v3.0.2

Release notes

• major fix : support for SonarQube 9.7 and later (issue #15 )

You can test the result with the MyAwfulProxy.zip or MyAwfulSharedFlow.zip (after expanding it)

Implemented Rules

The rule IDs come from the apigeecs/bundle-linter.
Other rules start from "500" to not interfer with the first rules. Example : PD500.

Legend :

✔️ : implemented

✖️ : not yet implemented

⭕ : won't be implemented. See details in Description column

Bundle level

Status	Rule ID	Severity	Name	Description
✖️	BN001		Bundle folder structure correctness.	Bundles have a clear structure.
✖️	BN002		Extraneous files.	Ensure each folder contains approrpriate resources in the bundle.
✔️	BN003	Major	Cache Coherence	A bundle that includes cache reads should include cache writes with the same keys.
✖️	BN004		Unused variables.	Within a bundle variables created should be used in conditions, resource callouts, or policies.
✔️	BN005	Minor	Unattached policies.	Unattached policies are dead code and should be removed from production bundles.
✔️	BN006	Major	Bundle size - policies.	Large bundles are a symptom of poor design. A high number of policies is predictive of an oversized bundle. The threshold is defined in the Quality Profile. Default value is 20.
✔️	BN007	Major	Bundle size - resource callouts.	Large bundles are a symptom of poor design. A high number of resource callouts is indicative of underutilizing out of the box Apigee policies. The threshold is defined in the Quality Profile. Default value is 20.
✔️	BN008	Major	IgnoreUnresolvedVariables and FaultRules	Use of IgnoreUnresolvedVariables without the use of FaultRules may lead to unexpected errors.
✔️	BN009	Major	Statistics Collector - duplicate policies	Warn on duplicate policies when no conditions are present or conditions are duplicates.
✔️	BN500	Info	Description length	A Description tag should have more than N chars to be useful. "N" can be modified in the Quality Profile. The default value is 5.
✔️	BN501	Blocker	Description pattern	The Description of the APIProxy must be compliant with a pattern defined in the Quality Profile. For example : .*\(code=([A-Z0-9]{4})\).*. The default pattern is  .*
✔️	BN502	Minor	Unattached resources.	Unattached resources are dead code and should be removed from production bundles. This rule only checks XSL, XSD and WSDL resources. Don't forget to add .wsdl as suffix to be analyzed in the XMLPlugin administration.

Proxy Definition level

Status	Rule ID	Severity	Name	Description
✔️	PD001	Blocker	RouteRules to Targets	RouteRules should map to defined Targets
✔️	PD002	Blocker	Unreachable Route Rules - defaults	Only one RouteRule should be present without a condition
✔️	PD003	Blocker	Unreachable Route Rules	RouteRule without a condition should be last.
✔️	PD501	Major	Too much proxy endpoints	Discourage the declaration of multiple proxy endpoints in a same proxy. The threshold is defined in the Quality Profile. Default value is 2.

Target Definition level

Status	Rule ID	Severity	Name	Description
✔️	TD001	Major	Mgmt Server as Target	Discourage calls to the Management Server from a Proxy via target.
✔️	TD002	Major	Use Target Servers	Encourage the use of target servers
✔️	TD501	Major	Too much Target Endpoints	Discourage the use of numerous target endpoints. The threshold is defined in the Quality Profile. Default value is 5.

Flow level

Status	Rule ID	Severity	Name	Description
✔️	FL001	Blocker	Unconditional Flows	Only one unconditional flow will get executed. Error if more than one was detected.
✔️	FL500	Critical	Default flow	A default flow must be defined to catch all requests on undefined resources.
✔️	FL501	Blocker	Unreachable flow	Flow without a condition must be last.

Step level

Status	Rule ID	Severity	Name	Description
✔️	ST001	Minor	Empty Step	Empty steps clutter the bundle. (Should never happen, Apigee already blocks this error form occuring.)

