Merge pull request #1089 from forcedotcom/dev

RELEASE: @W-13537298@: Merging dev to release for 3.13.0

Author: jfeingold35

package.json

@@ -1,7 +1,7 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "3.12.0",
+	"version": "3.13.0",
 	"author": "ISV SWAT",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {
@@ -119,10 +119,7 @@
 		},
 		"devPlugins": [
 			"@oclif/plugin-help"
-		],
-		"hooks": {
-			"init": "./lib/lib/hooks/init"
-		}
+		]
 	},
 	"nyc": {
 		"branches": "80",

retire-js/RetireJsVulns.json

@@ -559,6 +559,7 @@
       "jquery-ui",
       "jquery.ui"
     ],
+    "npmname": "jquery-ui",
     "vulnerabilities": [
       {
         "below": "1.13.2",
@@ -671,6 +672,7 @@
       "jquery-ui",
       "jquery.ui"
     ],
+    "npmname": "jquery-ui",
     "vulnerabilities": [
       {
         "atOrAbove": "1.8.9",
@@ -728,6 +730,7 @@
       "jquery-ui",
       "jquery.ui"
     ],
+    "npmname": "jquery-ui",
     "vulnerabilities": [],
     "extractors": {
       "filecontent": [
@@ -744,6 +747,7 @@
       "jquery-ui",
       "jquery.ui"
     ],
+    "npmname": "jquery-ui",
     "vulnerabilities": [
       {
         "atOrAbove": "1.9.2",
@@ -779,6 +783,7 @@
     "bowername": [
       "jquery-prettyPhoto"
     ],
+    "basePurl": "pkg:github/scaron/prettyphoto",
     "vulnerabilities": [
       {
         "below": "3.1.5",
@@ -826,6 +831,7 @@
     "bowername": [
       "jPlayer"
     ],
+    "npmname": "jplayer",
     "vulnerabilities": [
       {
         "below": "2.3.1",
@@ -987,6 +993,7 @@
       "tinymce",
       "tinymce-dist"
     ],
+    "npmname": "tinymce",
     "vulnerabilities": [
       {
         "below": "1.4.2",
@@ -1196,6 +1203,7 @@
       "yui",
       "yui3"
     ],
+    "npmname": "yui",
     "vulnerabilities": [
       {
         "atOrAbove": "3.5.0",
@@ -2307,6 +2315,7 @@
       "angularjs",
       "angular.js"
     ],
+    "npmname": "angular",
     "vulnerabilities": [
       {
         "below": "1.8.0",
@@ -2496,6 +2505,8 @@
       "backbonejs",
       "backbone"
     ],
+    "npmname": "backbone",
+    "basePurl": "npm:npm/backbone",
     "vulnerabilities": [
       {
         "below": "0.5.0",
@@ -2532,6 +2543,8 @@
       "mustache.js",
       "mustache"
     ],
+    "npmname": "mustache",
+    "basePurl": "npm:npm/mustache",
     "vulnerabilities": [
       {
         "below": "0.3.1",
@@ -2925,6 +2938,7 @@
     }
   },
   "easyXDM": {
+    "npmname": "easyxdm",
     "vulnerabilities": [
       {
         "below": "2.4.18",
@@ -3166,6 +3180,7 @@
       "dompurify",
       "DOMPurify"
     ],
+    "npmname": "dompurify",
     "vulnerabilities": [
       {
         "below": "0.6.1",
@@ -3514,6 +3529,7 @@
     }
   },
   "DWR": {
+    "npmname": "dwr",
     "vulnerabilities": [
       {
         "below": "1.1.4",
@@ -3578,6 +3594,8 @@
       "moment",
       "momentjs"
     ],
+    "npmname": "moment",
+    "basePurl": "pkg:npm/moment",
     "vulnerabilities": [
       {
         "below": "2.11.2",
@@ -3664,8 +3682,11 @@
       "uri": [
         "/moment\\.js/(§§version§§)/moment(.min)?\\.js"
       ],
+      "filename": [
+        "moment(?:-|\\.)(§§version§§)(?:-min)?\\.js"
+      ],
       "filecontent": [
-        "//! moment.js(?:[\n\r]+)//! version : (§§version§§)",
+        "//!? moment.js(?:[\n\r]+)//!? version : (§§version§§)",
         "\\.version=\"(§§version§§)\".{300,500}\\.isMoment="
       ]
     }
@@ -3675,6 +3696,7 @@
       "Underscore",
       "underscore"
     ],
+    "npmname": "underscore",
     "vulnerabilities": [
       {
         "below": "1.12.1",
@@ -4726,6 +4748,7 @@
     }
   },
   "AlaSQL": {
+    "npmname": "alasql",
     "vulnerabilities": [
