Rules

Code Duplication Rules List
Possible Extra-Sensitive PII Usage In Configuration Element – Gender
Possible Extra-Sensitive PII Usage In Configuration Element – Religion
Possible Use Of Private Data – UI Policy scriptTrue
Possible Use Of Private Data – UI Policy scriptFalse
Possible Use Of Private Data – Catalog UI Policy scriptTrue
Possible Use Of Private Data – Catalog UI Policy scriptFalse
Possible PII Usage In Configuration Element – Address
Possible PII Usage In Configuration Element – Email
Possible PII Usage In Configuration Element – Nationality
Possible PII Usage In Configuration Element – Passport
Possible PII Usage In Table Column – Address
Possible PII Usage In Table Column – Email
Possible PII Usage In Table Column – Nationality
Possible PII Usage In Table Column – Passport
Possible Extra-Sensitive PII Usage In Table Column – Gender
Possible Extra-Sensitive PII Usage In Table Column – Religion
Data Sensitivity Level Of Field Email Is Not Set
Data Sensitivity Level Of Field Passport Is Not Set
Data Sensitivity Level Of Field Address Is Not Set
Data Sensitivity Level Of Field Nationality Is Not Set
Data Sensitivity Level Of Field Gender Is Not Set
Data Sensitivity Level Of Field Religion Is Not Set
JavaScript Rules List
JavaScript – Avoid Making Connections On Unsafe Protocols
JavaScript – Avoid Making Connections On Unsafe Protocols – UI Policy scriptTrue
JavaScript – Avoid Making Connections On Unsafe Protocols – UI Policy scriptFalse
JavaScript – Avoid Making Connections On Unsafe Protocols – Catalog UI Policy scriptTrue
JavaScript – Avoid Making Connections On Unsafe Protocols – Catalog UI Policy scriptFalse
JavaScript – Avoid Unrestricted targetOrigin On Cross-Domain Messaging
JavaScript – Avoid Unrestricted targetOrigin On Cross-Domain Messaging – UI Policy scriptTrue
JavaScript – Avoid Unrestricted targetOrigin On Cross-Domain Messaging – UI Policy scriptFalse
JavaScript – Avoid Unrestricted targetOrigin On Cross-Domain Messaging – Catalog UI Policy scriptTrue
JavaScript – Avoid Unrestricted targetOrigin On Cross-Domain Messaging – Catalog UI Policy scriptFalse
Javascript – Avoid Use Of Alert Function
JavaScript – Avoid Use Of Debugger Statements
JavaScript – Avoid Use Of Debugger Statements – UI Policy scriptTrue
JavaScript – Avoid Use Of Debugger Statements – UI Policy scriptFalse
JavaScript – Avoid Use Of Debugger Statements – Catalog UI Policy scriptTrue
JavaScript – Avoid Use Of Debugger Statements – Catalog UI Policy scriptFalse
JavaScript – Avoid Use Of Eval Function
Server Side: JavaScript – Avoid Use Of Eval Function
JavaScript – Avoid Use Of Function Constructors
JavaScript – Avoid Use Of Function Constructors – UI Policy scriptTrue
JavaScript – Avoid Use Of Function Constructors – UI Policy scriptFalse
JavaScript – Avoid Use Of Function Constructors – Catalog UI Policy scriptTrue
JavaScript – Avoid Use Of Function Constructors – Catalog UI Policy scriptFalse
Javascript – Avoid Use Of Local Storage On Client Scripts
JavaScript – Avoid Use Of WebDB
JavaScript – Avoid Use Of WebDB – UI Policy scriptTrue
JavaScript – Avoid Use Of WebDB – UI Policy scriptFalse
JavaScript – Avoid Use Of WebDB – Catalog UI Policy scriptTrue
JavaScript – Avoid Use Of WebDB – Catalog UI Policy scriptFalse
JavaScript – Optimize Loops
JavaScript – Optimize Loops – UI Policy scriptTrue
JavaScript – Optimize Loops – UI Policy scriptFalse
JavaScript – Optimize Loops – Catalog UI Policy scriptTrue
JavaScript – Optimize Loops – Catalog UI Policy scriptFalse
JavaScript – Use === comparison
JavaScript – Use === Comparison – UI Policy scriptTrue
JavaScript – Use === Comparison – UI Policy scriptFalse
JavaScript – Use === Comparison – Catalog UI Policy scriptTrue
JavaScript – Use === Comparison – Catalog UI Policy scriptFalse
UI Actions With Debugging Statements
Javascript – Avoid Use Of Local Storage On Catalog Client Scripts
PMD – Apex Class Rules
PMD – Apex Trigger Rules
PMD – Lightning Rules
Accessing Endpoints Over Unencrypted Http Should Be Avoided
Access Permissions Should Be Checked Before A SOQL/SOSL/DML Operation
Apex Unit Tests Should Include At Least One Assertion
Apex Unit Tests Should Not Use @isTest(seeAllData=true)
