As we all know, SonarQube is a great tool that helps us increase quality of our codebase. However, it does apply mainly to general Java issues. As we know, we can hurt ourselves much more doing AEM. Adobe Experience Manager is a comprehensive content management platform solution for building websites, mobile apps and forms. This tool is intended to find common bugs and bad smells specific for AEM development. Documentation of each rule is available from SonarQube interface after plugin installation.
Each release has its own prerequisites section, for more information please check releases page.
Custom Dockerfile
Following Dockerfile uses official Sonarqube 7.9 image and download AEM Rules 1.0-RC2 to plugin directory.
FROM sonarqube:7.9-community AS aemrulesqube79
RUN curl -Lk -o $SONARQUBE_HOME/extensions/plugins/aemrules-1.0-RC2.jar https://github.com/wttech/AEM-Rules-for-SonarQube/releases/download/v1.0-RC2/aemrules-1.0-RC2.jar
Community image
This is already prepared solution thanks to @ahmed-musallam.
docker run --rm -p 9000:9000 ahmedmusallam/sonarqube-aem:latest
This solution is for those who would like to start testing theirs code within aem rules and sonarqube. It contains SonarQube v 7.7, aem rules v 0.11 and predefined quality gates. If you would like to participate in our Aem Rules development, please refer to wiki page to get into.
Go to your SonarQube instance administration console and open Update Center. Find AEM Rules for SonarQube plugin and click install!
- Download
aemrules-x.y.jaror build AEM Rules for SonarQube plugin. - Paste it into
sonarqube/extensions/pluginsdirectory. - Restart SonarQube.
- Go to rules section and activate AEM rules in your profile.
Use of the plugin does not differ much from regular SonarQube analysis. However, as rules are often tied to a certain AEM version and its components (Felix, Sling), we've introduced the aemVersion analysis property.
Each rule defines supported AEM version or version range. Most of the rules are universal. By providing the AEM version parameter, you can instruct the Sonar Runner to only use only a subset of rules applicable to a particular AEM version. When the parameter is not provided then a default AEM version is used (currently 6.4)
When running analysis, pass sonarRunner.aemVersion property with your AEM version. The format is as follows:
sonarRunner.aemVersion=<MAJOR_VERSION>.<MINOR_VERSION>
Runing with Maven
mvn sonar:sonar -DsonarRunner.aemVersion=6.4
Runing with Gradle (See Gradle AEM Plugin)
gradlew sonarQube -DsonarRunner.aemVersion=6.4
Below you will find descriptions of all rules available in AEM Rules for SonarQube plugin.
-
AEM-1 Use predefined constant in annotation instead of hardcoded value.
- Use constants available in AEM instead of repeating inline literals.
-
AEM-2 Use predefined constant instead of hardcoded value.
- Use constants available in AEM instead of repeating inline literals.
-
AEM-5
getContentResource()is not null checked- Always null check the return value of
getContentResource(). It is possible to get a null if a jcr:content node does not exist in the repository.
- Always null check the return value of
-
AEM-8 Prefer cleaner
@SlingServletannotation.- Prefer cleaner
@SlingServletannotation over@Propertiesapproach. Do not mix up both approaches.
- Prefer cleaner
-
AEM-15 Usage of
synchronizedkeyword should be avoided if possible.- Usage of
synchronizedkeyword should be avoided if possible. Check if usingsynchronizedcan be replaced with more sophisticated solution.
- Usage of
-
AEM-17 No mutator methods invoked on
ModifiableValueMapModifiableValueMapshould be replaced byValueMapif no mutator methods are invoked.
-
AEM-19 Implicit search strategy used in Sling Query
SearchStrategycan have negative performance impact if mismatched. Therefore developer should always make informed decision and define strategy explicitly.
-
HTL-1 Wrong placement of the HTL Attribute.
- Always Place HTL Attributes After the Ones that are Part of the Markup.
-
HTL-2 HTL Templates should be placed in separate files.
