New Apex rules focusing on Salesforce core concepts

Hi Apex developers,

We are excited to announce the release of a new set of Apex rules focusing on the core concepts of Salesforce:

Security via access control

  • S5377: Sharing level should be specified in Apex Classes with SOQL/SOSL Queries or DML statements. (Vulnerability)
  • S5378: Executing SOQL, SOSL or DML queries without sharing or with inherited sharing is security sensitive. (Security Hotspot)

Governor limits

  • S5382: DML statements should not be used inside loops. (Bug)

Good tests

  • S5395: Test methods should not be annotated with “@isTest(SeeAllData=true)”. (Code Smell)
  • S5394: Tested code should be enclosed between “Test.StartTest()” and “Test.StopTest()”. (Code Smell)
  • S5386: System.runAs should be used to test user permissions. (Code Smell)

Maintainability and bug-free code

  • S5376: Triggers should process records in bulk. (Bug)
  • S5379: Record IDs should not be hardcoded. (Bug)
  • S5387: “getRecordTypeInfosByDeveloperName()” should be used instead of “getRecordTypeInfosByName()”. (Bug)
  • S5389: URLs of Salesforce pages should be relative, not absolute. (Bug)
  • S5390: Messages should not be hardcoded. (Code Smell)
  • S5384: Business logic should not be implemented inside Triggers. (Code Smell)

Here are examples of these rules in action:
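As an added illustration (not code from the original announcement or from SonarSource's rule documentation), the Apex below shows a class that rules S5377/S5378 and S5382 would flag, followed by a version that complies with them. The class and method names are hypothetical; Account and Contact are standard Salesforce objects.

```apex
// Constructed example, not from the original post.
// Noncompliant with S5377: the class declares no sharing level, so the SOQL
// query and DML below run in system context and ignore the running user's
// record-level access. Noncompliant with S5382: one DML statement per
// loop iteration, so 200 account IDs cost 200 of the 150 DML statements
// allowed per transaction.
public class AccountContactLoader {
    public static void addContacts(List<Id> accountIds) {
        for (Id accountId : accountIds) {
            // SOQL inside a loop: one query per record
            Account acc = [SELECT Id, Name FROM Account WHERE Id = :accountId];
            Contact c = new Contact(LastName = acc.Name + ' contact', AccountId = acc.Id);
            insert c; // DML inside a loop
        }
    }
}

// Compliant: "with sharing" makes the query and the insert honour the running
// user's sharing rules (S5377; "without sharing" or "inherited sharing" would
// instead raise the S5378 hotspot). The query runs once for all IDs and the
// contacts are inserted with a single DML statement (S5382).
public with sharing class AccountContactLoaderFixed {
    public static void addContacts(List<Id> accountIds) {
        List<Contact> contacts = new List<Contact>();
        // SOQL for-loop: a single query, results streamed in chunks
        for (Account acc : [SELECT Id, Name FROM Account WHERE Id IN :accountIds]) {
            contacts.add(new Contact(LastName = acc.Name + ' contact', AccountId = acc.Id));
        }
        if (!contacts.isEmpty()) {
            insert contacts; // one DML statement for the whole list
        }
    }
}
```

Because the fixed class runs with sharing, a user who cannot see a given Account simply gets no Contact created for it, rather than the system-context behaviour of the first version.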

For more information, you can read the changelog.

You can already enjoy these new features on SonarCloud. As for SonarQube, this will be built into the next version (8.0); meanwhile, Enterprise Edition users can get it by updating to v1.7 of the Apex analysis engine.

All feedback is welcome.