Avoid Classes With Too Many Fields
Avoid Classes With Too Many Public Methods
Avoid Constructors With Excessive Lines of Code Count
Avoid Creating Deeply Nested If-Then Statements
Avoid Declaring Multiple Variables In A Single Line
Avoid DML Statements Inside Loops
Avoid Empty Block Statements
Avoid Empty Catch Block
Avoid Empty If Statements
Avoid Empty Try Or Finally Blocks
Avoid Empty While Statements
Avoid Excessive Class File Lengths
Avoid Excessive Cyclomatic Complexity
Avoid Excessive Standard Cyclomatic Complexity
Avoid Hardcoded Credentials Used In Requests To An Endpoint
Avoid Hardcoding IDs
Avoid Implementing Business Logic In Triggers
Avoid Methods With Excessive Lines Of Code Count
Avoid Processing Unescaped URL Parameters
Avoid SOQL Inside Loops
Avoid Sosl Calls Within Loops
Avoid System.debug And Configuration.disableTriggerCRUDSecurity()
Avoid Types With Excessive Lines Of Code Count
Avoid Using “for” Statements Without Using Surrounding Braces
Avoid Using “while” Statements Without Using Braces To Surround The Code Block
Avoid Using DML Operations In Apex Class Constructor/Init Method
Avoid Using If…Else Statements Without Using Surrounding Braces
Avoid Using If Statements Without Using Braces To Surround The Code Block
Avoid Using Untrusted / Unescaped Variables In DML Queries
Calls To addError With Disabled Escaping Should Be Avoided
Classes Should Explicitly Declare A Sharing Mode If DML Methods Are Used
Class Names Should Always Begin With An Upper Case Character
Final Variables Should Be Fully Capitalized And Non-Final Variables Should Not Include Underscores
Method Names Should Always Begin With A Lower Case Character And Should Not Contain Underscores
Methods With Numerous Parameters Should Not Be Used
Missing ApexDoc @description
Missing ApexDoc Comment
Non-Constructor Methods Should Not Have The Same Name As The Enclosing Class
Randomly Generated IVs And Keys Should Be Used For Crypto Calls
Redirects To User-Controlled Locations Should Be Avoided
The Global Modifier Should Be Avoided
Variable Names Should Start With A Lowercase Character
Variables Should Start With A Lowercase Character
Avoid Directly Accessing Trigger.old And Trigger.new
Avoid Using The With Keyword
Avoid Functions With Inconsistent Return Types
Avoid Unintended Global Variables
Avoid Unintended Modification Of Variables Outside Loops
Avoid Using The ParseInt Function Without An Explicit Base Parameter
Avoid Assignments In Operands
Avoid Using For Statements Without Using Curly Braces
Avoid Using If…Else Statements Without Using Curly Braces
Avoid Using If Statements Without Using Curly Braces
Avoid Return Statements In If Blocks
Avoid Unnecessary Code Blocks
Avoid Unnecessary Parenthesis
Avoid Using “while” Statements Without Using Curly Braces
Avoid Trailing Commas In Object Or Array Literals
Avoid Use Of The “==” Operator
Avoid Declaring Integers Over 15 Digits
All Apex Classes Should Have At Least One Test Class
“System.debug” First Parameter Has To Be Logging Level
Apex Assertions Should Include Message
Apex Unit Test Method Should Have “@IsTest” Annotation
Field Naming Conventions
Formal Parameter Naming Conventions
Local Variable Naming Conventions
Method Naming Conventions
Property Naming Conventions
Cognitive Complexity
Avoid Non Existent Annotations
Inaccessible Aura Enabled Getter
Override Both Equals And Hashcode
Eagerly Loaded Describe SObject Result
Test Methods Must Be In Test Classes
Field Declarations Should Be At Start
Unused Local Variable
Apex Class Rules
Apex Component Rules
Apex Page Rules
Apex Trigger Rules
Custom Field Rules
Duplicate Rules
Object Rules
Org Configuration Rules
Profiles Rules
Report Rules
Static Resource Rules
Avoid Maintaining Legacy Code With Outdated API Versions
Avoid Using Function SObjectType.getDescribe In FLS Checks
Avoid Importing Multiple JavaScript Files Individually
Avoid Using Outdated API Versions In New Code
Avoid Using Data Grids
Avoid Importing Multiple CSS Files Individually
Avoid Using An Excessive Number Of Images
Component Id Must Be Unique
Page Names Should Always Begin With An Upper Case Character
Use Custom Components To Lazy Load Data In APEX Pages
