Merge pull request #1556 from forcedotcom/release-4.4.0

RELEASE: @W-16095971@: Conducting v4.4.0 release.

.eslintrc.json

@@ -13,5 +13,8 @@
 	},
 	"plugins": [
 		"@typescript-eslint"
-	]
+	],
+	"rules": {
+		"sf-plugin/only-extend-SfCommand": "off"
+	}
 }

.github/workflows/create-release-branch.yml

@@ -144,7 +144,9 @@ jobs:
           NEW_VERSION=$(jq -r ".version" package.json)
           git checkout -b release-$NEW_VERSION
           git push --set-upstream origin release-$NEW_VERSION
-          # Output the branch name so we can use it in later jobs.
+          # Now that we're done with the interim branch, delete it.
+          git push -d origin ${NEW_VERSION}-interim
+          # Output the release branch name so we can use it in later jobs.
           echo "branch_name=release-$NEW_VERSION" >> "$GITHUB_OUTPUT"
   # Run all the various tests against the newly created branch.
   test-release-branch:

cli-messaging/build.gradle.kts

@@ -18,7 +18,7 @@ dependencies {
     exclude("junit")
   }
   implementation("com.google.code.gson:gson:2.10.1")
-  implementation("com.google.guava:guava:31.1-jre")
+  implementation("com.google.guava:guava:33.2.1-jre")
 
   testImplementation("org.hamcrest:hamcrest:2.2")
   testImplementation("org.junit.jupiter:junit-jupiter-api:5.9.2")

html-templates/simple.mustache

@@ -65,7 +65,7 @@
 	<script type="text/javascript" language="javascript"
 		src="https://cdn.datatables.net/1.10.21/js/jquery.dataTables.min.js"></script>
 	<script type="text/javascript" language="javascript" src="https://cdn.datatables.net/rowgroup/1.1.2/js/dataTables.rowGroup.min.js"></script>
-    <script type="text/javascript" language="javascript" src="https://cdn.jsdelivr.net/npm/[email protected]/dist/Chart.min.js"></script>
+	<script type="text/javascript" language="javascript" src="https://cdn.jsdelivr.net/npm/[email protected]/dist/Chart.min.js"></script>
 	<script type="text/javascript" class="init">
 
 	// BEGIN - Placeholders filled in by the scanner
@@ -294,11 +294,12 @@
 			});
 		});
 	</script>
+	<title>Salesforce Code Analyzer Report</title>
 </head>
 
 <body>
     <h1 id="reportTitle">Salesforce Code Analyzer Report</h1>
-	<div id="summaryChart"/></div>
+	<div id="summaryChart"></div>
 	<h4 id="summaryFiles"></h4>
 	<h4 id="summaryViolations"></h4>
 	<div class="fw-container">
@@ -319,7 +320,7 @@
 							<th>End Column</th>
 						</tr>
 					</thead>
-					<tbody/>
+					<tbody></tbody>
 				</table>
 			</div>
 		</div>

messages/RetireJsEngine.md

@@ -0,0 +1,11 @@
+# error.couldNotGetZipEntries
+
+Failed to get entries from ZIP file %s. Reason: %s.
+
+# error.couldNotReadEntryData
+
+Failed to read contents of entry %s in ZIP file %s. Reason: %s.
+
+# error.couldNotExtractZip
+
+Failed to extract ZIP file %s. Reason: %s.

messages/run-common.md

@@ -74,10 +74,6 @@ The selected output format doesn't match the output file type. Output format: %s
 
 --projectdir must specify existing paths
 
-# validations.noFilesFoundInTarget
-
-No files were found in the target. --target must contain at least one file.
-
 # info.resolvedTarget
 
 The --target flag wasn't specified so the default target '.' will be used.

package.json

@@ -1,7 +1,7 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "4.3.2",
+	"version": "4.4.0",
 	"author": "Salesforce Code Analyzer Team",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {

pmd-appexchange/docs/AvoidCreateElementScriptLinkTag.md

@@ -10,7 +10,9 @@ AvoidCreateElementScriptLinkTag[](#avoidcreateelementscriptlinktag)
 
 **Description:**
 
-   Detects dynamic creation of script or link tags
+Detects dynamic creation of script or link tags
+Note: This rule identifies the `<script>` block where `createElement` is detected; but can only show the line number where the `<script>` tag begins and not the line number for `createElement`.
+That means if there are multiple `createElement` calls with `script` as input, you'll see multiple issues reported with the line number of the `<script>` tag. This is a known issue; developers are expected to go through the `<script>` block to identify the use of `createElement`
 
