CHANGE @W-17312010@ Adding PMD AppExchange rule docs to keep links functional (#1697)

Author: jfeingold35

pmd-appexchange/docs/AvoidApiSessionId.md

@@ -0,0 +1,18 @@
+AvoidApiSessionId[](#avoidapisessionid)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Session ID use may not be approved.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of Api.Session_ID to retrieve a session ID. For more guidance on approved use cases, read the [Session Id Guidance][https://partners.salesforce.com/sfc/servlet.shepherd/version/download/0684V00000O83jT?asPdf=false&operationContext=CHATTER] document.
+
+**Example(s):**
+
+   
+

pmd-appexchange/docs/AvoidApiSessionIdInXML.md

@@ -0,0 +1,18 @@
+AvoidApiSessionIdInXML[](#avoidapisessionidinxml)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Session ID use is not approved.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects use of Api.Session_ID to retrieve a session ID. For more guidance on approved use cases, read the [Session Id Guidance][https://partners.salesforce.com/sfc/servlet.shepherd/version/download/0684V00000O83jT?asPdf=false&operationContext=CHATTER] document.
+
+**Example(s):**
+
+   
+

pmd-appexchange/docs/AvoidAuraAppWithLockerDisabled.md

@@ -0,0 +1,18 @@
+AvoidAuraAppWithLockerDisabled[](#avoidauraappwithlockerdisabled)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   To enable Lightning Locker, update the apiVersion to version 40 or greater.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects use of API versions with Lightning Locker disabled in Aura components. Use API version 40 or greater.
+
+**Example(s):**
+
+   
+

pmd-appexchange/docs/AvoidAuraCmpWithLockerDisabled.md

@@ -0,0 +1,18 @@
+AvoidAuraCmpWithLockerDisabled[](#avoidauracmpwithlockerdisabled)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   To enable Lightning Locker, update the apiVersion to version 40 or greater.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects use of API versions with Lightning Locker disabled in Aura components. Use API version 40 or greater.
+
+**Example(s):**
+
+   
+

pmd-appexchange/docs/AvoidChangeProtectionUnprotected.md

@@ -0,0 +1,18 @@
+AvoidChangeProtectionUnprotected[](#avoidchangeprotectionunprotected)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Ensure appropriate authorization checks are in-place before invoking FeatureManagement.changeProtection called with 'UnProtected' argument.
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects potential misuse of FeatureManagement.changeProtection.
+
+**Example(s):**
+
+   
+

pmd-appexchange/docs/AvoidCreateElementScriptLinkTag.md

@@ -0,0 +1,28 @@
+AvoidCreateElementScriptLinkTag[](#avoidcreateelementscriptlinktag)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Load JavaScript/CSS only from static resources.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+Detects dynamic creation of script or link tags
+Note: This rule identifies the `<script>` block where `createElement` is detected; but can only show the line number where the `<script>` tag begins and not the line number for `createElement`.
+That means if there are multiple `createElement` calls with `script` as input, you'll see multiple issues reported with the line number of the `<script>` tag. This is a known issue; developers are expected to go through the `<script>` block to identify the use of `createElement`
+
+**Example(s):**
+
+   
+
+```
+<script src="{!$Resource.jquery}"/>
+```
+
+See more examples on properly using static resources here: https://developer.salesforce.com/docs/atlas.en-us.236.0.secure_coding_guide.meta/secure_coding_guide/secure_coding_cross_site_scripting.htm
+
+        
+

pmd-appexchange/docs/AvoidDisableProtocolSecurity.md

@@ -0,0 +1,18 @@
+AvoidDisableProtocolSecurity[](#avoiddisableprotocolsecurity)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Protocol security setting is disabled
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects if "Disable Protocol Security" setting is checked/true
+
+**Example(s):**
+
+   
+

pmd-appexchange/docs/AvoidDisableProtocolSecurityInXML.md

@@ -0,0 +1,18 @@
+AvoidDisableProtocolSecurityInXML[](#avoiddisableprotocolsecurityinxml)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Protocol security setting is disabled
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects if "Disable Protocol Security" setting is checked/true
+
+**Example(s):**
+
+   
+

pmd-appexchange/docs/AvoidGetInstanceWithTaint.md

@@ -0,0 +1,20 @@
+AvoidGetInstanceWithTaint[](#avoidgetinstancewithtaint)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   getInstance() is invoked with a potentially tainted parameter.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects use of getInstance(userId)/getInstance(profileId). Hierarchy Custom Settings return the record owned by the current user when `getInstance()` is invoked without any parameters.
+But if a tainted/end-user controlled `userId` or `profileId` is passed as a parameter to `getInstance()` that will allow the code to access records owned by other users on the org.
+Protected Custom Settings are the recommended approach to store subscriber owned secrets. Passing `userId` or `proileId` parameters to `getInstance()` could allow a user access to secrets that belong other other users on the org.
+
+**Example(s):**
+
+   
+

pmd-appexchange/docs/AvoidGlobalInstallUninstallHandlers.md

@@ -0,0 +1,23 @@
+AvoidGlobalInstallUninstallHandlers[](#avoidglobalinstalluninstallhandlers)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Install and Uninstall handlers should be public and not global
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   Detects Install and Uninstall handlers declared as global. Install and Uninstall Handlers don't need to be global classes. 
+Using `global` for these handlers means global methods in these classes act as controllers and can be invoked by untrusted code outside the context of post-install/uninstall scenarios.
+Depending on the logic in these handlers, there could potentially unintended consequences. 
+For ex: Sometimes post install handlers are used to generate an encryption key to be stored in a protected custom settings object. But if the classes are global, then other untrusted code in the org can invoke the global method and the encryption key may be over-written.
+Or
+Helper classes for post-install handlers are recommended to be used "without sharing" - which is acceptable in the context of post-install exectution; but could lead to potential security concerns if "without sharing" classes are invoked by untrusted code.
+
+**Example(s):**
+
+   
+