Apex Rules

Edit me

Best Practices

• ApexAssertionsShouldIncludeMessage: The second parameter of System.assert/third parameter of System.assertEquals/System.assertNotEqua…
• ApexUnitTestClassShouldHaveAsserts: Apex unit tests should include at least one assertion. This makes the tests more robust, and usi…
• ApexUnitTestMethodShouldHaveIsTestAnnotation: Apex test methods should have @isTest annotation.As testMethod keyword is deprecated, Salesforce …
• ApexUnitTestShouldNotUseSeeAllDataTrue: Apex unit tests should not use @isTest(seeAllData=true) because it opens up the existing database…
• AvoidGlobalModifier: Global classes should be avoided (especially in managed packages) as they can never be deleted or…
• AvoidLogicInTrigger: As triggers do not allow methods like regular classes they are less flexible and suited to apply …
• DebugsShouldUseLoggingLevel: The first parameter of System.debug, when using the signature with two parameters, is a LoggingLe…

Code Style

• ClassNamingConventions: Configurable naming conventions for type declarations. This rule reports type declarat…
• FieldNamingConventions: Configurable naming conventions for field declarations. This rule reports variable declarations …
• ForLoopsMustUseBraces: Avoid using ‘for’ statements without using surrounding braces. If the code formatting orindentati…
• FormalParameterNamingConventions: Configurable naming conventions for formal parameters of methods. This rule reports fo…
• IfElseStmtsMustUseBraces: Avoid using if..else statements without using surrounding braces. If the code formattingor indent…
• IfStmtsMustUseBraces: Avoid using if statements without using braces to surround the code block. If the codeformatting …
• LocalVariableNamingConventions: Configurable naming conventions for local variable declarations. This rule reports var…
• MethodNamingConventions: Configurable naming conventions for method declarations. This rule reports method decl…
• OneDeclarationPerLine: Apex allows the use of several variables declaration of the same type on one line. However, itcan…
• PropertyNamingConventions: Configurable naming conventions for property declarations. This rule reports property …
• VariableNamingConventions: Deprecated A variable naming conventions rule - customize this to your liking. Currently, itchecks for fina…
• WhileLoopsMustUseBraces: Avoid using ‘while’ statements without using braces to surround the code block. If the codeformat…

Design

• AvoidDeeplyNestedIfStmts: Avoid creating deeply nested if-then statements since they are harder to read and error-prone to …
• CognitiveComplexity: Methods that are highly complex are difficult to read and more costly to maintain. If you include…
• CyclomaticComplexity: The complexity of methods directly affects maintenance costs and readability. Concentrating too m…
• ExcessiveClassLength: Excessive class file lengths are usually indications that the class may be burdened with excessiv…
• ExcessiveParameterList: Methods with numerous parameters are a challenge to maintain, especially if most of them share th…
• ExcessivePublicCount: Classes with large numbers of public methods and attributes require disproportionate testing effo…
• NcssConstructorCount: This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of l…
• NcssMethodCount: This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of l…
• NcssTypeCount: This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of l…
• StdCyclomaticComplexity: Complexity directly affects maintenance costs is determined by the number of decision points in a…
• TooManyFields: Classes that have too many fields can become unwieldy and could be redesigned to have fewer field…

Documentation

• ApexDoc: This rule validates that: ApexDoc comments are present for classes, methods, and properties that …

Error Prone

• ApexCSRF: Having DML operations in Apex class constructor or initializers can have unexpected side effects:…
• AvoidDirectAccessTriggerMap: Avoid directly accessing Trigger.old and Trigger.new as it can lead to a bug. Triggers should be …
• AvoidHardcodingId: When deploying Apex code between sandbox and production environments, or installing Force.com App…
• AvoidNonExistentAnnotations: Apex supported non existent annotations for legacy reasons. In the future, use of such…
• EmptyCatchBlock: Empty Catch Block finds instances where an exception is caught, but nothing is done.In most circu…
• EmptyIfStmt: Empty If Statement finds instances where a condition is checked but nothing is done about it.
• EmptyStatementBlock: Empty block statements serve no purpose and should be removed.
• EmptyTryOrFinallyBlock: Avoid empty try or finally blocks - what’s the point?
• EmptyWhileStmt: Empty While Statement finds all instances where a while statement does nothing.If it is a timing …
• MethodWithSameNameAsEnclosingClass: Non-constructor methods should not have the same name as the enclosing class.
• TestMethodsMustBeInTestClasses: Test methods marked as a testMethod or annotated with @IsTest, but not residing in a tes…

