-
-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathruleset.xml
More file actions
310 lines (264 loc) · 11.7 KB
/
ruleset.xml
File metadata and controls
310 lines (264 loc) · 11.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
<?xml version="1.0" encoding="UTF-8"?>
<ruleset name="Default"
xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">
<description>
This ruleset checks the code for discouraged programming constructs.
</description>
<!-- Only rules that don't overlap with CheckStyle! -->
<rule ref="category/java/bestpractices.xml/AvoidPrintStackTrace"/>
<rule ref="category/java/bestpractices.xml/AvoidStringBufferField"/>
<rule ref="category/java/bestpractices.xml/AvoidUsingHardCodedIP"/>
<rule ref="category/java/bestpractices.xml/ConstantsInInterface"/>
<rule ref="category/java/bestpractices.xml/ExhaustiveSwitchHasDefault"/>
<rule ref="category/java/bestpractices.xml/LiteralsFirstInComparisons"/>
<!-- CheckStyle can't handle this switch behavior -> delegated to PMD -->
<rule ref="category/java/bestpractices.xml/NonExhaustiveSwitch"/>
<rule ref="category/java/bestpractices.xml/OneDeclarationPerLine">
<properties>
<property name="strictMode" value="true"/>
</properties>
</rule>
<rule ref="category/java/bestpractices.xml/PreserveStackTrace"/>
<rule ref="category/java/bestpractices.xml/SimplifiableTestAssertion"/>
<rule ref="category/java/bestpractices.xml/SystemPrintln"/>
<rule ref="category/java/bestpractices.xml/UnusedAssignment"/>
<rule ref="category/java/bestpractices.xml/UnusedFormalParameter"/>
<rule ref="category/java/bestpractices.xml/UnusedPrivateField"/>
<rule ref="category/java/bestpractices.xml/UnusedPrivateMethod"/>
<rule ref="category/java/bestpractices.xml/UseCollectionIsEmpty"/>
<rule ref="category/java/bestpractices.xml/UseEnumCollections"/>
<rule ref="category/java/bestpractices.xml/UseStandardCharsets"/>
<rule ref="category/java/bestpractices.xml/UseTryWithResources"/>
<!-- Native code is platform dependent; Loading external native libs might pose a security threat -->
<rule ref="category/java/codestyle.xml/AvoidUsingNativeCode"/>
<rule ref="category/java/codestyle.xml/IdenticalCatchBranches"/>
<rule ref="category/java/codestyle.xml/LambdaCanBeMethodReference"/>
<rule ref="category/java/codestyle.xml/NoPackage"/>
<rule ref="category/java/codestyle.xml/PrematureDeclaration"/>
<rule ref="category/java/codestyle.xml/UnnecessarySemicolon"/>
<rule ref="category/java/design.xml">
<!-- Sometimes abstract classes have just fields -->
<exclude name="AbstractClassWithoutAnyMethod"/>
<!-- Using RuntimeExceptions is ok -->
<exclude name="AvoidCatchingGenericException"/>
<exclude name="AvoidThrowingRawExceptionTypes"/>
<!-- Limit too low -->
<exclude name="AvoidDeeplyNestedIfStmts"/>
<!-- Limit too low -->
<exclude name="CouplingBetweenObjects"/>
<!-- Limit too low -->
<exclude name="CyclomaticComplexity"/>
<!-- Makes entity classes impossible -->
<exclude name="DataClass"/>
<!-- Used commonly particular in bigger methods with upstream throws -->
<exclude name="ExceptionAsFlowControl"/>
<!-- Limit too low -->
<exclude name="ExcessiveImports"/>
<!-- Handled by TooManyFields/TooManyMethods -->
<exclude name="ExcessivePublicCount"/>
<!-- Prohibits accessing members using multiple depths -->
<exclude name="LawOfDemeter"/>
<!-- No effect -->
<exclude name="LoosePackageCoupling"/>
<!-- Prohibits singleton pattern -->
<exclude name="MutableStaticState"/>
<!-- Checks LoC, already handled by Checkstyle -->
<exclude name="NcssCount"/>
<!-- Some override methods or Junit require this -->
<exclude name="SignatureDeclareThrowsException"/>
<!-- Reports FP for equals methods -->
<exclude name="SimplifyBooleanReturns"/>
<!-- Limit too low -->
<exclude name="TooManyFields"/>
<!-- Limit too low -->
<exclude name="TooManyMethods"/>
<!-- Limit too low -->
<exclude name="UseObjectForClearerAPI"/>
