Skip to content

Add 6 new Flow Scanner rules (lexical): HardcodedUrl, GetRecordAllFields, ProcessBuilder, InactiveFlow, InvalidApiVersion, MissingTriggerOrder#481

Open
nvuillam wants to merge 1 commit into
forcedotcom:devfrom
nvuillam:feat/flow-rules-batch-a
Open

Add 6 new Flow Scanner rules (lexical): HardcodedUrl, GetRecordAllFields, ProcessBuilder, InactiveFlow, InvalidApiVersion, MissingTriggerOrder#481
nvuillam wants to merge 1 commit into
forcedotcom:devfrom
nvuillam:feat/flow-rules-batch-a

Conversation

@nvuillam

@nvuillam nvuillam commented Jul 13, 2026

Copy link
Copy Markdown

What

Adds six new Flow Scanner rules, all six are lexical (single-flow) queries:

Rule Severity Category Detects
HardcodedUrl Moderate BestPractices Hardcoded http(s):// URLs in string values
GetRecordAllFields Low Performance Get Records elements that store all fields automatically (storeOutputAutomatically=true, no queriedFields)
ProcessBuilder Moderate BestPractices Retired Process Builder / Workflow automation (processType Workflow/InvocableProcess)
InactiveFlow Low BestPractices Flows whose status is not Active
InvalidApiVersion Low BestPractices Missing apiVersion or below the supported minimum (50.0)
MissingTriggerOrder Low BestPractices Record-triggered flows without a triggerOrder

How

  • Six Python Query classes in FlowScanner/queries/optional_query.py, registered in that module's QUERIES map (auto-resolved by query_manager).
  • Mirrored 1:1 in the TypeScript catalog src/hardcoded-catalog.ts (RuleName enum + RULE_DESCRIPTIONS) and src/messages.ts.
  • Updated all_rules.goldfile.json (now 21 rules).
  • Engine version bumped to 0.39.0-SNAPSHOT.

Testing

  • New contains-new-rule-violations test workspace with a fixture per rule, plus a jest block asserting each rule flags exactly its fixture with no false positives, and that InactiveFlow stays silent on an all-active workspace.
  • Updated the end-to-end test (rule count 15 → 21; added GetRecordAllFields: 3, InactiveFlow: 4 to the per-rule counts).
  • The existing TS↔Python rule-name sync tests, the describeRules goldfile test, tsc build, and eslint all pass.

🤖 Generated with Claude Code

Adds six lexical Flow rules inspired by the community lightning-flow-scanner
rule set, filling gaps in the current 15-rule catalog:

- HardcodedUrl          (Moderate, BestPractices) - hardcoded http(s) URLs
- GetRecordAllFields    (Low, Performance)        - Get Records storing all fields
- ProcessBuilder        (Moderate, BestPractices) - retired Process Builder / Workflow
- InactiveFlow          (Low, BestPractices)      - non-Active flow status
- InvalidApiVersion     (Low, BestPractices)      - missing/outdated apiVersion (< 50)
- MissingTriggerOrder   (Low, BestPractices)      - record-triggered flow w/o triggerOrder

Each rule is a Python Query class in optional_query.py, registered in its
QUERIES map, mirrored in the TypeScript catalog (hardcoded-catalog.ts) and
messages.ts, and reflected in the all-rules goldfile. Adds a
contains-new-rule-violations test workspace plus a jest block asserting each
rule flags its fixture, and updates the end-to-end rule count (15 -> 21) and
per-rule violation counts. Bumps the engine to 0.39.0-SNAPSHOT.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@git2gus

git2gus Bot commented Jul 13, 2026

Copy link
Copy Markdown

Git2Gus App is installed but the .git2gus/config.json doesn't have right values. You should add the required configuration.

@aruntyagiTutu aruntyagiTutu left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great addition of 6 new Flow Scanner rules to close gaps with the community scanner. The implementation is clean, consistent, and well-tested.

Key observations:

  • Consistency: All 6 rules follow the existing LexicalQuery pattern with proper query_id, get_query_description(), when_to_run(), and execute() methods.
  • Testing: Each rule has a dedicated fixture in contains-new-rule-violations workspace, plus it.each() blocks asserting each rule flags exactly its fixture. InactiveFlow has a negative test (all-active workspace → no violations).
  • TypeScript/Python sync: Rules added to both QUERIES map (Python) and RuleName enum + RULE_DESCRIPTIONS (TypeScript), with message catalog entries.
  • Goldfile updated: all_rules.goldfile.json now includes all 6 rules (15→21 total).
  • Version bump: Engine bumped to 0.39.0-SNAPSHOT.
  • Minimal scope: No unrelated changes, clear commit.
  • Helper function: flow_level_result() is a nice abstraction for rules that report flow-level issues (status, API version) rather than element-level issues.

Minor notes:

  • MIN_API_VERSION = 50.0 is reasonable but not configurable. If the team later wants to bump this, it's a one-line change.
  • url_pattern regex is simple (https?://[^\s"'<>]+). May have edge cases (e.g., URLs in CDATA), but good enough for the common case.

Overall: excellent work, ready to merge.

@nvuillam nvuillam closed this Jul 13, 2026
@nvuillam nvuillam reopened this Jul 13, 2026
@namrata111f

Copy link
Copy Markdown
Contributor

🔴 CRITICAL: O(n) Performance Issue in HardcodedUrl Rule

File: packages/code-analyzer-flow-engine/FlowScanner/queries/optional_query.py:78-89
Category: Performance

Issue

The HardcodedUrl.execute() method uses in operator on a list, causing O(n) membership checks that degrade performance with many violations:

for hardcoded_url in hardcoded_urls:
    if hardcoded_url['url'] not in excluded_urls:  # O(n) lookup!
        normalized_violations.append(...)

Impact

  • With 1,000 excluded URLs and 100 hardcoded URLs: 100,000 comparisons
  • Performance degrades linearly with list size
  • Noticeable slowdown on large Flow files

Recommendation

Convert excluded_urls list to a set for O(1) lookup:

excluded_url_set = set(excluded_urls)
for hardcoded_url in hardcoded_urls:
    if hardcoded_url['url'] not in excluded_url_set:  # O(1) lookup
        normalized_violations.append(...)

Expected improvement: 100-1000x faster for large exclusion lists


###📊 Review Summary

Total findings: 3

  • 🔴 Critical: 1 (Performance)
  • 🟡 Medium: 2 (ReDoS regex, Architecture config)

Generated by /code-analyzer-monitor 🤖

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants