
Create wiki page to guide developers how to manage CodeQL alerts

Open roslynwythe opened this issue 11 months ago • 10 comments

Overview

We require a wiki page to guide developers on how to manage and resolve CodeQL alerts.

Action Items

  • [ ] We are currently in the process of moving the old wiki to the new website-wiki repo, so we will not be making any changes or additions to the old wiki at this time. Thus, we will be adding wiki content through a different process now. Read How to Contribute to the Wiki
  • [ ] Create a wiki page "How to manage CodeQL alerts" that covers the following topics:
    • [ ] Overview of code scanning and its implementation in code.yml workflow
    • [ ] Important elements of the code scanning alert page and details, including the concept of the tracking issue
      • [ ] How to use alert tags to determine if an alert represents a security risk
      • [ ] Example query to find closed alerts of a specific query type
    • [ ] Options for resolving alerts
    • [ ] how to resolve specific alert query types
      • [ ] Unused variable, import, function or class (for sample resolution see https://github.com/hackforla/website/security/code-scanning/94)
      • [ ] Potentially unsafe external link (see sample resolved alert https://github.com/hackforla/website/security/code-scanning/3)
      • [ ] Malformed id attribute (see sample https://github.com/hackforla/website/security/code-scanning/25)
      • [ ] Missing variable declaration (for sample resolution see https://github.com/hackforla/website/security/code-scanning/49)
      • [ ] Use of returnless function
      • [ ] Syntax error (see sample https://github.com/hackforla/website/security/code-scanning/97 not resolved)
      • [ ] Inclusion of functionality from an untrusted source (see sample resolution https://github.com/hackforla/website/security/code-scanning/37)
      • [ ] Superfluous trailing arguments (for sample resolution see https://github.com/hackforla/website/security/code-scanning/35)

After this issue is completed

  • [ ] Release dependency on #5242

Resources/Instructions

  • This issue resulted from #5005

roslynwythe avatar Mar 14 '24 08:03 roslynwythe

Hi @roslynwythe.

Please don't forget to add the proper labels to this issue. Currently, the labels for the following are missing:

  • Complexity, Role, Feature, Size

NOTE: Please ignore this comment if you do not have 'write' access to this directory.

To add a label, take a look at Github's documentation here.

Also, don't forget to remove the "missing labels" afterwards. To remove a label, the process is similar to adding a label, but you select a currently added label to remove it.

After the proper labels are added, the merge team will review the issue and add a "Ready for Prioritization" label once it is ready for prioritization.

Additional Resources:

github-actions[bot] avatar Mar 14 '24 08:03 github-actions[bot]

Hi @roslynwythe, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:- i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?) ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

github-actions[bot] avatar Mar 17 '24 18:03 github-actions[bot]

Draft Wiki page: How to manage CodeQL alerts

Overview of CodeQL scanning

  • CodeQL scanning is implemented via the workflow .github/workflows/codeql.yml which is triggered by push, pull request on gh-pages, and scheduled weekly. See #4886 for details
  • The queries (tests) executed by CodeQL are grouped into query packs. Our workflow specifies the security-and-quality query pack.
  • Code scanning results are available from the code scanning page. You can browse to this page from the Security menu item throughout the hackforla/website repository. Note that by default only open alerts are displayed. Closed alerts are those that have been fixed (by code change) or dismissed.
  • To view information about the past resolution of a particular query type, for example "Missing variable declaration", use a query such as "Missing variable declaration" is:closed branch:gh-pages
  • Here is a sample alert detail page https://github.com/hackforla/website/security/code-scanning/40
Screenshot of CodeQL alert detail page with tracking issue outlined in red

  • Note these elements of the detail page
    • The tracking issue (in red) is the issue intended to manage the alert. An issue is linked as a tracking issue for an alert if the alert URL appears in an issue action item.
    • The code alert details include the file path and line number. Note that the same problem may exist in several locations within a code file. Only update the section of code indicated in the alert detail page.
    • In the right hand column there is important information: the severity of the alert and the tags, which will indicate if the alert is a security alert
    • Dismiss Alert button/form - Alerts should be dismissed only by the merge team after review of an issue recommending dismissal. Other developers should not dismiss alerts! When an alert is dismissed, the dev lead/merge team member must select one of the following options: false positive, used in test or won't fix.
    • If you are assigned to an issue to resolve a CodeQL alert and you recommend dismissal, document your recommendation in a comment within the tracking issue, then place the issue into the "Questions/In Review" column with a ready for dev lead label. If you are a dev lead or merge team member closing an issue with a recommendation to dismiss, be sure to visit the alert detail page and complete the dismissal.