- HTL Templates should be placed in separate files. This helps to understand which code is meant to render a component and which code is re-used as a template.
-
HTL-3 Use Explicit Names in Loops
- HTL provides implicit variables in
data-sly-listanddata-sly-repeatblocks. Try to avoid them and use explicit names clarifying the role of the objects instead.
- HTL provides implicit variables in
-
HTL-4 Name and re-use Repeating Conditions
- Consider caching data-sly-test conditions and reduce code duplication.
-
HTL-5 Usage of HTML comments should be avoided if possible
- If you want to place comments regarding your code, make sure they don't display to the end users.
-
HTL-6 HTL automatically recognises the context for HTML output
- HTL uses uri display context as default for src, poster, manifest, href, formaction, data, cite, action attributes
-
HTL-7 Style and script tags display context definition is mandatory
-
HTL-8 Event attribute attributes must have display context defined
-
HTL-9 Inline styles must have display context defined
-
HTL-10 Use sly tags over redundant markup.
- HTL attributes should be wrapped in sly tags to avoid superfluous markup.
-
HTL-11 Use existing HTML elements instead of adding extra sly tags.
- HTL attributes should be included in HTML markup without additional SLY tags.
-
HTL-12 Use the most restrictive HTL context possible.
- For data attributes HTL applies HTML escaping.
-
HTL-13 Avoid using 'unsafe' display context.
- 'unsafe' display context disables XSS protection completely.
-
HTL-14 HTL expressions in HTML comments should have defined context.
- HTML comments automatically implies 'comment' markup context.
-
HTL-15 Use Camel Case in identifiers:
- variable names
- template names
-
AEM-3 Non-thread safe object used as a field of Servlet / Filter etc.
- It is not safe to keep session based object as a field in
ServletorFilter. Rule checks for the occurrence of any instance or static fields of following types:org.apache.sling.api.resource.ResourceResolverjavax.jcr.Sessioncom.day.cq.wcm.api.PageManagercom.day.cq.wcm.api.components.ComponentManagercom.day.cq.wcm.api.designer.Designercom.day.cq.dam.api.AssetManagercom.day.cq.tagging.TagManagercom.day.cq.security.UserManagerorg.apache.jackrabbit.api.security.user.Authorizableorg.apache.jackrabbit.api.security.user.Userorg.apache.jackrabbit.api.security.user.UserManager
- It is not safe to keep session based object as a field in
-
AEM-6 ResourceResolver should be closed in finally block.
- According to its Javadoc, Resource Resolver has a life cycle which begins with the creation of the Resource Resolver using any of the factory methods and ends with calling the
closemethod. It is very important to call theclosemethod once the resource resolver is not used any more to ensure any system resources are properly clean up.
- According to its Javadoc, Resource Resolver has a life cycle which begins with the creation of the Resource Resolver using any of the factory methods and ends with calling the
-
AEM-7 Session should be logged out in finally block.
- Manually created
javax.jcr.Sessionshould be logged out after it is no longer needed. Thelogoutmethod releases all resources associated withSession.
- Manually created
-
AEM-11 Do not use deprecated administrative access methods
- Administrative access to the resource tree and JCR Repository by means of usage of
ResourceResolverFactory.getAdministrativeResourceResolverandSlingRepository.loginAdministrativehas been deprecated. UseResourceResolverFactory.getServiceResourceResolverorSlingRepository.loginServicerespectively.
- Administrative access to the resource tree and JCR Repository by means of usage of
Sling Models related
- AEM-16 Optional is defined as
DefaultInjectionStrategy- Usage of
@Optionalannotation is redundant, whendefaultInjectionStrategyisOPTIONAL.
- Usage of
Release notes for each version can be found in releases section.
Copyright 2015-2016 Wunderman Thompson Technology
Licensed under the Apache License, Version 2.0
Technical support can be made available if needed. Please contact us for more details.
We can:
- prioritize your feature request,
- tailor the product to your needs,
- provide a training for your engineers,
- support your development teams.
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent