Salesforce Coding Best Practice rules



Quality Clouds Best Practices for Salesforce - Categories

In order to provide a comprehensive view of the overall quality of your Salesforce Org, Quality Clouds checks for Best Practices at three different levels:

  • Best Practices on individual elements: These are best practices which apply to a single configuration element, such as a Lightning Component, Apex Class, Apex Trigger, etc.
  • General Org configuration / customisation Best Practices: These are Best Practices which apply to the Org as a whole. For instance, having a high ratio of Custom Objects to Standard Objects is considered an over-customisation, and will be reported as an issue.
  • Code duplication: Every block of duplicated code also generates an issue. The severity of the issue depends on the total number of code lines which are repeated in the Org (size of repeated block x number of lines in the block x number of repetitions)

Best Practices on Individual Elements

The table below lists the Best Practices which Quality Clouds will check on individual code elements in a Salesforce Org, together with the element type to which each one applies. The severity and area of impact of the issues raised when a Best Practice is not followed are also shown in the table.


Best Practice Description | Configuration Element Type | Issue Severity | Issue Impact Area | Ruleset | Additional Reference
--- | --- | --- | --- | --- | ---
Apex unit tests should include at least one assertion. | Apex Class | HIGH | Manageability | PMD - APEX | PMD Rule Definition
Apex unit tests should not use @isTest(seeAllData=true) because it opens up the existing database data for unexpected modification by tests. | Apex Class | HIGH | Manageability | PMD - APEX | PMD Rule Definition
New objects created within loops should be checked to see if they can be created outside them and reused. | Apex Class | HIGH | Performance | PMD - APEX | PMD Rule Definition
Avoid DML statements inside loops to avoid hitting the DML governor limit. | Apex Class | HIGH | Performance | PMD - APEX | PMD Rule Definition
Detect classes declared without explicit sharing mode if DML methods are used. | Apex Class | HIGH | Security | PMD - APEX | PMD Rule Definition
Checks against redirects to user-controlled locations. This prevents attackers from redirecting users to phishing sites. | Apex Class | HIGH | Security | PMD - APEX | PMD Rule Definition
Checks against accessing endpoints under plain http. You should always use https for security. | Apex Class | HIGH | Security | PMD - APEX | PMD Rule Definition
Reports on calls to addError with disabled escaping. | Apex Class | HIGH | Security | PMD - APEX | PMD Rule Definition
The rule makes sure you are using randomly generated IVs and keys for Crypto calls. | Apex Class | HIGH | Security | PMD - APEX | PMD Rule Definition
Check to avoid making DML operations in Apex class constructor/init method. | Apex Class | HIGH | Security | PMD - APEX | PMD Rule Definition
Detects the usage of untrusted / unescaped variables in DML queries. | Apex Class | HIGH | Security | PMD - APEX | PMD Rule Definition
Checks against calling dangerous methods. | Apex Class | HIGH | Security | PMD - APEX | PMD Rule Definition
Detects hardcoded credentials used in requests to an endpoint. | Apex Class | HIGH | Security | PMD - APEX | PMD Rule Definition
Non-constructor methods should not have the same name as the enclosing class. | Apex Class | HIGH | Manageability | PMD - APEX | PMD Rule Definition
As triggers do not allow methods like regular classes, they are less flexible and less suited to applying good encapsulation style. | Apex Trigger | HIGH | Manageability | PMD - APEX | PMD Rule Definition
Global classes should be avoided (especially in managed packages) as they can never be deleted or changed in signature. | Apex Class | HIGH | Manageability | PMD - APEX | PMD Rule Definition
Avoid using the with statement. | Lightning | HIGH | Manageability | PMD - Javascript | PMD Rule Definition
Avoid accidentally global variables created by simply missing the var declaration. | Lightning | HIGH | Manageability | PMD - Javascript | PMD Rule Definition
In a for-in loop the variable name is not explicitly scoped to the enclosing scope with the var keyword. | Lightning | HIGH | Manageability | PMD - Javascript | PMD Rule Definition
