Preparing for v4.6.0 release.

forcedotcom · Sep 20, 2024 · be427d8 · be427d8
1 parent 2f1eca8
commit be427d8
Show file tree

Hide file tree

Showing 3 changed files with 1,144 additions and 937 deletions.
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "4.5.0",
+	"version": "4.6.0",
 	"author": "Salesforce Code Analyzer Team",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {

diff --git a/retire-js/RetireJsVulns.json b/retire-js/RetireJsVulns.json
@@ -3223,6 +3223,28 @@
           "https://github.com/advisories/GHSA-qwqh-hm9m-p5hr"
         ]
       },
+      {
+        "atOrAbove": "0",
+        "below": "1.8.4",
+        "cwe": [
+          "CWE-791"
+        ],
+        "severity": "low",
+        "identifiers": {
+          "summary": "AngularJS allows attackers to bypass common image source restrictions",
+          "CVE": [
+            "CVE-2024-8373"
+          ],
+          "githubID": "GHSA-mqm9-c95h-x2p6"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-mqm9-c95h-x2p6",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-8373",
+          "https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b",
+          "https://github.com/angular/angular.js",
+          "https://www.herodevs.com/vulnerability-directory/cve-2024-8373"
+        ]
+      },
       {
         "atOrAbove": "1.3.0",
         "below": "1.8.4",
@@ -3247,6 +3269,28 @@
           "https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos"
         ]
       },
+      {
+        "atOrAbove": "1.3.0-rc.4",
+        "below": "1.8.4",
+        "cwe": [
+          "CWE-1289"
+        ],
+        "severity": "low",
+        "identifiers": {
+          "summary": "AngularJS allows attackers to bypass common image source restrictions",
+          "CVE": [
+            "CVE-2024-8372"
+          ],
+          "githubID": "GHSA-m9gf-397r-hwpg"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-m9gf-397r-hwpg",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-8372",
+          "https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017",
+          "https://github.com/angular/angular.js",
+          "https://www.herodevs.com/vulnerability-directory/cve-2024-8372"
+        ]
+      },
       {
         "below": "1.999",
         "severity": "low",
@@ -4318,6 +4362,54 @@
         "info": [
           "https://github.com/cure53/DOMPurify/releases"
         ]
+      },
+      {
+        "atOrAbove": "0",
+        "below": "2.5.4",
+        "cwe": [
+          "CWE-1321",
+          "CWE-1333"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "DOMPurify allows tampering by prototype pollution",
+          "CVE": [
+            "CVE-2024-45801"
+          ],
+          "githubID": "GHSA-mmhx-hmjr-r674"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-mmhx-hmjr-r674",
+          "https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-45801",
+          "https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21",
+          "https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc",
+          "https://github.com/cure53/DOMPurify"
+        ]
+      },
+      {
+        "atOrAbove": "3.0.0",
+        "below": "3.1.3",
+        "cwe": [
+          "CWE-1321",
+          "CWE-1333"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "DOMPurify allows tampering by prototype pollution",
+          "CVE": [
+            "CVE-2024-45801"
+          ],
+          "githubID": "GHSA-mmhx-hmjr-r674"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-mmhx-hmjr-r674",
+          "https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-45801",
+          "https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21",
+          "https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc",
+          "https://github.com/cure53/DOMPurify"
+        ]
       }
     ],
     "extractors": {
@@ -5119,7 +5211,7 @@
       },
       {
         "atOrAbove": "4.0.0",
-        "below": "4.6.3",
+        "below": "5.0.0",
         "cwe": [
           "CWE-79"
         ],
@@ -5723,6 +5815,27 @@
         "info": [
           "https://github.com/sveltejs/svelte/pull/7530"
         ]
+      },
+      {
+        "below": "4.2.19",
+        "cwe": [
+          "CWE-79"
+        ],
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Svelte has a potential mXSS vulnerability due to improper HTML escaping",
+          "CVE": [
+            "CVE-2024-45047"
+          ],
+          "githubID": "GHSA-8266-84wp-wv5c"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-8266-84wp-wv5c",
+          "https://github.com/sveltejs/svelte/security/advisories/GHSA-8266-84wp-wv5c",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-45047",
+          "https://github.com/sveltejs/svelte/commit/83e96e044deb5ecbae2af361ae9e31d3e1ac43a3",
+          "https://github.com/sveltejs/svelte"
+        ]
       }
     ],
     "extractors": {
@@ -5734,6 +5847,7 @@
       ],
       "filecontent": [
         "generated by Svelte v\\$\\{['\"](§§version§§)['\"]\\}",
+        "generated by Svelte v(§§version§§) \\*/",
         "version: '(§§version§§)' [\\s\\S]{80,200}'SvelteDOMInsert'",
         "VERSION = '(§§version§§)'[\\s\\S]{21,200}parse\\$[0-9][\\s\\S]{10,80}preprocess",
         "var version\\$[0-9] = \"(§§version§§)\";[\\s\\S]{10,30}normalizeOptions\\(options\\)[\\s\\S]{80,200}'SvelteComponent.html'"
@@ -6536,6 +6650,30 @@
           "https://github.com/vercel/next.js/compare/v13.5.0...v13.5.1"
         ]
       },
+      {
+        "atOrAbove": "13.5.1",
+        "below": "13.5.7",
+        "cwe": [
+          "CWE-349",
+          "CWE-639"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "Next.js Cache Poisoning",
+          "CVE": [
+            "CVE-2024-46982"
+          ],
+          "githubID": "GHSA-gp8f-8m3g-qvj9"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-gp8f-8m3g-qvj9",
+          "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-46982",
+          "https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3",
+          "https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda",
+          "https://github.com/vercel/next.js"
+        ]
+      },
       {
         "atOrAbove": "13.4.0",
         "below": "14.1.1",
@@ -6558,6 +6696,30 @@
           "https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085",
           "https://github.com/vercel/next.js"
         ]
+      },
+      {
+        "atOrAbove": "14.0.0",
+        "below": "14.2.10",
+        "cwe": [
+          "CWE-349",
+          "CWE-639"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "Next.js Cache Poisoning",
+          "CVE": [
+            "CVE-2024-46982"
+          ],
+          "githubID": "GHSA-gp8f-8m3g-qvj9"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-gp8f-8m3g-qvj9",
+          "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-46982",
+          "https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3",
+          "https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda",
+          "https://github.com/vercel/next.js"
+        ]
       }
     ],
     "extractors": {