<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>dbLinter Archives - Philipp Salvisberg&#039;s Blog</title>
	<atom:link href="https://www.salvis.com/blog/tag/dblinter/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.salvis.com/blog/tag/dblinter/</link>
	<description>Database-centric development</description>
	<lastBuildDate>Wed, 01 Jul 2026 22:57:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://www.salvis.com/blog/wp-content/uploads/2014/04/favicon.png</url>
	<title>dbLinter Archives - Philipp Salvisberg&#039;s Blog</title>
	<link>https://www.salvis.com/blog/tag/dblinter/</link>
	<width>32</width>
	<height>32</height>
</image> 
<atom:link rel="hub" href="https://pubsubhubbub.appspot.com"/>
<atom:link rel="hub" href="https://pubsubhubbub.superfeedr.com"/>
<atom:link rel="hub" href="https://websubhub.com/hub"/>
<atom:link rel="self" href="https://www.salvis.com/blog/tag/dblinter/feed/"/>
	<item>
		<title>Detecting Security Vulnerabilities With the APEXlang Parser</title>
		<link>https://www.salvis.com/blog/2026/06/29/detecting-security-vulnerabilities-with-the-apexlang-parser/</link>
					<comments>https://www.salvis.com/blog/2026/06/29/detecting-security-vulnerabilities-with-the-apexlang-parser/#respond</comments>
		
		<dc:creator><![CDATA[Philipp Salvisberg]]></dc:creator>
		<pubDate>Mon, 29 Jun 2026 12:12:21 +0000</pubDate>
				<category><![CDATA[Oracle]]></category>
		<category><![CDATA[ANTLR]]></category>
		<category><![CDATA[APEXlang]]></category>
		<category><![CDATA[Code Analysis]]></category>
		<category><![CDATA[dbLinter]]></category>
		<guid isPermaLink="false">https://www.salvis.com/blog/?p=19914</guid>

					<description><![CDATA[<p>Introduction A parser for the APEXlang grammar enables the development of tools beyond the scope of the APEXlang compiler included in SQLcl, SQL Developer for VS Code, and ORDS. These tools can perform static code analysis, convert code, generate documentation, and visualise different aspects of an APEX application. A linter, for example,<span class="excerpt-hellip"> […]</span></p>
<p>The post <a href="https://www.salvis.com/blog/2026/06/29/detecting-security-vulnerabilities-with-the-apexlang-parser/">Detecting Security Vulnerabilities With the APEXlang Parser</a> appeared first on <a href="https://www.salvis.com/blog">Philipp Salvisberg&#039;s Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h2 id="introduction" class="wp-block-heading">Introduction</h2>



<p class="wp-block-paragraph">A parser for the APEXlang grammar enables the development of tools beyond the scope of the APEXlang compiler included in SQLcl, SQL Developer for VS Code, and ORDS. These tools can perform static code analysis, convert code, generate documentation, and visualise different aspects of an APEX application.</p>



<p class="wp-block-paragraph">A linter, for example, can check whether an APEXlang file conforms to defined quality standards. These standards may cover project- or company-specific conventions as well as more general concerns, such as detecting potential security vulnerabilities.</p>



<p class="wp-block-paragraph">In this blog post, I explain the elements of an APEXlang file that are the basis of Grisselbav&#8217;s <a href="https://github.com/Grisselbav/APEXlang-Parser" type="link" id="https://github.com/Grisselbav/APEXlang-Parser" target="_blank" rel="noreferrer noopener">APEXlang parser</a>. Then I demonstrate how to use the parser in a simple Java program to detect a security vulnerability.</p>



<h2 id="elements-of-an-apexlang-file" class="wp-block-heading">Elements of an APEXlang File</h2>



<p class="wp-block-paragraph">An APEXlang file consists of three basic building blocks: components, properties, and groups. These elements can also be nested, as shown later.</p>



<p class="wp-block-paragraph">Here&#8217;s an excerpt of Oracle&#8217;s Universal Theme demo application.apx file:</p>



<div class="wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(2 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span style="display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7">1) Excerpt of UT&#8217;s application.apx</span><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>app UT (
    name: Universal Theme 26.1 Reference
    version: 26.1.0
    group: @universal-theme
    logo {
        type: text
        text: Universal Theme
    }
    // ...removed code...
)</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #569CD6">app</span><span style="color: #D4D4D4"> </span><span style="color: #DCDCAA">UT</span><span style="color: #D4D4D4"> (</span></span>
<span class="line"><span style="color: #D4D4D4">    name: </span><span style="color: #569CD6">Universal</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">Theme</span><span style="color: #D4D4D4"> 26.1 Reference</span></span>
<span class="line"><span style="color: #D4D4D4">    version: 26.1.0</span></span>
<span class="line"><span style="color: #D4D4D4">    group: @universal-theme</span></span>
<span class="line"><span style="color: #D4D4D4">    logo {</span></span>
<span class="line"><span style="color: #D4D4D4">        type: text</span></span>
<span class="line"><span style="color: #D4D4D4">        text: </span><span style="color: #569CD6">Universal</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">Theme</span></span>
<span class="line"><span style="color: #D4D4D4">    }</span></span>
<span class="line"><span style="color: #D4D4D4">    </span><span style="color: #6A9955">// ...removed code...</span></span>
<span class="line"><span style="color: #D4D4D4">)</span></span></code></pre></div>



<h5 id="component" class="wp-block-heading">Component</h5>



<p class="wp-block-paragraph">There is one component in this example. It starts on line 1 and ends on line 10. <code>app</code> is the type of the component and <code>UT</code> the component name.</p>



<p class="wp-block-paragraph">A component body starts with a left parenthesis <code>(</code> and ends with a right parenthesis <code>)</code>.</p>



<h5 id="property" class="wp-block-heading">Property</h5>



<p class="wp-block-paragraph">In this example, we have 5 properties. The property keys are <code>name</code>, <code>version</code>, <code>group</code>, <code>type</code> and <code>text</code>. The value of a property follows a colon <code>:</code>. For <code>name</code> The value is <code>Universal Theme 26.1 Reference</code>, for <code>version</code> the value is <code>26.1.0</code> and so on.</p>



<p class="wp-block-paragraph">Please note that a property starts on a new line, and the property value starts after the colon and ends on a new line. This way, no delimiter characters are required for most property values. However, if leading or trailing spaces are significant, you have to pass the property value as a single-line string, which is enclosed in double quotes.</p>



<h5 id="group" class="wp-block-heading">Group (of properties)</h5>



<p class="wp-block-paragraph">The properties <code>type</code> and <code>text</code> are part of a group named <code>logo</code>.  The group in this example covers lines 5 to 8.</p>



<p class="wp-block-paragraph">A group body starts with an open curly bracket <code>{</code> and ends with a close curly bracket <code>}</code>.</p>



<p class="wp-block-paragraph">Properties which are not part of a group are called direct properties. This means they are defined directly in a component. Examples of direct properties are <code>name</code>, <code>version</code> and <code>group</code>.</p>



<h2 id="nesed-elements" class="wp-block-heading">Nested Elements</h2>



<p class="wp-block-paragraph">We have seen that a component may contain properties and groups. But it is also possible to nest elements.</p>



<ul class="wp-block-list">
<li>Components may contain other components besides properties and groups</li>



<li>Property values may contain groups besides simple values</li>
</ul>



<p class="wp-block-paragraph">There is no limit to the number of levels for nested elements.</p>



<p class="wp-block-paragraph">Here&#8217;s an example:</p>



<div class="wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(2 * 0.6 * .875rem);--cbp-line-highlight-color:rgba(234, 191, 191, 0.2);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span style="display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7">2) Nested Component and Group</span><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>app UT (
    // ...removed code...
    pwaShortcut getting-started (
        name: Getting Started
        sequence: 10
        shortcut {
            target: {
                page: 500
            }
            description: Getting Started Page - Initial Page
        }
        comments {
            comments: -
        }
    )
   // ...removed code...
)</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #569CD6">app</span><span style="color: #D4D4D4"> </span><span style="color: #DCDCAA">UT</span><span style="color: #D4D4D4"> (</span></span>
<span class="line"><span style="color: #D4D4D4">    </span><span style="color: #6A9955">// ...removed code...</span></span>
<span class="line cbp-line-highlight"><span style="color: #D4D4D4">    </span><span style="color: #569CD6">pwaShortcut</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">getting</span><span style="color: #D4D4D4">-started (</span></span>
<span class="line"><span style="color: #D4D4D4">        name: </span><span style="color: #569CD6">Getting</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">Started</span></span>
<span class="line"><span style="color: #D4D4D4">        sequence: 10</span></span>
<span class="line"><span style="color: #D4D4D4">        shortcut {</span></span>
<span class="line cbp-line-highlight"><span style="color: #D4D4D4">            target: {</span></span>
<span class="line"><span style="color: #D4D4D4">                page: 500</span></span>
<span class="line"><span style="color: #D4D4D4">            }</span></span>
<span class="line"><span style="color: #D4D4D4">            description: </span><span style="color: #569CD6">Getting</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">Started</span><span style="color: #D4D4D4"> Page - </span><span style="color: #569CD6">Initial</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">Page</span></span>
<span class="line"><span style="color: #D4D4D4">        }</span></span>
<span class="line"><span style="color: #D4D4D4">        comments {</span></span>
<span class="line"><span style="color: #D4D4D4">            comments: -</span></span>
<span class="line"><span style="color: #D4D4D4">        }</span></span>
<span class="line"><span style="color: #D4D4D4">    )</span></span>
<span class="line"><span style="color: #D4D4D4">   </span><span style="color: #6A9955">// ...removed code...</span></span>
<span class="line"><span style="color: #D4D4D4">)</span></span></code></pre></div>



<p class="wp-block-paragraph">A nested component starts on line 3 and a nested group on line 7.</p>



<h2 id="apexlang-grammar" class="wp-block-heading">APEXlang Grammar</h2>



<figure class="wp-block-image size-medium"><a href="https://grisselbav.github.io/APEXlang-Parser/grammar.html" target="_blank" rel=" noreferrer noopener"><img decoding="async" width="300" height="133" src="https://www.salvis.com/blog/wp-content/uploads/2026/06/APEXlang-apxFile-300x133.png" alt="apxFile rule of APEXlang grammar" class="wp-image-19988" srcset="https://www.salvis.com/blog/wp-content/uploads/2026/06/APEXlang-apxFile-300x133.png 300w, https://www.salvis.com/blog/wp-content/uploads/2026/06/APEXlang-apxFile-1024x453.png 1024w, https://www.salvis.com/blog/wp-content/uploads/2026/06/APEXlang-apxFile-768x340.png 768w, https://www.salvis.com/blog/wp-content/uploads/2026/06/APEXlang-apxFile-150x66.png 150w, https://www.salvis.com/blog/wp-content/uploads/2026/06/APEXlang-apxFile-480x212.png 480w, https://www.salvis.com/blog/wp-content/uploads/2026/06/APEXlang-apxFile.png 1456w" sizes="(max-width:767px) 300px, 300px" /></a></figure>



