Best Practices
- ApexUnitTestClassShouldHaveAsserts: Apex unit tests should include at least one assertion. This makes the tests more robust, and usi…
- ApexUnitTestShouldNotUseSeeAllDataTrue: Apex unit tests should not use @isTest(seeAllData=true) because it opens up the existing database…
- AvoidGlobalModifier: Global classes should be avoided (especially in managed packages) as they can never be deleted or…
- AvoidLogicInTrigger: As triggers do not allow methods like regular classes they are less flexible and suited to apply …
Code Style
- ClassNamingConventions: Class names should always begin with an upper case character.
- ForLoopsMustUseBraces: Avoid using ‘for’ statements without using surrounding braces. If the code formatting orindentati…
- IfElseStmtsMustUseBraces: Avoid using if..else statements without using surrounding braces. If the code formattingor indent…
- IfStmtsMustUseBraces: Avoid using if statements without using braces to surround the code block. If the codeformatting …
- MethodNamingConventions: Method names should always begin with a lower case character, and should not contain underscores.
- VariableNamingConventions: A variable naming conventions rule - customize this to your liking. Currently, itchecks for fina…
- WhileLoopsMustUseBraces: Avoid using ‘while’ statements without using braces to surround the code block. If the codeformat…
Design
- AvoidDeeplyNestedIfStmts: Avoid creating deeply nested if-then statements since they are harder to read and error-prone to …
- CyclomaticComplexity: The complexity of methods directly affects maintenance costs and readability. Concentrating too m…
- ExcessiveClassLength: Excessive class file lengths are usually indications that the class may be burdened with excessiv…
- ExcessiveParameterList: Methods with numerous parameters are a challenge to maintain, especially if most of them share th…
- ExcessivePublicCount: Classes with large numbers of public methods and attributes require disproportionate testing effo…
- NcssConstructorCount: This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of l…
- NcssMethodCount: This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of l…
- NcssTypeCount: This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of l…
- StdCyclomaticComplexity: Complexity directly affects maintenance costs is determined by the number of decision points in a…
- TooManyFields: Classes that have too many fields can become unwieldy and could be redesigned to have fewer field…
Error Prone
- AvoidDirectAccessTriggerMap: Avoid directly accessing Trigger.old and Trigger.new as it can lead to a bug. Triggers should be …
- AvoidHardcodingId: When deploying Apex code between sandbox and production environments, or installing Force.com App…
- AvoidNonExistentAnnotations: Apex supported non existent annotations for legacy reasons. In the future, use of such…
- EmptyCatchBlock: Empty Catch Block finds instances where an exception is caught, but nothing is done. In most cir…
- EmptyIfStmt: Empty If Statement finds instances where a condition is checked but nothing is done about it.
- EmptyStatementBlock: Empty block statements serve no purpose and should be removed.
- EmptyTryOrFinallyBlock: Avoid empty try or finally blocks - what’s the point?
- EmptyWhileStmt: Empty While Statement finds all instances where a while statement does nothing. If it is a timin…
- MethodWithSameNameAsEnclosingClass: Non-constructor methods should not have the same name as the enclosing class.
Performance
- AvoidDmlStatementsInLoops: Avoid DML statements inside loops to avoid hitting the DML governor limit. Instead, try to batch …
- AvoidSoqlInLoops: New objects created within loops should be checked to see if they can created outside them and re…
- AvoidSoslInLoops: Sosl calls within loops can cause governor limit exceptions.
Security
- ApexBadCrypto: The rule makes sure you are using randomly generated IVs and keys for ‘Crypto’ calls.Hard-wiring …
- ApexCRUDViolation: The rule validates you are checking for access permissions before a SOQL/SOSL/DML operation.Since…
- ApexCSRF: Check to avoid making DML operations in Apex class constructor/init method. This preventsmodifica…
- ApexDangerousMethods: Checks against calling dangerous methods.For the time being, it reports: Against ‘FinancialForce’…
- ApexInsecureEndpoint: Checks against accessing endpoints under plain http. You should always usehttps for security.
