Merge pull request #704 from forcedotcom/dev-3

@W-11203369@: Release activity for v3.1.2

Author: jfeingold35

html-templates/dfa-simple.mustache

@@ -298,7 +298,7 @@
 </head>
 
 <body>
-    <h1 id="reportTitle">Salesforce CLI Scanner Report</h1>
+    <h1 id="reportTitle">Salesforce Code Analyzer Report</h1>
 	<div id="summaryChart"/></div>
 	<h4 id="summaryFiles"></h4>
 	<h4 id="summaryViolations"></h4>

html-templates/simple.mustache

@@ -297,7 +297,7 @@
 </head>
 
 <body>
-    <h1 id="reportTitle">Salesforce CLI Scanner Report</h1>
+    <h1 id="reportTitle">Salesforce Code Analyzer Report</h1>
 	<div id="summaryChart"/></div>
 	<h4 id="summaryFiles"></h4>
 	<h4 id="summaryViolations"></h4>

package.json

@@ -1,7 +1,7 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "3.1.1",
+	"version": "3.1.2",
 	"author": "ISV SWAT",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {

retire-js/RetireJsVulns.json

@@ -2992,7 +2992,7 @@
       "filecontent": []
     }
   },
-  "axois": {
+  "axios": {
     "vulnerabilities": [
       {
         "below": "0.21.3",
@@ -3039,7 +3039,7 @@
     ],
     "extractors": {
       "uri": [
-        "/axois/(§§version§§)/.*\\.js"
+        "/axios/(§§version§§)/.*\\.js"
       ],
       "filename": [
         "axios-(§§version§§)(\\.min)?\\.js"
@@ -3049,6 +3049,103 @@
       ]
     }
   },
+  "markdown-it": {
+    "vulnerabilities": [
+      {
+        "below": "12.3.2",
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Regular Expression Denial of Service (ReDoS)",
+          "CVE": [
+            "CVE-2022-21670"
+          ]
+        },
+        "info": [
+          "https://security.snyk.io/vuln/SNYK-JS-MARKDOWNIT-2331914",
+          "https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md",
+          "https://nvd.nist.gov/vuln/detail/CVE-2022-21670"
+        ]
+      },
+      {
+        "below": "10.0.0",
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Regular Expression Denial of Service (ReDoS)"
+        },
+        "info": [
+          "https://security.snyk.io/vuln/SNYK-JS-MARKDOWNIT-459438",
+          "https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md"
+        ]
+      },
+      {
+        "below": "4.3.1",
+        "atOrAbove": "4.0.0",
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Cross-site Scripting (XSS)"
+        },
+        "info": [
+          "https://security.snyk.io/vuln/npm:markdown-it:20150702",
+          "https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md"
+        ]
+      },
+      {
+        "below": "4.1.0",
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Cross-site Scripting (XSS)",
+          "CVE": [
+            "CVE-2015-3295"
+          ]
+        },
+        "info": [
+          "https://security.snyk.io/vuln/npm:markdown-it:20160912",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-3295",
+          "https://github.com/markdown-it/markdown-it/blob/master/CHANGELOG.md"
+        ]
+      }
+    ],
+    "extractors": {
+      "uri": [
+        "/markdown-it[/@](§§version§§)/?.*\\.js"
+      ],
+      "filename": [
+        "markdown-it-(§§version§§)(\\.min)?\\.js"
+      ],
+      "filecontent": [
+        "/\\*! markdown-it(?:-ins)? (§§version§§)"
+      ]
+    }
+  },
+  "jszip": {
+    "vulnerabilities": [
+      {
+        "below": "3.7.0",
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Denial of Service (DoS)",
+          "CVE": [
+            "CVE-2021-23413"
+          ]
+        },
+        "info": [
+          "https://security.snyk.io/vuln/SNYK-JS-JSZIP-1251497",
+          "https://nvd.nist.gov/vuln/detail/CVE-2021-23413"
+        ]
+      }
+    ],
+    "extractors": {
+      "uri": [
+        "/jszip[/@](§§version§§)/.*\\.js"
+      ],
+      "filename": [
+        "jszip-(§§version§§)(\\.min)?\\.js"
+      ],
+      "filecontent": [
+        "/\\*![ \n]+JSZip v(§§version§§) "
+      ]
+    }
+  },
   "dont check": {
     "extractors": {
       "uri": [

src/lib/ScannerRunCommand.ts

@@ -126,7 +126,7 @@ export abstract class ScannerRunCommand extends ScannerCommand {
 			throw new SfdxError(messages.getMessage('validations.outfileMustBeValid'), null, null, INTERNAL_ERROR_CODE);
 		} else {
 			// Look at the file extension, and infer a corresponding output format.
-			const fileExtension = outfile.slice(lastPeriod + 1);
+			const fileExtension = outfile.slice(lastPeriod + 1).toLowerCase();
 			switch (fileExtension) {
 				case OUTPUT_FORMAT.CSV:
 				case OUTPUT_FORMAT.HTML:

