[apex] AvoidHardcodingId false positives

[parksungrin]

Please, prefix the report title with the language it applies to within brackets, such as [java] or [apex]. If not specific to a language, you can use [core]

Rule Set:
6.0.0 Snapshoot
AvoidHardcodingId

Description:
15 digit number is indicated as Salesforce Id.

objAssetDevice.IMEI__c = '359040082913024';

Code Sample demonstrating the issue:
359040082913024 is not Salesforce Id but below code indicated as violation of AvoidHardcodingId
objAssetDevice.IMEI__c = '359040082913024';

Running PMD through: [CLI | Ant | Maven | Gradle | Designer | Other]
CLI

[rsoesemann]

@JAertgeerts didn't you add this rule. Can you make the regexp a bit smarter as describe here https://stackoverflow.com/questions/9742913/validating-a-salesforce-id?

[jsotuyod]

@up2go-rsoesemann @JAertgeerts @parksungrin the rule is implemented based on this description which is actually a little more strict on 15 chars ids.

The rule is flawed for ids longer than 15 (it would allow, 16 and 17 chars "ids", and the 18 char ones are not validated).

However, for this scenario of a 15 char string, it would still match. I don't think we can safely detect this as a FP and avoid it...

[rsoesemann]

The rule would need to incorporate also a checksum check as described here https://gist.github.com/jeriley/36b29f7c46527af4532aaf092c90dd56

A simple regex doesn't do the magic.

[jsotuyod]

@up2go-rsoesemann that checksum applies only to 18 digit ids. 15 digit ids would still be flagged as long as the sixth position is a 0.

[alan-morey]

While not a solution for the false positive scenario where a 15 digit string is considered a Salesforce ID, the current pattern could be made stricter.

pmd/pmd-apex/src/main/java/net/sourceforge/pmd/lang/apex/rule/errorprone/AvoidHardcodingIdRule.java

Line 13 in e7e5e13

private static final Pattern PATTERN = Pattern.compile("^[a-zA-Z0-9]{5}[0][a-zA-Z0-9]{9,12}$", Pattern.CASE_INSENSITIVE);

The following pattern:

• avoids matching 16 and 17 character Ids
• limits allowable characters for the last 3 characters (checksum) of an 18 character Id
  https://stackoverflow.com/a/29299786/264911

Pattern.compile("^[a-zA-Z0-9]{5}0[a-zA-Z0-9]{9}([a-zA-Z0-5]{3})?$");

Also is Pattern.CASE_INSENSITIVE flag redundant when the character classes are matching both upper and lower alpha?

[jsotuyod]

@alan-morey thanks, that's exactly what I was going after. The checksum check can be done too.

I'm flagging this for 6.1.0 release.

[adangel]

Note: only solution for the specific string is right now to suppress the rule, like that:

       @SuppressWarnings('PMD.AvoidHardcodingId')
        String IMEI__c = '359040082913024';