diff --git a/.github/workflows/create-release-branch.yml b/.github/workflows/create-release-branch.yml
index 243268950..1ba23d106 100644
--- a/.github/workflows/create-release-branch.yml
+++ b/.github/workflows/create-release-branch.yml
@@ -58,7 +58,6 @@ jobs:
 git push --set-upstream origin $INTERIM_BRANCH_NAME
 # Update dependencies.
 - run: |
- yarn upgrade
 node tools/UpdateRetireJsVulns.js
 # Use the GraphQL API to create a signed commit with the various changes.
 - name: Commit to interim branch
@@ -70,12 +69,11 @@ jobs:
 MESSAGE="Preparing for v$NEW_VERSION release."
 # GraphQL needs the latest versions of the files we changed, as Base64 encoded strings.
 NEW_PACKAGE="$(cat package.json | base64)"
- NEW_YARN_LOCK="$(cat yarn.lock | base64)"
 NEW_RETIREJS_VULNS="$(cat retire-js/RetireJsVulns.json | base64)"
 gh api graphql -F message="$MESSAGE" -F oldOid=`git rev-parse HEAD` -F branch="$BRANCH" \
- -F newPackage="$NEW_PACKAGE" -F newYarnLock="$NEW_YARN_LOCK" -F newRetireJsVulns="$NEW_RETIREJS_VULNS" \
+ -F newPackage="$NEW_PACKAGE" -F newRetireJsVulns="$NEW_RETIREJS_VULNS" \
 -f query='
- mutation ($message: String!, $oldOid: GitObjectID!, $branch: String!, $newPackage: Base64String!, $newYarnLock: Base64String!, $newRetireJsVulns: Base64String!) {
+ mutation ($message: String!, $oldOid: GitObjectID!, $branch: String!, $newPackage: Base64String!, $newRetireJsVulns: Base64String!) {
 createCommitOnBranch(input: {
 branch: {
 repositoryNameWithOwner: "forcedotcom/sfdx-scanner",
@@ -89,9 +87,6 @@ jobs:
 {
 path: "package.json",
 contents: $newPackage
- }, {
- path: "yarn.lock",
- contents: $newYarnLock
 }, {
 path: "retire-js/RetireJsVulns.json",
 contents: $newRetireJsVulns
diff --git a/package.json b/package.json
index d98a37800..707dbc8cf 100644
--- a/package.json
+++ b/package.json
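Review bot: With `yarn upgrade` removed, the `run: |` step in the first hunk now executes only `node tools/UpdateRetireJsVulns.js`, so the `# Update dependencies.` comment above it is stale; change it to `# Refresh the RetireJS vulnerability catalog.` (adjust if that script does more — its contents are not in this diff). The second and third hunks on this line drop `yarn.lock` from the `createCommitOnBranch` file list to match, which assumes nothing on the interim branch modifies the lockfile any more; if `UpdateRetireJsVulns.js` ever installs or updates packages, that change would be silently left out of the signed commit. A one-line comment next to the GraphQL `fileChanges` stating that only `package.json` and `retire-js/RetireJsVulns.json` are expected to change on the interim branch would make that assumption visible to the next editor.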
@@ -1,7 +1,7 @@
 {
 "name": "@salesforce/sfdx-scanner",
 "description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
- "version": "4.8.0",
+ "version": "4.9.0",
 "author": "Salesforce Code Analyzer Team",
 "bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 "dependencies": {
@@ -143,13 +143,13 @@
 "prepack": "rm -rf lib && tsc -b && oclif manifest && oclif readme && oclif lock && npm shrinkwrap",
 "postpack": "rm -f oclif.manifest.json oclif.lock npm-shrinkwrap.json",
 "lint-typescript": "eslint ./src --ext .ts --max-warnings 0",
- "test": "./gradlew test jacocoTestCoverageVerification && nyc mocha --timeout 60000 --retries 5 \"./test/**/*.test.ts\"",
- "test-quiet": "cross-env SFGE_LOGGING=false ./gradlew test jacocoTestCoverageVerification && nyc mocha --timeout 60000 --retries 5 \"./test/**/*.test.ts\"",
+ "test": "./gradlew test jacocoTestCoverageVerification && cross-env NODE_OPTIONS=--no-experimental-strip-types nyc mocha --timeout 60000 --retries 5 \"./test/**/*.test.ts\"",
+ "test-quiet": "cross-env SFGE_LOGGING=false ./gradlew test jacocoTestCoverageVerification && cross-env NODE_OPTIONS=--no-experimental-strip-types nyc mocha --timeout 60000 --retries 5 \"./test/**/*.test.ts\"",
 "test-cli-messaging": "./gradlew cli-messaging:test cli-messaging:jacocoTestCoverageVerification",
 "test-pmd-cataloger": "./gradlew pmd-cataloger:test pmd-cataloger:jacocoTestCoverageVerification",
 "test-sfge": "./gradlew sfge:test sfge:jacocoTestCoverageVerification",
 "test-sfge-quiet": "cross-env SFGE_LOGGING=false ./gradlew sfge:test sfge:jacocoTestCoverageVerification",
- "test-typescript": "tsc -b && nyc mocha --timeout 60000 \"./test/**/*.test.ts\"",
+ "test-typescript": "tsc -b && cross-env NODE_OPTIONS=--no-experimental-strip-types nyc mocha --timeout 60000 \"./test/**/*.test.ts\"",
 "version": "oclif readme && git add README.md"
 }
 }
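Review bot: `cross-env NODE_OPTIONS=--no-experimental-strip-types` is duplicated across `test`, `test-quiet` and `test-typescript` in the second hunk with nothing in the file recording why (JSON has no comment syntax), so the rationale — presumably that recent Node releases enable type stripping by default and that interferes with the mocha/TypeScript loader — should go into the PR description or the contributing guide. Two properties of this form deserve a check: `NODE_OPTIONS=...` replaces any `NODE_OPTIONS` a developer or CI job has already exported instead of appending to it, and Node refuses to start when `NODE_OPTIONS` contains a flag it does not recognize, so on a Node version that predates the strip-types option these scripts fail outright; the supported range is not visible here, so compare it with the `engines` field if one exists. To keep the flag in one place, consider a single `"test-mocha": "cross-env NODE_OPTIONS=--no-experimental-strip-types nyc mocha --timeout 60000 --retries 5 \"./test/**/*.test.ts\""` invoked by `test` and `test-quiet` (`test-typescript` differs only by omitting `--retries 5`).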
diff --git a/pmd7/build.gradle.kts b/pmd7/build.gradle.kts
index 8786650aa..cefbe2754 100644
--- a/pmd7/build.gradle.kts
+++ b/pmd7/build.gradle.kts
@@ -10,7 +10,7 @@ repositories {
 }
 // Keep this in sync with src/Constants.ts > PMD7_VERSION
-var pmd7Version = "7.8.0"
+var pmd7Version = "7.9.0"
 val pmdDist7Dir = "$buildDir/../../dist/pmd7"
@@ -26,6 +26,18 @@ dependencies {
 implementation("net.sourceforge.pmd:pmd-xml:$pmd7Version")
 }
 
+// TEMPORARY - FOR SOME REASON WHEN UPGRADING TO PMD 7.9.0, THE TRANSITIVE DEPENDENCY:
+// io.github.apex-dev-tools:apex-parser
+// IS GETTING PULLED IN AS 4.3.1 INSTEAD OF THE LISTED 4.3.0 AND IT SEEMS TO HAVE A BUG: A MISSING DEPENDENCY LISTED.
+// SO WE SHOULD FORCE 4.3.0 TO GET PULLED IN INSTEAD UNTIL THIS IS FIXED.
+// See https://github.com/pmd/pmd/issues/5456
+// TODO: As soon as the pmd folks fix this ^... we should remove this workaround:
+configurations.all {
+ resolutionStrategy {
+ force("io.github.apex-dev-tools:apex-parser:4.3.0")
+ }
+}
+
 tasks.register("copyDependencies") {
 from(configurations.runtimeClasspath)
 into("$pmdDist7Dir/lib")
diff --git a/retire-js/RetireJsVulns.json b/retire-js/RetireJsVulns.json
index fff4617d0..83635da4f 100644
--- a/retire-js/RetireJsVulns.json
+++ b/retire-js/RetireJsVulns.json
@@ -4957,8 +4957,7 @@
 "identifiers": {
 "summary": "Regular Expression Denial of Service (ReDoS), Affecting moment package, versions >=2.18.0 <2.29.4",
 "CVE": [
- "CVE-2022-31129",
- "CVE-2023-22467"
+ "CVE-2022-31129"
 ],
 "githubID": "GHSA-wc69-rhjr-hc9g"
 },
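Review bot: The `force("io.github.apex-dev-tools:apex-parser:4.3.0")` added in the second hunk lives in `configurations.all`, so it pins apex-parser for every configuration of the project and silently overrides any version a dependency requests — including a future PMD that legitimately requires a newer apex-parser once pmd/pmd#5456 is fixed — and nothing ties the `TEMPORARY` block to the PMD version it was written for, so the TODO can outlive its reason unnoticed. Guard it with the version variable declared in the first hunk so the next bump surfaces the pin: `if (pmd7Version == "7.9.0") { configurations.all { resolutionStrategy { force("io.github.apex-dev-tools:apex-parser:4.3.0") } } }`, and say in the comment that the guard is to be re-evaluated, not just extended, when `pmd7Version` changes. The comment's "missing dependency" in 4.3.1 is the only stated reason for the downgrade; including `gradle dependencyInsight --dependency apex-parser` output in the PR would let a reviewer confirm that 4.3.0 actually ends up on the runtime classpath that `copyDependencies` ships.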
@@ -6815,6 +6814,27 @@
 "https://github.com/vercel/next.js"
 ]
 },
+ {
+ "atOrAbove": "13.0.0",
+ "below": "13.5.8",
+ "cwe": [
+ "CWE-770"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Next.js Allows a Denial of Service (DoS) with Server Actions",
+ "CVE": [
+ "CVE-2024-56332"
+ ],
+ "githubID": "GHSA-7m27-7ghc-44w9"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-7m27-7ghc-44w9",
+ "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-56332",
+ "https://github.com/vercel/next.js"
+ ]
+ },
 {
 "atOrAbove": "13.4.0",
 "below": "14.1.1",
@@ -6906,6 +6926,48 @@
 "https://github.com/vercel/next.js",
 "https://github.com/vercel/next.js/releases/tag/v14.2.15"
 ]
+ },
+ {
+ "atOrAbove": "14.0.0",
+ "below": "14.2.21",
+ "cwe": [
+ "CWE-770"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Next.js Allows a Denial of Service (DoS) with Server Actions",
+ "CVE": [
+ "CVE-2024-56332"
+ ],
+ "githubID": "GHSA-7m27-7ghc-44w9"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-7m27-7ghc-44w9",
+ "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-56332",
+ "https://github.com/vercel/next.js"
+ ]
+ },
+ {
+ "atOrAbove": "15.0.0",
+ "below": "15.1.2",
+ "cwe": [
+ "CWE-770"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Next.js Allows a Denial of Service (DoS) with Server Actions",
+ "CVE": [
+ "CVE-2024-56332"
+ ],
+ "githubID": "GHSA-7m27-7ghc-44w9"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-7m27-7ghc-44w9",
+ "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-56332",
+ "https://github.com/vercel/next.js"
+ ]
 }
 ],
 "extractors": {
@@ -7867,7 +7929,6 @@
 "identifiers": {
 "summary": "PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF",
 "CVE": [
- "CVE-2024-34342",
 "CVE-2024-4367"
 ],
 "githubID": "GHSA-wgrm-67xf-hhpq"
diff --git a/src/Constants.ts b/src/Constants.ts
index fc10b9cc5..f99511813 100644
--- a/src/Constants.ts
+++ b/src/Constants.ts
@@ -2,7 +2,7 @@ import os = require('os'); import path = require('path'); // Keep this in sync with /pmd7/build.gradle.kts > pmd7Version -export const PMD7_VERSION = '7.8.0'; +export const PMD7_VERSION = '7.9.0'; export const PMD_APPEXCHANGE_RULES_VERSION = '0.16';