...
Guideline ID | Description | Certification Level | Scope | ||||||
---|---|---|---|---|---|---|---|---|---|
G001
| The HTML rendering the UI conforms to the basic layout using a table of class | 1 | PEMDV | ||||||
G002
| The HTML rendering the UI uses only the defined CSS classes. | 3 | PEMDV | ||||||
G003
| The UI conforms to the basic guidelines. | 2 | PEMDV | ||||||
G004
| The UI uses the widgets supported by the XperienCentral platform. | 2 | PEMDV | ||||||
G005
| The JSPs that render the HTML use the JSTL tags and JSP tags offered by the XperienCentral platform as often as possible. | 2 | PEMDV | ||||||
G006
| The UI conforms to the defined UI interaction patterns. | 2 | PEMDV | ||||||
G007
| The business object is implemented as a POJO and does not contain any reference to a controller, form backing object or DAO. | 1 | PEMDV | ||||||
G008
| The business object does not contain properties or logic whose sole purpose is the view. | 1 | PDV | ||||||
G009
| The | 1 | PEMDV | ||||||
G010
| The | 1 | PEMDV | ||||||
G011
| The | 1 | PEMDV | ||||||
G012
| The | 3 | PMDV | ||||||
G013
| The controller is a separate class and implements all controller logic. | 1 | PEMD | ||||||
G014
| Persistence logic is not contained by the business object but implemented in a separate DAO. | 1 | PEMDV | ||||||
G015
| JSPs do not contain SQL statements or other persistence implementation-specific logic unless they are contained by a separate JSP tag. | 1 | PEMDRV | ||||||
G016
| The plugin contains all resources not provided by dependencies or other presentation plugins and is capable of being deployed and functioning properly on any XperienCentral installation, as long as all its defined dependencies are available. | 1 | A | ||||||
G017
| The version number of a plugin conforms to the syntax "major.minor.micro". | 1 | A | ||||||
G019
| The version numbers of the plugin are independent of the XperienCentral release they were developed for. | 1 | A | ||||||
G020
| If the datamodel of the plugin has been changed in a newer version of the plugin , the plugin must properly handle datamodel updates. | 2 | PEMDV | ||||||
G021
| The API that XperienCentral provides is used to access the data model XperienCentral exposes. | 1 | A | ||||||
G022
| XperienCentral features and API functions are used where possible instead of implementing custom functions. | 1 | A | ||||||
G023
| When the plugin uses a service, a dependency with that service is defined in the component definition in order to retrieve a reference to the service. | 1 | A | ||||||
G024
| Text, images and other GUI components are suitable for translation. | 3 | PEMCDV | ||||||
G025
| Multilingual content that can be created using the plugin is translatable. | PEMCDLFV | |||||||
G026
| Language labels are defined in language resource files conforming to JavaI18N and the filename meets the syntax | 1 | PEMCDLFV | ||||||
G027
| Label IDs in the language resource files use only lower case letters. | 1 | PEMCDLFV | ||||||
G028
| Language labels in language resource files are grouped per component and prefixed with at least the ID of the component. | PEMCDLFV | |||||||
G034
| Documentation is available in at least the US English language. | 3 | PEMDFV | ||||||
G035
| A plugin is distributed as a single ZIP file known as a WCA (WebManager Component Archive) which can also contain other related plugins. | 1 | A | ||||||
G036
| The contents of the WCA conforms to the defined directory structure. | 2 | A | ||||||
G037
| The WCA contains a | 1 | A | ||||||
G038
| The layout of the | 1 | A | ||||||
G039
| The plugin JAR file containing the software follows the defined directory structure. | 1 | A | ||||||
G042
| The HTML generated by the JSPs for rendering the Editor is XHTML 1.0 transitional compliant. | 3 | PEMDV | ||||||
G045
| All content generated by the plugin is stored in the JCR or in an external database if there is an obvious need for it. | 1 | PEMCDLFV | ||||||
G046
| The configuration management service is used to store configuration options. No hard-coded web IDs, paths or URLs are used in the software. | 1 | PEMCDLFV | ||||||
G047
| The preferences service is used to store all preferences. | 1 | PEMCDLFV | ||||||
G048
| The | 1 | PEMDRV | ||||||
G049
| SQL-prepared statements are used for all SQL queries. | 1 | A | ||||||
G050
| At least one RBAC category is defined for each component which has a GUI representation which contains one or more RBAC permissions for the component. | 2 | PEDV | ||||||
G051
| A permission category defines and implements at least the RBAC permissions as defined. | 2 | PEV | ||||||
G052