Policy level

Status	Rule ID	Severity	Name	Description
✔️	PO001	Major	JSON Threat Protection	A check for a body element should be performed before policy execution.
✔️	PO002	Major	XML Threat Protection	A check for a body element should be performed before policy execution.
✔️	PO003	Major	Extract Variables with JSONPayload	A check for a body element should be performed before policy execution.
✔️	PO004	Major	Extract Variables with XMLPayload	A check for a body element should be performed before policy execution.
✔️	PO005	Major	Extract Variables with FormParam	A check for a body element should be performed before policy execution.
✖️	PO006		Policy Naming Conventions - default name	Policy names should not be default.
✔️	PO007	Minor	Policy Naming Conventions - type indication	It is recommended that the policy name include an indicator of the policy type.
✔️	PO008	Minor	Policy Name Attribute Conventions	It is recommended that the policy name attribute match the display name of the policy.
✔️	PO009	Major	Service Callout Target - Mgmt Server	Targeting management server may result in higher than expected latency use with caution.
✖️	PO010		Service Callout Target - Target Server	Encourage use of target servers.
✖️	PO011		Service Callout Target - Dynamic URLs	Error on dynamic URLs in target server URL tag.
⭕	PO012		Service Callout Target - Script Target Node	JSHint, ESLint. This Sonarqube plugin is not a linter.
⭕	PO013		Resource Call Out - Javascript	Analyzed by sonar-javascript-plugin.
⭕	PO014		Resource Call Out - Java	Analyzed by sonar-java-plugin.
⭕	PO015		Resource Call Out - Python	Analyzed by sonar-python-plugin.
✖️	PO016		Statistics Collector - duplicate variables	Warn on duplicate variables.
✖️	PO017		Misconfigured - FaultRules/Fault Rule in Policy	FaultRules are configured in ProxyEndpoints and TargetEndpoints.
✔️	PO018	Major	Regex Lookahead/Lookbehind are Expensive - Threat Protection Policy	Regular expressions that include lookahead or lookbehind perform slowly on large payloads and are typically not required.
✔️	PO019	Major	Reserved words as variables - ServiceCallout Request	Using "request" as the name of a Request may cause unexpected side effects.
✔️	PO020	Major	Reserved words as variables - ServiceCallout Response	Using "response" as the name of a Response may cause unexpected side effects.
✖️	PO021		Statistics Collector - reserved variables	Warn on insertion of duplicate variables.
✔️	PO022	Major	Nondistributed Quota	When using nondistributed quota the number of allowed calls is influenced by the number of Message Processors (MPs) deployed. This may lead to higher than expected transactions for a given quota as MPs now autoscale.
✔️	PO023	Major	Quota Policy Reuse	When the same Quota policy is used more than once you must ensure that the conditions of execution are mutually exclusive or that you intend for a call to count more than once per message processed.
✔️	PO024	Major	Cache Error Responses	By default the ResponseCache policy will cache non 200 responses. Either create a condition or use policy configuration options to exclude non 200 responses.
✔️	PO500	Major	Avoid Python language	Python scripts can introduce performance bottlenecks for simple executions, as it is interpreted at runtime.

FaultRules level

Status	Rule ID	Severity	Name	Description
✔️	FR001	Major	No Condition on FaultRule	It's not a best practice to have a FaultRule without an outer condition, which automatically makes the FaultRule true.
✔️	FR501	Major	FaultRules or DefaultFaultRule must be used	It's needed to prevent default error messages from the backend or from Apigee to be forwarded outside.
✔️	FR502	Critical	DefaultFaultRule defined and FaultRule without condition	A DefaultFaultRule is defined whereas a FaultRule without condition exists. Consider removing the FaultRule without condition.

Conditional level

Status	Rule ID	Severity	Name	Description
:heavy_multiplicat...

v3.0.1

Release notes

• major fix : support for SonarQube 8.8 and later (issue #11 )
• minor fix : issue #9

You can test the result with the MyAwfulProxy.zip or MyAwfulSharedFlow.zip (after expanding it)

Implemented Rules

The rule IDs come from the apigeecs/bundle-linter.
Other rules start from "500" to not interfer with the first rules. Example : PD500.

Legend :

✔️ : implemented

✖️ : not yet implemented

⭕ : won't be implemented. See details in Description column

Bundle level

Status	Rule ID	Severity	Name	Description
✖️	BN001		Bundle folder structure correctness.	Bundles have a clear structure.
✖️	BN002		Extraneous files.	Ensure each folder contains approrpriate resources in the bundle.
✔️	BN003	Major	Cache Coherence	A bundle that includes cache reads should include cache writes with the same keys.
✖️	BN004		Unused variables.	Within a bundle variables created should be used in conditions, resource callouts, or policies.
✔️	BN005	Minor	Unattached policies.	Unattached policies are dead code and should be removed from production bundles.
✔️	BN006	Major	Bundle size - policies.	Large bundles are a symptom of poor design. A high number of policies is predictive of an oversized bundle. The threshold is defined in the Quality Profile. Default value is 20.
✔️	BN007	Major	Bundle size - resource callouts.	Large bundles are a symptom of poor design. A high number of resource callouts is indicative of underutilizing out of the box Apigee policies. The threshold is defined in the Quality Profile. Default value is 20.
✔️	BN008	Major	IgnoreUnresolvedVariables and FaultRules	Use of IgnoreUnresolvedVariables without the use of FaultRules may lead to unexpected errors.
✔️	BN009	Major	Statistics Collector - duplicate policies	Warn on duplicate policies when no conditions are present or conditions are duplicates.
✔️	BN500	Info	Description length	A Description tag should have more than N chars to be useful. "N" can be modified in the Quality Profile. The default value is 5.
✔️	BN501	Blocker	Description pattern	The Description of the APIProxy must be compliant with a pattern defined in the Quality Profile. For example : .*\(code=([A-Z0-9]{4})\).*. The default pattern is  .*
✔️	BN502	Minor	Unattached resources.	Unattached resources are dead code and should be removed from production bundles. This rule only checks XSL, XSD and WSDL resources. Don't forget to add .wsdl as suffix to be analyzed in the XMLPlugin administration.

Proxy Definition level

Status	Rule ID	Severity	Name	Description
✔️	PD001	Blocker	RouteRules to Targets	RouteRules should map to defined Targets
✔️	PD002	Blocker	Unreachable Route Rules - defaults	Only one RouteRule should be present without a condition
✔️	PD003	Blocker	Unreachable Route Rules	RouteRule without a condition should be last.
✔️	PD501	Major	Too much proxy endpoints	Discourage the declaration of multiple proxy endpoints in a same proxy. The threshold is defined in the Quality Profile. Default value is 2.

