upgrade code analyzer to v5 (#6386)

* upgrade code analyzer to v5

* change reference of sfdx-scanner dependency to code-analyzer

* updated commands syntax to the new syntax of code-analyzer v5

* fix command argument per line issue

* use new name of code-analyzer package name

* Update salesforce.megalinter-descriptor.yml

* Update salesforce.megalinter-descriptor.yml

* [build-command] Update generated files

* Update salesforce.megalinter-descriptor.yml

* Update salesforce.megalinter-descriptor.yml

* [build-command] Update generated files

* Apply suggestion for renovate comment

* [build-command] Update generated files

* add code-analyzer as a new linter and keep sfdx-scanner

* revise entrypoint and pyproject

* Delete .eslintignore

* revert changelog

* move lightning flow scanner under sfdx scanner

* fix one line per argument

* [build-command] Update generated files

* generate documenation for new linter (code-analyzer)

* fix descriptor

* modify regex for the test class

* chore(deps): update dependency langchain_core to v1.0.7 [security]

* chore(deps): update actions/checkout action to v6

* Handle more checkout action use cases

* trvy

* Add deprecations

* trvy

* fix: update Salesforce code analyzer configuration and references

* test classes

* fix

* trvy

* Updates Salesforce Code Analyzer to v5.6.1

Updates the Salesforce Code Analyzer to version 5.6.1 in all relevant files.
This ensures that the latest rules and improvements are used during code analysis.
It also updates the sfdx-hardis version.

---------

Co-authored-by: Nicolas Vuillamy <nicolas.vuillamy@gmail.com>
Co-authored-by: Edouard Choinière <27212526+echoix@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Author: 5 people

.automation/generated/linter-helps.json

@@ -84,6 +84,21 @@
     "image": "https://opengraph.githubassets.com/bf0d187aea6f03a804178458080b2be18a5fd1bf8d8cc353ff3150743aae9805/greglook/cljstyle",
     "title": "GitHub - greglook/cljstyle: A tool for formatting Clojure code"
   },
+  "code-analyzer-apex": {
+    "description": "To get started scanning your code with Salesforce Code Analyzer, follow this developer workflow and choose resources that match your learning style.",
+    "image": null,
+    "title": "Get Started | Salesforce Code Analyzer | Salesforce Developers"
+  },
+  "code-analyzer-aura": {
+    "description": "To get started scanning your code with Salesforce Code Analyzer, follow this developer workflow and choose resources that match your learning style.",
+    "image": null,
+    "title": "Get Started | Salesforce Code Analyzer | Salesforce Developers"
+  },
+  "code-analyzer-lwc": {
+    "description": "To get started scanning your code with Salesforce Code Analyzer, follow this developer workflow and choose resources that match your learning style.",
+    "image": null,
+    "title": "Get Started | Salesforce Code Analyzer | Salesforce Developers"
+  },
   "coffeelint": {
     "description": "\n          CoffeeLint is a style checker that helps keep\n          CoffeeScript\n          code clean and consistent. CoffeeScript does a great job at\n          insulating programmers from many of\n          JavaScript's bad parts, but it won't help enforce a consistent style\n          across a code base. CoffeeLint can help with that.\n        ",
     "image": null,

.automation/generated/linter-links-previews.json

@@ -15,6 +15,9 @@
     "clippy": "0.1.91",
     "clj-kondo": "2025.10.23",
     "cljstyle": "0.17.642",
+    "code-analyzer-apex": "5.6.1",
+    "code-analyzer-aura": "5.6.1",
+    "code-analyzer-lwc": "5.6.1",
     "coffeelint": "5.2.11",
     "cppcheck": "2.14.2",
     "cpplint": "2.0.2",
@@ -33,7 +36,7 @@
     "eslint-plugin-jsonc": "2.15.1",
     "flake8": "7.3.0",
     "gherkin-lint": "0.0.0",
-    "git_diff": "2.49.1",
+    "git_diff": "2.47.0",
     "gitleaks": "8.28.0",
     "golangci-lint": "2.6.2",
     "goodcheck": "3.1.0",

