Merge pull request #799 from forcedotcom/rm/release3.4.0-updates

rmohan20 · web-flow · commit 32ac24026de0 · 2022-08-16T14:21:20.000-07:00
@W-11606553@ 3.4.0 Release updates
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "3.3.0",
+	"version": "3.4.0",
 	"author": "ISV SWAT",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {
diff --git a/retire-js/RetireJsVulns.json b/retire-js/RetireJsVulns.json
@@ -287,10 +287,12 @@
         "jquery.validat(?:ion|e)-(§§version§§)(.min)?\\.js"
       ],
       "uri": [
-        "/(§§version§§)/jquery.validat(ion|e)(\\.min)?\\.js"
+        "/(§§version§§)/jquery.validat(ion|e)(\\.min)?\\.js",
+        "/jquery-validation@(§§version§§)/dist/.*\\.js"
       ],
       "filecontent": [
-        "/\\*!?(?:\n \\*)? jQuery Validation Plugin v(§§version§§)"
+        "/\\*!?(?:\n \\*)?[\\s]*jQuery Validation Plugin -? ?v(§§version§§)",
+        "Original file: /npm/jquery-validation@(§§version§§)/dist/jquery.validate.js"
       ],
       "hashes": {}
     }
@@ -444,9 +446,26 @@
           "https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc",
           "https://nvd.nist.gov/vuln/detail/CVE-2021-41182"
         ]
+      },
+      {
+        "below": "1.13.2",
+        "severity": "medium",
+        "identifiers": {
+          "CVE": [
+            "CVE-2022-31160"
+          ],
+          "summary": "XSS when refreshing a checkboxradio with an HTML-like initial text label "
+        },
+        "info": [
+          "https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9",
+          "https://nvd.nist.gov/vuln/detail/CVE-2022-31160"
+        ]
       }
     ],
     "extractors": {
+      "uri": [
+        "/(§§version§§)/jquery-ui(\\.min)?\\.js"
+      ],
       "filecontent": [
         "/\\*!? jQuery UI - v(§§version§§)",
         "/\\*!?[\n *]+jQuery UI (§§version§§)"
@@ -578,6 +597,10 @@
       }
     ],
     "extractors": {
+      "uri": [
+        "/prettyPhoto/(§§version§§)/js/jquery\\.prettyPhoto(\\.min?)\\.js",
+        "/prettyphoto@(§§version§§)/js/jquery\\.prettyPhoto\\.js"
+      ],
       "filecontent": [
         "/\\*[\r\n -]+Class: prettyPhoto(?:.*\n){1,3}[ ]*Version: (§§version§§)",
         "\\.prettyPhoto[ ]?=[ ]?\\{version:[ ]?(?:'|\")(§§version§§)(?:'|\")\\}"
@@ -661,8 +684,11 @@
       "filename": [
         "knockout-(§§version§§)(.min)?\\.js"
       ],
+      "uri": [
+        "/knockout/(§§version§§)/knockout(-[a-z.]+)?\\.js"
+      ],
       "filecontent": [
-        "\\* Knockout JavaScript library v(§§version§§)"
+        "(?:\\*|//) Knockout JavaScript library v(§§version§§)"
       ],
       "hashes": {}
     }
@@ -850,8 +876,12 @@
       }
     ],
     "extractors": {
+      "uri": [
+        "/tinymce/(§§version§§)/tinymce(\\.min)?\\.js"
+      ],
       "filecontent": [
-        "// (§§version§§) \\([0-9\\-]+\\)[\n\r]+.{0,1200}l=.tinymce/geom/Rect."