Target Definition level

Status	Rule ID	Severity	Name	Description
✔️	TD001	Major	Mgmt Server as Target	Discourage calls to the Management Server from a Proxy via target.
✔️	TD002	Major	Use Target Servers	Encourage the use of target servers
✔️	TD501	Major	Too much Target Endpoints	Discourage the use of numerous target endpoints. The threshold is defined in the Quality Profile. Default value is 5.

Flow level

Status	Rule ID	Severity	Name	Description
✔️	FL001	Blocker	Unconditional Flows	Only one unconditional flow will get executed. Error if more than one was detected.
✔️	FL500	Critical	Default flow	A default flow must be defined to catch all requests on undefined resources.
✔️	FL501	Blocker	Unreachable flow	Flow without a condition must be last.

Step level

Status	Rule ID	Severity	Name	Description
✔️	ST001	Minor	Empty Step	Empty steps clutter the bundle. (Should never happen, Apigee already blocks this error form occuring.)

Policy level

Status	Rule ID	Severity	Name	Description
✔️	PO001	Major	JSON Threat Protection	A check for a body element should be performed before policy execution.
✔️	PO002	Major	XML Threat Protection	A check for a body element should be performed before policy execution.
✔️	PO003	Major	Extract Variables with JSONPayload	A check for a body element should be performed before policy execution.
✔️	PO004	Major	Extract Variables with XMLPayload	A check for a body element should be performed before policy execution.
✔️	PO005	Major	Extract Variables with FormParam	A check for a body element should be performed before policy execution.
✖️	PO006		Policy Naming Conventions - default name	Policy names should not be default.
✔️	PO007	Minor	Policy Naming Conventions - type indication	It is recommended that the policy name include an indicator of the policy type.
✔️	PO008	Minor	Policy Name Attribute Conventions	It is recommended that the policy name attribute match the display name of the policy.
✔️	PO009	Major	Service Callout Target - Mgmt Server	Targeting management server may result in higher than expected latency use with caution.
✖️	PO010		Service Callout Target - Target Server	Encourage use of target servers.
✖️	PO011		Service Callout Target - Dynamic URLs	Error on dynamic URLs in target server URL tag.
⭕	PO012		Service Callout Target - Script Target Node	JSHint, ESLint. This Sonarqube plugin is not a linter.
⭕	PO013		Resource Call Out - Javascript	Analyzed by sonar-javascript-plugin.
⭕	PO014		Resource Call Out - Java	Analyzed by sonar-java-plugin.
⭕	PO015		Resource Call Out - Python	Analyzed by sonar-python-plugin.
✖️	PO016		Statistics Collector - duplicate variables	Warn on duplicate variables.
✖️	PO017		Misconfigured - FaultRules/Fault Rule in Policy	FaultRules are configured in ProxyEndpoints and TargetEndpoints.
✔️	PO018	Major	Regex Lookahead/Lookbehind are Expensive - Threat Protection Policy	Regular expressions that include lookahead or lookbehind perform slowly on large payloads and are typically not required.
✔️	PO019	Major	Reserved words as variables - ServiceCallout Request	Using "request" as the name of a Request may cause unexpected side effects.
✔️	PO020	Major	Reserved words as variables - ServiceCallout Response	Using "response" as the name of a Response may cause unexpected side effects.
✖️	PO021		Statistics Collector - reserved variables	Warn on insertion of duplicate variables.
✔️	PO022	Major	Nondistributed Quota	When using nondistributed quota the number of allowed calls is influenced by the number of Message Processors (MPs) deployed. This may lead to higher than expected transactions for a given quota as MPs now autoscale.
✔️	PO023	Major	Quota Policy Reuse	When the same Quota policy is used more than once you must ensure that the conditions of execution are mutually exclusive or that you intend for a call to count more than once per message processed.
✔️	PO024	Major	Cache Error Responses	By default the ResponseCache policy will cache non 200 responses. Either create a condition or use policy configuration options to exclude non 200 responses.
✔️	PO500	Major	Avoid Python language	Python scripts can introduce performance bottlenecks for simple executions, as it is interpreted at runtime.

FaultRules level

Status	Rule ID	Severity	Name	Description
✔️	FR001	Major	No Condition on FaultRule	It's not a best practice to have a FaultRule without an outer condition, which automatically makes the FaultRule true.
✔️	FR501	Major	FaultRules or DefaultFaultRule must be used	It's needed to prevent default error messages from the backend or from Apigee to be forwarded outside.
✔️	FR502	Critical	DefaultFaultRule defined and FaultRule without condition	A DefaultFaultRule is defined whereas a FaultRule without condition exists. Consider removing the FaultRule without condition.

Conditional level

| Status | Rule ID | Severity | Name | Description |
|:------:| ---- | -------- | ---- | ---------...

v3.0.0

Release notes

• major fix : support for SonarQube 8.8 and later (issue #11 )
• minor fix : issue #9

You can test the result with the MyAwfulProxy.zip or MyAwfulSharedFlow.zip (after expanding it)

Implemented Rules

The rule IDs come from the apigeecs/bundle-linter.
Other rules start from "500" to not interfer with the first rules. Example : PD500.