       {
         "below": "0.7.0",
@@ -4755,6 +4778,7 @@
     }
   },
   "jquery.datatables": {
+    "npmname": "datatables",
     "vulnerabilities": [
       {
         "below": "1.11.3",
@@ -5009,6 +5033,118 @@
       ]
     }
   },
+  "froala": {
+    "npmname": "froala-editor",
+    "vulnerabilities": [
+      {
+        "below": "4.0.11",
+        "severity": "medium",
+        "cwe": [
+          "CWE-79"
+        ],
+        "identifiers": {
+          "summary": "XSS vulnerability in [insert video]",
+          "issue": "3880"
+        },
+        "info": [
+          "https://github.com/froala/wysiwyg-editor/releases/tag/v4.0.11"
+        ]
+      },
+      {
+        "below": "3.2.7",
+        "severity": "high",
+        "cwe": [
+          "CWE-79"
+        ],
+        "identifiers": {
+          "summary": "Froala WYSIWYG Editor 3.2.6-1 is affected by XSS due to a namespace confusion during parsing.",
+          "CVE": [
+            "CVE-2021-28114"
+          ]
+        },
+        "info": [
+          "https://bishopfox.com/blog/froala-editor-v3-2-6-advisory"
+        ]
+      },
+      {
+        "below": "3.2.7",
+        "severity": "medium",
+        "cwe": [
+          "CWE-79"
+        ],
+        "identifiers": {
+          "summary": "Froala WYSIWYG Editor 3.2.6 is affected by Cross Site Scripting (XSS). Under certain conditions, a base64 crafted string leads to persistent XSS.",
+          "CVE": [
+            "CVE-2021-30109"
+          ]
+        },
+        "info": [
+          "https://github.com/froala/wysiwyg-editor/releases/tag/v4.0.11"
+        ]
+      },
+      {
+        "below": "3.2.2",
+        "severity": "medium",
+        "cwe": [
+          "CWE-79"
+        ],
+        "identifiers": {
+          "summary": "Security issue: XSS via pasted content",
+          "issue": "3880"
+        },
+        "info": [
+          "https://froala.com/wysiwyg-editor/changelog/#3.2.2"
+        ]
+      },
+      {
+        "below": "3.2.2",
+        "severity": "medium",
+        "cwe": [
+          "CWE-79"
+        ],
+        "identifiers": {
+          "summary": "XSS Issue In Link Insertion",
+          "issue": "3270"
+        },
+        "info": [
+          "https://github.com/froala/wysiwyg-editor/issues/3270"
+        ]
+      }
+    ],
+    "extractors": {
+      "uri": [
+        "/froala-editor/(§§version§§)/",
+        "/froala-editor@(§§version§§)/"
+      ],
+      "filecontent": [
+        "/\\*![\\s]+\\* froala_editor v(§§version§§)",
+        "VERSION:\"(§§version§§)\",INSTANCES:\\[\\],OPTS_MAPPING:\\{\\}"
+      ]
+    }
+  },
+  "pendo": {
+    "vulnerabilities": [
+      {
+        "below": "2.15.18",
+        "severity": "medium",
+        "cwe": [
+          "CWE-79"
+        ],
+        "identifiers": {
+          "summary": "Patched XSS vulnerability around script loading",
+          "retid": "74"
+        },
+        "info": [
+          "https://developers.pendo.io/agent-version-2-15-18/"
+        ]
+      }
+    ],
+    "extractors": {
+      "filecontent": [
+        "// Pendo Agent Wrapper\n//[\\s]+Environment:[\\s]+[^\n]+\n// Agent Version:[\\s]+(§§version§§)"
+      ]
+    }
+  },
   "dont check": {
     "extractors": {
       "uri": [

sfge/lib/apex-jorje-lsp-sfge.jar

@@ -18,5 +18,7 @@ public void accept(JorjeNodeVisitor visitor) {
     @Override
     protected void fillProperties(Map<String, Object> properties) {
         properties.put(Schema.NAME, getName());
+        properties.put(Schema.TARGET_NAME, getNode().getTargetName().get(0).getValue());
+        properties.put(Schema.USAGES, getNode().getUsages().toString());
     }
 }

sfge/src/main/java/com/salesforce/apex/jorje/UserTriggerWrapper.java

@@ -3,12 +3,7 @@
 import com.google.common.collect.ImmutableList;
 import com.salesforce.exception.UnexpectedException;
 import com.salesforce.graph.ops.TypeableUtil;
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
-import java.util.TreeMap;
-import java.util.TreeSet;
+import java.util.*;
 import java.util.concurrent.ConcurrentMap;
 import java.util.concurrent.ConcurrentSkipListMap;
 import java.util.function.BiFunction;
@@ -186,5 +181,20 @@ public static <T, U> List<U> newImmutableListOf(
                 .collect(Collectors.collectingAndThen(Collectors.toList(), ImmutableList::copyOf));
     }
 
+    /**
+     * Peek into the stack to get the last element. Converts value into an Optional instead of
+     * throwing an {@link EmptyStackException} when stack is empty.
+     *
+     * @param stack to look at
+     * @param <T> Stack's generic
+     * @return last element added to the stack
+     */
+    public static <T> Optional<T> peek(Stack<T> stack) {
+        if (stack.isEmpty()) {
+            return Optional.empty();
+        }
+        return Optional.of(stack.peek());
+    }
+
     private CollectionUtil() {}
 }

sfge/src/main/java/com/salesforce/collections/CollectionUtil.java

@@ -9,11 +9,13 @@ public final class UserFacingMessages {
 
     public static final class RuleDescriptions {
         public static final String APEX_NULL_POINTER_EXCEPTION_RULE =
-                "Identfies Apex operations that dereference null objects and throw NullPointerExceptions.";
+                "Identifies Apex operations that dereference null objects and throw NullPointerExceptions.";
         public static final String UNIMPLEMENTED_TYPE_RULE =
                 "Identifies abstract classes and interfaces that are non-global and don't have implementations or extensions.";
         public static final String UNUSED_METHOD_RULE =
                 "Identifies methods that aren't invoked from recognized entry points.";
+        public static final String MULTIPLE_MASS_SCHEMA_LOOKUP_RULE =
+                "Detects mass schema lookups that can cause performance degradation if made more than once in a path. These methods are: Schema.getGlobalDescribe() and Schema.describeSObjects(...). Flagged lookups include those within a loop or multiple invocations in a path.";
     }
 
     public static final class RuleViolationTemplates {
@@ -75,4 +77,10 @@ public static final class CompilationErrors {
                 "Graph engine encountered compilation errors. Fix the errors in %s and retry.";
         public static final String EXCEPTION_FORMAT_TEMPLATE = "%s, Caused by:\n%s";
     }
+
+    public static final class MultipleMassSchemaLookupRuleTemplates {
+        public static final String MESSAGE_TEMPLATE = "%s was %s at %s:%d.";
+        public static final String OCCURRENCE_LOOP_TEMPLATE = "called inside a %s";
+        public static final String OCCURRENCE_MULTIPLE_TEMPLATE = "preceded by a call to %s";
+    }
 }

sfge/src/main/java/com/salesforce/config/UserFacingMessages.java

@@ -62,10 +62,12 @@ public class Schema {
     public static final String STATIC_CONSTRUCTOR_CANONICAL_NAME = "<clinit>";
     public static final String SUPER_CLASS_NAME = "SuperClassName";
     public static final String SUPER_INTERFACE_NAME = "SuperInterfaceName";
+    public static final String TARGET_NAME = "TargetName";
     public static final String TYPE = "Type";
     /** Contains type for statements such as MyClass.class */
     public static final String TYPE_REF = "TypeRef";
 
+    public static final String USAGES = "Usages";
     public static final String VALUE = "Value";
     public static final String VIRTUAL = "Virtual";
     public static final String QUERY = "Query";

sfge/src/main/java/com/salesforce/graph/Schema.java

@@ -47,7 +47,8 @@ public class CaseSafePropertyUtil {
                     Schema.NAME,
                     Schema.RETURN_TYPE,
                     Schema.SUPER_CLASS_NAME,
-                    Schema.SUPER_INTERFACE_NAME);
+                    Schema.SUPER_INTERFACE_NAME,
+                    Schema.TARGET_NAME);
 
     static void addCaseSafeProperty(
             GraphTraversal<Vertex, Vertex> traversal, String property, Object value) {