+        "// (§§version§§) \\([0-9\\-]+\\)[\n\r]+.{0,1200}l=.tinymce/geom/Rect.",
+        "/\\*\\*[\\s]*\\* TinyMCE version (§§version§§)"
       ],
       "filecontentreplace": [
         "/tinyMCEPreInit.*majorVersion:.([0-9]+).,minorVersion:.([0-9.]+)./$1.$2/",
@@ -1360,15 +1390,20 @@
     ],
     "extractors": {
       "uri": [
-        "/(?:v)?(§§version§§)/ember(\\.min)?\\.js"
+        "/(?:v)?(§§version§§)/ember(\\.min)?\\.js",
+        "/ember\\.?js/(§§version§§)/ember((\\.|-)[a-z\\-.]+)?\\.js"
       ],
       "filename": [
         "ember-(§§version§§)(\\.min)?\\.js"
       ],
       "filecontent": [
         "Project:   Ember -(?:.*\n){9,11}// Version: v(§§version§§)",
         "// Version: v(§§version§§)(.*\n){10,15}(Ember Debug|@module ember|@class ember)",
-        "Ember.VERSION[ ]?=[ ]?(?:'|\")(§§version§§)(?:'|\")"
+        "Ember.VERSION[ ]?=[ ]?(?:'|\")(§§version§§)(?:'|\")",
+        "meta\\.revision=\"Ember@(§§version§§)\"",
+        "e\\(\"ember/version\",\\[\"exports\"\\],function\\(e\\)\\{\"use strict\";?[\\s]*e(?:\\.|\\[\")default(?:\"\\])?=\"(§§version§§)\"",
+        "\\(\"ember/version\",\\[\"exports\"\\],function\\(e\\)\\{\"use strict\";.{1,70}\\.default=\"(§§version§§)\"",
+        "/\\*![\\s]+\\* @overview  Ember - JavaScript Application Framework[\\s\\S]{0,400}\\* @version   (§§version§§)"
       ],
       "hashes": {}
     }
@@ -1733,6 +1768,20 @@
           "https://vulnerabledoma.in/ngSanitize1.6.8_bypass.html"
         ]
       },
+      {
+        "below": "1.5.0-beta.1",
+        "severity": "medium",
+        "identifiers": {
+          "summary": "XSS through xlink:href attributes",
+          "CVE": [
+            "CVE-2019-14863"
+          ]
+        },
+        "info": [
+          "https://github.com/angular/angular.js/blob/master/CHANGELOG.md#150-beta1-dense-dispersion-2015-09-29",
+          "https://github.com/advisories/GHSA-r5fx-8r73-v86c"
+        ]
+      },
       {
         "atOrAbove": "1.3.0",
         "below": "1.5.0-rc2",
@@ -1786,6 +1835,16 @@
         "info": [
           "https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94"
         ]
+      },
+      {
+        "below": "1.999",
+        "severity": "low",
+        "identifiers": {
+          "summary": "End-of-Life: Long term support for AngularJS has been discontinued"
+        },
+        "info": [
+          "https://blog.angular.io/discontinued-long-term-support-for-angularjs-cc066b82e65a?gi=9d3103b5445c"
+        ]
       }
     ],
     "extractors": {
@@ -1829,7 +1888,7 @@
       ],
       "filecontent": [
         "//[ ]+Backbone.js (§§version§§)",
-        "a=t.Backbone={}}a.VERSION=\"(§§version§§)\""
+        "a=t.Backbone=\\{\\}\\}a.VERSION=\"(§§version§§)\""
       ],
       "hashes": {}
     }
@@ -2283,7 +2342,9 @@
       "filecontent": [
         "DOMPurify.version = '(§§version§§)';",
         "DOMPurify.version=\"(§§version§§)\"",
-        "DOMPurify=.[^\\r\\n]{10,500}\\.version=\"(§§version§§)\""
+        "DOMPurify=.[^\\r\\n]{10,850}?\\.version=\"(§§version§§)\"",
+        "/\\*! @license DOMPurify (§§version§§)",
+        "var .=\"dompurify\"+.{10,550}?\\.version=\"(§§version§§)\""
       ],
       "hashes": {}
     }
@@ -2718,7 +2779,7 @@
         "/\\*!? Bootstrap v(§§version§§)",
         "\\* Bootstrap v(§§version§§)",
         "/\\*! Bootstrap v(§§version§§)",
-        "this\\.close\\)};.\\.VERSION=\"(§§version§§)\"(?:,.\\.TRANSITION_DURATION=150)?,.\\.prototype\\.close"
+        "this\\.close\\)\\};.\\.VERSION=\"(§§version§§)\"(?:,.\\.TRANSITION_DURATION=150)?,.\\.prototype\\.close"
       ],
       "hashes": {}
     }
@@ -2992,15 +3053,20 @@
     ],
     "extractors": {
       "uri": [
-        "/vue@(§§version§§)/dist/vue\\.js"
+        "/vue@(§§version§§)/dist/vue\\.js",
+        "/vue/(§§version§§)/vue\\..*\\.js",
+        "/npm/vue@(§§version§§)"
       ],
       "filename": [
         "vue-(§§version§§)(\\.min)?\\.js"
       ],
       "filecontent": [
         "/\\*!\\n \\* Vue.js v(§§version§§)",
         "Vue.version = '(§§version§§)';",
-        "'(§§version§§)'[^\\n]{0,8000}Vue compiler"
+        "'(§§version§§)'[^\\n]{0,8000}Vue compiler",
+        "\\* Original file: /npm/vue@(§§version§§)/dist/vue.(global|common).js",
+        "const version[ ]*=[ ]*\"(§§version§§)\";[\\s]*/\\*\\*[\\s]*\\* SSR utils for \\\\@vue/server-renderer",
+        "\\.__vue_app__=.{0,8000}?const [a-z]+=\"(§§version§§)\","
       ]
     }
   },
@@ -3263,9 +3329,6 @@
         "below": "0.7.0",
         "severity": "high",
         "identifiers": {
-          "CVE": [
-            "CVE-XXXX-XXXX"
-          ],
           "bug": "SNYK-JS-ALASQL-1082932",
           "summary": "An arbitrary code execution exists as AlaSQL doesn't sanitize input when characters are placed between square brackets [] or preceded with a backtik (accent grave) ` character. Versions older that 0.7.0 were deprecated in March of 2021 and should no longer be used."
