From f270643b844e4bdefc068fba0be6dc8cd7e50f95 Mon Sep 17 00:00:00 2001 From: rmohan20 <58573547+rmohan20@users.noreply.github.com> Date: Mon, 29 Apr 2024 19:09:38 -0700 Subject: [PATCH] CHANGE (CodeAnalyzer): @W-15634578@ Version update and RetireJS changes for v3.24.0 release. (#1449) --- package.json | 2 +- retire-js/RetireJsVulns.json | 79 ++++++++++++++++++++++++++++++------ 2 files changed, 67 insertions(+), 14 deletions(-) diff --git a/package.json b/package.json index fe3261670..5cc989490 100644 --- a/package.json +++ b/package.json @@ -1,7 +1,7 @@ { "name": "@salesforce/sfdx-scanner", "description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.", - "version": "3.23.0", + "version": "3.24.0", "author": "ISV SWAT", "bugs": "https://github.com/forcedotcom/sfdx-scanner/issues", "dependencies": { diff --git a/retire-js/RetireJsVulns.json b/retire-js/RetireJsVulns.json index 6f532972e..9ad46442e 100644 --- a/retire-js/RetireJsVulns.json +++ b/retire-js/RetireJsVulns.json @@ -982,39 +982,39 @@ ] }, { - "below": "2.3.1", + "below": "2.3.0", "severity": "medium", "cwe": [ "CWE-79" ], "identifiers": { - "summary": "XSS vulnerability in actionscript/Jplayer.as in the Flash SWF component", + "summary": "XSS vulnerabilities in actionscript/Jplayer.as in the Flash SWF component", "CVE": [ - "CVE-2013-2023" + "CVE-2013-2022" ], - "release": "2.3.1" + "githubID": "GHSA-3jcq-cwr7-6332" }, "info": [ "http://jplayer.org/latest/release-notes/", - "https://nvd.nist.gov/vuln/detail/CVE-2013-2023" + "https://nvd.nist.gov/vuln/detail/CVE-2013-2022" ] }, { - "below": "2.3.23", + "below": "2.3.1", "severity": "medium", "cwe": [ "CWE-79" ], "identifiers": { - "summary": "XSS vulnerabilities in actionscript/Jplayer.as in the Flash SWF component", + "summary": "XSS vulnerability in actionscript/Jplayer.as in the Flash SWF component", "CVE": [ - "CVE-2013-2022" + "CVE-2013-2023" ], - "release": "2.3.23" + "release": "2.3.1" }, "info": [ "http://jplayer.org/latest/release-notes/", - "https://nvd.nist.gov/vuln/detail/CVE-2013-2022" + "https://nvd.nist.gov/vuln/detail/CVE-2013-2023" ] } ], @@ -1615,6 +1615,54 @@ "https://tiny.cloud/docs/release-notes/release-notes5109/", "https://tiny.cloud/docs/tinymce/6/6.7.3-release-notes/" ] + }, + { + "atOrAbove": "0", + "below": "6.8.1", + "cwe": [ + "CWE-79" + ], + "severity": "medium", + "identifiers": { + "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes", + "CVE": [ + "CVE-2024-29203" + ], + "githubID": "GHSA-438c-3975-5x3f" + }, + "info": [ + "https://github.com/advisories/GHSA-438c-3975-5x3f", + "https://github.com/tinymce/tinymce/security/advisories/GHSA-438c-3975-5x3f", + "https://nvd.nist.gov/vuln/detail/CVE-2024-29203", + "https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1", + "https://github.com/tinymce/tinymce", + "https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types", + "https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#sandbox_iframes-editor-option-is-now-defaulted-to-true" + ] + }, + { + "atOrAbove": "0", + "below": "7.0.0", + "cwe": [ + "CWE-79" + ], + "severity": "medium", + "identifiers": { + "summary": "TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements", + "CVE": [ + "CVE-2024-29881" + ], + "githubID": "GHSA-5359-pvf2-pw78" + }, + "info": [ + "https://github.com/advisories/GHSA-5359-pvf2-pw78", + "https://github.com/tinymce/tinymce/security/advisories/GHSA-5359-pvf2-pw78", + "https://nvd.nist.gov/vuln/detail/CVE-2024-29881", + "https://github.com/tinymce/tinymce/commit/bcdea2ad14e3c2cea40743fb48c63bba067ae6d1", + "https://github.com/tinymce/tinymce", + "https://www.tiny.cloud/docs/tinymce/6/6.8.1-release-notes/#new-convert_unsafe_embeds-option-that-controls-whether-object-and-embed-elements-will-be-converted-to-more-restrictive-alternatives-namely-img-for-image-mime-types-video-for-video-mime-types-audio-audio-mime-types-or-iframe-for-other-or-unspecified-mime-types", + "https://www.tiny.cloud/docs/tinymce/7/7.0-release-notes/#convert_unsafe_embeds-editor-option-is-now-defaulted-to-true" + ] } ], "extractors": { @@ -5692,7 +5740,10 @@ "axios-(§§version§§)(\\.min)?\\.js" ], "filecontent": [ - "/\\* *axios v(§§version§§) " + "/\\* *axios v(§§version§§) ", + "// Axios v(§§version§§) C", + "return\"\\[Axios v(§§version§§)\\] Transitional", + "\\\"axios\\\",\\\"version\\\":\\\"(§§version§§)\\\"" ] } }, @@ -6669,9 +6720,10 @@ { "below": "4.17.5", "cwe": [ - "CWE-471" + "CWE-471", + "CWE-1321" ], - "severity": "low", + "severity": "medium", "identifiers": { "summary": "Prototype Pollution in lodash", "CVE": [ @@ -6738,6 +6790,7 @@ { "below": "4.17.12", "cwe": [ + "CWE-1321", "CWE-20" ], "severity": "high",