- ApexOpenRedirect: Checks against redirects to user-controlled locations. This prevents attackers fromredirecting us…
- ApexSharingViolations: Detect classes declared without explicit sharing mode if DML methods are used. Thisforces the dev…
- ApexSOQLInjection: Detects the usage of untrusted / unescaped variables in DML queries.
- ApexSuggestUsingNamedCred: Detects hardcoded credentials used in requests to an endpoint.You should refrain from hardcoding …
- ApexXSSFromEscapeFalse: Reports on calls to ‘addError’ with disabled escaping. The message passed to ‘addError’will be di…
- ApexXSSFromURLParam: Makes sure that all values obtained from URL parameters are properly escaped / sanitizedto avoid …
Additional rulesets
-
ApexUnit (
rulesets/apex/apexunit.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
ApexUnitTestClassShouldHaveAsserts, ApexUnitTestShouldNotUseSeeAllDataTrue
-
Braces (
rulesets/apex/braces.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
ForLoopsMustUseBraces, IfElseStmtsMustUseBraces, IfStmtsMustUseBraces, WhileLoopsMustUseBraces
-
Complexity (
rulesets/apex/complexity.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
AvoidDeeplyNestedIfStmts, ExcessiveClassLength, ExcessiveParameterList, ExcessivePublicCount, NcssConstructorCount, NcssMethodCount, NcssTypeCount, StdCyclomaticComplexity, TooManyFields
-
Default ruleset used by the CodeClimate Engine for Salesforce.com Apex (
rulesets/apex/ruleset.xml
):Default ruleset used by the Code Climate Engine for Salesforce.com Apex
It contains the following rules:
ApexBadCrypto, ApexCRUDViolation, ApexCSRF, ApexDangerousMethods, ApexInsecureEndpoint, ApexOpenRedirect, ApexSharingViolations, ApexSOQLInjection, ApexSuggestUsingNamedCred, ApexUnitTestClassShouldHaveAsserts, ApexUnitTestShouldNotUseSeeAllDataTrue, ApexXSSFromEscapeFalse, ApexXSSFromURLParam, AvoidDeeplyNestedIfStmts, AvoidDirectAccessTriggerMap, AvoidDmlStatementsInLoops, AvoidGlobalModifier, AvoidHardcodingId, AvoidLogicInTrigger, AvoidNonExistentAnnotations, AvoidSoqlInLoops, AvoidSoslInLoops, ClassNamingConventions, CyclomaticComplexity, EmptyCatchBlock, EmptyIfStmt, EmptyStatementBlock, EmptyTryOrFinallyBlock, EmptyWhileStmt, ExcessiveClassLength, ExcessiveParameterList, ExcessivePublicCount, ForLoopsMustUseBraces, IfElseStmtsMustUseBraces, IfStmtsMustUseBraces, MethodNamingConventions, MethodWithSameNameAsEnclosingClass, NcssConstructorCount, NcssMethodCount, NcssTypeCount, StdCyclomaticComplexity, TooManyFields, VariableNamingConventions, WhileLoopsMustUseBraces
-
Empty Code (
rulesets/apex/empty.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
EmptyCatchBlock, EmptyIfStmt, EmptyStatementBlock, EmptyTryOrFinallyBlock, EmptyWhileStmt
-
Metrics temporary ruleset (
rulesets/apex/metrics.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
-
Performance (
rulesets/apex/performance.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
AvoidDmlStatementsInLoops, AvoidSoqlInLoops, AvoidSoslInLoops
-
Security (
rulesets/apex/security.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
ApexBadCrypto, ApexCRUDViolation, ApexCSRF, ApexDangerousMethods, ApexInsecureEndpoint, ApexOpenRedirect, ApexSharingViolations, ApexSOQLInjection, ApexSuggestUsingNamedCred, ApexXSSFromEscapeFalse, ApexXSSFromURLParam
-
Style (
rulesets/apex/style.xml
):Deprecated This ruleset is for backwards compatibility.
It contains the following rules:
AvoidDirectAccessTriggerMap, AvoidGlobalModifier, AvoidHardcodingId, AvoidLogicInTrigger, ClassNamingConventions, MethodNamingConventions, MethodWithSameNameAsEnclosingClass, VariableNamingConventions