Merge pull request #1720 from forcedotcom/m2d/v4.8.0

Main2Dev @W-17291574@ Merging main-4 to dev-4 after v4.8.0

Author: jag-j

package.json

@@ -1,7 +1,7 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "4.7.0",
+	"version": "4.8.0",
 	"author": "Salesforce Code Analyzer Team",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {

retire-js/RetireJsVulns.json

@@ -2576,6 +2576,23 @@
           "https://github.com/dojo/dojo/pull/307"
         ]
       },
+      {
+        "below": "1.2.0",
+        "severity": "medium",
+        "cwe": [
+          "CWE-79"
+        ],
+        "identifiers": {
+          "summary": "Versions of dojo prior to 1.2.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize HTML code in user-controlled input, allowing attackers to execute arbitrary JavaScript in the victim's browser.",
+          "CVE": [
+            "CVE-2015-5654"
+          ],
+          "githubID": "GHSA-p82g-2xpp-m5r3"
+        },
+        "info": [
+          "https://nvd.nist.gov/vuln/detail/CVE-2015-5654"
+        ]
+      },
       {
         "atOrAbove": "1.2",
         "below": "1.2.4",
@@ -2670,23 +2687,6 @@
           "https://github.com/dojo/dojo/pull/307"
         ]
       },
-      {
-        "below": "1.9.1",
-        "severity": "medium",
-        "cwe": [
-          "CWE-79"
-        ],
-        "identifiers": {
-          "summary": "Versions of dojo prior to 1.2.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize HTML code in user-controlled input, allowing attackers to execute arbitrary JavaScript in the victim's browser.",
-          "CVE": [
-            "CVE-2015-5654"
-          ],
-          "githubID": "GHSA-p82g-2xpp-m5r3"
-        },
-        "info": [
-          "https://nvd.nist.gov/vuln/detail/CVE-2015-5654"
-        ]
-      },
       {
         "atOrAbove": "1.10.0",
         "below": "1.10.10",
@@ -4365,6 +4365,28 @@
           "https://github.com/cure53/DOMPurify/releases"
         ]
       },
+      {
+        "atOrAbove": "0",
+        "below": "2.4.2",
+        "cwe": [
+          "CWE-1321"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "DOMPurify vulnerable to tampering by prototype polution",
+          "CVE": [
+            "CVE-2024-48910"
+          ],
+          "githubID": "GHSA-p3vf-v8qc-cwcr"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-p3vf-v8qc-cwcr",
+          "https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-48910",
+          "https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc",
+          "https://github.com/cure53/DOMPurify"
+        ]
+      },
       {
         "atOrAbove": "0",
         "below": "2.5.0",
@@ -5106,6 +5128,27 @@
           "https://github.com/advisories/GHSA-4p24-vmcr-4gqj"
         ]
       },
+      {
+        "atOrAbove": "1.4.0",
+        "below": "3.4.1",
+        "cwe": [
+          "CWE-79"
+        ],
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes",
+          "CVE": [
+            "CVE-2024-6485"
+          ],
+          "githubID": "GHSA-vxmc-5x29-h64v"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-vxmc-5x29-h64v",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-6485",
+          "https://github.com/twbs/bootstrap",
+          "https://www.herodevs.com/vulnerability-directory/cve-2024-6485"
+        ]
+      },
       {
         "atOrAbove": "3.0.0",
         "below": "3.4.1",
@@ -5744,6 +5787,27 @@
         "info": [
           "https://github.com/vuejs/vue/releases/tag/v2.6.11"
         ]
+      },
+      {
+        "atOrAbove": "2.0.0-alpha.1",
+        "below": "3.0.0-alpha.0",
+        "cwe": [
+          "CWE-1333"
+        ],
+        "severity": "low",
+        "identifiers": {
+          "summary": "ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function",
+          "CVE": [
+            "CVE-2024-9506"
+          ],
+          "githubID": "GHSA-5j4c-8p2g-v4jx"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-5j4c-8p2g-v4jx",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-9506",
+          "https://github.com/vuejs/core",
+          "https://www.herodevs.com/vulnerability-directory/cve-2024-9506"
+        ]
       }
     ],
     "extractors": {
@@ -5757,11 +5821,16 @@
       ],
       "filecontent": [
         "/\\*!\\n \\* Vue.js v(§§version§§)",
+        "/\\*\\*?!?\\n ?\\* vue v(§§version§§)",
         "Vue.version = '(§§version§§)';",
         "'(§§version§§)'[^\\n]{0,8000}Vue compiler",
         "\\* Original file: /npm/vue@(§§version§§)/dist/vue.(global|common).js",
         "const version[ ]*=[ ]*\"(§§version§§)\";[\\s]*/\\*\\*[\\s]*\\* SSR utils for \\\\@vue/server-renderer",
-        "\\.__vue_app__=.{0,8000}?const [a-z]+=\"(§§version§§)\","
+        "\\.__vue_app__=.{0,8000}?const [a-z]+=\"(§§version§§)\",",
+        "let [A-Za-z]+=\"(§§version§§)\",..=\"undefined\"!=typeof window&&window.trustedTypes;if\\(..\\)try\\{.=..\\.createPolicy\\(\"vue\",",
+        "isCustomElement.{1,5}?compilerOptions.{0,500}exposeProxy.{0,700}\"(§§version§§)\"",
+        "\"(§§version§§)\"[\\s\\S]{0,150}\\.createPolicy\\(\"vue\"",
+        "devtoolsFormatters[\\s\\S]{50,180}\"(§§version§§)\"[\\s\\S]{50,180}\\.createElement\\(\"template\"\\)"
       ]
     }
   },
@@ -6250,7 +6319,7 @@
       },
       {
         "below": "3.8.0",
-        "severity": "high",
+        "severity": "medium",
         "cwe": [
           "CWE-22"
         ],
@@ -6679,7 +6748,7 @@
         ]
       },
       {
-        "atOrAbove": "13.4.0",
+        "atOrAbove": "13.3.1",
         "below": "13.5.0",
         "cwe": [
           "CWE-400"
@@ -6814,6 +6883,29 @@
           "https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda",
           "https://github.com/vercel/next.js"
         ]
+      },
+      {
+        "atOrAbove": "9.5.5",
+        "below": "14.2.15",
+        "cwe": [
+          "CWE-285"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "Next.js authorization bypass vulnerability",
+          "CVE": [
+            "CVE-2024-51479"
+          ],
+          "githubID": "GHSA-7gfc-8cq8-jh5f"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-7gfc-8cq8-jh5f",
+          "https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-51479",
+          "https://github.com/vercel/next.js/commit/1c8234eb20bc8afd396b89999a00f06b61d72d7b",
+          "https://github.com/vercel/next.js",
+          "https://github.com/vercel/next.js/releases/tag/v14.2.15"
+        ]
       }
     ],
     "extractors": {

test/lib/actions/RuleListAction.test.ts

@@ -58,7 +58,7 @@ describe("Tests for RuleListAction", () => {
 			await ruleListAction.run(inputs);
 
 			let tableData: Ux.Table.Data[] = display.getLastTableData();
-			expect(tableData).to.have.length(223);
+			expect(tableData).to.have.length(230);
 
 			for (const rowData of tableData) {
 				expect(rowData.engine).to.equal('eslint-lwc');