Static Resources Should Be Used To Serve JavaScript, CSS And Images
Action Pollers Should Not Use Short Polling Intervals
Avoid Displaying The Results Of Unbounded Queries On A Page
Avoid Importing Images From Sources Other Than Static Resources
Avoid Using More Than One Tag Per Page
Avoid Importing CSS And Javascript Files From Sources Other Than Static Resources
Use The Render Attribute To Update The Component
Optimize HTML By Removing Unnecessary HTML
Optimize Javascript
Avoid Custom Fields Without Description Or Help Text
Avoid Defining Multiple Triggers Per Object
Avoid Defining More Than One Trigger Per Object – Medium
Avoid Excessive Sharing Rules On An Object
Avoid Formula Fields With JavaScript Code
Avoid Inactive Validation Rules
Avoid Objects Without Indexed Fields
Ratio Custom Fields To Total Fields In Standard Objects – Low
Avoid Objects Without Picklist Fields
Avoid Free Entry Custom Fields With No Data Restrictions
Avoid Excessive Validation Rules
Ratio Custom Fields To Total Fields In Standard Objects – High
Avoid Hardcoded URLs
Avoid Unreachable Code
Ratio Custom Fields To Total Fields In Standard Objects – Medium
Bounded Relative Date Values Should Be Used Whenever Appropriate
Details Should Not Be Shown By Default
The “contains” And “does not contain” Filter Operators Should Not Be Used
The number of fields on a Report should be kept to a minimum
The “or” Operator Should Not Be Used
The Show Filter Should Not Contain The “All” Option
Unbounded Time Intervals Should Not Be Used
Unused Report: Last Run Over Two Years
Unused Report: Last Run From 1 To 2 Years
Unused Report: Last Run From 90 Days To 1 Year
Avoid using apex:includeScript
Avoid Using HTML Tags Which Will Be Removed By The VisualForce Page
Include JavaScript Code From Static Resources
Avoid Using The File Download Servlet To Reference Static Resources
Use Of Open Source Javascript Framework
Password Policy Complexity Too Weak – No Restrictions
Password Policy Expiration Too Weak – Non-Expiring Passwords
Password Policy Expiration Too Weak – Password Lifetime Over 90 Days
Password Policy Repetition Too Weak
Password Policy Max Login Attempts Too Wide
Password Policy: Obfuscate The Secret Answer For Password Resets
Password Policy: Password Question Requirement Set To None
The Trusted IP Range Is Too Wide
Password Policy Minimum Password Length Too Weak
Ratio Of Custom Objects To Standard Objects – High
Ratio Of Custom Objects To Standard Objects – Medium
Ratio Of Custom Objects To Standard Objects – Low
Too Many Apex Classes (Over 50 – Does Not Include Test Classes Or Downloaded Apps)
Too Many Roles (Over 20)
Too Many Branches On Role Hierarchy
Too Many Custom Reports Over Used Objects
Too Much Views Over Used Objects
Too Many Profiles And Permission Sets
Avoid Having More Than One Apex Trigger Per Object
Too Many Reports And Views Without Folder Assigned
The Percentage Of Asynchronous Classes Is Too High
The Instance Has More Than 5.000 Lines Of APEX Code
Coverage Of Unit Tests Is Less Than 75%
Cross-Site Request Forgery (CSRF) Protection On GET Requests On Non-Setup Pages Is Disabled
Cross-Site Request Forgery (CSRF) Protection On POST Requests On Non-Setup Pages Is Disabled
Clickjack Protection For Non-Setup Salesforce Pages Is Disabled
Clickjack Protection For Customer Visualforce Pages With Standard Headers Turned On Is Disabled
Clickjack Protection For Customer Visualforce Pages With Standard Headers Turned Off Is Disabled
Clickjack Protection For Setup Pages Is Disabled
The Browser Is Not Prevented From Inferring The MIME Type From The Document Content And From Executing Malicious Files
Cross-Domain Session Information Is Exchanged Using A GET Request Instead Of A POST Request
Protection Against Reflected Cross-Site Scripting Attacks Is Disabled
The IP Addresses In Login IP Ranges Are Enforced Only When A User Logs In
There Is No Sessions Time Out For Inactive Users
Visualforce, Salesforce Sites, Or Communities Must Use HTTPS
Prevent Unauthorized Used Of Session ID
HTTPS Is Not Required To Log In To Or Access Salesforce
Session Policy – Enable Content Security Policy
Inactivity Time Warning
There Are Free Entry Custom Fields With No Data Restriction