<p class="wp-block-paragraph">While the grammar documented in <a href="https://docs.oracle.com/en/database/oracle/apex/26.1/apxln/apexlang.ebnf" target="_blank" rel="noreferrer noopener">apexlang. ebnf</a> of the <a href="https://docs.oracle.com/en/database/oracle/apex/26.1/apxln/" target="_blank" rel="noreferrer noopener">API Reference</a> defines both the language structure and the valid APEXlang elements, the grammar used by Grisselbav&#8217;s APEXlang parser is limited to structural concerns. </p>



<p class="wp-block-paragraph">Because the parser focuses solely on syntax rather than semantic validation, the grammar remains remarkably compact.</p>



<p class="wp-block-paragraph">Click on the image above to view all the syntax diagrams. Alternatively, view the ANTLR4 source files, <a href="https://github.com/Grisselbav/APEXlang-Parser/blob/v0.2.0/src/main/antlr4/com/grisselbav/apexlang/grammar/ApexLangLexer.g4" target="_blank" rel="noreferrer noopener">ApexLangLexer.g4</a> and <a href="https://github.com/Grisselbav/APEXlang-Parser/blob/v0.2.0/src/main/antlr4/com/grisselbav/apexlang/grammar/ApexLangParser.g4" target="_blank" rel="noreferrer noopener">ApexLangParser.g4</a>, which were used to generate the parser available on <a href="https://central.sonatype.com/artifact/com.grisselbav/apexlang-parser" target="_blank" rel="noreferrer noopener">Maven Central</a>.</p>



<h2 id="apex-sert" class="wp-block-heading">APEX-SERT</h2>



<p class="wp-block-paragraph">APEX-SERT is an APEX application that scans a selected APEX application for security vulnerabilities. A vulnerability is detected by querying APEX dictionary views. All rules are defined in the <a href="https://github.com/oracle-samples/apex-sert/blob/v24.2.27.1/product/sert/sert_core/json_data/APEX-SERT%20Rules.json#L978-L1014" type="link" id="https://github.com/oracle-samples/apex-sert/blob/v24.2.27.1/product/sert/sert_core/json_data/APEX-SERT%20Rules.json#L978-L1014" target="_blank" rel="noreferrer noopener">APEX-SERT Rules.json</a> file. </p>



<p class="wp-block-paragraph">To demonstrate a practical use case, let’s look at the security check &#8220;Embed in Frames&#8221; implemented by APEX-SERT.</p>



<p class="wp-block-paragraph">When the property &#8220;Embed in Frames&#8221; is set to <code>Allow</code>, the application may be vulnerable to &#8220;clickjacking&#8221; attacks as explained in the help text of the page designer. See screenshot below.</p>



<figure class="wp-block-image size-large"><a href="https://www.salvis.com/blog/wp-content/uploads/2026/06/embed-in-frames-allow.png"><img fetchpriority="high" decoding="async" width="1024" height="698" src="https://www.salvis.com/blog/wp-content/uploads/2026/06/embed-in-frames-allow-1024x698.png" alt="" class="wp-image-20001" srcset="https://www.salvis.com/blog/wp-content/uploads/2026/06/embed-in-frames-allow-1024x698.png 1024w, https://www.salvis.com/blog/wp-content/uploads/2026/06/embed-in-frames-allow-300x205.png 300w, https://www.salvis.com/blog/wp-content/uploads/2026/06/embed-in-frames-allow-768x524.png 768w, https://www.salvis.com/blog/wp-content/uploads/2026/06/embed-in-frames-allow-1536x1047.png 1536w, https://www.salvis.com/blog/wp-content/uploads/2026/06/embed-in-frames-allow-2048x1396.png 2048w, https://www.salvis.com/blog/wp-content/uploads/2026/06/embed-in-frames-allow-110x75.png 110w, https://www.salvis.com/blog/wp-content/uploads/2026/06/embed-in-frames-allow-480x327.png 480w" sizes="(max-width:767px) 480px, (max-width:1024px) 100vw, 1024px" /></a></figure>



<p class="wp-block-paragraph">I changed the original value from <code>Allow from same origin</code> to <code>Allow</code> to simulate a security vulnerability.</p>



<p class="wp-block-paragraph">APEX-SERT runs a query similar to the following to find violations of this rule:</p>



<div class="wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span style="display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7">3) Find Violations with SQL</span><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>select application_id, application_name, browser_frame 
  from apex_applications
 where browser_frame not in ('Deny', 'Allow from same origin');</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #569CD6">select</span><span style="color: #D4D4D4"> application_id, application_name, browser_frame </span></span>
<span class="line"><span style="color: #D4D4D4">  </span><span style="color: #569CD6">from</span><span style="color: #D4D4D4"> apex_applications</span></span>
<span class="line"><span style="color: #D4D4D4"> </span><span style="color: #569CD6">where</span><span style="color: #D4D4D4"> browser_frame </span><span style="color: #569CD6">not</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">in</span><span style="color: #D4D4D4"> (</span><span style="color: #CE9178">&#39;Deny&#39;</span><span style="color: #D4D4D4">, </span><span style="color: #CE9178">&#39;Allow from same origin&#39;</span><span style="color: #D4D4D4">);</span></span></code></pre></div>



<div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>APPLICATION_ID APPLICATION_NAME               BROWSER_FRAME
-------------- ------------------------------ -------------
        101252 Universal Theme 26.1 Reference Allow</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #D4D4D4">APPLICATION_ID APPLICATION_NAME               BROWSER_FRAME</span></span>
<span class="line"><span style="color: #D4D4D4">-------------- ------------------------------ -------------</span></span>
<span class="line"><span style="color: #D4D4D4">        101252 Universal Theme 26.1 Reference Allow</span></span></code></pre></div>



<p class="wp-block-paragraph">So, the value of <code>Embed in Frames</code> is provided in the <code>browser_frame</code> column of the APEX dictionary view <code>apex_applications</code>.</p>



<p class="wp-block-paragraph">But where can we find this information in the APEXlang files?</p>



<h2 id="link-page-designer-property-to-apexlang" class="wp-block-heading">Link Page Designer Property to APEXlang</h2>



<p class="wp-block-paragraph">We find the &#8220;Embed in Frames&#8221; property in the page designer by navigating to &#8220;Shared Components&#8221; -&gt; &#8220;Application Definition&#8221; -&gt; &#8220;Security&#8221; -&gt; &#8220;Browser Security&#8221;. </p>



<p class="wp-block-paragraph">According to the <a href="https://docs.oracle.com/en/database/oracle/apex/26.1/apxln/apexlang.ebnf" target="_blank" rel="noreferrer noopener">apexlang. ebnf</a> there is a <code>security</code> group within the <code>app</code> component. Here&#8217;s the relevant excerpt:</p>



<div class="wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-start:347;--cbp-line-number-width:calc(3 * 0.6 * .875rem);--cbp-line-highlight-color:rgba(234, 191, 191, 0.2);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span style="display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7">3) Property embedInFrames within apexlang.ebnf</span><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>&lt;app-security> ::= &lt;indent> "security" &lt;ws> "{" &lt;line-end> { &lt;app-security-property-line> } &lt;indent> "}" &lt;line-end>
&lt;app-security-property-line> ::= &lt;indent> &lt;app-security-property> &lt;line-end>
&lt;app-security-property> ::= "deepLinking" ":" &lt;ws> ( "true" | "false" ) (* required; type: SELECT LIST *)
  | "enableDictation" ":" &lt;ws> &lt;boolean> (* required; type: YES NO *)
  | "browserCache" ":" &lt;ws> ( "true" | "false" ) (* required; type: SELECT LIST *)
  | "embedInFrames" ":" &lt;ws> ( "deny" | "allowSameOrigin" | "allow" ) (* required; type: SELECT LIST *)
  | "referrerPolicy" ":" &lt;ws> ( "noReferrer" | "noReferrerWhenDowngrade" | "origin" | "originWhenCrossOrigin" | "sameOrigin" | "strictOrigin" | "strictOriginWhenCrossOrigin" | "unsafeUrl" ) (* required; type: SELECT LIST *)
  | "htmlEscapingMode" ":" &lt;ws> ( "basic" | "extended" ) (* required; type: SELECT LIST *)
  | "httpResponseHeaders" ":" &lt;ws> &lt;multiline-string> (* type: TEXT EDITOR *)
  | "runtimeApiUsage" ":" &lt;ws> &lt;array-of-string-like-value> (* type: CHECKBOXES *)</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #D4D4D4">&lt;app-security&gt; ::= &lt;indent&gt; &quot;security&quot; &lt;ws&gt; &quot;</span><span style="color: #6A9955">{&quot; &lt;line-end&gt; { &lt;app-security-property-line&gt; }</span><span style="color: #D4D4D4"> &lt;indent&gt; &quot;}&quot; &lt;line-</span><span style="color: #569CD6">end</span><span style="color: #D4D4D4">&gt;</span></span>
<span class="line"><span style="color: #D4D4D4">&lt;app-security-property-line&gt; ::= &lt;indent&gt; &lt;app-security-property&gt; &lt;line-</span><span style="color: #569CD6">end</span><span style="color: #D4D4D4">&gt;</span></span>
<span class="line"><span style="color: #D4D4D4">&lt;app-security-property&gt; ::= &quot;deepLinking&quot; &quot;:&quot; &lt;ws&gt; ( &quot;</span><span style="color: #569CD6">true</span><span style="color: #D4D4D4">&quot; | &quot;</span><span style="color: #569CD6">false</span><span style="color: #D4D4D4">&quot; ) </span><span style="color: #6A9955">(* required; type: SELECT LIST *)</span></span>
<span class="line"><span style="color: #D4D4D4">  | &quot;enableDictation&quot; &quot;:&quot; &lt;ws&gt; &lt;</span><span style="color: #569CD6">boolean</span><span style="color: #D4D4D4">&gt; </span><span style="color: #6A9955">(* required; type: YES NO *)</span></span>
<span class="line"><span style="color: #D4D4D4">  | &quot;browserCache&quot; &quot;:&quot; &lt;ws&gt; ( &quot;</span><span style="color: #569CD6">true</span><span style="color: #D4D4D4">&quot; | &quot;</span><span style="color: #569CD6">false</span><span style="color: #D4D4D4">&quot; ) </span><span style="color: #6A9955">(* required; type: SELECT LIST *)</span></span>
<span class="line cbp-line-highlight"><span style="color: #D4D4D4">  | &quot;embedInFrames&quot; &quot;:&quot; &lt;ws&gt; ( &quot;deny&quot; | &quot;allowSameOrigin&quot; | &quot;allow&quot; ) </span><span style="color: #6A9955">(* required; type: SELECT LIST *)</span></span>
<span class="line"><span style="color: #D4D4D4">  | &quot;referrerPolicy&quot; &quot;:&quot; &lt;ws&gt; ( &quot;noReferrer&quot; | &quot;noReferrerWhenDowngrade&quot; | &quot;origin&quot; | &quot;originWhenCrossOrigin&quot; | &quot;sameOrigin&quot; | &quot;strictOrigin&quot; | &quot;strictOriginWhenCrossOrigin&quot; | &quot;unsafeUrl&quot; ) </span><span style="color: #6A9955">(* required; type: SELECT LIST *)</span></span>
<span class="line"><span style="color: #D4D4D4">  | &quot;htmlEscapingMode&quot; &quot;:&quot; &lt;ws&gt; ( &quot;basic&quot; | &quot;</span><span style="color: #569CD6">extended</span><span style="color: #D4D4D4">&quot; ) </span><span style="color: #6A9955">(* required; type: SELECT LIST *)</span></span>
<span class="line"><span style="color: #D4D4D4">  | &quot;httpResponseHeaders&quot; &quot;:&quot; &lt;ws&gt; &lt;multiline-</span><span style="color: #569CD6">string</span><span style="color: #D4D4D4">&gt; </span><span style="color: #6A9955">(* type: TEXT EDITOR *)</span></span>
<span class="line"><span style="color: #D4D4D4">  | &quot;runtimeApiUsage&quot; &quot;:&quot; &lt;ws&gt; &lt;</span><span style="color: #569CD6">array</span><span style="color: #D4D4D4">-</span><span style="color: #569CD6">of</span><span style="color: #D4D4D4">-</span><span style="color: #569CD6">string</span><span style="color: #D4D4D4">-like-value&gt; </span><span style="color: #6A9955">(* type: CHECKBOXES *)</span></span></code></pre></div>