 **Example(s):**
 

pmd-appexchange/docs/AvoidDisableProtocolSecurity.md

@@ -0,0 +1,18 @@
+AvoidDisableProtocolSecurity[](#avoiddisableprotocolsecurity)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Protocol security setting is disabled
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects if "Disable Protocol Security" setting is checked/true
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidHardCodedCredentialsInAura.md

@@ -0,0 +1,18 @@
+AvoidHardCodedCredentialsInAura[](#avoidhardcodedcredentialsinaura)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Detected use of hard coded credentials in Aura component
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detected use of hard coded credentials in Aura component
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidHardCodedSecretsInVFAttrs.md

@@ -0,0 +1,18 @@
+AvoidHardCodedSecretsInVFAttrs[](#avoidhardcodedsecretsinvfattrs)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Hard coded secrets detected in attributes
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects Hard coded secrets in VF attributes
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidInsecureHttpRemoteSiteSetting.md

@@ -0,0 +1,18 @@
+AvoidInsecureHttpRemoteSiteSetting[](#avoidinsecurehttpremotesitesetting)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid using insecure http urls in Remote Site Settings.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects instances of a Remote Site Settings that use HTTP.Use HTTPS instead.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidSControls.md

@@ -0,0 +1,18 @@
+AvoidSControls[](#avoidscontrols)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Detected SControls
+
+
+**Priority:** Critical (1)
+
+**Description:**
+
+   S-Controls should not be used in managed packages.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidUnescapedHtml.md

@@ -0,0 +1,18 @@
+AvoidUnescapedHtml[](#avoidunescapedhtml)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Potential XSS due to the use of unesapedHtml
+
+
+**Priority:** High (2)
+
+**Description:**
+
+Detected use of aura:unescapedHtml. This should be used cautiously. Developers should ensure that the unescapedHtml should not use tainted input to protect against XSS
+
+**Example(s):**
+
+
+

pmd-cataloger/build.gradle.kts

@@ -4,7 +4,6 @@ plugins {
   java
   application
   jacoco
-  id("de.undercouch.download") version "4.0.4"
 }
 
 group = "sfdx"
@@ -61,80 +60,13 @@ tasks.register<Delete>("deletePmdCatalogerDist") {
 }
 