Performance

• AvoidDmlStatementsInLoops: Avoid DML statements inside loops to avoid hitting the DML governor limit. Instead, try to batch …
• AvoidSoqlInLoops: New objects created within loops should be checked to see if they can created outside them and re…
• AvoidSoslInLoops: Sosl calls within loops can cause governor limit exceptions.

Security

• ApexBadCrypto: The rule makes sure you are using randomly generated IVs and keys for ‘Crypto’ calls.Hard-wiring …
• ApexCRUDViolation: The rule validates you are checking for access permissions before a SOQL/SOSL/DML operation.Since…
• ApexCSRF: Deprecated The rule has been moved to another ruleset. Use instead ApexCSRF.
• ApexDangerousMethods: Checks against calling dangerous methods.For the time being, it reports: Against ‘FinancialForce’…
• ApexInsecureEndpoint: Checks against accessing endpoints under plain http. You should always usehttps for security.
• ApexOpenRedirect: Checks against redirects to user-controlled locations. This prevents attackers fromredirecting us…
• ApexSharingViolations: Detect classes declared without explicit sharing mode if DML methods are used. Thisforces the dev…
• ApexSOQLInjection: Detects the usage of untrusted / unescaped variables in DML queries.
• ApexSuggestUsingNamedCred: Detects hardcoded credentials used in requests to an endpoint.You should refrain from hardcoding …
• ApexXSSFromEscapeFalse: Reports on calls to ‘addError’ with disabled escaping. The message passed to ‘addError’will be di…
• ApexXSSFromURLParam: Makes sure that all values obtained from URL parameters are properly escaped / sanitizedto avoid …

Additional rulesets

• ApexUnit (rulesets/apex/apexunit.xml):

  Deprecated This ruleset is for backwards compatibility.

  It contains the following rules:

  ApexUnitTestClassShouldHaveAsserts, ApexUnitTestShouldNotUseSeeAllDataTrue

• Braces (rulesets/apex/braces.xml):

  Deprecated This ruleset is for backwards compatibility.

  It contains the following rules:

  ForLoopsMustUseBraces, IfElseStmtsMustUseBraces, IfStmtsMustUseBraces, WhileLoopsMustUseBraces

• Complexity (rulesets/apex/complexity.xml):

  Deprecated This ruleset is for backwards compatibility.

  It contains the following rules:

  AvoidDeeplyNestedIfStmts, ExcessiveClassLength, ExcessiveParameterList, ExcessivePublicCount, NcssConstructorCount, NcssMethodCount, NcssTypeCount, StdCyclomaticComplexity, TooManyFields

• Default ruleset used by the CodeClimate Engine for Salesforce.com Apex (rulesets/apex/ruleset.xml):

  Deprecated This ruleset is for backwards compatibility.

  It contains the following rules:

  ApexBadCrypto, ApexCRUDViolation, ApexCSRF, ApexDangerousMethods, ApexDoc, ApexInsecureEndpoint, ApexOpenRedirect, ApexSharingViolations, ApexSOQLInjection, ApexSuggestUsingNamedCred, ApexUnitTestClassShouldHaveAsserts, ApexUnitTestShouldNotUseSeeAllDataTrue, ApexXSSFromEscapeFalse, ApexXSSFromURLParam, AvoidDeeplyNestedIfStmts, AvoidDirectAccessTriggerMap, AvoidDmlStatementsInLoops, AvoidGlobalModifier, AvoidHardcodingId, AvoidLogicInTrigger, AvoidNonExistentAnnotations, AvoidSoqlInLoops, AvoidSoslInLoops, ClassNamingConventions, CyclomaticComplexity, EmptyCatchBlock, EmptyIfStmt, EmptyStatementBlock, EmptyTryOrFinallyBlock, EmptyWhileStmt, ExcessiveClassLength, ExcessiveParameterList, ExcessivePublicCount, ForLoopsMustUseBraces, IfElseStmtsMustUseBraces, IfStmtsMustUseBraces, MethodNamingConventions, MethodWithSameNameAsEnclosingClass, NcssConstructorCount, NcssMethodCount, NcssTypeCount, OneDeclarationPerLine, StdCyclomaticComplexity, TooManyFields, VariableNamingConventions, WhileLoopsMustUseBraces