Checks for usages of parseInt. | Lightning | HIGH | Manageability | PMD - Javascript | PMD Rule Definition
Improve code portability due to differences in browser treatment of trailing commas in object or array literals. | Lightning | HIGH | Manageability | PMD - Javascript | PMD Rule Definition
The numeric literal will have a different value at runtime, which can happen if you provide too much precision in a floating point number. | Lightning | HIGH | Manageability | PMD - Javascript | PMD Rule Definition
Possible extra-sensitive PII usage in configuration element - Gender | Apex Class | HIGH | Security | QualityClouds | GDPR
Possible extra-sensitive PII usage in configuration element - Gender | Apex Trigger | HIGH | Security | QualityClouds | GDPR
Possible extra-sensitive PII usage in configuration element - Gender | Custom Field | HIGH | Security | QualityClouds | GDPR
Possible extra-sensitive PII usage in configuration element - Religion | Apex Class | HIGH | Security | QualityClouds | GDPR
Possible extra-sensitive PII usage in configuration element - Religion | Apex Trigger | HIGH | Security | QualityClouds | GDPR
Possible extra-sensitive PII usage in configuration element - Religion | Custom Field | HIGH | Security | QualityClouds | GDPR
Component id must be unique. | Apex Page | HIGH | Scalability | QualityClouds | APEX Page and Component Best Practices
Increase the time interval for calling Apex. | Apex Page | HIGH | Performance | QualityClouds | APEX Page and Component Best Practices
Use the render attribute on Visualforce components to update the component without updating the entire page. | Apex Page | HIGH | Performance | QualityClouds | APEX Page and Component Best Practices
Whenever you can, choose the My... or My Team's... options rather than All in the "Show" filter. | Report | HIGH | Performance | QualityClouds | Report Performance Best Practices
Avoid using if statements without using braces to surround the code block. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Avoid using while statements without using braces to surround the code block. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Avoid using if..else statements without using surrounding braces. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Avoid using for statements without using surrounding braces. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Avoid creating deeply nested if-then statements since they are harder to read and error-prone to maintain. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Methods with numerous parameters are a challenge to maintain, especially if most of them share the same datatype. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Excessive class file lengths are usually indications that the class may be burdened with excessive responsibilities. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of lines of code for a given method. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of lines of code for a given type. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
This rule uses the NCSS (Non-Commenting Source Statements) algorithm to determine the number of lines of code for a given constructor. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Too much cyclomatic complexity. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Classes that have too many fields can become unwieldy and could be redesigned to have fewer fields. | Apex Class | MEDIUM | Scalability | PMD - APEX | PMD Rule Definition
Classes with large numbers of public methods and attributes require disproportionate testing efforts. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Method names should always begin with a lower case character, and should not contain underscores. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Class names should always begin with an upper case character. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
The rule validates you are checking for access permissions before a SOQL/SOSL/DML operation. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
