RELEASE: @W-13805530@: Merging dev to release for 3.15.0

.gitignore

@@ -1,6 +1,7 @@
 /build
 /test-results
 /test-coverage
+/typescript-test-results
 .DS_Store
 *-debug.log
 *-error.log
@@ -11,6 +12,10 @@
 /tmp
 node_modules
 /out
+# Build folders
+/sample-code/pmd-example-rules/target
+
+
 # Logs
 logs
 *.log

README.md

@@ -1,26 +1,26 @@
-[![CircleCI](https://circleci.com/gh/forcedotcom/sfdx-scanner/tree/master.svg?style=shield)](https://circleci.com/gh/forcedotcom/sfdx-scanner/tree/master)
 [![License](https://img.shields.io/npm/l/scanner.svg)](https://github.com/forcedotcom/sfdx-scanner/blob/master/package.json)
 
-# Salesforce CLI Scanner Plug-in
-The Salesforce CLI Scanner plug-in is a unified tool for static analysis of source code, in multiple languages (including Apex), with a consistent command-line interface and report output. We currently support the PMD rule engine and ESLint. We may add support for more rule engines in the future.
+# Salesforce Code Analyzer
+Salesforce Code Analyzer is a unified tool for static analysis of source code.
+Code Analyzer analyzes multiple languages.
+It relies on a consistent command-line interface and produces a results file of rule violations.
+Use the results to review and improve your code.
 
-The Salesforce CLI Scanner Plug-in creates "Rule Violations" when the scanner identifies issues. Developers use this information as feedback to fix their code.
+If you're listing a managed package on AppExchange, it must pass security review.
+You're also required to upload your Salesforce Code Analyzer scan reports.
+Attach your Code Analyzer reports to your submission in the AppExchange Security Review Wizard.
+For more info, read [Scan Your Code with Salesforce Code Analyzer](https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/security_review_code_analyzer_scan.htm) and [AppExchange Security Review](https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/security_review_overview.htm).
 
-You can integrate this plug-in into your CI/CD solution to enforce the rules and expect high-quality code.
+Code Analyzer current supports the PMD rule engine, PMD Copy Paste Detector, ESLint, RetireJS, and Salesforce Graph Engine.
 
-# Official Documentation
-All the official documentation on the Salesforce CLI Scanner plug-in is hosted on [GitHub Pages](https://forcedotcom.github.io/sfdx-scanner/). These documents include instructions on how to install the plug-in, the command reference, writing and managing custom rules and an overview of the architecture of the plug-in.
+Integrate Code Analyzer into your Continuous Integration/Continuous Development (CI/CD) process to enforce rules that you define and to produce high-quality code.
 
-### Document Link
-https://forcedotcom.github.io/sfdx-scanner/
+# Salesforce Code Analyzer Documentation
+Read [Salesforce Code Analyzer](https://forcedotcom.github.io/sfdx-scanner/) documentation to learn:
+* how to install Code Analyzer
+* what is included in the Code Analyzer command reference
+* the structure of Code Analyzer architecture
+* how to write and manage custom rules
 
-### Building/Contributing
-Instructions [here](CONTRIBUTING.md).
-
-=======
-
-# Usage
-
-Here is the information on [How to Install the plugin](https://forcedotcom.github.io/sfdx-scanner/en/v3.x/getting-started/install/)
-
-Please check out the [Salesforce CLI Scanner Plug-In Command Reference](https://forcedotcom.github.io/sfdx-scanner/en/v3.x/scanner-commands/run/) for usage and demo of the plugin. 
+### Contribute to Salesforce Code Analyzer
+Read these instructions to [contribute to Code Analyzer](https://github.com/forcedotcom/sfdx-scanner/blob/dev/CONTRIBUTING.md)