<p class="wp-block-paragraph">We find on line 352 the definition of the property <code>embedInFrames</code> with a list of valid values. In this case, the property key is unique. This means that no other component or group uses the property key <code>embedInFrames</code>. Therefore, we can search the folder containing the .apx files for the string <code>embedInFrames:</code> to find the position of this property. </p>



<p class="wp-block-paragraph">The matching property is located in the <span style="background-color: initial; font-family: inherit; font-size: inherit; text-align: initial;"><code>application.apx</code> file.</span></p>



<p class="wp-block-paragraph">Here&#8217;s an excerpt.</p>



<div class="wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-start:46;--cbp-line-number-width:calc(2 * 0.6 * .875rem);--cbp-line-highlight-color:rgba(234, 191, 191, 0.2);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span style="display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7">4) Property embedInFrames in application.apx</span><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>    authorization {
        runOnPublicPages: true
    }
    security {
        deepLinking: true
        embedInFrames: allow
        runtimeApiUsage: modifyThisApp
    }
    sessionStateProtection {
        allowUrlsCreatedAfter: 1999-08-04T00:00:00
        checksumSalt: 75BAAC4002F8CA56EF54FD242CCE7719B1AB85BE339E930260B3EC8EA3879365
    }</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #D4D4D4">    </span><span style="color: #9CDCFE">authorization</span><span style="color: #D4D4D4"> {</span></span>
<span class="line"><span style="color: #D4D4D4">        </span><span style="color: #9CDCFE">runOnPublicPages</span><span style="color: #D4D4D4">: </span><span style="color: #569CD6">true</span></span>
<span class="line"><span style="color: #D4D4D4">    }</span></span>
<span class="line"><span style="color: #D4D4D4">    </span><span style="color: #9CDCFE">security</span><span style="color: #D4D4D4"> {</span></span>
<span class="line"><span style="color: #D4D4D4">        </span><span style="color: #9CDCFE">deepLinking</span><span style="color: #D4D4D4">: </span><span style="color: #569CD6">true</span></span>
<span class="line cbp-line-highlight"><span style="color: #D4D4D4">        </span><span style="color: #9CDCFE">embedInFrames</span><span style="color: #D4D4D4">: </span><span style="color: #9CDCFE">allow</span></span>
<span class="line"><span style="color: #D4D4D4">        </span><span style="color: #9CDCFE">runtimeApiUsage</span><span style="color: #D4D4D4">: </span><span style="color: #9CDCFE">modifyThisApp</span></span>
<span class="line"><span style="color: #D4D4D4">    }</span></span>
<span class="line"><span style="color: #D4D4D4">    </span><span style="color: #9CDCFE">sessionStateProtection</span><span style="color: #D4D4D4"> {</span></span>
<span class="line"><span style="color: #D4D4D4">        </span><span style="color: #9CDCFE">allowUrlsCreatedAfter</span><span style="color: #D4D4D4">: </span><span style="color: #B5CEA8">1999-08-04T00:00:00</span></span>
<span class="line"><span style="color: #D4D4D4">        </span><span style="color: #9CDCFE">checksumSalt</span><span style="color: #D4D4D4">: 75</span><span style="color: #9CDCFE">BAAC4002F8CA56EF54FD242CCE7719B1AB85BE339E930260B3EC8EA3879365</span></span>
<span class="line"><span style="color: #D4D4D4">    }</span></span></code></pre></div>



<p class="wp-block-paragraph">Please note that properties with default values are skipped when an APEX application is exported. Therefore, we would not see the <code>embedInFrames</code> property if its value were <code>Deny</code>.</p>



<h2 id="find-vulnerability-with-apexlang-parser" class="wp-block-heading">Find Vulnerability With APEXlang Parser</h2>



<p class="wp-block-paragraph">We now have all the information we need. We can write a small demo program. This program will find this vulnerability in an APEXlang file.</p>



<p class="wp-block-paragraph">The parser exposes the parse tree through ANTLR4-generated context classes. Each parser rule becomes a context class. For example, the class <code>ApexLangParser.PropertyContext</code> represents the <a href="https://github.com/Grisselbav/APEXlang-Parser/blob/v0.2.0/src/main/antlr4/com/grisselbav/apexlang/grammar/ApexLangParser.g4#L66-L68" target="_blank" rel="noreferrer noopener">property</a> parser rule. This makes it easy to traverse the <code>ApexLangDocument</code> using Java streams.</p>



<div class="wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(2 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span style="display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7">5) DemoFindVulnerability.java</span><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>//DEPS com.grisselbav:apexlang-parser:0.2.0

import com.grisselbav.apexlang.grammar.*;

class DemoFindVulnerability {
    public static void main(String[] args) {
        var apxSource = """
                app UT (
                    name: Universal Theme 26.1 Reference
                    version: 26.1.0
                    // ... removed code ...
                    authorization {
                        runOnPublicPages: true
                    }
                    security {
                        deepLinking: true
                        embedInFrames: allow
                        runtimeApiUsage: modifyThisApp
                    }
                    sessionStateProtection {
                        allowUrlsCreatedAfter: 1999-08-04T00:00:00
                        checksumSalt: 75BAAC4002F8CA56EF54FD242CCE7719B1AB85BE339E930260B3EC8EA3879365
                    }
                    // ... removed code ...
                )
                """;
        var doc = ApexLangDocument.parse(apxSource);
        var violations = doc.getAllContentsOfType(ApexLangParser.PropertyContext.class)
                .stream()
                .filter(p -> p.name.getText().equals("embedInFrames")
                        &amp;&amp; p.value().getText().equals("allow"))
                .toList();
        for (var violation : violations) {
            System.err.println("Found vulnerability: " + violation.getText());
        }
    }
}</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #6A9955">//DEPS com.grisselbav:apexlang-parser:0.2.0</span></span>
<span class="line"></span>
<span class="line"><span style="color: #569CD6">import</span><span style="color: #D4D4D4"> com.grisselbav.apexlang.grammar.*;</span></span>
<span class="line"></span>
<span class="line"><span style="color: #569CD6">class</span><span style="color: #D4D4D4"> </span><span style="color: #4EC9B0">DemoFindVulnerability</span><span style="color: #D4D4D4"> {</span></span>
<span class="line"><span style="color: #D4D4D4">    </span><span style="color: #569CD6">public</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">static</span><span style="color: #D4D4D4"> </span><span style="color: #4EC9B0">void</span><span style="color: #D4D4D4"> </span><span style="color: #DCDCAA">main</span><span style="color: #D4D4D4">(</span><span style="color: #4EC9B0">String</span><span style="color: #D4D4D4">[] </span><span style="color: #9CDCFE">args</span><span style="color: #D4D4D4">) {</span></span>
<span class="line"><span style="color: #D4D4D4">        </span><span style="color: #569CD6">var</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">apxSource</span><span style="color: #D4D4D4"> = </span><span style="color: #CE9178">&quot;&quot;&quot;</span></span>
<span class="line"><span style="color: #CE9178">                app UT (</span></span>
<span class="line"><span style="color: #CE9178">                    name: Universal Theme 26.1 Reference</span></span>
<span class="line"><span style="color: #CE9178">                    version: 26.1.0</span></span>
<span class="line"><span style="color: #CE9178">                    // ... removed code ...</span></span>
<span class="line"><span style="color: #CE9178">                    authorization {</span></span>
<span class="line"><span style="color: #CE9178">                        runOnPublicPages: true</span></span>
<span class="line"><span style="color: #CE9178">                    }</span></span>
<span class="line"><span style="color: #CE9178">                    security {</span></span>
<span class="line"><span style="color: #CE9178">                        deepLinking: true</span></span>
<span class="line"><span style="color: #CE9178">                        embedInFrames: allow</span></span>
<span class="line"><span style="color: #CE9178">                        runtimeApiUsage: modifyThisApp</span></span>
<span class="line"><span style="color: #CE9178">                    }</span></span>
<span class="line"><span style="color: #CE9178">                    sessionStateProtection {</span></span>
<span class="line"><span style="color: #CE9178">                        allowUrlsCreatedAfter: 1999-08-04T00:00:00</span></span>
<span class="line"><span style="color: #CE9178">                        checksumSalt: 75BAAC4002F8CA56EF54FD242CCE7719B1AB85BE339E930260B3EC8EA3879365</span></span>
<span class="line"><span style="color: #CE9178">                    }</span></span>
<span class="line"><span style="color: #CE9178">                    // ... removed code ...</span></span>
<span class="line"><span style="color: #CE9178">                )</span></span>
<span class="line"><span style="color: #CE9178">                &quot;&quot;&quot;</span><span style="color: #D4D4D4">;</span></span>
<span class="line"><span style="color: #D4D4D4">        </span><span style="color: #569CD6">var</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">doc</span><span style="color: #D4D4D4"> = </span><span style="color: #9CDCFE">ApexLangDocument</span><span style="color: #D4D4D4">.</span><span style="color: #DCDCAA">parse</span><span style="color: #D4D4D4">(apxSource);</span></span>
<span class="line"><span style="color: #D4D4D4">        </span><span style="color: #569CD6">var</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">violations</span><span style="color: #D4D4D4"> = </span><span style="color: #9CDCFE">doc</span><span style="color: #D4D4D4">.</span><span style="color: #DCDCAA">getAllContentsOfType</span><span style="color: #D4D4D4">(</span><span style="color: #9CDCFE">ApexLangParser</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">PropertyContext</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">class</span><span style="color: #D4D4D4">)</span></span>
<span class="line"><span style="color: #D4D4D4">                .</span><span style="color: #DCDCAA">stream</span><span style="color: #D4D4D4">()</span></span>
<span class="line"><span style="color: #D4D4D4">                .</span><span style="color: #DCDCAA">filter</span><span style="color: #D4D4D4">(p </span><span style="color: #569CD6">-&gt;</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">p</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">name</span><span style="color: #D4D4D4">.</span><span style="color: #DCDCAA">getText</span><span style="color: #D4D4D4">().</span><span style="color: #DCDCAA">equals</span><span style="color: #D4D4D4">(</span><span style="color: #CE9178">&quot;embedInFrames&quot;</span><span style="color: #D4D4D4">)</span></span>
<span class="line"><span style="color: #D4D4D4">                        &amp;&amp; </span><span style="color: #9CDCFE">p</span><span style="color: #D4D4D4">.</span><span style="color: #DCDCAA">value</span><span style="color: #D4D4D4">().</span><span style="color: #DCDCAA">getText</span><span style="color: #D4D4D4">().</span><span style="color: #DCDCAA">equals</span><span style="color: #D4D4D4">(</span><span style="color: #CE9178">&quot;allow&quot;</span><span style="color: #D4D4D4">))</span></span>
<span class="line"><span style="color: #D4D4D4">                .</span><span style="color: #DCDCAA">toList</span><span style="color: #D4D4D4">();</span></span>
<span class="line"><span style="color: #D4D4D4">        </span><span style="color: #C586C0">for</span><span style="color: #D4D4D4"> (</span><span style="color: #569CD6">var</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">violation</span><span style="color: #D4D4D4"> </span><span style="color: #C586C0">:</span><span style="color: #D4D4D4"> violations) {</span></span>
<span class="line"><span style="color: #D4D4D4">            </span><span style="color: #9CDCFE">System</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">err</span><span style="color: #D4D4D4">.</span><span style="color: #DCDCAA">println</span><span style="color: #D4D4D4">(</span><span style="color: #CE9178">&quot;Found vulnerability: &quot;</span><span style="color: #D4D4D4"> + </span><span style="color: #9CDCFE">violation</span><span style="color: #D4D4D4">.</span><span style="color: #DCDCAA">getText</span><span style="color: #D4D4D4">());</span></span>
<span class="line"><span style="color: #D4D4D4">        }</span></span>
<span class="line"><span style="color: #D4D4D4">    }</span></span>
<span class="line"><span style="color: #D4D4D4">}</span></span></code></pre></div>



<p class="wp-block-paragraph">This program embeds the APEXlang source code to scan in the <code>apxSource</code> variable. To run the program, save it as <code>DemoFindVulnerability.java</code>, then run it with <a href="https://www.jbang.dev/" type="link" id="https://www.jbang.dev/" target="_blank" rel="noreferrer noopener">JBang</a>. This will automatically resolve the Maven dependency on the first line.</p>



<div class="wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span style="display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#1E1E1E"><svg xmlns="http://www.w3.org/2000/svg" width="54" height="14" viewBox="0 0 54 14"><g fill="none" fill-rule="evenodd" transform="translate(1 1)"><circle cx="6" cy="6" r="6" fill="#FF5F56" stroke="#E0443E" stroke-width=".5"></circle><circle cx="26" cy="6" r="6" fill="#FFBD2E" stroke="#DEA123" stroke-width=".5"></circle><circle cx="46" cy="6" r="6" fill="#27C93F" stroke="#1AAB29" stroke-width=".5"></circle></g></svg></span><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>jbang DemoFindVulnerability.java</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #DCDCAA">jbang</span><span style="color: #D4D4D4"> </span><span style="color: #CE9178">DemoFindVulnerability.java</span></span></code></pre></div>



<div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>&#91;jbang&#93; Resolving dependencies...
&#91;jbang&#93;    com.grisselbav:apexlang-parser:0.2.0
&#91;jbang&#93; Dependencies resolved
&#91;jbang&#93; Building jar for DemoFindVulnerability.java...
Found vulnerability: 
        embedInFrames: allow</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #D4D4D4">&#91;jbang&#93; Resolving dependencies...</span></span>
<span class="line"><span style="color: #D4D4D4">&#91;jbang&#93;    com.grisselbav:apexlang-parser:0.2.0</span></span>
<span class="line"><span style="color: #D4D4D4">&#91;jbang&#93; Dependencies resolved</span></span>
<span class="line"><span style="color: #D4D4D4">&#91;jbang&#93; Building jar for DemoFindVulnerability.java...</span></span>
<span class="line"><span style="color: #D4D4D4">Found vulnerability: </span></span>
<span class="line"><span style="color: #D4D4D4">        embedInFrames: allow</span></span></code></pre></div>



<h2 id="are-regular-expressions-an-alternative" class="wp-block-heading">Are Regular Expressions An Alternative?</h2>



<p class="wp-block-paragraph">In this case, we could have used a regular expression to identify the violation. </p>



<p class="wp-block-paragraph">However, as soon as the rules become more complicated, e.g. if we want to ensure that the property is part of the <code>security</code> group and the <code>security</code> group is part of the <code>app</code> component, regular expressions are no longer suited. But a parser is. Because we can navigate the parse tree and adjust the filter settings as follows.</p>



<div class="wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(2 * 0.6 * .875rem);--cbp-line-highlight-color:rgba(234, 191, 191, 0.2);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span style="display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7">6) DemoFindVulnerability2.java with extended filter</span><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>//DEPS com.grisselbav:apexlang-parser:0.2.0

import com.grisselbav.apexlang.grammar.*;

class DemoFindVulnerability2 {
    public static void main(String[] args) {
        var apxSource = """
                app UT (
                    name: Universal Theme 26.1 Reference
                    version: 26.1.0
                    // ... removed code ...
                    authorization {
                        runOnPublicPages: true
                    }
                    security {
                        deepLinking: true
                        embedInFrames: allow
                        runtimeApiUsage: modifyThisApp
                    }
                    sessionStateProtection {
                        allowUrlsCreatedAfter: 1999-08-04T00:00:00
                        checksumSalt: 75BAAC4002F8CA56EF54FD242CCE7719B1AB85BE339E930260B3EC8EA3879365
                    }
                    // ... removed code ...
                )
                """;
        var doc = ApexLangDocument.parse(apxSource);
        var violations = doc.getAllContentsOfType(ApexLangParser.PropertyContext.class)
                .stream()
                .filter(p -> p.name.getText().equals("embedInFrames")
                        &amp;&amp; p.value().getText().equals("allow")
                        &amp;&amp; p.parent.parent instanceof ApexLangParser.GroupContext g
                        &amp;&amp; g.name.getText().equals("security")
                        &amp;&amp; g.parent.parent.parent instanceof ApexLangParser.ComponentContext c
                        &amp;&amp; c.type.getText().equals("app"))
                .toList();
        for (var violation : violations) {
            System.err.println("Found vulnerability: " + violation.getText());
        }
    }
}</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #6A9955">//DEPS com.grisselbav:apexlang-parser:0.2.0</span></span>
<span class="line"></span>
<span class="line"><span style="color: #569CD6">import</span><span style="color: #D4D4D4"> com.grisselbav.apexlang.grammar.*;</span></span>
<span class="line"></span>
<span class="line"><span style="color: #569CD6">class</span><span style="color: #D4D4D4"> </span><span style="color: #4EC9B0">DemoFindVulnerability2</span><span style="color: #D4D4D4"> {</span></span>
<span class="line"><span style="color: #D4D4D4">    </span><span style="color: #569CD6">public</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">static</span><span style="color: #D4D4D4"> </span><span style="color: #4EC9B0">void</span><span style="color: #D4D4D4"> </span><span style="color: #DCDCAA">main</span><span style="color: #D4D4D4">(</span><span style="color: #4EC9B0">String</span><span style="color: #D4D4D4">[] </span><span style="color: #9CDCFE">args</span><span style="color: #D4D4D4">) {</span></span>
<span class="line"><span style="color: #D4D4D4">        </span><span style="color: #569CD6">var</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">apxSource</span><span style="color: #D4D4D4"> = </span><span style="color: #CE9178">&quot;&quot;&quot;</span></span>
<span class="line"><span style="color: #CE9178">                app UT (</span></span>
<span class="line"><span style="color: #CE9178">                    name: Universal Theme 26.1 Reference</span></span>
<span class="line"><span style="color: #CE9178">                    version: 26.1.0</span></span>
<span class="line"><span style="color: #CE9178">                    // ... removed code ...</span></span>
<span class="line"><span style="color: #CE9178">                    authorization {</span></span>
<span class="line"><span style="color: #CE9178">                        runOnPublicPages: true</span></span>
<span class="line"><span style="color: #CE9178">                    }</span></span>
<span class="line"><span style="color: #CE9178">                    security {</span></span>
<span class="line"><span style="color: #CE9178">                        deepLinking: true</span></span>
<span class="line"><span style="color: #CE9178">                        embedInFrames: allow</span></span>
<span class="line"><span style="color: #CE9178">                        runtimeApiUsage: modifyThisApp</span></span>
<span class="line"><span style="color: #CE9178">                    }</span></span>
<span class="line"><span style="color: #CE9178">                    sessionStateProtection {</span></span>
<span class="line"><span style="color: #CE9178">                        allowUrlsCreatedAfter: 1999-08-04T00:00:00</span></span>
<span class="line"><span style="color: #CE9178">                        checksumSalt: 75BAAC4002F8CA56EF54FD242CCE7719B1AB85BE339E930260B3EC8EA3879365</span></span>
<span class="line"><span style="color: #CE9178">                    }</span></span>
<span class="line"><span style="color: #CE9178">                    // ... removed code ...</span></span>
<span class="line"><span style="color: #CE9178">                )</span></span>
<span class="line"><span style="color: #CE9178">                &quot;&quot;&quot;</span><span style="color: #D4D4D4">;</span></span>
<span class="line"><span style="color: #D4D4D4">        </span><span style="color: #569CD6">var</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">doc</span><span style="color: #D4D4D4"> = </span><span style="color: #9CDCFE">ApexLangDocument</span><span style="color: #D4D4D4">.</span><span style="color: #DCDCAA">parse</span><span style="color: #D4D4D4">(apxSource);</span></span>
<span class="line"><span style="color: #D4D4D4">        </span><span style="color: #569CD6">var</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">violations</span><span style="color: #D4D4D4"> = </span><span style="color: #9CDCFE">doc</span><span style="color: #D4D4D4">.</span><span style="color: #DCDCAA">getAllContentsOfType</span><span style="color: #D4D4D4">(</span><span style="color: #9CDCFE">ApexLangParser</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">PropertyContext</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">class</span><span style="color: #D4D4D4">)</span></span>
<span class="line"><span style="color: #D4D4D4">                .</span><span style="color: #DCDCAA">stream</span><span style="color: #D4D4D4">()</span></span>
<span class="line"><span style="color: #D4D4D4">                .</span><span style="color: #DCDCAA">filter</span><span style="color: #D4D4D4">(p </span><span style="color: #569CD6">-&gt;</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">p</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">name</span><span style="color: #D4D4D4">.</span><span style="color: #DCDCAA">getText</span><span style="color: #D4D4D4">().</span><span style="color: #DCDCAA">equals</span><span style="color: #D4D4D4">(</span><span style="color: #CE9178">&quot;embedInFrames&quot;</span><span style="color: #D4D4D4">)</span></span>
<span class="line cbp-line-highlight"><span style="color: #D4D4D4">                        &amp;&amp; </span><span style="color: #9CDCFE">p</span><span style="color: #D4D4D4">.</span><span style="color: #DCDCAA">value</span><span style="color: #D4D4D4">().</span><span style="color: #DCDCAA">getText</span><span style="color: #D4D4D4">().</span><span style="color: #DCDCAA">equals</span><span style="color: #D4D4D4">(</span><span style="color: #CE9178">&quot;allow&quot;</span><span style="color: #D4D4D4">)</span></span>
<span class="line cbp-line-highlight"><span style="color: #D4D4D4">                        &amp;&amp; </span><span style="color: #9CDCFE">p</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">parent</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">parent</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">instanceof</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">ApexLangParser</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">GroupContext</span><span style="color: #D4D4D4"> g</span></span>
<span class="line cbp-line-highlight"><span style="color: #D4D4D4">                        &amp;&amp; </span><span style="color: #9CDCFE">g</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">name</span><span style="color: #D4D4D4">.</span><span style="color: #DCDCAA">getText</span><span style="color: #D4D4D4">().</span><span style="color: #DCDCAA">equals</span><span style="color: #D4D4D4">(</span><span style="color: #CE9178">&quot;security&quot;</span><span style="color: #D4D4D4">)</span></span>
<span class="line cbp-line-highlight"><span style="color: #D4D4D4">                        &amp;&amp; </span><span style="color: #9CDCFE">g</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">parent</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">parent</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">parent</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">instanceof</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">ApexLangParser</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">ComponentContext</span><span style="color: #D4D4D4"> c</span></span>
<span class="line cbp-line-highlight"><span style="color: #D4D4D4">                        &amp;&amp; </span><span style="color: #9CDCFE">c</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">type</span><span style="color: #D4D4D4">.</span><span style="color: #DCDCAA">getText</span><span style="color: #D4D4D4">().</span><span style="color: #DCDCAA">equals</span><span style="color: #D4D4D4">(</span><span style="color: #CE9178">&quot;app&quot;</span><span style="color: #D4D4D4">))</span></span>
<span class="line"><span style="color: #D4D4D4">                .</span><span style="color: #DCDCAA">toList</span><span style="color: #D4D4D4">();</span></span>
<span class="line"><span style="color: #D4D4D4">        </span><span style="color: #C586C0">for</span><span style="color: #D4D4D4"> (</span><span style="color: #569CD6">var</span><span style="color: #D4D4D4"> </span><span style="color: #9CDCFE">violation</span><span style="color: #D4D4D4"> </span><span style="color: #C586C0">:</span><span style="color: #D4D4D4"> violations) {</span></span>
<span class="line"><span style="color: #D4D4D4">            </span><span style="color: #9CDCFE">System</span><span style="color: #D4D4D4">.</span><span style="color: #9CDCFE">err</span><span style="color: #D4D4D4">.</span><span style="color: #DCDCAA">println</span><span style="color: #D4D4D4">(</span><span style="color: #CE9178">&quot;Found vulnerability: &quot;</span><span style="color: #D4D4D4"> + </span><span style="color: #9CDCFE">violation</span><span style="color: #D4D4D4">.</span><span style="color: #DCDCAA">getText</span><span style="color: #D4D4D4">());</span></span>
<span class="line"><span style="color: #D4D4D4">        }</span></span>
<span class="line"><span style="color: #D4D4D4">    }</span></span>
<span class="line"><span style="color: #D4D4D4">}</span></span></code></pre></div>



<h2 id="integration-into-dblinter" class="wp-block-heading">Integration Into dbLinter</h2>



<p class="wp-block-paragraph">The APEX-SERT &#8220;Embed in Frames&#8221; rule has been added to the dbLinter repository as rule <a href="https://dblinter.app/ords/r/dblinter/dblinter-console/rules#P1000_SHOW_RULE=core%20a-1010" target="_blank" rel="noreferrer noopener">A-1010: Never allow application pages within an HTML frame</a>. The VS Code extension, the CLI and the SonarQube plugin now support checks implemented for APEXlang.</p>



<p class="wp-block-paragraph">Here&#8217;s a short silent video that demonstrates how this security vulnerability is detected and quickly fixed.</p>



<figure class="wp-block-video"><video height="720" style="aspect-ratio: 1280 / 720;" width="1280" controls src="https://www.salvis.com/blog/wp-content/uploads/2026/06/dblinter-a1010.mp4"></video></figure>



<h2 id="conclusion" class="wp-block-heading">Conclusion</h2>



<p class="wp-block-paragraph">The APEXlang grammar is intentionally simple through focusing on structural elements, leaving semantic validation, such as valid property values, to the APEXlang compiler in SQLcl, SQL Developer and VS Code.</p>



<p class="wp-block-paragraph">Integrating the APEXlang parser into dbLinter was straightforward, as was implementing the first APEXlang-based dbLinter rule.</p>



<p class="wp-block-paragraph">The next step is to identify which additional rules would be beneficial to bring to dbLinter. If you have any suggestions, please let me know. Even better, open a GitHub issue in the <a href="https://github.com/Grisselbav/dbLinter" target="_blank" rel="noreferrer noopener">dbLinter GitHub repository</a>. </p>



<p class="wp-block-paragraph">Thank you.</p>



<p class="wp-block-paragraph"></p>
<p>The post <a href="https://www.salvis.com/blog/2026/06/29/detecting-security-vulnerabilities-with-the-apexlang-parser/">Detecting Security Vulnerabilities With the APEXlang Parser</a> appeared first on <a href="https://www.salvis.com/blog">Philipp Salvisberg&#039;s Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.salvis.com/blog/2026/06/29/detecting-security-vulnerabilities-with-the-apexlang-parser/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		<enclosure url="https://www.salvis.com/blog/wp-content/uploads/2026/06/dblinter-a1010.mp4" length="2752429" type="video/mp4" />

			</item>
		<item>
		<title>Syntax Diagrams for APEXlang</title>
		<link>https://www.salvis.com/blog/2026/06/19/syntax-diagrams-for-apexlang/</link>
					<comments>https://www.salvis.com/blog/2026/06/19/syntax-diagrams-for-apexlang/#comments</comments>
		
		<dc:creator><![CDATA[Philipp Salvisberg]]></dc:creator>
		<pubDate>Fri, 19 Jun 2026 14:22:37 +0000</pubDate>
				<category><![CDATA[Oracle]]></category>
		<category><![CDATA[APEXlang]]></category>
		<category><![CDATA[dbLinter]]></category>
		<guid isPermaLink="false">https://www.salvis.com/blog/?p=19515</guid>

					<description><![CDATA[<p>Introduction The APEXlang API Reference documentation went live a few days ago. You can also download the APEXlang EBNF grammar. In this post, Kris Rice explains the value of having an EBNF. Since the APEXlang grammar is available as EBNF, it can be used to generate syntax diagrams. These diagrams (also known<span class="excerpt-hellip"> […]</span></p>
<p>The post <a href="https://www.salvis.com/blog/2026/06/19/syntax-diagrams-for-apexlang/">Syntax Diagrams for APEXlang</a> appeared first on <a href="https://www.salvis.com/blog">Philipp Salvisberg&#039;s Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h2 id="introduction" class="wp-block-heading">Introduction</h2>



<p class="wp-block-paragraph">The <a href="https://docs.oracle.com/en/database/oracle/apex/26.1/apxln/" target="_blank" rel="noreferrer noopener">APEXlang API Reference documentation</a> went live a few days ago. You can also download the APEXlang EBNF grammar. In <a href="https://www.linkedin.com/pulse/apexlang-now-has-published-ebnf-grammar-heres-what-unlocks-kris-rice-5tsoc/" type="link" id="https://www.linkedin.com/pulse/apexlang-now-has-published-ebnf-grammar-heres-what-unlocks-kris-rice-5tsoc/" target="_blank" rel="noreferrer noopener">this post</a>, Kris Rice explains the value of having an EBNF.</p>



<p class="wp-block-paragraph">Since the APEXlang grammar is available as EBNF, it can be used to generate <a href="https://en.wikipedia.org/wiki/Syntax_diagram" type="link" id="https://en.wikipedia.org/wiki/Syntax_diagram" target="_blank" rel="noreferrer noopener">syntax diagrams</a>. These diagrams (also known as railroad diagrams) make the language easier to explore and provide a visual complement to the API Reference.</p>



<p class="wp-block-paragraph">In this blog post, I explain how to produce the syntax diagrams for APEXlang. </p>



<h2 id="what-is-ebnf" class="wp-block-heading">What Is EBNF</h2>



<p class="wp-block-paragraph">Wikipedia describes the <a href="https://en.wikipedia.org/wiki/Extended_Backus%E2%80%93Naur_form" target="_blank" rel="noreferrer noopener">Extended Backus-Naur Form</a>. However, it&#8217;s important to notice that there are several variants of EBNF. </p>



<h2 id="apexlang-ebnf" class="wp-block-heading">APEXlang EBNF</h2>



<p class="wp-block-paragraph">The APEXlang EBNF grammar uses a variant of the BNF in the SQL:2023 standard, with some extensions explained at the top of the <a href="https://docs.oracle.com/en/database/oracle/apex/26.1/apxln/apexlang.ebnf" type="link" id="https://docs.oracle.com/en/database/oracle/apex/26.1/apxln/apexlang.ebnf" target="_blank" rel="noreferrer noopener">apexlang.ebnf</a> file.</p>



<div class="wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);--cbp-line-highlight-color:rgba(234, 191, 191, 0.2);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span style="display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7">1) Syntax conventions in apexlang.ebnf</span><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>(* Syntax conventions
   &lt;nl> is significant: component declarations, groups, properties, and closing delimiters are line-oriented.
   &#91; X &#93; means optional X. { X } means zero or more X. A | B means either A or B.
*)</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #6A9955">(* Syntax conventions</span></span>
<span class="line"><span style="color: #6A9955">   &lt;nl&gt; is significant: component declarations, groups, properties, and closing delimiters are line-oriented.</span></span>
<span class="line cbp-line-highlight"><span style="color: #6A9955">   &#91; X &#93; means optional X. { X } means zero or more X. A | B means either A or B.</span></span>
<span class="line"><span style="color: #6A9955">*)</span></span></code></pre></div>



<p class="wp-block-paragraph">Square brackets <code>[]</code> indicate optionality, while curly brackets <code>{}</code> enclose a repeated group as defined in <a href="https://www.cl.cam.ac.uk/~mgk25/iso-14977.pdf" target="_blank" rel="noreferrer noopener">ISO/IEC 14977</a>. However, the <code>apexlang.ebnf</code> file does not fully use this ISO EBNF standard. <code>apexlang.ebnf</code> uses <code>::=</code> while the ISO standard uses a simple <code>=</code> for symbol definitions. This variant resembles a <a href="https://en.wikipedia.org/wiki/Wirth_syntax_notation" target="_blank" rel="noreferrer noopener">Wirth EBNF</a> with comments.</p>



<p class="wp-block-paragraph">Here&#8217;s the definition of the <code>app</code> rule in the <code>apexlang.ebnf</code> file.</p>



