The table below lists the ServiceNow coding best practices that Quality Clouds checks.
For each best practice validation it also gives the severity, the area of impact and the affected element, and shows which scan types (Instance Scan, Live Check Scan, Update Set Scan) include the check.
The Update Set scan feature includes only a subset of these checks.
Description | Severity | Area of impact | Affected element | Included in Instance Scan | Included in Live Check Scan | Included in Update Set Scan |
---|---|---|---|---|---|---|
Business Rules defined on the Global table | High | Scalability | Business Rule | ![]() | ![]() | ![]() |
Unused Inactivity Monitors | High | Performance | Inactivity Monitors | ![]() | ![]() | ![]() |
Potential Recursive Business Rules | High | Performance | Business Rule | ![]() | ![]() | ![]() |
GlideRecord usage on Client Scripts | High | Performance | Client Script / Portal Widget | ![]() | ![]() | ![]() |
Too many fields in a Form Section | Medium | Performance | Form Section | ![]() | ![]() | ![]() |
Business Rules using GlideRecord and getRowCount | Medium | Scalability | Business Rule | ![]() | ![]() | ![]() |
High Security Settings plugin disabled | High | Security | Plugin | ![]() | ![]() | ![]() |
Client Scripts with the console.log debugging method | Medium | Performance | Client Script | ![]() | ![]() | ![]() |
Client Scripts without a function | Medium | Scalability | Client Script | ![]() | ![]() | ![]() |
Modules pointing to big tables without a filter | Medium | Performance | Module | ![]() | ![]() | ![]() |
Document Object Model (DOM) manipulation in Client UI Actions | High | Manageability | UI Action | ![]() | ![]() | ![]() |
The default system User Preference “Rows per Page” set above 100 | Medium | Performance | User Preference | ![]() | ![]() | ![]() |
JDBC Data Sources with the “Use last run datetime” option unchecked | Warning | Performance | Data Source | ![]() | ![]() | ![]() |
Transform Maps with the “Run business rules” option enabled | Low | Performance | Transform Map | ![]() | ![]() | ![]() |
Business Rules using the eval function | High | Security | Business Rule | ![]() | ![]() | ![]() |
The “Log/trace level of TaskSLAController” System Property not set to “notice” | Low | Performance | System Property | ![]() | ![]() | ![]() |
UI Policy Actions without field effects | Low | Performance | UI Policy Action | ![]() | ![]() | ![]() |
Client Scripts defined on the Global table | High | Scalability | Client Script | ![]() | ![]() | ![]() |
Business Rules using the SOAP getResponse method | High | Performance | Business Rule | ![]() | ![]() | ![]() |
Contextual Security Plugin disabled | High | Security | Plugin | ![]() | ![]() | ![]() |
Debugging properties enabled in production environments | Low | Performance | System Property | ![]() | ![]() | ![]() |
Client Scripts with an empty script field | Low | Performance | Client Script | ![]() | ![]() | ![]() |
Document Object Model (DOM) manipulation in UI Policies | High | Manageability | UI Policy | ![]() | ![]() | ![]() |
Script Includes using GlideRecord and getRowCount | Medium | Scalability | Script Include | ![]() | ![]() | ![]() |
Client UI Actions using GlideRecord | High | Performance | UI Action | ![]() | ![]() | ![]() |
Business Rules with hard-coded sys_ids | Medium | Manageability | Business Rule | ![]() | ![]() | ![]() |
Client Scripts with hard-coded sys_ids | Medium | Manageability | Client Script | ![]() | ![]() | ![]() |
Script Includes with hard-coded sys_ids | Medium | Manageability | Script Include | ![]() | ![]() | ![]() |
UI Actions with hard-coded sys_ids | Medium | Manageability | UI Action | ![]() | ![]() | ![]() |
Transform Maps with hard-coded sys_ids | Medium | Manageability | Table Transform Map | ![]() | ![]() | ![]() |
Transform Scripts with hard-coded sys_ids | Medium | Manageability | Transform Script | ![]() | ![]() | ![]() |
Forms with too many sections | Low | Performance | Forms | ![]() | ![]() | ![]() |
GlideRecord usage on Catalog Client Scripts | High | Performance | Catalog Client Script | ![]() | ![]() | ![]() |
Catalog Client Scripts with the console.log debugging method | Medium | Performance | Catalog Client Script | ![]() | ![]() | ![]() |
Catalog Client Scripts without a function | Medium | Scalability | Catalog Client Script | ![]() | ![]() | ![]() |
Document Object Model (DOM) manipulation in Catalog Client Scripts | High | Manageability | Catalog Client Script | ![]() | ![]() | ![]() |
Notification Email Scripts with hard-coded sys_ids | Medium | Manageability | Notification Email Scripts | ![]() | ![]() | ![]() |
Portal Widgets with hard-coded sys_ids | Medium | Manageability | Portal Widget – Client and Server Scripts | ![]() | ![]() | ![]() |
Angular Providers with hard-coded sys_ids | Medium | Manageability | Angular Providers | ![]() | ![]() | ![]() |
GlideRecord usage on UI Scripts | High | Performance | UI Script | ![]() | ![]() | ![]() |
Workflows with Notification Activities | Medium | Manageability | Workflow | ![]() | ![]() | ![]() |
UI Scripts with the console.log debugging method | Medium | Performance | UI Script | ![]() | ![]() | ![]() |