Legend :

✔️ : implemented

✖️ : not yet implemented

⭕ : won't be implemented. See details in Description column

Bundle level

Status	Rule ID	Severity	Name	Description
✖️	BN001		Bundle folder structure correctness.	Bundles have a clear structure.
✖️	BN002		Extraneous files.	Ensure each folder contains approrpriate resources in the bundle.
✔️	BN003	Major	Cache Coherence	A bundle that includes cache reads should include cache writes with the same keys.
✖️	BN004		Unused variables.	Within a bundle variables created should be used in conditions, resource callouts, or policies.
✔️	BN005	Minor	Unattached policies.	Unattached policies are dead code and should be removed from production bundles.
✔️	BN006	Major	Bundle size - policies.	Large bundles are a symptom of poor design. A high number of policies is predictive of an oversized bundle. The threshold is defined in the Quality Profile. Default value is 20.
✔️	BN007	Major	Bundle size - resource callouts.	Large bundles are a symptom of poor design. A high number of resource callouts is indicative of underutilizing out of the box Apigee policies. The threshold is defined in the Quality Profile. Default value is 20.
✔️	BN008	Major	IgnoreUnresolvedVariables and FaultRules	Use of IgnoreUnresolvedVariables without the use of FaultRules may lead to unexpected errors.
✔️	BN009	Major	Statistics Collector - duplicate policies	Warn on duplicate policies when no conditions are present or conditions are duplicates.
✔️	BN500	Info	Description length	A Description tag should have more than N chars to be useful. "N" can be modified in the Quality Profile. The default value is 5.
✔️	BN501	Blocker	Description pattern	The Description of the APIProxy must be compliant with a pattern defined in the Quality Profile. For example : .*\(code=([A-Z0-9]{4})\).*. The default pattern is  .*
✔️	BN502	Minor	Unattached resources.	Unattached resources are dead code and should be removed from production bundles. This rule only checks XSL, XSD and WSDL resources. Don't forget to add .wsdl as suffix to be analyzed in the XMLPlugin administration.

Proxy Definition level

Status	Rule ID	Severity	Name	Description
✔️	PD001	Blocker	RouteRules to Targets	RouteRules should map to defined Targets
✔️	PD002	Blocker	Unreachable Route Rules - defaults	Only one RouteRule should be present without a condition
✔️	PD003	Blocker	Unreachable Route Rules	RouteRule without a condition should be last.
✔️	PD501	Major	Too much proxy endpoints	Discourage the declaration of multiple proxy endpoints in a same proxy. The threshold is defined in the Quality Profile. Default value is 2.

Target Definition level

Status	Rule ID	Severity	Name	Description
✔️	TD001	Major	Mgmt Server as Target	Discourage calls to the Management Server from a Proxy via target.
✔️	TD002	Major	Use Target Servers	Encourage the use of target servers
✔️	TD501	Major	Too much Target Endpoints	Discourage the use of numerous target endpoints. The threshold is defined in the Quality Profile. Default value is 5.

Flow level

Status	Rule ID	Severity	Name	Description
✔️	FL001	Blocker	Unconditional Flows	Only one unconditional flow will get executed. Error if more than one was detected.
✔️	FL500	Critical	Default flow	A default flow must be defined to catch all requests on undefined resources.
✔️	FL501	Blocker	Unreachable flow	Flow without a condition must be last.

Step level

Status	Rule ID	Severity	Name	Description
✔️	ST001	Minor	Empty Step	Empty steps clutter the bundle. (Should never happen, Apigee already blocks this error form occuring.)

Policy level

Status	Rule ID	Severity	Name	Description
✔️	PO001	Major	JSON Threat Protection	A check for a body element should be performed before policy execution.
✔️	PO002	Major	XML Threat Protection	A check for a body element should be performed before policy execution.
✔️	PO003	Major	Extract Variables with JSONPayload	A check for a body element should be performed before policy execution.
✔️	PO004	Major	Extract Variables with XMLPayload	A check for a body element should be performed before policy execution.
✔️	PO005	Major	Extract Variables with FormParam	A check for a body element should be performed before policy execution.
✖️	PO006		Policy Naming Conventions - default name	Policy names should not be default.
✔️	PO007	Minor	Policy Naming Conventions - type indication	It is recommended that the policy name include an indicator of the policy type.
✔️	PO008	Minor	Policy Name Attribute Conventions	It is recommended that the policy name attribute match the display name of the policy.
✔️	PO009	Major	Service Callout Target - Mgmt Server	Targeting management server may result in higher than expected latency use with caution.
✖️	PO010		Service Callout Target - Target Server	Encourage use of target servers.
✖️	PO011		Service Callout Target - Dynamic URLs	Error on dynamic URLs in target server URL tag.
⭕	PO012		Service Callout Target - Script Target Node	JSHint, ESLint. This Sonarqube plugin is not a linter.
⭕	PO013		Resource Call Out - Javascript	Analyzed by sonar-javascript-plugin.
⭕	PO014		Resource Call Out - Java	Analyzed by sonar-java-plugin.
⭕	PO015		Resource Call Out - Python	Analyzed by sonar-python-plugin.
✖️	PO016		Statistics Collector - duplicate variables	Warn on duplicate variables.
✖️	PO017		Misconfigured - FaultRules/Fault Rule in Policy	FaultRules are configured in ProxyEndpoints and TargetEndpoints.
✔️	PO018	Major	Regex Lookahead/Lookbehind are Expensive - Threat Protection Policy	Regular expressions that include lookahead or lookbehind perform slowly on large payloads and are typically not required.
✔️	PO019	Major	Reserved words as variables - ServiceCallout Request	Using "request" as the name of a Request may cause unexpected side effects.
✔️	PO020	Major	Reserved words as variables - ServiceCallout Response	Using "response" as the name of a Response may cause unexpected side effects.
✖️	PO021		Statistics Collector - reserved variables	Warn on insertion of duplicate variables.
✔️	PO022	Major	Nondistributed Quota	When using nondistributed quota the number of allowed calls is influenced by the number of Message Processors (MPs) deployed. This may lead to higher than expected transactions for a given quota as MPs now autoscale.
✔️	PO023	Major	Quota Policy Reuse	When the same Quota policy is used more than once you must ensure that the conditions of execution are mutually exclusive or that you intend for a call to count more than once per message processed.
✔️	PO024	Major	Cache Error Responses	By default the ResponseCache policy will cache non 200 responses. Either create a condition or use policy configuration options to exclude non 200 responses.
✔️	PO500	Major	Avoid Python language	Python scripts can introduce performance bottlenecks for simple executions, as it is interpreted at runtime.

FaultRules level

Status	Rule ID	Severity	Name	Description
✔️	FR001	Major	No Condition on FaultRule	It's not a best practice to have a FaultRule without an outer condition, which automatically makes the FaultRule true.
✔️	FR501	Major	FaultRules or DefaultFaultRule must be used	It's needed to prevent default error messages from the backend or from Apigee to be forwarded outside.
✔️	FR502	Critical	DefaultFaultRule defined and FaultRule without condition	A DefaultFaultRule is defined whereas a FaultRule without condition exists. Consider removing the FaultRule without condition.

Conditional level

| Status | Rule ID | Severity | Name | Description |
|:------:| ---- | -------- | ---- | ---------...

v2.1.1

Minor fixes

• issue #9
• dependabot alert

v2.1.0

This release comes with :

• support for SharedFlow
• new rules implementated : BN006, BN007, BN008, BN009, PO022, PO023, PO024.
• minor fixes (issue #4 )

You can test the result with the MyAwfulProxy.zip or MyAwfulSharedFlow.zip (after expanding it)

Implemented Rules

The rule IDs come from the apigeecs/bundle-linter.
Other rules start from "500" to not interfer with the first rules. Example : PD500.

Legend :

✔️ : implemented

✖️ : not yet implemented

⭕ : won't be implemented. See details in Description column

Bundle level

Status	Rule ID	Severity	Name	Description
✖️	BN001		Bundle folder structure correctness.	Bundles have a clear structure.
✖️	BN002		Extraneous files.	Ensure each folder contains approrpriate resources in the bundle.
✔️	BN003	Major	Cache Coherence	A bundle that includes cache reads should include cache writes with the same keys.
✖️	BN004		Unused variables.	Within a bundle variables created should be used in conditions, resource callouts, or policies.
✔️	BN005	Minor	Unattached policies.	Unattached policies are dead code and should be removed from production bundles.
✔️	BN006	Major	Bundle size - policies.	Large bundles are a symptom of poor design. A high number of policies is predictive of an oversized bundle. The threshold is defined in the Quality Profile. Default value is 20.
✔️	BN007	Major	Bundle size - resource callouts.	Large bundles are a symptom of poor design. A high number of resource callouts is indicative of underutilizing out of the box Apigee policies. The threshold is defined in the Quality Profile. Default value is 20.
✔️	BN008	Major	IgnoreUnresolvedVariables and FaultRules	Use of IgnoreUnresolvedVariables without the use of FaultRules may lead to unexpected errors.
✔️	BN009	Major	Statistics Collector - duplicate policies	Warn on duplicate policies when no conditions are present or conditions are duplicates.
✔️	BN500	Info	Description length	A Description tag should have more than N chars to be useful. "N" can be modified in the Quality Profile. The default value is 5.
✔️	BN501	Blocker	Description pattern	The Description of the APIProxy must be compliant with a pattern defined in the Quality Profile. For example : .*\(code=([A-Z0-9]{4})\).*. The default pattern is  .*
✔️	BN502	Minor	Unattached resources.	Unattached resources are dead code and should be removed from production bundles. This rule only checks XSL, XSD and WSDL resources. Don't forget to add .wsdl as suffix to be analyzed in the XMLPlugin administration.

Proxy Definition level

Status	Rule ID	Severity	Name	Description
✔️	PD001	Blocker	RouteRules to Targets	RouteRules should map to defined Targets
✔️	PD002	Blocker	Unreachable Route Rules - defaults	Only one RouteRule should be present without a condition
✔️	PD003	Blocker	Unreachable Route Rules	RouteRule without a condition should be last.
✔️	PD501	Major	Too much proxy endpoints	Discourage the declaration of multiple proxy endpoints in a same proxy. The threshold is defined in the Quality Profile. Default value is 2.

Target Definition level

Status	Rule ID	Severity	Name	Description
✔️	TD001	Major	Mgmt Server as Target	Discourage calls to the Management Server from a Proxy via target.
✔️	TD002	Major	Use Target Servers	Encourage the use of target servers
✔️	TD501	Major	Too much Target Endpoints	Discourage the use of numerous target endpoints. The threshold is defined in the Quality Profile. Default value is 5.

Flow level

Status	Rule ID	Severity	Name	Description
✔️	FL001	Blocker	Unconditional Flows	Only one unconditional flow will get executed. Error if more than one was detected.
✔️	FL500	Critical	Default flow	A default flow must be defined to catch all requests on undefined resources.
✔️	FL501	Blocker	Unreachable flow	Flow without a condition must be last.

