3.8

Release notes

This is the release of CodeScan 3.8 including support for SonarQube 6.4+.

New Feature:

  1. Suppress Unit Test Violations

    • Supresses violations on unit tests. Rules can be configured global or individually to not raise violations inside unit tests.

New Apex rules:

  1. Controller Naming Convention
    • Controller class names should end with “Controller”. Only classes linked to a page as a controller or extension is considered.
  2. Law of demeter
    • Each unit should have only limited knowledge about other units: only units “closely” related to the current unit.
  3. God class
    • The God Class rule detects the God Class design flaw using metrics. God classes do too many things, are very big and overly complex. They should be split apart to be more object-oriented.
  4. Controller variable could be declared transient
    • Consider marking this variable as transient to avoid Salesforce page limits on view-state.
  5. Avoid inline CSS style attributes
    • This rule detects the usage of HTML “style” attributes to make sure that all CSS styles are defined in CSS classes.
  6. @AuraEnabled should have proper error handling
    • @AuraEnabled actions require error handling and should throw AuraHandledException.
  7. Avoid DML In Unit Tests functions
    • Avoid DML which creates data in unit test functions. These functions should be moved into helper functions and re-used.
  8. Avoid creating cookies with isSecure disabled
    • The isSecure parameter indicates whether the cookie can be accessed through HTTPS. By setting isSecure=false, sensitive cookies may be exposed when sending the cookie over an unsecure connection.
  9. Avoid Hard Coded Error Messages
    • Error messages that are passed to the client should use custom labels. This allows the message to be translated and modified more easily
  10. API Version Check
    • This rule checks that the class is configured to use a recent version of the Salesforce API. The minimum and maximum version is configurable.
  11. Avoid SOQL calls in controller getter methods
    • This rule checks for SOQL being called in getter methods of Controllers/Extensions. SOQL methods called in getter methods should use the lazily-loading design pattern.

Improved Apex rules:

  1. Unused Local Variables
    • Late binding of variables passed to Database.query is now resolved. Variables only used in a string which is passed to Database.query is no longer ‘unused’.
  2. Unnecessary Local Before Return
    • Various false positive fixes. Also a statementOrderMatters option to configure whether statements must be on consecutive lines.
  3. Unit test method should include System.Assert
    • Option to supply a list of classes or methods which function as external assertions.
  4. Too many methods
    • Counts getX and setX type methods. These methods should be converted into accessors.
  5. Unused Modifier
    • Now finds:
      • Annotations marked as abstract.
      • Nested annotations marked as static.
      • Nested annotations within another interface or annotation marked as public.
      • Classes, interfaces or annotations nested within an annotation marked as public or static.
      • Nested enums marked as static.
  6. Avoid Hard Coded Credentials
    • Fixed false positive 
      req.setHeader(‘Authorization’, ‘Bearer ’ + UserInfo.getSessionId());
      Open Redirect A few extra rules have been added. URLs may now be prefixed with:
      • / (%2F)
      • System.URL.getCurrentRequestURL() or System.URL.getSalesforceBaseURL()
      • Any URL, e.g. http://some-domain.com
  7. CSRF
    • Now checks whether the in-built CSRF protection is turned on
  8. Avoid calling methods before initializers in constructors
    • Local variables should be initialized before calling other methods in the class. Since the constructor may not be fully initialized, the methods may fail due to the state of the object.
  9. Avoid Using Hard Coded Salesforce Id
    • Improved identification of Ids
  10. Class naming convention
    • Added ‘allow underscores’ property. This allows enforcing of camel case rules to class names.

New VisualForce rules:

  1. Use Double Quotes to Define Attributes
    • Double quotes should be used to define all attributes in VisualForce. Unescaped output rule is deprecated due to it being superceded
  2. Avoid multiple apex:forms on a page
    • Multiple forms increase a page’s view state and is not recommended
  3. Empty Method in Abstract Class should be abstract
    • Updates to rule fix false positives.
  4. API Version Check
    • This rule checks that the page is configured to use a recent version of the Salesforce API. The minimum and maximum version is configurable.
  5. Avoid high apex:actionpoller interval
    • Carefully consider the effect of your action method being called repeatedly by an apex:actionPoller at the interval you specify, especially if it’s used on a page that will be widely distributed, or open continuously.
  6. Lightning rule: Check for lightning migration issues for apex:page attributes
    • This rule looks for apex:page attributes that may no longer work in lightning.
  7. Lightning rule: Check for lightning migration issues for apex:iframe
    • This rule looks for apex:iframe usage which may no longer work in lightning.
  8. Lightning rule: Check for lightning migration issues for apex:enhancedList
    • This rule looks for apex:enhancedList usage which may no longer work in lightning.
  9. Lightning rule: Check for lightning migration issues for hard coded ID links
    • This rule checks for links that refer directly to a record ID. Direct links to records aren’t supported in Lightning Experience.
  10. Lightning rule: Check for lightning migration issues for the session object
    • This rule checks for usages of API session token: $Api.Session_ID or GETSESSIONID(). Lightning Experience does not have access to the API session token.
  11. Lightning rule: Check for lightning migration issues for salesforce.com and force.com links
    • This rule checks for usages of force.com or salesforce.com which may cause issues if you decide to swap to My Domain or in Lightning Experience.

Updated VisualForce rules:

  1. Security Rules
    • Lots of false postives and false negatives have been fixed.
  2. Useless Parentheses
    • New tests take out possibility of a false positive on multiple logical operators
  3. Missing Static Method In Non Instantiatable Class
    • New tests test for nested factory methods and ignore builder pattern

Parsing fixes:

  • VisualForce parser has been completely rewritten. Many parsing exceptions in VisualForce are now resolved.

  • For loops

    for (;; (2 | 3)){ … }

     

  • SOQL Parameter prefix

    [select … :+ param]

     

  • Aura macros (eq/ne/gt/etc)

    {! something eq else }

     

Improvements:

  • Support for CodeScan for SonarQube 6.4
  • Updated and improved documentation
  • New VisualForce parser
  • New IntelliJ plugin
  • Violations on the same line are now displayed instead of hidden
  • Performance improvements

Bug Fixes:

  • Updated Apex Custom Rule-Designer with new parser, and displays more information
  • Updated CodeScan-Bundler to work around some 3rd-party library changes.
    • Xmx is now passed to ant by default
    • Git template project
  • DU analysis hangs in some scenarios.
  • NPath complexity calculation wasn’t calculating return value logic correctly.
  • Recursion bug in SOQLInjection (3.8.2)
  • DML functions (insert/merge/etc) now work in more complex situations like merge ((Account)something) ((Account)else);
  • Fixed licensing issue in SQ 6.7
  • Fixed some rule documentation (3.8.5)