UI Scripts without a function | Medium | Scalability | UI Script | ![]() | ![]() | ![]() |
Document Object Model (DOM) manipulation in UI Scripts | High | Manageability | UI Script | ![]() | ![]() | ![]() |
onBefore Business Rules should not update records on other tables | High | Performance | Business Rule | ![]() | ![]() | ![]() |
onBefore Transform Scripts should only update the target table | High | Performance | Transform Script | ![]() | ![]() | ![]() |
UI Scripts with an empty script field | Low | Performance | UI Script | ![]() | ![]() | ![]() |
Document Object Model (DOM) manipulation in Catalog UI Policies | High | Manageability | Catalog UI Policy | ![]() | ![]() | ![]() |
Inbound Email Actions with hard-coded sys_ids | Medium | Manageability | Inbound Email Action | ![]() | ![]() | ![]() |
Inbound Email Actions using GlideRecord and getRowCount | Medium | Scalability | Inbound Email Action | ![]() | ![]() | ![]() |
Event Script Actions with hard-coded sys_ids | Medium | Manageability | Script Action | ![]() | ![]() | ![]() |
Event Script Actions using GlideRecord and getRowCount | Medium | Scalability | Script Action | ![]() | ![]() | ![]() |
SOAP Request Strict Security should be enabled | High | Security | System Property | ![]() | ![]() | ![]() |
Java Package Collection mode and Collection mode override properties should be disabled | High | Security | System Property | ![]() | ![]() | ![]() |
Client Generated Scripts Sandbox should be enabled | High | Security | System Property | ![]() | ![]() | ![]() |
Cookies – HTTP Only should be enabled | High | Security | System Property | ![]() | ![]() | ![]() |
Escape HTML should be enabled | High | Security | System Property | ![]() | ![]() | ![]() |
CSV Request Authorization should be enabled | High | Security | System Property | ![]() | ![]() | ![]() |
SSLv2/SSLv3 should be disabled | High | Security | System Property | ![]() | ![]() | ![]() |
AJAXGlideRecord ACL Checking should be enabled | High | Security | System Property | ![]() | ![]() | ![]() |
SLA logging level should be set to “notice” | High | Performance | System Property | ![]() | ![]() | ![]() |
Basic Auth SOAP Requests setting should be enabled | High | Security | System Property | ![]() | ![]() | ![]() |
Old UI enabled or being used | High | Security | System Property | ![]() | ![]() | ![]() |
Script Request Authorization should be enabled | High | Security | System Property | ![]() | ![]() | ![]() |
Escape Jelly should be enabled | High | Security | System Property | ![]() | ![]() | ![]() |
Enable AJAXEvaluate should be disabled | High | Security | System Property | ![]() | ![]() | ![]() |
Anti-CSRF Token setting should be enabled | High | Security | System Property | ![]() | ![]() | ![]() |
Escape XML should be enabled | High | Security | System Property | ![]() | ![]() | ![]() |
HTML Sanitizer property should be enabled | High | Security | System Property | ![]() | ![]() | ![]() |
Client Scripts should not use unsupported scripting APIs | High | Manageability | Client Scripts | ![]() | ![]() | ![]() |
Catalog Client Scripts should not use unsupported scripting APIs | High | Manageability | Catalog Client Scripts | ![]() | ![]() | ![]() |
Creating custom tables in the global scope should be avoided | Warning | Manageability | Tables | ![]() | ![]() | ![]() |
GlideRecord API usage in Scripted REST API Resource | High | Security | Scripted REST API Resource | ![]() | ![]() | ![]() |
REST API Resource modifying data without Authentication check | High | Security | Scripted REST API Resource | ![]() | ![]() | ![]() |
REST API Resource modifying data without Authorization check | High | Security | Scripted REST API Resource | ![]() | ![]() | ![]() |
Modified Out of the Box Element | Warning | Manageability | All elements | ![]() | ![]() | ![]() |
handlebars – Prototype Pollution vulnerability on versions greater than or equal to 4.0.0 and less than 4.0.14 | High | Security | UI Script | ![]() | ![]() | ![]() |
handlebars – Prototype Pollution vulnerability on versions greater than or equal to 3.0.0 and less than 3.0.7 | High | Security | UI Script | ![]() | ![]() | ![]() |
handlebars – Prototype Pollution vulnerability on versions between 4.0.14 and 4.1.2 | High | Security | UI Script | ![]() | ![]() | ![]() |
handlebars – Prototype Pollution vulnerability on versions under 4.0.14 | High | Security | UI Script | ![]() | ![]() | ![]() |
handlebars – XSS vulnerability on versions under 4.0.0 | Medium | Security | UI Script | ![]() | ![]() | ![]() |
Scripts directly calling Java packages – User Criteria | High | Manageability | User Criteria | ![]() | ![]() | ![]() |
Scripts should not use gs.sql – User Criteria | High | Manageability | User Criteria | ![]() | ![]() | ![]() |
Possible PII usage in configuration element (User Criteria) – Religion | Warning | Security | User Criteria | ![]() | ![]() | ![]() |
Possible PII usage in configuration element (User Criteria) – Passport | Warning | Security | User Criteria | ![]() | ![]() | ![]() |
Possible PII usage in configuration element (User Criteria) – Nationality | Warning | Security | User Criteria | ![]() | ![]() | ![]() |
Possible PII usage in configuration element (User Criteria) – Gender | Warning | Security | User Criteria | ![]() | ![]() | ![]() |
