forcedotcom / sfdx-scanner

MIT License

[BUG] Scanner rule list does not include pmd-appexchange rules #1432

Closed pavelt-addepar closed 3 months ago

pavelt-addepar commented 3 months ago

Description: The command sf scanner rule list does not list pmd-appexchange rules.

Output of sf scanner rule list --verbose:

›   Warning: Plugin @salesforce/sfdx-scanner (4.0.0) differs from the version specified by sf (3.23.0)
Warning: We're continually improving Salesforce Code Analyzer. Tell us what you think! Give feedback at https://research.net/r/SalesforceCA
Cataloger: XML files collected from JAR [/Users/hello/.local/share/sf/node_modules/@salesforce/sfdx-scanner/dist/pmd7/lib/pmd-visualforce-7.0.0.jar]: [category/visualforce/bestpractices.xml, category/visualforce/codestyle.xml, category/visualforce/design.xml, category/visualforce/documentation.xml, category/visualforce/errorprone.xml, category/visualforce/multithreading.xml, category/visualforce/performance.xml, category/visualforce/security.xml, META-INF/maven/net.sourceforge.pmd/pmd-visualforce/pom.xml]
Warning: Cataloger: Dropping XML file [META-INF/maven/net.sourceforge.pmd/pmd-visualforce/pom.xml] since its path does not conform to Rulesets or Category.
Cataloger: XML files collected from JAR [/Users/hello/.local/share/sf/node_modules/@salesforce/sfdx-scanner/dist/pmd7/lib/pmd-apex-7.0.0.jar]: [category/apex/bestpractices.xml, category/apex/codestyle.xml, category/apex/design.xml, category/apex/documentation.xml, category/apex/errorprone.xml, category/apex/multithreading.xml, category/apex/performance.xml, category/apex/security.xml, rulesets/apex/quickstart.xml, META-INF/maven/net.sourceforge.pmd/pmd-apex/pom.xml]
Warning: Cataloger: Dropping XML file [META-INF/maven/net.sourceforge.pmd/pmd-apex/pom.xml] since its path does not conform to Rulesets or Category.
Cataloger: XML files collected from JAR [/Users/hello/.local/share/sf/node_modules/@salesforce/sfdx-scanner/pmd-appexchange/lib/sfca-pmd-visualforce-0.12.jar]: [category/visualforce/sfca_visualforce_security.xml, rulesets/visualforce/sfcaruleset.xml]
Cataloger: XML files collected from JAR [/Users/hello/.local/share/sf/node_modules/@salesforce/sfdx-scanner/pmd-appexchange/lib/sfca-pmd-xml-0.12.jar]: [category/xml/sfca_xml_security.xml, rulesets/xml/sfcaruleset.xml]
Cataloger: XML files collected from JAR [/Users/hello/.local/share/sf/node_modules/@salesforce/sfdx-scanner/pmd-appexchange/lib/sfca-pmd-html-0.12.jar]: [category/html/sfca_html_security.xml, rulesets/html/sfcaruleset.xml]
Cataloger: XML files collected from JAR [/Users/hello/.local/share/sf/node_modules/@salesforce/sfdx-scanner/pmd-appexchange/lib/sfca-pmd-sfmetadata-0.12.jar]: [category/sfmetadata/sfca_sfmetadata_security.xml, rulesets/sfmetadata/sfcaruleset.xml]
Cataloger: XML files collected from JAR [/Users/hello/.local/share/sf/node_modules/@salesforce/sfdx-scanner/pmd-appexchange/lib/sfca-pmd-javascript-0.12.jar]: [category/ecmascript/sfca_ecmascript_security.xml, rulesets/ecmascript/sfcaruleset.xml]
Cataloger: XML files collected from JAR [/Users/hello/.local/share/sf/node_modules/@salesforce/sfdx-scanner/pmd-appexchange/lib/sfca-pmd-apex-0.12.jar]: [category/apex/sfca_apex_security.xml, rulesets/apex/sfcaruleset.xml

Steps To Reproduce:

Using sfdx-scanner@4.0.0, execute sf scanner rule list --verbose (as above). In the output it's visible that it's loading the file category/apex/sfca_apex_security.xml from sfca-pmd-apex-0.12.jar. Open the jar file and then open the XML file, and pick a rule at random, for instance AvoidHardcodedCredentials. That rule does not appear in the result/output.

As a result, the pmd-appexchange engine does not appear anywhere in the results.

Expected Behavior: pmd-appexchange rules should be listed in the output.

Urgency: Not urgent.
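The manual check in the steps above (open the JAR, read its category XML, look for each rule name in the listing), as an added Python example that is not part of this issue or of the sfdx-scanner project; the JAR contents and the catalog names are constructed stand-ins, not the real sfca-pmd-apex-0.12.jar or real `sf scanner rule list` output:

```python
"""Enumerate PMD rule definitions inside a rule JAR and report which names
a rule catalog listing does not contain. Added example, not project code."""
import io
import xml.etree.ElementTree as ET
import zipfile

# PMD 7 ruleset/category XML files use this namespace.
PMD_NS = "{http://pmd.sourceforge.net/ruleset/2.0.0}"

# Constructed sample standing in for category/apex/sfca_apex_security.xml.
SAMPLE_CATEGORY_XML = b"""<?xml version="1.0"?>
<ruleset name="Constructed Apex Security" xmlns="http://pmd.sourceforge.net/ruleset/2.0.0">
  <rule name="AvoidHardcodedCredentials" language="apex" message="constructed"
        class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"/>
  <rule name="ConstructedSecondRule" language="apex" message="constructed"
        class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"/>
</ruleset>
"""

# Constructed stand-in for a rulesets/*.xml file: it only references rules.
SAMPLE_RULESET_XML = (b'<?xml version="1.0"?><ruleset name="c" '
                      b'xmlns="http://pmd.sourceforge.net/ruleset/2.0.0">'
                      b'<rule ref="category/apex/sfca_apex_security.xml"/></ruleset>')

# Constructed stand-in for the names the default catalog listing printed.
SAMPLE_CATALOG = {"ApexCRUDViolation", "ApexSOQLInjection"}


def build_sample_jar() -> bytes:
    """Build an in-memory JAR with the same layout the cataloger logs above show."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("category/apex/sfca_apex_security.xml", SAMPLE_CATEGORY_XML)
        jar.writestr("rulesets/apex/sfcaruleset.xml", SAMPLE_RULESET_XML)
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def rules_in_jar(jar_bytes: bytes) -> dict[str, set[str]]:
    """Map each category/*.xml path to the rule names it defines.
    rulesets/*.xml entries and ref="..." rules only point at definitions, so they are skipped."""
    found: dict[str, set[str]] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for path in jar.namelist():
            if path.startswith("category/") and path.endswith(".xml"):
                root = ET.fromstring(jar.read(path))
                found[path] = {r.get("name") for r in root.iter(PMD_NS + "rule")
                               if r.get("name") and not r.get("ref")}
    return found


def missing_from_catalog(jar_bytes: bytes, catalog_rules: set[str]) -> set[str]:
    """Rule names defined in the JAR that the catalog listing does not contain."""
    defined: set[str] = set()
    for names in rules_in_jar(jar_bytes).values():
        defined |= names
    return defined - catalog_rules
```

Pointing `rules_in_jar` at a real JAR on disk and `missing_from_catalog` at the names from `sf scanner rule list --json` reproduces the comparison the report describes.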

johnbelosf commented 3 months ago

This is working as intended. As per our docs, the command "Lists all the generally available rules in the catalog that are enabled by default." So pmd-appexchange rules are not included. You can find out more about the pmd-appexchange rules in our docs (link here).

We do want to improve how we display the currently configured rule catalog (not just the default one), but that is something in our long term roadmap.

pavelt-addepar commented 3 months ago

Thank you for the quick response - that's good to know!