</rule>
<rule ref="category/java/design.xml/AvoidDeeplyNestedIfStmts">
<properties>
<property name="problemDepth" value="4"/>
</properties>
</rule>
<rule ref="category/java/design.xml/CouplingBetweenObjects">
<properties>
<property name="threshold" value="100"/>
</properties>
</rule>
<rule ref="category/java/design.xml/CyclomaticComplexity">
<properties>
<property name="classReportLevel" value="150"/>
<property name="methodReportLevel" value="25"/>
<property name="cycloOptions" value=""/>
</properties>
</rule>
<rule ref="category/java/design.xml/ExcessiveImports">
<properties>
<property name="minimum" value="200"/>
</properties>
</rule>
<rule ref="category/java/design.xml/TooManyFields">
<properties>
<property name="maxfields" value="50"/>
</properties>
</rule>
<rule ref="category/java/design.xml/TooManyMethods">
<properties>
<property name="maxmethods" value="100"/>
</properties>
</rule>
<rule ref="category/java/errorprone.xml/AssignmentToNonFinalStatic"/>
<rule ref="category/java/errorprone.xml/AvoidDecimalLiteralsInBigDecimalConstructor"/>
<rule ref="category/java/errorprone.xml/AvoidMultipleUnaryOperators"/>
<rule ref="category/java/errorprone.xml/AvoidUsingOctalValues"/>
<rule ref="category/java/errorprone.xml/BrokenNullCheck"/>
<rule ref="category/java/errorprone.xml/ComparisonWithNaN"/>
<rule ref="category/java/errorprone.xml/DoNotCallGarbageCollectionExplicitly"/>
<rule ref="category/java/errorprone.xml/DontImportSun"/>
<rule ref="category/java/errorprone.xml/DontUseFloatTypeForLoopIndices"/>
<rule ref="category/java/errorprone.xml/EqualsNull"/>
<rule ref="category/java/errorprone.xml/IdempotentOperations"/>
<rule ref="category/java/errorprone.xml/ImplicitSwitchFallThrough"/>
<rule ref="category/java/errorprone.xml/InstantiationToGetClass"/>
<rule ref="category/java/errorprone.xml/InvalidLogMessageFormat"/>
<rule ref="category/java/errorprone.xml/JumbledIncrementer"/>
<rule ref="category/java/errorprone.xml/MisplacedNullCheck"/>
<rule ref="category/java/errorprone.xml/MoreThanOneLogger"/>
<rule ref="category/java/errorprone.xml/NonStaticInitializer"/>
<rule ref="category/java/errorprone.xml/ReturnFromFinallyBlock"/>
<rule ref="category/java/errorprone.xml/SingletonClassReturningNewInstance"/>
<rule ref="category/java/errorprone.xml/UnconditionalIfStatement"/>
<rule ref="category/java/errorprone.xml/UnnecessaryCaseChange"/>
<rule ref="category/java/errorprone.xml/UselessOperationOnImmutable"/>
<rule ref="category/java/multithreading.xml">
<!-- Just bloats code; improved in JEP-491/Java 24+ -->
<exclude name="AvoidSynchronizedAtMethodLevel"/>
<!-- NOPE -->
<exclude name="DoNotUseThreads"/>
<!-- Doesn't detect nested thread safe singleton pattern -->
<exclude name="NonThreadSafeSingleton"/>
<!-- Should relevant for fields that use multithreading which is rare -->
<exclude name="UseConcurrentHashMap"/>
</rule>
<rule ref="category/java/performance.xml">
<!-- This was fixed in Java 10 -->
<exclude name="AvoidFileStream"/>
<!-- Used everywhere and has neglectable performance impact -->
<exclude name="AvoidInstantiatingObjectsInLoops"/>
<!-- Handled by checkstyle -->
<exclude name="RedundantFieldInitializer"/>
<!-- Nowadays optimized by compiler; No code bloating needed -->
<exclude name="UseStringBufferForStringAppends"/>
</rule>
<rule ref="category/java/performance.xml/TooFewBranchesForSwitch">
<properties>
<!-- If you have one case only please use a if -->
<property name="minimumNumberCaseForASwitch" value="2"/>
</properties>
</rule>
<rule ref="category/java/security.xml"/>
<rule name="AvoidSystemSetterCall"
language="java"
message="Setters of java.lang.System should not be called unless really needed"
class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
<description>
Calling setters of java.lang.System usually indicates bad design and likely causes unexpected behavior.