Possible PII usage in configuration element (User Criteria) – Address | Warning | Security | User Criteria | ![]() | ![]() | ![]() |
Possible PII usage in configuration element (User Criteria) – Email | Warning | Security | User Criteria | ![]() | ![]() | ![]() |
JavaScript – Avoid making connections on unsafe protocols – User Criteria | Warning | Security | User Criteria | ![]() | ![]() | ![]() |
JavaScript – Avoid use of WebDB – User Criteria | High | Security | User Criteria | ![]() | ![]() | ![]() |
JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging – User Criteria | High | Security | User Criteria | ![]() | ![]() | ![]() |
Possible use of private data – User Criteria | Warning | Security | User Criteria | ![]() | ![]() | ![]() |
JavaScript – Avoid use of debugger statements – User Criteria | Low | Security | User Criteria | ![]() | ![]() | ![]() |
JavaScript – Use === comparison – User Criteria | Warning | Manageability | User Criteria | ![]() | ![]() | ![]() |
Usage of gs.cacheFlush() on Scripts – User Criteria | High | Performance | User Criteria | ![]() | ![]() | ![]() |
The glide.xmlutil.max_entity_expansion system property value is not set to 3000 | Medium | Performance | System Property | ![]() | ![]() | ![]() |
Roles assigned to an invalid user | Low | Security | Role | ![]() | ![]() | ![]() |
Empty roles assigned to groups | Low | Security | User Group | ![]() | ![]() | ![]() |
Empty role assigned to a user | Low | Security | User | ![]() | ![]() | ![]() |
Usage of getMessage() without preloading the message key | High | Performance | Client Script | ![]() | ![]() | ![]() |
User Criteria with hard-coded sys_ids | Medium | Manageability | User Criteria | ![]() | ![]() | ![]() |
User Criteria using GlideRecord and getRowCount | Medium | Scalability | User Criteria | ![]() | ![]() | ![]() |
The out of the box admin account should not be inactive or locked out | High | Manageability | User | ![]() | ![]() | ![]() |
Flows should not use stages that are not defined in a Stage Set | Medium | Manageability | Flow | ![]() | ![]() | ![]() |
The “glide.uxf.js_server.consolidate” System Property is set to “false” | Medium | Performance | System Property | ![]() | ![]() | ![]() |
The “glide.email.smtp.active” System Property is set to “false” | High | Manageability | System Property | ![]() | ![]() | ![]() |
The “glide.email.read.active” System Property is set to “false” | High | Manageability | System Property | ![]() | ![]() | ![]() |
The “glide.image_provider.security_enabled” System Property is set to “false” | High | Security | System Property | ![]() | ![]() | ![]() |
Integration accounts should not use the admin role | High | Security | User | ![]() | ![]() | ![]() |
Child group does not contain all parent roles | High | Security | User Group | ![]() | ![]() | ![]() |
Stage Sets with duplicate entries | Medium | Manageability | Stage Set | ![]() | ![]() | ![]() |
Workflows should not use stages that are not defined in a Stage Set | Medium | Manageability | Workflow | ![]() | ![]() | ![]() |
Dot walking to sys_id – Actions | Medium | Performance | Action Type | ![]() | ![]() | ![]() |
Actions with hard-coded sys_ids | Medium | Manageability | Action Type | ![]() | ![]() | ![]() |
Flows should not run using the admin role | Medium | Security | Flow | ![]() | ![]() | ![]() |
Groups should not have inactive members | High | Security | User Group | ![]() | ![]() | ![]() |
Naming convention | Medium | Manageability | Action Type, Benchmark Scheduled Script, Business Rule, Category, Variable, Variable Set, Catalog Client Scripts, Client Script, Catalog UI Policy, Catalog UI Policy Action, Script Action, Field Map, Flow, Form Sections, Form Layout, HTTP Method, Inbound Email Actions, Inactivity Monitor, Module, Email Script, Widget Angular Provider, Widget, Record Producer, Report, Scripted REST Resource, Role, Scheduled Data Collection, Scheduled Data Import Set, Scheduled Email of Custom Chart, Scheduled Email of Query Builder, Scheduled Email of Report, Scheduled Entity Generation, Scheduled Report Summary Generation, Scheduled Script Execution, Service Portal Page, Script Include, SOAP Message Function, Change Record Producer, System Property, Table Transform Map, Transform Script, UI Action, UI Policy, UI Policy Action, UI Page, UI Script, Update Sets, User Group, User Preferences, Workflow Activity, Workflow | ![]() | ![]() | ![]() |
HR system properties outside the “Human Resource Scoped” category | High | Manageability | System Property | ![]() | ![]() | ![]() |
Actions should not be client callable | High | Security | Action Type | ![]() | ![]() | ![]() |
Flows should not be client callable | High | Security | Flow | ![]() | ![]() | ![]() |
Dictionary entries present for a table that does not exist | High | Manageability | Dictionary | ![]() | ![]() | ![]() |
Groups should not have an inactive manager | High | Security | User Group | ![]() | ![]() | ![]() |
Update Sets should not include Knowledge Base articles without review | High | Security | Update Sets | ![]() | ![]() | ![]() |
Update Sets should not include images without review | High | Security | Update Sets | ![]() | ![]() | ![]() |
