Merge pull request #1628 from forcedotcom/release-4.6.0

RELEASE @W-16608399@: Conducting v4.6.0 release

package.json

@@ -1,7 +1,7 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "4.5.0",
+	"version": "4.6.0",
 	"author": "Salesforce Code Analyzer Team",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {

pmd7/build.gradle.kts

@@ -10,7 +10,7 @@ repositories {
 }
 
 // Keep this in sync with src/Constants.ts > PMD7_VERSION
-var pmd7Version = "7.4.0"
+var pmd7Version = "7.5.0"
 
 val pmdDist7Dir = "$buildDir/../../dist/pmd7"
 

retire-js/RetireJsVulns.json

@@ -3223,6 +3223,28 @@
           "https://github.com/advisories/GHSA-qwqh-hm9m-p5hr"
         ]
       },
+      {
+        "atOrAbove": "0",
+        "below": "1.8.4",
+        "cwe": [
+          "CWE-791"
+        ],
+        "severity": "low",
+        "identifiers": {
+          "summary": "AngularJS allows attackers to bypass common image source restrictions",
+          "CVE": [
+            "CVE-2024-8373"
+          ],
+          "githubID": "GHSA-mqm9-c95h-x2p6"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-mqm9-c95h-x2p6",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-8373",
+          "https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b",
+          "https://github.com/angular/angular.js",
+          "https://www.herodevs.com/vulnerability-directory/cve-2024-8373"
+        ]
+      },
       {
         "atOrAbove": "1.3.0",
         "below": "1.8.4",
@@ -3247,6 +3269,28 @@
           "https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos"
         ]
       },
+      {
+        "atOrAbove": "1.3.0-rc.4",
+        "below": "1.8.4",
+        "cwe": [
+          "CWE-1289"
+        ],
+        "severity": "low",
+        "identifiers": {
+          "summary": "AngularJS allows attackers to bypass common image source restrictions",
+          "CVE": [
+            "CVE-2024-8372"
+          ],
+          "githubID": "GHSA-m9gf-397r-hwpg"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-m9gf-397r-hwpg",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-8372",
+          "https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017",
+          "https://github.com/angular/angular.js",
+          "https://www.herodevs.com/vulnerability-directory/cve-2024-8372"
+        ]
+      },
       {
         "below": "1.999",
         "severity": "low",
@@ -4318,6 +4362,54 @@
         "info": [
           "https://github.com/cure53/DOMPurify/releases"
         ]
+      },
+      {
+        "atOrAbove": "0",
+        "below": "2.5.4",
+        "cwe": [
+          "CWE-1321",
+          "CWE-1333"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "DOMPurify allows tampering by prototype pollution",
+          "CVE": [
+            "CVE-2024-45801"
+          ],
+          "githubID": "GHSA-mmhx-hmjr-r674"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-mmhx-hmjr-r674",
+          "https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-45801",
+          "https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21",
+          "https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc",
+          "https://github.com/cure53/DOMPurify"
+        ]
+      },
+      {
+        "atOrAbove": "3.0.0",
+        "below": "3.1.3",
+        "cwe": [
+          "CWE-1321",
+          "CWE-1333"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "DOMPurify allows tampering by prototype pollution",
+          "CVE": [
+            "CVE-2024-45801"
+          ],