| The implementation of RBAC permission handling is mainly programmed in a controller or service, not in the business object itself. The check is only performed in the business object itself if the permission defines authorization to retrieve or update that particular property only. | 2 | PEMDV | ||||||
G053
| The definition of all RBAC permissions is positive. Permissions are defined in a way that assigning the permission to a role grants the role particular rights and it never denies rights. | 1 | PEMDV | ||||||
G055
| Coding conventions: the coding conventions that Sun publishes as the standard for the Java programming language are followed. | A | |||||||
G056
| Coding conventions: Java language features are used where applicable (Java version 5 and higher). | 3 | A | ||||||
G057
| Coding conventions: | 1 | A | ||||||
G058
| Coding conventions: Java concurrency utilities are used where applicable (Java version 5 and higher). | 3 | A | ||||||
G059
| Coding conventions: old collections like | 1 | A | ||||||
G060
| Coding conventions: the | A | |||||||
G061
| Coding conventions: The basic variant of the Hungarian notation is used. | A | |||||||
G063
| Coding conventions: The source code does not contain blank spaces before and after method arguments, however, spaces are used after Java keywords and commas. | A | |||||||
G064
| Coding conventions: Declare variables and methods in the following order: Class (static) variables, instance variables, constructors, methods. | A | |||||||
G067
| The FIXME comment is used to indicate that code snippets are incorrect during development and do not appear in a released plugin. | A | |||||||
G068
| The TODO comment is used to indicate that code snippets are incomplete during development and do not appear in a released plugin. | A | |||||||
G069
| Coding conventions: Spaces are used instead of tabs for trailing white space in the source code. | A | |||||||
G070
| Coding conventions: The size of one line in the software code is limited to 120 characters. | A | |||||||
G071
| Coding conventions: Start brackets are added on the same line as the statement to which they apply but ending brackets appear on a new line. | A | |||||||
G072
| Coding conventions: Brackets are used in all cases, even for single line statements. | A | |||||||
G073
| Coding conventions: The source code conforms to Javadoc conventions defined by Sun. | 2 | A | ||||||
G074
| Coding conventions: Public and protected classes, interfaces, variables and methods are tagged with Javadoc. | 2 | A | ||||||
G075
| The Javadoc does not contain references to documents that might not be accessible by external developers. | 3 | A | ||||||
G076
| General plugin classes conform to the defined naming conventions. | 1 | A | ||||||
G077
| Element component classes conform to the defined naming conventions. | 1 | E | ||||||
G078
| Element component classes conform to the defined hierarchy. | 1 | E | ||||||
G079
| Media Item component classes conform to the defined naming conventions. | 1 | M | ||||||
G080
| Media Item component classes conform to the defined hierarchy. | 1 | M | ||||||
G081
| Panel component classes conform to the defined naming conventions. | 1 | P | ||||||
G082
| Panel component classes conform to the defined hierarchy. | 1 | P | ||||||
G083
| The domain used for naming is returned by | 1 | A | ||||||
G084
| The plugin ID is returned by | 1 | A | ||||||
G087
| The prefix equals the plugin ID. | 1 | A | ||||||
G089
| Package names used in the source code of the plugin conform to the package naming guidelines as defined by the Sun coding conventions. | 1 | A | ||||||
G090
| Top level Java package names follow the syntax | 1 | A | ||||||
G095
| The artifact ID in the | 1 | A | ||||||
G096
| The group ID in the | 1 | A | ||||||
G097
| The ID of the component bundle definition defined in the activator of the plugin conforms to the defined syntax. | 1 | A | ||||||
G098
| The ID of each component definition contained by the plugin must be prefixed with the component bundle definition ID followed by an ID that is unique within the plugin, matches the component name and consists of lower case alphanumeric characters in the range [a-z]. This does not include the media item component definition. | 1 | A | ||||||
G099
| All IDs and properties defined use only lower case letters. | 1 | A | ||||||
G101
| The name of the RBAC category conforms to the syntax | 1 | PEMCDLFV | ||||||
G102
| The technical name of each RBAC permission is prefixed with the technical name of the RBAC category, followed by a dot. | 1 | PEMCDLFV | ||||||
G103
| Technical names of categories and permissions are in lower case, do not contain spaces and separate words are separated by a dot. | 1 | PEMCDLFV | ||||||
G104
| For CRUD actions, the defined naming conventions are used.
