NEW(pmd): @W-17310939@: Add in 3 more AppExchange rules: AvoidApiSess…

…ionId, AvoidAuraWithLockerDisabled, AvoidDisableProtocolSecurity

packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_xml.xml

@@ -5,23 +5,79 @@
          xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">
     <description>AppExchange Security Rules</description>
 
+
+    <rule name="AvoidApiSessionId"
+          language="xml"
+          class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"
+          message="Session ID use is not approved.">
+        <!-- TODO: NEED TO ADD IN externalInfoUrl ONCE WE HAVE A PERMANENT LOCATION FOR THE DOC PAGE -->
+        <description>Detects use of Api.Session_ID or GETSESSIONID() to retrieve a session ID.</description>
+        <priority>2</priority>
+        <!-- TODO: (NEED TO FINISHING GETTING LIST OF FILE EXTENSIONS FOR THIS RULE) This rule is associated with file extensions: ??, .object, .tab, .xml -->
+        <properties>
+            <property name="xpath">
+                <value><![CDATA[
+//text[
+contains(upper-case(@Text),"API.SESSION_ID")
+or
+contains(upper-case(@Text),"GETSESSIONID")
+]/..
+                ]]></value>
+            </property>
+        </properties>
+    </rule>
+
+
+    <rule name="AvoidAuraWithLockerDisabled"
+          language="xml"
+          class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"
+          message="To enable Lightning Locker, update the apiVersion to version 40 or greater.">
+        <!-- TODO: NEED TO ADD IN externalInfoUrl ONCE WE HAVE A PERMANENT LOCATION FOR THE DOC PAGE -->
+        <description>Detects use of API versions with Lightning Locker disabled in Aura components. Use API version 40 or greater.</description>
+        <priority>1</priority>
+        <!-- This rule is associated with file extensions: .remoteSite, .xml -->
+        <properties>
+            <property name="xpath">
+                <value><![CDATA[
+/document/AuraDefinitionBundle/apiVersion/text[number(@Text) lt 40]
+                ]]></value>
+            </property>
+        </properties>
+    </rule>
+
+
+    <rule name="AvoidDisableProtocolSecurity"
+          language="xml"
+          class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"
+          message="Protocol security setting is disabled.">
+        <!-- TODO: NEED TO ADD IN externalInfoUrl ONCE WE HAVE A PERMANENT LOCATION FOR THE DOC PAGE -->
+        <description>Detects if &quot;Disable Protocol Security&quot; setting is true.</description>
+        <priority>3</priority>
+        <!-- This rule is associated with file extensions: .remoteSite, .xml -->
+        <properties>
+            <property name="xpath">
+                <value><![CDATA[
+/document/RemoteSiteSetting/disableProtocolSecurity/text[@Text="true"]
+                ]]></value>
+            </property>
+        </properties>
+    </rule>
+
+
     <rule name="AvoidInsecureHttpRemoteSiteSetting"
           language="xml"
           class="net.sourceforge.pmd.lang.rule.xpath.XPathRule"
           message="Avoid using insecure http urls in Remote Site Settings.">
-          <!-- TODO: NEED TO ADD IN externalInfoUrl ONCE WE HAVE A PERMANENT LOCATION FOR THE DOC PAGE -->
-        <description>Detects instances of a Remote Site Settings that use HTTP.Use HTTPS instead.</description>
+        <!-- TODO: NEED TO ADD IN externalInfoUrl ONCE WE HAVE A PERMANENT LOCATION FOR THE DOC PAGE -->
+        <description>Detects instances of a Remote Site Settings that use HTTP. Use HTTPS instead.</description>
         <priority>3</priority>
+        <!-- This rule is associated with file extensions: .remoteSite, .xml -->
         <properties>
             <property name="xpath">
-                <value>
-<![CDATA[
+                <value><![CDATA[
 /document/RemoteSiteSetting/url/text[starts-with(lower-case(@Text),"http://")]
-]]>
-                </value>
+                ]]></value>
             </property>
         </properties>
     </rule>
-
-
 </ruleset>

packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidApiSessionIdTest.java

@@ -0,0 +1,16 @@
+package sfca.rulesets.appexchange_xml;
+
+import net.sourceforge.pmd.test.SimpleAggregatorTst;
+
+public class AvoidApiSessionIdTest extends SimpleAggregatorTst {
+    @Override
+    protected void setUp() {
+        // The test data xml file for this rule's test will always be in the resources directory using a naming
+        // convention based off the package for this test and the rule being tested:
+        //     "resources/<TestPackageName>/xml/<RuleName>.xml".
+        // In this case "sfca.rulesets.appexchange_xml" is the package name of this test file. Thus, the associated test
+        // data xml file for this rule must be found at:
+        //      "resource/sfca/rulesets/appexchange_xml/xml/AvoidApiSessionId.xml"
+        addRule("sfca/rulesets/AppExchange_xml.xml", "AvoidApiSessionId");
+    }
+}

packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidAuraWithLockerDisabledTest.java

@@ -0,0 +1,16 @@
+package sfca.rulesets.appexchange_xml;
+
+import net.sourceforge.pmd.test.SimpleAggregatorTst;
+
+public class AvoidAuraWithLockerDisabledTest extends SimpleAggregatorTst {
+    @Override
+    protected void setUp() {
+        // The test data xml file for this rule's test will always be in the resources directory using a naming
+        // convention based off the package for this test and the rule being tested:
+        //     "resources/<TestPackageName>/xml/<RuleName>.xml".
+        // In this case "sfca.rulesets.appexchange_xml" is the package name of this test file. Thus, the associated test
+        // data xml file for this rule must be found at:
+        //      "resource/sfca/rulesets/appexchange_xml/xml/AvoidAuraWithLockerDisabled.xml"
+        addRule("sfca/rulesets/AppExchange_xml.xml", "AvoidAuraWithLockerDisabled");
+    }
+}

packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidDisableProtocolSecurityTest.java

@@ -0,0 +1,16 @@
+package sfca.rulesets.appexchange_xml;
+
+import net.sourceforge.pmd.test.SimpleAggregatorTst;
+
+public class AvoidDisableProtocolSecurityTest extends SimpleAggregatorTst {
+    @Override
+    protected void setUp() {
+        // The test data xml file for this rule's test will always be in the resources directory using a naming
+        // convention based off the package for this test and the rule being tested:
+        //     "resources/<TestPackageName>/xml/<RuleName>.xml".
+        // In this case "sfca.rulesets.appexchange_xml" is the package name of this test file. Thus, the associated test
+        // data xml file for this rule must be found at:
+        //      "resource/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurity.xml"
+        addRule("sfca/rulesets/AppExchange_xml.xml", "AvoidDisableProtocolSecurity");
+    }
+}

packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidApiSessionId.xml

@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<test-data
+        xmlns="http://pmd.sourceforge.net/rule-tests"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://pmd.sourceforge.net/rule-tests https://pmd.sourceforge.net/rule-tests_1_0_0.xsd">
+
+    <test-code>
+        <description>When custom object weblinks use GETSESSIONID(), then report violation</description>
+        <expected-problems>1</expected-problems>
+        <expected-linenumbers>6</expected-linenumbers>
+        <code><![CDATA[
+<?xml version="1.0" encoding="UTF-8"?>
+<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
+    <!-- ... -->
+    <webLinks>
+        <!-- ... -->
+	    <url>{!REQUIRESCRIPT(&apos;/soap/ajax/26.0/connection.js&apos;)}
+		    sforce.connection.sessionId = &apos;{!GETSESSIONID()}&apos;;
+	    </url>
+    </webLinks>
+</CustomObject>
+        ]]></code>
+    </test-code>
+
+    <test-code>
+        <description>When custom object weblinks use API.Session_Id, then report violation</description>
+        <expected-problems>1</expected-problems>
+        <expected-linenumbers>6</expected-linenumbers>
+        <code><![CDATA[
+<?xml version="1.0" encoding="UTF-8"?>
+<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
+    <!-- ... -->
+    <webLinks>
+        <!-- ... -->
+        <url>
+            /apex/something?id={!something__c.Id}&amp;sessionId={!$Api.Session_ID}&amp;instance={!$Api.Partner_Server_URL_260}
+        </url>
+    </webLinks>
+</CustomObject>
+        ]]></code>
+    </test-code>
+
+    <test-code>
+        <description>When custom tab uses API.Session_Id, then report violation</description>
+        <expected-problems>1</expected-problems>
+        <expected-linenumbers>4</expected-linenumbers>
+        <code><![CDATA[
+<?xml version="1.0" encoding="UTF-8"?>
+<CustomTab xmlns="http://soap.sforce.com/2006/04/metadata">
+    <!-- ... -->
+    <url>
+        https://test.example.com/dummy.ph?param1={!API.Enterprise_Server_URL_540}&amp;sessionId={!API.Session_ID}&amp;param2={!Organization.Name}&amp;param3={!User.Email}
+    </url>
+</CustomTab>
+        ]]></code>
+    </test-code>
+
+</test-data>

packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidAuraWithLockerDisabled.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<test-data
+        xmlns="http://pmd.sourceforge.net/rule-tests"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://pmd.sourceforge.net/rule-tests https://pmd.sourceforge.net/rule-tests_1_0_0.xsd">
+
+    <test-code>
+        <description>When AuraDefinitionBundle has version less than 40, then report violation</description>
+        <expected-problems>1</expected-problems>
+        <expected-linenumbers>3</expected-linenumbers>
+        <code><![CDATA[
+<?xml version="1.0" encoding="UTF-8"?>
+<AuraDefinitionBundle xmlns="http://soap.sforce.com/2006/04/metadata">
+    <apiVersion>39.0</apiVersion>
+    <!-- ... -->
+</AuraDefinitionBundle>
+        ]]></code>
+    </test-code>
+
+    <test-code>
+        <description>When AuraDefinitionBundle has version greater than 40, then do not report violation</description>
+        <expected-problems>0</expected-problems>
+        <code><![CDATA[
+<?xml version="1.0" encoding="UTF-8"?>
+<AuraDefinitionBundle xmlns="http://soap.sforce.com/2006/04/metadata">
+    <apiVersion>53.0</apiVersion>
+    <!-- ... -->
+</AuraDefinitionBundle>
+        ]]></code>
+    </test-code>
+
+</test-data>

packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurity.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<test-data
+        xmlns="http://pmd.sourceforge.net/rule-tests"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://pmd.sourceforge.net/rule-tests https://pmd.sourceforge.net/rule-tests_1_0_0.xsd">
+
+    <test-code>
+        <description>When RemoteSite Setting Disable Protocol Security is true, then report violation</description>
+        <expected-problems>1</expected-problems>
+        <expected-linenumbers>3</expected-linenumbers>
+        <code><![CDATA[
+<?xml version="1.0" encoding="UTF-8"?>
+<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
+    <disableProtocolSecurity>true</disableProtocolSecurity>
+    <!-- ... -->
+</RemoteSiteSetting>
+        ]]></code>
+    </test-code>
+
+    <test-code>
+        <description>When RemoteSite Setting Disable Protocol Security is false, then do not report violation</description>
+        <expected-problems>0</expected-problems>
+        <code><![CDATA[
+<?xml version="1.0" encoding="UTF-8"?>
+<RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
+    <disableProtocolSecurity>false</disableProtocolSecurity>
+    <!-- ... -->
+</RemoteSiteSetting>
+        ]]></code>
+    </test-code>
+
+</test-data>

packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidInsecureHttpRemoteSiteSetting.xml

@@ -5,32 +5,28 @@
         xsi:schemaLocation="http://pmd.sourceforge.net/rule-tests https://pmd.sourceforge.net/rule-tests_1_0_0.xsd">
 
     <test-code>
-        <description>When url contains http then violation should be reported</description>
+        <description>When url contains http, then report violation</description>
         <expected-problems>1</expected-problems>
-        <expected-linenumbers>6</expected-linenumbers>
+        <expected-linenumbers>4</expected-linenumbers>
         <expected-messages>
             <message>Avoid using insecure http urls in Remote Site Settings.</message>
         </expected-messages>
         <code><![CDATA[
 <?xml version="1.0" encoding="UTF-8"?>
 <RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
-    <description>Used for Apex callout to mapping web service</description>
-    <disableProtocolSecurity>false</disableProtocolSecurity>
-    <isActive>true</isActive>
+    <!-- ... -->
     <url>http://www.maptestsite.net/mapping1</url>
 </RemoteSiteSetting>
         ]]></code>
     </test-code>
 
