diff --git a/package.json b/package.json
index d6ed9833f..0653241e5 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@salesforce/sfdx-scanner",
 "description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
- "version": "4.10.0",
+ "version": "4.11.0",
 "author": "Salesforce Code Analyzer Team",
 "bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 "dependencies": {
diff --git a/pmd7/build.gradle.kts b/pmd7/build.gradle.kts
index 8790f32f2..7bc450416 100644
--- a/pmd7/build.gradle.kts
+++ b/pmd7/build.gradle.kts
@@ -10,7 +10,7 @@ repositories { } // Keep this in sync with src/Constants.ts > PMD7_VERSION
-var pmd7Version = "7.10.0"
+var pmd7Version = "7.11.0"
 val pmdDist7Dir = "$buildDir/../../dist/pmd7"
diff --git a/retire-js/RetireJsVulns.json b/retire-js/RetireJsVulns.json
index 83635da4f..e52816ab9 100644
--- a/retire-js/RetireJsVulns.json
+++ b/retire-js/RetireJsVulns.json
@@ -4482,6 +4482,30 @@
 "https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc",
 "https://github.com/cure53/DOMPurify"
 ]
+ },
+ {
+ "atOrAbove": "0",
+ "below": "3.2.4",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "DOMPurify allows Cross-site Scripting (XSS)",
+ "CVE": [
+ "CVE-2025-26791"
+ ],
+ "githubID": "GHSA-vhxf-7vqr-mrjg"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-vhxf-7vqr-mrjg",
+ "https://nvd.nist.gov/vuln/detail/CVE-2025-26791",
+ "https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02",
+ "https://ensy.zip/posts/dompurify-323-bypass",
+ "https://github.com/cure53/DOMPurify",
+ "https://github.com/cure53/DOMPurify/releases/tag/3.2.4",
+ "https://nsysean.github.io/posts/dompurify-323-bypass"
+ ]
 }
 ],
 "extractors": {
@@ -6142,6 +6166,30 @@
 "https://github.com/axios/axios/releases/tag/v1.7.4",
 "https://jeffhacks.com/advisories/2024/06/24/CVE-2024-39338.html"
 ]
+ },
+ {
+ "atOrAbove": "0",
+ "below": "1.8.2",
+ "cwe": [
+ "CWE-918"
+ ],
+ "severity": "high",
+ "identifiers": {
+ "summary": "axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL",
+ "CVE": [
+ "CVE-2025-27152"
+ ],
+ "githubID": "GHSA-jr5f-v2jv-69x6"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-jr5f-v2jv-69x6",
+ "https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6",
+ "https://nvd.nist.gov/vuln/detail/CVE-2025-27152",
+ "https://github.com/axios/axios/issues/6463",
+ "https://github.com/axios/axios/commit/fb8eec214ce7744b5ca787f2c3b8339b2f54b00f",
+ "https://github.com/axios/axios",
+ "https://github.com/axios/axios/releases/tag/v1.8.2"
+ ]
 }
 ],
 "extractors": {
@@ -7128,6 +7176,27 @@
 "https://froala.com/wysiwyg-editor/changelog/#4.1.4",
 "https://github.com/advisories/GHSA-hvpq-7vcc-5hj5"
 ]
+ },
+ {
+ "atOrAbove": "0",
+ "below": "4.3.1",
+ "cwe": [
+ "CWE-79"
+ ],
+ "severity": "medium",
+ "identifiers": {
+ "summary": "Froala WYSIWYG editor allows cross-site scripting (XSS)",
+ "CVE": [
+ "CVE-2024-51434"
+ ],
+ "githubID": "GHSA-549p-5c7f-c5p4"
+ },
+ "info": [
+ "https://github.com/advisories/GHSA-549p-5c7f-c5p4",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-51434",
+ "https://georgyg.com/home/froala-wysiwyg-editor---xss-cve-2024-51434",
+ "https://github.com/froala/wysiwyg-editor"
+ ]
 }
 ],
 "extractors": {
diff --git a/src/Constants.ts b/src/Constants.ts
index 5c79ee33b..1e9ef70c1 100644
--- a/src/Constants.ts
+++ b/src/Constants.ts
@@ -2,7 +2,7 @@ import os = require('os');
 import path = require('path'); // Keep this in sync with /pmd7/build.gradle.kts > pmd7Version
-export const PMD7_VERSION = '7.10.0';
+export const PMD7_VERSION = '7.11.0';
 export const PMD_APPEXCHANGE_RULES_VERSION = '0.16';