.automation/generated/linter-versions.json

@@ -94,6 +94,9 @@
   "rst_rstfmt",
   "ruby_rubocop",
   "rust_clippy",
+  "salesforce_code_analyzer_apex",
+  "salesforce_code_analyzer_aura",
+  "salesforce_code_analyzer_lwc",
   "salesforce_sfdx_scanner_apex",
   "salesforce_sfdx_scanner_aura",
   "salesforce_sfdx_scanner_lwc",

.automation/generated/linters_matrix.json

@@ -1,5 +1,6 @@
 ({
 	convertValHlp : function(Val) {
+		eval("console.log('using eval')");
 		if (Val === 'true')
 			return true ;
 		else 

.automation/test/salesforce/bad/force-app/main/default/aura/auraIf/auraIfHelper.js

@@ -1,5 +1,6 @@
 ({
 	convertValHlp : function(Val) {
+		eval("console.log('using eval')");
 		if (Val === 'true')
 			return true ;
 		else 

.automation/test/salesforce/bad/force-app/main/default/aura/auraIf2/auraIf2Helper.js

@@ -66,15 +66,46 @@ export default class StockTable extends LightningElement {
   sortedBy;
   maxRows = DEFAULT_END_ARRAY;
 
+  // HIGH: @lwc/lwc/no-async-operation - Async operation in connectedCallback
+  connectedCallback() {
+    setTimeout(() => {
+      this.loadData();
+    }, 1000);
+    
+    setInterval(() => {
+      console.log('Polling data...');
+    }, 5000);
+  }
+
+  // HIGH: @lwc/lwc/no-document-query - Direct DOM manipulation
+  // HIGH: @lwc/lwc/no-inner-html - Using innerHTML
+  loadData() {
+    const element = document.querySelector('.stock-table');
+    if (element) {
+      element.innerHTML = '<div>Loading...</div>';
+    }
+    
+    const div = this.template.querySelector('div');
+    if (div) {
+      div.innerHTML = '<span>Unsafe content</span>';
+    }
+  }
+
   handleChangeDisplay(event) {
     this.maxRows = event.detail.pageSize;
     this.setStocksToDisplay(event.detail);
+    
+    // HIGH: @lwc/lwc/no-api-reassignments - Reassigning @api property
+    this.stocks = [];
   }
 
   setStocksToDisplay({ start = DEFAULT_START_ARRAY, end = this.maxRows } = {}) {
     if (this._stocks) {
       console.log(`START : ${start} ==== END : ${end}`);
       this.stocksToDisplay = this._stocks.slice(start, end);
+      
+      // HIGH: @lwc/lwc/no-leading-uppercase-api-name - Invalid API property name
+      this.ApiData = this.stocksToDisplay;
     }
   }
 
@@ -88,10 +119,20 @@ export default class StockTable extends LightningElement {
 
     this._stocks = cloneData;
     this.setStocksToDisplay();
-    this.template.querySelector("c-stock-paginator").setPagesAttributes();
-    this.template.querySelector("c-stock-paginator").setControlClass();
+    
+    // HIGH: @lwc/lwc/no-async-operation - Using setTimeout in event handler
+    setTimeout(() => {
+      this.template.querySelector("c-stock-paginator").setPagesAttributes();
+      this.template.querySelector("c-stock-paginator").setControlClass();
+    }, 100);
+    
     this.sortedBy = sortedBy;
     this.sortDirection = sortDirection;
+    
+    // HIGH: @lwc/lwc/no-restricted-browser-globals-during-ssr - Using window object
+    if (window.location.href.includes('stock')) {
+      console.log('Stock page');
+    }
   }
 
   sortBy(field, sortDirection) {
@@ -102,7 +143,7 @@ export default class StockTable extends LightningElement {
       let aKey = key(a);
       let bKey = key(b);
 
-      if (typeof a = "string") {
+      if (typeof a == "string") {
         aKey = aKey.toUpperCase();
         bKey = bKey.toUpperCase();
       }

.automation/test/salesforce/bad/force-app/main/default/lwc/stockTable/stockTable.js

@@ -66,6 +66,21 @@ export default class StockTable extends LightningElement {
   sortedBy;
   maxRows = DEFAULT_END_ARRAY;
 