 
-// ======== DEFINE/UPDATE PMD7 DIST RELATED TASKS  =====================================================================
-val pmd7DistDir = "$distDir/pmd7"
-val pmd7Version = "7.2.0"
-val pmd7File = "pmd-dist-$pmd7Version-bin.zip"
-
-tasks.register<de.undercouch.gradle.tasks.download.Download>("downloadPmd7") {
-  src("https://github.com/pmd/pmd/releases/download/pmd_releases%2F${pmd7Version}/${pmd7File}")
-  dest(buildDir)
-  overwrite(false)
-}
-
-tasks.register<Copy>("installPmd7") {
-  dependsOn("downloadPmd7")
-  from(zipTree("$buildDir/$pmd7File"))
-
-  // TO KEEP THE BELOW MODULE DEPENDENCIES LIST CORRECT AND UP TO DATE:
-  // I went to https://github.com/pmd/pmd/tree/pmd_releases/7.2.0 and for each of the languages that we support
-  // (apex, java, visualforce, xml), I took a look at its direct and indirect dependencies at
-  //     https://central.sonatype.com/artifact/net.sourceforge.pmd/pmd-apex/dependencies
-  // by selecting the 7.2.0 dropdown and clicking on "Dependencies" and selecting "All Dependencies".
-  // For completeness, I listed the modules and all their compile time dependencies (direct and indirect).
-  // Duplicates don't matter since we use setOf.
-  //
-  // A tip when we upgrade to see if there are any differences between minor releases of a given module:
-  //  1) Open the following in two different tabs (using pmd-core as an example):
-  //     * Go to https://mvnrepository.com/artifact/net.sourceforge.pmd/pmd-core/7.1.0
-  //     * Go to https://mvnrepository.com/artifact/net.sourceforge.pmd/pmd-core/7.2.0
-  //     Then compare the compile dependencies and their versions to see if there are any changes.
-  //     Do this will all modules we care about. Obviously the pmd-core dependency version will change but if nothing else
-  //     changes then this means no updates are needed for that module. If there are changes to pmd-core's dependencies...
-  //     then all modules that depend on pmd-core should be updated below with their new indirect dependencies.
-  //  2) As a sanity check it is also worth comparing the versions of the jars that are bundled between the two release
-  //     zip files to spot any version differences.
-  //     * https://github.com/pmd/pmd/archive/refs/tags/pmd_releases/7.2.0.zip
-  //     * https://github.com/pmd/pmd/archive/refs/tags/pmd_releases/7.1.0.zip
-  val pmd7ModulesToInclude = setOf(
-    // LANGUAGE MODULE     DEPENDENCIES (direct and indirect)
-    "pmd-apex",            "Saxon-HE", "annotations", "antlr4-runtime", "apex-parser", "apexlink", "asm", "checker-compat-qual", "checker-qual", "commons-lang3", "error_prone_annotations", "failureaccess", "flogger", "flogger-system-backend", "geny_2.13", "gson", "gson-extras", "guava", "j2objc-annotations", "jsr250-api", "jsr305", "jul-to-slf4j", "kotlin-stdlib", "kotlin-stdlib-common", "kotlin-stdlib-jdk7", "kotlin-stdlib-jdk8", "listenablefuture", "nice-xml-messages", "pcollections", "pkgforce_2.13", "pmd-core", "runforce", "scala-collection-compat_2.13", "scala-json-rpc-upickle-json-serializer_2.13", "scala-json-rpc_2.13", "scala-library", "scala-parallel-collections_2.13", "scala-reflect", "scala-xml_2.13", "slf4j-api", "summit-ast", "ujson_2.13", "upack_2.13", "upickle-core_2.13", "upickle-implicits_2.13", "upickle_2.13", "xmlresolver",
-    "pmd-html",            "Saxon-HE", "antlr4-runtime", "asm", "checker-qual", "commons-lang3", "gson", "jsoup", "jul-to-slf4j", "nice-xml-messages", "pcollections", "pmd-core", "slf4j-api", "xmlresolver",
-    "pmd-java",            "Saxon-HE", "antlr4-runtime", "asm", "checker-qual", "commons-lang3", "gson", "jul-to-slf4j", "nice-xml-messages", "pcollections", "pmd-core", "slf4j-api", "xmlresolver",
-    "pmd-javascript",      "Saxon-HE", "antlr4-runtime", "asm", "checker-qual", "commons-lang3", "gson", "jul-to-slf4j", "nice-xml-messages", "pcollections", "pmd-core", "rhino", "slf4j-api", "xmlresolver",
-    "pmd-visualforce",     "Saxon-HE", "antlr4-runtime", "apex-parser", "apexlink", "asm", "checker-compat-qual", "checker-qual", "commons-lang3", "error_prone_annotations", "failureaccess", "flogger", "flogger-system-backend", "geny_2.13", "gson", "gson-extras", "guava", "j2objc-annotations", "jsr250-api", "jsr305", "jul-to-slf4j", "kotlin-stdlib", "kotlin-stdlib-common", "kotlin-stdlib-jdk7", "kotlin-stdlib-jdk8", "listenablefuture", "nice-xml-messages", "pcollections", "pkgforce_2.13", "pmd-apex", "pmd-core", "runforce", "scala-collection-compat_2.13", "scala-json-rpc-upickle-json-serializer_2.13", "scala-json-rpc_2.13", "scala-library", "scala-parallel-collections_2.13", "scala-reflect", "scala-xml_2.13", "slf4j-api", "summit-ast", "ujson_2.13", "upack_2.13", "upickle-core_2.13", "upickle-implicits_2.13", "upickle_2.13", "xmlresolver",
-    "pmd-xml",             "Saxon-HE", "antlr4-runtime", "asm", "checker-qual", "commons-lang3", "gson", "jul-to-slf4j", "nice-xml-messages", "pcollections", "pmd-core", "slf4j-api", "xmlresolver",
-    // MAIN CLI MODULE     DEPENDENCIES (direct and indirect)
-    "pmd-cli",             "Saxon-HE", "antlr4-runtime", "asm", "checker-qual", "commons-lang3", "gson", "jline", "jul-to-slf4j", "nice-xml-messages", "pcollections", "picocli", "pmd-core", "progressbar", "slf4j-api", "slf4j-simple", "xmlresolver", // Do not include pmd-designer since we don't use it
-  )
-  val pmd7JarsToIncludeRegexes = mutableSetOf("""^LICENSE""".toRegex())
-  pmd7ModulesToInclude.forEach {
-    pmd7JarsToIncludeRegexes.add("""^$it-.*\.jar""".toRegex())
-  }
-
-  include { details: FileTreeElement -> pmd7JarsToIncludeRegexes.any { it.containsMatchIn(details.file.name) } }
-  into(pmd7DistDir)
-  includeEmptyDirs = false
-  eachFile {
-    // We drop the parent "pmd-bin-7.1.0" folder and put files directly into our "pmd7" folder
-    relativePath = RelativePath(true, *relativePath.segments.drop(1).toTypedArray())
-  }
-}
-
-tasks.register<Delete>("deletePmd7Dist") {
-  delete(pmd7DistDir)
-}
-
-
 // ======== ATTACH TASKS TO ASSEMBLE AND CLEAN  ========================================================================
 tasks.assemble {
   dependsOn("installDist")
-  dependsOn("installPmd7")
 }
 
