diff --git a/package.json b/package.json
index 86fc1ac50..3c8832829 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
{
"name": "@salesforce/sfdx-scanner",
"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
- "version": "3.18.0",
+ "version": "3.19.0",
"author": "ISV SWAT",
"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
"dependencies": {
diff --git a/retire-js/RetireJsVulns.json b/retire-js/RetireJsVulns.json
index b8b1f771b..669d6720c 100644
--- a/retire-js/RetireJsVulns.json
+++ b/retire-js/RetireJsVulns.json
@@ -8,11 +8,11 @@
"CWE-477"
],
"identifiers": {
+ "summary": "bug summary",
"CVE": [
"CVE-XXXX-XXXX"
],
- "bug": "1234",
- "summary": "bug summary"
+ "bug": "1234"
},
"info": [
"http://github.com/eoftedal/retire.js/"
@@ -44,16 +44,16 @@
"CWE-79"
],
"identifiers": {
+ "summary": "XSS with location.hash",
"CVE": [
"CVE-2011-4969"
],
- "summary": "XSS with location.hash",
"githubID": "GHSA-579v-mp3v-rrw5"
},
"info": [
- "https://nvd.nist.gov/vuln/detail/CVE-2011-4969",
"http://research.insecurelabs.org/jquery/test/",
- "https://bugs.jquery.com/ticket/9521"
+ "https://bugs.jquery.com/ticket/9521",
+ "https://nvd.nist.gov/vuln/detail/CVE-2011-4969"
]
},
{
@@ -62,19 +62,19 @@
"CWE-64",
"CWE-79"
],
+ "severity": "medium",
"identifiers": {
+ "summary": "Selector interpreted as HTML",
"CVE": [
"CVE-2012-6708"
],
"bug": "11290",
- "summary": "Selector interpreted as HTML",
"githubID": "GHSA-2pqj-h3vj-pqgw"
},
- "severity": "medium",
"info": [
"http://bugs.jquery.com/ticket/11290",
- "https://nvd.nist.gov/vuln/detail/CVE-2012-6708",
- "http://research.insecurelabs.org/jquery/test/"
+ "http://research.insecurelabs.org/jquery/test/",
+ "https://nvd.nist.gov/vuln/detail/CVE-2012-6708"
]
},
{
@@ -82,14 +82,14 @@
"cwe": [
"CWE-79"
],
+ "severity": "medium",
"identifiers": {
+ "summary": "Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove \"\", which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim's browser.\n\n\n## Recommendation\n\nUpgrade to version 1.9.0 or later.",
"CVE": [
"CVE-2020-7656"
],
- "summary": "Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove \"\", which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim's browser.\n\n\n## Recommendation\n\nUpgrade to version 1.9.0 or later.",
"githubID": "GHSA-q4m3-2j7h-f7xw"
},
- "severity": "medium",
"info": [
"https://github.com/advisories/GHSA-q4m3-2j7h-f7xw",
"https://nvd.nist.gov/vuln/detail/CVE-2020-7656"
@@ -101,84 +101,108 @@
"cwe": [
"CWE-79"
],
+ "severity": "medium",
"identifiers": {
- "issue": "2432",
"summary": "3rd party CORS request may execute",
+ "issue": "2432",
"CVE": [
"CVE-2015-9251"
],
"githubID": "GHSA-rmxg-73gg-4p98"
},
- "severity": "medium",
"info": [
- "https://github.com/jquery/jquery/issues/2432",
"http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/",
- "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
- "http://research.insecurelabs.org/jquery/test/"
+ "http://research.insecurelabs.org/jquery/test/",
+ "https://bugs.jquery.com/ticket/11974",
+ "https://github.com/advisories/GHSA-rmxg-73gg-4p98",
+ "https://github.com/jquery/jquery/issues/2432",
+ "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
]
},
{
- "atOrAbove": "1.12.3",
- "below": "3.0.0-beta1",
+ "atOrAbove": "1.8.0",
+ "below": "1.12.0",
"cwe": [
"CWE-79"
],
+ "severity": "medium",
"identifiers": {
- "issue": "2432",
"summary": "3rd party CORS request may execute",
+ "issue": "2432",
"CVE": [
"CVE-2015-9251"
],
"githubID": "GHSA-rmxg-73gg-4p98"
},
- "severity": "medium",
"info": [
- "https://github.com/jquery/jquery/issues/2432",
"http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/",
- "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
- "http://research.insecurelabs.org/jquery/test/"
+ "http://research.insecurelabs.org/jquery/test/",
+ "https://bugs.jquery.com/ticket/11974",
+ "https://github.com/advisories/GHSA-rmxg-73gg-4p98",
+ "https://github.com/jquery/jquery/issues/2432",
+ "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
]
},
{
- "atOrAbove": "1.8.0",
- "below": "1.12.0",
+ "atOrAbove": "1.12.2",
+ "below": "2.2.0",
"cwe": [
"CWE-79"
],
+ "severity": "medium",
"identifiers": {
+ "summary": "3rd party CORS request may execute",
+ "issue": "2432",
"CVE": [
"CVE-2015-9251"
],
- "issue": "11974",
- "summary": "parseHTML() executes scripts in event handlers",
"githubID": "GHSA-rmxg-73gg-4p98"
},
- "severity": "medium",
"info": [
+ "http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/",
+ "http://research.insecurelabs.org/jquery/test/",
"https://bugs.jquery.com/ticket/11974",
- "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
- "http://research.insecurelabs.org/jquery/test/"
+ "https://github.com/advisories/GHSA-rmxg-73gg-4p98",
+ "https://github.com/jquery/jquery/issues/2432",
+ "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
]
},
{
- "atOrAbove": "1.12.2",
- "below": "2.2.0",
+ "below": "2.999.999",
+ "cwe": [
+ "CWE-1104"
+ ],
+ "severity": "low",
+ "identifiers": {
+ "summary": "jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates",
+ "retid": "73"
+ },
+ "info": [
+ "https://github.com/jquery/jquery.com/issues/162"
+ ]
+ },
+ {
+ "atOrAbove": "1.12.3",
+ "below": "3.0.0-beta1",
"cwe": [
"CWE-79"
],
+ "severity": "medium",
"identifiers": {
+ "summary": "3rd party CORS request may execute",
+ "issue": "2432",
"CVE": [
"CVE-2015-9251"
],
- "issue": "11974",
- "summary": "parseHTML() executes scripts in event handlers",
"githubID": "GHSA-rmxg-73gg-4p98"
},
- "severity": "medium",
"info": [
+ "http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/",
+ "http://research.insecurelabs.org/jquery/test/",
"https://bugs.jquery.com/ticket/11974",
- "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
- "http://research.insecurelabs.org/jquery/test/"
+ "https://github.com/advisories/GHSA-rmxg-73gg-4p98",
+ "https://github.com/jquery/jquery/issues/2432",
+ "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
]
},
{
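Review bot: The entries for the `1.12.2`–`2.2.0` and `1.12.3`–`3.0.0-beta1` ranges now carry `"summary": "3rd party CORS request may execute"` with `"issue": "2432"`, yet each still lists `https://bugs.jquery.com/ticket/11974` under `info`, the ticket that belonged to the removed `"parseHTML() executes scripts in event handlers"` summary; the hunk at `@@ -187,19 +211,22 @@` has the same mismatch. On the new side no entry in this hunk describes the parseHTML issue any more, so a scan hit on these versions reports only the CORS summary while pointing readers at the parseHTML ticket, and the `1.12.3`–`2.2.0` overlap between the two ranges (already present on the old side) means one version can match both. If this file is regenerated from the upstream retire.js repository the correction belongs in the sync source rather than here; otherwise either keep a separate entry for ticket 11974 with its own summary or drop that link from the entries it no longer describes. The `2.999.999` end-of-life entry added in the same hunk looks consistent with the rest of the file, so this note is only about the CVE-2015-9251 entries.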
@@ -187,19 +211,22 @@
"cwe": [
"CWE-79"
],
+ "severity": "medium",
"identifiers": {
+ "summary": "3rd party CORS request may execute",
+ "issue": "2432",
"CVE": [
"CVE-2015-9251"
],
- "issue": "11974",
- "summary": "parseHTML() executes scripts in event handlers",
"githubID": "GHSA-rmxg-73gg-4p98"
},
- "severity": "medium",
"info": [
+ "http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/",
+ "http://research.insecurelabs.org/jquery/test/",
"https://bugs.jquery.com/ticket/11974",
- "https://nvd.nist.gov/vuln/detail/CVE-2015-9251",
- "http://research.insecurelabs.org/jquery/test/"
+ "https://github.com/advisories/GHSA-rmxg-73gg-4p98",
+ "https://github.com/jquery/jquery/issues/2432",
+ "https://nvd.nist.gov/vuln/detail/CVE-2015-9251"
]
},
{
@@ -208,14 +235,14 @@
"cwe": [
"CWE-400"
],
+ "severity": "high",
"identifiers": {
+ "summary": "Denial of Service in jquery",
"CVE": [
"CVE-2016-10707"
],
- "summary": "Denial of Service in jquery",
"githubID": "GHSA-mhpp-875w-9cpv"
},
- "severity": "high",
"info": [
"https://nvd.nist.gov/vuln/detail/CVE-2016-10707"
]
@@ -227,73 +254,58 @@
"CWE-1321",
"CWE-79"
],
+ "severity": "medium",
"identifiers": {
+ "summary": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution",
"CVE": [
"CVE-2019-11358"
],
"PR": "4333",
- "summary": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution",
"githubID": "GHSA-6c3j-c64m-qhgq"
},
- "severity": "medium",
"info": [
"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
- "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
- "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b"
+ "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b",
+ "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
]
},
{
+ "atOrAbove": "1.0.3",
"below": "3.5.0",
- "atOrAbove": "1.2.0",
"cwe": [
"CWE-79"
],
+ "severity": "medium",
"identifiers": {
+ "summary": "passing HTML containing