Convert Attachments To Files
Password Policy Password Hint Contains Password
Password Policy Complexity Too Weak – Alphanumeric Restriction Only
Password Policy Expiration Too Weak – Never
Password Policy Expiration Too Weak – Six Months
Password Policy Expiration Too Weak – One Year
Password Policy Max Login Attempts – Unlimited
Password Policy: Obfuscate The Secret Answer
Avoid Using The Attachments Object
Avoid Picklist Fields With Too Many Values
Naming Convention For Salesforce
Avoid Catch Block With Just Logs
Avoid Configuration Elements Without “description”
Avoid Return Statements In try/catch Finally Blocks
ServiceNow Rules List
Rules By Configuration Element
Access Control Rules
Business Rules Rules
Catalog Rules
Catalog Client Scripts Rules
Catalog Item Rules
Catalog UI Policy Action Rules
Catalog UI Policy Rules
Client Script Rules
Data source Rules
Dictionary Rules
Dictionary Entry Override Rules
Email Script Rules
Form Layout Rules
Form Sections Rules
Inactive Security Plugins Rules
Inactivity Monitor Rules
Inbound Email Action Rules
Modules Rules
Notification Rules
Record Producer Rules
REST Message Rules
Script Action Rules
Script Include Rules
Scripted Rest Resource Rules
Service Catalog Rules
SOAP Message Rules
System Property Rules
Table Rules
Table Transform Map Rules
Transform Script Rules
UI Action Rules
UI Policy Action Rules
UI Policy Rules
UI Scripts Rules
User Preferences Rules
Variable Rules
Variable Set Rules
Widget Rules
Widget Angular Provider Rules
Workflow Rules
Update Set Rules
Field Map Rules
Roles Rules
Security Best Practices For ServiceNow
ACLs Using GlideRecord Queries
Business Rules Using Eval Function
Contextual Security Plugin Disabled
GlideRecord API Usage In Scripted REST API Resource
High Security Settings Plugin Disabled
Modified Out Of the Box ElemenT
REST API Resource Modifying Data Without Authentication Check
REST API Resource Modifying Data Without Authentication Check – No Author
Scripted REST API Resource With Hard-Coded sys_ids
Scripts Should Not Use gs.sql
Catalog Items Without Short Description
Catalog Items With Short Description Equal To Name
Multiple Choice Catalog Variables With Too Many Options
Catalog Items Without Description
Notification Email Scripts With Hard-Coded sys_ids
Catalog With No Usage Of META Tags
Catalog With Very Low Usage Of META Tags
Catalog With Low Usage Of META Tags
Client Scripts With Hard-Coded sys_ids
Document Object Model (DOM) Manipulation In Client Scripts
Synchronous AJAX Call In Client Scripts
Client Scripts Should Not Use Unsupported Scripting APIs
Client Scripts With The console.log Debugging Method
GlideRecord Usage On Client Scripts
Client Scripts With Empty Script Field
Client Scripts Defined On The Global Table
Client Scripts Without Function
Catalog Client Scripts With Hard-Coded sys_ids
Catalog Client Scripts Without Function
Document Object Model (DOM) Manipulation In Catalog Client Scripts
Catalog Client Scripts With The console.log Debugging Method
Synchronous AJAX Call In Catalog Client Scripts
GlideRecord Usage On Catalog Client Scripts
Catalog Client Scripts With Empty Script Field
Catalog Client Scripts Should Not Use Unsupported Scripting APIs
GlideRecord Usage On Portal Widget Client Scripts
Portal Widgets With Hard-Coded sys_ids
Synchronous Business Rules Making SOAP Or REST Calls
Angular Providers With Hard-Coded sys_ids
UI Actions With Hard-Coded sys_ids
Server UI Actions Using GlideRecord And getRowCount
Synchronous AJAX Call In UI Actions
Document Object Model (DOM) Manipulation In UI Actions
UI Actions Using GlideRecord
UI Policy Action Without Field Effects
Catalog UI Policy Action Without Field Effects
Transform Maps With Hard-Coded sys_ids
Transform Maps With “Run business rules” Option Enabled
Transform Scripts With Hard-Coded sys_ids
onBefore Transform Scripts Should Only Update The Target Table
Too Many Fields In A Form Section
Forms With Too Many Sections
Inbound Email Actions With Hard-Coded sys_ids
Inbound Email Actions Using GlideRecord And getRowCount
Event Script Action With Hard-Coded sys_ids
Event Script Action Using GlideRecord And getRowCount
UI Scripts With Hard-Coded sys_ids
Synchronous AJAX Call In UI Scripts