Step level

Status	Rule ID	Severity	Name	Description
✔️	ST001	Minor	Empty Step	Empty steps clutter the bundle. (Should never happen, Apigee already blocks this error form occuring.)

Policy level

Status	Rule ID	Severity	Name	Description
✔️	PO001	Major	JSON Threat Protection	A check for a body element should be performed before policy execution.
✔️	PO002	Major	XML Threat Protection	A check for a body element should be performed before policy execution.
✔️	PO003	Major	Extract Variables with JSONPayload	A check for a body element should be performed before policy execution.
✔️	PO004	Major	Extract Variables with XMLPayload	A check for a body element should be performed before policy execution.
✔️	PO005	Major	Extract Variables with FormParam	A check for a body element should be performed before policy execution.
✖️	PO006		Policy Naming Conventions - default name	Policy names should not be default.
✔️	PO007	Minor	Policy Naming Conventions - type indication	It is recommended that the policy name include an indicator of the policy type.
✔️	PO008	Minor	Policy Name Attribute Conventions	It is recommended that the policy name attribute match the display name of the policy.
✔️	PO009	Major	Service Callout Target - Mgmt Server	Targeting management server may result in higher than expected latency use with caution.
✖️	PO010		Service Callout Target - Target Server	Encourage use of target servers.
✖️	PO011		Service Callout Target - Dynamic URLs	Error on dynamic URLs in target server URL tag.
⭕	PO012		Service Callout Target - Script Target Node	JSHint, ESLint. This Sonarqube plugin is not a linter.
⭕	PO013		Resource Call Out - Javascript	Analyzed by sonar-javascript-plugin.
⭕	PO014		Resource Call Out - Java	Analyzed by sonar-java-plugin.
⭕	PO015		Resource Call Out - Python	Analyzed by sonar-python-plugin.
✖️	PO016		Statistics Collector - duplicate variables	Warn on duplicate variables.
✖️	PO017		Misconfigured - FaultRules/Fault Rule in Policy	FaultRules are configured in ProxyEndpoints and TargetEndpoints.
✔️	PO018	Major	Regex Lookahead/Lookbehind are Expensive - Threat Protection Policy	Regular expressions that include lookahead or lookbehind perform slowly on large payloads and are typically not required.
✔️	PO019	Major	Reserved words as variables - ServiceCallout Request	Using "request" as the name of a Request may cause unexpected side effects.
✔️	PO020	Major	Reserved words as variables - ServiceCallout Response	Using "response" as the name of a Response may cause unexpected side effects.
✖️	PO021		Statistics Collector - reserved variables	Warn on insertion of duplicate variables.
✔️	PO022	Major	Nondistributed Quota	When using nondistributed quota the number of allowed calls is influenced by the number of Message Processors (MPs) deployed. This may lead to higher than expected transactions for a given quota as MPs now autoscale.
✔️	PO023	Major	Quota Policy Reuse	When the same Quota policy is used more than once you must ensure that the conditions of execution are mutually exclusive or that you intend for a call to count more than once per message processed.
✔️	PO024	Major	Cache Error Responses	By default the ResponseCache policy will cache non 200 responses. Either create a condition or use policy configuration options to exclude non 200 responses.
✔️	PO500	Major	Avoid Python language	Python scripts can introduce performance bottlenecks for simple executions, as it is interpreted at runtime.

FaultRules level

Status	Rule ID	Severity	Name	Description
✔️	FR001	Major	No Condition on FaultRule	It's not a best practice to have a FaultRule without an outer condition, which automatically makes the FaultRule true.
✔️	FR501	Major	FaultRules or DefaultFaultRule must be used	It's needed to prevent default error messages from the backend or from Apigee to be forwarded outside.
✔️	FR502	Critical	DefaultFaultRule defined and FaultRule without condition	A DefaultFaultRule is defined whereas a FaultRule without condition exists. Consider removing the FaultRule without condition.

Conditional level

| Status | Rule ID | Severity | Name | Descripti...

v2.0.0

This release provides support for sonar-xml 2.0.1+.
Compatible with all public releases of SonarQube. Available directly in the SonarQube Marketplace.

• Fix issues #5 and #22

You can test the result with the MyAwfulProxy.zip (after expanding it)

Implemented Rules

The rule IDs come from the apigeecs/bundle-linter.
Other rules start from "500" to not interfer with the first rules. Example : PD500.

Legend :

