Merge pull request #1518 from forcedotcom/dev-3

RELEASE @W-16039195@: Conducting v3.26.0 release.

Author: stephen-carter-at-sf

messages/common.md

@@ -12,4 +12,4 @@ We're continually improving Salesforce Code Analyzer. Tell us what you think! Gi
 
 # upgradeTo4xRecommendation
 
-To use the most up-to-date Code Analyzer features including PMD 7.x, install Code Analyzer v4.x (Beta) by running this command: "sf plugins install @salesforce/sfdx-scanner@latest-beta". You are currently using Code Analyzer v3, which we plan to stop supporting soon.
+You are using Code Analyzer v3, which we no longer support. Update to v4 of Code Analyzer by running this command: "sf plugins install @salesforce/sfdx-scanner". Version 4 of Code Analyzer has the most up-to-date features, including PMD 7.x.

messages/jreSetupManager.md

@@ -2,19 +2,19 @@
 
 We couldn't find Java Home.
 Please verify that Java 1.8 or later is installed on your machine and try again.
-If the problem persists, please manually add a 'javaHome' property to your Config.json file, referencing your Java home directory.
+If the problem persists, please manually add a 'javaHome' property to your `%s` file, referencing your Java home directory.
 
 # InvalidJavaHome
 
 The Java Home is invalid: %s. Error code: %s.
 Please verify that Java 1.8 or later is installed on your machine and try again.
-If the problem persists, please manually add a 'javaHome' property to your Config.json file, referencing your Java home directory.
+If the problem persists, please manually add a 'javaHome' property to your `%s` file, referencing your Java home directory.
 
 # VersionNotFound
 
 We couldn't find the Java version.
 Please verify that Java 1.8 or later is installed on your machine and try again.
-If the problem persists, please manually add a 'javaHome' property to your Config.json file, referencing your Java home directory.
+If the problem persists, please manually add a 'javaHome' property to your `%s` file, referencing your Java home directory.
 
 # InvalidVersion
 

package.json

@@ -1,8 +1,8 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "3.25.0",
-	"author": "ISV SWAT",
+	"version": "3.26.0",
+	"author": "Salesforce Code Analyzer Team",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {
 		"@babel/core": "^7.11.0",

