From e457c92b5bec89d17cf46ddad571ef89b8fe1a5a Mon Sep 17 00:00:00 2001
From: Stephen Carter
Date: Wed, 8 Jan 2025 12:12:04 -0500
Subject: [PATCH 1/4] CHANGE(pmd): @W-17530168@: Upgrade to PMD 7.9.0
---
 pmd7/build.gradle.kts | 14 +++++++++++++-
 src/Constants.ts | 2 +-
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/pmd7/build.gradle.kts b/pmd7/build.gradle.kts
index 8786650aa..cefbe2754 100644
--- a/pmd7/build.gradle.kts
+++ b/pmd7/build.gradle.kts
@@ -10,7 +10,7 @@ repositories {
 }
 // Keep this in sync with src/Constants.ts > PMD7_VERSION
-var pmd7Version = "7.8.0"
+var pmd7Version = "7.9.0"
 val pmdDist7Dir = "$buildDir/../../dist/pmd7"
@@ -26,6 +26,18 @@ dependencies {
 implementation("net.sourceforge.pmd:pmd-xml:$pmd7Version")
 }
+// TEMPORARY - FOR SOME REASON WHEN UPGRADING TO PMD 7.9.0, THE TRANSITIVE DEPENDENCY:
+// io.github.apex-dev-tools:apex-parser
+// IS GETTING PULLED IN AS 4.3.1 INSTEAD OF THE LISTED 4.3.0 AND IT SEEMS TO HAVE A BUG: A MISSING DEPENDENCY LISTED.
+// SO WE SHOULD FORCE 4.3.0 TO GET PULLED IN INSTEAD UNTIL THIS IS FIXED.
+// See https://github.com/pmd/pmd/issues/5456
+// TODO: As soon as the pmd folks fix this ^... we should remove this workaround:
+configurations.all {
+ resolutionStrategy {
+ force("io.github.apex-dev-tools:apex-parser:4.3.0")
+ }
+}
 tasks.register("copyDependencies") {
 from(configurations.runtimeClasspath)
 into("$pmdDist7Dir/lib")
diff --git a/src/Constants.ts b/src/Constants.ts
index fc10b9cc5..f99511813 100644
--- a/src/Constants.ts
+++ b/src/Constants.ts
@@ -2,7 +2,7 @@ import os = require('os');
 import path = require('path');
 // Keep this in sync with /pmd7/build.gradle.kts > pmd7Version
-export const PMD7_VERSION = '7.8.0';
+export const PMD7_VERSION = '7.9.0';
 export const PMD_APPEXCHANGE_RULES_VERSION = '0.16';
From 207844270174f94fd4b1c023b0f3d652449c39b7 Mon Sep 17 00:00:00 2001
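Review bot: The `force("io.github.apex-dev-tools:apex-parser:4.3.0")` inside `configurations.all` is unconditional, so when pmd7Version is later bumped past 7.9.0 the override keeps pinning the parser to 4.3.0 even if that newer PMD release declares a newer apex-parser, and nothing in the build will flag that the workaround has outlived the upstream issue it references. Tying the block to the version it was written for makes the pin expire on its own: `if (pmd7Version == "7.9.0") { configurations.all { resolutionStrategy { force("io.github.apex-dev-tools:apex-parser:4.3.0") } } }`, or, more visibly, fail the build with a reminder when the version differs. Note also that copyDependencies copies `configurations.runtimeClasspath`, so the forced 4.3.0 is what ends up in `$pmdDist7Dir/lib` and ships with the distribution, which is worth one sentence in the comment above the block.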
From: Josh Feingold
Date: Tue, 21 Jan 2025 11:32:21 -0600
Subject: [PATCH 2/4] CHANGE (CodeAnalyzer): @W-17514797@: v4 release process no longer runs yarn upgrade (#1727)
---
 .github/workflows/create-release-branch.yml | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/create-release-branch.yml b/.github/workflows/create-release-branch.yml
index 243268950..1ba23d106 100644
--- a/.github/workflows/create-release-branch.yml
+++ b/.github/workflows/create-release-branch.yml
@@ -58,7 +58,6 @@ jobs:
 git push --set-upstream origin $INTERIM_BRANCH_NAME
 # Update dependencies.
 - run: |
- yarn upgrade
 node tools/UpdateRetireJsVulns.js
 # Use the GraphQL API to create a signed commit with the various changes.
 - name: Commit to interim branch
@@ -70,12 +69,11 @@ jobs:
 MESSAGE="Preparing for v$NEW_VERSION release."
 # GraphQL needs the latest versions of the files we changed, as Base64 encoded strings.
 NEW_PACKAGE="$(cat package.json | base64)"
- NEW_YARN_LOCK="$(cat yarn.lock | base64)"
 NEW_RETIREJS_VULNS="$(cat retire-js/RetireJsVulns.json | base64)"
 gh api graphql -F message="$MESSAGE" -F oldOid=`git rev-parse HEAD` -F branch="$BRANCH" \
- -F newPackage="$NEW_PACKAGE" -F newYarnLock="$NEW_YARN_LOCK" -F newRetireJsVulns="$NEW_RETIREJS_VULNS" \
+ -F newPackage="$NEW_PACKAGE" -F newRetireJsVulns="$NEW_RETIREJS_VULNS" \
 -f query='
- mutation ($message: String!, $oldOid: GitObjectID!, $branch: String!, $newPackage: Base64String!, $newYarnLock: Base64String!, $newRetireJsVulns: Base64String!) {
+ mutation ($message: String!, $oldOid: GitObjectID!, $branch: String!, $newPackage: Base64String!, $newRetireJsVulns: Base64String!) {
 createCommitOnBranch(input: {
 branch: {
 repositoryNameWithOwner: "forcedotcom/sfdx-scanner",
@@ -89,9 +87,6 @@ jobs:
 {
 path: "package.json",
 contents: $newPackage
- }, {
- path: "yarn.lock",
- contents: $newYarnLock
 }, {
 path: "retire-js/RetireJsVulns.json",
 contents: $newRetireJsVulns
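Review bot: The `# Update dependencies.` comment above the `run:` step in the first hunk is now misleading, because with `yarn upgrade` gone the step only runs `node tools/UpdateRetireJsVulns.js`; rename it to `# Refresh the RetireJS vulnerability catalog.` so a reader does not assume package dependencies are still bumped here. Dropping the upgrade also means the release branch is cut with whatever package.json already pins, so any dependency refresh for a release must now happen before this workflow runs through some other path; a short comment on this step naming that path would help, if one exists (none is visible in these hunks). The enclosing job starts and ends outside the hunks.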
From 2a654e62d1f9c2f86874cb33e21a40885d08be86 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 24 Jan 2025 12:03:03 +0000
Subject: [PATCH 3/4] Preparing for v4.9.0 release.
---
 package.json | 2 +-
 retire-js/RetireJsVulns.json | 67 ++++++++++++++++++++++++++++++++++--
 2 files changed, 65 insertions(+), 4 deletions(-)
diff --git a/package.json b/package.json
index d98a37800..f746ca780 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@salesforce/sfdx-scanner",
 "description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
- "version": "4.8.0",
+ "version": "4.9.0",
 "author": "Salesforce Code Analyzer Team",
 "bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 "dependencies": {
diff --git a/retire-js/RetireJsVulns.json b/retire-js/RetireJsVulns.json
index fff4617d0..83635da4f 100644
--- a/retire-js/RetireJsVulns.json
+++ b/retire-js/RetireJsVulns.json
@@ -4957,8 +4957,7 @@
 "identifiers": {
 "summary": "Regular Expression Denial of Service (ReDoS), Affecting moment package, versions >=2.18.0 <2.29.4",
 "CVE": [
- "CVE-2022-31129",
- "CVE-2023-22467"
+ "CVE-2022-31129"
 ],
 "githubID": "GHSA-wc69-rhjr-hc9g"
 },
@@ -6815,6 +6814,27 @@
 "https://github.com/vercel/next.js"
 ]
 },
+ {
+ "atOrAbove": "13.0.0",
+ "below": "13.5.8",
+ "cwe": [
+ "CWE-770"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Next.js Allows a Denial of Service (DoS) with Server Actions",
+ "CVE": [
+ "CVE-2024-56332"
+ ],
+ "githubID": "GHSA-7m27-7ghc-44w9"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-7m27-7ghc-44w9",
+ "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-56332",
+ "https://github.com/vercel/next.js"
+ ]
+ },
 {
 "atOrAbove": "13.4.0",
 "below": "14.1.1",
@@ -6906,6 +6926,48 @@
 "https://github.com/vercel/next.js",
 "https://github.com/vercel/next.js/releases/tag/v14.2.15"
 ]
+ },
+ {
+ "atOrAbove": "14.0.0",
+ "below": "14.2.21",
+ "cwe": [
+ "CWE-770"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Next.js Allows a Denial of Service (DoS) with Server Actions",
+ "CVE": [
+ "CVE-2024-56332"
+ ],
+ "githubID": "GHSA-7m27-7ghc-44w9"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-7m27-7ghc-44w9",
+ "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-56332",
+ "https://github.com/vercel/next.js"
+ ]
+ },
+ {
+ "atOrAbove": "15.0.0",
+ "below": "15.1.2",
+ "cwe": [
+ "CWE-770"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Next.js Allows a Denial of Service (DoS) with Server Actions",
+ "CVE": [
+ "CVE-2024-56332"
+ ],
+ "githubID": "GHSA-7m27-7ghc-44w9"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-7m27-7ghc-44w9",
+ "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-56332",
+ "https://github.com/vercel/next.js"
+ ]
 }
 ],
 "extractors": {
@@ -7867,7 +7929,6 @@
 "identifiers": {
 "summary": "PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF",
 "CVE": [
- "CVE-2024-34342",
 "CVE-2024-4367"
 ],
 "githubID": "GHSA-wgrm-67xf-hhpq"
From f8909ec11942d01de7a2baa3930eec91fa39ab13 Mon Sep 17 00:00:00 2001
From: Stephen Carter <123964848+stephen-carter-at-sf@users.noreply.github.com>
Date: Fri, 24 Jan 2025 13:02:41 -0500
Subject: [PATCH 4/4] FIX (build) @W-17615470@ Fix errors with latest node in release-4.9.0 (#1730)
---
 package.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/package.json b/package.json
index f746ca780..707dbc8cf 100644
--- a/package.json
+++ b/package.json
@@ -143,13 +143,13 @@
 "prepack": "rm -rf lib && tsc -b && oclif manifest && oclif readme && oclif lock && npm shrinkwrap",
 "postpack": "rm -f oclif.manifest.json oclif.lock npm-shrinkwrap.json",
 "lint-typescript": "eslint ./src --ext .ts --max-warnings 0",
- "test": "./gradlew test jacocoTestCoverageVerification && nyc mocha --timeout 60000 --retries 5 \"./test/**/*.test.ts\"",
- "test-quiet": "cross-env SFGE_LOGGING=false ./gradlew test jacocoTestCoverageVerification && nyc mocha --timeout 60000 --retries 5 \"./test/**/*.test.ts\"",
+ "test": "./gradlew test jacocoTestCoverageVerification && cross-env NODE_OPTIONS=--no-experimental-strip-types nyc mocha --timeout 60000 --retries 5 \"./test/**/*.test.ts\"",
+ "test-quiet": "cross-env SFGE_LOGGING=false ./gradlew test jacocoTestCoverageVerification && cross-env NODE_OPTIONS=--no-experimental-strip-types nyc mocha --timeout 60000 --retries 5 \"./test/**/*.test.ts\"",
 "test-cli-messaging": "./gradlew cli-messaging:test cli-messaging:jacocoTestCoverageVerification",
 "test-pmd-cataloger": "./gradlew pmd-cataloger:test pmd-cataloger:jacocoTestCoverageVerification",
 "test-sfge": "./gradlew sfge:test sfge:jacocoTestCoverageVerification",
 "test-sfge-quiet": "cross-env SFGE_LOGGING=false ./gradlew sfge:test sfge:jacocoTestCoverageVerification",
- "test-typescript": "tsc -b && nyc mocha --timeout 60000 \"./test/**/*.test.ts\"",
+ "test-typescript": "tsc -b && cross-env NODE_OPTIONS=--no-experimental-strip-types nyc mocha --timeout 60000 \"./test/**/*.test.ts\"",
 "version": "oclif readme && git add README.md"
 }
 }
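Review bot: `cross-env NODE_OPTIONS=--no-experimental-strip-types` in the three changed scripts assigns NODE_OPTIONS outright, so any value a developer or CI job already exported (a heap-size flag, for instance) is discarded for the mocha run rather than extended, and cross-env offers no way to append; moving the flag into mocha's own configuration (a `node-option` entry in `.mocharc`, if the project has one) would compose with the environment instead of replacing it. The flag is also only recognised by Node releases that know the strip-types option, and Node rejects an unknown option in NODE_OPTIONS at startup, so the `engines` field (not visible in this hunk) should state the minimum Node version these scripts now require. The same string is duplicated across `test`, `test-quiet` and `test-typescript`; a single `.mocharc` entry would keep them from drifting.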