PMD AppExchange Rules Reference
The PMD AppExchange rules help you prepare your second-generation managed packages (managed 2GP) for security review. To select these rules, use `--rule-selector AppExchange`. For example, to run the recommended AppExchange rules:
You typically store the source code for a second-generation managed package (managed 2GP) in a Salesforce DX project, which you then usually add to a version control system, such as GitHub. The managed 2GP source consists of metadata component files that define your Salesforce app. These files are stored in one or more package directories in your Salesforce DX project; the default package directory is called `force-app`.
The metadata component files that make up your 2GP package can be in one of these formats:
- Source format: The default and recommended format when working with Salesforce DX projects. The metadata component files are in XML format and they all have the `.xml` file extension.
- Mdapi format: The format specified by Metadata API. Each metadata component has a different file extension, although the content is still XML. For example, permission sets are stored in a single file with the extension `.permissionset`, and custom objects are in a single file with the extension `.object`.
If you use source format, then you don't need to do any custom configuration, because Code Analyzer by default analyzes XML files that have the `.xml` extension. However, if you use mdapi format in your Salesforce DX project, then you must update your `code-analyzer.yml` configuration file so that Code Analyzer correctly analyzes these XML files with different extensions. Specifically, you must add the file extensions of all your app's metadata types to the `file_extensions: xml` option under the `pmd` engine section.
For example, this `code-analyzer.yml` snippet results in Code Analyzer correctly running the PMD AppExchange rules on custom objects, permission sets, layouts, and flows that are in mdapi format:
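The following `code-analyzer.yml` fragment is an added example, not the page's own snippet: it maps the four mdapi metadata types named above (custom objects, permission sets, layouts, flows) to their Metadata API file extensions under the `pmd` engine's `file_extensions: xml` option. The exact key layout and the assumption that the list replaces (rather than extends) the default `.xml` entry are taken from the Code Analyzer configuration format as documented; keeping `.xml` in the list ensures source-format files in the same project are still analyzed.

```yaml
# code-analyzer.yml (added example; assumes the Code Analyzer v5 config layout)
engines:
  pmd:
    # PMD only analyzes XML files whose extensions appear in this list,
    # so mdapi-format metadata must be added here explicitly. The list
    # is assumed to replace the default [".xml"], hence ".xml" is kept.
    file_extensions:
      xml:
        - ".xml"            # source-format metadata (default)
        - ".object"         # CustomObject (mdapi format)
        - ".permissionset"  # PermissionSet (mdapi format)
        - ".layout"         # Layout (mdapi format)
        - ".flow"           # Flow (mdapi format)
```

Any other mdapi metadata type your package ships (for example connected apps or remote site settings, which several AppExchange rules inspect) needs its own extension appended to the same list; see the Metadata Types reference linked below for the extension of each type.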
See Metadata Types in the Metadata API Developer Guide for reference information for all metadata types and their file extensions.
Description: Detects use of Api.Session_ID or GETSESSIONID() to retrieve a session ID.
Severity: High (2)
Tags: AppExchange, Security, Xml
Example(s):
- [Bad] Code that causes a violation:
- [Bad] Code that causes a violation:
- [Bad] Code that causes a violation:

Description: Detects use of API versions with Lightning Locker disabled in Aura components. Use API version 40 or greater.
Severity: Critical (1)
Tags: AppExchange, Security, Xml
Example(s):
- [Bad] Code that causes a violation:
- [Good] Code that does not cause a violation:

Description: Detects if the "Disable Protocol Security" setting is true.
Severity: Moderate (3)
Tags: AppExchange, Security, Xml
Example(s):
- [Bad] Code that causes a violation:
- [Good] Code that does not cause a violation:

Description: Detects use of hard-coded credentials in Aura components.
Severity: High (2)
Tags: AppExchange, Security, Html
Example(s):
- [Bad] Code that causes a violation:
- [Bad] Code that causes a violation:
- [Good] Code that does not cause a violation:
- [Good] Code that does not cause a violation:

Description: Detects instances of a Remote Site Setting that uses HTTP. Use HTTPS instead.
Severity: Moderate (3)
Tags: AppExchange, Security, Xml
Example(s):
- [Bad] Code that causes a violation:
- [Good] Code that does not cause a violation:

Description: Detects use of custom JavaScript actions in custom rules.
Severity: High (2)
Tags: AppExchange, Security, Xml
Example(s):
- [Bad] Code that causes a violation:
- [Good] Code that does not cause a violation:

Description: Detects use of custom JavaScript actions in home page components.
Severity: High (2)
Tags: AppExchange, Security, Xml
Example(s):
- [Bad] Code that causes a violation:
- [Bad] Code that causes a violation:
- [Good] Code that does not cause a violation:

Description: Detects use of JavaScript-style URLs (javascript:) in components, such as web links and buttons. Avoid JavaScript-style URLs in managed packages.
Severity: Critical (1)
Tags: AppExchange, Security, Xml
Example(s):
- [Bad] Code that causes a violation:
- [Bad] Code that causes a violation:
- [Good] Code that does not cause a violation:

Description: Detects use of custom JavaScript actions in web links.
Severity: High (2)
Tags: AppExchange, Security, Xml
Example(s):
- [Bad] Code that causes a violation:
- [Good] Code that does not cause a violation:

Description: Detects a Lightning Message Channel with isExposed=true, which isn't allowed in managed packages.
Severity: High (2)
Tags: AppExchange, Security, Xml
Example(s):
- [Bad] Code that causes a violation:
- [Good] Code that does not cause a violation:

Description: Detects if S-Controls are used, since they should not be used in managed packages.
Severity: Critical (1)
Tags: AppExchange, Security, Xml
Example(s):
- [Bad] Code that causes a violation:

Description: Detects use of aura
Severity: High (2)
Tags: AppExchange, Security, Html
Example(s):
- [Bad] Code that causes a violation:

Description: Detects if a connected app uses full scope instead of limited scope. Explain this use case in your AppExchange security review submission.
Severity: Moderate (3)
Tags: AppExchange, Security, Xml
Example(s):
- [Bad] Code that causes a violation:
- [Good] Code that does not cause a violation:

Description: Detects where sensitive data must be stored in Protected Custom Metadata or Protected Custom Settings. Use protected custom settings or protected custom metadata to store secrets. Refer to the "Protect Secrets Using Platform Features" Trailhead module for more guidance.
Severity: Moderate (3)
Tags: AppExchange, Security, Xml

Description: Detects instances of an OAuth callback URL that uses HTTP. Use HTTPS instead.
Severity: Moderate (3)
Tags: AppExchange, Security, Xml
Example(s):
- [Bad] Code that causes a violation:
- [Bad] Code that causes a violation:
- [Good] Code that does not cause a violation: