AvoidUsingPositionalParameter: Check if command has parameters to avoid having az in default CommandAllowList (#1850)

* AvoidUsingPositionalParameter : Check if command has parameters

* fix syntax

* remove unneeded test

* Update Rules/AvoidPositionalParameters.cs

Author: bergmeister

Engine/Helper.cs

@@ -609,14 +609,15 @@ public bool HasSplattedVariable(CommandAst cmdAst)
         /// </summary>
         /// <param name="cmdAst"></param>
         /// <returns></returns>
-        public bool IsKnownCmdletFunctionOrExternalScript(CommandAst cmdAst)
+        public bool IsKnownCmdletFunctionOrExternalScript(CommandAst cmdAst, out CommandInfo commandInfo)
         {
+            commandInfo = null;
             if (cmdAst == null)
             {
                 return false;
             }
 
-            var commandInfo = GetCommandInfo(cmdAst.GetCommandName());
+            commandInfo = GetCommandInfo(cmdAst.GetCommandName());
             if (commandInfo == null)
             {
                 return false;

Rules/AvoidPositionalParameters.cs

@@ -6,6 +6,7 @@
 using System.Management.Automation.Language;
 using Microsoft.Windows.PowerShell.ScriptAnalyzer.Generic;
 using System.Linq;
+using System.Management.Automation;
 #if !CORECLR
 using System.ComponentModel.Composition;
 #endif
@@ -21,7 +22,7 @@ namespace Microsoft.Windows.PowerShell.ScriptAnalyzer.BuiltinRules
 #endif
     public class AvoidPositionalParameters : ConfigurableRule
     {
-        [ConfigurableRuleProperty(defaultValue: new string[] { "az" })]
+        [ConfigurableRuleProperty(defaultValue: new string[] { })]
         public string[] CommandAllowList { get; set; }
 
         public AvoidPositionalParameters()
@@ -61,9 +62,11 @@ public override IEnumerable<DiagnosticRecord> AnalyzeScript(Ast ast, string file
                 // MSDN: CommandAst.GetCommandName Method
                 if (cmdAst.GetCommandName() == null) continue;
 
-                if ((Helper.Instance.IsKnownCmdletFunctionOrExternalScript(cmdAst) || declaredFunctionNames.Contains(cmdAst.GetCommandName())) &&
+                if ((Helper.Instance.IsKnownCmdletFunctionOrExternalScript(cmdAst, out CommandInfo commandInfo) || declaredFunctionNames.Contains(cmdAst.GetCommandName())) &&
                     (Helper.Instance.PositionalParameterUsed(cmdAst, true)))
                 {
+                    if (commandInfo?.CommandType == CommandTypes.Application) continue;
+
                     PipelineAst parent = cmdAst.Parent as PipelineAst;
 
                     string commandName = cmdAst.GetCommandName();

Rules/UseCmdletCorrectly.cs

@@ -100,7 +100,7 @@ private bool MandatoryParameterExists(CommandAst cmdAst)
             }
 
             // Positional parameters could be mandatory, so we assume all is well
-            if (Helper.Instance.PositionalParameterUsed(cmdAst) && Helper.Instance.IsKnownCmdletFunctionOrExternalScript(cmdAst))
+            if (Helper.Instance.PositionalParameterUsed(cmdAst) && Helper.Instance.IsKnownCmdletFunctionOrExternalScript(cmdAst, out _))
             {
                 return true;
             }

docs/Rules/AvoidUsingPositionalParameters.md

@@ -25,17 +25,17 @@ supplied. A simple example where the risk of using positional parameters is negl
 ```powershell
 Rules = @{
     PSAvoidUsingPositionalParameters = @{
-        CommandAllowList = 'az', 'Join-Path'
+        CommandAllowList = 'Join-Path', 'MyCmdletOrScript'
         Enable           = $true
     }
 }
 ```
 
 ### Parameters
 
-#### CommandAllowList: string[] (Default value is 'az')
+#### CommandAllowList: string[] (Default value is @()')
 
-Commands to be excluded from this rule. `az` is excluded by default because starting with version 2.40.0 the entrypoint of the AZ CLI became an `az.ps1` script but this script does not have any named parameters and just passes them on using `$args` as is to the Python process that it starts, therefore it is still a CLI and not a PowerShell command.
+Commands or scripts to be excluded from this rule.
 
 #### Enable: bool (Default value is `$true`)