UI Scripts With The console.log Debugging Method
UI Scripts With Empty Script Field
GlideRecord usage on UI Scripts
Document Object Model (DOM) Manipulation In UI Scripts
UI Scripts Without Function
Avoid Global UI Scripts
UI Scripts Including Open Source Libraries
Business Rules Defined On The Global Table
Business Rules Without Function
Business Rules Using GlideRecord And getRowCount
Business Rules With Debugging Statements
Business Rules Using The SOAP getResponse Method
onBefore Business Rule Should Only Update The Target Table
Business Rules With Hard-Coded sys_ids
Potential Recursive Business Rules
Script Includes With Hard-Coded sys_ids
Script Includes Using GlideRecord And getRowCount
Script Include With Debugging Statements
Creating Custom Tables In The Global Scope Should Be Avoided
JDBC Data Sources With “Use last run datetime” Option Unchecked
The Default System User Preference “Rows per Page” Set Above 100
Unused Inactivity Monitors
Avoid Workflows With Too Many Activities
Avoid Workflows With Too Many Timer Activities
Workflows With Notification Activities
Synchronous AJAX Call In UI Policies – scriptFalse
UI Policies Using GlideRecord – scriptFalse
UI Policies Using GlideRecord – scriptTrue
UI Policies With Hard-Coded sys_ids – scriptFalse
UI Policies With Hard-Coded sys_ids – scriptTrue
Document Object Model (DOM) Manipulation In UI Policies – scriptFalse
Document Object Model (DOM) Manipulation In UI Policies – scriptTrue
Catalog UI Policies Using GlideRecord – scriptFalse
Catalog UI Policies Using GlideRecord – scriptTrue
Catalog Policies With Hard-Coded sys_ids – scriptTrue
Catalog UI Policies With Hard-Coded sys_ids – scriptFalse
Document Object Model (DOM) Manipulation In Catalog UI Policies – scriptTrue
Document Object Model (DOM) Manipulation In Catalog UI Policies – scriptFalse
Synchronous AJAX Call In Catalog UI Policies – scriptTrue
Synchronous AJAX Call In Catalog UI Policies – scriptFalse
The System Property “Go To Search” Is Set To “Contains”
The System Property “Update on Iterate” Is Enabled
Debug System Properties Enabled
The “Log/trace level of TaskSLAController” System Property Not Set To “notice”
Debugging Properties Enabled In Production Environments
The System Property “Auto Complete Wait Time” Exceeds 750 ms
The System Property “Items per page” Includes Options Over 100
The SOAP Timeout Value Is Over 5 Minutes
The “Security Manager” System Property Is Set To “Allow Access”
SOAP Request Strict Security Should Be Enabled
SSLv2/SSLv3 Should Be Disabled
Escape Jelly Should Be Enabled
Escape HTML Should Be Enabled
Enable AJAXEvaluate Should Be Disabled
AJAXGlideRecord ACL Checking Should Be Enabled
“Check UI Action Conditions check before Execution” Should Be Enabled
Escape XML Should Be Enabled
Client Generated Scripts Sandbox Should Be Enabled
HTML Sanitizer Property Should Be Enabled
Java Package Collection Mode And Collection Mode Override Properties Should Be Disabled
Cookies – HTTP Only Should Be Enabled
CSV Request Authorization Should Be Enabled
Basic Auth SOAP Requests Setting Should Be Enabled
Old UI Enabled Or Being Used
Script Request Authorization Should Be Enabled
“Allow Javascript tags in Embedded HTML” Property Should Be Disabled
Anti-CSRF Token Setting Should Be Enabled
SLA Logging Level Should Be Set To “notice”
The System Property “Auto Complete Search” Is Set To “Contains”
Modules Pointing To Big Tables Without Filter
Avoid Updating The Source Table On Transform Maps
Avoid Updating The Source Table On Transform Scripts
Unlogged API Call Error Condition
Fields Used To Coalesce Records In A Table Transform Map Should Be Indexed
Update Sets Should Contain A Description
The demo_data_running_trigger Business Rule Should Be Disabled
The glide.businessrule.callstack System Property Is Set To True
The sn_hr_core.impersonateCheck System Property Is False
The glide.db.clone.allow_clone_target System Property Is Set To True
Dot Walking To sys_id
Dot Walking To sys_id – Portal Widget clientScript
Dot Walking To sys_id – UI Policy scriptTrue
Dot Walking To sys_id – UI Policy scriptFalse
Dot Walking To sys_id – Catalog UI Policy scriptTrue
Dot Walking To sys_id – Catalog UI Policy scriptFalse