+          "githubID": "GHSA-mmhx-hmjr-r674"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-mmhx-hmjr-r674",
+          "https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-45801",
+          "https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21",
+          "https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc",
+          "https://github.com/cure53/DOMPurify"
+        ]
       }
     ],
     "extractors": {
@@ -5119,7 +5211,7 @@
       },
       {
         "atOrAbove": "4.0.0",
-        "below": "4.6.3",
+        "below": "5.0.0",
         "cwe": [
           "CWE-79"
         ],
@@ -5723,6 +5815,27 @@
         "info": [
           "https://github.com/sveltejs/svelte/pull/7530"
         ]
+      },
+      {
+        "below": "4.2.19",
+        "cwe": [
+          "CWE-79"
+        ],
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Svelte has a potential mXSS vulnerability due to improper HTML escaping",
+          "CVE": [
+            "CVE-2024-45047"
+          ],
+          "githubID": "GHSA-8266-84wp-wv5c"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-8266-84wp-wv5c",
+          "https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-45047",
+          "https://github.com/sveltejs/svelte/commit/83e96e044deb5ecbae2af361ae9e31d3e1ac43a3",
+          "https://github.com/sveltejs/svelte"
+        ]
       }
     ],
     "extractors": {
@@ -5734,6 +5847,7 @@
       ],
       "filecontent": [
         "generated by Svelte v\\$\\{['\"](§§version§§)['\"]\\}",
+        "generated by Svelte v(§§version§§) \\*/",
         "version: '(§§version§§)' [\\s\\S]{80,200}'SvelteDOMInsert'",
         "VERSION = '(§§version§§)'[\\s\\S]{21,200}parse\\$[0-9][\\s\\S]{10,80}preprocess",
         "var version\\$[0-9] = \"(§§version§§)\";[\\s\\S]{10,30}normalizeOptions\\(options\\)[\\s\\S]{80,200}'SvelteComponent.html'"
@@ -6536,6 +6650,30 @@
           "https://github.com/vercel/next.js/compare/v13.5.0...v13.5.1"
         ]
       },
+      {
+        "atOrAbove": "13.5.1",
+        "below": "13.5.7",
+        "cwe": [
+          "CWE-349",
+          "CWE-639"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "Next.js Cache Poisoning",
+          "CVE": [
+            "CVE-2024-46982"
+          ],
+          "githubID": "GHSA-gp8f-8m3g-qvj9"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-gp8f-8m3g-qvj9",
+          "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-46982",
+          "https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3",
+          "https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda",
+          "https://github.com/vercel/next.js"
+        ]
+      },
       {
         "atOrAbove": "13.4.0",
         "below": "14.1.1",
@@ -6558,6 +6696,30 @@
           "https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085",
           "https://github.com/vercel/next.js"
         ]
+      },
+      {
+        "atOrAbove": "14.0.0",
+        "below": "14.2.10",
+        "cwe": [
+          "CWE-349",
+          "CWE-639"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "Next.js Cache Poisoning",
+          "CVE": [
+            "CVE-2024-46982"
+          ],
+          "githubID": "GHSA-gp8f-8m3g-qvj9"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-gp8f-8m3g-qvj9",
+          "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-46982",
+          "https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3",
+          "https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda",
+          "https://github.com/vercel/next.js"
+        ]
       }
     ],
     "extractors": {