+  // HIGH: @lwc/lwc/no-async-operation - Async operation in connectedCallback
+  connectedCallback() {
+    setTimeout(() => {
+      this.initializeTable();
+    }, 500);
+  }
+
+  // HIGH: @lwc/lwc/no-document-query - Direct DOM query
+  initializeTable() {
+    const tableEl = document.getElementById('stock-table');
+    if (tableEl) {
+      tableEl.classList.add('initialized');
+    }
+  }
+
   handleChangeDisplay(event) {
     this.maxRows = event.detail.pageSize;
     this.setStocksToDisplay(event.detail);
@@ -92,6 +107,9 @@ export default class StockTable extends LightningElement {
     this.template.querySelector("c-stock-paginator").setControlClass();
     this.sortedBy = sortedBy;
     this.sortDirection = sortDirection;
+    
+    // HIGH: Using document directly
+    document.title = 'Stock Table Sorted';
   }
 
   sortBy(field, sortDirection) {
@@ -102,7 +120,7 @@ export default class StockTable extends LightningElement {
       let aKey = key(a);
       let bKey = key(b);
 
-      if (typeof a = "string") {
+      if (typeof a == "string") {
         aKey = aKey.toUpperCase();
         bKey = bKey.toUpperCase();
       }

.automation/test/salesforce/bad/force-app/main/default/lwc/stockTable2/stockTable2.js

@@ -91,6 +91,7 @@ CVE-2025-48734
 CVE-2025-55163
 # Remove when migrated to code-analyzer
 CVE-2025-59419
+CVE-2025-64756
 
 # octokit
 CVE-2025-25288
@@ -161,6 +162,8 @@ CVE-2025-9288
 CVE-2025-64118
 #  https://avd.aquasec.com/nvd/cve-2025-65106 : Langchain core vulnerable to prompt injection. As prompts are built only by MegaLinter or local overrides in the repo, this is harmless
 CVE-2025-65106
+# https://avd.aquasec.com/nvd/cve-2025-64756 : Glob command injection. Harmless in MegaLinter context as user inputs are not passed to glob patterns
+CVE-2025-64756
 # Dockerfile
 DS001
 DS002

.trivyignore

@@ -340,6 +340,8 @@ ARG GEM_RUBOCOP_RAILS_VERSION=2.34.0
 ARG GEM_RUBOCOP_RAKE_VERSION=0.7.1
 # renovate: datasource=rubygems depName=rubocop-rspec
 ARG GEM_RUBOCOP_RSPEC_VERSION=3.8.0
+# renovate: datasource=npm depName=@salesforce/plugin-code-analyzer
+ARG SALESFORCE_CODE_ANALYZER_VERSION=5.6.1
 # renovate: datasource=npm depName=@salesforce/sfdx-scanner
 ARG SALESFORCE_SFDX_SCANNER_VERSION=4.12.0
 # renovate: datasource=pypi depName=snakemake
@@ -1097,6 +1099,23 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/refs/tags/v${REPOS
 #
 # rubocop installation
 #
+# code-analyzer-apex installation
+    && sf plugins install code-analyzer@${SALESFORCE_CODE_ANALYZER_VERSION} \
+    && (npm cache clean --force || true) \
+    && rm -rf /root/.npm/_cacache \
+#
+# code-analyzer-aura installation
+# Next line commented because already managed by another linter
+# RUN sf plugins install code-analyzer@${SALESFORCE_CODE_ANALYZER_VERSION} \
+#     && (npm cache clean --force || true) \
+#     && rm -rf /root/.npm/_cacache
+#
+# code-analyzer-lwc installation
+# Next line commented because already managed by another linter
+# RUN sf plugins install code-analyzer@${SALESFORCE_CODE_ANALYZER_VERSION} \
+#     && (npm cache clean --force || true) \
+#     && rm -rf /root/.npm/_cacache
+#
 # sfdx-scanner-apex installation
     && sf plugins install @salesforce/sfdx-scanner@${SALESFORCE_SFDX_SCANNER_VERSION} \
     && (npm cache clean --force || true) \