✔️ : implemented

✖️ : not yet implemented

⭕ : won't be implemented. See details in Description column

Bundle level

Status	Rule ID	Severity	Name	Description
✖️	BN001		Bundle folder structure correctness.	Bundles have a clear structure.
✖️	BN002		Extraneous files.	Ensure each folder contains approrpriate resources in the bundle.
✔️	BN003	Major	Cache Coherence	A bundle that includes cache reads should include cache writes with the same keys.
✖️	BN004		Unused variables.	Within a bundle variables created should be used in conditions, resource callouts, or policies.
✔️	BN005	Minor	Unattached policies.	Unattached policies are dead code and should be removed from production bundles.
✖️	BN006		Bundle size - policies.	Large bundles are a symptom of poor design. A high number of policies is predictive of an oversized bundle.
✖️	BN007		Bundle size - resource callouts.	Large bundles are a symptom of poor design. A high number of resource callouts is indicative of underutilizing out of the box Apigee policies.
✖️	BN008		IgnoreUnresolvedVariables and FaultRules	Use of IgnoreUnresolvedVariables without the use of FaultRules may lead to unexpected errors.
✖️	BN009		Statistics Collector - duplicate policies	Warn on duplicate policies when no conditions are present or conditions are duplicates.
✔️	BN500	Info	Description length	A Description tag should have more than N chars to be useful. "N" can be modified in the Quality Profile. The default value is 5.
✔️	BN501	Blocker	Description pattern	The Description of the APIProxy must be compliant with a pattern defined in the Quality Profile. For example : .*\(code=([A-Z0-9]{4})\).*. The default pattern is  .*
✔️	BN502	Minor	Unattached resources.	Unattached resources are dead code and should be removed from production bundles. This rule only checks XSL, XSD and WSDL resources. Don't forget to add .wsdl as suffix to be analyzed in the XMLPlugin administration.

Proxy Definition level

Status	Rule ID	Severity	Name	Description
✔️	PD001	Blocker	RouteRules to Targets	RouteRules should map to defined Targets
✔️	PD002	Blocker	Unreachable Route Rules - defaults	Only one RouteRule should be present without a condition
✔️	PD003	Blocker	Unreachable Route Rules	RouteRule without a condition should be last.
✔️	PD501	Major	Too much proxy endpoints	Discourage the declaration of multiple proxy endpoints in a same proxy.

Target Definition level

Status	Rule ID	Severity	Name	Description
✔️	TD001	Major	Mgmt Server as Target	Discourage calls to the Management Server from a Proxy via target.
✔️	TD002	Major	Use Target Servers	Encourage the use of target servers
✔️	TD501	Major	Too much Target Endpoints	Discourage the use of numerous target endpoints

Flow level

Status	Rule ID	Severity	Name	Description
✔️	FL001	Blocker	Unconditional Flows	Only one unconditional flow will get executed. Error if more than one was detected.
✔️	FL500	Critical	Default flow	A default flow must be defined to catch all requests on undefined resources.
✔️	FL501	Blocker	Unreachable flow	Flow without a condition must be last.

Step level

Status	Rule ID	Severity	Name	Description
✔️	ST001	Minor	Empty Step	Empty steps clutter the bundle. (Should never happen, Apigee already blocks this error form occuring.)

Policy level

Status	Rule ID	Severity	Name	Description
✔️	PO001	Major	JSON Threat Protection	A check for a body element should be performed before policy execution.
✔️	PO002	Major	XML Threat Protection	A check for a body element should be performed before policy execution.
✔️	PO003	Major	Extract Variables with JSONPayload	A check for a body element should be performed before policy execution.
✔️	PO004	Major	Extract Variables with XMLPayload	A check for a body element should be performed before policy execution.
✔️	PO005	Major	Extract Variables with FormParam	A check for a body element should be performed before policy execution.
✖️	PO006		Policy Naming Conventions - default name	Policy names should not be default.
✔️	PO007	Minor	Policy Naming Conventions - type indication	It is recommended that the policy name include an indicator of the policy type.
✔️	PO008	Minor	Policy Name Attribute Conventions	It is recommended that the policy name attribute match the display name of the policy.
✔️	PO009	Major	Service Callout Target - Mgmt Server	Targeting management server may result in higher than expected latency use with caution.
✖️	PO010		Service Callout Target - Target Server	Encourage use of target servers.
✖️	PO011		Service Callout Target - Dynamic URLs	Error on dynamic URLs in target server URL tag.
✖️	PO012		Service Callout Target - Script Target Node	JSHint, ESLint.
⭕	PO013		Resource Call Out - Javascript	Analyzed by sonar-javascript-plugin.
⭕	PO014		Resource Call Out - Java	Analyzed by sonar-java-plugin.
⭕	PO015		Resource Call Out - Python	Analyzed by sonar-python-plugin.
✖️	PO016		Statistics Collector - duplicate variables	Warn on duplicate variables.
✖️	PO017		Misconfigured - FaultRules/Fault Rule in Policy	FaultRules are configured in ProxyEndpoints and TargetEndpoints.
✔️	PO018	Major	Regex Lookahead/Lookbehind are Expensive - Threat Protection Policy	Regular expressions that include lookahead or lookbehind perform slowly on large payloads and are typically not required.
✔️	PO019	Major	Reserved words as variables - ServiceCallout Request	Using "request" as the name of a Request may cause unexpected side effects.
✔️	PO020	Major	Reserved words as variables - ServiceCallout Response	Using "response" as the name of a Response may cause unexpected side effects.
✖️	PO021		Statistics Collector - reserved variables	Warn on insertion of duplicate variables.
✖️	PO022		Nondistributed Quota	When using nondistributed quota the number of allowed calls is influenced by the number of Message Processors (MPs) deployed. This may lead to higher than expected transactions for a given quota as MPs now autoscale.
✖️	PO023		Quota Policy Reuse	When the same Quota policy is used more than once you must ensure that the conditions of execution are mutually exclusive or that you intend for a call to count more than once per message processed.
✖️	PO024		Cache Error Responses	By default the ResponseCache policy will cache non 200 responses. Either create a condition or use policy configuration options to exclude non 200 responses.
✔️	PO500	Major	Avoid Python language	Python scripts can introduce performance bottlenecks for simple executions, as it is interpreted at runtime.