For example, it may break when multiple Threads are setting the value.
It may also overwrite user defined options or properties.
Try to pass the value only to the place where it's really needed and use it there accordingly.
</description>
<priority>3</priority>
<properties>
<property name="xpath">
<value>
<![CDATA[
//MethodCall[starts-with(@MethodName,'set')]/TypeExpression[pmd-java:typeIsExactly('java.lang.System')]
]]>
</value>
</property>
</properties>
</rule>
<rule name="AvoidPostConstruct"
language="java"
message="Avoid @PostConstruct"
class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
<description>
Using a `@PostConstruct` method is usually only done when field injection is used and initialization needs to be performed after that.
It's better to do this directly in the constructor with constructor injection, so that all logic will be encapsulated there.
This also makes using the bean in environments where JavaEE is not present - for example in tests - a lot easier, as forgetting to call the `@PostConstruct` method is no longer possible.
</description>
<priority>3</priority>
<properties>
<property name="xpath">
<value>
<![CDATA[
//MethodDeclaration[pmd-java:hasAnnotation('jakarta.annotation.PostConstruct')]
]]>
</value>
</property>
</properties>
</rule>
<rule name="AvoidPreDestroy"
language="java"
message="Avoid @PreDestroy"
class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
<description>
`@PreDestroy` should be replaced by implementing `AutoCloseable` and overwriting the `close` method instead.
This also makes using the bean in environments where JavaEE is not present - for example in tests - a lot easier, as forgetting to call the `@PreDestroy` method is no much more difficult.
</description>
<priority>3</priority>
<properties>
<property name="xpath">
<value>
<![CDATA[
//MethodDeclaration[pmd-java:hasAnnotation('jakarta.annotation.PreDestroy')]
]]>
</value>
</property>
</properties>
</rule>
<rule name="AvoidUnmanagedThreads"
language="java"
message="Avoid unmanaged threads"
class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
<description>
Trying to manually manage threads usually gets quickly out of control and may result in various problems like uncontrollable spawning of threads.
Threads can also not be cancelled properly.
Use managed Thread services like `ExecutorService` and `CompletableFuture` instead.
</description>
<priority>3</priority>
<properties>
<property name="xpath">
<value>
<![CDATA[
//MethodCall[pmd-java:matchesSig('java.lang.Thread#start()') or pmd-java:matchesSig('java.lang.Thread#startVirtualThread(java.lang.Runnable)') or pmd-java:matchesSig('java.lang.Thread$Builder#start(java.lang.Runnable)')]
]]>
</value>
</property>
</properties>
</rule>
<rule name="JavaObjectSerializationIsUnsafe"
language="java"
message="Using Java Object (De-)Serialization is unsafe and has led to too many security vulnerabilities"
class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
<description>
Nearly every known usage of (Java) Object Deserialization has resulted in [a security vulnerability](https://cloud.google.com/blog/topics/threat-intelligence/hunting-deserialization-exploits?hl=en).
Vulnerabilities are so common that there are [dedicated projects for exploit payload generation](https://github.com/frohoff/ysoserial).
Java Object Serialization may also fail to deserialize when the underlying classes are changed.
Use proven data interchange formats like JSON instead.
</description>
<priority>2</priority>
<properties>
<property name="xpath">
<value>
<![CDATA[
//ClassDeclaration[@Interface = false()]/ClassBody/FieldDeclaration/VariableDeclarator/VariableId[@Name='serialVersionUID'] |
//ConstructorCall/ClassType[pmd-java:typeIsExactly('java.io.ObjectInputStream') or pmd-java:typeIsExactly('java.io.ObjectOutputStream')]
]]>
</value>
</property>
</properties>
</rule>
</ruleset>