oxsecurity · nvuillam · Nov 23, 2025 · Oct 19, 2025 · Oct 20, 2025 · Oct 20, 2025
@@ -84,6 +84,21 @@
     "image": "https://opengraph.githubassets.com/bf0d187aea6f03a804178458080b2be18a5fd1bf8d8cc353ff3150743aae9805/greglook/cljstyle",
     "title": "GitHub - greglook/cljstyle: A tool for formatting Clojure code"
   },
+  "code-analyzer-apex": {
+    "description": "To get started scanning your code with Salesforce Code Analyzer, follow this developer workflow and choose resources that match your learning style.",
+    "image": null,
+    "title": "Get Started | Salesforce Code Analyzer | Salesforce Developers"
+  },
+  "code-analyzer-aura": {
+    "description": "To get started scanning your code with Salesforce Code Analyzer, follow this developer workflow and choose resources that match your learning style.",
+    "image": null,
+    "title": "Get Started | Salesforce Code Analyzer | Salesforce Developers"
+  },
+  "code-analyzer-lwc": {
+    "description": "To get started scanning your code with Salesforce Code Analyzer, follow this developer workflow and choose resources that match your learning style.",
+    "image": null,
+    "title": "Get Started | Salesforce Code Analyzer | Salesforce Developers"
+  },
   "coffeelint": {
     "description": "\n          CoffeeLint is a style checker that helps keep\n          CoffeeScript\n          code clean and consistent. CoffeeScript does a great job at\n          insulating programmers from many of\n          JavaScript's bad parts, but it won't help enforce a consistent style\n          across a code base. CoffeeLint can help with that.\n        ",
     "image": null,

@@ -15,6 +15,9 @@
     "clippy": "0.1.91",
     "clj-kondo": "2025.10.23",
     "cljstyle": "0.17.642",
+    "code-analyzer-apex": "5.6.1",
+    "code-analyzer-aura": "5.6.1",
+    "code-analyzer-lwc": "5.6.1",
     "coffeelint": "5.2.11",
     "cppcheck": "2.14.2",
     "cpplint": "2.0.2",
@@ -33,7 +36,7 @@
     "eslint-plugin-jsonc": "2.15.1",
     "flake8": "7.3.0",
     "gherkin-lint": "0.0.0",
-    "git_diff": "2.49.1",
+    "git_diff": "2.47.0",
     "gitleaks": "8.28.0",
     "golangci-lint": "2.6.2",
     "goodcheck": "3.1.0",

@@ -94,6 +94,9 @@
   "rst_rstfmt",
   "ruby_rubocop",
   "rust_clippy",
+  "salesforce_code_analyzer_apex",
+  "salesforce_code_analyzer_aura",
+  "salesforce_code_analyzer_lwc",
   "salesforce_sfdx_scanner_apex",
   "salesforce_sfdx_scanner_aura",
   "salesforce_sfdx_scanner_lwc",

@@ -1,5 +1,6 @@
 ({
 	convertValHlp : function(Val) {
+		eval("console.log('using eval')");
 		if (Val === 'true')
 			return true ;
 		else 

@@ -1,5 +1,6 @@
 ({
 	convertValHlp : function(Val) {
+		eval("console.log('using eval')");
 		if (Val === 'true')
 			return true ;
 		else 

@@ -66,15 +66,46 @@ export default class StockTable extends LightningElement {
   sortedBy;
   maxRows = DEFAULT_END_ARRAY;
 
+  // HIGH: @lwc/lwc/no-async-operation - Async operation in connectedCallback
+  connectedCallback() {
+    setTimeout(() => {
+      this.loadData();
+    }, 1000);
+
+    setInterval(() => {
+      console.log('Polling data...');
+    }, 5000);
+  }
+
+  // HIGH: @lwc/lwc/no-document-query - Direct DOM manipulation
+  // HIGH: @lwc/lwc/no-inner-html - Using innerHTML
+  loadData() {
+    const element = document.querySelector('.stock-table');
+    if (element) {
+      element.innerHTML = '<div>Loading...</div>';
+    }
+
+    const div = this.template.querySelector('div');
+    if (div) {
+      div.innerHTML = '<span>Unsafe content</span>';
+    }
+  }
+
   handleChangeDisplay(event) {
     this.maxRows = event.detail.pageSize;
     this.setStocksToDisplay(event.detail);
+
+    // HIGH: @lwc/lwc/no-api-reassignments - Reassigning @api property
+    this.stocks = [];
   }
 
   setStocksToDisplay({ start = DEFAULT_START_ARRAY, end = this.maxRows } = {}) {
     if (this._stocks) {
       console.log(`START : ${start} ==== END : ${end}`);
       this.stocksToDisplay = this._stocks.slice(start, end);
+
+      // HIGH: @lwc/lwc/no-leading-uppercase-api-name - Invalid API property name
+      this.ApiData = this.stocksToDisplay;
     }
   }
 