<div class="wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-start:248;--cbp-line-number-width:calc(3 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span style="display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7">2) app rule in apexlang.ebnf</span><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>&lt;app> ::= "app" &#91; &lt;required-ws> &lt;component-id> &#93; &lt;ws> "(" &lt;line-end> { &lt;app-body-line> } &lt;indent> ")" &lt;line-end></textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #569CD6">&lt;</span><span style="color: #D4D4D4">app</span><span style="color: #569CD6">&gt;</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">::=</span><span style="color: #D4D4D4"> </span><span style="color: #CE9178">&quot;app&quot;</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">&#91;</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">&lt;</span><span style="color: #D4D4D4">required</span><span style="color: #569CD6">-</span><span style="color: #D4D4D4">ws</span><span style="color: #569CD6">&gt;</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">&lt;</span><span style="color: #D4D4D4">component</span><span style="color: #569CD6">-</span><span style="color: #D4D4D4">id</span><span style="color: #569CD6">&gt;</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">&#93;</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">&lt;</span><span style="color: #D4D4D4">ws</span><span style="color: #569CD6">&gt;</span><span style="color: #D4D4D4"> </span><span style="color: #CE9178">&quot;(&quot;</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">&lt;</span><span style="color: #D4D4D4">line</span><span style="color: #569CD6">-end&gt;</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">{</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">&lt;</span><span style="color: #D4D4D4">app</span><span style="color: #569CD6">-</span><span style="color: #D4D4D4">body</span><span style="color: #569CD6">-</span><span style="color: #D4D4D4">line</span><span style="color: #569CD6">&gt;</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">}</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">&lt;</span><span style="color: #D4D4D4">indent</span><span style="color: #569CD6">&gt;</span><span style="color: #D4D4D4"> </span><span style="color: #CE9178">&quot;)&quot;</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">&lt;</span><span style="color: #D4D4D4">line</span><span style="color: #569CD6">-end&gt;</span></span></code></pre></div>



<h2 id="syntax-diagram" class="wp-block-heading">Syntax Diagram</h2>



<p class="wp-block-paragraph">This is the syntax diagram, or railroad diagram, for the app rule.</p>



<figure class="wp-block-image size-full"><a href="https://www.salvis.com/blog/wp-content/uploads/2026/06/app.svg"><img decoding="async" src="https://www.salvis.com/blog/wp-content/uploads/2026/06/app.svg" alt="" class="wp-image-19562"/></a></figure>



<p class="wp-block-paragraph">I produced this syntax diagram with the <a href="https://www.bottlecaps.de/rr/ui" target="_blank" rel="noreferrer noopener">Railroad Diagram Generator (RR)</a> by Gunter Rademacher. However, this tool requires a <a href="https://www.w3.org/TR/xml/#sec-notation">W3</a><a href="https://www.w3.org/TR/xml/#sec-notation" target="_blank" rel="noreferrer noopener">C EBNF</a> as input. In other words, the original <code>apexlang.ebnf</code> produces runtime errors. </p>



<h2 id="w3c-ebnf" class="wp-block-heading">W3C EBNF</h2>



<p class="wp-block-paragraph">Fortunately, it is straightforward to convert the APEXlang EBNF grammar to W3C EBNF. For the current APEXlang grammar, the conversion can be performed entirely through automated text transformations without manual edits.</p>



<p class="wp-block-paragraph">Here is a list of the most important replacement actions:</p>



<figure class="wp-block-table is-style-regular"><table><thead><tr><th class="has-text-align-left" data-align="left">Action</th><th class="has-text-align-left" data-align="left">Example From</th><th class="has-text-align-left" data-align="left">Example To</th></tr></thead><tbody><tr><td class="has-text-align-left" data-align="left">Replace multiline comments</td><td class="has-text-align-left" data-align="left"><code>(* ... *)</code></td><td class="has-text-align-left" data-align="left"><code>/* ... */</code></td></tr><tr><td class="has-text-align-left" data-align="left">Remove leading <code>&lt;</code> and trailing <code>></code> in symbol names</td><td class="has-text-align-left" data-align="left"><code>&lt;app></code></td><td class="has-text-align-left" data-align="left"><code>app</code></td></tr><tr><td class="has-text-align-left" data-align="left">Use expression and <code>?</code> to express optionality</td><td class="has-text-align-left" data-align="left"><code>[ ... ]</code></td><td class="has-text-align-left" data-align="left"><code>( ... )?</code></td></tr><tr><td class="has-text-align-left" data-align="left">Use expression and <code>*</code> for repetitions</td><td class="has-text-align-left" data-align="left"><code>{ ... }</code></td><td class="has-text-align-left" data-align="left"><code>( ... )*</code></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">The rule <code>app</code> in W3C EBNF looks as follows after applying these changes:</p>



<div class="wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-start:248;--cbp-line-number-width:calc(3 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span style="display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7">3) app rule in apexlang.w3c.ebnf</span><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>app ::= "app" ( required-ws component-id )? ws "(" line-end ( app-body-line )* indent ")" line-end</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #D4D4D4">app </span><span style="color: #569CD6">::=</span><span style="color: #D4D4D4"> </span><span style="color: #CE9178">&quot;app&quot;</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">(</span><span style="color: #D4D4D4"> required</span><span style="color: #569CD6">-</span><span style="color: #D4D4D4">ws component</span><span style="color: #569CD6">-</span><span style="color: #D4D4D4">id </span><span style="color: #569CD6">)</span><span style="color: #D4D4D4">? ws </span><span style="color: #CE9178">&quot;(&quot;</span><span style="color: #D4D4D4"> line</span><span style="color: #569CD6">-end</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">(</span><span style="color: #D4D4D4"> app</span><span style="color: #569CD6">-</span><span style="color: #D4D4D4">body</span><span style="color: #569CD6">-</span><span style="color: #D4D4D4">line </span><span style="color: #569CD6">)*</span><span style="color: #D4D4D4"> indent </span><span style="color: #CE9178">&quot;)&quot;</span><span style="color: #D4D4D4"> line</span><span style="color: #569CD6">-end</span></span></code></pre></div>



<p class="wp-block-paragraph">See <a href="https://github.com/Grisselbav/APEXlang/blob/main/Convert.java" type="link" id="https://github.com/Grisselbav/APEXlang/blob/main/Convert.java" target="_blank" rel="noreferrer noopener">Convert.java</a> for the complete conversion program. </p>



<h2 id="syntax-diagrams-on-github" class="wp-block-heading">Syntax Diagrams on GitHub</h2>



<p class="wp-block-paragraph">You cannot produce the complete syntax diagrams in the online version of the Railroad Diagram Generator because the APEXlang grammar is huge, and you will get a timeout when trying.</p>



<p class="wp-block-paragraph">So, you need to run the tool locally. I&#8217;ve created a <a href="https://github.com/Grisselbav/APEXlang/blob/main/.github/workflows/ci.yml" type="link" id="https://github.com/Grisselbav/APEXlang/blob/main/.github/workflows/ci.yml" target="_blank" rel="noreferrer noopener">GitHub workflow</a> that downloads <code>apexlang.ebnf</code>, converts it to a W3C EBNF, and generates an HTML file containing all syntax diagrams. Finally, the workflow publishes the result:</p>



<ul class="wp-block-list">
<li><a href="https://grisselbav.github.io/APEXlang/apexlang.w3c.ebnf.txt" target="_blank" rel="noreferrer noopener">APEXlang grammar converted to W3C EBNF</a> </li>



<li><a href="https://grisselbav.github.io/APEXlang/apexlang.html#app" type="link" id="https://grisselbav.github.io/APEXlang/apexlang.html#app" target="_blank" rel="noreferrer noopener">APEXlang syntax diagrams produced by RR</a></li>
</ul>



<p class="wp-block-paragraph">The advantage of syntax diagrams is that they show all usages of a symbol, allowing you to navigate quickly to the relevant definition.</p>



<h2 id="outlook" class="wp-block-heading">Outlook</h2>



<p class="wp-block-paragraph">The next step is to build a parser for APEXlang and use this as the basis for linting. This would enable APEXlang source code to be automatically validated, helping both developers and AI agents to produce code that conforms to defined quality standards.</p>



<p class="wp-block-paragraph">Looking further ahead, we are considering providing full support for APEXlang within the <a href="https://www.united-codes.com/products/dblinter/" type="link" id="https://www.united-codes.com/products/dblinter/" target="_blank" rel="noreferrer noopener">dbLinter tool suite</a>. Currently, dbLinter analyses only SQL and PL/SQL code blocks embedded in APEXlang files. Full APEXlang support is a natural evolution. Stay tuned!</p>



<p class="wp-block-paragraph"></p>
<p>The post <a href="https://www.salvis.com/blog/2026/06/19/syntax-diagrams-for-apexlang/">Syntax Diagrams for APEXlang</a> appeared first on <a href="https://www.salvis.com/blog">Philipp Salvisberg&#039;s Blog</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.salvis.com/blog/2026/06/19/syntax-diagrams-for-apexlang/feed/</wfw:commentRss>
			<slash:comments>3</slash:comments>
		
		
			</item>
		<item>
		<title>Fighting Bad PL/SQL &#038; SQL with VS Code</title>
		<link>https://www.salvis.com/blog/2026/01/02/fighting-bad-pl-sql-sql-with-vs-code/</link>
		
		<dc:creator><![CDATA[Philipp Salvisberg]]></dc:creator>
		<pubDate>Fri, 02 Jan 2026 21:05:10 +0000</pubDate>
				<category><![CDATA[Oracle]]></category>
		<category><![CDATA[Code Analysis]]></category>
		<category><![CDATA[dbLinter]]></category>
		<category><![CDATA[PL/SQL]]></category>
		<category><![CDATA[SQL]]></category>
		<category><![CDATA[VSCode]]></category>
		<guid isPermaLink="false">https://www.salvis.com/blog/?p=14289</guid>

					<description><![CDATA[<p>The success of a project or product depends largely on the quality of the code. But how can I improve security, maintainability or performance? More importantly, how can I prevent code with quality defects from entering production? In addition to testing, code analysis plays a central role. These days, code can be<span class="excerpt-hellip"> […]</span></p>
<p>The post <a href="https://www.salvis.com/blog/2026/01/02/fighting-bad-pl-sql-sql-with-vs-code/">Fighting Bad PL/SQL &amp; SQL with VS Code</a> appeared first on <a href="https://www.salvis.com/blog">Philipp Salvisberg&#039;s Blog</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p class="wp-block-paragraph">The success of a project or product depends largely on the quality of the code. But how can I improve security, maintainability or performance? More importantly, how can I prevent code with quality defects from entering production? In addition to testing, code analysis plays a central role. These days, code can be checked not only in CI/CD pipelines, but also during development. Modern IDEs, such as Visual Studio Code, can automatically detect quality issues and offer quick fixes. The goal is a fast feedback loop.</p>



<p class="wp-block-paragraph">This blog post is based on my German article with the same title, published in issue 1/2026 of the <a href="https://www.salvis.com/blog/wp-content/uploads/2026/02/01_2026-Red_Stack_Magazin-DTk-WEB-Philipp_Salvisberg_Fighting_Bad_PLSQL__SQL_with_VS_Code.pdf" target="_blank" rel="noreferrer noopener nofollow">Red Stack Magazin</a>.</p>



<h2 class="wp-block-heading" id="measuring-software-quality">Measuring Software Quality</h2>



<p class="wp-block-paragraph">Imagine you are part of a team where code changes to a feature or bug fix branch are only merged into the develop or main branch following a review. Sometimes you are the author and sometimes one of the reviewers. I am currently part of a team that works in this way. In addition to quality assurance, knowledge sharing is also an important aspect. But how can we assess code quality?</p>