It is essential to avoid hardcoding IDs. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Empty block statements serve no purpose and should be removed. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Checks for final variables that should be fully capitalized and non-final variables that should not include underscores. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Avoid directly accessing Trigger.old and Trigger.new as it can lead to a bug. | Apex Trigger | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Empty Catch Block finds instances where an exception is caught, but nothing is done. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Empty If Statement finds instances where a condition is checked but nothing is done about it. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Avoid empty try or finally blocks. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
SOSL calls within loops can cause governor limit exceptions. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Avoid empty while statements. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Complexity directly affects maintenance costs and is determined by the number of decision points in a method plus one for the method entry. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Makes sure that all values obtained from URL parameters are properly escaped / sanitized to avoid XSS attacks. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
The rule validates you are checking for access permissions before a SOQL/SOSL/DML operation. | Apex Trigger | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Too much cyclomatic complexity. | Apex Trigger | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Complexity directly affects maintenance costs and is determined by the number of decision points in a method plus one for the method entry. | Apex Trigger | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Variables should start with a lowercase character. | Apex Trigger | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Issue not identified | All | MEDIUM | Manageability | QualityClouds | 
When a function does use returns they should all have a value, or all have no value. | Lightning | MEDIUM | Manageability | PMD - Javascript | PMD Rule Definition
Avoid assignments in operands; this can make code more complicated and harder to read. | Lightning | MEDIUM | Manageability | PMD - Javascript | PMD Rule Definition
Avoid using for statements without using curly braces. | Lightning | MEDIUM | Manageability | PMD - Javascript | PMD Rule Definition
Avoid using if..else statements without using curly braces. | Lightning | MEDIUM | Manageability | PMD - Javascript | PMD Rule Definition
Avoid using if statements without using curly braces. | Lightning | MEDIUM | Manageability | PMD - Javascript | PMD Rule Definition
The else block in an if-else construct is unnecessary if the if block contains a return. Then the content of the else block can be put outside. | Lightning | MEDIUM | Manageability | PMD - Javascript | PMD Rule Definition
An unnecessary Block is present. | Lightning | MEDIUM | Manageability | PMD - Javascript | PMD Rule Definition
A return, break, continue, or throw statement should be the last in a block. | Lightning | MEDIUM | Manageability | PMD - Javascript | PMD Rule Definition
Avoid using while statements without using curly braces. | Lightning | MEDIUM | Manageability | PMD - Javascript | PMD Rule Definition
Using == in a condition may lead to unexpected results, as the variables are automatically cast to be of the same type. | Lightning | MEDIUM | Manageability | PMD - Javascript | PMD Rule Definition
Use only one <apex:form> tag on a page. | Apex Page | MEDIUM | Manageability | QualityClouds | APEX Page and Component Best Practices
Avoid using data grids. | Apex Page | MEDIUM | Performance | QualityClouds | APEX Page and Component Best Practices
Combine all CSS files into a single file. | Apex Page | MEDIUM | Performance | QualityClouds | APEX Page and Component Best Practices
Combine all JavaScript files into a single file. | Apex Page | MEDIUM | Performance | QualityClouds | APEX Page and Component Best Practices
Include JavaScript files using a standard HTML <script> tag right before your closing </apex:page> tag instead of using <apex:includeScript>. | Apex Page | MEDIUM | Manageability | QualityClouds | APEX Page and Component Best Practices
Include JavaScript files using a standard HTML <script> tag right before your closing </apex:page> tag instead of using <apex:includeScript>. | Apex Component | MEDIUM | Manageability | QualityClouds | APEX Page and Component Best Practices
Displaying the Content of a Static Resource | Apex Page | MEDIUM | Performance | QualityClouds | APEX Page and Component Best Practices
