When conducting code reviews, I would much rather focus on the logic of the code and whether it aligns with the direction our team is going than scan line upon line for code that preferably should not be used, such as output="true" in a cffunction or <cfif myVar IS 1>.
That is why I'd like to introduce CodeChecker! It is a code review automation tool that takes away the tedious (and boring) aspects of reviewing code. It has a UI that runs in the browser, or you can call the CFCs directly from MXUnit. All of the rules are defined as regular expressions, and it also integrates the popular QueryParamScanner and VarScoper components. My regex skills admittedly are not great, so anyone who would be willing to optimize them, please contribute to the project on GitHub. Below are some of the highlights; more documentation can be found on the project's wiki.
- Rule Categories
  - Security
  - Performance
  - Standards
  - Maintenance
- Rules
  - Prohibit client scoped variables in a CFM page
  - File upload warnings to ensure they use the accept attribute and check for a valid file extension and MIME type
  - Prohibit nested cflock tags
  - Prohibit ParameterExists()
  - Prohibit IsDefined()
  - Prohibit Evaluate()
  - Prohibit DE()
  - Prohibit IIF()
  - Prohibit StructFind()
  - Prohibit DecrementValue()
  - Prohibit IncrementValue()
  - Use Len() instead of is "", is not "", etc.
  - Prohibit SetVariable()
  - Prohibit cfquery in a CFM page
  - Prohibit shared scope variables (form, application, url, session, cgi, client, request, cookie) in a CFC
  - Prohibit IS and GT for boolean tests
  - Prohibit IS/IS NOT when comparing numbers
  - Prohibit EQ/NEQ when comparing strings
  - Prohibit mathematical operations on strings
  - Prohibit the ampersand concatenator on numbers
  - Prohibit empty cfcatch blocks
  - Prohibit output=true in cfcomponent and cffunction
  - Require init method in CFCs
  - Require onMissingMethod method in CFCs
  - Require hints in cfcomponent, cffunction, and cfargument
  - Use ArrayNew() instead of ArrayNew(1)
  - Prohibit arguments-scoped datasource (since the datasource should be set on object instantiation)
  - Prohibit cfabort and abort()
  - Prohibit cfdump and writedump()
  - Prohibit cflog and writelog()
  - Prohibit console.log()
- Third Party Plugins
  - QueryParamScanner by Peter Boughton
  - VarScoper by Mike Schierberl
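To show how regex-defined rules like the ones above work in practice, here is an added Python sketch (my own illustration, not CodeChecker's code) that expresses five of the listed rules as regular expressions and runs them over a constructed sample CFC; the rule patterns, the `check_source` function and the sample source are all assumptions, and a regex-only checker will also flag matches inside strings or comments, which is one reason to review its findings rather than treat them as verdicts.

```python
import re
from typing import List, Tuple

# Five CodeChecker-style rules expressed as regular expressions (patterns are my own).
# Each entry: (rule name, applies only to CFC files, compiled pattern).
RULES = [
    ("Prohibit output=true in cfcomponent and cffunction", False,
     re.compile(r'<cf(?:component|function)\b[^>]*\boutput\s*=\s*["\']?(?:true|yes)\b', re.I)),
    ("Prohibit IS/IS NOT when comparing numbers", False,
     re.compile(r'\bIS(?:\s+NOT)?\s+-?\d+(?:\.\d+)?\b', re.I)),
    ("Prohibit Evaluate()", False,
     re.compile(r'\bEvaluate\s*\(', re.I)),
    ("Prohibit empty cfcatch blocks", False,
     re.compile(r'<cfcatch\b[^>]*>\s*</cfcatch>', re.I)),   # \s* lets the tags span lines
    ("Prohibit shared scope variables in a CFC", True,
     re.compile(r'\b(?:form|application|url|session|cgi|client|request|cookie)\.\w+', re.I)),
]


def check_source(src: str, is_cfc: bool) -> List[Tuple[int, str]]:
    """Run every applicable rule over the whole source and return
    (line_number, rule_name) pairs sorted by line."""
    findings = []
    for name, cfc_only, pattern in RULES:
        if cfc_only and not is_cfc:        # shared-scope rule is a CFC-only rule
            continue
        for m in pattern.finditer(src):
            line = src.count("\n", 0, m.start()) + 1   # 1-based line where the match starts
            findings.append((line, name))
    return sorted(findings)


# Constructed sample CFC (not real project code) that violates several rules.
SAMPLE_CFC = """<cfcomponent output="true" hint="constructed sample">
<cffunction name="getUser" access="public" returntype="struct" output="false">
<cfargument name="id" type="numeric" required="true">
<cfif arguments.id IS 1>
<cfset var label = Evaluate("1 + 1")>
</cfif>
<cftry>
<cfset var name = session.userName>
<cfcatch type="any"></cfcatch>
</cftry>
<cfreturn {}>
</cffunction>
</cfcomponent>"""

if __name__ == "__main__":
    for line, name in check_source(SAMPLE_CFC, is_cfc=True):
        print(f"line {line:>3}: {name}")
```

Running it reports findings on lines 1, 4, 5, 8 and 9 of the sample; with `is_cfc=False` the shared-scope hit on line 8 is skipped, mirroring the rule's CFC-only wording.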
Every team/developer has different needs and preferences, so feel free to remove any of the rules that you don't require. As I mentioned above, feel free to contribute new rules and optimize the ones I've defined. Also, any comments are welcome!
Special thanks/credit to Steve Bryant's CodeCop project for inspiring this.