Avoid creating cross-table Business Rule recursive loops | High | Performance | Business Rule | ![]() | ![]() | ![]() |
Transform Maps with boolean fields in their import set table | High | Manageability | Field Map | ![]() | ![]() | ![]() |
The assessment_take2 UI page should be public | High | Manageability | UI Page | ![]() | ![]() | ![]() |
Use of GlideRecord and getRowCount | Medium | Scalability | Access Control, Field Map, Email Script, Widget, Record Producer, Scripted REST Resource, Scheduled Report Summary Generation, Scheduled Script Execution, Table Transform Map, Transform Script, Workflow Activity | ![]() | ![]() | ![]() |
Too many delete actions on an Update Set | Medium | Manageability | Update Sets | ![]() | ![]() | ![]() |
Portal pages should not be made public | High | Security | Service Portal Page | ![]() | ![]() | ![]() |
The Change Request table should not be extended | High | Manageability | Table | ![]() | ![]() | ![]() |
Portal widgets should not be made public | High | Security | Widget | ![]() | ![]() | ![]() |
Forms with duplicate fields | Medium | Manageability | Form Sections | ![]() | ![]() | ![]() |
angularjs – XSS vulnerability on versions under 1.8.0, via nested option in select elements | High | Security | UI Script | ![]() | ![]() | ![]() |
angularjs – XSS vulnerability on versions under 1.8.0, via JQLite DOM manipulation functions | High | Security | UI Script | ![]() | ![]() | ![]() |
tinyMCE – XSS vulnerability on versions between 5.0.0 and 5.1.4, on the core parser, paste and visualcharts plugins | High | Security | UI Script | ![]() | ![]() | ![]() |
tinyMCE – XSS vulnerability on versions under 5.4.0, in iframe elements | High | Security | UI Script | ![]() | ![]() | ![]() |
tinyMCE – XSS vulnerability on versions under 5.2.2, in media elements | High | Security | UI Script | ![]() | ![]() | ![]() |
tinyMCE – XSS vulnerability on versions under 5.1.6, in CDATA elements | High | Security | UI Script | ![]() | ![]() | ![]() |
tinyMCE – XSS vulnerability on versions under 4.7.12, in links with XLINK:HREF attributes | High | Security | UI Script | ![]() | ![]() | ![]() |
tinyMCE – XSS vulnerability on versions under 4.2.0, in some default config implementations | High | Security | UI Script | ![]() | ![]() | ![]() |
tinyMCE – XSS vulnerability on versions under 4.2.4, in media plugin | High | Security | UI Script | ![]() | ![]() | ![]() |
tinyMCE – Static Code injection vulnerability on versions under 1.4.2, in inc/function.base.php | High | Security | UI Script | ![]() | ![]() | ![]() |
swfobject – XSS vulnerability on versions under 2.1, on swfobject.getQueryParamValue | High | Security | UI Script | ![]() | ![]() | ![]() |
Bootstrap – XSS vulnerability on versions between 4.0.0 and 4.3.1, on data-template, data-content and data-title attributes | High | Security | UI Script | ![]() | ![]() | ![]() |
Bootstrap – XSS vulnerability on versions under 3.4.1, on data-template, data-content and data-title attributes | High | Security | UI Script | ![]() | ![]() | ![]() |
Bootstrap – XSS vulnerability on versions between 4.0.0 and 4.1.2, on data-target attribute | High | Security | UI Script | ![]() | ![]() | ![]() |
Bootstrap – XSS vulnerability on versions under 3.4.0, on data-target attribute | High | Security | UI Script | ![]() | ![]() | ![]() |
Bootstrap – XSS vulnerability on versions under 2.1.0, on popover / tooltip | High | Security | UI Script | ![]() | ![]() | ![]() |
Usage of window objects instead of AngularJS services – Portal Widget clientScript | High | Manageability | Widget | ![]() | ![]() | ![]() |
Usage of window objects instead of AngularJS services | High | Manageability | Widget Angular Provider, UI Script | ![]() | ![]() | ![]() |
Auditing for Update Sets should be enabled | High | Manageability | System Property | ![]() | ![]() | ![]() |
Usage of gs.cacheFlush() on Scripts | High | Performance | Access Control, Business Rule, Widget, Record Producer, Scripted REST Resource, Scheduled Script Execution, Script Include, Table Transform Map, Transform Script, UI Action | ![]() | ![]() | ![]() |
Scheduled Jobs run by deleted users | High | Manageability | Benchmark Scheduled Script, Scheduled Data Collection, Scheduled Data Import Set, Scheduled Email of Custom Chart, Scheduled Email of Query Builder, Scheduled Email of Report, Scheduled Entity Generation, Scheduled Report Summary Generation, Scheduled Script Execution | ![]() | ![]() | ![]() |
Usage of gs.sleep() on Workflow Activities | High | Performance | Workflow Activity | ![]() | ![]() | ![]() |
Script Includes with duplicate names | High | Manageability | Script Include | ![]() | ![]() | ![]() |
Scheduled imports should not run at the same time | High | Performance | Scheduled Data Import Set | ![]() | ![]() | ![]() |
Reports should not be made public | High | Security | Report | ![]() | ![]() | ![]() |
Usage of current.update in Script Workflow Activities | High | Performance | Workflow Activity | ![]() | ![]() | ![]() |
Scheduled Jobs without a dedicated integration user | High | Security | Benchmark Scheduled Script, Scheduled Data Collection, Scheduled Data Import Set, Scheduled Email of Custom Chart, Scheduled Email of Query Builder, Scheduled Email of Report, Scheduled Entity Generation, Scheduled Report Summary Generation, Scheduled Script Execution | ![]() | ![]() | ![]() |
Roles without any user | Warning | Security | Role | ![]() | ![]() | ![]() |
Usage of getMessage function without a second parameter – Catalog UI Policy scriptFalse | Low | Performance | Catalog UI Policy | ![]() | ![]() | ![]() |
Usage of getMessage function without a second parameter – Catalog UI Policy scriptTrue | Low | Performance | Catalog UI Policy | ![]() | ![]() | ![]() |
Usage of getMessage function without a second parameter – UI Policy scriptFalse | Low | Performance | UI Policy | ![]() | ![]() | ![]() |
Usage of getMessage function without a second parameter – UI Policy scriptTrue | Low | Performance | UI Policy | ![]() | ![]() | ![]() |
Usage of getMessage function without a second parameter – Portal Widget clientScript | Low | Performance | Widget | ![]() | ![]() | ![]() |
Usage of getMessage function without a second parameter | Low | Performance | Catalog Client Scripts, Client Script, Widget Angular Provider, UI Action, UI Script | ![]() | ![]() | ![]() |
Avoid creating unnecessary tables in scoped applications, which can impact your licensing cost | Low | Manageability | Table | ![]() | ![]() | ![]() |
Scripts directly calling Java packages | High | Manageability | Access Control, Business Rule, Widget, Record Producer, Scripted REST Resource, Script Include, Table Transform Map, Transform Script, UI Action | ![]() | ![]() | ![]() |
The “glide.login.autocomplete” System Property is set to “true” | Medium | Security | System Property | ![]() | ![]() | ![]() |
Usage of g_form.setValue on a reference field without displayValue – Catalog UI Policy scriptFalse | High | Performance | Catalog UI Policy | ![]() | ![]() | ![]() |
Usage of g_form.setValue on a reference field without displayValue – Catalog UI Policy scriptTrue | High | Performance | Catalog UI Policy | ![]() | ![]() | ![]() |
Usage of g_form.setValue on a reference field without displayValue – UI Policy scriptFalse | High | Performance | UI Policy | ![]() | ![]() | ![]() |
Usage of g_form.setValue on a reference field without displayValue – UI Policy scriptTrue | High | Performance | UI Policy | ![]() | ![]() | ![]() |
Usage of g_form.setValue on a reference field without displayValue – Portal Widget clientScript | High | Performance | Widget | ![]() | ![]() | ![]() |
Usage of g_form.setValue on a reference field without displayValue | High | Performance | Catalog Client Scripts, Client Script, Widget Angular Provider, UI Action, UI Script | ![]() | ![]() | ![]() |
Dot walking to sys_id – Catalog UI Policy scriptFalse | Medium | Performance | Catalog UI Policy | ![]() | ![]() | ![]() |
Dot walking to sys_id – Catalog UI Policy scriptTrue | Medium | Performance | Catalog UI Policy | ![]() | ![]() | ![]() |
Dot walking to sys_id – UI Policy scriptFalse | Medium | Performance | UI Policy | ![]() | ![]() | ![]() |
Dot walking to sys_id – UI Policy scriptTrue | Medium | Performance | UI Policy | ![]() | ![]() | ![]() |
Dot walking to sys_id – Portal Widget clientScript | Medium | Performance | Widget | ![]() | ![]() | ![]() |
Dot walking to sys_id | Medium | Performance | Access Control, Business Rule, Catalog Client Scripts, Client Script, Script Action, Inbound Email Actions, Email Script, Widget Angular Provider, Widget, Record Producer, Scripted REST Resource, Script Include, UI Action, UI Script | ![]() | ![]() | ![]() |
The “glide.db.clone.allow_clone_target” System Property is set to “true” | High | Manageability | System Property | ![]() | ![]() | ![]() |
The “sn_hr_core.impersonateCheck” System Property is set to “false” | High | Security | System Property | ![]() | ![]() | ![]() |
The “glide.businessrule.callstack” System Property is set to “true” | Medium | Performance | System Property | ![]() | ![]() | ![]() |
The demo_data_running_trigger business rule should be disabled | High | Manageability | Business Rule | ![]() | ![]() | ![]() |
Unlogged API call error condition | Medium | Manageability | Business Rule, Script Include | ![]() | ![]() | ![]() |
Fields used to coalesce records in a Table Transform Map should be indexed | Medium | Performance | Field Map | ![]() | ![]() | ![]() |
Update Sets should contain a description | Warning | Scalability | Update Sets | ![]() | ![]() | ![]() |
Avoid updating the source table on transform scripts | High | Manageability | Transform Script | ![]() | ![]() | ![]() |
Avoid updating the source table on transform maps | High | Manageability | Table Transform Map | ![]() | ![]() | ![]() |
moment.js – Regular Expression Denial of Service vulnerability | High | Security | UI Script | ![]() | ![]() | ![]() |
jQuery-ui-dialog – XSS vulnerability under 1.10.0, closeText parameter | High | Security | UI Script | ![]() | ![]() | ![]() |
jQuery-ui-dialog – XSS vulnerability under 1.10.0, title attribute | High | Security | UI Script | ![]() | ![]() | ![]() |
jQuery-ui-tooltip – XSS vulnerability under 1.10.0, title attribute | High | Security | UI Script | ![]() | ![]() | ![]() |
jQuery – XSS vulnerability under 3.0.0, when making cross-domain calls without the dataType option | High | Security | UI Script | ![]() | ![]() | ![]() |