package.json

@@ -1,7 +1,7 @@
 {
 	"name": "@salesforce/sfdx-scanner",
 	"description": "Static code scanner that applies quality and security rules to Apex code, and provides feedback.",
-	"version": "3.14.0",
+	"version": "3.15.0",
 	"author": "ISV SWAT",
 	"bugs": "https://github.com/forcedotcom/sfdx-scanner/issues",
 	"dependencies": {

retire-js/RetireJsVulns.json

@@ -70,7 +70,7 @@
           "summary": "Selector interpreted as HTML",
           "githubID": "GHSA-2pqj-h3vj-pqgw"
         },
-        "severity": "high",
+        "severity": "medium",
         "info": [
           "http://bugs.jquery.com/ticket/11290",
           "https://nvd.nist.gov/vuln/detail/CVE-2012-6708",
@@ -269,7 +269,8 @@
         ],
         "identifiers": {
           "CVE": [
-            "CVE-2020-11023"
+            "CVE-2020-11023",
+            "CVE-2020-23064"
           ],
           "issue": "4647",
           "summary": "passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.",
@@ -388,7 +389,7 @@
       },
       {
         "below": "1.19.4",
-        "severity": "low",
+        "severity": "medium",
         "cwe": [
           "CWE-1333"
         ],
@@ -834,6 +835,84 @@
       "hashes": {}
     }
   },
+  "jquery.terminal": {
+    "vulnerabilities": [
+      {
+        "below": "1.21.0",
+        "severity": "medium",
+        "cwe": [
+          "CWE-79"
+        ],
+        "identifiers": {
+          "summary": "Reflected Cross-Site Scripting in jquery.terminal",
+          "githubID": "GHSA-2hwp-g4g7-mwwj"
+        },
+        "info": [
+          "https://github.com/jcubic/jquery.terminal/commit/c8b7727d21960031b62a4ef1ed52f3c634046211",
+          "https://www.npmjs.com/advisories/769"
+        ]
+      },
+      {
+        "below": "2.31.1",
+        "severity": "low",
+        "cwe": [
+          "CWE-79",
+          "CWE-80"
+        ],
+        "identifiers": {
+          "summary": "jquery.terminal self XSS on user input",
+          "githubID": "GHSA-x9r5-jxvq-4387",
+          "CVE": [
+            "CVE-2021-43862"
+          ]
+        },
+        "info": [
+          "https://github.com/jcubic/jquery.terminal/security/advisories/GHSA-x9r5-jxvq-4387",
+          "https://nvd.nist.gov/vuln/detail/CVE-2021-43862"
+        ]
+      }
+    ],
+    "extractors": {
+      "uri": [
+        "/jquery.terminal[@/](§§version§§)/"
+      ],
+      "filecontent": [
+        "version (§§version§§)[\\s]+\\*[\\s]+\\* This file is part of jQuery Terminal.",
+        "\\$\\.terminal=\\{version:\"(§§version§§)\""
+      ]
+    }
+  },
+  "jquery-deparam": {
+    "vulnerabilities": [
+      {
+        "below": "999",
+        "severity": "high",
+        "cwe": [
+          "CWE-1321"
+        ],
+        "identifiers": {
+          "githubID": "GHSA-xg68-chx2-253g",
+          "CVE": [
+            "CVE-2021-20087"
+          ]
+        },
+        "info": [
+          "https://nvd.nist.gov/vuln/detail/CVE-2021-20087"
+        ]
+      }
+    ],
+    "extractors": {
+      "hashes": {
+        "61c9d49ae64331402c3bde766c9dc504ed2ca509": "0.5.3",
+        "10a68e5048995351a01b0ad7f322bb755a576a02": "0.5.2",
+        "b8f063c860fa3aab266df06b290e7da648f9328d": "0.4.2",