retire-js/RetireJsVulns.json

@@ -7255,6 +7255,132 @@
       ]
     }
   },
+  "pdf.js": {
+    "bowername": [
+      "pdfjs-dist"
+    ],
+    "npmname": "pdfjs-dist",
+    "vulnerabilities": [
+      {
+        "atOrAbove": "0",
+        "below": "1.10.100",
+        "cwe": [
+          "CWE-94"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "Malicious PDF can inject JavaScript into PDF Viewer",
+          "CVE": [
+            "CVE-2018-5158"
+          ],
+          "githubID": "GHSA-7jg2-jgv3-fmr4"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-7jg2-jgv3-fmr4",
+          "https://nvd.nist.gov/vuln/detail/CVE-2018-5158",
+          "https://github.com/mozilla/pdf.js/pull/9659",
+          "https://github.com/mozilla/pdf.js/commit/2dc4af525d1612c98afcd1e6bee57d4788f78f97",
+          "https://access.redhat.com/errata/RHSA-2018:1414",
+          "https://access.redhat.com/errata/RHSA-2018:1415",
+          "https://bugzilla.mozilla.org/show_bug.cgi?id=1452075",
+          "https://github.com/mozilla/pdf.js",
+          "https://lists.debian.org/debian-lts-announce/2018/05/msg00007.html",
+          "https://security.gentoo.org/glsa/201810-01",
+          "https://usn.ubuntu.com/3645-1",
+          "https://www.debian.org/security/2018/dsa-4199",
+          "https://www.mozilla.org/security/advisories/mfsa2018-11",
+          "https://www.mozilla.org/security/advisories/mfsa2018-12",
+          "http://www.securityfocus.com/bid/104136",
+          "http://www.securitytracker.com/id/1040896"
+        ]
+      },
+      {
+        "atOrAbove": "2.0.0",
+        "below": "2.0.550",
+        "cwe": [
+          "CWE-94"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "Malicious PDF can inject JavaScript into PDF Viewer",
+          "CVE": [
+            "CVE-2018-5158"
+          ],
+          "githubID": "GHSA-7jg2-jgv3-fmr4"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-7jg2-jgv3-fmr4",
+          "https://nvd.nist.gov/vuln/detail/CVE-2018-5158",
+          "https://github.com/mozilla/pdf.js/pull/9659",
+          "https://github.com/mozilla/pdf.js/commit/2dc4af525d1612c98afcd1e6bee57d4788f78f97",
+          "https://access.redhat.com/errata/RHSA-2018:1414",
+          "https://access.redhat.com/errata/RHSA-2018:1415",
+          "https://bugzilla.mozilla.org/show_bug.cgi?id=1452075",
+          "https://github.com/mozilla/pdf.js",
+          "https://lists.debian.org/debian-lts-announce/2018/05/msg00007.html",
+          "https://security.gentoo.org/glsa/201810-01",
+          "https://usn.ubuntu.com/3645-1",
+          "https://www.debian.org/security/2018/dsa-4199",
+          "https://www.mozilla.org/security/advisories/mfsa2018-11",
+          "https://www.mozilla.org/security/advisories/mfsa2018-12",
+          "http://www.securityfocus.com/bid/104136",
+          "http://www.securitytracker.com/id/1040896"
+        ]
+      },
+      {
+        "atOrAbove": "0",
+        "below": "4.2.67",
+        "cwe": [
+          "CWE-79"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF",
+          "CVE": [
+            "CVE-2024-34342",
+            "CVE-2024-4367"
+          ],
+          "githubID": "GHSA-wgrm-67xf-hhpq"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-wgrm-67xf-hhpq",
+          "https://github.com/mozilla/pdf.js/security/advisories/GHSA-wgrm-67xf-hhpq",
+          "https://github.com/mozilla/pdf.js/pull/18015",
+          "https://github.com/mozilla/pdf.js/commit/85e64b5c16c9aaef738f421733c12911a441cec6",
+          "https://bugzilla.mozilla.org/show_bug.cgi?id=1893645",
+          "https://github.com/mozilla/pdf.js"
+        ]
+      }
+    ],
+    "extractors": {
+      "uri": [
+        "/pdf\\.js/(§§version§§)/",
+        "/pdfjs-dist@(§§version§§)/"
+      ],
+      "filecontent": [
+        " pdfjs-dist@(§§version§§) ",
+        "(?:const|var) pdfjsVersion = ['\"](§§version§§)['\"];",
+        "PDFJS.version ?= ?['\"](§§version§§)['\"]",
+        "apiVersion: ?['\"](§§version§§)['\"][\\s\\S]*,data(:[a-zA-Z.]{1,6})?,[\\s\\S]*password(:[a-zA-Z.]{1,10})?,[\\s\\S]*disableAutoFetch(:[a-zA-Z.]{1,22})?,[\\s\\S]*rangeChunkSize",
+        "messageHandler\\.sendWithPromise\\(\"GetDocRequest\",\\{docId:[a-zA-Z],apiVersion:\"(§§version§§)\""
+      ]
+    }
+  },
+  "pdfobject": {
+    "vulnerabilities": [],
+    "extractors": {
+      "uri": [
+        "/pdfobject@(§§version§§)/",
+        "/pdfobject/(§§version§§)/pdfobject(\\.min)?\\.js"
+      ],
+      "filecontent": [
+        "\\* +PDFObject v(§§version§§)",
+        "/*[\\s]+PDFObject v(§§version§§)",
+        "let pdfobjectversion = \"(§§version§§)\";",
+        "pdfobjectversion:\"(§§version§§)\""
+      ]
+    }
+  },
   "dont check": {
     "vulnerabilities": [],
     "extractors": {

src/lib/JreSetupManager.ts

@@ -30,6 +30,7 @@ export class JreSetupManagerDependencies {
 class JreSetupManager extends AsyncCreatable {
 	private logger!: Logger;
 	private config!: Config;
+	private configFile: string;
 	private dependencies: JreSetupManagerDependencies;
 	private initialized: boolean;
 
@@ -40,6 +41,7 @@ class JreSetupManager extends AsyncCreatable {
 		this.logger = await Logger.child('verifyJRE');
 
 		this.config = await Controller.getConfig();
+		this.configFile = path.join(Controller.getSfdxScannerPath(), CONFIG_FILE)
 		this.dependencies = new JreSetupManagerDependencies();
 
 		this.initialized = true;
@@ -80,7 +82,7 @@ class JreSetupManager extends AsyncCreatable {
 		// So we'll just throw an error telling the user to set it themselves.
 		if (!javaHome) {
 			const errName = 'NoJavaHomeFound';
-			throw new SfError(getMessage(BundleName.JreSetupManager, errName, []), errName);
+			throw new SfError(getMessage(BundleName.JreSetupManager, errName, [this.configFile]), errName);
 		}
 
 		return javaHome;
@@ -110,42 +112,50 @@ class JreSetupManager extends AsyncCreatable {
 		} catch (e) {
 			const error: NodeJS.ErrnoException = e as NodeJS.ErrnoException;
 			const errName = 'InvalidJavaHome';
-			throw new SfError(getMessage(BundleName.JreSetupManager, errName, [javaHome, error.code]), errName);
+			throw new SfError(getMessage(BundleName.JreSetupManager, errName, [javaHome, error.code, this.configFile]), errName);
 		}
 	}
 