jQuery – XSS vulnerability under 1.9.0, when using jQuery(strInput) | High | Security | UI Script | ![]() | ![]() | ![]() |
jQuery – XSS vulnerability under 1.6.3, when using location.hash | High | Security | UI Script | ![]() | ![]() | ![]() |
jQuery – Prototype Pollution vulnerability under 3.4.0 | High | Security | UI Script | ![]() | ![]() | ![]() |
angularjs – XSS vulnerability under 1.8.0 – input HTML | High | Security | UI Script | ![]() | ![]() | ![]() |
angularjs – XSS vulnerability using angularjs under 1.6.5 in Firefox and Safari – sanitize on inert Documents | High | Security | UI Script | ![]() | ![]() | ![]() |
angularjs – Denial of Service attack through DOM clobbering on versions under 1.6.3 | High | Security | UI Script | ![]() | ![]() | ![]() |
angularjs – XSS vulnerability through the attribute “usemap” from 1.0.0 to 1.2.30 | High | Security | UI Script | ![]() | ![]() | ![]() |
angularjs – XSS vulnerability through the attribute “usemap” from 1.3.0 to 1.5.0-rc2 | High | Security | UI Script | ![]() | ![]() | ![]() |
angularjs – XSS vulnerability using angularjs under 1.6.9 with Firefox | High | Security | UI Script | ![]() | ![]() | ![]() |
angularjs – Prototype Pollution vulnerability under 1.7.9 | High | Security | UI Script | ![]() | ![]() | ![]() |
XSS vulnerability in Ext JS Action Column getTip | High | Security | UI Script | ![]() | ![]() | ![]() |
jQuery – XSS vulnerability in htmlPrefilter under 3.5.0 | High | Security | UI Script | ![]() | ![]() | ![]() |
Scripted REST API Resource with hard-coded sys_ids | Medium | Manageability | Scripted REST Resource | ![]() | ![]() | ![]() |
Multiple Choice Catalog Variables with too many options | Warning | Manageability | Variable | ![]() | ![]() | ![]() |
Catalog Items without a description | Warning | Manageability | Catalog Item, Record Producer | ![]() | ![]() | ![]() |
Catalog Items with short description equal to name | Warning | Manageability | Catalog Item, Record Producer | ![]() | ![]() | ![]() |
Catalog with low usage of META tags | Low | Manageability | Catalog | ![]() | ![]() | ![]() |
Catalog with very low usage of META tags | Medium | Manageability | Catalog | ![]() | ![]() | ![]() |
Catalog with no usage of META tags | High | Manageability | Catalog | ![]() | ![]() | ![]() |
GlideRecord usage on Portal Widget Client Scripts | High | Performance | Widget | ![]() | ![]() | ![]() |
JavaScript – Avoid making connections on unsafe protocols – Catalog UI Policy scriptFalse | Warning | Security | Catalog UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid making connections on unsafe protocols – Catalog UI Policy scriptTrue | Warning | Security | Catalog UI Policy | ![]() | ![]() | ![]() |
Possible use of private data – Catalog UI Policy scriptFalse | Warning | Security | Catalog UI Policy | ![]() | ![]() | ![]() |
Possible use of private data – Catalog UI Policy scriptTrue | Warning | Security | Catalog UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid use of debugger statements – Catalog UI Policy scriptFalse | High | Security | Catalog UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid use of debugger statements – Catalog UI Policy scriptTrue | High | Security | Catalog UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid use of WebDB – Catalog UI Policy scriptFalse | High | Security | Catalog UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid use of WebDB – Catalog UI Policy scriptTrue | High | Security | Catalog UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid use of Function Constructors – Catalog UI Policy scriptFalse | High | Security | Catalog UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid use of Function Constructors – Catalog UI Policy scriptTrue | High | Security | Catalog UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging – Catalog UI Policy scriptFalse | High | Security | Catalog UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging – Catalog UI Policy scriptTrue | High | Security | Catalog UI Policy | ![]() | ![]() | ![]() |
JavaScript – Use === comparison – Catalog UI Policy scriptFalse | Warning | Manageability | Catalog UI Policy | ![]() | ![]() | ![]() |
JavaScript – Use === comparison – Catalog UI Policy scriptTrue | Warning | Manageability | Catalog UI Policy | ![]() | ![]() | ![]() |
JavaScript – Optimize Loops – Catalog UI Policy scriptFalse | Warning | Performance | Catalog UI Policy | ![]() | ![]() | ![]() |
JavaScript – Optimize Loops – Catalog UI Policy scriptTrue | Warning | Performance | Catalog UI Policy | ![]() | ![]() | ![]() |
Catalog UI Policies with hard-coded sys_ids – scriptFalse | Medium | Performance | Catalog UI Policy | ![]() | ![]() | ![]() |
Catalog UI Policies with hard-coded sys_ids – scriptTrue | Medium | Performance | Catalog UI Policy | ![]() | ![]() | ![]() |
Catalog UI Policies using GlideRecord – scriptFalse | High | Performance | Catalog UI Policy | ![]() | ![]() | ![]() |
Catalog UI Policies using GlideRecord – scriptTrue | High | Performance | Catalog UI Policy | ![]() | ![]() | ![]() |
Document Object Model (DOM) manipulation in Catalog UI Policies – scriptFalse | High | Manageability | Catalog UI Policy | ![]() | ![]() | ![]() |