src/Constants.ts

@@ -2,7 +2,7 @@ import os = require('os');
 import path = require('path');
 
 // Keep this in sync with <repoRoot>/pmd7/build.gradle.kts > pmd7Version
-export const PMD7_VERSION = '7.4.0';
+export const PMD7_VERSION = '7.5.0';
 
 export const PMD_APPEXCHANGE_RULES_VERSION = '0.15';
 

src/commands/scanner/run/dfa.ts

@@ -69,7 +69,19 @@ export default class Dfa extends ScannerRunCommand {
 			summary: getMessage(BundleName.RunDfa, 'flags.pathexplimitSummary'),
 			description: getMessage(BundleName.RunDfa, 'flags.pathexplimitDescription'),
 			env: 'SFGE_PATH_EXPANSION_LIMIT'
-		})
+		}),
+		'enablecaching': Flags.boolean({
+			summary: '',
+			description: '',
+			env: 'SFGE_ENABLE_CACHING',
+			hidden: true
+		}),
+		'cachepath': Flags.string({
+			summary: '',
+			description: '',
+			env: 'SFGE_FILES_TO_ENTRIES_CACHE_LOCATION',
+			hidden: true
+		}),
 		// END: Config-overrideable engine flags.
 	};
 

src/lib/EngineOptionsFactory.ts

@@ -114,6 +114,12 @@ export class RunDfaEngineOptionsFactory extends CommonEngineOptionsFactory {
 		if (inputs['pathexplimit'] != null) {
 			sfgeConfig.pathexplimit = inputs['pathexplimit'] as number;
 		}
+		if (inputs['enablecaching'] != null) {
+			sfgeConfig.enablecaching = inputs['enablecaching'] as boolean;
+		}
+		if (inputs['cachepath'] != null) {
+			sfgeConfig.cachepath = inputs['cachepath'] as string;
+		}
 		sfgeConfig.ruleDisableWarningViolation = getBooleanEngineOption(inputs, RULE_DISABLE_WARNING_VIOLATION_FLAG);
 		engineOptions.set(CUSTOM_CONFIG.SfgeConfig, JSON.stringify(sfgeConfig));
 

src/lib/sfge/SfgeWrapper.ts

@@ -46,6 +46,8 @@ type SfgeExecuteOptions = SfgeWrapperOptions & {
 	ruleThreadCount?: number;
 	ruleThreadTimeout?: number;
 	ruleDisableWarningViolation?: boolean;
+	enablecaching?: boolean;
+	cachepath?: string;
 }
 
 type SfgeTarget = {
@@ -57,6 +59,8 @@ type SfgeInput = {
 	targets: SfgeTarget[];
 	projectDirs: string[];
 	rulesToRun: string[];
+	enablecaching?: boolean;
+	cachepath?: string;
 };
 
 class SfgeSpinnerManager extends AsyncCreatable implements SpinnerManager {
@@ -209,6 +213,8 @@ export class SfgeExecuteWrapper extends AbstractSfgeWrapper {
 	private ruleThreadCount: number;
 	private ruleThreadTimeout: number;
 	private ruleDisableWarningViolation: boolean;
+	private enablecaching: boolean;
+	private cachepath: string;
 
 	constructor(options: SfgeExecuteOptions) {
 		super(options);
@@ -218,6 +224,8 @@ export class SfgeExecuteWrapper extends AbstractSfgeWrapper {
 		this.ruleThreadCount = options.ruleThreadCount;
 		this.ruleThreadTimeout = options.ruleThreadTimeout;
 		this.ruleDisableWarningViolation = options.ruleDisableWarningViolation;
+		this.enablecaching = options.enablecaching;
+		this.cachepath = options.cachepath;
 	}
 
 	protected getSupplementalFlags(): string[] {
@@ -231,6 +239,12 @@ export class SfgeExecuteWrapper extends AbstractSfgeWrapper {
 		if (this.ruleDisableWarningViolation != null) {
 			flags.push(`-DSFGE_RULE_DISABLE_WARNING_VIOLATION=${this.ruleDisableWarningViolation.toString()}`);
 		}
+		if (this.enablecaching != null && this.enablecaching) {
+			flags.push(`-DSFGE_DISABLE_CACHING=false`);
+		}
+		if (this.cachepath != null) {
+			flags.push(`-DSFGE_FILES_TO_ENTRIES_CACHE_LOCATION=${this.cachepath}`);
+		}
 		return flags;
 	}
 
@@ -291,7 +305,9 @@ export class SfgeExecuteWrapper extends AbstractSfgeWrapper {
 			pathExpLimit: sfgeConfig.pathexplimit,
 			ruleThreadCount: sfgeConfig.ruleThreadCount,
 			ruleThreadTimeout: sfgeConfig.ruleThreadTimeout,
-			ruleDisableWarningViolation: sfgeConfig.ruleDisableWarningViolation
+			ruleDisableWarningViolation: sfgeConfig.ruleDisableWarningViolation,
+			cachepath: sfgeConfig.cachepath,
+			enablecaching: sfgeConfig.enablecaching
 		});
 		return wrapper.execute();
 	}

src/types.ts

@@ -204,4 +204,6 @@ export type SfgeConfig = {
 	ruleDisableWarningViolation?: boolean;
 	jvmArgs?: string;
 	pathexplimit?: number;
+	enablecaching?: boolean;
+	cachepath?: string;
 };