Merge pull request #823 from forcedotcom/dev-3

@W-11732835@: Merging dev-3 to release-3 in preparation for v3.5.0 release.

Author: jfeingold35

messages/EventKeyTemplates.js

@@ -1,7 +1,7 @@
 module.exports = {
 	"info": {
 		"categoryImplicitlyRun": "Implicitly including %s rules from category '%s'",
-		"jarAndXmlProcessed": "XML files collected from JAR [%s]: %s",
+		"jarAndXmlProcessed": "Cataloger: XML files collected from JAR [%s]: %s",
 		"usingEngineConfigFile": "Using engine configuration file at %s",
 		"generalInternalLog": "Log from Java: %s",
 		"customEslintHeadsUp": "About to run Eslint with custom config in %s. Please make sure your current directory has all the required NPM dependencies.",
@@ -18,9 +18,9 @@ module.exports = {
 		"sfgeCompletedPathAnalysis": "Overall, analyzed %s path(s) from %s entry point(s). Detected %s violation(s)."
 	},
 	"warning": {
-		"invalidCategorySkipped": "Cataloger skipped invalid PMD Category file '%s'.",
-		"invalidRulesetSkipped": "Cataloger skipped invalid PMD Ruleset file '%s'.",
-		"xmlDropped": "Dropping XML file [%s] since its path does not conform to Rulesets or Category.",
+		"invalidCategorySkipped": "Cataloger: Skipping invalid PMD Category file '%s'.",
+		"invalidRulesetSkipped": "Cataloger: Skipping invalid PMD Ruleset file '%s'.",
+		"xmlDropped": "Cataloger: Dropping XML file [%s] since its path does not conform to Rulesets or Category.",
 		"langMarkedForDeprecation": "Future releases will not include PMD support for %s. If this would cause you hardship, please log an issue on github.com/forcedotcom/sfdx-scanner",
 		"customRuleFileNotFound": "Custom rule file path [%s] for language [%s] was not found.",
 		"pmdSkippedFile": "PMD failed to evaluate against file '%s'. Message: %s",
@@ -49,7 +49,8 @@ module.exports = {
 			"recursionLimitReached": "ERROR: PMD Ruleset [%s] references rule [%s] through 10 or more layers of indirection. Please reduce this number.",
 			"xmlNotReadable": "ERROR: Error occurred while reading file [%s]: %s",
 			"xmlNotParsable": "ERROR: Could not parse XML file [%s]: %s",
-			"duplicateXmlPath": "ERROR: XML path [%s] defined in jar [%s] collides with previously defined path in jar [%s]. You will need to remove one of the jars by executing the following command 'sfdx scanner:rule:remove --force --path <jar-to-remove>'"
+			"duplicateXmlPath": "ERROR: XML path [%s] defined in jar [%s] collides with previously defined path in jar [%s]. You will need to remove one of the jars by executing the following command 'sfdx scanner:rule:remove --force --path <jar-to-remove>'",
+			"sfgeIncompleteAnalysis": "ERROR: SFGE encountered an error and couldn't complete analysis: %s"
 		}
 	}
 

messages/run-dfa.js

@@ -20,6 +20,8 @@ module.exports = {
 		"rulethreadtimeoutDescriptionLong": "Time limit for evaluating a single entrypoint. Value in milliseconds. Inherits from SFGE_RULE_THREAD_TIMEOUT env-var if set. Default is 900,000 ms, or 15 minutes.",
 		"sevthresholdDescription": "throws an error when violations of specific severity (or more severe) are detected, invokes --normalize-severity",
 		"sevthresholdDescriptionLong": "Throws an error if violations are found with equal or greater severity than provided value. Values are 1 (high), 2 (moderate), and 3 (low). Exit code is the most severe violation. Using this flag also invokes the --normalize-severity flag",
+		"sfgejvmargsDescription": "JVM arguments to optimize SFGE execution to your system",
+		"sfgejvmargsDescriptionLong": "Specify JVM arguments to override system defaults while executing SFGE. For multiple arguments, add them to the same string separated by space.",
 		"targetDescription": "location of source code",
 		"targetDescriptionLong": "Source code location. May use glob patterns, or specify individual methods with #-syntax. Multiple values can be specified as a comma-separated list"
 	},
@@ -47,9 +49,12 @@ module.exports = {
 	Use --severity-threshold to throw a non-zero exit code when rule violations of a specific normalized severity (or greater) are found. For this example, if there are any rule violations with a severity of 2 or more (which includes 1-high and 2-moderate), the exit code will be equal to the severity of the most severe violation.
 		E.g., $ sfdx scanner:run:dfa --target "/some-project/" --projectdir "/some-project/" --severity-threshold 2
 	Use --rule-thread-count to allow more (or fewer) entrypoints to be evaluated concurrently.
-		E.g., $ sfdx scanner:run:dfa --rule-thread-count 6
+		E.g., $ sfdx scanner:run:dfa --rule-thread-count 6 ...
 	Use --rule-thread-timeout to increase (or decrease) the maximum runtime for a single entrypoint evaluation.
 		E.g., $ sfdx scanner:run:dfa --rule-thread-timeout 9000000 ...
 			Increases timeout from 15 minutes (default) to 150 minutes.
+	Use --sfgejvmargs to pass JVM args to override system defaults while executing Salesforce Graph Engine's rules. 
+		E.g., $ sfdx scanner:run:dfa --sfgejvmargs "-Xmx8g" ...
+			Overrides system's default heapspace allocation to 8g and decreases chances of encountering OutOfMemory error.
 `
 };

package.json

@@ -1,7 +1,7 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "3.4.0",
+	"version": "3.5.0",
 	"author": "ISV SWAT",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {
@@ -40,6 +40,7 @@
 		"tsyringe": "^4.1.0",
 		"typescript": "^4.6.2",
 		"untildify": "^4.0.0",
+		"uuid": "^9.0.0",
 		"word-wrap": "^1.2.3",
 		"xml-js": "^1.6.11"
 	},
@@ -71,6 +72,7 @@
 		"@types/sarif": "^2.1.4",
 		"@types/semver": "^7.3.9",
 		"@types/tmp": "^0.2.3",
+		"@types/uuid": "^8.3.4",
 		"chai": "^4",
 		"eslint": "^8.10.0",
 		"mocha": "^9",

retire-js/RetireJsVulns.json

@@ -2602,11 +2602,60 @@
         "info": [
           "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4"
         ]
+      },
+      {
+        "below": "2.29.4",
+        "atOrAbove": "2.18.0",
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Regular Expression Denial of Service (ReDoS), Affecting moment package, versions >=2.18.0 <2.29.4",
+          "CVE": [
+            "CVE-2022-31129"
+          ]
+        },
+        "info": [
+          "https://security.snyk.io/vuln/SNYK-JS-MOMENT-2944238",
+          "https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g"
+        ]
+      }
+    ],
+    "extractors": {
+      "uri": [
+        "/moment\\.js/(§§version§§)/moment(.min)?\\.js"
+      ],
+      "filecontent": [
+        "//! moment.js(?:[\n\r]+)//! version : (§§version§§)",
+        "\\.version=\"(§§version§§)\".{300,500}\\.isMoment="
+      ]
+    }
+  },
+  "underscore.js": {
+    "bowername": [
+      "Underscore",
+      "underscore"
+    ],
+    "vulnerabilities": [
+      {
+        "below": "1.12.1",
+        "atOrAbove": "1.3.2",
+        "severity": "High",
+        "identifiers": {
+          "summary": " vulnerable to Arbitrary Code Injection via the template function",
+          "CVE": [
+            "CVE-2021-23358"
+          ]
+        },
+        "info": [
+          "https://nvd.nist.gov/vuln/detail/CVE-2021-23358"
+        ]
       }
     ],
     "extractors": {
+      "uri": [
+        "/underscore\\.js/(§§version§§)/underscore(-min)?\\.js"
+      ],
       "filecontent": [
-        "//! moment.js(?:[\n\r]+)//! version : (§§version§§)"
+        "//[\\s]*Underscore.js (§§version§§)"
       ]
     }
   },

sfge/build.gradle.kts

@@ -28,6 +28,8 @@ dependencies {
 	testImplementation("org.junit.jupiter:junit-jupiter-api:5.7.2")
 	testImplementation("org.junit.jupiter:junit-jupiter-engine:5.7.2")
 	testImplementation("org.junit.jupiter:junit-jupiter-params:5.7.2")
+	testImplementation("org.mockito:mockito-core:2.21.0")
+	testImplementation("org.mockito:mockito-junit-jupiter:2.23.0")
 }
 
 group = "com.salesforce.apex"

sfge/src/main/java/com/salesforce/CliMessagerAppender.java

@@ -62,21 +62,17 @@ protected CliMessagerAppender(
     @Override
     public void append(LogEvent event) {
         Level level = event.getLevel();
-        if (Level.WARN.equals(level) && this.shouldLogWarningsOnVerbose) {
-            CliMessager.postMessage(
-                    "SFGE Warning as Info", EventKey.INFO_GENERAL, getEventMessage(event));
+        if (Level.WARN.equals(level)) {
+            if (this.shouldLogWarningsOnVerbose) {
+                CliMessager.postMessage(
+                        "SFGE Warning as Info", EventKey.INFO_GENERAL, getEventMessage(event));
+            }
         } else if (Level.ERROR.equals(level)) {
             CliMessager.postMessage(
                     "SFGE Error as Warning", EventKey.WARNING_GENERAL, getEventMessage(event));
         } else if (Level.FATAL.equals(level)) {
             CliMessager.postMessage(
                     "SFGE Fatal as Error", EventKey.ERROR_GENERAL, getEventMessage(event));
-        } else {
-            error(
-                    String.format(
-                            "Unable to log less than WARN level [{}]: {}",
-                            event.getLevel(),
-                            getEventMessage(event)));
         }
     }