Usage Of g_form.setValue On A Reference Field Without displayValue
Usage Of g_form.setValue On A Reference Field Without displayValue – Portal Widget clientScript
Usage Of g_form.setValue On A Reference Field Without displayValue – UI Policy scriptTrue
Usage Of g_form.setValue On A Reference Field Without displayValue – UI Policy scriptFalse
Usage Of g_form.setValue On A Reference Field Without displayValue – Catalog UI Policy scriptTrue
Usage Of g_form.setValue On A Reference Field wWithout displayValue – Catalog UI Policy scriptFalse
The “glide.login.autocomplete” System Property Is Set To True
Scripts Directly Call To Java Packages
Avoid Creating Unnecessary Tables In Scoped Applications Which Can Impact Your Licensing Cost
Usage Of getMessage Function Without A Second Parameter
Usage Of getMessage Function Without A Second Parameter – Portal Widget clientScript
Usage Of getMessage Function Without A Second Parameter – UI Policy scriptTrue
Usage Of getMessage Function Without A Second Parameter – UI Policy scriptFalse
Usage Of getMessage Function Without A Second Parameter – Catalog UI Policy scriptTrue
Usage Of getMessage Function Without A Second Parameter – Catalog UI Policy scriptFalse
Roles Without Any User
Scheduled Jobs Without A Dedicated Integration User
Reports Should Not Be Made Public
Usage Of current.update() In Script Workflow Activities
Scheduled Imports Should Not Run At The Same Time
Avoid Script Includes With Duplicate Names
Usage Of gs.sleep() On Workflow Activities
Scheduled Jobs Run By Deleted Users
Usage Of gs.cacheFlush() On Scripts
Auditing For Update Sets Should Be Enabled
Usage Of Window Objects Instead Of AngularJS Services
Forms With Duplicate Fields
Portal Widgets Should Not Be Made Public
The Change Request Table Should Not Be Extended
Portal Pages Should Not Be Made Public
Too Many Delete Actions On An Update Set
The assessment_take2 UI Page Should Be Public
Transform Maps With Boolean Fields In Their Import Set Table
Update Sets Should Not Include Images Without Review
Update Sets Should Not Include Knowledge Base Articles Without Review
Avoid Creating cross-table Business Rule Recursive Loops
Dictionary Entries Present For A Table That Does Not Exist
Groups Should Not Have An Inactive Manager
Flows Should Not Be Client Callable
Actions Should Not Be Client Callable
HHRR System Properties Outside The “Human Resource Scoped” Category
Groups Should Not Have Inactive Members
Flows Should Not Run Using The Admin Role
Integration Accounts Should Not Use The Admin Role
Workflows Should Not Use Stages That Are Not Defined In A Stage Set
Stage Sets With Duplicates Entries
Child Group Does Not Contain All Parent Roles
The “glide.email.read.active” System Property Is Set To “false”
The “glide.email.smtp.active” System Property Is Set To “false”
The “glide.uxf.js_server.consolidate” System Property Is Set To “false”
The “glide.image_provider.security_enabled” System Property Is Set To “false”
Usage Of getMessage() Without Preloading Message Key
The Out Of The Box Admin Account Should Not Be Inactive Or Locked Out
Empty Role Assigned To A User
Empty Roles Assigned To A Group
Roles Assigned To An Invalid User
The glide.xmlutil.max_entity_expansion System Property Value Is Not Set To 3000
Maximum Number Of Actions Per Flow And Subflow
Potential Recursive Business Rules – current.update()
ACLs Should Not Be Entirely Empty Or Contain The “Public” Role
Scheduled Jobs Should Specified A Value For “Run as” Field
Scheduled Jobs Should Not Be Run By inactive/locked Out Users
GlideRecord And GlideRecordSecure Should Not Be Used In Client Side Scripts
GlideRecord And GlideRecordSecure Should Not Be Used In Service Portal Widget-Client Script
GlideRecord And GlideRecordSecure Should Not Be Used In Catalog UI Policies. Script False
GlideRecord And GlideRecordSecure Should Not Be Used In Catalog UI Policies. Script True
GlideRecord And GlideRecordSecure Should Not Be Used In UI Policies. Script False
GlideRecord And GlideRecordSecure Should Not Be Used In UI Policies. Script True
Vulnerabilities in Open Source Libraries List
AngularJS – Denial of Service attack through DOM clobbering on versions under 1.6.3