     <test-code>
-        <description>When url contains https then violation should not be reported</description>
+        <description>When url contains https, then do not report violation</description>
         <expected-problems>0</expected-problems>
         <code><![CDATA[
 <?xml version="1.0" encoding="UTF-8"?>
 <RemoteSiteSetting xmlns="http://soap.sforce.com/2006/04/metadata">
-    <description>Used for Apex callout to mapping web service</description>
-    <disableProtocolSecurity>false</disableProtocolSecurity>
-    <isActive>true</isActive>
+    <!-- ... -->
     <url>https://www.maptestsite.net/mapping1</url>
 </RemoteSiteSetting>
         ]]></code>

packages/code-analyzer-pmd-engine/src/constants.ts

@@ -66,7 +66,7 @@ export const DEFAULT_FILE_EXTENSIONS: Record<Language, string[]> = {
         //         helps to list the file extensions for each metadata type. For example, the RemoteSiteSettings page
         //           https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_remotesitesetting.htm
         //         specifies that .remoteSite is the file extension for remote site settings files.
-        '.remoteSite'
+        '.object', '.tab', '.remoteSite'
     ]
 }
 

packages/code-analyzer-pmd-engine/src/pmd-rule-mappings.ts

@@ -398,6 +398,21 @@ export const RULE_MAPPINGS: Record<string, {severity: SeverityLevel, tags: strin
     // =================================================================================================================
     //   SFCA-PMD-RULES - APPEXCHANGE XML RULES
     // =================================================================================================================
+    "AvoidApiSessionId": {
+        severity: SeverityLevel.High,
+        tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.XML]
+    },
+
+    "AvoidAuraWithLockerDisabled": {
+        severity: SeverityLevel.Critical,
+        tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.XML]
+    },
+
+    "AvoidDisableProtocolSecurity": {
+        severity: SeverityLevel.Moderate,
+        tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.XML]
+    },
+
     "AvoidInsecureHttpRemoteSiteSetting": {
         severity: SeverityLevel.Moderate,
         tags: [/* NOT RECOMMENDED */  APP_EXCHANGE_TAG, COMMON_TAGS.CATEGORIES.SECURITY, COMMON_TAGS.LANGUAGES.XML]

packages/code-analyzer-pmd-engine/test/test-data/pmdGoldfiles/rules_allLanguages.goldfile.json

@@ -231,6 +231,28 @@
       "https://docs.pmd-code.org/pmd-doc-{{PMD_VERSION}}/pmd_rules_ecmascript_codestyle.html#assignmentinoperand"
     ]
   },
+  {
+    "name": "AvoidApiSessionId",
+    "severityLevel": 2,
+    "tags": [
+      "AppExchange",
+      "Security",
+      "Xml"
+    ],
+    "description": "Detects use of Api.Session_ID or GETSESSIONID() to retrieve a session ID.",
+    "resourceUrls": []
+  },
+  {
+    "name": "AvoidAuraWithLockerDisabled",
+    "severityLevel": 1,
+    "tags": [
+      "AppExchange",
+      "Security",
+      "Xml"
+    ],
+    "description": "Detects use of API versions with Lightning Locker disabled in Aura components. Use API version 40 or greater.",
+    "resourceUrls": []
+  },
   {
     "name": "AvoidConsoleStatements",
     "severityLevel": 3,
@@ -282,6 +304,17 @@
       "https://docs.pmd-code.org/pmd-doc-{{PMD_VERSION}}/pmd_rules_apex_errorprone.html#avoiddirectaccesstriggermap"
     ]
   },
+  {
+    "name": "AvoidDisableProtocolSecurity",
+    "severityLevel": 3,
+    "tags": [
+      "AppExchange",
+      "Security",
+      "Xml"
+    ],
+    "description": "Detects if \"Disable Protocol Security\" setting is true.",
+    "resourceUrls": []
+  },
   {
     "name": "AvoidGlobalModifier",
     "severityLevel": 3,
@@ -328,7 +361,7 @@
       "Security",
       "Xml"
     ],
-    "description": "Detects instances of a Remote Site Settings that use HTTP.Use HTTPS instead.",
+    "description": "Detects instances of a Remote Site Settings that use HTTP. Use HTTPS instead.",
     "resourceUrls": []
   },
   {