| 2 | PEMCDLFV | ||||||
G105
| In user documentation, the defined naming conventions are used for XperienCentral assets. | 3 | A | ||||||
G106
| All names of labels, Java classes, methods, properties, etc. are in US English unless they represent translatable labels presented to the end user. | 1 | A | ||||||
G107
| The CMU-SEI (https://en.wikipedia.org/wiki/Cyclomatic_complexity) does not exceed 15. | 3 | PEMCDLFV | ||||||
G108
| Online help covering the visible components contained by the plugin is available. | 2 | PEMDV | ||||||
G109
| An API is exposed by a domain object interface when it consists of getters and setters for properties of that domain object. | 1 | PEMCDLFV | ||||||
G110
| Implementations of a domain object interface is postfixed with "Impl". | 2 | PEMCDLFV | ||||||
G111
| An API is exposed as a service when the API creates or deletes domain objects or operates on multiple domain objects. | 2 | PEMCDLFV | ||||||
G112
| An API service managing entities is preferably postfixed with "ManagementService". | 3 | CV | ||||||
G113
| A method handles an exception internally if it is recoverable. | 2 | A | ||||||
G114
| A method throws a checked exception if it is unrecoverable and occurs in an area outside the immediate control of the program. | A | |||||||
G116
| Identifiers used by a plugin are defined in one class as public static final fields of that class. | 3 | A | ||||||
G117
| A plugin exposes its identifiers by exposing the class as defined by guideline G116. | 3 | A | ||||||
G118
| Any class or interface that is exposed by a plugin as API should be contained by a package called "api" directly under the plugin's root package, or by a sub package of this package. | 2 | A | ||||||
G119
| If content is stored in an internal relational database, the SQL scripts to create those database tables should be contained by the plugin in a | 2 | A | ||||||
G120
| Each plugin should come with a unit test or test bundle that has a code coverage of at least 10%. | 3 | PEMCDLFV | ||||||
G121
| The plugin ID only contains alphanumeric characters in the range [a-z]. | 1 | A | ||||||
G122
| The domain only contains alphanumeric characters in the range [a-z] separated by dots. | 1 | A | ||||||
G123
| In the JSPs, properly escaped strings in the HTML are output using standard JSTL functions. | 1 | PEMDRV | ||||||
G124
| The | 1 | M | ||||||
G125
| Use the Entity Manager as the DAO implementation to store entities in the JCR when possible. | PEMCDLF | |||||||
G126
| Creating and removing resources on which a plugin depends should be done automatically upon installation and purging the plugin if possible. | 1 | A | ||||||
G127
| Framework labels are grouped separately in the language resource files. | PEMCDLFV | |||||||
G128
| Language files are at least available in US English. | 2 | PEMCDLFV | ||||||
G129
| A method should not catch an unchecked exception if it is unrecoverable and occurs in an area inside the immediate control of the program. | 1 | A | ||||||
G131
| A new checked exception type is used as the wrapper for multiple checked exceptions if the amount of thrown checked exception exceeds five. | 2 | A | ||||||
G132
| The Javadoc clearly explains how the class or interface should be used, preferably by providing code examples. | 2 | A | ||||||
G133
| For each package contained by the plugin, a | A | |||||||
G134
| HTML generated by the JSPs for rendering the website environment should be XHTML 1.0 transitional compliant. | 3 | R | ||||||
G135
| If a method of a class implements a method of an interface, refer to the Javadoc of the interface using the | 2 | A | ||||||
G136
| The | 1 | A | ||||||
G137
| The presentation plugin is self-sufficient and does not depend on any resource provided by another plugin unless it is another presentation plugin . | 1 | R | ||||||
G138
| JSPs copied from the original XperienCentral platform presentation are copied to the specified directory. | 1 | R | ||||||
G139
| The value of the name attribute in the descriptor of a JSP is prefixed by the plugin ID. | 1 | R | ||||||
G140
| Static files used by the presentation plugin are located in a subdirectory that equals the plugin ID. | 1 | R | ||||||
G141
| The software does not contain code snippets that are commented out, not used or that duplicates of other code snippets in the same plugin . | 2 | A | ||||||
G142
| Media item JSPs that display the content of a media item contain a check to see whether the media item has not already been rendered before within the same request. | 1 | MR | ||||||
G143
| Use the | 1 | PEMDRV | ||||||
G144
| Implement caching properly by providing SSIs. | 1 | PEMDRV | ||||||
G145
| A plugin contains only those components that logically belong to each other. | 1 | R | ||||||
G147
| The plugin does not contain the empty online help that was generated by the archetype. | 1 | A | ||||||
G148
| Do not use public or protected instance variables. Use private instance variables with getters and setters instead. | 1 | A | ||||||
G149
| The plugin ID and domain are approved by GX and the plugin (of this version) is registered. | 1 | A | ||||||
G151
| The name of a scheduled job is prefixed by the plugin ID. | 1 | C | ||||||
G152
| The ID of each configuration set defined by the plugin is prefixed by or equals the plugin ID. | 1 | A | ||||||
G153
| The plugin contains an example frontend presentation if it requires such a presentation to work properly. | 2 | EMDFV | ||||||
G154
| The plugin supports the software and hardware as described in Hardware and Software Requirements. | 2 | A |
...
Note |
---|
More complete security guidelines are available explained in /wiki/spaces/PD/pages/24707143. This section is The topics in this section are only visible to certified GX Software partners and customers who are logged in to the GX Software domain. |
...
Code Block | ||
---|---|---|
| ||
// Bad SQL query vulnerable to SQL injection String query = “select"select count(*) from users where name=’' + name + “’"' and password=’”'" + password + “’”"'"; |
If the name and password are directly passed from the posted form onto this query, the query will be vulnerable to SQL injection. If the user would enter username and password:
...
Code Block | ||
---|---|---|
| ||
username=’ or 1=1 or name=’' password=’ or 1=1 or password=’' |
The query would always return 1. SQL injection can be easily prevented by using prepared statements instead. Prepared statements prevent SQL injection by automatically escaping the input. For this reason it is recommended that you use prepared statements in all cases. See java.sql.PreparedStatement
[G049].
...
Code Block | ||
---|---|---|
| ||
// FIXME (ivol): this won’twon't work if myNumber equals 0 public String getProperty(); return 1/myNumber; } |
...