+        "851bc74dc664aa55130ecc74dd6b1243becc3242": "0.4.1",
+        "2aae12841f4d00143ffc1effa59fbd058218c29f": "0.4.0",
+        "967942805137f9eb0ae26005d94e8285e2e288a0": "0.3.0",
+        "fbf2e115feae7ade26788e38ebf338af11a98bb2": "0.1.0"
+      }
+    }
+  },
   "jPlayer": {
     "bowername": [
       "jPlayer"
@@ -1062,16 +1141,13 @@
       },
       {
         "below": "4.9.7",
-        "severity": "medium",
+        "severity": "high",
         "cwe": [
           "CWE-79"
         ],
         "identifiers": {
           "summary": "TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.",
-          "githubID": "GHSA-p7j5-4mwm-hv86",
-          "CVE": [
-            "CVE-2020-17480"
-          ]
+          "githubID": "GHSA-p7j5-4mwm-hv86"
         },
         "info": [
           "https://github.com/tinymce/tinymce/security/advisories/GHSA-p7j5-4mwm-hv86"
@@ -1080,16 +1156,13 @@
       {
         "below": "5.1.4",
         "atOrAbove": "5.0.0",
-        "severity": "medium",
+        "severity": "high",
         "cwe": [
           "CWE-79"
         ],
         "identifiers": {
           "summary": "TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parser, the paste plugin, and the visualchars plugin by using the clipboard or APIs to insert content into the editor.",
-          "githubID": "GHSA-p7j5-4mwm-hv86",
-          "CVE": [
-            "CVE-2020-17480"
-          ]
+          "githubID": "GHSA-p7j5-4mwm-hv86"
         },
         "info": [
           "https://github.com/tinymce/tinymce/security/advisories/GHSA-p7j5-4mwm-hv86"
@@ -1138,8 +1211,10 @@
         ],
         "identifiers": {
           "summary": "Cross-site scripting vulnerability in TinyMCE",
-          "retid": "63",
-          "githubID": "GHSA-vrv8-v4w8-f95h"
+          "githubID": "GHSA-vrv8-v4w8-f95h",
+          "CVE": [
+            "CVE-2020-12648"
+          ]
         },
         "info": [
           "https://github.com/tinymce/tinymce/security/advisories/GHSA-vrv8-v4w8-f95h"
@@ -1154,8 +1229,10 @@
         ],
         "identifiers": {
           "summary": "Cross-site scripting vulnerability in TinyMCE",
-          "retid": "63",
-          "githubID": "GHSA-vrv8-v4w8-f95h"
+          "githubID": "GHSA-vrv8-v4w8-f95h",
+          "CVE": [
+            "CVE-2020-12648"
+          ]
         },
         "info": [
           "https://github.com/tinymce/tinymce/security/advisories/GHSA-vrv8-v4w8-f95h"
@@ -1170,7 +1247,10 @@
         ],
         "identifiers": {
           "summary": "The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs",
-          "githubID": "GHSA-27gm-ghr9-4v95"
+          "githubID": "GHSA-27gm-ghr9-4v95",
+          "CVE": [
+            "CVE-2020-17480"
+          ]
         },
         "info": [
           "https://github.com/tinymce/tinymce/security/advisories/GHSA-27gm-ghr9-4v95"
@@ -1184,7 +1264,10 @@
         ],
         "identifiers": {
           "summary": "The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs",
-          "githubID": "GHSA-27gm-ghr9-4v95"
+          "githubID": "GHSA-27gm-ghr9-4v95",
+          "CVE": [
+            "CVE-2020-17480"
+          ]
         },
         "info": [
           "https://github.com/tinymce/tinymce/security/advisories/GHSA-27gm-ghr9-4v95"

