CHANGE (CodeAnalyzer): @W-15634578@ Version update and RetireJS chang…

…es for v4.1.0 release. (#1448)
forcedotcom · Apr 30, 2024 · e1c892c · e1c892c
1 parent e2eba1b
commit e1c892c
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 14 deletions.
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "4.0.0",
+	"version": "4.1.0",
 	"author": "Salesforce Code Analyzer Team",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {

diff --git a/retire-js/RetireJsVulns.json b/retire-js/RetireJsVulns.json
@@ -982,39 +982,39 @@
         ]
       },
       {
-        "below": "2.3.1",
+        "below": "2.3.0",
         "severity": "medium",
         "cwe": [
           "CWE-79"
         ],
         "identifiers": {
-          "summary": "XSS vulnerability in actionscript/Jplayer.as in the Flash SWF component",
+          "summary": "XSS vulnerabilities in actionscript/Jplayer.as in the Flash SWF component",
           "CVE": [
-            "CVE-2013-2023"
+            "CVE-2013-2022"
           ],
-          "release": "2.3.1"
+          "githubID": "GHSA-3jcq-cwr7-6332"
         },
         "info": [
           "http://jplayer.org/latest/release-notes/",
-          "https://nvd.nist.gov/vuln/detail/CVE-2013-2023"
+          "https://nvd.nist.gov/vuln/detail/CVE-2013-2022"
         ]
       },
       {
-        "below": "2.3.23",
+        "below": "2.3.1",
         "severity": "medium",
         "cwe": [
           "CWE-79"
         ],
         "identifiers": {
-          "summary": "XSS vulnerabilities in actionscript/Jplayer.as in the Flash SWF component",
+          "summary": "XSS vulnerability in actionscript/Jplayer.as in the Flash SWF component",
           "CVE": [
-            "CVE-2013-2022"
+            "CVE-2013-2023"
           ],
-          "release": "2.3.23"
+          "release": "2.3.1"
         },
         "info": [
           "http://jplayer.org/latest/release-notes/",
-          "https://nvd.nist.gov/vuln/detail/CVE-2013-2022"
+          "https://nvd.nist.gov/vuln/detail/CVE-2013-2023"
         ]
       }
     ],
@@ -1615,6 +1615,54 @@
           "https://tiny.cloud/docs/release-notes/release-notes5109/",
           "https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes/"
         ]
+      },
+      {
+        "atOrAbove": "0",
+        "below": "6.8.1",
+        "cwe": [
+          "CWE-79"
+        ],
+        "severity": "medium",
+        "identifiers": {
+          "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes",
+          "CVE": [
+            "CVE-2024-29203"
+          ],
+          "githubID": "GHSA-438c-3975-5x3f"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-438c-3975-5x3f",
+          "https://github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-29203",
+          "https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1",
+          "https://github.com/tinymce/tinymce",
+          "https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types",
+          "https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#sandbox_iframes-editor-option-is-now-defaulted-to-true"
+        ]
+      },
+      {
+        "atOrAbove": "0",
+        "below": "7.0.0",
+        "cwe": [
+          "CWE-79"
+        ],
+        "severity": "medium",
+        "identifiers": {
+          "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements",
+          "CVE": [
+            "CVE-2024-29881"
+          ],
+          "githubID": "GHSA-5359-pvf2-pw78"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-5359-pvf2-pw78",
+          "https://github.com/tinymce/tinymce/security/advisories/GHSA-5359-pvf2-pw78",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-29881",
+          "https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1",
+          "https://github.com/tinymce/tinymce",
+          "https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types",
+          "https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#convert_unsafe_embeds-editor-option-is-now-defaulted-to-true"
+        ]
       }
     ],
     "extractors": {
@@ -5692,7 +5740,10 @@
         "axios-(§§version§§)(\\.min)?\\.js"
       ],
       "filecontent": [
-        "/\\* *axios v(§§version§§) "
+        "/\\* *axios v(§§version§§) ",
+        "// Axios v(§§version§§) C",
+        "return\"\\[Axios v(§§version§§)\\] Transitional",
+        "\\\"axios\\\",\\\"version\\\":\\\"(§§version§§)\\\""
       ]
     }
   },
@@ -6669,9 +6720,10 @@
       {
         "below": "4.17.5",
         "cwe": [
-          "CWE-471"
+          "CWE-471",
+          "CWE-1321"
         ],
-        "severity": "low",
+        "severity": "medium",
         "identifiers": {
           "summary": "Prototype Pollution in lodash",
           "CVE": [
@@ -6738,6 +6790,7 @@
       {
         "below": "4.17.12",
         "cwe": [
+          "CWE-1321",
           "CWE-20"
         ],
         "severity": "high",