RELEASE @W-16879137@: Conducting v4.7.0 release

messages/common.md

@@ -4,4 +4,4 @@ Emit additional command output to stdout.
 
 # surveyRequestMessage
 
-We're continually improving Salesforce Code Analyzer. Tell us what you think! Give feedback at https://research.net/r/SalesforceCA
+We're continually improving Salesforce Code Analyzer. Tell us what you think! Give feedback at http://sfdc.co/CodeAnalyzerFeedback

package.json

@@ -1,7 +1,7 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "4.6.0",
+	"version": "4.7.0",
 	"author": "Salesforce Code Analyzer Team",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {

pmd-appexchange/docs/AvoidDisableProtocolSecurityInXML.md

@@ -0,0 +1,18 @@
+AvoidDisableProtocolSecurityInXML[](#avoiddisableprotocolsecurityinxml)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Protocol security setting is disabled
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects if "Disable Protocol Security" setting is checked/true
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidInsecureHttpRemoteSiteSettingInXML.md

@@ -0,0 +1,18 @@
+AvoidInsecureHttpRemoteSiteSettingInXML[](#avoidinsecurehttpremotesitesettinginxml)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Avoid using insecure http urls in Remote Site Settings.
+
+
+**Priority:** Medium (3)
+
+**Description:**
+
+   Detects instances of a Remote Site Settings that use HTTP.Use HTTPS instead.
+
+**Example(s):**
+
+
+

pmd-appexchange/docs/AvoidLmcIsExposedTrueInXML.md

@@ -0,0 +1,18 @@
+AvoidLmcIsExposedTrueInXML[](#avoidlmcisexposedtrueinxml)
+------------------------------------------------------------------------------------------------------------------------------------------------------
+
+**Violation:**
+
+   Detected Lightning Message Channel with isExposed set to true.
+
+
+**Priority:** High (2)
+
+**Description:**
+
+   Detects a Lightning Message Channel with isExposed=true,which isn’t allowed in managed packages.
+
+**Example(s):**
+
+
+

pmd7/build.gradle.kts

@@ -10,7 +10,7 @@ repositories {
 }
 
 // Keep this in sync with src/Constants.ts > PMD7_VERSION
-var pmd7Version = "7.5.0"
+var pmd7Version = "7.6.0"
 
 val pmdDist7Dir = "$buildDir/../../dist/pmd7"
 

retire-js/RetireJsVulns.json

@@ -78,6 +78,7 @@
         ]
       },
       {
+        "atOrAbove": "1.2.1",
         "below": "1.9.0",
         "cwe": [
           "CWE-79"
@@ -92,7 +93,8 @@
         },
         "info": [
           "https://github.com/advisories/GHSA-q4m3-2j7h-f7xw",
-          "https://nvd.nist.gov/vuln/detail/CVE-2020-7656"
+          "https://nvd.nist.gov/vuln/detail/CVE-2020-7656",
+          "https://research.insecurelabs.org/jquery/test/"
         ]
       },
       {
@@ -4363,6 +4365,30 @@
           "https://github.com/cure53/DOMPurify/releases"
         ]
       },
+      {
+        "atOrAbove": "0",
+        "below": "2.5.0",
+        "cwe": [
+          "CWE-79"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "DOMpurify has a nesting-based mXSS",
+          "CVE": [
+            "CVE-2024-47875"
+          ],
+          "githubID": "GHSA-gx9m-whjm-85jf"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-gx9m-whjm-85jf",
+          "https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-47875",
+          "https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f",
+          "https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a",
+          "https://github.com/cure53/DOMPurify",
+          "https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098"
+        ]
+      },
       {
         "atOrAbove": "0",
         "below": "2.5.4",
@@ -4387,6 +4413,30 @@
           "https://github.com/cure53/DOMPurify"
         ]
       },
+      {
+        "atOrAbove": "3.0.0",
+        "below": "3.1.3",
+        "cwe": [
+          "CWE-79"
+        ],
+        "severity": "high",
+        "identifiers": {
+          "summary": "DOMpurify has a nesting-based mXSS",
+          "CVE": [
+            "CVE-2024-47875"
+          ],
+          "githubID": "GHSA-gx9m-whjm-85jf"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-gx9m-whjm-85jf",
+          "https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-47875",
+          "https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f",
+          "https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a",
+          "https://github.com/cure53/DOMPurify",
+          "https://github.com/cure53/DOMPurify/blob/0ef5e537a514f904b6aa1d7ad9e749e365d7185f/test/test-suite.js#L2098"
+        ]
+      },
       {
         "atOrAbove": "3.0.0",
         "below": "3.1.3",
@@ -5613,6 +5663,28 @@
           "https://github.com/ckeditor/ckeditor5/compare/v34.2.0...v35.0.0",
           "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-42wq-rch8-6f6j"
         ]
+      },
+      {
+        "atOrAbove": "40.0.0",
+        "below": "43.1.1",
+        "cwe": [
+          "CWE-79"
+        ],
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Cross-site scripting (XSS) in the clipboard package",
+          "CVE": [
+            "CVE-2024-45613"
+          ],
+          "githubID": "GHSA-rgg8-g5x8-wr9v"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-rgg8-g5x8-wr9v",
+          "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-rgg8-g5x8-wr9v",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-45613",
+          "https://github.com/ckeditor/ckeditor5",
+          "https://github.com/ckeditor/ckeditor5/releases/tag/v43.1.1"
+        ]
       }
     ],
     "extractors": {
@@ -6697,6 +6769,28 @@
           "https://github.com/vercel/next.js"
         ]
       },
+      {
+        "atOrAbove": "10.0.0",
+        "below": "14.2.7",
+        "cwe": [
+          "CWE-674"
+        ],
+        "severity": "medium",
+        "identifiers": {
+          "summary": "Denial of Service condition in Next.js image optimization",
+          "CVE": [
+            "CVE-2024-47831"
+          ],
+          "githubID": "GHSA-g77x-44xx-532m"
+        },
+        "info": [
+          "https://github.com/advisories/GHSA-g77x-44xx-532m",
+          "https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m",
+          "https://nvd.nist.gov/vuln/detail/CVE-2024-47831",
+          "https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a",
+          "https://github.com/vercel/next.js"
+        ]
+      },
       {
         "atOrAbove": "14.0.0",
         "below": "14.2.10",

src/Constants.ts

@@ -2,9 +2,9 @@ import os = require('os');
 import path = require('path');
 
 // Keep this in sync with <repoRoot>/pmd7/build.gradle.kts > pmd7Version
-export const PMD7_VERSION = '7.5.0';
+export const PMD7_VERSION = '7.6.0';
 
-export const PMD_APPEXCHANGE_RULES_VERSION = '0.15';
+export const PMD_APPEXCHANGE_RULES_VERSION = '0.16';
 
 // Keep this in sync with <repoRoot>/sfge/build.gradle.kts > version
 export const SFGE_VERSION = '1.0.1-pilot';