forcedotcom / sfdx-scanner

MIT License

[BUG] Error (1): Attribute without value #1460

Closed saurabh-coinbase closed 1 month ago

saurabh-coinbase commented 2 months ago

scanner run Issue Template

Fill out this template to submit your Code Analyzer issue.

Description:

Error (1): Attribute without value

Documentation:

Steps To Reproduce:

Install latest beta version: sf plugins install @salesforce/sfdx-scanner@latest-beta

Expected Behavior:

Should not throw any error!

Screenshots:


Desktop: Using in the Git CI/CD Pipeline

Additional Context:

Workaround:

If I use latest then it works fine: sf plugins install @salesforce/sfdx-scanner@latest

Urgency:

We are facing some PMD error, Exception (Scanner Internal), which would be resolved under the PMD 7.0 release version.

jfeingold35 commented 2 months ago

@saurabh-coinbase , can you post the file that causes the exception?

saurabh-coinbase commented 2 months ago

Yup @jfeingold35 it's here!

<?xml version="1.0" encoding="UTF-8"?>
<ruleset xmlns="http://pmd.sourceforge.net/ruleset/2.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Default ruleset used by the CodeClimate Engine for Salesforce.com Apex" xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd">
    <description>Salesforce Coinbase ruleset</description>

    <exclude-pattern>.*/.sfdx/.*</exclude-pattern>
    <!--
    * Note on priorities:
    *   1: highest level
    *   5: lowest level
    *
    *   1: must fix (CI will stop on any of those)
    *   2: should fix (CI might refuse the PR). Not fixing those will make the code difficult to understand, test or debug.
    *   3: default value
    *   4: generic code style, naming conventions, etc.
    *   5: for information no immediate action required
    -->

    <!-- SECURITY -->
    <rule ref="category/apex/security.xml/ApexBadCrypto" message="Apex Crypto should use random IV/key">
    <priority>3</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexDangerousMethods" message="Calling potentially dangerous method">
    <priority>1</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexInsecureEndpoint" message="Apex callouts should use encrypted communication channels">
    <priority>3</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexOpenRedirect" message="Apex classes should safely redirect to a known location">
    <priority>3</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexSuggestUsingNamedCred" message="Consider using named credentials for authenticated callouts">
    <priority>1</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexXSSFromEscapeFalse" message="Apex classes should escape addError strings">
    <priority>3</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexXSSFromURLParam" message="Apex classes should escape Strings obtained from URL parameters">
    <priority>3</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexSharingViolations" message="Apex classes should declare a sharing model if DML or SOQL is used">
    <priority>1</priority>
    </rule>

    <!--Performance-->
    <rule ref="category/apex/performance.xml/AvoidDebugStatements" >
    <priority>2</priority>
    </rule>
    <rule ref="category/apex/performance.xml/EagerlyLoadedDescribeSObjectResult" >
    <priority>2</priority>
    </rule>
    <rule ref="category/apex/performance.xml/OperationWithLimitsInLoop" >
    <priority>2</priority>
    </rule>

</ruleset>
jfeingold35 commented 2 months ago

@saurabh-coinbase , if this is an issue with PMD itself instead of our integration with PMD (which is what this certainly seems like), then you might be better off logging this against PMD's repo directly instead of with us.

saurabh-coinbase commented 2 months ago

@jfeingold35 I already created one with the PMD support team; they mentioned the issue could be from the Salesforce scanner end.

jfeingold35 commented 2 months ago

@saurabh-coinbase , I'm unable to reproduce locally with the ruleset you provided. Is there any additional setup that you haven't posted yet? Alternatively, is it only reproducible in a particular file?

saurabh-coinbase commented 2 months ago

@jfeingold35 below is the yml file; the custom rule file was already shared, and that's all I have!

name: Salesforce Code Quality

on:
    workflow_dispatch:
    workflow_call:

jobs:
    PMD:
        runs-on: ubuntu-latest
        steps:
            - uses: actions/checkout@v4
            - uses: actions/setup-node@v3
            - name: Setup Salesforce CLI
              run: |
                  npm install --global @salesforce/cli
                  sf plugins install @salesforce/sfdx-scanner@latest-beta
            - name: SF Code Analyzer - PMD
              run: |
                  sf scanner:run --engine pmd --target src --pmdconfig=pmd/apex-ruleset.xml --format table
jfeingold35 commented 2 months ago

@saurabh-coinbase , okay, I've tried running that command with your custom ruleset against some of the sample Apex files we have on hand, and I can't reproduce this. That means it's probably dependent on the contents of the file being scanned. If you can narrow it down to a specific file or set of files and provide the contents of those files, I can continue to assist in debugging. But if not, then I'm afraid there's not much I can do to help.

saurabh-coinbase commented 1 month ago

@jfeingold35 There's another issue with the pipeline: 6 PMD violations were detected, but the PMD check did not fail based on the violations reported.

jfeingold35 commented 1 month ago

@saurabh-coinbase , Use the --severity-threshold flag, as per our documentation.
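As an added illustration of the gating point above (example code, not part of the sfdx-scanner project): `sf scanner run --severity-threshold N` makes the command itself exit non-zero when a violation at severity N or more severe is found. The script below applies the same rule to saved `--format json` output, for pipelines that want the scan and the gate as separate steps. It assumes the JSON is a list of per-file objects, each with a "violations" array whose entries carry an integer "severity" (1 = high, 2 = moderate, 3 = low); the sample results embedded in it are constructed.

```python
"""Fail a CI step on Code Analyzer violations at or above a chosen severity.

Added example; not sfdx-scanner code. Assumed JSON shape: a list of per-file
objects with a "violations" array whose entries carry an integer "severity"
(1 = high, 2 = moderate, 3 = low). The sample below is constructed.
"""
import json
import sys

# Constructed sample in the assumed shape of `sf scanner run --format json` output.
SAMPLE_JSON = json.dumps([
    {
        "engine": "pmd-custom",
        "fileName": "force-app/main/default/classes/MyClass.cls",
        "violations": [
            {"line": 12, "column": 5, "severity": 1,
             "ruleName": "ApexSharingViolations", "category": "Security",
             "message": "Apex classes should declare a sharing model if DML or SOQL is used"},
            {"line": 40, "column": 9, "severity": 2,
             "ruleName": "AvoidDebugStatements", "category": "Performance",
             "message": "Avoid debug statements"},
        ],
    },
    {
        "engine": "pmd-custom",
        "fileName": "force-app/main/default/classes/Other.cls",
        "violations": [
            {"line": 3, "column": 1, "severity": 3,
             "ruleName": "ApexBadCrypto", "category": "Security",
             "message": "Apex Crypto should use random IV/key"},
        ],
    },
])


def load_results(raw_json):
    """Parse the JSON text into the list of per-file result objects."""
    results = json.loads(raw_json)
    if not isinstance(results, list):
        raise ValueError("expected a JSON array of per-file results")
    return results


def count_by_severity(results):
    """Return {severity: count} over every violation in the result list."""
    counts = {}
    for entry in results:
        for v in entry.get("violations", []):
            sev = int(v["severity"])
            counts[sev] = counts.get(sev, 0) + 1
    return counts


def blocking_violations(results, threshold):
    """Violations at or above the threshold. Severity 1 is the most severe,
    so "at or above" means numerically <= threshold."""
    out = []
    for entry in results:
        for v in entry.get("violations", []):
            if int(v["severity"]) <= threshold:
                out.append((entry["fileName"], v["line"], int(v["severity"]), v["ruleName"]))
    return out


def gate(raw_json, threshold):
    """Exit code for the CI step: 1 if any blocking violation exists, else 0."""
    blocking = blocking_violations(load_results(raw_json), threshold)
    for path, line, sev, rule in blocking:
        print(f"{path}:{line}: severity {sev} {rule}")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python gate.py 2 < results.json  (falls back to the sample on a tty)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    sys.exit(gate(data, int(sys.argv[1]) if len(sys.argv) > 1 else 2))
```

Produce the input with `sf scanner run --engine pmd --pmdconfig pmd/apex-ruleset.xml --target src --format json --outfile results.json`, then run the gate on that file; a threshold of 1 blocks only the high-severity findings, 3 blocks everything.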

saurabh-coinbase commented 1 month ago

Thank you so much @jfeingold35, I'm still getting Server_Internal error and not sure what could be the resolution for that.

jfeingold35 commented 1 month ago

@saurabh-coinbase , as I've mentioned, I'm unable to reproduce that behavior. If you can narrow it down to one or more specific files being passed into --target and post those files, then I can continue to help you debug, but if not, then there's really nothing more I can do.

stephen-carter-at-sf commented 1 month ago

Yeah I too am unable to reproduce. I am getting:

~/temp/tempProj: sf scanner run --pmdconfig customRuleSet.xml --target force-app --format table
 › Warning: @salesforce/cli update available from 2.40.7 to 2.41.8.
 › Warning: Plugin @salesforce/sfdx-scanner (4.1.0) differs from the version specified by sf (3.24.0)
Warning: We're continually improving Salesforce Code Analyzer. Tell us what you think! Give feedback at https://research.net/r/SalesforceCA
Warning: The specified target wasn't processed by any engines. Use the --engine parameter to select a different engine or specify a different target. Specified target: force-app.
About to run PMD with custom config in customRuleSet.xml. Please make sure that any custom rule references have already been added to the plugin through scanner:rule:add command.
Executed engines: pmd-custom, retire-js.
No rule violations found.

So it might be attached to how the rule is running on your specific codebase. @saurabh-coinbase Have you tried using PMD 7 independent of salesforce code analyzer to see if that errors?

stephen-carter-at-sf commented 1 month ago

Closing this for now since we haven't received a reply.

codefriar commented 1 week ago

I'm experiencing something very similar and have some additional information to add:

First, I've decomposed the scanner's execution of PMD and executed PMD directly, using the same options. Specifically:

sf scanner run --engine pmd --pmdconfig pmd/ruleset.xml --target "force-app/main/default/classes/MyClass.cls" --verbose

Translates to:

pmd check -R main.xml --file-list force-app/main/default/classes/MyClass.cls --verbose

What's interesting is that the PMD command executes without issue, using PMD 7.2.0. However, the scanner at @salesforce/sfdx-scanner 4.2.0 (latest-beta) throws this error:

About to run PMD with custom config in pmd/ruleset.xml. Please make sure that any custom rule references have already been added to the plugin through scanner:rule:add command.
Error (1): Attribute without value
Line: 3
Column: 1
Char: >

For the record, my pmd/ruleset.xml file's top ~10 lines are:

<?xml version="1.0" encoding="UTF-8" ?>
<ruleset name="Standard"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd" >
    <description>Booz Allen Hamilton Salesforce Standard Ruleset</description>
    <rule ref="category/apex/design.xml/ExcessiveClassLength" >
        <priority>2</priority>
        <properties>
            <property name="minimum" value="1000" />
        </properties>
    </rule>

Specifically, line 3, mentioned in the error message:

 xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd" >

This presumably relates to the final > on the line, as that's the only > on it, but this hasn't changed in a long time.

I will admit I expect there's some form of version disconnect between the latest beta of the scanner and PMD 7.2...

I've tried debugging this with --verbose, etc., but I'm not getting enough information to figure it out.

codefriar commented 1 week ago

@jfeingold35 @stephen-carter-at-sf Just adding y'all back to this
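An added check for the situation described in this thread (example code, not from sfdx-scanner or PMD): before handing a custom ruleset to the scanner, run it through a standards-conforming XML parser, which reports the line and column of the first well-formedness error, and list the rule refs and priorities it declares. If that parse succeeds, "Attribute without value" cannot be a defect in the ruleset itself, which narrows the search to the tool. The rulesets embedded below are constructed: the first reproduces the multi-line `<ruleset>` start tag from the report above, the second is deliberately malformed (a `ref` attribute with no value, which is what the error message means in XML terms).

```python
"""Check a custom PMD ruleset for XML well-formedness and list its rules.

Added example; not code from sfdx-scanner or PMD. Uses only the standard
library's expat-based parser. Both rulesets below are constructed.
"""
import sys
import xml.etree.ElementTree as ET

PMD_NS = "http://pmd.sourceforge.net/ruleset/2.0.0"

# Constructed: same multi-line start tag layout as the ruleset in the report.
WELL_FORMED = """<?xml version="1.0" encoding="UTF-8" ?>
<ruleset name="Standard"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd" >
    <description>Constructed sample ruleset</description>
    <rule ref="category/apex/design.xml/ExcessiveClassLength" >
        <priority>2</priority>
        <properties>
            <property name="minimum" value="1000" />
        </properties>
    </rule>
    <rule ref="category/apex/security.xml/ApexSharingViolations">
        <priority>1</priority>
    </rule>
</ruleset>
"""

# Constructed counterexample: `ref` has no value, so the file is not
# well-formed XML and any conforming parser must reject it at line 3.
MALFORMED = """<?xml version="1.0" encoding="UTF-8"?>
<ruleset name="Broken" xmlns="http://pmd.sourceforge.net/ruleset/2.0.0">
    <rule ref>
        <priority>1</priority>
    </rule>
</ruleset>
"""


def check_ruleset(text):
    """Parse ruleset text. Returns (ok, detail): on success detail is a list
    of (rule ref, priority) pairs; on failure it is "line:col: message" for
    the first problem found."""
    try:
        # Feed bytes so the XML declaration's encoding is honoured by expat.
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError as err:
        line, col = err.position
        return False, f"{line}:{col}: {err}"
    if root.tag != f"{{{PMD_NS}}}ruleset":
        return False, f"root element is {root.tag}, expected a PMD 2.0.0 <ruleset>"
    rules = []
    for rule in root.findall(f"{{{PMD_NS}}}rule"):
        ref = rule.get("ref")
        if not ref:
            return False, "a <rule> element has no ref attribute"
        prio = rule.findtext(f"{{{PMD_NS}}}priority")
        rules.append((ref, int(prio) if prio else None))
    return True, rules


if __name__ == "__main__":
    # Usage: python check_ruleset.py pmd/ruleset.xml  (defaults to the sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else WELL_FORMED
    ok, detail = check_ruleset(text)
    print("OK" if ok else "NOT WELL-FORMED", detail)
    sys.exit(0 if ok else 1)
```

Run it in the same CI job, on the same checked-out file, just before the scanner step: a pass here followed by "Attribute without value" from the scanner is the evidence worth attaching to the report.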