PMD

PMD is a source-code analyzer that allows for static analysis of code written in a number of supported languages, including Java, Apex, and Visualforce. Its built-in rules detect common flaws in code, such as empty catch blocks or unused variables.

By default, the Code Analyzer scanner run command executes the PMD default Apex and Visualforce rules against compatible files.

You can change which rules are executed by using the flags described in the Code Analyzer Command Reference.

Refer to our FAQ for info on how to enable the PMD built-in rules for other languages.

If your code uses recently added language features such as user mode, you must run PMD 7. Which version of PMD your scans use depends on which version of Code Analyzer you installed. By default:

  • The Code Analyzer v4.x (beta) run command uses PMD 7.x.
  • The Code Analyzer v3.x (generally available), the run command uses PMD 6.55.0.

To scan your code with PMD 7.0.0-rc4 and its CPD version in Code Analyzer v3.x as a preview, use the —-preview-pmd7 flag to bypass the default. If your code uses recently added language features such as user mode, use PMD v7.x.

  • csv: the requested output file format

See the documentation for PMD 7, read the PMD 7 and its copy paste detector documentation.

In addition to the base PMD engine, Code Analyzer also includes a custom PMD variant, pmd-appexchange. The rules included in pmd-appexchange helps you prepare your managed packages for security review.

The pmd-appexchange engine is disabled by default. To run a PMD scan with the AppExchange ruleset, run sf scanner run with the --engine pmd-appexchange flag. For example:

sf scanner run --engine pmd-appexchange --target ./

For more information on the pmd-appexchange rules, see the pmd-appexchange Rule Reference.

To include an optional PMD scan with the AppExchange-specific ruleset in your AppExchange security review submission, run sf scanner run --engine pmd-appexchange and name the output file CodeAnalyzerPmdAppExchange.csv. For example:

sf scanner run --engine pmd-appexchange --format=csv --outfile=CodeAnalyzerPmdAppExchange.csv

For full instructions on preparing for the AppExchange security review with Code Analyzer, read Scan Your Solution with Salesforce Code Analyzer in the ISVforce Guide.