 tasks.clean {
   dependsOn("deletePmdCatalogerDist")
-  dependsOn("deletePmd7Dist")
 }
 
 

pmd7/build.gradle.kts

@@ -0,0 +1,43 @@
+// This build file simply downloads the pmd jar files and their dependencies that we care to bundle with the scanner
+// plugin and puts them in the dist/pmd7/libs folder.
+
+plugins {
+  java // Minimum needed to be able to download dependencies
+}
+
+repositories {
+  mavenCentral()
+}
+
+// Keep this in sync with src/Constants.ts > PMD7_VERSION
+var pmd7Version = "7.3.0"
+
+val pmdDist7Dir = "$buildDir/../../dist/pmd7"
+
+dependencies {
+  implementation("net.sourceforge.pmd:pmd-apex:$pmd7Version")
+  implementation("net.sourceforge.pmd:pmd-cli:$pmd7Version") {
+    exclude(group = "net.sourceforge.pmd", module = "pmd-designer")
+  }
+  implementation("net.sourceforge.pmd:pmd-html:$pmd7Version")
+  implementation("net.sourceforge.pmd:pmd-java:$pmd7Version")
+  implementation("net.sourceforge.pmd:pmd-javascript:$pmd7Version")
+  implementation("net.sourceforge.pmd:pmd-visualforce:$pmd7Version")
+  implementation("net.sourceforge.pmd:pmd-xml:$pmd7Version")
+}
+
+tasks.register<Copy>("copyDependencies") {
+  from(configurations.runtimeClasspath)
+  into("$pmdDist7Dir/lib")
+}
+tasks.assemble {
+  dependsOn(tasks.named("copyDependencies"))
+}
+
+
+tasks.register<Delete>("deletePmd7Dist") {
+  delete(pmdDist7Dir)
+}
+tasks.clean {
+  dependsOn("deletePmd7Dist")
+}

retire-js/RetireJsVulns.json

@@ -6491,6 +6491,27 @@
           "https://github.com/advisories/GHSA-c59h-r6p8-q9wc"
         ]
       },
+      {
+        "atOrAbove": "13.4.0",
+        "below": "13.5.0",
+        "cwe": [
+          "CWE-400"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "Next.js Denial of Service (DoS) condition",
+          "CVE": [
+            "CVE-2024-39693"
+          ],
+          "githubID": "GHSA-fq54-2j52-jc42"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-fq54-2j52-jc42",
+          "https://github.com/vercel/next.js/security/advisories/GHSA-fq54-2j52-jc42",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-39693",
+          "https://github.com/vercel/next.js"
+        ]
+      },
       {
         "atOrAbove": "13.4.0",
         "below": "13.5.1",
@@ -7517,7 +7538,6 @@
         "/pdfjs-dist@(§§version§§)/"
       ],
       "filecontent": [
-        " pdfjs-dist@(§§version§§) ",
         "(?:const|var) pdfjsVersion = ['\"](§§version§§)['\"];",
         "PDFJS.version ?= ?['\"](§§version§§)['\"]",
         "apiVersion: ?['\"](§§version§§)['\"][\\s\\S]*,data(:[a-zA-Z.]{1,6})?,[\\s\\S]*password(:[a-zA-Z.]{1,10})?,[\\s\\S]*disableAutoFetch(:[a-zA-Z.]{1,22})?,[\\s\\S]*rangeChunkSize",

settings.gradle.kts

@@ -7,4 +7,4 @@
 
 rootProject.name = "sfdx-scanner"
 
-include(":cli-messaging", ":pmd-cataloger", ":sfge")
+include(":cli-messaging", ":pmd7", ":pmd-cataloger", ":sfge")