AngularJS – Prototype Pollution Vulnerability Under 1.7.9
AngularJS – XSS vulnerability Using AngularJS Under 1.6.5 In Firefox And Safari – Sanitize On Inert Documents
AngularJS – XSS Vulnerability Through The Attribute “usemap” From 1.0.0 To 1.2.30
AngularJS – XSS Vulnerability Through The Attribute “usemap” From 1.3.0 To 1.5.0-rc2
AngularJS – XSS Vulnerability Under 1.8.0 – Input HTML
AngularJS – XSS Vulnerability Using AngularJS Under 1.6.9 With Firefox
jQuery – XSS Vulnerability Under 3.5.0, When Using htmlPrefilter
XSS Vulnerability In Ext JS Action Column getTip
jQuery – Prototype Pollution Vulnerability Under 3.4.0
jQuery – XSS Vulnerability Under 1.6.3, When Using location.hash
jQuery – XSS Vulnerability Under 1.9.0, When Using jQuery(strInput)
jQuery – XSS Vulnerability Under 3.0.0, When Making Cross-Domain Calls Without The dataType Option
jQuery-ui-tooltip – XSS Vulnerability Under 1.10.0, Title Attribute
jQuery-ui-dialog – XSS Vulnerability Under 1.10.0, Title Attribute
jQuery-ui-dialog – XSS Vulnerability Under 1.10.0, closeText Parameter
moment.js – Regular Expression Denial Of Service Vulnerability
Bootstrap – XSS Vulnerability On Versions Under 2.1.0, On popover / tooltip
Bootstrap – XSS Vulnerability On Versions Under 3.4.0, On data-target Attribute
Bootstrap – XSS Vulnerability On Versions Between 4.0.0 And 4.1.2, On data-target Attribute
Bootstrap – XSS Vulnerability On Versions Under 3.4.1, On data-template, data-content And data-Title Attributes
Bootstrap – XSS Vulnerability On Versions Between 4.0.0 And 4.3.1, On data-template, data-content And data-title Attributes
swfobject – XSS Vulnerability On Versions Under 2.1, On swfobject.getQueryParamValue
tinyMCE – Static Code Injection Vulnerability On Versions Under 1.4.2, In inc/function.base.php
tinyMCE – XSS Vulnerability On Versions Under 4.2.4, In Media Plugin
tinyMCE – XSS Vulnerability On Versions Under 4.2.0, In Some Default Config Implementations
tinyMCE – XSS Vulnerability On Versions Under 4.7.12, In Links With XLINK:HREF Attributes
tinyMCE – XSS Vulnerability On Versions Under 5.1.6, In CDATA Elements
tinyMCE – XSS Vulnerability On Versions Under 5.2.2, In Media Elements
tinyMCE – XSS Vulnerability On Versions Under 5.4.0, In iframe Elements
tinyMCE – XSS Vulnerability On Versions Between 5.0.0 And 5.1.4, On The Core Parser, Paste And visualcharts Plugins
AngularJS – XSS Vulnerability On Versions Under 1.8.0, Via JQLite DOM Manipulation Functions
AngularJS – XSS Vulnerability On Versions Under 1.8.0, Via Nested Option In Select Elements
jQuery – XSS Vulnerability On Versions Under 3.5.0, Via The htmlPrefilter Method
Handlebars – Remote Code Execution Possible In Compat And Strict Mode On Versions Under 4.7.7
Handlebars – Template Injection And Remote Code Execution On Versions Under 4.6.0
Handlebars – Remote-code-execution Exploits Where Misusing prototype-builtins On Versions Under 4.5.3
Handlebars – Remote-code-execution Exploits Where Misusing The Helper blockHelperMissing On Versions Under 4.3.0
Handlebars – Prototype Pollution Vulnerability On Versions Greater Than Or Equal To 4.0.0 And Less Than 4.0.14
Handlebars – Prototype Pollution Vulnerability On Versions Greater Than Or Equal To 3.0.0 And Less Than 3.0.7
Handlebars – Prototype Pollution Vulnerability On Versions Between 4.0.14 And 4.1.2
Handlebars – Prototype Pollution Vulnerability On Versions Under 4.0.14
Handlebars – XSS Vulnerability On Versions Under 4.0.0
Vue. Possible XSS Vector On Versions Under 2.4.3
Vue. Potential XSS In SSR When Using v-bind On Versions Under 2.5.17
Vue. vue-server-renderer’s Dependency Of serialize-javascript To 2.1.2 On Versions Under 2.6.11
React. Potential XSS Vulnerability When Using User Data As A Key. This Only Affects v0.5.x And v0.4.x
React. XSS Via A Spoofed React Element On Versions Under 0.14.0
Dynamics 365 Rules List
Avoid Using Deprecated Event Registration And Handling Methods
Avoid Using Deprecated Global Context Methods
Avoid Using Deprecated GridRow And GridRowData Methods
Avoid Using Deprecated Methods
Avoid Using Deprecated Xrm.Page.context Methods
Avoid Using Deprecated Xrm.Utility Methods
Avoid Using DOM Manipulation
Avoid Using Silverlight Web Components