sample-code/pmd-example-rules/README.md

@@ -0,0 +1,17 @@
+# PMD Example Rules
+Salesforce Code Analyzer supports the use of custom PMD rules. If your custom PMD rules include Java code,
+then you must compile your Java code into a JAR before you register it with Code Analyzer.
+
+This project is an example of how to write Java-based PMD rules, and use Maven to compile them into a JAR.
+
+## How do I build this project?
+1. Install [Maven](https://maven.apache.org/guides/getting-started/maven-in-five-minutes.html).
+2. Clone the [Code Analyzer](https://github.com/forcedotcom/sfdx-scanner) project.
+3. From the `sample-code/pmd-example-rules` directory, run `mvn clean package`.
+4. Notice the new folder was created named `target`. It contains a file named `pmd-example-rules-1.0-SNAPSHOT.jar`.
+5. From the `sample-code/pmd-example-rules` directory, run `sfdx scanner:rule:add --language apex --path ./target/pmd-example-rules-1.0-SNAPSHOT.jar`.
+6. Run `scanner:rule:list --category CustomRules --engine pmd` to confirm the addition of the new rule.
+7. Run `scanner:run --category CustomRules --engine pmd --target path/to/any/apexfile.cls` and view the new rule violation.
+
+## What else can I do with this project?
+Use this project as a template for how to define and build your own custom rules, categories, and rulesets.

sample-code/pmd-example-rules/pom.xml

@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This is a sample POM file allowing this module to be compiled and bundled into a JAR via maven.
+If you have Maven properly configured on your machine, you can run `mvn clean package` to build
+a JAR containing everything needed to register and run a custom rule.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<groupId>org.example</groupId>
+	<!-- These two tags determine the name of the created JAR. -->
+	<artifactId>pmd-example-rules</artifactId>
+	<version>1.0-SNAPSHOT</version>
+
+	<properties>
+		<maven.compiler.source>11</maven.compiler.source>
+		<maven.compiler.target>11</maven.compiler.target>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>net.sourceforge.pmd</groupId>
+			<artifactId>pmd</artifactId>
+			<version>6.55.0</version>
+			<type>pom</type>
+		</dependency>
+		<dependency>
+			<groupId>net.sourceforge.pmd</groupId>
+			<artifactId>pmd-apex</artifactId>
+			<version>6.55.0</version>
+		</dependency>
+		<dependency>
+			<groupId>net.sourceforge.pmd</groupId>
+			<artifactId>pmd-apex-jorje</artifactId>
+			<version>6.55.0</version>
+			<type>pom</type>
+		</dependency>
+		<dependency>
+			<groupId>org.ow2.asm</groupId>
+			<artifactId>asm</artifactId>
+			<version>9.4</version>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<artifactId>maven-compiler-plugin</artifactId>
+				<version>3.8.1</version>
+				<configuration>
+					<release>11</release>
+				</configuration>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-jar-plugin</artifactId>
+				<configuration>
+					<includes>
+						<!-- Make sure to include all your custom Java. -->
+						<include>com/**/*.class</include>
+						<!-- Make sure to include all your custom category and ruleset XMLs. -->
+						<include>category/**/*.xml</include>
+						<include>rulesets/**/*.xml</include>
+					</includes>
+					<archive>
+						<manifest>
+							<addClasspath>true</addClasspath>
+						</manifest>
+						<addMavenDescriptor>false</addMavenDescriptor>
+					</archive>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+</project>

sample-code/pmd-example-rules/src/main/java/com/example/pmd/ExampleCustomRule.java

@@ -0,0 +1,20 @@
+package com.example.pmd;
+
+import net.sourceforge.pmd.lang.apex.ast.ASTUserClass;
+import net.sourceforge.pmd.lang.apex.rule.AbstractApexRule;
+
+/**
+ * This class is an example for how one can write a custom PMD rule for Apex.
+ */
+public class ExampleCustomRule extends AbstractApexRule {
+
+    /**
+     * This is a sample implementation for a `visit()` method. It throws a violation
+     * for every Apex class it encounters. Your rule will probably be more interesting than this.
+     */
+    @Override
+    public Object visit(ASTUserClass someClass, Object data) {
+        asCtx(data).addViolation(someClass);
+        return data;
+    }
+}