Merge pull request #1309 from forcedotcom/d/W-13222948-b

NEW (PMD): @W-13222948@: Added AppExchange PMD subvariant

package.json

@@ -91,6 +91,7 @@
 		"/messages",
 		"/npm-shrinkwrap.json",
 		"/oclif.manifest.json",
+		"/pmd-appexchange",
 		"/html-templates",
 		"/retire-js",
 		"/oclif.lock"

pmd-appexchange/docs/AvoidApiSessionId.md

@@ -0,0 +1,18 @@
+AvoidApiSessionId[](#avoidapisessionid)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Session ID use is not approved.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of Api.Session_ID to retrieve a session ID.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidAuraWithLockerDisabled.md

@@ -0,0 +1,18 @@
+AvoidAuraWithLockerDisabled[](#avoidaurawithlockerdisabled)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   To enable Lightning Locker, update the apiVersion to version 40 or greater.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects use of API versions with Lightning Locker disabled in Aura components. Use API version 40 or greater.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidCallingSystemResetPasswordWithEmailTemplate.md

@@ -0,0 +1,18 @@
+AvoidCallingSystemResetPasswordWithEmailTemplate[](#avoidcallingsystemresetpasswordwithemailtemplate)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Before calling System.resetPasswordWithEmailTemplate(), perform the necessary authorization checks.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects where System.resetPasswordWithEmailTemplate() exists in Apex code. Use this method with caution.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidChangeProtection.md

@@ -0,0 +1,18 @@
+AvoidChangeProtection[](#avoidchangeprotection)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Update your code to avoid using FeatureManagement.changeProtection.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects potential misuse of FeatureManagement.changeProtection.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidChangeProtectionUnprotected.md

@@ -0,0 +1,18 @@
+AvoidChangeProtectionUnprotected[](#avoidchangeprotectionunprotected)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Update your code to avoid using FeatureManagement.changeProtection called by an UnProtected argument.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects potential misuse of FeatureManagement.changeProtection.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidHardcodedCredentials.md

@@ -0,0 +1,47 @@
+AvoidHardcodedCredentials[](#avoidhardcodedcredentials)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Remove hard-coded credentials from source code.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Identifies hard-coded credentials in source code that must be protected using Protected Custom metadata or Protected Custom settings.
+
+**Example(s):**
+
+   Correct Method
+
+```
+<?xml version="1.0" encoding="UTF-8"?>
+            <CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
+               <customSettingsType>List</customSettingsType>
+                  <enableFeeds>false</enableFeeds>
+                  <label>Username</label>
+                  <visibility>Protected</visibility>
+               </CustomObject>
+```
+
+Incorrect Method
+
+```
+public with sharing class test3 {
+         public test3() {
+         String key = 'supersecurepassword';
+         HttpRequest req = new HttpRequest();
+         req.setEndpoint('https://www.example.com/test?APIKEY='+key);
+         req.setMethod('GET');
+         Http http = new Http();
+         HTTPResponse res = http.send(req);
+         return res.getBody();
+      }
+```
+
+
+
+        
+

pmd-appexchange/docs/AvoidJavaScriptCustomRule.md

@@ -0,0 +1,18 @@
+AvoidJavaScriptCustomRule[](#avoidjavascriptcustomrule)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid using JavaScript to execute custom button actions.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of custom JavaScript actions in custom rules.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidJavaScriptHomePageComponent.md

@@ -0,0 +1,18 @@
+AvoidJavaScriptHomePageComponent[](#avoidjavascripthomepagecomponent)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid JavaScript in a home page component body.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of custom JavaScript actions in home page components.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidJavaScriptWeblink.md

@@ -0,0 +1,18 @@
+AvoidJavaScriptWeblink[](#avoidjavascriptweblink)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid using JavaScript in web links.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of custom JavaScript actions in web links.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidJsLinksInCustomObject.md

@@ -0,0 +1,18 @@
+AvoidJsLinksInCustomObject[](#avoidjslinksincustomobject)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid clickable JavaScript-style URLs.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects instances of JavaScript-style URLs (javascript:) in Salesforce DOM components, such as web links and buttons. Avoid JavaScript-style URLs in managed packages.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidJsLinksInWebLinks.md

@@ -0,0 +1,18 @@
+AvoidJsLinksInWebLinks[](#avoidjslinksinweblinks)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid clickable JavaScript-style URLs.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects instances of JavaScript-style URLs (javascript:) in Salesforce DOM components, such as web links and buttons. Avoid JavaScript-style URLs in managed packages.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidLmcIsExposedTrue.md

@@ -0,0 +1,18 @@
+AvoidLmcIsExposedTrue[](#avoidlmcisexposedtrue)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Use Lightning Message Channel with isExposed set to false.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects a Lightning Message Channel with isExposed=true, which isn’t allowed in managed packages.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidLwcBubblesComposedTrue.md

@@ -0,0 +1,18 @@
+AvoidLwcBubblesComposedTrue[](#avoidlwcbubblescomposedtrue)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid setting both Lightning Web component bubbles and composed=true at the same time.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects Lightning Web Component event configurations where bubbles and composed are both set to true. To avoid sharing sensitive information unintentionally, use this configuration with caution.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidSystemModeInFlows.md

@@ -0,0 +1,18 @@
+AvoidSystemModeInFlows[](#avoidsystemmodeinflows)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Reconfigure to avoid running flows in system mode.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects where default mode must be used in flows instead of system mode.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdInApex.md

@@ -0,0 +1,18 @@
+AvoidUnauthorizedApiSessionIdInApex[](#avoidunauthorizedapisessionidinapex)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Use of API.Session_ID might not be authorized.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of Api.Session_ID to retrieve a session ID.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdInFlows.md

@@ -0,0 +1,18 @@
+AvoidUnauthorizedApiSessionIdInFlows[](#avoidunauthorizedapisessionidinflows)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   $Api.Session_ID usage is not approved.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of session ID in SOAP API calls in flows.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidUnauthorizedApiSessionIdVisualforce.md

@@ -0,0 +1,18 @@
+AvoidUnauthorizedApiSessionIdVisualforce[](#avoidunauthorizedapisessionidvisualforce)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Retrieval of session ID using API.Session_ID is not authorized.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects use of Api.Session_ID to retrieve a session ID in Visualforce code.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidUnauthorizedGetSessionIdInApex.md

@@ -0,0 +1,18 @@
+AvoidUnauthorizedGetSessionIdInApex[](#avoidunauthorizedgetsessionidinapex)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Use of UserInfo.getSessionId might not be authorized.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects use of UserInfo.getSessionId() to retrieve a session ID.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidUnauthorizedGetSessionIdInVisualforce.md

@@ -0,0 +1,18 @@
+AvoidUnauthorizedGetSessionIdInVisualforce[](#avoidunauthorizedgetsessionidinvisualforce)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Use of session ID with GETSESSIONID is not authorized.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of GETSESSIONID() to retrieve a session ID in Visualforce code.
+
+**Example(s):**
+
+
+