Apex Rules

Best Practices

• ApexAssertionsShouldIncludeMessage: The second parameter of System.assert/third parameter of System.assertEquals/System.assertNotEqua…
• ApexUnitTestClassShouldHaveAsserts: Apex unit tests should include at least one assertion. This makes the tests more robust, and usi…
• ApexUnitTestClassShouldHaveRunAs: Apex unit tests should include at least one runAs method. This makes the tests more robust, and …
• ApexUnitTestMethodShouldHaveIsTestAnnotation: Apex test methods should have ‘@isTest’ annotation instead of the ‘testMethod’ keyword, as ‘testM…
• ApexUnitTestShouldNotUseSeeAllDataTrue: Apex unit tests should not use @isTest(seeAllData=true) because it opens up the existing database…
• AvoidGlobalModifier: Global classes should be avoided (especially in managed packages) as they can never be deleted or…
• AvoidLogicInTrigger: As triggers do not allow methods like regular classes they are less flexible and suited to apply …
• DebugsShouldUseLoggingLevel: The first parameter of System.debug, when using the signature with two parameters, is a LoggingLe…
• QueueableWithoutFinalizer: Detects when the Queueable interface is used but a Finalizer is not attached. It is best practice…
• UnusedLocalVariable: Detects when a local variable is declared and/or assigned but not used.

Code Style

• ClassNamingConventions: Configurable naming conventions for type declarations. This rule reports type declara…
• FieldDeclarationsShouldBeAtStart: Field declarations should appear before method declarations within a class.
• FieldNamingConventions: Configurable naming conventions for field declarations. This rule reports variable declarations …
• ForLoopsMustUseBraces: Avoid using ‘for’ statements without using surrounding braces. If the code formatting or indentat…
• FormalParameterNamingConventions: Configurable naming conventions for formal parameters of methods. This rule reports f…
• IfElseStmtsMustUseBraces: Avoid using if..else statements without using surrounding braces. If the code formatting or inden…
• IfStmtsMustUseBraces: Avoid using if statements without using braces to surround the code block. If the code formatting…
• LocalVariableNamingConventions: Configurable naming conventions for local variable declarations. This rule reports va…
• MethodNamingConventions: Configurable naming conventions for method declarations. This rule reports method dec…
• OneDeclarationPerLine: Apex allows the use of several variables declaration of the same type on one line. However, it ca…
• PropertyNamingConventions: Configurable naming conventions for property declarations. This rule reports property…
• WhileLoopsMustUseBraces: Avoid using ‘while’ statements without using braces to surround the code block. If the code forma…

Design

• AvoidBooleanMethodParameters: Boolean parameters in a system’s API can make method calls difficult to understand and …
• AvoidDeeplyNestedIfStmts: Avoid creating deeply nested if-then statements since they are harder to read and error-prone to …
• CognitiveComplexity: Methods that are highly complex are difficult to read and more costly to maintain. If you include…
• CyclomaticComplexity: The complexity of methods directly affects maintenance costs and readability. Concentrating too m…
• ExcessiveClassLength: Excessive class file lengths are usually indications that the class may be burdened with excessiv…
• ExcessiveParameterList: Methods with numerous parameters are a challenge to maintain, especially if most of them share th…
• ExcessivePublicCount: Classes with large numbers of public methods, attributes, and properties require disproportionate…
• NcssConstructorCount: This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of l…
• NcssMethodCount: This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of l…
• NcssTypeCount: This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of l…
• StdCyclomaticComplexity: Complexity directly affects maintenance costs is determined by the number of decision points in a…
• TooManyFields: Classes that have too many fields can become unwieldy and could be redesigned to have fewer field…
• UnusedMethod: Avoid having unused methods since they make understanding and maintaining code harder. This rule …

Documentation

• ApexDoc: This rule validates that: ApexDoc comments are present for classes, methods, and properties th…