src/lib/formatter/RuleResultRecombinator.ts

@@ -403,8 +403,8 @@ URL: ${url}`;
 		const fileHandler = new FileHandler();
 		const templateName = isDfa ? 'dfa-simple.mustache' : 'simple.mustache';
 		const template = await fileHandler.readFile(path.resolve(__dirname, '..', '..', '..', 'html-templates', templateName));
-		const args = ['sfdx'];
-		for (const arg of process.argv.slice(2)) {
+		const args = ['sfdx', process.argv[2]];
+		for (const arg of process.argv.slice(3)) {
 			if (arg.startsWith('-')) {
 				// Pass flags as-is
 				args.push(arg);

src/lib/retire-js/RetireJsEngine.ts

@@ -72,10 +72,14 @@ type RetireJsOutput = {
 export class RetireJsEngine extends AbstractRuleEngine {
 	public static ENGINE_ENUM: ENGINE = ENGINE.RETIRE_JS;
 	public static ENGINE_NAME: string = ENGINE.RETIRE_JS.valueOf();
-	// RetireJS isn't really built to be invoked programmatically, so we'll need to invoke it as a CLI command. However, we
-	// can't assume that they have the module installed globally. So what we're doing here is identifying the path to the
-	// locally-scoped `retire` module, and then using that to derive a path to the CLI-executable JS script.
+	// RetireJS isn't really built to be invoked programmatically, so we need to invoke it as a CLI command. However, we
+	// can't assume that the user has `retire` globally installed. So we identify the path to the locally-scoped `retire`
+	// module, and then use that to derive a path to the CLI-executable JS script.
 	private static RETIRE_JS_PATH: string = require.resolve('retire').replace(path.join('lib', 'retire.js'), path.join('bin', 'retire'));
+	// We also can't assume that the user actually has Node globally installed on their machine. So we need to figure out
+	// the version of node that's being executed right now (which may or may not be the version bundled with SFDX), so we
+	// can use that.
+	private static NODE_EXEC_PATH: string = process.execPath;
 	// RetireJS typically loads a JSON of all vulnerabilities from the Github repo. We want to override that, using this
 	// local path instead.
 	private static VULN_JSON_PATH: string = require.resolve(path.join('..', '..', '..', 'retire-js', 'RetireJsVulns.json'));
@@ -184,7 +188,7 @@ export class RetireJsEngine extends AbstractRuleEngine {
 					// So we use --js and --jspath to make retire-js only examine JS files and skip node modules.
 					// We also hardcode a locally-stored vulnerability repo instead of allowing use of the default one.
 					invocationArray.push({
-						args: ['--js', '--jspath', target, '--outputformat', 'json', '--jsrepo', RetireJsEngine.VULN_JSON_PATH],
+						args: [RetireJsEngine.RETIRE_JS_PATH, '--js', '--jspath', target, '--outputformat', 'json', '--jsrepo', RetireJsEngine.VULN_JSON_PATH],
 						rule: rule.name
 					});
 					break;
@@ -197,7 +201,7 @@ export class RetireJsEngine extends AbstractRuleEngine {
 
 	private async executeRetireJs(invocation: RetireJsInvocation): Promise<RuleResult[]> {
 		return new Promise<RuleResult[]>((res, rej) => {
-			const cp = cspawn(RetireJsEngine.RETIRE_JS_PATH, invocation.args);
+			const cp = cspawn(RetireJsEngine.NODE_EXEC_PATH, invocation.args);
 
 			// Initialize both stdout and stderr as empty strings to which we can append data as we receive it.
 			let stdout = '';

test/commands/scanner/run.test.ts

@@ -272,7 +272,7 @@ describe('scanner:run', function () {
 		});
 
 		describe('Output Type: HTML', () => {
-			const outputFile = 'testout.html';
+			const outputFile = 'testout.hTmL';
 			function validateHtmlOutput(html: string): void {
 				const result = html.match(/const violations = (\[.*);/);
 				expect(result).to.be.not.null;

test/lib/retire-js/RetireJsEngine.test.ts

@@ -484,13 +484,16 @@ describe('RetireJsEngine', () => {
 			expect(invocations.length).to.equal(1, 'Should be one invocation');
 			const invocation = invocations[0];
 			expect(invocation.rule).to.equal('insecure-bundled-dependencies', 'Invocation is for incorrect rule');
-			expect(invocation.args[0]).to.equal('--js');
-			expect(invocation.args[1]).to.equal('--jspath');
-			expect(invocation.args[2]).to.equal(target);
-			expect(invocation.args[3]).to.equal('--outputformat');
-			expect(invocation.args[4]).to.equal('json');
-			expect(invocation.args[5]).to.equal('--jsrepo');
-			expect(invocation.args[6]).to.equal((RetireJsEngine as any).VULN_JSON_PATH);
+			expect(invocation.args.length).to.equal(8, 'Wrong number of args provided');
+			// The first argument should be a node executable.
+			expect(invocation.args[0]).to.include('node', 'Node executable');
+			expect(invocation.args[1]).to.equal('--js');
+			expect(invocation.args[2]).to.equal('--jspath');
+			expect(invocation.args[3]).to.equal(target);
+			expect(invocation.args[4]).to.equal('--outputformat');
+			expect(invocation.args[5]).to.equal('json');
+			expect(invocation.args[6]).to.equal('--jsrepo');
+			expect(invocation.args[7]).to.equal((RetireJsEngine as any).VULN_JSON_PATH);
 		});
 	});
 });