Document Object Model (DOM) manipulation in Catalog UI Policies – scriptTrue | High | Manageability | Catalog UI Policy | ![]() | ![]() | ![]() |
Synchronous AJAX call in Catalog UI Policies – scriptFalse | High | Performance | Catalog UI Policy | ![]() | ![]() | ![]() |
Synchronous AJAX call in Catalog UI Policies – scriptTrue | High | Performance | Catalog UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid making connections on unsafe protocols – UI Policy scriptFalse | Warning | Security | UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid making connections on unsafe protocols – UI Policy scriptTrue | Warning | Security | UI Policy | ![]() | ![]() | ![]() |
Possible use of private data – UI Policy scriptFalse | Warning | Security | UI Policy | ![]() | ![]() | ![]() |
Possible use of private data – UI Policy scriptTrue | Warning | Security | UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid use of debugger statements – UI Policy scriptFalse | High | Security | UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid use of debugger statements – UI Policy scriptTrue | High | Security | UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid use of WebDB – UI Policy scriptFalse | High | Security | UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid use of WebDB – UI Policy scriptTrue | High | Security | UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid use of Function Constructors – UI Policy scriptFalse | High | Security | UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid use of Function Constructors – UI Policy scriptTrue | High | Security | UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging – UI Policy scriptFalse | High | Security | UI Policy | ![]() | ![]() | ![]() |
JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging – UI Policy scriptTrue | High | Security | UI Policy | ![]() | ![]() | ![]() |
JavaScript – Use === comparison – UI Policy scriptFalse | Warning | Manageability | UI Policy | ![]() | ![]() | ![]() |
JavaScript – Use === comparison – UI Policy scriptTrue | Warning | Manageability | UI Policy | ![]() | ![]() | ![]() |
JavaScript – Optimize Loops – UI Policy scriptFalse | Warning | Performance | UI Policy | ![]() | ![]() | ![]() |
JavaScript – Optimize Loops – UI Policy scriptTrue | Warning | Performance | UI Policy | ![]() | ![]() | ![]() |
UI Policies with hard-coded sys_ids – scriptFalse | Medium | Manageability | UI Policy | ![]() | ![]() | ![]() |
UI Policies with hard-coded sys_ids – scriptTrue | Medium | Manageability | UI Policy | ![]() | ![]() | ![]() |
![]() |
![]() |
Synchronous AJAX call in UI Policies – scriptFalse. | High | Performance | UI Policy | ![]() |
![]() |
![]() |
Synchronous AJAX call in UI Policies – scriptTrue. | High | Performance | UI Policy | ![]() |
![]() |
![]() |
UI Policies using GlideRecord – scriptFalse. | High | Performance | UI Policy | ![]() |
![]() |
![]() |
UI Policies using GlideRecord – scriptTrue. | High | Performance | UI Policy | ![]() |
![]() |
![]() |
Possible extra-sensitive PII usage in table column – Religion | High | Security | Dictionary | ![]() |
![]() |
![]() |
Possible extra-sensitive PII usage in table column – Gender | High | Security | Dictionary | ![]() |
![]() |
![]() |
Possible PII usage in table column – Nationality | Warning | Security | Dictionary | ![]() |
![]() |
![]() |
Possible PII usage in table column – Address | Warning | Security | Dictionary | ![]() |
![]() |
![]() |
Possible PII usage in table column – Passport | Warning | Security | Dictionary | ![]() |
![]() |
![]() |
“Check UI Action Conditions check before Execution” should be enabled | High | Security | System Property | ![]() |
![]() |
![]() |
Possible PII usage in table column – Email | Warning | Security | Dictionary | ![]() |
![]() |
![]() |
UI Scripts including Open Source libraries | Warning | Manageability | UI Script | ![]() |
![]() |
![]() |
“Allow Javascript tags in Embedded HTML” property should be disabled | High | Security | System Property | ![]() |
![]() |
![]() |
Avoid Global UI Scripts. | low | Performance | – | ![]() |
![]() |
![]() |
onBefore Transform Scripts should only update the target table. | High | Performance | – | ![]() |
![]() |
![]() |
onBefore Business Rules should not update records on other tables. | High | Performance | – | ![]() |
![]() |
![]() |
Possible extra-sensitive PII usage in configuration element – Religion | High | Security | – | ![]() |
![]() |
![]() |
Possible PII usage in configuration element – Passport | Warning | Security | – | ![]() |
![]() |
![]() |
Possible PII usage in configuration element – Nationality | Warning | Security | – | ![]() |
![]() |
![]() |
Possible extra-sensitive PII usage in configuration element – Gender | High | Security | – | ![]() |
![]() |
![]() |
Possible PII usage in configuration element – Address | Warning | Security | – | ![]() |
![]() |
![]() |
Possible PII usage in configuration element – Email | Warning | Security | – | ![]() |
![]() |
![]() |
Avoid workflows with too many timer activities | High | Performance | – | ![]() |
![]() |
![]() |
Document Object Model (DOM) manipulation in UI Scripts. | High | Manageability | – | ![]() |