         },
@@ -3286,6 +3349,164 @@
       ]
     }
   },
+  "jquery.datatables": {
+    "vulnerabilities": [
+      {
+        "below": "1.10.10",
+        "identifiers": {
+          "summary": "possible XSS"
+        },
+        "info": [
+          "https://github.com/DataTables/DataTables/commit/6f67df2d21f9858ec40a6e9565c3a653cdb691a6"
+        ]
+      },
+      {
+        "below": "1.10.8",
+        "identifiers": {
+          "CVE": [
+            "CVE-2015-6584"
+          ],
+          "summary": "XSS"
+        },
+        "info": [
+          "https://github.com/DataTables/DataTablesSrc/commit/ccf86dc5982bd8e16d",
+          "https://www.invicti.com/web-applications-advisories/cve-2015-6384-xss-vulnerability-identified-in-datatables/"
+        ]
+      }
+    ],
+    "extractors": {
+      "uri": [
+        "/(§§version§§)/(js/)?jquery.dataTables(.min)?.js"
+      ],
+      "filename": [
+        "jquery.dataTables-(§§version§§)(\\.min)?\\.js"
+      ],
+      "filecontent": [
+        "http://www.datatables.net\n +DataTables (§§version§§)",
+        "/\\*! DataTables (§§version§§)",
+        "u.version=\"(§§version§§)\";u.settings=\\[\\];u.models=\\{\\};u.models.oSearch"
+      ]
+    }
+  },
+  "nextjs": {
+    "vulnerabilities": [
+      {
+        "atOrAbove": "10.0.0",
+        "below": "12.1.0",
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Improper CSP in Image Optimization API",
+          "CVE": [
+            "CVE-2022-23646"
+          ]
+        },
+        "info": [
+          "https://github.com/vercel/next.js/security/advisories/GHSA-fmvm-x8mv-47mj"
+        ]
+      },
+      {
+        "atOrAbove": "12.0.0",
+        "below": "12.0.9",
+        "severity": "medium",
+        "identifiers": {
+          "summary": "DOS Vulnerability for self-hosted next.js apps",
+          "CVE": [
+            "CVE-2022-21721"
+          ]
+        },
+        "info": [
+          "https://github.com/vercel/next.js/security/advisories/GHSA-wr66-vrwm-5g5x"
+        ]
+      },
+      {
+        "below": "11.1.3",
+        "severity": "high",
+        "identifiers": {
+          "summary": "Unexpected server crash in Next.js versions",
+          "CVE": [
+            "CVE-2021-43803"
+          ]
+        },
+        "info": [
+          "https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx"
+        ]
+      },
+      {
+        "atOrAbove": "12.0.0",
+        "below": "12.0.5",
+        "severity": "high",
+        "identifiers": {
+          "summary": "Unexpected server crash in Next.js versions",
+          "CVE": [
+            "CVE-2021-43803"
+          ]
+        },
+        "info": [
+          "https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx"
+        ]
+      },
+      {
+        "atOrAbove": "10.0.0",
+        "below": "11.1.1",
+        "severity": "medium",
+        "identifiers": {
+          "summary": "XSS in Image Optimization API",
+          "CVE": [
+            "CVE-2021-39178"
+          ]
+        },
+        "info": [
+          "https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m"
+        ]
+      },
+      {
+        "below": "11.1.0",
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Open Redirect in Next.js",
+          "CVE": [
+            "CVE-2021-37699"
+          ]
+        },
+        "info": [
+          "https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9"
+        ]
+      },
+      {
+        "atOrAbove": "9.5.0",
+        "below": "9.5.4",
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Open Redirect in Next.js",
+          "CVE": [
+            "CVE-2020-15242"
+          ]
+        },
+        "info": [
+          "https://github.com/vercel/next.js/security/advisories/GHSA-x56p-c8cg-q435"
+        ]
+      },
+      {
+        "below": "9.3.2",
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Directory Traversal in Next.js",
+          "CVE": [
+            "CVE-2020-5284"
+          ]
+        },
+        "info": [
+          "https://github.com/vercel/next.js/security/advisories/GHSA-fq77-7p7r-83rj"
+        ]
+      }
+    ],
+    "extractors": {
+      "filecontent": [
+        "version=\"(§§version§§)\".{1,1500}document\\.getElementById\\(\"__NEXT_DATA__\"\\)\\.textContent",
+        "document\\.getElementById\\(\"__NEXT_DATA__\"\\)\\.textContent\\);window\\.__NEXT_DATA__=.;.\\.version=\"(§§version§§)\""
+      ]
+    }
+  },
   "dont check": {
     "extractors": {
       "uri": [
diff --git a/yarn.lock b/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@salesforce/sfdx-scanner",`
`3`	`3`	`"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",`
`4`		`- "version": "3.3.0",`
	`4`	`+ "version": "3.4.0",`
`5`	`5`	`"author": "ISV SWAT",`
`6`	`6`	`"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",`
`7`	`7`	`"dependencies": {`