diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_xml.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_xml.xml
index 9dbca504..90497845 100644
--- a/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_xml.xml
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/main/resources/sfca/rulesets/AppExchange_xml.xml
@@ -5,23 +5,79 @@
xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">
AppExchange Security Rules
+
+
+
+ Detects use of Api.Session_ID or GETSESSIONID() to retrieve a session ID.
+ 2
+
+
+
+
+
+
+
+
+
+
+
+ Detects use of API versions with Lightning Locker disabled in Aura components. Use API version 40 or greater.
+ 1
+
+
+
+
+
+
+
+
+
+
+
+ Detects if "Disable Protocol Security" setting is true.
+ 3
+
+
+
+
+
+
+
+
+
-
- Detects instances of a Remote Site Settings that use HTTP.Use HTTPS instead.
+
+ Detects instances of a Remote Site Settings that use HTTP. Use HTTPS instead.
3
+
-
-
-
+ ]]>
-
-
\ No newline at end of file
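Review bot: The AvoidApiSessionId description at L11 says what is matched but not why it is flagged or what to do instead, unlike the Remote Site entry at L51 which ends with "Use HTTPS instead"; the rule's XPath is not visible in this hunk, so only the description can be reviewed here. I would extend it to `Detects use of $Api.Session_ID or GETSESSIONID() to retrieve a session ID. A session ID embedded in a URL or formula is a reusable credential; use a named credential or an OAuth flow instead.` The fixture for this rule uses both `$Api.Session_ID` and `API.Session_ID`, so the match presumably has to be case-insensitive — worth confirming against the XPath. The AvoidAuraWithLockerDisabled description at L24 could likewise state the reason already implied by it (Lightning Locker is not applied below API version 40).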
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidApiSessionIdTest.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidApiSessionIdTest.java
new file mode 100644
index 00000000..72c712ec
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidApiSessionIdTest.java
@@ -0,0 +1,16 @@
+package sfca.rulesets.appexchange_xml;
+
+import net.sourceforge.pmd.test.SimpleAggregatorTst;
+
+public class AvoidApiSessionIdTest extends SimpleAggregatorTst {
+ @Override
+ protected void setUp() {
+ // The test data xml file for this rule's test will always be in the resources directory using a naming
+ // convention based off the package for this test and the rule being tested:
+ // "resources//xml/.xml".
+ // In this case "sfca.rulesets.appexchange_xml" is the package name of this test file. Thus, the associated test
+ // data xml file for this rule must be found at:
+ // "resource/sfca/rulesets/appexchange_xml/xml/AvoidApiSessionId.xml"
+ addRule("sfca/rulesets/AppExchange_xml.xml", "AvoidApiSessionId");
+ }
+}
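Review bot: The path comment at L76 has lost its placeholders (`"resources//xml/.xml"`), and L79 spells the directory `resource/` while L76 says `resources/`, so the comment no longer tells the reader where the fixture lives; the same seven-line comment is repeated verbatim in AvoidAuraWithLockerDisabledTest (L96–L101) and AvoidDisableProtocolSecurityTest (L118–L123). I would replace it in all three with one line naming the concrete path, e.g. `// Test data: src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidApiSessionId.xml (PMD convention: <package>/xml/<RuleName>.xml)`. If the placeholders were only lost on rendering, the `resource`/`resources` mismatch still applies.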
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidAuraWithLockerDisabledTest.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidAuraWithLockerDisabledTest.java
new file mode 100644
index 00000000..34df3608
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidAuraWithLockerDisabledTest.java
@@ -0,0 +1,16 @@
+package sfca.rulesets.appexchange_xml;
+
+import net.sourceforge.pmd.test.SimpleAggregatorTst;
+
+public class AvoidAuraWithLockerDisabledTest extends SimpleAggregatorTst {
+ @Override
+ protected void setUp() {
+ // The test data xml file for this rule's test will always be in the resources directory using a naming
+ // convention based off the package for this test and the rule being tested:
+ // "resources//xml/.xml".
+ // In this case "sfca.rulesets.appexchange_xml" is the package name of this test file. Thus, the associated test
+ // data xml file for this rule must be found at:
+ // "resource/sfca/rulesets/appexchange_xml/xml/AvoidAuraWithLockerDisabled.xml"
+ addRule("sfca/rulesets/AppExchange_xml.xml", "AvoidAuraWithLockerDisabled");
+ }
+}
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidDisableProtocolSecurityTest.java b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidDisableProtocolSecurityTest.java
new file mode 100644
index 00000000..c40e44be
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/java/sfca/rulesets/appexchange_xml/AvoidDisableProtocolSecurityTest.java
@@ -0,0 +1,16 @@
+package sfca.rulesets.appexchange_xml;
+
+import net.sourceforge.pmd.test.SimpleAggregatorTst;
+
+public class AvoidDisableProtocolSecurityTest extends SimpleAggregatorTst {
+ @Override
+ protected void setUp() {
+ // The test data xml file for this rule's test will always be in the resources directory using a naming
+ // convention based off the package for this test and the rule being tested:
+ // "resources//xml/.xml".
+ // In this case "sfca.rulesets.appexchange_xml" is the package name of this test file. Thus, the associated test
+ // data xml file for this rule must be found at:
+ // "resource/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurity.xml"
+ addRule("sfca/rulesets/AppExchange_xml.xml", "AvoidDisableProtocolSecurity");
+ }
+}
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidApiSessionId.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidApiSessionId.xml
new file mode 100644
index 00000000..6ad7254f
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidApiSessionId.xml
@@ -0,0 +1,58 @@
+
+
+
+
+ When custom object weblinks use GETSESSIONID(), then report violation
+ 1
+ 6
+
+
+
+
+
+ {!REQUIRESCRIPT('/soap/ajax/26.0/connection.js')}
+ sforce.connection.sessionId = '{!GETSESSIONID()}';
+
+
+
+ ]]>
+
+
+
+ When custom object weblinks use API.Session_Id, then report violation
+ 1
+ 6
+
+
+
+
+
+
+ /apex/something?id={!something__c.Id}&sessionId={!$Api.Session_ID}&instance={!$Api.Partner_Server_URL_260}
+
+
+
+ ]]>
+
+
+
+ When custom tab uses API.Session_Id, then report violation
+ 1
+ 4
+
+
+
+
+ https://test.example.com/dummy.ph?param1={!API.Enterprise_Server_URL_540}&sessionId={!API.Session_ID}¶m2={!Organization.Name}¶m3={!User.Email}
+
+
+ ]]>
+
+
+
\ No newline at end of file
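Review bot: This fixture has only violation cases (expected-problems 1 at L138, L155 and L172); the sibling fixtures for AvoidAuraWithLockerDisabled and AvoidDisableProtocolSecurity each include a no-violation case, and this rule needs one too, because the URL at L163 also contains `{!$Api.Partner_Server_URL_260}` and a rule that over-matches on the `$Api.` prefix would still pass all three cases. Add a weblink or tab case that uses only `{!$Api.Partner_Server_URL_260}` or `{!User.Email}` with expected-problems 0. Separately, L178 shows `¶m2` and `¶m3`, which looks like `&param2`/`&param3` having been rendered as the `&para;` entity at some point — worth confirming the committed file contains the literal `&param2=`.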
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidAuraWithLockerDisabled.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidAuraWithLockerDisabled.xml
new file mode 100644
index 00000000..d7eca006
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidAuraWithLockerDisabled.xml
@@ -0,0 +1,32 @@
+
+
+
+
+ When AuraDefinitionBundle has version less than 40, then report violation
+ 1
+ 3
+
+
+ 39.0
+
+
+ ]]>
+
+
+
+ When AuraDefinitionBundle has version greater than 40, then do not report violation
+ 0
+
+
+ 53.0
+
+
+ ]]>
+
+
+
\ No newline at end of file
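Review bot: The boundary is not tested: the ruleset description says "Use API version 40 or greater", yet the fixture covers only `39.0` (L201, violation) and `53.0` (L212, no violation), so an off-by-one in the comparison (`<= 40` instead of `< 40`) would pass this test. Add a third test-code with `40.0` and expected-problems 0, and rename the second case's description from "greater than 40" to "40 or greater" so it matches the rule's contract. Depending on how the XPath compares the value, a case with no version element or a non-numeric version may also be worth adding.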
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurity.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurity.xml
new file mode 100644
index 00000000..841b91a7
--- /dev/null
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidDisableProtocolSecurity.xml
@@ -0,0 +1,32 @@
+
+
+
+
+ When RemoteSite Setting Disable Protocol Security is true, then report violation
+ 1
+ 3
+
+
+ true
+
+
+ ]]>
+
+
+
+ When RemoteSite Setting Disable Protocol Security is false, then do not report violation
+ 0
+
+
+ false
+
+
+ ]]>
+
+
+
\ No newline at end of file
diff --git a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidInsecureHttpRemoteSiteSetting.xml b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidInsecureHttpRemoteSiteSetting.xml
index 96213e75..0414c8c8 100644
--- a/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidInsecureHttpRemoteSiteSetting.xml
+++ b/packages/code-analyzer-pmd-engine/pmd-rules/src/test/resources/sfca/rulesets/appexchange_xml/xml/AvoidInsecureHttpRemoteSiteSetting.xml
@@ -5,32 +5,28 @@
xsi:schemaLocation="http://pmd.sourceforge.net/rule-tests https://pmd.sourceforge.net/rule-tests_1_0_0.xsd">
- When url contains http then violation should be reported
+ When url contains http, then report violation
1
- 6
+ 4
Avoid using insecure http urls in Remote Site Settings.
- Used for Apex callout to mapping web service
- false
- true
+
http://www.maptestsite.net/mapping1
]]>
- When url contains https then violation should not be reported
+ When url contains https, then do not report violation
0
- Used for Apex callout to mapping web service
- false
- true
+
https://www.maptestsite.net/mapping1
]]>
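Review bot: The fixtures at L269–L270 and L278–L279 were reduced to a bare `url` element, dropping the `description`, `disableProtocolSecurity` and `isActive` siblings; the test no longer shows the rule matching `url` inside a realistic RemoteSiteSetting where it is not the first child, which is exactly where an XPath written as a positional or root-relative path would break. I would keep at least one sibling element before `url` in the violation case, or say in its description why the minimal document is sufficient. The expected line numbers (6 → 4) are consistent with the removal.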
diff --git a/packages/code-analyzer-pmd-engine/src/constants.ts b/packages/code-analyzer-pmd-engine/src/constants.ts
index 4bb3ef15..df17229e 100644
--- a/packages/code-analyzer-pmd-engine/src/constants.ts
+++ b/packages/code-analyzer-pmd-engine/src/constants.ts
@@ -66,7 +66,7 @@ export const DEFAULT_FILE_EXTENSIONS: Record = {
// helps to list the file extensions for each metadata type. For example, the RemoteSiteSettings page
// https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_remotesitesetting.htm
// specifies that .remoteSite is the file extension for remote site settings files.
- '.remoteSite'
+ '.object', '.tab', '.remoteSite'
]
}
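Review bot: The comment at L286–L288 still explains only `.remoteSite`, while L290 now also registers `.object` and `.tab` without saying which rule needs them; from the new fixtures, `.object` is for CustomObject (including weblinks) and `.tab` for CustomTab, both scanned by AvoidApiSessionId. I would add `// '.object' (CustomObject, incl. weblinks) and '.tab' (CustomTab) are scanned by AvoidApiSessionId; '.remoteSite' by the Remote Site rules.` Note that `.object` files are often large, so this widens the XML engine's default input noticeably, and if AvoidAuraWithLockerDisabled is meant to run on AuraDefinitionBundle metadata, check that its file extension is covered elsewhere in this list (not visible in the hunk). The enclosing DEFAULT_FILE_EXTENSIONS object starts outside the hunk.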
diff --git a/packages/code-analyzer-pmd-engine/src/pmd-rule-mappings.ts b/packages/code-analyzer-pmd-engine/src/pmd-rule-mappings.ts
index 75ab4e5d..faba706b 100644
--- a/packages/code-analyzer-pmd-engine/src/pmd-rule-mappings.ts
+++ b/packages/code-analyzer-pmd-engine/src/pmd-rule-mappings.ts
@@ -398,6 +398,21 @@ export const RULE_MAPPINGS: Record