CHANGE (CodeAnalyzer): @W-15295547@: Prep for v3.23.0 release. (#1418)

forcedotcom · Mar 25, 2024 · 68c50fe · 68c50fe
1 parent 441709b
commit 68c50fe
Show file tree

Hide file tree

Showing 2 changed files with 122 additions and 1 deletion.
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "3.22.0",
+	"version": "3.23.0",
 	"author": "ISV SWAT",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {

diff --git a/retire-js/RetireJsVulns.json b/retire-js/RetireJsVulns.json
@@ -438,6 +438,20 @@
           "https://github.com/advisories/GHSA-ffmh-x56j-9rc3",
           "https://github.com/jquery-validation/jquery-validation/commit/5bbd80d27fc6b607d2f7f106c89522051a9fb0dd"
         ]
+      },
+      {
+        "below": "1.20.0",
+        "severity": "medium",
+        "cwe": [
+          "CWE-79"
+        ],
+        "identifiers": {
+          "summary": "Potential XSS via showLabel",
+          "PR": "2462"
+        },
+        "info": [
+          "https://github.com/jquery-validation/jquery-validation/blob/master/changelog.md#1200--2023-10-10"
+        ]
       }
     ],
     "extractors": {
@@ -5654,6 +5668,20 @@
           "https://github.com/axios/axios/releases/tag/v1.6.0",
           "https://security.snyk.io/vuln/SNYK-JS-AXIOS-6032459"
         ]
+      },
+      {
+        "below": "1.6.8",
+        "severity": "medium",
+        "cwe": [
+          "CWE-200"
+        ],
+        "identifiers": {
+          "summary": "Versions before 1.6.8 depends on follow-redirects before 1.15.6 which could leak the proxy authentication credentials",
+          "PR": "6300"
+        },
+        "info": [
+          "https://github.com/axios/axios/pull/6300"
+        ]
       }
     ],
     "extractors": {
@@ -5755,6 +5783,21 @@
           "https://nvd.nist.gov/vuln/detail/CVE-2022-21670",
           "https://security.snyk.io/vuln/SNYK-JS-MARKDOWNIT-2331914"
         ]
+      },
+      {
+        "below": "13.0.2",
+        "severity": "medium",
+        "cwe": [
+          "CWE-400"
+        ],
+        "identifiers": {
+          "summary": "Fixed crash/infinite loop caused by linkify inline rule",
+          "issue": "957"
+        },
+        "info": [
+          "https://github.com/markdown-it/markdown-it/issues/957",
+          "https://github.com/markdown-it/markdown-it/compare/13.0.1...13.0.2"
+        ]
       }
     ],
     "extractors": {
@@ -6379,6 +6422,25 @@
         "info": [
           "https://github.com/froala/wysiwyg-editor/releases/tag/v4.0.11"
         ]
+      },
+      {
+        "below": "4.1.4",
+        "atOrAbove": "4.0.1",
+        "severity": "medium",
+        "cwe": [
+          "CWE-79"
+        ],
+        "identifiers": {
+          "summary": "Froala Editor v4.0.1 to v4.1.1 was discovered to contain a cross-site scripting (XSS) vulnerability.",
+          "CVE": [
+            "CVE-2023-41592"
+          ],
+          "githubID": "GHSA-hvpq-7vcc-5hj5"
+        },
+        "info": [
+          "https://froala.com/wysiwyg-editor/changelog/#4.1.4",
+          "https://github.com/advisories/GHSA-hvpq-7vcc-5hj5"
+        ]
       }
     ],
     "extractors": {
@@ -7037,6 +7099,65 @@
       ]
     }
   },
+  "mathjax": {
+    "vulnerabilities": [
+      {
+        "atOrAbove": "0",
+        "below": "2.7.4",
+        "cwe": [
+          "CWE-79"
+        ],
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Macro in MathJax running untrusted Javascript within a web browser",
+          "CVE": [
+            "CVE-2018-1999024"
+          ],
+          "githubID": "GHSA-3c48-6pcv-88rm"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-3c48-6pcv-88rm",
+          "https://nvd.nist.gov/vuln/detail/CVE-2018-1999024",
+          "https://github.com/mathjax/MathJax/commit/a55da396c18cafb767a26aa9ad96f6f4199852f1",
+          "https://blog.bentkowski.info/2018/06/xss-in-google-colaboratory-csp-bypass.html",
+          "https://github.com/advisories/GHSA-3c48-6pcv-88rm",
+          "https://github.com/mathjax/MathJax"
+        ]
+      },
+      {
+        "atOrAbove": "0",
+        "below": "999",
+        "cwe": [
+          "CWE-1333"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "MathJax Regular expression Denial of Service (ReDoS)",
+          "CVE": [
+            "CVE-2023-39663"
+          ],
+          "githubID": "GHSA-v638-q856-grg8"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-v638-q856-grg8",
+          "https://nvd.nist.gov/vuln/detail/CVE-2023-39663",
+          "https://github.com/mathjax/MathJax/issues/3074"
+        ]
+      }
+    ],
+    "extractors": {
+      "uri": [
+        "/mathjax@(§§version§§)/",
+        "/mathjax/(§§version§§)/"
+      ],
+      "filecontent": [
+        "\\.MathJax\\.config\\.startup;{10,100}.\\.VERSION=\"(§§version§§)\"",
+        "\\.MathJax=\\{version:\"(§§version§§)\"",
+        "MathJax.{0,100}.\\.VERSION=void 0,.\\.VERSION=\"(§§version§§)\"",
+        "MathJax\\.version=\"(§§version§§)\";"
+      ]
+    }
+  },
   "dont check": {
     "vulnerabilities": [],
     "extractors": {