@@ -88,10 +119,20 @@ export default class StockTable extends LightningElement {
 
     this._stocks = cloneData;
     this.setStocksToDisplay();
-    this.template.querySelector("c-stock-paginator").setPagesAttributes();
-    this.template.querySelector("c-stock-paginator").setControlClass();
+
+    // HIGH: @lwc/lwc/no-async-operation - Using setTimeout in event handler
+    setTimeout(() => {
+      this.template.querySelector("c-stock-paginator").setPagesAttributes();
+      this.template.querySelector("c-stock-paginator").setControlClass();
+    }, 100);
+
     this.sortedBy = sortedBy;
     this.sortDirection = sortDirection;
+
+    // HIGH: @lwc/lwc/no-restricted-browser-globals-during-ssr - Using window object
+    if (window.location.href.includes('stock')) {
+      console.log('Stock page');
+    }
   }
 
   sortBy(field, sortDirection) {
@@ -102,7 +143,7 @@ export default class StockTable extends LightningElement {
       let aKey = key(a);
       let bKey = key(b);
 
-      if (typeof a = "string") {
+      if (typeof a == "string") {
         aKey = aKey.toUpperCase();
         bKey = bKey.toUpperCase();
       }

@@ -66,6 +66,21 @@ export default class StockTable extends LightningElement {
   sortedBy;
   maxRows = DEFAULT_END_ARRAY;
 
+  // HIGH: @lwc/lwc/no-async-operation - Async operation in connectedCallback
+  connectedCallback() {
+    setTimeout(() => {
+      this.initializeTable();
+    }, 500);
+  }
+
+  // HIGH: @lwc/lwc/no-document-query - Direct DOM query
+  initializeTable() {
+    const tableEl = document.getElementById('stock-table');
+    if (tableEl) {
+      tableEl.classList.add('initialized');
+    }
+  }
+
   handleChangeDisplay(event) {
     this.maxRows = event.detail.pageSize;
     this.setStocksToDisplay(event.detail);
@@ -92,6 +107,9 @@ export default class StockTable extends LightningElement {
     this.template.querySelector("c-stock-paginator").setControlClass();
     this.sortedBy = sortedBy;
     this.sortDirection = sortDirection;
+
+    // HIGH: Using document directly
+    document.title = 'Stock Table Sorted';
   }
 
   sortBy(field, sortDirection) {
@@ -102,7 +120,7 @@ export default class StockTable extends LightningElement {
       let aKey = key(a);
       let bKey = key(b);
 
-      if (typeof a = "string") {
+      if (typeof a == "string") {
         aKey = aKey.toUpperCase();
         bKey = bKey.toUpperCase();
       }

@@ -91,6 +91,7 @@ CVE-2025-48734
 CVE-2025-55163
 # Remove when migrated to code-analyzer
 CVE-2025-59419
+CVE-2025-64756
 
 # octokit
 CVE-2025-25288
@@ -161,6 +162,8 @@ CVE-2025-9288
 CVE-2025-64118
 #  https://avd.aquasec.com/nvd/cve-2025-65106 : Langchain core vulnerable to prompt injection. As prompts are built only by MegaLinter or local overrides in the repo, this is harmless
 CVE-2025-65106
+# https://avd.aquasec.com/nvd/cve-2025-64756 : Glob command injection. Harmless in MegaLinter context as user inputs are not passed to glob patterns
+CVE-2025-64756
 # Dockerfile
 DS001
 DS002