<figure class="wp-block-image is-style-default"><a href="https://www.osnews.com/story/19266/wtfsm/" target="_blank" rel=" noreferrer noopener"><img decoding="async" width="500" height="471" src="https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-1-wtfm.jpg" alt="" class="wp-image-14292" srcset="https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-1-wtfm.jpg 500w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-1-wtfm-300x283.jpg 300w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-1-wtfm-80x75.jpg 80w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-1-wtfm-480x452.jpg 480w" sizes="(max-width:767px) 480px, 500px" /></a><figcaption class="wp-element-caption">Figure 1: WTFs/m</figcaption></figure>



<p class="wp-block-paragraph">This well-known meme by Thom Holwerda says, &#8220;The only valid measurement of code quality is WTFs per minute.&#8221; This seems to be a good metric. However, this metric does have some flaws.</p>



<ul class="wp-block-list">
<li>It is subjective.</li>



<li>It does not provide any information about what is being assessed.</li>



<li>It does not help new team members to adapt quickly.</li>



<li>And it cannot be automated in a meaningful way.</li>
</ul>



<p class="wp-block-paragraph">Sooner or later, a team has no choice but to agree on a set of rules. They can be informal or formal. Typical coding guidelines cover topics such as naming conventions, formatting, code complexity, and language usage rules. The aim is to define and comply with quality standards relating to maintainability, reliability, performance and security. Written coding guidelines also simplify the onboarding of new team members.</p>



<h2 class="wp-block-heading" id="automation">Automation</h2>



<p class="wp-block-paragraph">Manually checking compliance with coding guidelines as part of a review is so time-consuming that no one can afford to do it properly. Therefore, we have to automate as many checks as possible. This is possible for many aspects. The rest still have to be checked manually.</p>



<p class="wp-block-paragraph">In other words, we need a tool suite for automatic rule checking. <a href="https://grisselbav.github.io/dbLinter/" target="_blank" rel="noreferrer noopener nofollow">dbLinter</a> is such a tool suite. It is a new product developed and continuously improved by <a href="https://www.grisselbav.com/" target="_blank" rel="noreferrer noopener nofollow">Grisselbav</a> and <a href="https://www.united-codes.com/" target="_blank" rel="noreferrer noopener nofollow">United Codes</a>. dbLinter uses the <a href="https://github.com/IslandSQL/IslandSQL" target="_blank" rel="noreferrer noopener nofollow">IslandSQL</a> parser, which is updated quarterly with every release update of the Oracle AI Database for SQL, PL/SQL, SQL*Plus and SQLcl.</p>



<p class="wp-block-paragraph">dbLinter is the successor to the decommissioned db* CODECOP suite. dbLinter consists of a central repository, a web GUI and client tools. These include a CLI, a SonarQube plugin and a VS Code extension.</p>



<h2 class="wp-block-heading" id="visual-studio-code-extension">Visual Studio Code Extension</h2>



<p class="wp-block-paragraph">The VS Code extension is compatible with all IDEs that implement the <a href="https://code.visualstudio.com/api" target="_blank" rel="noreferrer noopener nofollow">Visual Studio Code Extension API</a>. Specifically: Visual Studio Code, Theia IDE, VSCodium, Cursor, Windsurf, Void, Kiro and Antigravity.</p>



<p class="wp-block-paragraph">dbLinter for VS Code is available in both the <a href="https://marketplace.visualstudio.com/items?itemName=Grisselbav.dblinter" target="_blank" rel="noreferrer noopener nofollow">Visual Studio Marketplace</a> and the <a href="https://open-vsx.org/extension/Grisselbav/dblinter" target="_blank" rel="noreferrer noopener nofollow">Open VSX Registry</a>. Therefore, it can be conveniently installed directly from the IDE. The extension is free to use as part of the Anonymous and Starter plans (see <a href="https://www.united-codes.com/products/dblinter/#pricing" target="_blank" rel="noreferrer noopener nofollow">dbLinter Pricing Plans</a>).</p>



<p class="wp-block-paragraph">It is important to note that your code is always analysed locally, meaning that it never leaves your network. The configuration is read from the central repository, enabling the client to identify the active rules and parameters. These configurations, along with others, are managed using the <a href="https://dblinter.app/" target="_blank" rel="noreferrer noopener nofollow">Web GUI</a>.</p>



<figure class="wp-block-image size-full"><a href="https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-2-dblinter-regel-konfiguration-im-web-gui.png"><img loading="lazy" decoding="async" width="1228" height="1088" src="https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-2-dblinter-regel-konfiguration-im-web-gui.png" alt="" class="wp-image-14313" srcset="https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-2-dblinter-regel-konfiguration-im-web-gui.png 1228w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-2-dblinter-regel-konfiguration-im-web-gui-300x266.png 300w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-2-dblinter-regel-konfiguration-im-web-gui-1024x907.png 1024w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-2-dblinter-regel-konfiguration-im-web-gui-768x680.png 768w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-2-dblinter-regel-konfiguration-im-web-gui-85x75.png 85w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-2-dblinter-regel-konfiguration-im-web-gui-480x425.png 480w" sizes="auto, (max-width:767px) 480px, (max-width:1228px) 100vw, 1228px" /></a><figcaption class="wp-element-caption">Figure 2: dbLinter rule configuration in the Web GUI</figcaption></figure>



<p class="wp-block-paragraph">dbLinter currently offers 187 rules. This includes all the rules from the decommissioned Trivadis PL/SQL &amp; SQL Coding Guidelines. Figure 2 shows the configuration of my 14 favourite rules. A violation of one of these rules is a bug. There is almost no room for interpretation here. The following chapters provide two examples.</p>



<h2 class="wp-block-heading top-n-queries-with-rownum">Top-N Queries with ROWNUM</h2>



<p class="wp-block-paragraph">The query in Listing 1 is based on the well-known <code>EMP</code> table owned by the database user <code>SCOTT</code>. It returns two rows.</p>



<div class="wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span style="display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7">Listing 1: Defective pre-12c-style top-n query</span><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>select ename,
       sal,
       hiredate,
       rownum as rank
  from emp
 where rownum &lt;= 2
 order by sal desc;</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #569CD6">select</span><span style="color: #D4D4D4"> ename,</span></span>
<span class="line"><span style="color: #D4D4D4">       sal,</span></span>
<span class="line"><span style="color: #D4D4D4">       hiredate,</span></span>
<span class="line"><span style="color: #D4D4D4">       </span><span style="color: #569CD6">rownum</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">as</span><span style="color: #D4D4D4"> </span><span style="color: #DCDCAA">rank</span></span>
<span class="line"><span style="color: #D4D4D4">  </span><span style="color: #569CD6">from</span><span style="color: #D4D4D4"> emp</span></span>
<span class="line"><span style="color: #D4D4D4"> </span><span style="color: #569CD6">where</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">rownum</span><span style="color: #D4D4D4"> &lt;= </span><span style="color: #B5CEA8">2</span></span>
<span class="line"><span style="color: #D4D4D4"> </span><span style="color: #569CD6">order by</span><span style="color: #D4D4D4"> sal </span><span style="color: #569CD6">desc</span><span style="color: #D4D4D4">;</span></span></code></pre></div>



<div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>ENAME             SAL HIREDATE         RANK
---------- ---------- ---------- ----------
ALLEN            1600 20.02.1981          2
SMITH             800 17.12.1980          1</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #D4D4D4">ENAME             SAL HIREDATE         RANK</span></span>
<span class="line"><span style="color: #D4D4D4">---------- ---------- ---------- ----------</span></span>
<span class="line"><span style="color: #D4D4D4">ALLEN            1600 20.02.1981          2</span></span>
<span class="line"><span style="color: #D4D4D4">SMITH             800 17.12.1980          1</span></span></code></pre></div>



<p class="wp-block-paragraph">However, the result barely meets the requirements. I would have expected the two employees with the highest salaries to be returned. Why is this not the case? The query is formulated in such a way that two rows are randomly selected and then sorted in descending order by salary. The result depends on the execution plan and the physical storage of the data.</p>



<figure class="wp-block-image size-full"><a href="https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-3-g-3185-regelverletzung-in-vs-code.png"><img loading="lazy" decoding="async" width="913" height="448" src="https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-3-g-3185-regelverletzung-in-vs-code.png" alt="" class="wp-image-14323" srcset="https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-3-g-3185-regelverletzung-in-vs-code.png 913w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-3-g-3185-regelverletzung-in-vs-code-300x147.png 300w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-3-g-3185-regelverletzung-in-vs-code-768x377.png 768w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-3-g-3185-regelverletzung-in-vs-code-150x75.png 150w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-3-g-3185-regelverletzung-in-vs-code-480x236.png 480w" sizes="auto, (max-width:767px) 480px, (max-width:913px) 100vw, 913px" /></a><figcaption class="wp-element-caption">Figure 3: Violation of rule G-3185 in VS Code</figcaption></figure>



<p class="wp-block-paragraph">In VS Code, rule violations are displayed under <code>Problems</code> (see Figure 3). There is also a <a href="https://dblinter.app/ords/r/dblinter/dblinter-console/rules#P1000_SHOW_RULE=core%20g-3185" target="_blank" rel="noreferrer noopener nofollow">Core G-3185</a> link that opens the rule details in the Web GUI.</p>



<figure class="wp-block-image size-full"><a href="https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-4-g-3185-im-dblinter-web-gui-2.png"><img loading="lazy" decoding="async" width="982" height="1490" src="https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-4-g-3185-im-dblinter-web-gui-2.png" alt="" class="wp-image-14330" srcset="https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-4-g-3185-im-dblinter-web-gui-2.png 982w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-4-g-3185-im-dblinter-web-gui-2-198x300.png 198w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-4-g-3185-im-dblinter-web-gui-2-675x1024.png 675w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-4-g-3185-im-dblinter-web-gui-2-768x1165.png 768w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-4-g-3185-im-dblinter-web-gui-2-49x75.png 49w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-4-g-3185-im-dblinter-web-gui-2-480x728.png 480w" sizes="auto, (max-width:767px) 480px, (max-width:982px) 100vw, 982px" /></a><figcaption class="wp-element-caption">Figure 4: Rule G-3185 in the dbLinter Web GUI</figcaption></figure>



<p class="wp-block-paragraph">Rule G-3185 in the web GUI is explained based on a similar case in the HR schema (see Figure 4). There are two solutions here. One that can be applied in all Oracle Database versions and one that works from version 12c onwards. Listing 2 shows the traditional solution, which uses an inline view. Of course, nowadays I would always prefer a solution using the <a href="https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/SELECT.html#GUID-CFA006CA-6FF1-4972-821E-6996142A51C6__BABBADDD" target="_blank" rel="noreferrer noopener nofollow">row_limiting_clause</a>.</p>



<p class="wp-block-paragraph">We can also see that the rule is used in six configurations. Clicking on &#8220;(details)&#8221; opens a pop-up window in which changes can be made. This allows you to configure the rules directly from the IDE.</p>



