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop-register':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop-render':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-interop-sanitize':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-process-env':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc-platform/no-site-import':
severity: 3
tags:
- Recommended
- LWC
- ErrorProne
- Javascript
'@lwc/lwc-platform/no-wire-service':
severity: 3
tags:
- Recommended
- LWC
- ErrorProne
- Javascript
'@lwc/lwc-platform/valid-dynamic-import-hint':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc/no-api-reassignments':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc/no-async-operation':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc/no-attributes-during-construction':
severity: 3
tags:
- Recommended
- LWC
- ErrorProne
- Javascript
'@lwc/lwc/no-deprecated':
severity: 3
tags: # Modified from: ["Recommended","LWC","BestPractices","Javascript"]
- Recommended
'@lwc/lwc/no-disallowed-lwc-imports':
severity: 3
tags: # Modified from: ["Recommended","LWC","BestPractices","Javascript"]
- Recommended
'@lwc/lwc/no-document-query':
severity: 3
tags:
- Recommended
- LWC
- ErrorProne
- Javascript
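'@lwc/lwc/no-inner-html':  # innerHTML/outerHTML/insertAdjacentHTML are DOM XSS sinks; kept at the upstream High severity, consistent with the XSS rules in the PMD section below.
  severity: 2
  tags:
    - Recommended
    - LWC
    - Security
    - Javascript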
'@lwc/lwc/no-leading-uppercase-api-name':
severity: 3
tags:
- Recommended
- LWC
- ErrorProne
- Javascript
'@lwc/lwc/no-template-children':
severity: 3
tags:
- Recommended
- LWC
- ErrorProne
- Javascript
'@lwc/lwc/no-unexpected-wire-adapter-usages':
severity: 3
tags: # Modified from: ["Recommended","LWC","BestPractices","Javascript"]
- Recommended
'@lwc/lwc/no-unknown-wire-adapters':
severity: 3
tags: # Modified from: ["Recommended","LWC","BestPractices","Javascript"]
- Recommended
'@lwc/lwc/prefer-custom-event':
severity: 3
tags:
- Recommended
- LWC
- BestPractices
- Javascript
'@lwc/lwc/valid-api':
severity: 3
tags: # Modified from: ["Recommended","LWC","ErrorProne","Javascript"]
- Recommended
'@lwc/lwc/valid-graphql-wire-adapter-callback-parameters':
severity: 3
tags:
- Recommended
- LWC
- ErrorProne
- Javascript
'@lwc/lwc/valid-track':
severity: 3
tags: # Modified from: ["Recommended","LWC","ErrorProne","Javascript"]
- Recommended
'@lwc/lwc/valid-wire':
severity: 3
tags: # Modified from: ["Recommended","LWC","ErrorProne","Javascript"]
- Recommended
'@salesforce/lightning/valid-apex-method-invocation':
severity: 3
tags:
- Recommended
- LWC
- ErrorProne
- Javascript
'@typescript-eslint/ban-ts-comment':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Typescript"]
- Recommended
- problem
'@typescript-eslint/no-array-constructor':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Typescript"]
- Recommended
- suggestion
'@typescript-eslint/no-duplicate-enum-values':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Typescript"]
- Recommended
- problem
'@typescript-eslint/no-empty-object-type':
severity: 3
tags:
- Recommended
- BestPractices
- Typescript
'@typescript-eslint/no-explicit-any':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Typescript"]
- Recommended
- suggestion
'@typescript-eslint/no-extra-non-null-assertion':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Typescript"]
- Recommended
- problem
'@typescript-eslint/no-misused-new':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Typescript"]
- Recommended
- problem
'@typescript-eslint/no-namespace':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Typescript"]
- Recommended
- suggestion
'@typescript-eslint/no-non-null-asserted-optional-chain':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Typescript"]
- Recommended
- problem
'@typescript-eslint/no-require-imports':
severity: 3 # Modified from: 2
tags:
- Recommended
- ErrorProne
- Typescript
'@typescript-eslint/no-this-alias':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Typescript"]
- Recommended
- suggestion
'@typescript-eslint/no-unnecessary-type-constraint':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Typescript"]
- Recommended
- suggestion
'@typescript-eslint/no-unsafe-declaration-merging':
severity: 2
tags: # Modified from: ["Recommended","ErrorProne","Typescript"]
- Recommended
- problem
'@typescript-eslint/no-unsafe-function-type':
severity: 2
tags:
- Recommended
- ErrorProne
- Typescript
'@typescript-eslint/no-unused-expressions':
severity: 3
tags:
- Recommended
- BestPractices
- Typescript
'@typescript-eslint/no-unused-vars':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Typescript"]
- Recommended
- problem
'@typescript-eslint/no-wrapper-object-types':
severity: 3 # Modified from: 2
tags:
- Recommended
- ErrorProne
- Typescript
'@typescript-eslint/prefer-as-const':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Typescript"]
- Recommended
- suggestion
'@typescript-eslint/prefer-namespace-keyword':
severity: 3
tags:
- Recommended
- BestPractices
- Typescript
'@typescript-eslint/triple-slash-reference':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Typescript"]
- Recommended
- suggestion
'constructor-super':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'for-direction':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'getter-return':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-async-promise-executor':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-case-declarations':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'no-class-assign':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-compare-neg-zero':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-cond-assign':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-const-assign':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-constant-condition':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-control-regex':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-debugger':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-delete-var':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'no-dupe-args':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-dupe-class-members':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-dupe-else-if':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-dupe-keys':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-duplicate-case':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-empty':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'no-empty-character-class':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-empty-pattern':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-ex-assign':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-extra-boolean-cast':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'no-fallthrough':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-func-assign':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-global-assign':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'no-import-assign':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-inner-declarations':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-invalid-regexp':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-irregular-whitespace':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-loss-of-precision':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-misleading-character-class':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-new-symbol':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-nonoctal-decimal-escape':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'no-obj-calls':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-octal':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- suggestion
'no-prototype-builtins':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-redeclare':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript"]
- Recommended
- suggestion
'no-regex-spaces':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'no-restricted-imports':
severity: 3
tags: # Modified from: ["BestPractices","Javascript"]
- Recommended
- suggestion
'no-self-assign':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-setter-return':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-shadow-restricted-names':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'no-sparse-arrays':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-this-before-super':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-undef':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-unexpected-multiline':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-unreachable':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-unsafe-finally':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-unsafe-negation':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-unsafe-optional-chaining':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-unused-labels':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'no-unused-vars':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript"]
- Recommended
- problem
'no-useless-backreference':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'no-useless-catch':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'no-useless-escape':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'no-var':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'no-with':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'prefer-const':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'prefer-rest-params':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'prefer-spread':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'require-yield':
severity: 3
tags: # Modified from: ["Recommended","BestPractices","Javascript","Typescript"]
- Recommended
- suggestion
'use-isnan':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
'valid-typeof':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","ErrorProne","Javascript","Typescript"]
- Recommended
- problem
# ======================================================================
# RETIRE-JS ENGINE RULE OVERRIDES
# ======================================================================
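retire-js:
  # Findings from this engine are third-party libraries with published vulnerabilities
  # (software-supply-chain risk). Keep the Security tag: a `tags` override replaces the
  # engine's default tag list (see the header of this file), so without it a run selected
  # by `Security` would not report known-vulnerable libraries at all.
  'LibraryWithKnownCriticalSeverityVulnerability':
    severity: 1
    tags:
      - Recommended
      - Security
      - Javascript
  'LibraryWithKnownHighSeverityVulnerability':
    severity: 2
    tags:
      - Recommended
      - Security
      - Javascript
  'LibraryWithKnownMediumSeverityVulnerability':
    severity: 3
    tags:
      - Recommended
      - Security
      - Javascript
  'LibraryWithKnownLowSeverityVulnerability':
    severity: 4
    tags:
      - Recommended
      - Security
      - Javascript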
# ======================================================================
# REGEX ENGINE RULE OVERRIDES
# ======================================================================
regex:
'NoTrailingWhitespace':
severity: 5
tags: # Modified from: ["Recommended","CodeStyle","Apex"]
- Recommended
- CodeStyle
'AvoidTermsWithImplicitBias':
severity: 5
tags: # Modified from: ["Recommended","BestPractices"]
- Recommended
'AvoidOldSalesforceApiVersions':
severity: 3 # Modified from: 2
tags: # Modified from: ["Recommended","Security","Xml"]
- Recommended
- Security
'AvoidGetHeapSizeInLoop':
severity: 3 # Modified from: 2
tags:
- Recommended
- Performance
- Apex
'MinVersionForAbstractVirtualClassesWithPrivateMethod':
severity: 3 # Modified from: 2
tags:
- Recommended
- BestPractices
- Apex
# ======================================================================
# FLOWTEST ENGINE RULE OVERRIDES
# ======================================================================
flowtest:
'PreventPassingUserDataIntoElementWithoutSharing':
severity: 2
tags:
- Recommended
- Security
- Xml
'PreventPassingUserDataIntoElementWithSharing':
severity: 4
tags:
- Recommended
- Security
- Xml
# ======================================================================
# PMD ENGINE RULE OVERRIDES
# ======================================================================
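pmd:
  # Severity 1 - Critical Issues
  # Security Vulnerabilities: Hardcoded credentials, insecure API usage, injection risks, improper handling of authentication/authorization.
  # Breaking Functional Bugs: Code patterns that lead to runtime exceptions (e.g., null pointer dereferences, infinite loops), incorrect handling of exceptions (e.g., swallowing exceptions).
  # Regulatory Compliance Violations: Code violating legal/compliance policies (e.g., data exposure, GDPR/PII risks).
  #
  # NOTE(review): a `tags` override replaces the rule's default tag list (see the header of this
  # file), and Code Analyzer's default rule selector is `Recommended` per the linked docs — confirm
  # how CI invokes `code-analyzer run`. Every rule below therefore keeps `Recommended`; without it
  # these security rules silently drop out of a default run.
  'ApexBadCrypto':  # Hardcoded cryptographic keys/IVs.
    severity: 1
    tags:
      - Recommended
      - Security
      - Apex
  'ApexDangerousMethods':  # Use of insecure methods.
    severity: 1
    tags:
      - Recommended
      - Security
      - Apex
  'ApexInsecureEndpoint':  # HTTP usage instead of HTTPS.
    severity: 1
    tags:
      - Recommended
      - Security
      - Apex
  'ApexSharingViolations':  # Missing explicit sharing settings in DML classes.
    severity: 1
    tags:
      - Recommended
      - Security
      - Apex
  'ApexSOQLInjection':  # Dynamic SOQL/SOSL with untrusted variables.
    severity: 1
    tags:
      - Recommended
      - Security
      - Apex
  'ApexXSSFromEscapeFalse':  # Disabling escaping in addError messages.
    severity: 1
    tags:
      - Recommended
      - Security
      - Apex
  'ApexXSSFromURLParam':  # Unescaped/sanitized user input from URL parameters.
    severity: 1
    tags:
      - Recommended
      - Security
      - Apex
  'ApexCSRF':  # DML in constructors/initializers runs during page GET — the classic CSRF vector. This is a security rule, not a functional bug.
    severity: 1
    tags:
      - Recommended
      - Security
      - Apex
  'AvoidHardcodingId':  # Hardcoded record IDs affecting deployments.
    severity: 1
    tags:
      - Recommended
      - RegulatoryCompliance
      - Apex
  'VfCsrf':  # Cross-Site Request Forgery in Visualforce.
    severity: 1
    tags:
      - Recommended
      - Security
      - Apex
  'VfHtmlStyleTagXss':  # XSS vulnerabilities in Visualforce <style> tags.
    severity: 1
    tags:
      - Recommended
      - Security
      - Apex
  'VfUnescapeEl':  # Unescaped EL in Visualforce leading to injection vulnerabilities.
    severity: 1
    tags:
      - Recommended
      - Security
      - Apex
  'EqualComparison':  # `==` instead of `===` in JavaScript is error-prone, not a security vulnerability; it meets none of the Severity 1 criteria above, and tagging it Security at Critical buries real findings.
    severity: 3 # Modified from: 1
    tags:
      - Recommended
      - ErrorProne
      - Javascript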
# Severity 2 - High Issues
# Stability & Reliability Risks: Race conditions, improper thread handling, use of deprecated/unsupported APIs.
# Data Integrity Risks: Improper database transaction handling (e.g., lack of rollback), loss of precision in financial calculations.
# Major Performance Bottlenecks: Inefficient loops, excessive resource consumption, unoptimized large object creation, memory leaks.
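'ApexCRUDViolation':  # Missing CRUD/FLS permission checks before SOQL/SOSL/DML — an authorization control, so tagged Security. By this file's own Severity 1 criteria ("improper handling of authentication/authorization") consider raising to 1.
  severity: 2
  tags:
    - Recommended
    - Security
    - Apex
'ApexOpenRedirect':  # User-controlled redirections. Keeps Recommended so the rule is selected by a default run (a tags override replaces the default list).
  severity: 2
  tags:
    - Recommended
    - Security
    - Compliance
    - Apex
'ApexSuggestUsingNamedCred':  # Hardcoded credentials in API requests. Keeps Recommended for the same reason.
  severity: 2
  tags:
    - Recommended
    - Security
    - Compliance
    - Apex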
'AvoidGlobalModifier': # global classes can never be deleted (especially in managed packages).
severity: 2
tags:
- Stability
- Reliability
- Apex
'AvoidNonExistentAnnotations': # Use of non-existent or outdated annotations.
severity: 2
tags:
- Stability
- Reliability
- Apex
'InaccessibleAuraEnabledGetter': # Missing required access modifiers in Summer ‘21+.
severity: 2
tags:
- Stability
- Reliability
- Apex
'AvoidNonRestrictiveQueries': # Unfiltered SOQL/SOSL queries on large data sets.
severity: 2
tags:
- Performance
- Apex
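'AvoidWithStatement':  # `with` blocks defeat static scope analysis and are rejected in strict mode.
  severity: 2
  tags:
    - Recommended
    - Security  # no trailing comma: in a block sequence `Security,` is the literal string "Security," and would never match a Security rule selector
    - Javascript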
# Severity 3 - Medium Issues
# Maintainability & Readability Concerns: Excessively long methods/classes, unused variables, dead code, lack of modularization.
# Performance Optimizations: Inefficient collection usage (e.g., iterating through a large list instead of using a Set/Map), avoidable object instantiations.
# Testability Concerns: Lack of dependency injection, excessive coupling, non-deterministic tests (e.g., time-dependent tests).
'AvoidDirectAccessTriggerMap': # Accessing Trigger.old and Trigger.new directly.
severity: 3
tags:
- BreakingFunctionalBugs
- Apex
'AvoidLogicInTrigger': # Business logic inside triggers instead of handler classes.
severity: 3
tags:
- DataIntegrity
- Apex
'EagerlyLoadedDescribeSObjectResult': # Using getDescribe() without lazy loading.
severity: 3
tags:
- Performance
- Apex
'ExcessiveClassLength': # Large, overloaded classes.
severity: 3
tags:
- Maintainability
- Readability
- Apex
'ExcessiveParameterList': # Methods with too many parameters.
severity: 3
tags:
- Maintainability
- Readability
- Apex
'ExcessivePublicCount': # Classes with excessive public attributes/methods.
severity: 3
tags:
- Maintainability
- Readability
- Apex
'OperationWithHighCostInLoop': # Costly operations inside loops.
severity: 3
tags:
- Performance
- Apex
'OperationWithLimitsInLoop': # DML, SOQL, SOSL, Email calls inside loops.
severity: 3
tags:
- Performance
- Apex
'UnusedMethod': # Unused methods making code harder to maintain.
severity: 3
tags:
- Maintainability
- Readability
- Apex
'QueueableWithoutFinalizer': # Missing finalizers in Queueable jobs.
severity: 3
tags:
- Maintainability
- Readability
- Apex
'CognitiveComplexity': # Overly complex methods.
severity: 3
tags:
- Maintainability
- Readability
- Apex
'CyclomaticComplexity': # High branching complexity in methods.
severity: 3
tags:
- Maintainability
- Readability
- Apex
'StdCyclomaticComplexity': # Complexity exceeding recommended limits.
severity: 3
tags:
- Maintainability
- Readability
- Apex
'TooManyFields': # Classes with too many instance variables.
severity: 3
tags:
- Maintainability
- Readability
- Apex
'AvoidDebugStatements': # Excessive debug logging affecting performance.
severity: 3
tags:
- Performance
- Apex
'ApexUnitTestClassShouldHaveAsserts': # Unit tests without assertions.
severity: 3
tags:
- Testability
- Apex
'ApexUnitTestClassShouldHaveRunAs': # Unit tests without runAs.
severity: 3
tags:
- Testability
- Apex
'ApexUnitTestMethodShouldHaveIsTestAnnotation': # Missing @isTest annotations.
severity: 3
tags:
- Testability
- Apex
'ApexUnitTestShouldNotUseSeeAllDataTrue': # Test classes exposing real data.
severity: 3
tags:
- Testability
- Apex
'MethodWithSameNameAsEnclosingClass': # Non-constructor methods should not have the same name as the enclosing class.
severity: 3
tags:
- Maintainability
- Readability
- Apex
'ScopeForInVariable': # Poor variable scoping reduces readability and increases logical errors.
severity: 3
tags:
- BestPractices
- Apex
'TestMethodsMustBeInTestClasses': # Test methods should reside in @isTest classes for better organization.
severity: 3
tags:
- BestPractices
- Testability
- Apex
'UnreachableCode': # Code that will never be executed increases technical debt.
severity: 3
tags:
- BestPractices
- Maintainability
- Apex
'UseBaseWithParseInt': # Failing to specify a base in parseInt() may lead to unexpected behavior.
severity: 3
tags:
- BestPractices
- Maintainability
- Apex
# Severity 4 - Low Issues
# Coding Standards Violations: Inconsistent naming conventions, lack of method documentation, missing comments.
# Minor Efficiency Issues: Unnecessary computations (e.g., redundant calculations), use of incorrect data structures (e.g., using a List instead of a Set for uniqueness).
# Warnings for Future Issues: Methods/classes that might become problematic as the codebase scales.
'ClassNamingConventions': # Enforcing class naming conventions.
severity: 4
tags:
- CodeStyle
- Readability
- Apex
'FieldNamingConventions': # Standardized variable naming.
severity: 4
tags:
- CodeStyle
- Readability
- Apex
'MethodNamingConventions': # Proper naming conventions for methods.
severity: 4
tags:
- CodeStyle
- Readability
- Apex
'FormalParameterNamingConventions': # Naming consistency for method parameters.
severity: 4
tags:
- CodeStyle
- Readability
- Apex
'PropertyNamingConventions': # Enforcing naming conventions for properties.
severity: 4
tags:
- CodeStyle
- Readability
- Apex
'LocalVariableNamingConventions': # Standardization of local variables.
severity: 4
tags:
- CodeStyle
- Readability
- Apex
'FieldDeclarationsShouldBeAtStart': # Fields should appear before methods.
severity: 4
tags:
- CodeStyle
- Readability
- Apex
'OneDeclarationPerLine': # Only one variable per line.
severity: 4
tags:
- CodeStyle
- Readability
- Apex
'DebugsShouldUseLoggingLevel': # System.debug should use LoggingLevel.
severity: 4
tags:
- CodeStyle
- Readability
- Apex
'AvoidDeeplyNestedIfStmts': # Prevents difficult-to-read nested conditions.
severity: 4
tags:
- CodeStyle
- Readability
- Apex
# Severity 5 - Lowest Issues
# Minor Code Style Issues: Indentation, spacing, unused imports, unnecessary explicit type declarations.
# Suggestions for Improvement: Encouraging use of Java 8+ features (e.g., lambda expressions), recommended API usage patterns (e.g., StringBuilder instead of String concatenation in loops).
'IfElseStmtsMustUseBraces': # Enforces {} on if-else statements.
severity: 5
tags:
- CodeStyle
- Readability
- Apex
'IfStmtsMustUseBraces': # Requires {} in if statements.
severity: 5
tags:
- CodeStyle
- Readability
- Apex
'WhileLoopsMustUseBraces': # Enforces {} in while loops.
severity: 5
tags:
- CodeStyle
- Readability
- Apex
'ForLoopsMustUseBraces': # Requires {} in for loops.
severity: 5
tags:
- CodeStyle
- Readability
- Apex
'ApexDoc': # Enforces ApexDoc comments on methods, classes, and properties.
severity: 5
tags:
- CodeStyle
- Readability
- Apex
'EmptyCatchBlock': # Catches exceptions but does nothing.
severity: 5
tags:
- CodeStyle
- Readability
- Apex
'EmptyIfStmt': # if condition exists but does nothing.
severity: 5
tags:
- CodeStyle
- Readability
- Apex
'EmptyStatementBlock': # Empty {} blocks should be removed.
severity: 5
tags:
- CodeStyle
- Readability
- Apex
'EmptyTryOrFinallyBlock': # Unused try or finally blocks.
severity: 5
tags:
- CodeStyle
- Readability
- Apex
'EmptyWhileStmt': # Empty while loops.
severity: 5
tags:
- CodeStyle
- Readability
- Apex
'GlobalVariable': # Potential false positives for global variables.
severity: 5
tags:
- BestPractices
- Javascript
'AvoidTrailingComma': # Trailing commas are a minor formatting issue and do not impact execution.
severity: 5
tags:
- CodeStyle
- Readability
- Apex
# ======================================================================
# CPD ENGINE RULE OVERRIDES
# ======================================================================
cpd:
'DetectCopyPasteForApex':
severity: 5
tags:
- Recommended
- Design
- Apex
'DetectCopyPasteForJavascript':
severity: 5
tags:
- Recommended
- Design
- Javascript
'DetectCopyPasteForTypescript':
severity: 5
tags:
- Recommended
- Design
- Typescript
'DetectCopyPasteForVisualforce':
severity: 5
tags:
- Recommended
- Design
- Visualforce
# Engine specific custom configuration settings of the format engines.{engine_name}.{property_name} = {value} where:
# {engine_name} is the name of the engine containing the setting that you want to override.
# {property_name} is the name of a property that you would like to override.
# Each engine may have its own set of properties available to help customize that particular engine's behavior.
engines:
# ======================================================================
# ESLINT ENGINE CONFIGURATION
# To learn more about this configuration, visit:
# https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/engine-eslint.html#eslint-configuration-reference
# ======================================================================
eslint:
  # Set to true to drop the 'eslint' engine from every Code Analyzer run.
  disable_engine: false
  # Project ESLint configuration file (absolute, or relative to config_root). Left null so
  # that auto_discover_eslint_config below locates it. Only legacy ESLint config files are
  # supported; see https://eslint.org/docs/v8.x/use/configure/configuration-files
  eslint_config_file: null
  # Project ".eslintignore" file (absolute, or relative to config_root). Null lets
  # auto-discovery find it. See https://eslint.org/docs/v8.x/use/configure/ignore#the-eslintignore-file
  eslint_ignore_file: null
  # Pick up ESLint configuration and ignore files from the scanned workspace automatically.
  # Review note: those files are controlled by whatever is being scanned. A config can name
  # parsers and plugins that get loaded from the workspace, and an ignore file can take
  # files out of the scan entirely - treat a change to either in a PR as a change to the
  # gate itself, not as an ordinary edit.
  auto_discover_eslint_config: true
  # Standard ESLint JavaScript rules: enabled.
  disable_javascript_base_config: false
  # LWC rules for JavaScript: enabled.
  disable_lwc_base_config: false
  # Standard TypeScript rules: disabled. '.ts' stays listed below so that custom
  # TypeScript-based rules (if the ESLint config defines any) still apply to those files.
  disable_typescript_base_config: true
  # File extensions used for rule discovery, grouped by language: 'javascript' for the
  # standard JS rules, LWC rules and custom JS-based rules; 'typescript' for the standard
  # TS rules and custom TS-based rules; 'other' for custom rules tied to any other language.
  file_extensions:
    javascript: [".js", ".cjs", ".mjs"]
    typescript: [".ts"]
    other: []
# ======================================================================
# RETIRE-JS ENGINE CONFIGURATION
# To learn more about this configuration, visit:
# https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/engine-retire-js.html#retirejs-configuration-reference
# ======================================================================
retire-js:
  # Set to true to drop the 'retire-js' engine from every Code Analyzer run.
  # Leave it on: this is the engine that reports bundled JavaScript libraries with
  # publicly known vulnerabilities.
  disable_engine: false
# ======================================================================
# REGEX ENGINE CONFIGURATION
# To learn more about this configuration, visit:
# https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/engine-regex.html#regex-configuration-reference
# ======================================================================
regex:
# Whether to turn off the 'regex' engine so that it is not included when running Code Analyzer commands.
# NOTE(review): with the engine disabled, none of the custom_rules defined below
# (severity 1, tagged Must/Security) are evaluated. If that is intentional, record
# why here; otherwise set this to false.
disable_engine: true
# Custom rules to be added to the 'regex' engine of the format custom_rules.{rule_name}.{rule_property_name} = {value} where:
# {rule_name} is the name you would like to give to your custom rule
# {rule_property_name} is the name of one of the rule properties. You may specify the following rule properties:
# 'regex' - The regular expression that triggers a violation when matched against the contents of a file.
# 'file_extensions' - The extensions of the files that you would like to test the regular expression against.
# 'description' - A description of the rule's purpose
# 'violation_message' - [Optional] The message emitted when a rule violation occurs.
# This message is intended to help the user understand the violation.
# Default: 'A match of the regular expression {regex} was found for rule {rule_name}: {description}'
# 'severity' - [Optional] The severity level to apply to this rule by default.
# Possible values: 1 or 'Critical', 2 or 'High', 3 or 'Moderate', 4 or 'Low', 5 or 'Info'
# Default: 3
# 'tags' - [Optional] The string array of tag values to apply to this rule by default.
# Default: ['Recommended']
# ---- [Example usage]: ---------------------
# engines:
# regex:
# custom_rules:
# "NoTodoComments":
# regex: /\/\/[ \t]*TODO/gi
# file_extensions: [".apex", ".cls", ".trigger"]
# description: "Prevents TODO comments from being in apex code."
# violation_message: "A comment with a TODO statement was found. Please remove TODO statements from your apex code."
# severity: "Info"
# tags: ["TechDebt"]
# -------------------------------------------
custom_rules:
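PMDSuppressWarningsGlobal:
  # Flags @SuppressWarnings('PMD') - the whole-engine suppression - unless an approved
  # bypass marker follows it. `^\s*` rather than bare `^` is required: under the `m`
  # flag `^` only matches at a line start, and method- or field-level annotations are
  # indented, so the bare form silently skipped them.
  # The folded scalar joins its two lines with exactly one space, which is the literal
  # space the pattern needs between "Bypass" and "Security" - do not reflow this value.
  # The bypass marker is accepted on trust; the ticket id is not checked against anything.
  regex: >-
    /^\s*@SuppressWarnings\(\s*'([^']*\bPMD\b(?!\.)[^']*)'\s*\)(?!\s*\/\/\s*Bypass
    Security:\s+[A-Za-z0-9]+-\d+\s*\(Security-approved\))/gim
  description: Flags usage of @SuppressWarnings with the global 'PMD' suppression.
  violation_message: >-
    The @SuppressWarnings contains a global 'PMD' suppression, which should be
    reviewed for proper use or bypass approval.
  severity: 1
  tags: [Must, Security, CodeQuality]
  file_extensions: [".apex", ".cls", ".trigger"]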
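PMDAvoidGlobalModifier:
  # Flags suppression of 'PMD.AvoidGlobalModifier' unless an approved bypass marker
  # follows it. `^\s*` rather than bare `^`: under the `m` flag an indented annotation
  # (any method- or field-level one) would otherwise never match.
  # The folded scalar joins its two lines with the single literal space the pattern
  # needs between "Bypass" and "Security" - do not reflow this value.
  regex: >-
    /^\s*@SuppressWarnings\(\s*'([^']*\bPMD\.AvoidGlobalModifier\b[^']*)'\s*\)(?!\s*\/\/\s*Bypass
    Security:\s+[A-Za-z0-9]+-\d+\s*\(Security-approved\))/gim
  description: >-
    Flags usage of @SuppressWarnings with 'PMD.AvoidGlobalModifier' to ensure
    its use is justified.
  violation_message: >-
    The @SuppressWarnings contains 'PMD.AvoidGlobalModifier', which should be
    reviewed for proper use or bypass approval.
  severity: 1
  tags: [Must, Security, CodeQuality]
  file_extensions: [".apex", ".cls", ".trigger"]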
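PMDApexBadCrypto:
  # Flags suppression of 'PMD.ApexBadCrypto' unless an approved bypass marker follows
  # it. `^\s*` rather than bare `^`: under the `m` flag an indented annotation would
  # otherwise never match. The folded scalar joins its two lines with the single
  # literal space the pattern needs between "Bypass" and "Security" - do not reflow.
  regex: >-
    /^\s*@SuppressWarnings\(\s*'([^']*\bPMD\.ApexBadCrypto\b[^']*)'\s*\)(?!\s*\/\/\s*Bypass
    Security:\s+[A-Za-z0-9]+-\d+\s*\(Security-approved\))/gim
  description: Flags suppression of 'PMD.ApexBadCrypto'.
  violation_message: Review suppression of 'PMD.ApexBadCrypto'.
  severity: 1
  tags: [Must, Security, CodeQuality]
  file_extensions: [".apex", ".cls", ".trigger"]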
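PMDApexCSRF:
  # Flags suppression of 'PMD.ApexCSRF' unless an approved bypass marker follows it.
  # `^\s*` rather than bare `^`: under the `m` flag an indented annotation would
  # otherwise never match. The folded scalar joins its two lines with the single
  # literal space the pattern needs between "Bypass" and "Security" - do not reflow.
  regex: >-
    /^\s*@SuppressWarnings\(\s*'([^']*\bPMD\.ApexCSRF\b[^']*)'\s*\)(?!\s*\/\/\s*Bypass
    Security:\s+[A-Za-z0-9]+-\d+\s*\(Security-approved\))/gim
  description: Flags suppression of 'PMD.ApexCSRF'.
  violation_message: Review suppression of 'PMD.ApexCSRF'.
  severity: 1
  tags: [Must, Security, CodeQuality]
  file_extensions: [".apex", ".cls", ".trigger"]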
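PMDApexCRUDViolation:
  # Flags suppression of 'PMD.ApexCRUDViolation' unless an approved bypass marker
  # follows it. `^\s*` rather than bare `^`: under the `m` flag an indented annotation
  # would otherwise never match. The folded scalar joins its two lines with the single
  # literal space the pattern needs between "Bypass" and "Security" - do not reflow.
  regex: >-
    /^\s*@SuppressWarnings\(\s*'([^']*\bPMD\.ApexCRUDViolation\b[^']*)'\s*\)(?!\s*\/\/\s*Bypass
    Security:\s+[A-Za-z0-9]+-\d+\s*\(Security-approved\))/gim
  description: Flags suppression of 'PMD.ApexCRUDViolation'.
  violation_message: Review suppression of 'PMD.ApexCRUDViolation'.
  severity: 1
  tags: [Must, Security, CodeQuality]
  file_extensions: [".apex", ".cls", ".trigger"]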
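PMDApexDangerousMethods:
  # Flags suppression of 'PMD.ApexDangerousMethods' unless an approved bypass marker
  # follows it. `^\s*` rather than bare `^`: under the `m` flag an indented annotation
  # would otherwise never match. The folded scalar joins its two lines with the single
  # literal space the pattern needs between "Bypass" and "Security" - do not reflow.
  regex: >-
    /^\s*@SuppressWarnings\(\s*'([^']*\bPMD\.ApexDangerousMethods\b[^']*)'\s*\)(?!\s*\/\/\s*Bypass
    Security:\s+[A-Za-z0-9]+-\d+\s*\(Security-approved\))/gim
  description: Flags suppression of 'PMD.ApexDangerousMethods'.
  violation_message: Review suppression of 'PMD.ApexDangerousMethods'.
  severity: 1
  tags: [Must, Security, CodeQuality]
  file_extensions: [".apex", ".cls", ".trigger"]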
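PMDApexInsecureEndpoint:
  # Flags suppression of 'PMD.ApexInsecureEndpoint' unless an approved bypass marker
  # follows it. `^\s*` rather than bare `^`: under the `m` flag an indented annotation
  # would otherwise never match. The folded scalar joins its two lines with the single
  # literal space the pattern needs between "Bypass" and "Security" - do not reflow.
  regex: >-
    /^\s*@SuppressWarnings\(\s*'([^']*\bPMD\.ApexInsecureEndpoint\b[^']*)'\s*\)(?!\s*\/\/\s*Bypass
    Security:\s+[A-Za-z0-9]+-\d+\s*\(Security-approved\))/gim
  description: Flags suppression of 'PMD.ApexInsecureEndpoint'.
  violation_message: Review suppression of 'PMD.ApexInsecureEndpoint'.
  severity: 1
  tags: [Must, Security, CodeQuality]
  file_extensions: [".apex", ".cls", ".trigger"]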
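PMDApexOpenRedirect:
  # Flags suppression of 'PMD.ApexOpenRedirect' unless an approved bypass marker
  # follows it. `^\s*` rather than bare `^`: under the `m` flag an indented annotation
  # would otherwise never match. The folded scalar joins its two lines with the single
  # literal space the pattern needs between "Bypass" and "Security" - do not reflow.
  regex: >-
    /^\s*@SuppressWarnings\(\s*'([^']*\bPMD\.ApexOpenRedirect\b[^']*)'\s*\)(?!\s*\/\/\s*Bypass
    Security:\s+[A-Za-z0-9]+-\d+\s*\(Security-approved\))/gim
  description: Flags suppression of 'PMD.ApexOpenRedirect'.
  violation_message: Review suppression of 'PMD.ApexOpenRedirect'.
  severity: 1
  tags: [Must, Security, CodeQuality]
  file_extensions: [".apex", ".cls", ".trigger"]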
PMDApexSharingViolations: