From c5e9b5c40152fb2880cd44591eb2cb55e5758bd6 Mon Sep 17 00:00:00 2001
From: Joshua Feingold
Date: Mon, 8 Jan 2024 12:25:04 -0600
Subject: [PATCH] CHANGE (CodeAnalyzer): @W-14750116@: Release prep for v3.20.0.
---
 package.json | 2 +-
 retire-js/RetireJsVulns.json | 134 ++++++++++++++++++++++++++++++++++-
 2 files changed, 132 insertions(+), 4 deletions(-)
diff --git a/package.json b/package.json
index b9ce6351e..c25f5893c 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@salesforce/sfdx-scanner",
 "description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
- "version": "3.19.0",
+ "version": "3.20.0",
 "author": "ISV SWAT",
 "bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 "dependencies": {
diff --git a/retire-js/RetireJsVulns.json b/retire-js/RetireJsVulns.json
index 669d6720c..efa03be62 100644
--- a/retire-js/RetireJsVulns.json
+++ b/retire-js/RetireJsVulns.json
@@ -1374,7 +1374,10 @@
 "identifiers": {
 "summary": "security issue where URLs in attributes weren’t correctly sanitized. security issue in the codesample plugin",
 "retid": "67",
- "githubID": "GHSA-w7jx-j77m-wp65"
+ "githubID": "GHSA-w7jx-j77m-wp65",
+ "CVE": [
+ "CVE-2024-21911"
+ ]
 },
 "info": [
 "https://www.tiny.cloud/docs/release-notes/release-notes56/#securityfixes"
@@ -1404,7 +1407,10 @@
 "identifiers": {
 "summary": "Inserting certain HTML content into the editor could result in invalid HTML once parsed. This caused a medium severity Cross Site Scripting (XSS) vulnerability",
 "retid": "69",
- "githubID": "GHSA-5h9g-x5rv-25wg"
+ "githubID": "GHSA-5h9g-x5rv-25wg",
+ "CVE": [
+ "CVE-2024-21908"
+ ]
 },
 "info": [
 "https://www.tiny.cloud/docs/release-notes/release-notes59/#securityfixes"
@@ -1420,7 +1426,10 @@
 "identifiers": {
 "summary": "URLs not cleaned correctly in some cases in the link and image plugins",
 "retid": "70",
- "githubID": "GHSA-r8hm-w5f7-wj39"
+ "githubID": "GHSA-r8hm-w5f7-wj39",
+ "CVE": [
+ "CVE-2024-21910"
+ ]
 },
 "info": [
 "https://www.tiny.cloud/docs/release-notes/release-notes510/#securityfixes"
@@ -3087,6 +3096,89 @@
 "hashes": {}
 }
 },
+ "@angular/core": {
+ "vulnerabilities": [
+ {
+ "atOrAbove": "0",
+ "below": "10.2.5",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Cross site scripting in Angular",
+ "CVE": [
+ "CVE-2021-4231"
+ ],
+ "githubID": "GHSA-c75v-2vq8-878f"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-c75v-2vq8-878f",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-4231",
+ "https://github.com/angular/angular/issues/40136",
+ "https://github.com/angular/angular/commit/0aa220bc0000fc4d1651ec388975bbf5baa1da36",
+ "https://github.com/angular/angular/commit/47d9b6d72dab9d60c96bc1c3604219f6385649ea",
+ "https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09",
+ "https://github.com/angular/angular",
+ "https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902",
+ "https://vuldb.com/?id.181356"
+ ]
+ },
+ {
+ "atOrAbove": "11.0.0",
+ "below": "11.0.5",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Cross site scripting in Angular",
+ "CVE": [
+ "CVE-2021-4231"
+ ],
+ "githubID": "GHSA-c75v-2vq8-878f"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-c75v-2vq8-878f",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-4231",
+ "https://github.com/angular/angular/issues/40136",
+ "https://github.com/angular/angular/commit/0aa220bc0000fc4d1651ec388975bbf5baa1da36",
+ "https://github.com/angular/angular/commit/47d9b6d72dab9d60c96bc1c3604219f6385649ea",
+ "https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09",
+ "https://github.com/angular/angular",
+ "https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902",
+ "https://vuldb.com/?id.181356"
+ ]
+ },
+ {
+ "atOrAbove": "11.1.0-next.0",
+ "below": "11.1.0-next.3",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Cross site scripting in Angular",
+ "CVE": [
+ "CVE-2021-4231"
+ ],
+ "githubID": "GHSA-c75v-2vq8-878f"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-c75v-2vq8-878f",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-4231",
+ "https://github.com/angular/angular/issues/40136",
+ "https://github.com/angular/angular/commit/0aa220bc0000fc4d1651ec388975bbf5baa1da36",
+ "https://github.com/angular/angular/commit/47d9b6d72dab9d60c96bc1c3604219f6385649ea",
+ "https://github.com/angular/angular/commit/ba8da742e3b243e8f43d4c63aa842b44e14f2b09",
+ "https://github.com/angular/angular",
+ "https://security.snyk.io/vuln/SNYK-JS-ANGULARCORE-1070902",
+ "https://vuldb.com/?id.181356"
+ ]
+ }
+ ],
+ "extractors": {}
+ },
 "backbone.js": {
 "bowername": [
 "backbonejs",
@@ -6300,6 +6392,42 @@
 ]
 }
 },
+ "select2": {
+ "vulnerabilities": [
+ {
+ "atOrAbove": "0",
+ "below": "4.0.6",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Improper Neutralization of Input During Web Page Generation in Select2",
+ "CVE": [
+ "CVE-2016-10744"
+ ],
+ "githubID": "GHSA-rf66-hmqf-q3fc"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-rf66-hmqf-q3fc",
+ "https://nvd.nist.gov/vuln/detail/CVE-2016-10744",
+ "https://github.com/select2/select2/issues/4587",
+ "https://github.com/snipe/snipe-it/pull/6831",
+ "https://github.com/snipe/snipe-it/pull/6831/commits/5848d9a10c7d62c73ff6a3858edfae96a429402a",
+ "https://github.com/select2/select2"
+ ]
+ }
+ ],
+ "extractors": {
+ "filecontent": [
+ "/\\*!(?:[\\s]+\\*)? Select2 (§§version§§)",
+ "/\\*[\\s]+Copyright 20[0-9]{2} [I]gor V[a]ynberg[\\s]+Version: (§§version§§)[\\s\\S]{1,4000}(\\.attr\\(\"class\",\"select2-sizer\"|\\.data\\(document,\"select2-lastpos\"|document\\)\\.data\\(\"select2-lastpos\")"
+ ],
+ "uri": [
+ "(§§version§§)/(js/)?select2(.min)?\\.js"
+ ]
+ }
+ },
 "dont check": {
 "vulnerabilities": [],
 "extractors": {
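Review bot: The new `@angular/core` entry closes with `"extractors": {}`, so it carries no `filecontent`, `filename`, `uri` or `hashes` pattern and retire.js has nothing with which to recognise an Angular bundle or derive its version; as far as this file is concerned, the three CVE-2021-4231 ranges can never fire on a scanned file. The `select2` entry added later in the same commit does ship `filecontent` and `uri` extractors, so the empty object here reads as an omission rather than a deliberate choice (unless the engine resolves `@angular/core` versions from a package manifest, which nothing in this hunk shows). Angular's published bundles open with a `@license Angular v<version>` banner, so a pattern along the lines of `"filecontent": ["@license Angular v(§§version§§)"]`, checked against real 10.x/11.x builds before landing, would make the ranges reachable. It is also worth confirming that the version comparator honours the `-next.N` pre-release suffixes used in the third range (`11.1.0-next.0` / `11.1.0-next.3`); if it does not, that range is dead as well.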
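Review bot: In the `uri` extractor `(§§version§§)/(js/)?select2(.min)?\\.js` the dot inside `(.min)?` is unescaped and therefore matches any single character, while the trailing `\\.js` is escaped; `(\\.min)?` is evidently what was meant and narrows the pattern to `select2.js` / `select2.min.js`. The mismatch is harmless for true positives, but it is the kind of inconsistency that gets copied into the next hand-written entry. Since `RetireJsVulns.json` appears to be a vendored copy of the retire.js repository, it would also help future syncs to record (in the commit message or a sibling README) the upstream revision these `select2` and `@angular/core` entries were taken from, so a later refresh does not silently duplicate or overwrite them.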