<div class="wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(2 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span style="display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7">Listing 2: Fixed pre-12c-style top-n query</span><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>select e.*,
       rownum as rank
  from (
          select ename,
                 sal,
                 hiredate
            from emp
           order by sal desc
       ) e
 where rownum &lt;= 2;</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #569CD6">select</span><span style="color: #D4D4D4"> e.*,</span></span>
<span class="line"><span style="color: #D4D4D4">       </span><span style="color: #569CD6">rownum</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">as</span><span style="color: #D4D4D4"> </span><span style="color: #DCDCAA">rank</span></span>
<span class="line"><span style="color: #D4D4D4">  </span><span style="color: #569CD6">from</span><span style="color: #D4D4D4"> (</span></span>
<span class="line"><span style="color: #D4D4D4">          </span><span style="color: #569CD6">select</span><span style="color: #D4D4D4"> ename,</span></span>
<span class="line"><span style="color: #D4D4D4">                 sal,</span></span>
<span class="line"><span style="color: #D4D4D4">                 hiredate</span></span>
<span class="line"><span style="color: #D4D4D4">            </span><span style="color: #569CD6">from</span><span style="color: #D4D4D4"> emp</span></span>
<span class="line"><span style="color: #D4D4D4">           </span><span style="color: #569CD6">order by</span><span style="color: #D4D4D4"> sal </span><span style="color: #569CD6">desc</span></span>
<span class="line"><span style="color: #D4D4D4">       ) e</span></span>
<span class="line"><span style="color: #D4D4D4"> </span><span style="color: #569CD6">where</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">rownum</span><span style="color: #D4D4D4"> &lt;= </span><span style="color: #B5CEA8">2</span><span style="color: #D4D4D4">;</span></span></code></pre></div>



<div class="wp-block-kevinbatdorf-code-block-pro" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>ENAME             SAL HIREDATE         RANK
---------- ---------- ---------- ----------
KING             5000 17.11.1981          1
SCOTT            3000 19.04.1987          2</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #D4D4D4">ENAME             SAL HIREDATE         RANK</span></span>
<span class="line"><span style="color: #D4D4D4">---------- ---------- ---------- ----------</span></span>
<span class="line"><span style="color: #D4D4D4">KING             5000 17.11.1981          1</span></span>
<span class="line"><span style="color: #D4D4D4">SCOTT            3000 19.04.1987          2</span></span></code></pre></div>



<h2 class="wp-block-heading nvl-vs-coalesce">NVL vs. COALESCE</h2>



<p class="wp-block-paragraph">One often underestimated rule is &#8220;<a href="https://dblinter.app/ords/r/dblinter/dblinter-console/rules#P1000_SHOW_RULE=core%20g-4230" target="_blank" rel="noreferrer noopener nofollow">G-4230</a>: Always use a COALESCE instead of a NVL command, if parameter 2 of the NVL function is a function call or a SELECT statement&#8221;. This rule is about performance, which is relevant to all of us, especially when it is poor. This is why this rule is important.</p>



<div class="wp-block-kevinbatdorf-code-block-pro cbp-has-line-numbers" data-code-block-pro-font-family="Code-Pro-JetBrains-Mono" style="font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;--cbp-line-number-color:#D4D4D4;--cbp-line-number-width:calc(1 * 0.6 * .875rem);line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)"><span style="display:flex;align-items:center;padding:10px 0px 10px 16px;margin-bottom:-2px;width:100%;text-align:left;background-color:#2b2b2b;color:#c7c7c7">Listing 3: Bad performance with NVL</span><span role="button" tabindex="0" style="color:#D4D4D4;display:none" aria-label="Copy" class="code-block-pro-copy-button"><pre class="code-block-pro-copy-button-pre" aria-hidden="true"><textarea class="code-block-pro-copy-button-textarea" tabindex="-1" aria-hidden="true" readonly>with
   function slow_function return integer is
   begin
      sys.dbms_session.sleep(0.2);
      return null;
   end slow_function;
select ename, nvl(mgr, slow_function()) as mgr
  from emp;</textarea></pre><svg xmlns="http://www.w3.org/2000/svg" style="width:24px;height:24px" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2"><path class="with-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"></path><path class="without-check" stroke-linecap="round" stroke-linejoin="round" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2"></path></svg></span><pre class="shiki dark-plus" style="background-color: #1E1E1E" tabindex="0"><code><span class="line"><span style="color: #569CD6">with</span></span>
<span class="line"><span style="color: #D4D4D4">   </span><span style="color: #569CD6">function</span><span style="color: #D4D4D4"> </span><span style="color: #DCDCAA">slow_function</span><span style="color: #D4D4D4"> </span><span style="color: #C586C0">return</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">integer</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">is</span></span>
<span class="line"><span style="color: #D4D4D4">   </span><span style="color: #569CD6">begin</span></span>
<span class="line"><span style="color: #D4D4D4">      sys.</span><span style="color: #DCDCAA">dbms_session.</span><span style="color: #4EC9B0">sleep</span><span style="color: #D4D4D4">(</span><span style="color: #B5CEA8">0.2</span><span style="color: #D4D4D4">);</span></span>
<span class="line"><span style="color: #D4D4D4">      </span><span style="color: #C586C0">return</span><span style="color: #D4D4D4"> </span><span style="color: #569CD6">null</span><span style="color: #D4D4D4">;</span></span>
<span class="line"><span style="color: #D4D4D4">   </span><span style="color: #569CD6">end</span><span style="color: #D4D4D4"> slow_function;</span></span>
<span class="line"><span style="color: #569CD6">select</span><span style="color: #D4D4D4"> ename, </span><span style="color: #DCDCAA">nvl</span><span style="color: #D4D4D4">(mgr, slow_function()) </span><span style="color: #569CD6">as</span><span style="color: #D4D4D4"> mgr</span></span>
<span class="line"><span style="color: #D4D4D4">  </span><span style="color: #569CD6">from</span><span style="color: #D4D4D4"> emp;</span></span></code></pre></div>



<p class="wp-block-paragraph">Listing 3 demonstrates a case in which the use of <code>NVL</code> results in an execution time of approximately 2.8 seconds. If <code>COALESCE</code> is used instead of <code>NVL</code>, the execution time is only about 0.2 seconds. The reason is that <code>NVL</code> always evaluates the second parameter, even if the first parameter is not null. <code>COALESCE</code> works differently: the second parameter is only evaluated if the first parameter is null. This performance difference originates from the fact that the <code>EMP</code> table contains 14 rows, but only one of these returns an empty <code>MGR</code>.</p>



<p class="wp-block-paragraph">In this case, using <code>COALESCE</code> is definitely the better solution. So, should <code>NVL</code> always be replaced by <code>COALESCE</code>? No. There are two special cases:</p>



<ol class="wp-block-list">
<li>NVL supports implicit data type conversion.<br /><code>select nvl(mgr, '1') from emp</code> works, but <code>select coalesce(mgr, '1') from emp</code> causes an <a href="https://docs.oracle.com/en/error-help/db/ora-00932/" target="_blank" rel="noreferrer noopener nofollow">ORA-00932</a> error. However, implicit type conversions should be avoided anyway. The code should be adjusted accordingly.<br /></li>



<li>Optimisations of <code>NVL</code> can lead to better execution plans.<br />Such optimisations currently only exist for <code>NVL</code> and not for <code>COALESCE</code>. Therefore, it is better to continue using <code>NVL</code> in these cases. See <a href="https://how2ora-en.blogspot.com/2025/09/the-magical-nvl-function.html" target="_blank" rel="noreferrer noopener nofollow">The Magical NVL Function</a> by Monika Lewandowska for an example. </li>
</ol>



<h5 class="wp-block-heading">Quick Fixes</h5>



<p class="wp-block-paragraph">dbLinter knows these special cases. It offers appropriate alternative solutions. See Figure 5.</p>



<figure class="wp-block-image size-full"><a href="https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-5-g-4230-quick-fixes-in-vscode.png"><img loading="lazy" decoding="async" width="1121" height="717" src="https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-5-g-4230-quick-fixes-in-vscode.png" alt="" class="wp-image-14346" srcset="https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-5-g-4230-quick-fixes-in-vscode.png 1121w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-5-g-4230-quick-fixes-in-vscode-300x192.png 300w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-5-g-4230-quick-fixes-in-vscode-1024x655.png 1024w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-5-g-4230-quick-fixes-in-vscode-768x491.png 768w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-5-g-4230-quick-fixes-in-vscode-117x75.png 117w, https://www.salvis.com/blog/wp-content/uploads/2026/01/abbildung-5-g-4230-quick-fixes-in-vscode-480x307.png 480w" sizes="auto, (max-width:767px) 480px, (max-width:1121px) 100vw, 1121px" /></a><figcaption class="wp-element-caption">Figure 5: Quick fixes for G-4230 violation in VS Code.</figcaption></figure>



<p class="wp-block-paragraph">dbLinter can apply quick fixes to different sections. For example, for a single violation of a rule, for all violations of a rule, or for all violations of all rules in the editor window.</p>



<p class="wp-block-paragraph">The &#8220;@dbLinter ignore markers&#8221; are special comments used to ignore rule violations. There are various legitimate reasons for doing this. For example, in the case of false positives (dbLinter bugs) or exceptions to the rule. A comment such as <code>-- @dbLinter ignore(G-4230): NVL forever</code> can have the following scopes: line, statement or file, depending on where the comment is positioned.</p>



<h2 class="wp-block-heading" id="code-analysis-and-ai">Code Analysis and AI</h2>



<p class="wp-block-paragraph">The solution proposals in Figure 5, indicated by the yellow lamp symbol, are quick fixes from dbLinter. However, the last two menu options come from GitHub Copilot.</p>



<p class="wp-block-paragraph">When Copilot suggests a solution to a rule violation, dbLinter provides the necessary context, including the file and the exact location of the violation, as well as the name of the violated rule. This gives Copilot access to the rule definition online, enabling it to suggest a reasonable solution in many cases. In other words, dbLinter enhances the support offered by tools such as Copilot, Cline and Windsurf.</p>



<p class="wp-block-paragraph">Rules are useful for AI tools. They provide a framework that leads to better results. However, there is no guarantee that all rules will be followed. Ultimately, code generated or expanded by AI becomes part of our code base. This is why it is important to check AI-generated code according to the same rules as manually created code.</p>



<p class="wp-block-paragraph">In other words, AI does not enforce standards. But dbLinter can do that.</p>



<h2 class="wp-block-heading" id="conclusion">Conclusion</h2>



<p class="wp-block-paragraph">Software quality is a matter of definition. dbLinter offers many rules. Not all of them are useful and applicable to every project. The dbLinter rules can therefore be seen as a large buffet. You choose what you like and what is healthy. But not too much at once. Nevertheless, there are some rules that, in my opinion, should be followed in every project. I have presented two of them in this blog post.</p>



<p class="wp-block-paragraph">Install dbLinter for VS Code to identify the rules that will be most helpful for your projects. The rules in Figure 2 are certainly a good starting point.</p>



<p class="wp-block-paragraph">If you have any questions, please feel free to contact me. Alternatively, you can create issues directly in the <a href="https://github.com/Grisselbav/dbLinter" target="_blank" rel="noreferrer noopener nofollow">dbLinter GitHub repository</a>.</p>



<p class="wp-block-paragraph"></p>
<p>The post <a href="https://www.salvis.com/blog/2026/01/02/fighting-bad-pl-sql-sql-with-vs-code/">Fighting Bad PL/SQL &amp; SQL with VS Code</a> appeared first on <a href="https://www.salvis.com/blog">Philipp Salvisberg&#039;s Blog</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