Unnecessary HTML increases the size of the component tree and the processing time for Ajax requests. | Apex Component | MEDIUM | Performance | QualityClouds | APEX Page and Component Best Practices
Unnecessary HTML increases the size of the component tree and the processing time for Ajax requests. | Apex Page | MEDIUM | Performance | QualityClouds | APEX Page and Component Best Practices
Reduce the number of records displayed on the page. | Apex Page | MEDIUM | Performance | QualityClouds | APEX Page and Component Best Practices
Use fewer images. | Apex Page | MEDIUM | Performance | QualityClouds | APEX Page and Component Best Practices
Use static resources to serve CSS files, as well as images, JavaScript, and other non-changing files. | Apex Page | MEDIUM | Performance | QualityClouds | APEX Page and Component Best Practices
Use static resources to serve images, as well as CSS, JavaScript, and other non-changing files. | Apex Page | MEDIUM | Performance | QualityClouds | APEX Page and Component Best Practices
Use a static resource to upload content so that it can be referenced in a Visualforce page. | Apex Page | MEDIUM | Manageability | QualityClouds | APEX Page and Component Best Practices
Use the equals or not equal to operators instead of contains or does not contain. | Report | MEDIUM | Performance | QualityClouds | Report Performance Best Practices
Choose AND rather than OR for filter logic. | Report | MEDIUM | Performance | QualityClouds | Report Performance Best Practices
Always use the starting and ending date values to limit the report scope. | Report | MEDIUM | Performance | QualityClouds | Report Performance Best Practices
Try using relative date values such as THIS WEEK, NEXT MONTH, or TOMORROW. | Report | MEDIUM | Performance | QualityClouds | Report Performance Best Practices
Select Hide Details in Advanced Filters if you only need a summary of the data and want to reduce loading time. | Report | MEDIUM | Performance | QualityClouds | Report Performance Best Practices
Unnecessary parentheses should be removed. | Lightning | LOW | Manageability | PMD - Javascript | PMD Rule Definition
Create a custom component to show and hide data. | Apex Page | LOW | Performance | QualityClouds | APEX Page and Component Best Practices
Page names should always begin with an upper case character. | Apex Page | LOW | Manageability | QualityClouds | APEX Page and Component Best Practices
Possible PII usage in configuration element - Email | Apex Class | WARNING | Security | QualityClouds | GDPR
Possible PII usage in configuration element - Email | Apex Trigger | WARNING | Security | QualityClouds | GDPR
Possible PII usage in configuration element - Email | Custom Field | WARNING | Security | QualityClouds | GDPR
Possible PII usage in configuration element - Passport | Apex Class | WARNING | Security | QualityClouds | GDPR
Possible PII usage in configuration element - Passport | Apex Trigger | WARNING | Security | QualityClouds | GDPR
Possible PII usage in configuration element - Passport | Custom Field | WARNING | Security | QualityClouds | GDPR
Possible PII usage in configuration element - Nationality | Apex Class | WARNING | Security | QualityClouds | GDPR
Possible PII usage in configuration element - Nationality | Apex Trigger | WARNING | Security | QualityClouds | GDPR
Possible PII usage in configuration element - Nationality | Custom Field | WARNING | Security | QualityClouds | GDPR
Possible PII usage in configuration element - Address | Apex Class | WARNING | Security | QualityClouds | GDPR
Possible PII usage in configuration element - Address | Apex Trigger | WARNING | Security | QualityClouds | GDPR
Possible PII usage in configuration element - Address | Custom Field | WARNING | Security | QualityClouds | GDPR
Reduce the number of fields in the report by removing unnecessary columns or fields. | Report | WARNING | Performance | QualityClouds | Report Performance Best Practices
Avoid declaring several variables of the same type on one line. | Apex Class | HIGH | Manageability | PMD - APEX | PMD Rule Definition
ApexDoc comments are present for classes, methods, and properties that are public or global, excluding overrides and test classes. | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition
Missing ApexDoc @description | Apex Class | MEDIUM | Manageability | PMD - APEX | PMD Rule Definition