@@ -340,6 +340,8 @@ ARG GEM_RUBOCOP_RAILS_VERSION=2.34.0
 ARG GEM_RUBOCOP_RAKE_VERSION=0.7.1
 # renovate: datasource=rubygems depName=rubocop-rspec
 ARG GEM_RUBOCOP_RSPEC_VERSION=3.8.0
+# renovate: datasource=npm depName=@salesforce/plugin-code-analyzer
+ARG SALESFORCE_CODE_ANALYZER_VERSION=5.6.1
 # renovate: datasource=npm depName=@salesforce/sfdx-scanner
 ARG SALESFORCE_SFDX_SCANNER_VERSION=4.12.0
 # renovate: datasource=pypi depName=snakemake
@@ -1097,6 +1099,23 @@ RUN curl -sSfL https://raw.githubusercontent.com/anchore/syft/refs/tags/v${REPOS
 #
 # rubocop installation
 #
+# code-analyzer-apex installation
+    && sf plugins install code-analyzer@${SALESFORCE_CODE_ANALYZER_VERSION} \
+    && (npm cache clean --force || true) \
+    && rm -rf /root/.npm/_cacache \
+#
+# code-analyzer-aura installation
+# Next line commented because already managed by another linter
+# RUN sf plugins install code-analyzer@${SALESFORCE_CODE_ANALYZER_VERSION} \
+#     && (npm cache clean --force || true) \
+#     && rm -rf /root/.npm/_cacache
+#
+# code-analyzer-lwc installation
+# Next line commented because already managed by another linter
+# RUN sf plugins install code-analyzer@${SALESFORCE_CODE_ANALYZER_VERSION} \
+#     && (npm cache clean --force || true) \
+#     && rm -rf /root/.npm/_cacache
+#
 # sfdx-scanner-apex installation
     && sf plugins install @salesforce/sfdx-scanner@${SALESFORCE_SFDX_SCANNER_VERSION} \
     && (npm cache clean --force || true) \

@@ -0,0 +1,75 @@
+# ======================================================================
+# CODE ANALYZER CONFIGURATION
+# To learn more about this configuration, visit:
+#   https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/config-custom.html
+# ======================================================================
+# Level at which to log messages to log files.
+# Possible values are:
+#   1 or 'Error' - Includes only error messages in the log.
+#   2 or 'Warn' - Includes warning and error messages in the log.
+#   3 or 'Info' - Includes informative, warning, and error messages in the log.
+#   4 or 'Debug' - Includes debug, informative, warning, and error messages in the log.
+#   5 or 'Fine' - Includes fine detail, debug, informative, warning, and error messages in the log.
+# If unspecified, or if specified as null, then the 'Debug' log level will be used.
+log_level: 4
+
+# Engine specific custom configuration settings of the format engines.{engine_name}.{property_name} = {value} where:
+#   {engine_name} is the name of the engine containing the setting that you want to override.
+#   {property_name} is the name of a property that you would like to override.
+# Each engine may have its own set of properties available to help customize that particular engine's behavior.
+engines:
+  # ======================================================================
+  # PMD ENGINE CONFIGURATION
+  # To learn more about this configuration, visit:
+  #   https://developer.salesforce.com/docs/platform/salesforce-code-analyzer/guide/engine-pmd.html#pmd-configuration-reference
+  # ======================================================================
+  pmd:
+
+    # Whether to turn off the 'pmd' engine so that it is not included when running Code Analyzer commands.
+    disable_engine: false
+
+    # Specifies the list of file extensions to associate to each rule language.
+    # The rule(s) associated with a given language will run against all the files in your workspace containing one of
+    # the specified file extensions. Each file extension can only be associated to one language. If a specific language
+    # is not specified, then a set of default file extensions for that language will be used.
+    file_extensions:
+      apex:
+        - .cls
+        - .trigger
+      html:
+        - .html
+        - .htm
+        - .xhtml
+        - .xht
+        - .shtml
+        - .cmp
+      javascript:
+        - .js
+        - .cjs
+        - .mjs
+      typescript:
+        - .ts
+      visualforce:
+        - .page
+        - .component
+      xml:
+        - .xml
+
+    # List of xml ruleset files containing custom PMD rules to be made available for rule selection.
+    # Each ruleset must be an xml file that is either:
+    #   - on disk (provided as an absolute path or a relative path to 'config_root')
+    #   - or a relative resource found on the Java classpath.
+    # Not all custom rules can be fully defined within an xml ruleset file. For example, Java based rules may be defined in jar files.
+    # In these cases, you will need to also add your additional files to the Java classpath using the 'java_classpath_entries' field.
+    # See https://pmd.github.io/pmd/pmd_userdocs_making_rulesets.html to learn more about PMD rulesets.
+    custom_rulesets: [
+      ./apex-pmd-ruleset.xml
+    ]
+
+  eslint:
+    # Whether to turn off the 'pmd' engine so that it is not included when running Code Analyzer commands.
+    disable_engine: false
+
+# ======================================================================
+# END OF CODE ANALYZER CONFIGURATION
+# ======================================================================