diff --git a/README.md b/README.md index 0c8d006ce..98b93e909 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,8 @@ ![CFLint](/src/main/resources/CFLint-logo.jpg) -# CFLint [![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.github.cflint/CFLint/badge.svg)](https://maven-badges.herokuapp.com/maven-central/com.github.cflint/CFLint) [![License](https://img.shields.io/badge/License-BSD%203--Clause-blue.svg)](https://opensource.org/licenses/BSD-3-Clause) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/6f4b01d4d2cb4860b60ac666452071f1)](https://www.codacy.com/app/ryaneberly/CFLint?utm_source=github.com&utm_medium=referral&utm_content=cflint/CFLint&utm_campaign=Badge_Grade) [![Build Status](https://travis-ci.org/cflint/CFLint.svg?branch=master)](https://travis-ci.org/cflint/CFLint) +# CFLint + +[![Maven Central](https://maven-badges.herokuapp.com/maven-central/com.github.cflint/CFLint/badge.svg)](https://maven-badges.herokuapp.com/maven-central/com.github.cflint/CFLint) [![License](https://img.shields.io/badge/License-BSD%203--Clause-blue.svg)](https://opensource.org/licenses/BSD-3-Clause) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/6f4b01d4d2cb4860b60ac666452071f1)](https://www.codacy.com/app/ryaneberly/CFLint?utm_source=github.com&utm_medium=referral&utm_content=cflint/CFLint&utm_campaign=Badge_Grade) [![Build Status](https://travis-ci.org/cflint/CFLint.svg?branch=master)](https://travis-ci.org/cflint/CFLint) A static code analysis tool for CFML. 
@@ -8,11 +10,11 @@ License: [BSD](http://www.opensource.org/licenses/bsd-license.html) Current Version: 1.5.x -# Versions +## Versions See [CHANGELOG.md](/CHANGELOG.md) for further information. -# Project and library organization +## Project and library organization CFLint is a project developed and worked on by volunteers. When logging issues please, be nice and considerate. We're here to help. We really appreciate fixes and improvements, so feel free to talk to us and/or provide pull requests. @@ -20,7 +22,7 @@ CFLint is a project developed and worked on by volunteers. When logging issues p The master branch is considered our stable codebase. Most of the development happens in the dev branch resp. local development branches for specific issues. -# Building CFLint +## Building CFLint 1. Fork the repository into your account and clone or download the codebase as a zip-file. 1. Install the tooling of your choice and build via Gradle or Maven (deprecated). CFLint requires Java 8. @@ -39,7 +41,7 @@ The master branch is considered our stable codebase. Most of the development hap Alternatively, import the CFLint codebase into the IDE of your choice and use its respectively Gradle/Maven integration. This should work out of the box for Eclipse and IntelliJ users. -# Using CFLint - Quickstart Guide +## Using CFLint - Quickstart Guide Get the latest version from [Maven Central](http://search.maven.org/#search%7Cga%7C1%7Ccflint) or the [CFLint GitHub release page](https://github.com/cflint/CFLint/releases) or build the project. 
@@ -65,19 +67,19 @@ Or always use the latest: With the binaries retrieved one or the other way, you can now use CFLint on the command line. -#### Use the "-all"-version of the jar-file +### Use the "-all"-version of the jar-file CFLint-1.5.0-all.jar -#### Scan a folder with the complete set of rules +### Scan a folder with the complete set of rules java -jar CFLint-1.5.0-all.jar -folder -#### Scan a file with the complete set of rules +### Scan a file with the complete set of rules java -jar CFLint-1.5.0-all.jar -file -#### See parameters and help +### See command line parameters and help java -jar CFLint-1.5.0-all.jar -help @@ -131,13 +133,13 @@ An example `.cflintrc` file is shown below: * `inheritParent` configures if the rules set in the global or any parent configuration should be inherited as a base set of rules. -* `parameters` allows configuration of rule parameters. See `cflint.definition.json` for the parameters and their defaults. +* `parameters` allows configuration of rules. See [RULES.md](/RULES.md) for the parameters of each rule and their defaults. You must precede the parameter name with the rule name separated by a dot. * Please note: `inheritPlugins` and `output` were marked deprecated in CFLint 1.2.0 and removed in 1.4.0. Plugin inheritance is now always treated as true since the team cannot see a use case in which it should be disabled. The output type can be controlled elsewhere, such as command-line flags. We provide a [schema with the deprecated properties excluded](/src/main/resources/schemas/.cflintrc.schema.json). -More examples of `.cflintrc` files can be found by browsing the [project test files](/src/test/resources/com/cflint/tests). +See [Recipes](#recipes) for some usage examples of `.cflintrc`. Example files can be found by browsing the [project test files](/src/test/resources/com/cflint/tests). ### Annotation-based configuration diff --git a/RULES.md b/RULES.md index 931440af9..a48dbf22c 100644 --- a/RULES.md +++ b/RULES.md 
@@ -1,416 +1,1045 @@ -List of built-in rules and rule groups -====================================== -## Rule Parameters -
FunctionLengthChecker.length = *100* -
ComponentLengthChecker.length = *500* -
TooManyArgumentsChecker.maximum = *10* -
TooManyFunctionsChecker.maximum = *10* -
SimpleComplexityChecker.maximum = *10* -
VariableNameChecker.minLength = *3* -
VariableNameChecker.maxLength = *20* -
VariableNameChecker.maxWords = *4* -
VariableNameChecker.ignoreUpperCaseScopes = *CGI,URL* -
VariableNameChecker.ignoreAllCapsInScopes = *this,variables* -
VariableNameChecker.ignorePrefixPostfixOn = *thisTag* -
VariableNameChecker.case = *camelCase* -
ArgumentNameChecker.minLength = *3* -
ArgumentNameChecker.maxLength = *20* -
ArgumentNameChecker.maxWords = *4* -
ArgumentNameChecker.case = *camelCase* -
MethodNameChecker.minLength = *3* -
MethodNameChecker.maxLength = *25* -
MethodNameChecker.maxWords = *5* -
MethodNameChecker.case = *camelCase* -
ComponentNameChecker.minLength = *3* -
ComponentNameChecker.maxLength = *15* -
ComponentNameChecker.maxWords = *3* -
ComponentNameChecker.case = *PascalCase* -
GlobalLiteralChecker.maximum = *3* -
GlobalLiteralChecker.maxWarnings = *5* -
GlobalLiteralChecker.warningScope = *global* -
GlobalLiteralChecker.ignoreWords = *numeric,text,textnocase,asc,desc,in,out,inout,one,all,bigdecimal,boolean,byte,char,int,long,float,double,short,string,null* -
LocalLiteralChecker.maximum = *3* -
LocalLiteralChecker.maxWarnings = *5* -
LocalLiteralChecker.warningScope = *local* -
LocalLiteralChecker.ignoreWords = *numeric,text,textnocase,asc,desc,in,out,inout,one,all,bigdecimal,boolean,byte,char,int,long,float,double,short,string,null* -## Built-in rules -* ArgDefChecker - * ARG_DEFAULT_MISSING - Optional argument is missing a default value. *WARNING* - * Argument *variable* is not required and does not define a default value. -* ArgVarChecker - * ARG_VAR_CONFLICT - Variable declared in both local and argument scopes. *ERROR* - * Variable *variable* should not be declared in both local and argument scopes. - * ARG_VAR_MIXED - Variable referenced in local and argument scopes. *INFO* - * Variable *variable* should not be referenced in local and argument scope. -* CFSwitchDefaultChecker - * NO_DEFAULT_INSIDE_SWITCH - Missing default switch statement. *WARNING* - * Not having a Default statement defined for a switch could pose potential issues. -* GlobalVarChecker - * GLOBAL_VAR - Global variable exists. *WARNING* - * Identifier *variable* is global. Referencing in a CFC or function should be avoided. -* NestedCFOutput - * NESTED_CFOUTPUT - Nexted cfoutput with cfquery tag. *ERROR* - * Nested CFOutput, outer CFOutput has @query. -* OutputParmMissing - * OUTPUT_ATTR - Tag should have output='false'. *INFO* - * <*tag* name="*variable*"> should have @output='false' -* QueryParamChecker - * QUERYPARAM_REQ - SetSql() statement should use .addParam(). *WARNING* - * setSql() statement should use .addParam() instead of #'s name="*variable*" - * CFQUERYPARAM_REQ - cfquery should use <cfqueryparam>. *WARNING* - * <*tag*> should use <cfqueryparam/> for variable '*variable*'. -* TypedQueryNew - * QUERYNEW_DATATYPE - QueryNew statement should specify datatypes. *WARNING* - * QueryNew statement should specify datatypes. -* VarScoper - * MISSING_VAR - Variable is not declared with a var statement. *ERROR* - * Variable *variable* is not declared with a var statement. 
-* CFDumpChecker - * Parameters - * tagName = *cfdump* - * AVOID_USING_CFDUMP_TAG - Avoid use of cfdump tags. *WARNING* - * Avoid leaving <cfdump> tags in committed code. Debug information should be omitted from release code -* CFExecuteChecker - * Parameters - * tagName = *cfexecute* - * AVOID_USING_CFEXECUTE_TAG - Avoid use of cfexecute tags. *WARNING* - * Avoid leaving <cfexecute> tags in committed code. CFexecute can be used as an attack vector and is slow. -* CFBuiltInFunctionChecker - * AVOID_USING_ISDATE - *WARNING* - * Avoid using the isDate built-in function. It is too permissive. Use isValid() instead. -* CFAbortChecker - * Parameters - * tagName = *cfabort* - * AVOID_USING_CFABORT_TAG - Avoid use of cfabort tags. *INFO* - * Avoid leaving <cfabort> tags in committed code. -* AbortChecker - * AVOID_USING_ABORT - Avoid use of abort statements. *INFO* - * Avoid using abort in production code. -* CFInsertChecker - * Parameters - * tagName = *cfinsert* - * AVOID_USING_CFINSERT_TAG - Avoid use of cfinsert tags. *WARNING* - * Avoid using <cfinsert> tags. Use cfquery and cfstoredproc instead. -* CFModuleChecker - * Parameters - * tagName = *cfmodule* - * AVOID_USING_CFMODULE_TAG - Avoid use of cfmodule tags. *WARNING* - * Avoid using <cfmodule> tags. -* CFUpdateChecker - * Parameters - * tagName = *cfupdate* - * AVOID_USING_CFUPDATE_TAG - Avoid use of cfupdate tags. *WARNING* - * Avoid using <cfupdate> tags. Use cfquery and cfstoredproc instead. -* CFIncludeChecker - * Parameters - * tagName = *cfinclude* - * scope = *component* - * AVOID_USING_CFINCLUDE_TAG - Avoid use of cfinclude tags. *WARNING* - * Avoid using <cfinclude> tags. Use components instead. -* ComponentHintChecker - * COMPONENT_HINT_MISSING - Component is missing a hint. *WARNING* - * Component *variable* is missing a hint. -* FunctionHintChecker - * FUNCTION_HINT_MISSING - Function is missing a hint. *INFO* - * Function *variable* is missing a hint. 
-* ArgumentHintChecker - * ARG_HINT_MISSING - Argument is missing a hint. *INFO* - * Argument *variable* is missing a hint. - * ARG_HINT_MISSING_SCRIPT - *INFO* - * Argument *variable* is missing a hint. Use javadoc style annotations on cfscript functions. -* ArgumentTypeChecker - * ARG_TYPE_MISSING - Component is missing a type. *WARNING* - * Argument *variable* is missing a type. - * ARG_TYPE_ANY - Component is of type any. *WARNING* - * Argument *variable* is any. Please change to be a more specific type. -* FunctionLengthChecker - * Parameters - * length = *100* - * EXCESSIVE_FUNCTION_LENGTH - Method is too long. *WARNING* - * Function *function* is *variable* lines. Should be fewer than 100 lines. -* ComponentLengthChecker - * Parameters - * length = *500* - * EXCESSIVE_COMPONENT_LENGTH - Component is too long. *WARNING* - * Component *component* is *variable* lines. Should be fewer than 500 lines. -* FunctionTypeChecker - * FUNCTION_TYPE_MISSING - Function is missing a return type. *WARNING* - * Function *variable* is missing a return type. - * FUNCTION_TYPE_ANY - Function has a return type of any. *INFO* - * Function *variable* return type is any. Please change to be a more specific type. -* TooManyArgumentsChecker - * Parameters - * maximum = *10* - * EXCESSIVE_ARGUMENTS - Function has too many arguments. *WARNING* - * Function *function* has too many arguments. Should be fewer than 10. -* TooManyFunctionsChecker - * Parameters - * maximum = *10* - * EXCESSIVE_FUNCTIONS - Too many functions. *WARNING* - * Component *component* has too many functions. Should be fewer than 10. -* SimpleComplexityChecker - * Parameters - * maximum = *10* - * FUNCTION_TOO_COMPLEX - Function is too complex. *WARNING* - * Function *function* is too complex. Consider breaking the function into smaller functions. -* WriteDumpChecker - * Parameters - * functionName = *writeDump* - * AVOID_USING_WRITEDUMP - Avoid use of writedump statements. 
*INFO* - * Avoid using the writeDump function in production code. -* StructNewChecker - * Parameters - * functionName = *structNew* - * AVOID_USING_STRUCTNEW - Avoid use of structnew statements. Use {} instead. *INFO* - * Avoid using the structNew function in production code. -* IsDebugModeChecker - * Parameters - * functionName = *IsDebugMode* - * AVOID_USING_ISDEBUGMODE - Avoid use of isdebugmode statements. *WARNING* - * Avoid using the IsDebugMode function in production code. -* ArrayNewChecker - * AVOID_USING_ARRAYNEW - Avoid use of arraynew statements. Use [] instead. *INFO* - * Use implict array construction instead (= []). -* ComplexBooleanExpressionChecker - * COMPLEX_BOOLEAN_CHECK - Complex boolean expression. *WARNING* - * Boolean expression is too complex. Consider simplifying or moving to a named method. -* BooleanExpressionChecker - * EXPLICIT_BOOLEAN_CHECK - Checking boolean expression explicitly. *INFO* - * Explicit check of boolean expression is not needed. -* VariableNameChecker - * Parameters - * minLength = *3* - * maxLength = *20* - * maxWords = *4* - * ignoreUpperCaseScopes = *CGI,URL* - * ignoreAllCapsInScopes = *this,variables* - * ignorePrefixPostfixOn = *thisTag* - * case = *camelCase* - * VAR_INVALID_NAME - Variable has invalid name. *INFO* - * Variable *variable* is not a valid name. Please use camelCase or underscores. - * VAR_ALLCAPS_NAME - Variable name is allcaps. *INFO* - * Variable *variable* should not be upper case. - * SCOPE_ALLCAPS_NAME - Variable scope name is allcaps. *INFO* - * Scope *variable* should not be upper case. - * VAR_TOO_SHORT - Variable name is too short. *INFO* - * Variable *variable* should be longer than 3 characters. - * VAR_TOO_LONG - Variable name is too long. *INFO* - * Variable *variable* should be shorter than 20 characters. - * VAR_TOO_WORDY - Variable name contain too many words. *INFO* - * Variable *variable* is too wordy. Try to think of a more concise name. 
- * VAR_IS_TEMPORARY - Variable name looks temporary. *INFO* - * Temporary variable *variable* could be named better. - * VAR_HAS_PREFIX_OR_POSTFIX - Variable name has prefix or postfix. *INFO* - * Variable has prefix or postfix *variable* and could be named better. -* ArgumentNameChecker - * Parameters - * minLength = *3* - * maxLength = *20* - * maxWords = *4* - * case = *camelCase* - * ARGUMENT_MISSING_NAME - *INFO* - * Argument is missing a name. - * ARGUMENT_INVALID_NAME - Argument has invalid name. *INFO* - * Argument *variable* is not a valid name. Please use camelCase or underscores. - * ARGUMENT_ALLCAPS_NAME - Argument name is allcaps. *INFO* - * Argument *variable* should not be upper case. - * ARGUMENT_TOO_SHORT - Argument name is too short. *INFO* - * Argument *variable* should be longer than 3 characters. - * ARGUMENT_TOO_LONG - Argument name is too long. *INFO* - * Argument *variable* should be shorter than 20 characters. - * ARGUMENT_TOO_WORDY - Argument name contain too many words. *INFO* - * Argument *variable* is too wordy. Try to think of a more concise name. - * ARGUMENT_IS_TEMPORARY - Argument name looks temporary. *INFO* - * Temporary argument *variable* could be named better. - * ARGUMENT_HAS_PREFIX_OR_POSTFIX - Argument name has prefix or postfix. *INFO* - * Argument has prefix or postfix *variable* and could be named better. -* MethodNameChecker - * Parameters - * minLength = *3* - * maxLength = *25* - * maxWords = *5* - * case = *camelCase* - * METHOD_INVALID_NAME - Method has invalid name. *INFO* - * Method name *function* is not a valid name. Please use camelCase or underscores. - * METHOD_ALLCAPS_NAME - Method name is allcaps. *INFO* - * Method name *function* should not be upper case. - * METHOD_TOO_SHORT - Method name is too short. *INFO* - * Method name *function* should be longer than 3 characters. - * METHOD_TOO_LONG - Method name is too long. *INFO* - * Method name *function* should be shorter than 25 characters. 
- * METHOD_TOO_WORDY - Method name contain too many words. *INFO* - * Method name *function* is too wordy. Try to think of a more concise name. - * METHOD_IS_TEMPORARY - Method name looks temporary. *INFO* - * Method name *function* could be named better. - * METHOD_HAS_PREFIX_OR_POSTFIX - Method name has prefix or postfix. *INFO* - * Method name *function* has prefix or postfix and could be named better. -* ComponentNameChecker - * Parameters - * minLength = *3* - * maxLength = *15* - * maxWords = *3* - * case = *PascalCase* - * COMPONENT_INVALID_NAME - Component has invalid name. *INFO* - * Component name *component* is not a valid name. Please use PascalCase and start with a capital letter. - * COMPONENT_ALLCAPS_NAME - Component name is allcaps. *INFO* - * Component name *component* should not be all upper case. - * COMPONENT_TOO_SHORT - Component name is too short. *INFO* - * Component name *component* should be longer than 3 characters. - * COMPONENT_TOO_LONG - Component name is too long. *INFO* - * Component name *component* should be shorter than 15 characters. - * COMPONENT_TOO_WORDY - Component name contain too many words. *INFO* - * Component name *component* is too wordy. Try to think of a more concise name. - * COMPONENT_IS_TEMPORARY - Component name looks temporary. *INFO* - * Component name *component* could be named better. - * COMPONENT_HAS_PREFIX_OR_POSTFIX - Component name has prefix or postfix. *INFO* - * Component name *component* has prefix or postfix and could be named better. -* FileCaseChecker - * FILE_SHOULD_START_WITH_LOWERCASE - CFM File starts with upper case. *INFO* - * File *filename* starts with an upper case letter. Only components (.cfc files) should start with an upper case letter. -* CreateObjectChecker - * AVOID_USING_CREATEOBJECT - Avoid use of creatobject statements. *INFO* - * CreateObject found. Use createObject(path_to_component) or even better new path_to_component(). 
-* CFDebugAttributeChecker - * AVOID_USING_DEBUG_ATTR - Avoid use of debug attribute. *WARNING* - * Avoid leaving debug attribute on tags. - * AVOID_USING_CFSETTING_DEBUG - Avoid using showDebugOutput attribute on cfsetting. *WARNING* - * Avoid using showDebugOutput attribute on cfsetting. -* UnusedLocalVarChecker - * Parameters - * usedTagAttributes = *[cfquery/name, cfloop/index, cfloop/item, cfchart/name, cfdocument/name, cfftp/name, cfhtmltopdf/name, cfhttp/resultname, cfimage/name, cfimap/name, cfldap/name, cfoutput/query, cfpdf/name, cfreport/name, cfsavecontent/name, cfstoreproc/result, cfxml/variable]* - * UNUSED_LOCAL_VARIABLE - Unused local variable. *INFO* - * Local variable *variable* is not used in function *function*. Consider removing it. -* UnusedArgumentChecker - * UNUSED_METHOD_ARGUMENT - Unused method argument. *INFO* - * Argument *variable* is not used in function. Consider removing it. -* CFCompareVsAssignChecker - * COMPARE_INSTEAD_OF_ASSIGN - Using comparision where assignment was probably meant. *WARNING* - * CWE-482: Comparing instead of Assigning -* StructKeyChecker - * UNQUOTED_STRUCT_KEY - *WARNING* - * Unquoted struct key *variable* is not case-sensitive. Quoting it is recommended. - * STRUCT_ARRAY_NOTATION - *WARNING* - * Unquoted struct key *variable* is not case-sensitive. Using array notation is recommended. -* SelectStarChecker - * SQL_SELECT_STAR - *WARNING* - * Avoid using 'select *' in a query. -* CFQueryChecker - * NEVER_USE_QUERY_IN_CFM - ** - * Don't use <cfquery> in .cfm files. Database should not be coupled with view. -* ComponentDisplayNameChecker - * USE_DISPLAY_NAME - *INFO* - * Component *variable* has a name attribute, but perhaps you meant to use displayName. 
-* GlobalLiteralChecker - * Parameters - * maximum = *3* - * maxWarnings = *5* - * warningScope = *global* - * ignoreWords = *numeric,text,textnocase,asc,desc,in,out,inout,one,all,bigdecimal,boolean,byte,char,int,long,float,double,short,string,null* - * GLOBAL_LITERAL_VALUE_USED_TOO_OFTEN - *WARNING* - * Literal *variable* occurs several times in one or more files. Consider giving it a name and not hard coding values. -* LocalLiteralChecker - * Parameters - * maximum = *3* - * maxWarnings = *5* - * warningScope = *local* - * ignoreWords = *numeric,text,textnocase,asc,desc,in,out,inout,one,all,bigdecimal,boolean,byte,char,int,long,float,double,short,string,null* - * LOCAL_LITERAL_VALUE_USED_TOO_OFTEN - *WARNING* - * Literal *variable* occurs several times in the same file. Consider giving it a name and not hard coding values. -* PackageCaseChecker - * PACKAGE_CASE_MISMATCH - Warn with package case does not match its use. *WARNING* - * The case of the package folder and the object declaration do not match for *variable*. +# Built-in Rules + +## Rule List + +### ArgDefChecker + +#### ARG_DEFAULT_MISSING + +Optional argument is missing a default value. + +**Severity**: WARNING + +**Message**: Argument *variable* is not required and does not define a default value. + +### ArgVarChecker + +#### ARG_VAR_CONFLICT + +Variable declared in both local and argument scopes. + +**Severity**: ERROR + +**Message**: Variable *variable* should not be declared in both local and argument scopes. + +#### ARG_VAR_MIXED + +Variable referenced in local and argument scopes. + +**Severity**: INFO + +**Message**: Variable *variable* should not be referenced in local and argument scope. + +### CFSwitchDefaultChecker + +#### NO_DEFAULT_INSIDE_SWITCH + +Missing default switch statement. + +**Severity**: WARNING + +**Message**: Not having a Default statement defined for a switch could pose potential issues. + +### GlobalVarChecker + +#### GLOBAL_VAR + +Global variable exists. 
+ +**Severity**: WARNING + +**Message**: Identifier *variable* is global. Referencing in a CFC or function should be avoided. + +### NestedCFOutput + +#### NESTED_CFOUTPUT + +Nested cfoutput with cfquery tag. + +**Severity**: ERROR + +**Message**: Nested CFOutput, outer CFOutput has @query. + +### OutputParmMissing + +#### OUTPUT_ATTR + +Tag should have output='false'. + +**Severity**: INFO + +**Message**: <*tag* name="*variable*"> should have @output='false' + +### QueryParamChecker + +#### QUERYPARAM_REQ + +Use query parameters for variables in sql statements. + +**Severity**: WARNING + +**Message**: Use query parameters for variables in sql statements. + +#### CFQUERYPARAM_REQ + +cfquery should use <cfqueryparam>. + +**Severity**: WARNING + +**Message**: <*tag*> should use <cfqueryparam/> for variable '*variable*'. + +### TypedQueryNew + +#### QUERYNEW_DATATYPE + +QueryNew statement should specify data types. + +**Severity**: WARNING + +**Message**: QueryNew statement should specify datatypes. + +### VarScoper + +#### MISSING_VAR + +Variable is not declared with a var statement. + +**Severity**: ERROR + +**Message**: Variable *variable* is not declared with a var statement. + +### CFDumpChecker + +#### AVOID_USING_CFDUMP_TAG + +Avoid use of cfdump tags. + +**Severity**: WARNING + +**Message**: Avoid leaving <cfdump> tags in committed code. Debug information should be omitted from release code + +### CFExecuteChecker + +#### AVOID_USING_CFEXECUTE_TAG + +Avoid use of cfexecute tags. + +**Severity**: WARNING + +**Message**: Avoid leaving <cfexecute> tags in committed code. CFexecute can be used as an attack vector and is slow. + +### CFBuiltInFunctionChecker + +#### AVOID_USING_ISDATE + +**Severity**: WARNING + +**Message**: Avoid using the isDate built-in function. It is too permissive. Use isValid() instead. + +### CFAbortChecker + +#### AVOID_USING_CFABORT_TAG + +Avoid use of cfabort tags. 
+ +**Severity**: INFO + +**Message**: Avoid leaving <cfabort> tags in committed code. + +### AbortChecker + +#### AVOID_USING_ABORT + +Avoid use of abort statements. + +**Severity**: INFO + +**Message**: Avoid using abort in production code. + +### CFInsertChecker + +#### AVOID_USING_CFINSERT_TAG + +Avoid use of cfinsert tags. + +**Severity**: WARNING + +**Message**: Avoid using <cfinsert> tags. Use cfquery and cfstoredproc instead. + +### CFModuleChecker + +#### AVOID_USING_CFMODULE_TAG + +Avoid use of cfmodule tags. + +**Severity**: WARNING + +**Message**: Avoid using <cfmodule> tags. + +### CFUpdateChecker + +#### AVOID_USING_CFUPDATE_TAG + +Avoid use of cfupdate tags. + +**Severity**: WARNING + +**Message**: Avoid using <cfupdate> tags. Use cfquery and cfstoredproc instead. + +### CFIncludeChecker + +#### AVOID_USING_CFINCLUDE_TAG + +Avoid use of cfinclude tags. + +**Severity**: WARNING + +**Message**: Avoid using <cfinclude> tags. Use components instead. + +### ComponentHintChecker + +#### COMPONENT_HINT_MISSING + +Component is missing a hint. + +**Severity**: WARNING + +**Message**: Component *variable* is missing a hint. + +### FunctionHintChecker + +#### FUNCTION_HINT_MISSING + +Function is missing a hint. + +**Severity**: INFO + +**Message**: Function *variable* is missing a hint. + +### ArgumentHintChecker + +#### ARG_HINT_MISSING + +Argument is missing a hint. + +**Severity**: INFO + +**Message**: Argument *variable* is missing a hint. + +#### ARG_HINT_MISSING_SCRIPT + +**Severity**: INFO + +**Message**: Argument *variable* is missing a hint. Use javadoc style annotations on cfscript functions. + +### ArgumentTypeChecker + +#### ARG_TYPE_MISSING + +Component is missing a type. + +**Severity**: WARNING + +**Message**: Argument *variable* is missing a type. + +#### ARG_TYPE_ANY + +Component is of type any. + +**Severity**: WARNING + +**Message**: Argument *variable* is any. Please change to be a more specific type. 
+ +### FunctionLengthChecker + +#### EXCESSIVE_FUNCTION_LENGTH + +Method is too long. + +**Severity**: WARNING + +**Message**: Function *function* is *variable* lines. Should be fewer than 100 lines. + +#### FunctionLengthChecker Parameters + +* length = *100* + +### ComponentLengthChecker + +#### EXCESSIVE_COMPONENT_LENGTH + +Component is too long. + +**Severity**: WARNING + +**Message**: Component *component* is *variable* lines. Should be fewer than 500 lines. + +#### ComponentLengthChecker Parameters + +* length = *500* + +### FunctionTypeChecker + +#### FUNCTION_TYPE_MISSING + +Function is missing a return type. + +**Severity**: WARNING + +**Message**: Function *variable* is missing a return type. + +#### FUNCTION_TYPE_ANY + +Function has a return type of any. + +**Severity**: INFO + +**Message**: Function *variable* return type is any. Please change to be a more specific type. + +### TooManyArgumentsChecker + +#### EXCESSIVE_ARGUMENTS + +Function has too many arguments. + +**Severity**: WARNING + +**Message**: Function *function* has too many arguments. Should be fewer than 10. + +#### TooManyArgumentsChecker Parameters + +* maximum = *10* + +### TooManyFunctionsChecker + +#### EXCESSIVE_FUNCTIONS + +Too many functions. + +**Severity**: WARNING + +**Message**: Component *component* has too many functions. Should be fewer than 10. + +#### TooManyFunctionsChecker Parameters + +* maximum = *10* + +### SimpleComplexityChecker + +#### FUNCTION_TOO_COMPLEX + +Function is too complex. + +**Severity**: WARNING + +**Message**: Function *function* is too complex. Consider breaking the function into smaller functions. + +#### SimpleComplexityChecker Parameters + +* maximum = *10* + +### QueryNewChecker + +#### QUERYNEW_DUPLICATE_COLUMNS + +**Severity**: ERROR + +**Message**: QueryNew declares column *variable* multiple times, this is a hard error in some CFML implementations. + +### WriteDumpChecker + +#### AVOID_USING_WRITEDUMP + +Avoid use of writeDump statements. 
+ +**Severity**: INFO + +**Message**: Avoid using the writeDump function in production code. + +### StructNewChecker + +#### AVOID_USING_STRUCTNEW + +Avoid use of structNew statements. Use {} instead. + +**Severity**: INFO + +**Message**: Avoid using the structNew function in production code. + +### IsDebugModeChecker + +#### AVOID_USING_ISDEBUGMODE + +Avoid use of isDebugMode statements. + +**Severity**: WARNING + +**Message**: Avoid using the IsDebugMode function in production code. + +### FunctionCollisionChecker + +#### FUNCTION_NAME_COLLISION + +**Severity**: WARNING + +**Message**: Avoid using the name *variable* for a function. It is reserved in some CFML implementations. See https://cfdocs.org/*variable* + +### ArrayNewChecker + +#### AVOID_USING_ARRAYNEW + +Avoid use of arrayNew statements. Use [] instead. + +**Severity**: INFO + +**Message**: Use implict array construction instead (= []). + +### ComplexBooleanExpressionChecker + +#### COMPLEX_BOOLEAN_CHECK + +Complex boolean expression. + +**Severity**: WARNING + +**Message**: Boolean expression is too complex. Consider simplifying or moving to a named method. + +### BooleanExpressionChecker + +#### EXPLICIT_BOOLEAN_CHECK + +Checking boolean expression explicitly. + +**Severity**: INFO + +**Message**: Explicit check of boolean expression is not needed. + +### VariableNameChecker + +#### VAR_INVALID_NAME + +Variable has invalid name. + +**Severity**: INFO + +**Message**: Variable *variable* is not a valid name. Please use camelCase or underscores. + +#### VAR_ALLCAPS_NAME + +Variable name is all caps. + +**Severity**: INFO + +**Message**: Variable *variable* should not be upper case. + +#### SCOPE_ALLCAPS_NAME + +Variable scope name is all caps. + +**Severity**: INFO + +**Message**: Scope *variable* should not be upper case. + +#### VAR_TOO_SHORT + +Variable name is too short. + +**Severity**: INFO + +**Message**: Variable *variable* should be longer than 3 characters. 
+ +#### VAR_TOO_LONG + +Variable name is too long. + +**Severity**: INFO + +**Message**: Variable *variable* should be shorter than 20 characters. + +#### VAR_TOO_WORDY + +Variable name contain too many words. + +**Severity**: INFO + +**Message**: Variable *variable* is too wordy. Try to think of a more concise name. + +#### VAR_IS_TEMPORARY + +Variable name looks temporary. + +**Severity**: INFO + +**Message**: Temporary variable *variable* could be named better. + +#### VAR_HAS_PREFIX_OR_POSTFIX + +Variable name has prefix or postfix. + +**Severity**: INFO + +**Message**: Variable has prefix or postfix *variable* and could be named better. + +#### VariableNameChecker Parameters + +* minLength = *3* + +* maxLength = *20* + +* maxWords = *4* + +* ignoreUpperCaseScopes = *CGI,URL* + +* ignoreAllCapsInScopes = *this,variables* + +* ignorePrefixPostfixOn = *thisTag* + +* case = *camelCase* + +### ArgumentNameChecker + +#### ARGUMENT_MISSING_NAME + +**Severity**: INFO + +**Message**: Argument is missing a name. + +#### ARGUMENT_INVALID_NAME + +Argument has invalid name. + +**Severity**: INFO + +**Message**: Argument *variable* is not a valid name. Please use camelCase or underscores. + +#### ARGUMENT_ALLCAPS_NAME + +Argument name is all caps. + +**Severity**: INFO + +**Message**: Argument *variable* should not be upper case. + +#### ARGUMENT_TOO_SHORT + +Argument name is too short. + +**Severity**: INFO + +**Message**: Argument *variable* should be longer than 3 characters. + +#### ARGUMENT_TOO_LONG + +Argument name is too long. + +**Severity**: INFO + +**Message**: Argument *variable* should be shorter than 20 characters. + +#### ARGUMENT_TOO_WORDY + +Argument name contain too many words. + +**Severity**: INFO + +**Message**: Argument *variable* is too wordy. Try to think of a more concise name. + +#### ARGUMENT_IS_TEMPORARY + +Argument name looks temporary. + +**Severity**: INFO + +**Message**: Temporary argument *variable* could be named better. 
+ +#### ARGUMENT_HAS_PREFIX_OR_POSTFIX + +Argument name has prefix or postfix. + +**Severity**: INFO + +**Message**: Argument has prefix or postfix *variable* and could be named better. + +#### ArgumentNameChecker Parameters + +* minLength = *3* + +* maxLength = *20* + +* maxWords = *4* + +* case = *camelCase* + +### MethodNameChecker + +#### METHOD_INVALID_NAME + +Method has invalid name. + +**Severity**: INFO + +**Message**: Method name *function* is not a valid name. Please use camelCase or underscores. + +#### METHOD_ALLCAPS_NAME + +Method name is all caps. + +**Severity**: INFO + +**Message**: Method name *function* should not be upper case. + +#### METHOD_TOO_SHORT + +Method name is too short. + +**Severity**: INFO + +**Message**: Method name *function* should be longer than 3 characters. + +#### METHOD_TOO_LONG + +Method name is too long. + +**Severity**: INFO + +**Message**: Method name *function* should be shorter than 25 characters. + +#### METHOD_TOO_WORDY + +Method name contain too many words. + +**Severity**: INFO + +**Message**: Method name *function* is too wordy. Try to think of a more concise name. + +#### METHOD_IS_TEMPORARY + +Method name looks temporary. + +**Severity**: INFO + +**Message**: Method name *function* could be named better. + +#### METHOD_HAS_PREFIX_OR_POSTFIX + +Method name has prefix or postfix. + +**Severity**: INFO + +**Message**: Method name *function* has prefix or postfix and could be named better. + +#### MethodNameChecker Parameters + +* minLength = *3* + +* maxLength = *25* + +* maxWords = *5* + +* case = *camelCase* + +### ComponentNameChecker + +#### COMPONENT_INVALID_NAME + +Component has invalid name. + +**Severity**: INFO + +**Message**: Component name *component* is not a valid name. Please use PascalCase and start with a capital letter. + +#### COMPONENT_ALLCAPS_NAME + +Component name is all caps. + +**Severity**: INFO + +**Message**: Component name *component* should not be all upper case. 
+ +#### COMPONENT_TOO_SHORT + +Component name is too short. + +**Severity**: INFO + +**Message**: Component name *component* should be longer than 3 characters. + +#### COMPONENT_TOO_LONG + +Component name is too long. + +**Severity**: INFO + +**Message**: Component name *component* should be shorter than 15 characters. + +#### COMPONENT_TOO_WORDY + +Component name contain too many words. + +**Severity**: INFO + +**Message**: Component name *component* is too wordy. Try to think of a more concise name. + +#### COMPONENT_IS_TEMPORARY + +Component name looks temporary. + +**Severity**: INFO + +**Message**: Component name *component* could be named better. + +#### COMPONENT_HAS_PREFIX_OR_POSTFIX + +Component name has prefix or postfix. + +**Severity**: INFO + +**Message**: Component name *component* has prefix or postfix and could be named better. + +#### ComponentNameChecker Parameters + +* minLength = *3* + +* maxLength = *15* + +* maxWords = *3* + +* case = *PascalCase* + +### FileCaseChecker + +#### FILE_SHOULD_START_WITH_LOWERCASE + +CFM File starts with upper case. + +**Severity**: INFO + +**Message**: File *filename* starts with an upper case letter. Only components (.cfc files) should start with an upper case letter. + +### CreateObjectChecker + +#### AVOID_USING_CREATEOBJECT + +Avoid use of creatObject statements. + +**Severity**: INFO + +**Message**: CreateObject found. Use createObject(path_to_component) or even better new path_to_component(). + +### CFDebugAttributeChecker + +#### AVOID_USING_DEBUG_ATTR + +Avoid use of debug attribute. + +**Severity**: WARNING + +**Message**: Avoid leaving debug attribute on tags. + +#### AVOID_USING_CFSETTING_DEBUG + +Avoid using showDebugOutput attribute on cfsetting. + +**Severity**: WARNING + +**Message**: Avoid using showDebugOutput attribute on cfsetting. + +### UnusedLocalVarChecker + +#### UNUSED_LOCAL_VARIABLE + +Unused local variable. 
+ +**Severity**: INFO + +**Message**: Local variable *variable* is not used in function *function*. Consider removing it. + +### UnusedArgumentChecker + +#### UNUSED_METHOD_ARGUMENT + +Unused method argument. + +**Severity**: INFO + +**Message**: Argument *variable* is not used in function. Consider removing it. + +### CFCompareVsAssignChecker + +#### COMPARE_INSTEAD_OF_ASSIGN + +Using comparison where assignment was probably meant. + +**Severity**: WARNING + +**Message**: CWE-482: Comparing instead of Assigning + +### StructKeyChecker + +#### UNQUOTED_STRUCT_KEY + +**Severity**: WARNING + +**Message**: Unquoted struct key *variable* is not case-sensitive. Quoting it is recommended. + +#### STRUCT_ARRAY_NOTATION + +**Severity**: WARNING + +**Message**: Unquoted struct key *variable* is not case-sensitive. Using array notation is recommended. + +### SelectStarChecker + +#### SQL_SELECT_STAR + +**Severity**: WARNING + +**Message**: Avoid using 'select *' in a query. + +### CFQueryChecker + +#### NEVER_USE_QUERY_IN_CFM + +**Message**: Don't use <cfquery> in .cfm files. Database should not be coupled with view. + +### ComponentDisplayNameChecker + +#### USE_DISPLAY_NAME + +**Severity**: INFO + +**Message**: Component *variable* has a name attribute, but perhaps you meant to use displayName. + +### GlobalLiteralChecker + +#### GLOBAL_LITERAL_VALUE_USED_TOO_OFTEN + +**Severity**: INFO + +**Message**: Literal *variable* occurs several times in one or more files. Consider giving it a name and not hard coding values. + +#### GlobalLiteralChecker Parameters + +* maximum = *3* + +* maxWarnings = *5* + +* warningScope = *global* + +* ignoreWords = *numeric,text,textnocase,asc,desc,in,out,inout,one,all,bigdecimal,boolean,byte,char,int,long,float,double,short,string,null* + +### LocalLiteralChecker + +#### LOCAL_LITERAL_VALUE_USED_TOO_OFTEN + +**Severity**: INFO + +**Message**: Literal *variable* occurs several times in the same file. 
Consider giving it a name and not hard coding values. + +#### LocalLiteralChecker Parameters + +* maximum = *3* + +* maxWarnings = *5* + +* warningScope = *local* + +* ignoreWords = *numeric,text,textnocase,asc,desc,in,out,inout,one,all,bigdecimal,boolean,byte,char,int,long,float,double,short,string,null* + +### PackageCaseChecker + +#### PACKAGE_CASE_MISMATCH + +Warn with package case does not match its use. + +**Severity**: WARNING + +**Message**: The case of the package folder and the object declaration do not match for *variable*. + ## Rule Groups + ### BugProne - * ARG_VAR_CONFLICT *ERROR* - * NO_DEFAULT_INSIDE_SWITCH *WARNING* - * NESTED_CFOUTPUT *ERROR* - * OUTPUT_ATTR *INFO* - * MISSING_VAR *ERROR* - * COMPARE_INSTEAD_OF_ASSIGN *WARNING* - * AVOID_USING_ISDATE *WARNING* + +* [ARG_VAR_CONFLICT](#arg_var_conflict) + +* [NO_DEFAULT_INSIDE_SWITCH](#no_default_inside_switch) + +* [NESTED_CFOUTPUT](#nested_cfoutput) + +* [OUTPUT_ATTR](#output_attr) + +* [MISSING_VAR](#missing_var) + +* [COMPARE_INSTEAD_OF_ASSIGN](#compare_instead_of_assign) + +* [AVOID_USING_ISDATE](#avoid_using_isdate) + ### Correctness - * ARG_DEFAULT_MISSING *WARNING* - * ARG_TYPE_ANY *WARNING* - * ARG_TYPE_MISSING *WARNING* - * ARG_VAR_MIXED *INFO* - * QUERYNEW_DATATYPE *WARNING* - * UNUSED_LOCAL_VARIABLE *INFO* - * UNUSED_METHOD_ARGUMENT *INFO* - * UNQUOTED_STRUCT_KEY *WARNING* - * STRUCT_ARRAY_NOTATION *WARNING* - * USE_DISPLAY_NAME *INFO* + +* [ARG_DEFAULT_MISSING](#arg_default_missing) + +* [ARG_TYPE_ANY](#arg_type_any) + +* [ARG_TYPE_MISSING](#arg_type_missing) + +* [ARG_VAR_MIXED](#arg_var_mixed) + +* [QUERYNEW_DATATYPE](#querynew_datatype) + +* [UNUSED_LOCAL_VARIABLE](#unused_local_variable) + +* [UNUSED_METHOD_ARGUMENT](#unused_method_argument) + +* [UNQUOTED_STRUCT_KEY](#unquoted_struct_key) + +* [STRUCT_ARRAY_NOTATION](#struct_array_notation) + +* [USE_DISPLAY_NAME](#use_display_name) + ### BadPractice - * AVOID_USING_ABORT *INFO* - * AVOID_USING_CFABORT_TAG *INFO* - * 
AVOID_USING_CFDUMP_TAG *WARNING* - * AVOID_USING_CFEXECUTE_TAG *WARNING* - * AVOID_USING_CFINSERT_TAG *WARNING* - * AVOID_USING_CFMODULE_TAG *WARNING* - * AVOID_USING_CFUPDATE_TAG *WARNING* - * AVOID_USING_WRITEDUMP *INFO* - * GLOBAL_LITERAL_VALUE_USED_TOO_OFTEN *WARNING* - * GLOBAL_VAR *WARNING* - * LOCAL_LITERAL_VALUE_USED_TOO_OFTEN *WARNING* - * SQL_SELECT_STAR *WARNING* - * AVOID_USING_DEBUG_ATTR *WARNING* - * AVOID_USING_CFSETTING_DEBUG *WARNING* - * AVOID_USING_CFINCLUDE_TAG *WARNING* - * AVOID_USING_ISDEBUGMODE *WARNING* + +* [AVOID_USING_ABORT](#avoid_using_abort) + +* [AVOID_USING_CFABORT_TAG](#avoid_using_cfabort_tag) + +* [AVOID_USING_CFDUMP_TAG](#avoid_using_cfdump_tag) + +* [AVOID_USING_CFEXECUTE_TAG](#avoid_using_cfexecute_tag) + +* [AVOID_USING_CFINSERT_TAG](#avoid_using_cfinsert_tag) + +* [AVOID_USING_CFMODULE_TAG](#avoid_using_cfmodule_tag) + +* [AVOID_USING_CFUPDATE_TAG](#avoid_using_cfupdate_tag) + +* [AVOID_USING_WRITEDUMP](#avoid_using_writedump) + +* [GLOBAL_LITERAL_VALUE_USED_TOO_OFTEN](#global_literal_value_used_too_often) + +* [GLOBAL_VAR](#global_var) + +* [LOCAL_LITERAL_VALUE_USED_TOO_OFTEN](#local_literal_value_used_too_often) + +* [SQL_SELECT_STAR](#sql_select_star) + +* [AVOID_USING_DEBUG_ATTR](#avoid_using_debug_attr) + +* [AVOID_USING_CFSETTING_DEBUG](#avoid_using_cfsetting_debug) + +* [AVOID_USING_CFINCLUDE_TAG](#avoid_using_cfinclude_tag) + +* [AVOID_USING_ISDEBUGMODE](#avoid_using_isdebugmode) + ### Security - * CFQUERYPARAM_REQ *WARNING* - * QUERYPARAM_REQ *WARNING* + +* [CFQUERYPARAM_REQ](#cfqueryparam_req) + +* [QUERYPARAM_REQ](#queryparam_req) + ### CodeStyle - * ARG_HINT_MISSING *INFO* - * COMPONENT_HINT_MISSING *WARNING* - * FUNCTION_HINT_MISSING *INFO* - * FUNCTION_TYPE_ANY *INFO* - * FUNCTION_TYPE_MISSING *WARNING* - * ARG_HINT_MISSING_SCRIPT *INFO* + +* [ARG_HINT_MISSING](#arg_hint_missing) + +* [COMPONENT_HINT_MISSING](#component_hint_missing) + +* [FUNCTION_HINT_MISSING](#function_hint_missing) + +* 
[FUNCTION_TYPE_ANY](#function_type_any) + +* [FUNCTION_TYPE_MISSING](#function_type_missing) + +* [ARG_HINT_MISSING_SCRIPT](#arg_hint_missing_script) + ### ModernSyntax - * AVOID_USING_ARRAYNEW *INFO* - * AVOID_USING_STRUCTNEW *INFO* - * AVOID_USING_CREATEOBJECT *INFO* + +* [AVOID_USING_ARRAYNEW](#avoid_using_arraynew) + +* [AVOID_USING_STRUCTNEW](#avoid_using_structnew) + +* [AVOID_USING_CREATEOBJECT](#avoid_using_createobject) + ### Complexity - * COMPLEX_BOOLEAN_CHECK *WARNING* - * EXCESSIVE_FUNCTIONS *WARNING* - * EXCESSIVE_ARGUMENTS *WARNING* - * EXPLICIT_BOOLEAN_CHECK *INFO* - * EXCESSIVE_COMPONENT_LENGTH *WARNING* - * EXCESSIVE_FUNCTION_LENGTH *WARNING* - * FUNCTION_TOO_COMPLEX *WARNING* + +* [COMPLEX_BOOLEAN_CHECK](#complex_boolean_check) + +* [EXCESSIVE_FUNCTIONS](#excessive_functions) + +* [EXCESSIVE_ARGUMENTS](#excessive_arguments) + +* [EXPLICIT_BOOLEAN_CHECK](#explicit_boolean_check) + +* [EXCESSIVE_COMPONENT_LENGTH](#excessive_component_length) + +* [EXCESSIVE_FUNCTION_LENGTH](#excessive_function_length) + +* [FUNCTION_TOO_COMPLEX](#function_too_complex) + ### Naming - * METHOD_HAS_PREFIX_OR_POSTFIX *INFO* - * METHOD_INVALID_NAME *INFO* - * METHOD_IS_TEMPORARY *INFO* - * METHOD_TOO_SHORT *INFO* - * METHOD_TOO_LONG *INFO* - * METHOD_TOO_WORDY *INFO* - * VAR_ALLCAPS_NAME *INFO* - * VAR_HAS_PREFIX_OR_POSTFIX *INFO* - * VAR_INVALID_NAME *INFO* - * VAR_IS_TEMPORARY *INFO* - * VAR_TOO_SHORT *INFO* - * VAR_TOO_LONG *INFO* - * VAR_TOO_WORDY *INFO* - * SCOPE_ALLCAPS_NAME *INFO* - * ARGUMENT_MISSING_NAME *INFO* - * ARGUMENT_INVALID_NAME *INFO* - * ARGUMENT_ALLCAPS_NAME *INFO* - * ARGUMENT_TOO_SHORT *INFO* - * ARGUMENT_TOO_LONG *INFO* - * ARGUMENT_TOO_WORDY *INFO* - * ARGUMENT_IS_TEMPORARY *INFO* - * ARGUMENT_HAS_PREFIX_OR_POSTFIX *INFO* - * METHOD_ALLCAPS_NAME *INFO* - * COMPONENT_INVALID_NAME *INFO* - * COMPONENT_ALLCAPS_NAME *INFO* - * COMPONENT_TOO_SHORT *INFO* - * COMPONENT_TOO_LONG *INFO* - * COMPONENT_TOO_WORDY *INFO* - * COMPONENT_IS_TEMPORARY *INFO* - * 
COMPONENT_HAS_PREFIX_OR_POSTFIX *INFO* - * PACKAGE_CASE_MISMATCH *WARNING* + +* [METHOD_HAS_PREFIX_OR_POSTFIX](#method_has_prefix_or_postfix) + +* [METHOD_INVALID_NAME](#method_invalid_name) + +* [METHOD_IS_TEMPORARY](#method_is_temporary) + +* [METHOD_TOO_SHORT](#method_too_short) + +* [METHOD_TOO_LONG](#method_too_long) + +* [METHOD_TOO_WORDY](#method_too_wordy) + +* [VAR_ALLCAPS_NAME](#var_allcaps_name) + +* [VAR_HAS_PREFIX_OR_POSTFIX](#var_has_prefix_or_postfix) + +* [VAR_INVALID_NAME](#var_invalid_name) + +* [VAR_IS_TEMPORARY](#var_is_temporary) + +* [VAR_TOO_SHORT](#var_too_short) + +* [VAR_TOO_LONG](#var_too_long) + +* [VAR_TOO_WORDY](#var_too_wordy) + +* [SCOPE_ALLCAPS_NAME](#scope_allcaps_name) + +* [ARGUMENT_MISSING_NAME](#argument_missing_name) + +* [ARGUMENT_INVALID_NAME](#argument_invalid_name) + +* [ARGUMENT_ALLCAPS_NAME](#argument_allcaps_name) + +* [ARGUMENT_TOO_SHORT](#argument_too_short) + +* [ARGUMENT_TOO_LONG](#argument_too_long) + +* [ARGUMENT_TOO_WORDY](#argument_too_wordy) + +* [ARGUMENT_IS_TEMPORARY](#argument_is_temporary) + +* [ARGUMENT_HAS_PREFIX_OR_POSTFIX](#argument_has_prefix_or_postfix) + +* [METHOD_ALLCAPS_NAME](#method_allcaps_name) + +* [COMPONENT_INVALID_NAME](#component_invalid_name) + +* [COMPONENT_ALLCAPS_NAME](#component_allcaps_name) + +* [COMPONENT_TOO_SHORT](#component_too_short) + +* [COMPONENT_TOO_LONG](#component_too_long) + +* [COMPONENT_TOO_WORDY](#component_too_wordy) + +* [COMPONENT_IS_TEMPORARY](#component_is_temporary) + +* [COMPONENT_HAS_PREFIX_OR_POSTFIX](#component_has_prefix_or_postfix) + +* [PACKAGE_CASE_MISMATCH](#package_case_mismatch) + ### Experimental - * NEVER_USE_QUERY_IN_CFM ** - * FILE_SHOULD_START_WITH_LOWERCASE *INFO* +* [NEVER_USE_QUERY_IN_CFM](#never_use_query_in_cfm) + +* [FILE_SHOULD_START_WITH_LOWERCASE](#file_should_start_with_lowercase) diff --git a/src/main/java/com/cflint/cli/CFLintCLI.java b/src/main/java/com/cflint/cli/CFLintCLI.java index afa0aece9..0d1607464 100644 
--- a/src/main/java/com/cflint/cli/CFLintCLI.java +++ b/src/main/java/com/cflint/cli/CFLintCLI.java @@ -226,9 +226,9 @@ public static void main(final String[] args) throws Exception { final CFLintPluginInfo pluginInfo = ConfigUtils.loadDefaultPluginInfo(); final ConfigBuilder configBuilder = new ConfigBuilder(pluginInfo); if (cmd.hasOption(Settings.MARKDOWN)){ - final FileWriter out = new FileWriter("RULES.MD"); + final FileWriter out = new FileWriter("RULES.md"); CFLintDoc.generateRuleMarkDown(pluginInfo, new PrintWriter(out)); - System.out.println("Rules written to RULES.MD"); + System.out.println("Rules written to RULES.md"); out.close(); return; } diff --git a/src/main/java/com/cflint/tools/CFLintDoc.java b/src/main/java/com/cflint/tools/CFLintDoc.java index 97f795980..b910cbf2c 100644 --- a/src/main/java/com/cflint/tools/CFLintDoc.java +++ b/src/main/java/com/cflint/tools/CFLintDoc.java @@ -6,7 +6,6 @@ import java.util.List; import java.util.Map; -import com.cflint.config.CFLintConfiguration; import com.cflint.config.CFLintPluginInfo; import com.cflint.config.ConfigUtils; import com.cflint.config.CFLintPluginInfo.PluginInfoRule; @@ -37,50 +36,56 @@ public static void generateRuleGroup(final CFLintPluginInfo pluginInfo, final Pr } } } - + public static void generateRuleMarkDown(final CFLintPluginInfo pluginInfo, final PrintWriter print){ final Map descriptions = ConfigUtils.loadDescriptions(); - final List diminishParms = Arrays.asList("UnusedLocalVarChecker","CFXTagChecker","FunctionXChecker"); - print.println("List of built-in rules and rule groups"); - print.println("======================================"); - print.println("## Rule Parameters "); - for(PluginInfoRule ruleInfo: pluginInfo.getRules()){ - //Do not highlight specific parameters. - if(!diminishParms.contains(ruleInfo.getClassName())){ - for(PluginParameter p: ruleInfo.getParameters()){ - print.println("
" + ruleInfo.getName()+"." + p.getName() + " = *" + p.getValue() + "*"); + final List diminishParams = Arrays.asList("UnusedLocalVarChecker","CFXTagChecker","FunctionXChecker"); + print.println("# Built-in Rules"); + print.println(""); + print.println("## Rule List"); + + for (PluginInfoRule ruleInfo: pluginInfo.getRules()) { + print.println(""); + print.println("### " + ruleInfo.getName()); + + for (PluginMessage msg: ruleInfo.getMessages()) { + final String desc = descriptions.get(msg.getCode()) != null ? + descriptions.get(msg.getCode()).replace(">", ">").replace("<", "<") : ""; + print.println(""); + print.println("#### "+ msg.getCode()); + if (desc.length() > 0) { + print.println(""); + print.println(desc); } - } - } - print.println("## Built-in rules"); - - for(PluginInfoRule ruleInfo: pluginInfo.getRules()){ - print.println("* "+ ruleInfo.getName()); - final String className = ruleInfo.getClassName()==null?ruleInfo.getName():ruleInfo.getClassName(); - final String fullClassName = className.contains(".")?className: - "com.cflint.plugins.core." + className; - //print.println("**Class:** "+fullClassName); - if(!ruleInfo.getParameters().isEmpty()){ - print.println(" * Parameters"); - for(PluginParameter p: ruleInfo.getParameters()){ - print.println(" * " + p.getName() + " = *" + p.getValue() + "*"); + if (msg.getSeverity().toString().length() > 0) { + print.println(""); + print.println("**Severity**: " + msg.getSeverity()); + } + final String messageText = cleanUpMessage(msg,ruleInfo); + if (messageText.length() > 0) { + print.println(""); + print.println("**Message**: " + messageText); } } - int counter = 1; - for(PluginMessage msg: ruleInfo.getMessages()){ - final String desc = descriptions.get(msg.getCode())!=null? 
- descriptions.get(msg.getCode()).replace(">", ">").replace("<", "<"):""; - print.println(" * "+ msg.getCode() + " - " + desc+ " *" + msg.getSeverity() + "*"); - print.println(" * "+ cleanUpMessage(msg,ruleInfo) ); + + if (!ruleInfo.getParameters().isEmpty() && !diminishParams.contains(ruleInfo.getClassName())) { + print.println(""); + print.println("#### " + ruleInfo.getName() + " Parameters"); + for (PluginParameter p: ruleInfo.getParameters()) { + print.println(""); + print.println("* " + p.getName() + " = *" + p.getValue() + "*"); + } } } - + + print.println(""); print.println("## Rule Groups"); - for (final RuleGroup ruleGroup : pluginInfo.getRuleGroups()) { + print.println(""); print.println("### " + ruleGroup.getName()); for (final PluginMessage msg : ruleGroup.getMessages()) { - print.println(" * " + msg.getCode() + " *" + msg.getSeverity() + "*"); + print.println(""); + print.println("* [" + msg.getCode() + "](#" + msg.getCode().toLowerCase() + ")"); } } } diff --git a/src/main/resources/cflint.description.txt b/src/main/resources/cflint.description.txt index afe2d8eac..cbcdd7c7d 100644 --- a/src/main/resources/cflint.description.txt +++ b/src/main/resources/cflint.description.txt @@ -3,11 +3,11 @@ ARG_VAR_CONFLICT:Variable declared in both local and argument scopes. ARG_VAR_MIXED:Variable referenced in local and argument scopes. NO_DEFAULT_INSIDE_SWITCH:Missing default switch statement. GLOBAL_VAR:Global variable exists. -NESTED_CFOUTPUT:Nexted cfoutput with cfquery tag. +NESTED_CFOUTPUT:Nested cfoutput with cfquery tag. OUTPUT_ATTR:Tag should have output='false'. QUERYPARAM_REQ:Use query parameters for variables in sql statements. CFQUERYPARAM_REQ:cfquery should use . -QUERYNEW_DATATYPE:QueryNew statement should specify datatypes. +QUERYNEW_DATATYPE:QueryNew statement should specify data types. MISSING_VAR:Variable is not declared with a var statement. AVOID_USING_CFDUMP_TAG:Avoid use of cfdump tags. AVOID_USING_CFEXECUTE_TAG:Avoid use of cfexecute tags. 
@@ -29,46 +29,46 @@ FUNCTION_TYPE_ANY:Function has a return type of any. EXCESSIVE_ARGUMENTS:Function has too many arguments. EXCESSIVE_FUNCTIONS:Too many functions. FUNCTION_TOO_COMPLEX:Function is too complex. -AVOID_USING_WRITEDUMP:Avoid use of writedump statements. -AVOID_USING_STRUCTNEW:Avoid use of structnew statements. Use {} instead. -AVOID_USING_ISDEBUGMODE:Avoid use of isdebugmode statements. -AVOID_USING_ARRAYNEW:Avoid use of arraynew statements. Use [] instead. +AVOID_USING_WRITEDUMP:Avoid use of writeDump statements. +AVOID_USING_STRUCTNEW:Avoid use of structNew statements. Use {} instead. +AVOID_USING_ISDEBUGMODE:Avoid use of isDebugMode statements. +AVOID_USING_ARRAYNEW:Avoid use of arrayNew statements. Use [] instead. COMPLEX_BOOLEAN_CHECK:Complex boolean expression. EXPLICIT_BOOLEAN_CHECK:Checking boolean expression explicitly. VAR_INVALID_NAME:Variable has invalid name. -VAR_ALLCAPS_NAME:Variable name is allcaps. -SCOPE_ALLCAPS_NAME:Variable scope name is allcaps. +VAR_ALLCAPS_NAME:Variable name is all caps. +SCOPE_ALLCAPS_NAME:Variable scope name is all caps. VAR_TOO_SHORT:Variable name is too short. VAR_TOO_LONG:Variable name is too long. VAR_TOO_WORDY:Variable name contain too many words. VAR_IS_TEMPORARY:Variable name looks temporary. VAR_HAS_PREFIX_OR_POSTFIX:Variable name has prefix or postfix. ARGUMENT_INVALID_NAME:Argument has invalid name. -ARGUMENT_ALLCAPS_NAME:Argument name is allcaps. +ARGUMENT_ALLCAPS_NAME:Argument name is all caps. ARGUMENT_TOO_SHORT:Argument name is too short. ARGUMENT_TOO_LONG:Argument name is too long. ARGUMENT_TOO_WORDY:Argument name contain too many words. ARGUMENT_IS_TEMPORARY:Argument name looks temporary. ARGUMENT_HAS_PREFIX_OR_POSTFIX:Argument name has prefix or postfix. METHOD_INVALID_NAME:Method has invalid name. -METHOD_ALLCAPS_NAME:Method name is allcaps. +METHOD_ALLCAPS_NAME:Method name is all caps. METHOD_TOO_SHORT:Method name is too short. METHOD_TOO_LONG:Method name is too long. 
METHOD_TOO_WORDY:Method name contain too many words. METHOD_IS_TEMPORARY:Method name looks temporary. METHOD_HAS_PREFIX_OR_POSTFIX:Method name has prefix or postfix. COMPONENT_INVALID_NAME:Component has invalid name. -COMPONENT_ALLCAPS_NAME:Component name is allcaps. +COMPONENT_ALLCAPS_NAME:Component name is all caps. COMPONENT_TOO_SHORT:Component name is too short. COMPONENT_TOO_LONG:Component name is too long. COMPONENT_TOO_WORDY:Component name contain too many words. COMPONENT_IS_TEMPORARY:Component name looks temporary. COMPONENT_HAS_PREFIX_OR_POSTFIX:Component name has prefix or postfix. FILE_SHOULD_START_WITH_LOWERCASE:CFM File starts with upper case. -AVOID_USING_CREATEOBJECT:Avoid use of creatobject statements. +AVOID_USING_CREATEOBJECT:Avoid use of creatObject statements. AVOID_USING_DEBUG_ATTR:Avoid use of debug attribute. UNUSED_LOCAL_VARIABLE:Unused local variable. UNUSED_METHOD_ARGUMENT:Unused method argument. AVOID_USING_CFSETTING_DEBUG:Avoid using showDebugOutput attribute on cfsetting. -COMPARE_INSTEAD_OF_ASSIGN:Using comparision where assignment was probably meant. +COMPARE_INSTEAD_OF_ASSIGN:Using comparison where assignment was probably meant. PACKAGE_CASE_MISMATCH:Warn with package case does not match its use.
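Review bot: in the generated RULES.md hunk, the `**Message**: Don't use <cfquery> in .cfm files.` line under NEVER_USE_QUERY_IN_CFM carries a raw `<cfquery>`, which a Markdown renderer treats as an HTML tag and drops, so the published text would read "Don't use in .cfm files"; have the generator emit the tag name in backticks or as `&lt;cfquery&gt;`. Two entries in the same hunk also come out incomplete: ARGUMENT_MISSING_NAME has no description line and NEVER_USE_QUERY_IN_CFM has no Severity line (the old listing showed it as `NEVER_USE_QUERY_IN_CFM **`), so the source entries for those two should be filled in before this file is committed. Finally, the rewritten Rule Groups lists replace `* GLOBAL_LITERAL_VALUE_USED_TOO_OFTEN *WARNING*` with a bare link, while the rule's own section says `**Severity**: INFO`; the per-group severity that the old list documented is no longer visible anywhere, so consider appending it after the link.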
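Review bot: in the CFLintCLI.java hunk, `out.close()` is never reached if `generateRuleMarkDown` throws, and the `FileWriter` is left open; since the lines are being touched anyway, switch to try-with-resources, e.g. `try (final PrintWriter out = new PrintWriter(new FileWriter("RULES.md"))) { CFLintDoc.generateRuleMarkDown(pluginInfo, out); }`. `new FileWriter("RULES.md")` also writes in the platform default charset, so the generated file can differ between machines; an explicit UTF-8 writer (`new OutputStreamWriter(new FileOutputStream("RULES.md"), StandardCharsets.UTF_8)`) makes the output reproducible.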
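Review bot: in the `generateRuleMarkDown` hunk of CFLintDoc.java, `descriptions.get(msg.getCode()).replace(">", ">").replace("<", "<")` as written replaces each string with itself and does nothing; if the intent is to stop Markdown from swallowing angle brackets, replace them with `&gt;`/`&lt;` (or wrap in backticks), and apply the same treatment to `messageText` from `cleanUpMessage`, which is currently printed unescaped. The description is also looked up twice; store `descriptions.get(msg.getCode())` once. `msg.getSeverity().toString().length() > 0` throws a NullPointerException if a message has no severity, so guard with a null check first. In the Rule Groups loop, `print.println(" * " + msg.getCode() + " *" + msg.getSeverity() + "*")` became a link with no severity, which drops the group-level severity from the documentation; consider `"* [" + code + "](#" + code.toLowerCase() + ") *" + msg.getSeverity() + "*"`. The anchor `"#" + msg.getCode().toLowerCase()` relies on GitHub-style heading slugs and only holds while codes consist of letters, digits and underscores, which is worth a comment at that line.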
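Review bot: in the first cflint.description.txt hunk, the context line `CFQUERYPARAM_REQ:cfquery should use .` is missing the name of the tag the rule recommends, so the generated description reads as an incomplete sentence; the entry should be completed while this file is being corrected.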
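Review bot: in the second cflint.description.txt hunk, `+AVOID_USING_CREATEOBJECT:Avoid use of creatObject statements.` still misspells the function; the generated message in the same patch spells it `createObject(path_to_component)`, so the description should read "Avoid use of createObject statements." The surrounding context lines carry the same kind of wording defects this hunk is fixing: `VAR_TOO_WORDY`, `ARGUMENT_TOO_WORDY`, `METHOD_TOO_WORDY` and `COMPONENT_TOO_WORDY` say "name contain too many words" (should be "contains"), and `PACKAGE_CASE_MISMATCH:Warn with package case does not match its use.` should read "Warn when the package case does not match its use."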