![]() |
![]() |
Avoid use of local storage on Catalog Client Scriptss | High | Security | – | ![]() |
![]() |
![]() |
Synchronous AJAX call in UI Scripts. | High | Performance | – | ![]() |
![]() |
![]() |
UI Actions with debugging statements. | low | Scalability | – | ![]() |
![]() |
![]() |
UI Script with hard-coded sys_ids. | medium | Manageability | – | ![]() |
![]() |
![]() |
Avoid use of local storage on Client Scripts | High | Security | – | ![]() |
![]() |
![]() |
JavaScript – Avoid making connections on unsafe protocols | Warning | Security | Scripted REST Resource Script Include Table Transform Map Transform Script UI Action UI Script |
![]() |
![]() |
![]() |
UI Policy Action without field effects. | low | Performance | UI Policy Action | ![]() |
![]() |
![]() |
Synchronous AJAX call in UI Actions. | High | Performance | UI Action | ![]() |
![]() |
![]() |
Avoid workflows with too many activities | High | Manageability | Workflow | ![]() |
![]() |
![]() |
JavaScript – Avoid use of WebDB | High | Security | Access Control Business Rule Catalog Client Scripts Client Script Script Action Inbound Email Actions Email Script Widget Angular Provider Widget Record Producer Script Include UI Action UI Script |
![]() |
![]() |
![]() |
JavaScript – Avoid unrestricted targetOrigin on cross-domain messaging | High | Security | Access Control Business Rule Catalog Client Scripts Client Script Script Action Inbound Email Actions Email Script Widget Angular Provider Widget Record Producer Scripted REST Resource Script Include UI Action UI Script |
![]() |
![]() |
![]() |
Possible use of private data | Warning | Security | Access Control Business Rule Catalog Client Scripts Client Script Dictionary Script Action Inbound Email Actions Email Script Widget Angular Provider Widget Record Producer Scripted REST Resource Script Include Table Transform Map Transform Script UI Action UI Script |
![]() |
![]() |
![]() |
JavaScript – Avoid use of Function Constructors | High | Security | Access Control Business Rule Catalog Client Scripts Client Script Script Action Inbound Email Actions Email Script Widget Angular Provider Widget Record Producer Scripted REST Resource Script Include UI Action UI Script |
![]() |
![]() |
![]() |
JavaScript – Avoid use of debugger statements | High | Security | Access Control Business Rule Catalog Client Scripts Client Script Script Action Inbound Email Actions Email Script Widget Angular Provider Widget Record Producer Scripted REST Resource Script Include UI Action UI Script |
![]() |
![]() |
![]() |
ACLs using GlideRecord queries | Medium | Performance | Access Control | ![]() |
![]() |
![]() |
The System Property “Update on Iterate” is enabled. | Medium | Performance | System Property | ![]() |
![]() |
![]() |
The System Property “Auto Complete Search” is set to “Contains”. | low | Manageability | System Property | ![]() |
![]() |
![]() |
The “Security Manager” System Property is set to “Allow Access”. | High | Security | System Property | ![]() |
![]() |
![]() |
JavaScript – Avoid use of alert function | low | Scalability | Catalog Client Scripts Client Script Widget Angular Provider Widget UI Script |
![]() |
![]() |
![]() |
Synchronous AJAX call in Catalog Client Scripts. | High | Performance | Catalog Client Scripts | ![]() |
![]() |
![]() |
JavaScript – Avoid use of Eval function | High | Security | Catalog Client Scripts Client Script Widget Angular Provider Widget Record Producer Scripted REST Resource UI Script |
![]() |
![]() |
![]() |
The System Property “Items per page” includes options over 100. | medium | Performance | System Property | ![]() |
![]() |
![]() |
JavaScript – Use === comparison | Warning | Manageability | Access Control Business Rule Catalog Client Scripts Client Script Script Action Inbound Email Actions Email Script Widget Angular Provider Widget Record Producer Scripted REST Resource Script Include UI Action UI Script |
![]() |
![]() |
![]() |
JavaScript – Optimize Loops | Warning | Performance | Access Control Business Rule Catalog Client Scripts Client Script Script Action Inbound Email Actions Email Script Widget Angular Provider Widget Record Producer Scripted REST Resource Script Include UI Action UI Script |
![]() |
![]() |
![]() |
The System Property “Go To Search” is set to “Contains”. | low | Performance | System Property | ![]() |
![]() |
![]() |
The SOAP Timeout value is over 5 minutes. | High | Performance | System Property | ![]() |
![]() |
![]() |
Debug System Properties Enabled. | low | Performance | System Property | ![]() |
![]() |
![]() |
Server UI Actions using GlideRecord and getRowCount. | Medium | Scalability | UI Action | ![]() |
![]() |
![]() |
Script Includes with debugging statements. | low | Scalability | Script Include | ![]() |
![]() |
![]() |
Synchronous AJAX call in Client Scripts. | High | Performance | Client Script | ![]() |
![]() |
![]() |
Business Rules with debugging statements. | low | Scalability | Business Rule | ![]() |
![]() |
![]() |
Business Rules without function. | High | Scalability | Business Rule | ![]() |
![]() |
![]() |
The System Property “Auto Complete Wait Time” exceeds 750 ms. | Medium | Performance | System Property | ![]() |
![]() |
![]() |