Issues for resolving CodeQL alerts

  • The workflow .github/workflows/codeql.yml scans all open CodeQL alerts and if an alert is found without a tracking issue, the workflow will create an issue linked to the CodeQL alert.

How to resolve specific alert types

Potentially unsafe external link - sample https://github.com/hackforla/website/security/code-scanning/3

Details

For this alert type we modify the code, adding the attribute rel="noopener noreferrer" to the <a> tag, as recommended in the alert detail page.

Unused variable, import, function or class - sample https://github.com/hackforla/website/security/code-scanning/94

Details

We remove declarations for unused variables, functions or classes to improve readability of the code.

Inclusion of functionality from an untrusted source - sample https://github.com/hackforla/website/security/code-scanning/37

Details

These are resolved by implementing SRI check as detailed in https://github.com/hackforla/website/issues/6120

Malformed id attribute (see sample https://github.com/hackforla/website/security/code-scanning/25)

Details

The sample is an example of a false positive which results from the fact that CodeQL scans static HTML. In the static HTML source, the id attribute is empty, but in fact it is populated via JavaScript on page load.

Syntax error - sample https://github.com/hackforla/website/security/code-scanning/97 not resolved

Details

The sample is an example of a false positive which results from the inclusion of Jekyll/Liquid front matter which CodeQL attempts to parse as JavaScript.

Superfluous trailing arguments - sample resolution see https://github.com/hackforla/website/security/code-scanning/35

Details

A code quality and readability issue that may indicate a bug.

Use of returnless function - https://github.com/hackforla/website/security/code-scanning/57

Details

This usually indicates a bug or a misunderstanding of the syntax.

Missing variable declaration - https://github.com/hackforla/website/security/code-scanning/44

Details

A variable is used like a local variable but is missing a declaration, and so it becomes a global variable by default, subject to risk of global variable corruption. Resolved by adding the appropriate variable declaration, followed by testing to confirm that behavior of the code is unchanged.

roslynwythe avatar Mar 17 '24 18:03 roslynwythe

  • @ExperimentsInHonesty This is time-sensitive because it is a dependency on #5242 which is a dependency on #5159, so I started work on it. If you approve please place in "In Progress"

roslynwythe avatar Mar 18 '24 22:03 roslynwythe

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, March 26, 2024 at 12:06 AM PST.

github-actions[bot] avatar Mar 29 '24 07:03 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, April 2, 2024 at 12:05 AM PST.

github-actions[bot] avatar Apr 05 '24 07:04 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, April 16, 2024 at 12:06 AM PST.

github-actions[bot] avatar Apr 19 '24 07:04 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, April 23, 2024 at 12:06 AM PST.

github-actions[bot] avatar Apr 26 '24 07:04 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, April 30, 2024 at 12:06 AM PST.

github-actions[bot] avatar May 03 '24 07:05 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, May 7, 2024 at 12:06 AM PST.

github-actions[bot] avatar May 10 '24 07:05 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, May 14, 2024 at 12:06 AM PST.

github-actions[bot] avatar May 17 '24 07:05 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, May 21, 2024 at 12:06 AM PST.

github-actions[bot] avatar May 24 '24 07:05 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, May 28, 2024 at 12:06 AM PST.

github-actions[bot] avatar May 31 '24 07:05 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, June 4, 2024 at 12:06 AM PST.

github-actions[bot] avatar Jun 07 '24 07:06 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, June 11, 2024 at 12:06 AM PST.

github-actions[bot] avatar Jun 14 '24 07:06 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, June 18, 2024 at 12:06 AM PST.

github-actions[bot] avatar Jun 21 '24 07:06 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Wednesday, June 19, 2024 at 1:48 PM PST.

github-actions[bot] avatar Jun 22 '24 20:06 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, July 30, 2024 at 12:05 AM PST.

github-actions[bot] avatar Aug 02 '24 07:08 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, August 6, 2024 at 12:04 AM PST.

github-actions[bot] avatar Aug 09 '24 07:08 github-actions[bot]

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, August 13, 2024 at 12:14 PM PST.

HackforLABot avatar Aug 16 '24 19:08 HackforLABot

@roslynwythe

Please add update using the below template (even if you have a pull request). Afterwards, remove the '2 weeks inactive' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments- along with screenshots, if applicable- will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Tuesday, August 27, 2024 at 12:04 AM PST.

HackforLABot avatar Aug 30 '24 07:08 HackforLABot