PMD

PMD is a source-code analyzer that allows for static analysis of code written in a number of supported languages, including Java, Apex, and Visualforce. Its built-in rules detect common flaws in code, such as empty catch blocks or unused variables.

By default, the Code Analyzer scanner run command executes the PMD default Apex and Visualforce rules against compatible files.

You can change which rules are executed by using the flags described in the Code Analyzer Command Reference.

Refer to our FAQ for information on how to enable the PMD built-in rules for other languages.

In addition to the base PMD engine, Code Analyzer also includes a custom PMD variant, pmd-appexchange. The rules included in pmd-appexchange help you prepare your managed packages for security review.

The pmd-appexchange engine is disabled by default. To run a PMD scan with the AppExchange ruleset, run sf scanner run with the --engine pmd-appexchange flag. For example:

sf scanner run --engine pmd-appexchange --target ./

For more information on the pmd-appexchange rules, see the pmd-appexchange Rule Reference.

To include an optional PMD scan with the AppExchange-specific ruleset in your AppExchange security review submission, run sf scanner run --engine pmd-appexchange and name the output file CodeAnalyzerPmdAppExchange.csv. For example:

sf scanner run --engine pmd-appexchange --format csv --outfile CodeAnalyzerPmdAppExchange.csv
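The two invocations above (scanning with the pmd-appexchange engine, and writing the CSV named for the security review submission) can be wrapped in a small script that also gates on the result. This is an added example, not part of the Code Analyzer documentation; it assumes the sf CLI with the Code Analyzer plugin is installed, and the CSV column layout it parses (all fields quoted, Severity in column 2 with 1 the most severe, Rule in column 6) is an assumption, not something the page states.

```shell
#!/bin/sh
# Added example (not from the Code Analyzer docs). Runs the optional
# pmd-appexchange scan for a security review submission and summarises
# the CSV it writes. Assumes the sf CLI + Code Analyzer plugin is
# installed. The CSV layout assumed below (quoted fields, Severity in
# column 2, Rule in column 6) is an assumption about the csv format.

# Run the AppExchange ruleset against a directory, producing the file
# name the submission instructions ask for.
run_appexchange_scan() {
  sf scanner run --engine pmd-appexchange --target "$1" \
    --format csv --outfile CodeAnalyzerPmdAppExchange.csv
}

# Count violations at or above a severity threshold (1 = most severe).
# Reads the CSV on stdin and skips the header row.
count_at_or_above() {
  awk -F'","' -v max="$1" \
    'NR > 1 && ($2 + 0) <= max { n++ } END { print n + 0 }'
}

# List the distinct rules that fired, one per line, for the review notes.
rules_hit() {
  awk -F'","' 'NR > 1 { print $6 }' | sort -u
}

# Exit non-zero if any violation at or above severity $1 is present in
# the scan output; useful as a CI gate before submitting for review.
gate_on_severity() {
  n=$(count_at_or_above "$1" < CodeAnalyzerPmdAppExchange.csv)
  [ "$n" -eq 0 ]
}

# Constructed sample output (not real scanner output, placeholder rule
# names) so the helpers can be exercised without running the scanner.
SAMPLE_CSV='"Problem","Severity","File","Line","Column","Rule","Description","URL","Category","Engine"
"1","1","force-app/main/default/classes/Foo.cls","12","5","PlaceholderRuleOne","...","","Security","pmd-appexchange"
"2","2","force-app/main/default/classes/Foo.cls","30","9","PlaceholderRuleTwo","...","","Security","pmd-appexchange"
"3","3","force-app/main/default/classes/Bar.cls","4","1","PlaceholderRuleThree","...","","Security","pmd-appexchange"'

# Typical use:
#   run_appexchange_scan ./force-app && gate_on_severity 1
```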

For full instructions on preparing for the AppExchange security review with Code Analyzer, read Scan Your Solution with Salesforce Code Analyzer in the ISVforce Guide.