<?xml version="1.0"?>
<ruleset name="Security Package Rules"
xmlns="http://pmd.sf.net/ruleset/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://pmd.sf.net/ruleset/1.0.0 http://pmd.sf.net/ruleset_xml_schema.xsd"
xsi:noNamespaceSchemaLocation="http://pmd.sf.net/ruleset_xml_schema.xsd">
<description>
PHPMD rules for security package - focuses on security best practices
</description>
<!-- Clean Code Rules: import rulesets/cleancode.xml minus the four rules excluded below. -->
<rule ref="rulesets/cleancode.xml">
<!-- Allow static methods (NonceGenerator pattern) -->
<exclude name="StaticAccess"/>
<!-- Boolean flags are appropriate for configuration classes -->
<exclude name="BooleanArgumentFlag"/>
<!-- Else expressions are sometimes clearer -->
<exclude name="ElseExpression"/>
<!-- Error control operator needed for file operations with proper error handling.
NOTE(review): with this rule excluded, PHPMD no longer reports any use of the @ operator,
so every @ call site must check the return value itself. Confirm this in code review,
because a silenced failure in security code can hide a failed read or write. -->
<exclude name="ErrorControlOperator"/>
</rule>
<!-- Code Size Rules: import rulesets/codesize.xml without the nine rules excluded here.
Each excluded rule is referenced again further down in this file with a custom threshold,
so these checks are relaxed rather than switched off. -->
<rule ref="rulesets/codesize.xml">
<!-- Test classes can have many test methods -->
<exclude name="TooManyPublicMethods"/>
<exclude name="TooManyMethods"/>
<!-- Complexity and parameter-count rules, redefined below with higher limits -->
<exclude name="CyclomaticComplexity"/>
<exclude name="NPathComplexity"/>
<exclude name="ExcessiveParameterList"/>
<!-- Exclude for test classes which naturally have many methods -->
<exclude name="ExcessivePublicCount"/>
<exclude name="ExcessiveClassComplexity"/>
<!-- Exclude to redefine with higher limits -->
<exclude name="ExcessiveMethodLength"/>
<exclude name="ExcessiveClassLength"/>
</rule>
<!-- Method-count limits, raised to accommodate test classes.
PHPMD's documented defaults are 10 (TooManyPublicMethods), 25 (TooManyMethods) and
45 (ExcessivePublicCount); all three are set to 80 here.
NOTE(review): nothing in this ruleset restricts these values to test code, so the same
limits apply to every file PHPMD is pointed at. Running the test directory against a
separate ruleset would keep the limits for production code tight. -->
<rule ref="rulesets/codesize.xml/TooManyPublicMethods">
<properties>
<!-- Test classes naturally have many test methods for comprehensive coverage -->
<property name="maxmethods" value="80"/>
</properties>
</rule>
<rule ref="rulesets/codesize.xml/TooManyMethods">
<properties>
<!-- Test classes naturally have many test methods for comprehensive coverage -->
<property name="maxmethods" value="80"/>
</properties>
</rule>
<rule ref="rulesets/codesize.xml/ExcessivePublicCount">
<properties>
<!-- Test classes naturally have many public test methods -->
<property name="minimum" value="80"/>
</properties>
</rule>
<!-- Class-complexity and length limits, raised with test classes and data providers in mind.
PHPMD's documented defaults are 50 (ExcessiveClassComplexity), 100 (ExcessiveMethodLength)
and 1000 (ExcessiveClassLength).
NOTE(review): these thresholds are not scoped to tests in this file, so production classes
are measured against the same relaxed values. Confirm that is acceptable for the
security-sensitive code paths. -->
<rule ref="rulesets/codesize.xml/ExcessiveClassComplexity">
<properties>
<!-- Test classes with many data providers can have high complexity -->
<property name="maximum" value="90"/>
</properties>
</rule>
<rule ref="rulesets/codesize.xml/ExcessiveMethodLength">
<properties>
<!-- Data providers with many test cases can be long -->
<property name="minimum" value="170"/>
</properties>
</rule>
<rule ref="rulesets/codesize.xml/ExcessiveClassLength">
<properties>
<!-- Test classes with comprehensive coverage can be long -->
<property name="minimum" value="1100"/>
</properties>
</rule>
<!-- Increased limits for security library patterns.
PHPMD's documented defaults are reportLevel 10 (CyclomaticComplexity), minimum 200
(NPathComplexity) and minimum 10 (ExcessiveParameterList).
NOTE(review): heavily branching validation or policy code is where an untested path is
most likely to be missed. Methods that sit between the default and these raised limits
are no longer reported, so they need branch-level test coverage and manual review. -->
<rule ref="rulesets/codesize.xml/CyclomaticComplexity">
<properties>
<!-- Report a method once its cyclomatic complexity reaches 15 -->
<property name="reportLevel" value="15"/>
</properties>
</rule>
<rule ref="rulesets/codesize.xml/NPathComplexity">
<properties>
<!-- Higher threshold for builder methods that check multiple optional fields -->
<property name="minimum" value="2500"/>
</properties>
</rule>
<rule ref="rulesets/codesize.xml/ExcessiveParameterList">
<properties>
<!-- Report a method or function once it declares 12 or more parameters -->
<property name="minimum" value="12"/>
</properties>
</rule>
<!-- Controversial Rules: import rulesets/controversial.xml minus Superglobals. -->
<rule ref="rulesets/controversial.xml">
<!-- Superglobals reports direct access to PHP superglobals such as $_GET, $_POST and $_SERVER.
Excluding it turns that check off for all analysed code.
NOTE(review): this exclusion is unrelated to static methods or singletons (StaticAccess in
cleancode.xml covers static calls). For a security package, confirm that unreported
superglobal access is really intended; request data is usually better read through one
validated entry point. -->
<exclude name="Superglobals"/>
</rule>
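<!-- Design Rules: import rulesets/design.xml minus CountInLoopExpression.
The Superglobals rule is defined in controversial.xml, not in design.xml, so an exclude
for it in this block would have no effect and is not listed. The remaining design rules,
including EvalExpression, DevelopmentCodeFragment and EmptyCatchBlock, stay active. -->
<rule ref="rulesets/design.xml">
<!-- Count in loop is sometimes necessary for indexed iteration -->
<exclude name="CountInLoopExpression"/>
</rule>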
<!-- Naming Rules: import rulesets/naming.xml minus ShortVariable; the other naming rules stay active. -->
<rule ref="rulesets/naming.xml">
<!-- Allow short variable names in compact methods -->
<exclude name="ShortVariable"/>
</rule>
<!-- Unused Code Rules: import rulesets/unusedcode.xml minus UnusedFormalParameter. -->
<rule ref="rulesets/unusedcode.xml">
<!-- Mock callbacks in tests may have unused parameters matching interface signatures.
NOTE(review): the exclusion is not limited to tests in this file, so an ignored parameter
in production code (for example a caller-supplied option that is never applied) is not
reported either; confirm that is acceptable. -->
<exclude name="UnusedFormalParameter"/>
</rule>
</ruleset>