New Apex Rules
- Avoid Insecure Digest Algorithms
- MD5 and SHA-1 are no longer considered secure because it is too easy to create a collision: two different messages that produce the same hash.
- Avoid Salesforce System Class Names
- A custom class whose name matches an existing Salesforce System class shadows it, because the local namespace takes precedence. References intended for the system class (for example Database or Test) then resolve to the custom class instead.
- Avoid Nested Switch Statements
- Avoid creating nested 'switch' statements since they are error-prone, harder to read and harder to maintain.
- Avoid Reversed Operators
- A reversed operator (typically `=+` or `=-` where `+=` or `-=` was intended) is usually a bug and, at the very least, makes the code hard to read.
- Avoid Using HTTP Referer Headers
- The HTTP Referer header is supplied by the client and can be set to any value by an attacker, so making authorization or routing decisions based on it is dangerous.
- Catch Block Should Do More Than Rethrow
- A catch block that does nothing but rethrow the exception adds no value; either make it handle the exception (log it, wrap it, add context) or remove the try/catch.
- Field Level Security Vulnerabilities
- This rule makes sure that the code checks the running user's object (CRUD) and field-level permissions, for example via the Schema describe methods, before running a SOQL, SOSL, or DML operation.
- Single Method Singleton
- A singleton should expose a single getInstance() method; overloaded getInstance variants undermine the pattern and should be avoided.
- Statements Should Be On Separate Lines
- Statements should be on separate lines to increase readability and maintainability.
- Suspicious For Loop Incrementer
- An incrementer that does not match the variable used in the loop's condition and body may be a bug.
- Ternary operators that can be simplified with || or &&
- Ternary operators with the form `condition ? literalBoolean : foo` or `condition ? foo : literalBoolean` can be simplified; for example `condition ? true : foo` is `condition || foo`, and `condition ? foo : false` is `condition && foo`.
- Unexpected Casting of Types
- Arithmetic keeps the type of its operands even when the caller expects a different result type: dividing two Integers, for instance, yields a truncated Integer rather than a Decimal. This can produce unexpected results.
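The following Apex class is an added example illustrating the "Field Level Security Vulnerabilities" rule above; it is not code from the rule set or from Salesforce. The class name, the Contact/Email field choice, and the NoAccessException handling are assumptions. The unchecked method is the pattern the rule flags; the checked method performs the describe-based CRUD and FLS checks before the SOQL read and again before the DML write.

```apex
// Added example, not part of the rule documentation. Contact.Email is used only
// as a representative standard field; the class name is hypothetical.
public with sharing class ContactEmailService {

    // Flagged: reads and writes a field without confirming the running user may do so.
    // "with sharing" enforces record-level sharing only, not CRUD or field-level security.
    public static void updateEmailUnchecked(Id contactId, String newEmail) {
        Contact c = [SELECT Id, Email FROM Contact WHERE Id = :contactId];
        c.Email = newEmail;
        update c;
    }

    // Compliant: object- and field-level permission checks precede each operation.
    public static void updateEmailChecked(Id contactId, String newEmail) {
        Schema.DescribeSObjectResult contactDescribe = Schema.SObjectType.Contact;
        Schema.DescribeFieldResult emailField = Schema.SObjectType.Contact.fields.Email;

        // Read access must be verified before the SOQL query runs.
        if (!contactDescribe.isAccessible() || !emailField.isAccessible()) {
            throw new System.NoAccessException();
        }
        Contact c = [SELECT Id, Email FROM Contact WHERE Id = :contactId];

        // Update access is a separate permission and must be checked before DML.
        if (!contactDescribe.isUpdateable() || !emailField.isUpdateable()) {
            throw new System.NoAccessException();
        }
        c.Email = newEmail;
        update c;
    }
}
```

The checks are deliberately split: a user may be allowed to read Email but not change it, so a single isAccessible() check before the whole method would let the DML through. The same pattern applies to isCreateable() before insert and isDeletable() before delete.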
Updated Apex Rules
- Division By Zero
- A division-by-zero exception may occur when zero can reach the denominator of a division or modulo operation.
- Apex Classes should use Random IV/Key
- The rule now also flags keys obtained through EncodingUtil.base64Decode(key), which typically indicates a hard-coded key rather than one generated at random.
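The following Apex class is an added example covering two of the cryptography rules above, "Avoid Insecure Digest Algorithms" and "Apex Classes should use Random IV/Key"; it is not code from the rule set or from Salesforce. The class name, the base64 constant (a constructed placeholder, not a real key) and the fixed IV string are assumptions. Each flagged method is paired with a compliant replacement built on the standard Crypto class.

```apex
// Added example, not part of the rule documentation. Class name is hypothetical.
public class CryptoHygiene {

    // Flagged by "Avoid Insecure Digest Algorithms": MD5 (and 'SHA1') are collision-prone.
    public static Blob weakDigest(Blob data) {
        return Crypto.generateDigest('MD5', data);
    }

    // Compliant: SHA-256 ('SHA-512' is also accepted by Crypto.generateDigest).
    public static Blob strongDigest(Blob data) {
        return Crypto.generateDigest('SHA-256', data);
    }

    // Constructed placeholder: base64 of 32 'A' bytes, standing in for a key baked into source.
    private static final String HARDCODED_KEY_B64 = 'QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=';

    // Flagged by "Apex Classes should use Random IV/Key": the key is a constant reached via
    // EncodingUtil.base64Decode, and the 16-byte IV is fixed, so identical plaintexts
    // always produce identical ciphertexts and anyone with the source has the key.
    public static Blob encryptWithFixedKey(Blob plaintext) {
        Blob key = EncodingUtil.base64Decode(HARDCODED_KEY_B64);
        Blob iv = Blob.valueOf('0123456789abcdef'); // fixed IV, 16 bytes
        return Crypto.encrypt('AES256', key, iv, plaintext);
    }

    // Compliant: generate the key with Crypto.generateAesKey once, at provisioning time,
    // and keep it outside the code (for example in a protected custom setting).
    public static Blob newKey() {
        return Crypto.generateAesKey(256);
    }

    // Compliant: encryptWithManagedIV draws a fresh random IV per call and prefixes it
    // to the ciphertext, so no IV is hard-coded or reused.
    public static Blob encryptWithRandomIv(Blob key, Blob plaintext) {
        return Crypto.encryptWithManagedIV('AES256', key, plaintext);
    }

    // decryptWithManagedIV reads the prefixed IV back out of the ciphertext.
    public static Blob decryptWithRandomIv(Blob key, Blob ciphertext) {
        return Crypto.decryptWithManagedIV('AES256', key, ciphertext);
    }
}
```

A round trip `decryptWithRandomIv(k, encryptWithRandomIv(k, p))` returns `p` for any key `k` from `newKey()`. Note that base64Decode itself is not the problem; the rule keys on it because a key that can be decoded from a string constant was never random.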
New Visualforce Rules
- Avoid using GETSESSIONID() and $API.Session_Id
- Lightning Experience does not expose the API session token, so Visualforce pages that read the session ID may break there and should be tested within Lightning Experience.
- External Script and Style Resources Should Be Avoided
- Including scripts or stylesheets from untrusted sources can lead to various security issues, including injection of malware into the page.
- Require CSRF Protection On GET Requests
- The "Require CSRF protection on GET requests" option must be enabled in the Visualforce page settings.
- Unencoded Formulas In Style Tags XSS
- Makes sure that values obtained from URL parameters and rendered inside <style> tags are properly escaped / sanitized to avoid XSS attacks.
- Unescaped Value Could Cause XSS
- Reflected cross-site scripting (XSS) occurs when an attacker-supplied value is echoed into a single HTTP response and executed by the browser. Rendering unescaped parameters is a security risk.
- Avoid Apex Tags Within Script
- Avoid using <apex:*> tags within <script> tags. They hurt readability, and values emitted into a JavaScript context need JavaScript escaping (JSENCODE) rather than the default HTML escaping.
- Improved documentation on vulnerabilities including links to OWASP and CERT explanations.
- Support for the `inherited sharing` keyword in Apex (see the Salesforce documentation).
- Code coverage that does not match the current state of the codebase no longer causes unrecoverable errors.
- Fixed bug that caused component files to not scan correctly (v4.2.2)
- The rule "Class with only Private Constructors should be Final" has been deprecated and removed completely. Apex classes are final by default (unless declared virtual or abstract), so this rule is unnecessary.
- SonarQube 7.6 Support
- A selection of new rules have been added to the default Quality Profiles (4.2.1).