FaultRules level

Status	Rule ID	Severity	Name	Description
✔️	FR001	Major	No Condition on FaultRule	It's not a best practice to have a FaultRule without an outer condition, which automatically makes the FaultRule true.
✔️	FR501	Major	FaultRules or DefaultFaultRule must be used	It's needed to prevent default error messages from the backend or from Apigee to be forwarded outside.
✔️	FR502	Critical	DefaultFaultRule defined and FaultRule without condition	A DefaultFaultRule is defined whereas a FaultRule without condition exists. Consider removing the FaultRule without condition.

Conditional level

Status	Rule ID	Severity	Name	Description
✖️	CC001		Literals in Conditionals	Warn on literals in any conditional statement.
:heavy_multiplicatio...

2.0.0-RC0

Provides support for sonar-xml 2.0.1+.
Compatible with all public releases of SonarQube.

2.0.0-alpha.0

Refactoring to be compatible with sonar-xml 2.0.1-xxxx.

v1.3.1

Fix issue ntiss#19

v1.3.0

• Fix issue #2 : exclude manifest.xml from analysis
• Add rule BN502 to check resource files

The binary sonar-apigee-plugin-1.3.0.jar is ready to be deployed in your SonarQube instance.
You can test the result with the MyAwfulProxy.zip (after expanding it)

Implemented Rules

Bundle level

Status	Rule ID	Severity	Name	Description
✅	BN003	Major	Cache Coherence	A bundle that includes cache reads should include cache writes with the same keys.
✅	BN005	Minor	Unattached policies.	Unattached policies are dead code and should be removed from production bundles.
✅	BN500	Info	Description length	A Description tag should have more than N chars to be useful. "N" can be modified in the Quality Profile. The default value is 5.
✅	BN501	Blocker	Description pattern	The Description of the APIProxy must be compliant with a pattern defined in the Quality Profile. For example : .*\(code=([A-Z0-9]{4})\).*. The default pattern is .*
✅	BN502	Minor	Unattached resources.	Unattached resources are dead code and should be removed from production bundles. This rule only checks XSL, XSD and WSDL resources. Don't forget to add .wsdl as suffix to be analyzed in the XMLPlugin administration.

Proxy Definition level

Status	Rule ID	Severity	Name	Description
✅	PD001	Blocker	RouteRules to Targets	RouteRules should map to defined Targets
✅	PD002	Blocker	Unreachable Route Rules - defaults	Only one RouteRule should be present without a condition
✅	PD003	Blocker	Unreachable Route Rules	RouteRule without a condition should be last.

Target Definition level

Status	Rule ID	Severity	Name	Description
✅	TD001	Major	Mgmt Server as Target	Discourage calls to the Management Server from a Proxy via target.
✅	TD002	Major	Use Target Servers	Encourage the use of target servers

Flow level

Status	Rule ID	Severity	Name	Description
✅	FL001	Blocker	Unconditional Flows	Only one unconditional flow will get executed. Error if more than one was detected.
✅	FL500	Critical	Default flow	A default flow must be defined to catch all requests on undefined resources.
✅	FL501	Blocker	Unreachable flow	Flow without a condition must be last.

Step level

Status	Rule ID	Severity	Name	Description
✅	ST001	Minor	Empty Step	Empty steps clutter the bundle. (Should never happen, Apigee already blocks this error form occuring.)

Policy level

Status	Rule ID	Severity	Name	Description
✅	PO001	Major	JSON Threat Protection	A check for a body element should be performed before policy execution.
✅	PO002	Major	XML Threat Protection	A check for a body element should be performed before policy execution.
✅	PO003	Major	Extract Variables with JSONPayload	A check for a body element should be performed before policy execution.
✅	PO004	Major	Extract Variables with XMLPayload	A check for a body element should be performed before policy execution.
✅	PO005	Major	Extract Variables with FormParam	A check for a body element should be performed before policy execution.
✅	PO007	Minor	Policy Naming Conventions - type indication	It is recommended that the policy name include an indicator of the policy type.
✅	PO008	Minor	Policy Name Attribute Conventions	It is recommended that the policy name attribute match the display name of the policy.
✅	PO009	Major	Service Callout Target - Mgmt Server	Targeting management server may result in higher than expected latency use with caution.
✅	PO018	Major	Regex Lookahead/Lookbehind are Expensive - Threat Protection Policy	Regular expressions that include lookahead or lookbehind perform slowly on large payloads and are typically not required.
✅	PO019	Major	Reserved words as variables - ServiceCallout Request	Using "request" as the name of a Request may cause unexpected side effects.
✅	PO020	Major	Reserved words as variables - ServiceCallout Response	Using "response" as the name of a Response may cause unexpected side effects.
✅	PO500	Major	Avoid Python language	Python scripts can introduce performance bottlenecks for simple executions, as it is interpreted at runtime.

FaultRules level

Status	Rule ID	Severity	Name	Description
✅	FR001	Major	No Condition on FaultRule	It's not a best practice to have a FaultRule without an outer condition, which automatically makes the FaultRule true.

Conditional level

Status	Rule ID	Severity	Name	Description
✅	CC003	Minor	Long condition statement	Conditions should not be longer than "N" characters. "N" can be modified in the Quality Profile. The default value is 255.