Error Prone

• ApexCSRF: Having DML operations in Apex class constructor or initializers can have unexpected side effects:…
• AvoidDirectAccessTriggerMap: Avoid directly accessing Trigger.old and Trigger.new as it can lead to a bug. Triggers should be …
• AvoidHardcodingId: When deploying Apex code between sandbox and production environments, or installing Force.com App…
• AvoidNonExistentAnnotations: Apex supported non existent annotations for legacy reasons. In the future, use of such non-…
• AvoidStatefulDatabaseResult: Using instance variables of the following types (or collections of these types) within a stateful…
• EmptyCatchBlock: Empty Catch Block finds instances where an exception is caught, but nothing is done. In mos…
• EmptyIfStmt: Empty If Statement finds instances where a condition is checked but nothing is done about it.
• EmptyStatementBlock: Empty block statements serve no purpose and should be removed.
• EmptyTryOrFinallyBlock: Avoid empty try or finally blocks - what’s the point?
• EmptyWhileStmt: Empty While Statement finds all instances where a while statement does nothing. If it is a …
• InaccessibleAuraEnabledGetter: In the Summer ‘21 release, a mandatory security update enforces access modifiers on Apex properti…
• MethodWithSameNameAsEnclosingClass: Non-constructor methods should not have the same name as the enclosing class.
• OverrideBothEqualsAndHashcode: Override both ‘public Boolean equals(Object obj)’, and ‘public Integer hashCode()’, or override n…
• TestMethodsMustBeInTestClasses: Test methods marked as a testMethod or annotated with @IsTest, but not residing in a test c…
• TypeShadowsBuiltInNamespace: This rule finds Apex classes, enums, and interfaces that have the same name as a class, enum, or …

Performance

• AvoidDebugStatements: Debug statements contribute to longer transactions and consume Apex CPU time even when debug logs…
• AvoidNonRestrictiveQueries: When working with very large amounts of data, unfiltered SOQL or SOSL queries can quickly cause …
• EagerlyLoadedDescribeSObjectResult: This rule finds ‘DescribeSObjectResult’s which could have been loaded eagerly via ‘SObjectType.ge…
• OperationWithHighCostInLoop: This rule finds method calls inside loops that are known to be likely a performance issue. These …
• OperationWithLimitsInLoop: Database class methods, DML operations, SOQL queries, SOSL queries, Approval class methods, Email…

Security

• ApexBadCrypto: The rule makes sure you are using randomly generated IVs and keys for ‘Crypto’ calls. Hard-wiring…
• ApexCRUDViolation: The rule validates you are checking for access permissions before a SOQL/SOSL/DML operation. Sinc…
• ApexDangerousMethods: Checks against calling dangerous methods. For the time being, it reports: Against ‘FinancialForc…
• ApexInsecureEndpoint: Checks against accessing endpoints under plain http. You should always use https for security.
• ApexOpenRedirect: Checks against redirects to user-controlled locations. This prevents attackers from redirecting u…
• ApexSharingViolations: Detect classes declared without explicit sharing mode if DML methods are used. This forces the de…
• ApexSOQLInjection: Detects the usage of untrusted / unescaped variables in DML queries.
• ApexSuggestUsingNamedCred: Detects hardcoded credentials used in requests to an endpoint. You should refrain from hardcoding…
• ApexXSSFromEscapeFalse: Reports on calls to ‘addError’ with disabled escaping. The message passed to ‘addError’ will be d…
• ApexXSSFromURLParam: Makes sure that all values obtained from URL parameters are properly escaped / sanitized to avoid…

Additional rulesets

• quickstart (rulesets/apex/quickstart.xml):

  Quickstart configuration of PMD for Salesforce.com Apex. Includes the rules that are most likely to apply everywhere.

  It contains the following rules:

  ApexBadCrypto,ApexCRUDViolation,ApexCSRF,ApexDangerousMethods,ApexDoc,ApexInsecureEndpoint,ApexOpenRedirect,ApexSharingViolations,ApexSOQLInjection,ApexSuggestUsingNamedCred,ApexUnitTestClassShouldHaveAsserts,ApexUnitTestClassShouldHaveRunAs,ApexUnitTestShouldNotUseSeeAllDataTrue,ApexXSSFromEscapeFalse,ApexXSSFromURLParam,AvoidDeeplyNestedIfStmts,AvoidDirectAccessTriggerMap,AvoidGlobalModifier,AvoidHardcodingId,AvoidLogicInTrigger,AvoidNonExistentAnnotations,ClassNamingConventions,CyclomaticComplexity,DebugsShouldUseLoggingLevel,EmptyCatchBlock,EmptyIfStmt,EmptyStatementBlock,EmptyTryOrFinallyBlock,EmptyWhileStmt,ExcessiveClassLength,ExcessiveParameterList,ExcessivePublicCount,FieldNamingConventions,ForLoopsMustUseBraces,FormalParameterNamingConventions,IfElseStmtsMustUseBraces,IfStmtsMustUseBraces,LocalVariableNamingConventions,MethodNamingConventions,MethodWithSameNameAsEnclosingClass,NcssConstructorCount,NcssMethodCount,NcssTypeCount,OneDeclarationPerLine,OperationWithHighCostInLoop,OperationWithLimitsInLoop,PropertyNamingConventions,StdCyclomaticComplexity,TooManyFields,WhileLoopsMustUseBraces