Org Customisation Best Practices


The table below lists the overall Org customisation Best Practices which Quality Clouds will check on a Salesforce Org. The severity and area of impact of the issues raised when a Best Practice is not followed are also shown in the table. Some of the issues have a varying Severity depending on the amount of customisation detected.



Best Practice Description | Severity | Impact Area | Ruleset | Additional Reference
--- | --- | --- | --- | ---
Ratio of Custom Objects to Standard Objects. | HIGH (if ratio is over 30%); MEDIUM (if ratio is between 20% and 30%); LOW (if ratio is between 10% and 20%) | MANAGEABILITY | QualityClouds | Org Configuration and Customisation Best Practices
Too many Apex Classes (over 50 - does not include Test Classes or Downloaded Apps) | MEDIUM | MANAGEABILITY | QualityClouds | Org Configuration and Customisation Best Practices
Too many Roles (over 20) | MEDIUM | MANAGEABILITY | QualityClouds | Org Configuration and Customisation Best Practices
Too many branches on Role Hierarchy | MEDIUM | MANAGEABILITY | QualityClouds | Org Configuration and Customisation Best Practices
Too many Custom Reports over used objects | MEDIUM | MANAGEABILITY | QualityClouds | Org Configuration and Customisation Best Practices
Too many Dashboards over used objects | MEDIUM | MANAGEABILITY | QualityClouds | Org Configuration and Customisation Best Practices
Too many Profiles and Permission Sets | MEDIUM | MANAGEABILITY | QualityClouds | Org Configuration and Customisation Best Practices
Too many Apex Triggers per Object used | MEDIUM | MANAGEABILITY | QualityClouds | Org Configuration and Customisation Best Practices
Too many Reports and Dashboards without folder assigned | MEDIUM | MANAGEABILITY | QualityClouds | Org Configuration and Customisation Best Practices
The percentage of asynchronous classes is too high | LOW | MANAGEABILITY | QualityClouds | Org Configuration and Customisation Best Practices
The instance has more than 5,000 lines of APEX code | WARNING | MANAGEABILITY | QualityClouds | Org Configuration and Customisation Best Practices
Coverage of Unit Tests is less than 75% | WARNING | MANAGEABILITY | QualityClouds | Org Configuration and Customisation Best Practices
Cross-Site Request Forgery (CSRF) protection on GET requests on non-setup pages is disabled | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Cross-Site Request Forgery (CSRF) protection on POST requests on non-setup pages is disabled | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Clickjack protection for non-setup Salesforce pages is disabled | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Clickjack protection for customer Visualforce pages with standard headers turned on is disabled | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Clickjack protection for customer Visualforce pages with standard headers turned off is disabled | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Clickjack protection for setup pages is disabled | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
The browser is not prevented from inferring the MIME type from the document content and from executing malicious files | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Cross-domain session information is exchanged using a GET request instead of a POST request | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Protection against reflected cross-site scripting attacks is disabled | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
The IP addresses in Login IP Ranges are enforced only when a user logs in | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
There is no session timeout for inactive users | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Visualforce, Salesforce sites, or Communities must use HTTPS | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Prevent unauthorised use of session ID | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
HTTPS is not required to log in to or access Salesforce | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Inactivity Time Warning | WARNING | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Session Policy - Enable Content Security Policy | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
There are free entry Custom Fields with no data restriction | MEDIUM | MANAGEABILITY | QualityClouds | Org Configuration and Customisation Best Practices
Convert Attachments to Files | MEDIUM | MANAGEABILITY | QualityClouds | Org Configuration and Customisation Best Practices
Password Policy Complexity is too weak | HIGH | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Password Policy Expiration is too weak | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Password Policy Repetition is too weak | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Password Policy Max Login Attempts too wide | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Password Policy Minimum Password Length too weak | HIGH | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Password Policy: Obfuscate the Secret Answer | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
Password Policy Password Hint contains password | MEDIUM | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices
The trusted IP range is too wide | WARNING | SECURITY | QualityClouds | Org Configuration and Customisation Best Practices

Code Duplication

Code duplication issues are raised whenever duplicated code is detected across Apex Classes and Apex Triggers. The severity of the issue depends on the total number of duplicated lines of code.


Best Practice Description | Configuration Element Type | Issue Severity | Issue Impact Area | Ruleset
--- | --- | --- | --- | ---
Code Duplication | Apex Class | HIGH (if total number of duplicated lines is over 1000); MEDIUM (if total number of duplicated lines is between 100 and 1000); LOW (if total number of duplicated lines is between 10 and 100) | MANAGEABILITY | QualityClouds
Code Duplication | Apex Trigger | HIGH (if total number of duplicated lines is over 1000); MEDIUM (if total number of duplicated lines is between 100 and 1000); LOW (if total number of duplicated lines is between 10 and 100) | MANAGEABILITY | QualityClouds