 	private async verifyJavaVersion(javaHome: string): Promise<void> {
-		const versionOut = await this.fetchJavaVersion(javaHome);
-
-		// Version output looks like this:
-		// MacOS: "openjdk version "11.0.6" 2020-01-14 LTS\nOpenJDK Runtime Environment Zulu11.37+17-CA (build 11.0.6+10-LTS)\nOpenJDK 64-Bit Server VM Zulu11.37+17-CA (build 11.0.6+10-LTS, mixed mode)\n"
-		// Win10: "openjdk 14 2020-03-17\r\nOpenJDK Runtime Environment (build 14+36-1461)\r\nOpenJDK 64-Bit Server VM (build 14+36-1461, mixed mode, sharing)\r\n"
-		// We want to get the "11.0" or "14" part
-		// The version number could be of the format 11.0 or 1.8 or 14
-		const regex = /(\d+)(\.(\d+))?/;
-		const matchedParts = regex.exec(versionOut);
-		this.logger.trace(`Version output match for pattern ${regex.toString()} is ${JSON.stringify(matchedParts)}`);
-
-		// matchedParts should have four groups: "11.0", "11", ".0", "0" or "14", "14", undefined, undefined
-		if (!matchedParts || matchedParts.length < 4) {
-			throw new SfError(getMessage(BundleName.JreSetupManager, 'VersionNotFound', []));
+		const versionCommandOut = await this.fetchJavaVersion(javaHome);
+
+		// We are using "java -version" below which has output that typically looks like:
+		// * (from MacOS): "openjdk version "11.0.6" 2020-01-14 LTS\nOpenJDK Runtime Environment Zulu11.37+17-CA (build 11.0.6+10-LTS)\nOpenJDK 64-Bit Server VM Zulu11.37+17-CA (build 11.0.6+10-LTS, mixed mode)\n"
+		// From much research it should ideally say "version " and then either a number with or without quotes.
+		// If instead we used java --version then the output would look something like:
+		// * (from Win10): "openjdk 14 2020-03-17\r\nOpenJDK Runtime Environment (build 14+36-1461)\r\nOpenJDK 64-Bit Server VM (build 14+36-1461, mixed mode, sharing)\r\n"
+		// Notice it doesn't have the word "version" but again, we don't call "--version". But for sanity sakes,
+		// we will attempt to support this as well. Basically we want to get the "11.0.6" or "14" part.
+
+		// First we'll see if the word "version" exists with the version number and use that first.
+		const matchedParts = versionCommandOut.match(/version\s+"?(\d+(\.\d+)*)"?/i);
+		this.logger.trace(`Attempt 1: Java version output match results is ${JSON.stringify(matchedParts)}`);
+		let version: string;
+		if (matchedParts && matchedParts.length > 1) {
+			version = matchedParts[1];
+		} else {
+			// Otherwise we'll try to get the version number the old way just be looking for the first number
+			const matchedParts = versionCommandOut.match(/\s+(\d+(\.\d+)*)/);
+			this.logger.trace(`Attempt 2: Java version output match results is ${JSON.stringify(matchedParts)}`);
+			if (!matchedParts || matchedParts.length < 2) {
+				throw new SfError(getMessage(BundleName.JreSetupManager, 'VersionNotFound', [this.configFile]));
+			}
+			version = matchedParts[1];
 		}
 
-		const majorVersion = parseInt(matchedParts[1]);
-		const minorVersion = matchedParts[3] ? parseInt(matchedParts[3]) : '';
-		const version = `${majorVersion}${minorVersion ? `.${minorVersion}` : ''}`;
-
-		// We want to allow 1.8 and greater.
 		// Up to JDK8, the version scheme is 1.blah
 		// Starting JDK 9, the version scheme is 9.blah for 9, 10.blah for 10, etc.
-		// If either version part clicks, we should be good.
+		const versionParts: string[] = version.split('.');
+		const majorVersion = parseInt(versionParts[0]);
+		const minorVersion: number = versionParts.length > 1 ? parseInt(versionParts[1]) : 0;
+
 		if (majorVersion === 1 && minorVersion === 8) {
 			// Accommodating 1.8
 			uxEvents.emit(EVENTS.WARNING_ALWAYS_UNIQUE, getMessage(BundleName.JreSetupManager, 'warning.JavaV8Deprecated', [path.join(Controller.getSfdxScannerPath(), CONFIG_FILE)]));
 		} else if (majorVersion < 9) {
 			// Not matching what we are looking for
 			const errName = 'InvalidVersion';
-			throw new SfError(getMessage(BundleName.JreSetupManager, errName, [version]), errName);
+			throw new SfError(getMessage(BundleName.JreSetupManager, errName, [version, this.configFile]), errName);
 		}
 
 		this.logger.trace(`Java version found as ${version}`);