• Empty Code (rulesets/apex/empty.xml):

  Deprecated This ruleset is for backwards compatibility.

  It contains the following rules:

  EmptyCatchBlock, EmptyIfStmt, EmptyStatementBlock, EmptyTryOrFinallyBlock, EmptyWhileStmt

• Metrics temporary ruleset (rulesets/apex/metrics.xml):

  Deprecated This ruleset is for backwards compatibility.

  It contains the following rules:

  CyclomaticComplexity

• Performance (rulesets/apex/performance.xml):

  Deprecated This ruleset is for backwards compatibility.

  It contains the following rules:

  AvoidDmlStatementsInLoops, AvoidSoqlInLoops, AvoidSoslInLoops

• quickstart (rulesets/apex/quickstart.xml):

  Quickstart configuration of PMD for Salesforce.com Apex. Includes the rules that are most likely to apply everywhere.

  It contains the following rules:

  ApexBadCrypto, ApexCRUDViolation, ApexCSRF, ApexDangerousMethods, ApexDoc, ApexInsecureEndpoint, ApexOpenRedirect, ApexSharingViolations, ApexSOQLInjection, ApexSuggestUsingNamedCred, ApexUnitTestClassShouldHaveAsserts, ApexUnitTestShouldNotUseSeeAllDataTrue, ApexXSSFromEscapeFalse, ApexXSSFromURLParam, AvoidDeeplyNestedIfStmts, AvoidDirectAccessTriggerMap, AvoidDmlStatementsInLoops, AvoidGlobalModifier, AvoidHardcodingId, AvoidLogicInTrigger, AvoidNonExistentAnnotations, AvoidSoqlInLoops, AvoidSoslInLoops, ClassNamingConventions, CyclomaticComplexity, DebugsShouldUseLoggingLevel, EmptyCatchBlock, EmptyIfStmt, EmptyStatementBlock, EmptyTryOrFinallyBlock, EmptyWhileStmt, ExcessiveClassLength, ExcessiveParameterList, ExcessivePublicCount, FieldNamingConventions, ForLoopsMustUseBraces, FormalParameterNamingConventions, IfElseStmtsMustUseBraces, IfStmtsMustUseBraces, LocalVariableNamingConventions, MethodNamingConventions, MethodWithSameNameAsEnclosingClass, NcssConstructorCount, NcssMethodCount, NcssTypeCount, OneDeclarationPerLine, PropertyNamingConventions, StdCyclomaticComplexity, TooManyFields, WhileLoopsMustUseBraces

• Security (rulesets/apex/security.xml):

  Deprecated This ruleset is for backwards compatibility.

  It contains the following rules:

  ApexBadCrypto, ApexCRUDViolation, ApexCSRF, ApexDangerousMethods, ApexInsecureEndpoint, ApexOpenRedirect, ApexSharingViolations, ApexSOQLInjection, ApexSuggestUsingNamedCred, ApexXSSFromEscapeFalse, ApexXSSFromURLParam

• Style (rulesets/apex/style.xml):

  Deprecated This ruleset is for backwards compatibility.

  It contains the following rules:

  AvoidDirectAccessTriggerMap, AvoidGlobalModifier, AvoidHardcodingId, AvoidLogicInTrigger, ClassNamingConventions, MethodNamingConventions, MethodWithSameNameAsEnclosingClass, VariableNamingConventions