Best Practices
Learn Quality Clouds Recommendations
Document Your Code And Configuration Elements
Maximum Length Of Code Elements
Naming Conventions
Use Naming Prefix
Use Only Allowed Character Set
Quality Clouds Salesforce Best Practice Rules
List Of Configuration Elements Scanned In Salesforce
Code Duplication Best Practices
GDPR (General Data Protection Regulation) Best Practices
Classify Sensitive Data To Support Data Management Policies
SOQL Injection
Flow Best Practices Rules
List Of Configuration Elements (CEs) Scanned In ServiceNow
Allocating Your Custom Tables To A Subscription Entitlement
Allow JavaScript Tags In Embedded HTML
Anti-CSRF Token
Application Security Best Practice
Apply ACLs To AJAXGlideRecord (Client-Side Glide Record)
Available System Properties
Avoid Coding Pitfalls
Avoid Modifying Core Platform Components
Avoid Modifying Out Of The Box Elements
Basic Auth: SOAP Requests
Business Rules Best Practices
Business Rules In Scoped Applications
Check UI Action Conditions Before Execution
Client Generated Scripts Sandbox
Client Scripts Best Practices
Client-side Scripting Design And Processing
Collection Mode Override Property
Configure Keyword Search For Catalog Items
Contextual Security
Cookies – HTTP Only
CSV Request Authorization
Data Source Fields
Debugging Best Practices
Disabling SSLv2/SSLv3
Enable AJAXEvaluate
Escape HTML
Escape Jelly
Escape XML
High Security Settings
HTML Sanitizer
Inactivity Monitors
Interacting With The Database
Keep Code In Functions
Legacy: UI11
Minimize Server Lookups
Performance Best Practices
Prevent Recursive Business Rules
Reusing Client Script Code
Run Only Necessary Client Scripts
Script Request Authorization
Scripted REST API Best Practices
Service Catalog UI Policy
Service Portal And Client Scripts
SOAP Request Strict Security
Troubleshoot Import Set Performance
UI Scripts
Workflow Best Practices
Software Development Industry Standards
JavaScript Best Practices
Common Weakness Enumeration (CWE™)
Apex Best Practices List
Apex Code Style Best Practices
Apex Design Best Practices
Apex Error Prone Best Practices
Apex General Best Practices
Apex Security Best Practices
Apex Performance Best Practices
Apex Documentation Best Practices
Apex Java Best Practices
What are OWASP Recommendations?
Sensitive Data Exposure
Cross-Site Scripting (XSS)
Quality Clouds Dynamics 365 Best Practices
Deprecated Client APIs
Avoid using size() in SOQL queries.xg
Use of GlideRecord and getRowCount
Inline Scripts should not contain many lines of code
Exception Classes Should Extend an Exception
Avoid Using HTTP Referer Headers
Avoid Messaging Operation In Loop
Avoid Async scheduling or queueing Operation In Loop.
Avoid invocation of future methods inside loops
Switch Statements Should Have a When Else Case
React. XSS Via A Spoofed React Element On Versions Under 0.14.0
AngularJS – XSS Vulnerability On Versions Under 1.8.0, Via Nested Option In Select Elements
React. Potential XSS Vulnerability When Using User Data As A Key. This Only Affects v0.5.x And v0.4.x
Vue. vue-server-renderer’s Dependency Of serialize-javascript To 2.1.2 On Versions Under 2.6.11
Vue. Potential XSS In SSR When Using v-bind On Versions Under 2.5.17
Vue. Possible XSS Vector On Versions Under 2.4.3
Handlebars – XSS Vulnerability On Versions Under 4.0.0
Handlebars – Prototype Pollution Vulnerability On Versions Under 4.0.14
Handlebars – Prototype Pollution Vulnerability On Versions Between 4.0.14 And 4.1.2
Handlebars – Prototype Pollution Vulnerability On Versions Greater Than Or Equal To 3.0.0 And Less Than 3.0.7
Handlebars – Prototype Pollution Vulnerability On Versions Greater Than Or Equal To 4.0.0 And Less Than 4.0.14
Handlebars – Remote-code-execution Exploits Where Misusing The Helper blockHelperMissing On Versions Under 4.3.0
Avoid Losing Exception Information
Avoid duplicate queueable jobs
Set maximum depth for chained queueable jobs
Avoid using Tab Characters Check
Set minimum queueable delay for chained queueable jobs
Avoid multiple unary operators
GlideRecordSecure should not be used in Inline Scripts.
GlideRecord should not be used in Inline Scripts.
Remove unused private methods
Remove unused apex classes