[BUG] Error (1): Attribute without value

[saurabh-coinbase]

scanner run Issue Template

Fill out this template to submit your Code Analyzer issue.

Description:

Error (1): Attribute without value

Documentation:

Steps To Reproduce:

Install latest beta version: sf plugins install @salesforce/sfdx-scanner@latest-beta
Expected Behavior:

Should not throw any error!
Screenshots:

Desktop:
Using in the Git CI/CD Pipeline

Additional Context:

Workaround:

if I use latest then it works finesf plugins install @salesforce/sfdx-scanner@latest
Urgency:

We are facing some pmd errorException (Scanner Internal) which would be resolved under pmd 7.0 release version.

[jfeingold35]

@saurabh-coinbase , can you post the file that causes the exception?

[saurabh-coinbase]

Yup @jfeingold35 it's here!

<?xml version="1.0" encoding="UTF-8"?>
<ruleset xmlns="http://pmd.sourceforge.net/ruleset/2.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="Default ruleset used by the CodeClimate Engine for Salesforce.com Apex" xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 http://pmd.sourceforge.net/ruleset_2_0_0.xsd">
    <description>Salesforce Coinbase ruleset</description>

    <exclude-pattern>.*/.sfdx/.*</exclude-pattern>
    <!--
    * Note on priorities:
    *   1: hihgest level
    *   5: lowest level
    *
    *   1: must fix (CI will stop on any of those)
    *   2: should fix (CI might refuse the PR). Not fixing those will make the code difficult to understand, test or debug.
    *   3: default value
    *   4: generic code style, naming conventions, etc..
    *   5: for information no immediate action required
    -->

    <!-- SECURITY -->
    <rule ref="category/apex/security.xml/ApexBadCrypto" message="Apex Crypto should use random IV/key">
    <priority>3</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexDangerousMethods" message="Calling potentially dangerous method">
    <priority>1</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexInsecureEndpoint" message="Apex callouts should use encrypted communication channels">
    <priority>3</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexOpenRedirect" message="Apex classes should safely redirect to a known location">
    <priority>3</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexSuggestUsingNamedCred" message="Consider using named credentials for authenticated callouts">
    <priority>1</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexXSSFromEscapeFalse" message="Apex classes should escape addError strings">
    <priority>3</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexXSSFromURLParam" message="Apex classes should escape Strings obtained from URL parameters">
    <priority>3</priority>
    </rule>
    <rule ref="category/apex/security.xml/ApexSharingViolations" message="Apex classes should declare a sharing model if DML or SOQL is used">
    <priority>1</priority>
    </rule>

    <!--Performance-->
    <rule ref="category/apex/performance.xml/AvoidDebugStatements" >
    <priority>2</priority>
    </rule>
    <rule ref="category/apex/performance.xml/EagerlyLoadedDescribeSObjectResult" >
    <priority>2</priority>
    </rule>
    <rule ref="category/apex/performance.xml/OperationWithLimitsInLoop" >
    <priority>2</priority>
    </rule>


</ruleset>

[jfeingold35]

@saurabh-coinbase , if this is an issue with PMD itself instead of our integration with PMD (which is what this certainly seems like), then you might be better off logging this against PMD's repo directly instead of with us.

[saurabh-coinbase]

@jfeingold35 I already created with PMD support team, they had mentioned the issue could be from Salesforce scanner end.

[jfeingold35]

@saurabh-coinbase , I'm unable to reproduce locally with the ruleset you provided. Is there any additional setup that you haven't posted yet? Alternatively, is it only reproducible in a particular file?

[saurabh-coinbase]

@jfeingold35 below is the yml file, custom rule file already shared, that's all I have!

name: Salesforce Code Quality

on:
    workflow_dispatch:
    workflow_call:

jobs:
    PMD:
        runs-on: ubuntu-latest
        steps:
            - uses: actions/checkout@v4
            - uses: actions/setup-node@v3
            - name: Setup Salesforce CLI
              run: |
                  npm install --global @salesforce/cli
                  sf plugins install @salesforce/sfdx-scanner@latest-beta
            - name: SF Code Analyzer - PMD
              run: |
                  sf scanner:run --engine pmd --target src --pmdconfig=pmd/apex-ruleset.xml --format table

[jfeingold35]

@saurabh-coinbase , okay, I've tried running that command with your custom ruleset against some of the sample Apex files we have on hand, and I can't reproduce this. That means it's probably dependent on the contents of the file being scanned. If you can narrow it down to a specific file or set of files and provide the contents of those files, I can continue to assist in debugging. But if not, then I'm afraid there's not much I can do to help.

[saurabh-coinbase]

@jfeingold35 There's another issue with the pipeline where 6 PMD violations were detected, but the PMD check did not fail based on the violations reported.

[jfeingold35]

@saurabh-coinbase , Use the --severity-threshold flag, as per our documentation.

[saurabh-coinbase]

Thank you so much @jfeingold35, I'm still getting Server_Internal error and not sure what could be the resolution for that.

[jfeingold35]

@saurabh-coinbase , as I've mentioned, I'm unable to reproduce that behavior. If you can narrow it down to one or more specific files being passed into --target and post those files, then I can continue to help you debug, but if not, then there's really nothing more I can do.

[stephen-carter-at-sf]

Yeah I too am unable to reproduce. I am getting:

~/temp/tempProj: sf scanner run --pmdconfig customRuleSet.xml --target force-app --format table
› Warning: @salesforce/cli update available from 2.40.7 to 2.41.8.
› Warning: Plugin @salesforce/sfdx-scanner (4.1.0) differs from the version specified by sf (3.24.0)
Warning: We're continually improving Salesforce Code Analyzer. Tell us what you think! Give feedback at https://research.net/r/SalesforceCA
Warning: The specified target wasn't processed by any engines. Use the --engine parameter to select a different engine or specify a different target. Specified target: force-app.
About to run PMD with custom config in customRuleSet.xml. Please make sure that any custom rule references have already been added to the plugin through scanner:rule:add command.
Executed engines: pmd-custom, retire-js. No rule violations found.

So it might be attached to how the rule is running on your specific codebase. @saurabh-coinbase Have you tried using PMD 7 independent of salesforce code analyzer to see if that errors?

[stephen-carter-at-sf]

Closing this for now since we haven't received a reply.