Tidy a few findings from SonarQube #164
🦙 MegaLinter status:

| Status | Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ | ACTION | actionlint | 4 | | 0 | 0.06s |
| ❌ | CSS | scss-lint | 2 | | 1 | 2.23s |
| ✅ | JAVASCRIPT | prettier | 6 | 0 | 0 | 1.11s |
| ✅ | JSON | jsonlint | 7 | | 0 | 0.19s |
| ✅ | JSON | npm-package-json-lint | yes | | no | 0.39s |
| ✅ | JSON | prettier | 7 | 0 | 0 | 1.57s |
| ✅ | JSON | v8r | 7 | | 0 | 11.54s |
| ✅ | MARKDOWN | markdownlint | 20 | 0 | 0 | 2.09s |
| ✅ | MARKDOWN | markdown-link-check | 20 | | 0 | 52.63s |
| ✅ | MARKDOWN | markdown-table-formatter | 20 | 0 | 0 | 0.33s |
| ✅ | REPOSITORY | checkov | yes | | no | 13.24s |
| ✅ | REPOSITORY | gitleaks | yes | | no | 0.14s |
| ✅ | REPOSITORY | git_diff | yes | | no | 0.2s |
| ❌ | REPOSITORY | grype | yes | | 3 | 12.37s |
| ✅ | REPOSITORY | secretlint | yes | | no | 2.45s |
| ❌ | REPOSITORY | trivy | yes | | 1 | 6.73s |
| ✅ | REPOSITORY | trivy-sbom | yes | | no | 1.46s |
| ✅ | REPOSITORY | trufflehog | yes | | no | 3.13s |
| ❌ | SPELL | cspell | 20 | | 1 | 2.68s |
| ✅ | YAML | prettier | 14 | 0 | 0 | 1.31s |
| ✅ | YAML | v8r | 11 | | 0 | 15.05s |
| ✅ | YAML | yamllint | 14 | | 0 | 0.44s |

See detailed report in MegaLinter reports
Pa11y testing results

Welcome to Pa11y

Results for URL: https://federalist-a2423046-fe43-4e75-a2ef-2651e5e123ca.sites.pages.cloud.gov/preview/gsa-tts/tts.gsa.gov//161-sonarqube/

- Error: This element has insufficient contrast at this conformance level. Expected a contrast ratio of at least 4.5:1, but text in this element has a contrast ratio of 3.68:1. Recommendation: change background to #63686c. For over 50 years, GSA has been...
- Error: Duplicate id attribute value "svg-bedding" found on the web page.
- Error: Duplicate id attribute value "svg-camping" found on the web page.
- Error: Duplicate id attribute value "svg-chevron_left" found on the web page.
- Error: Duplicate id attribute value "svg-chevron_right" found on the web page.
- Error: Duplicate id attribute value "svg-clothes" found on the web page.
- Error: Duplicate id attribute value "svg-construction_worker" found on the web page.
- Error: Duplicate id attribute value "svg-flickr" found on the web page.
- Error: Duplicate id attribute value "svg-flooding" found on the web page.
- Error: Duplicate id attribute value "svg-github" found on the web page.
- Error: Duplicate id attribute value "svg-hospital" found on the web page.
- Error: Duplicate id attribute value "svg-hurricane" found on the web page.
- Error: Duplicate id attribute value "svg-identification" found on the web page.
- Error: Duplicate id attribute value "svg-instagram" found on the web page.
- Error: Duplicate id attribute value "svg-linkedin" found on the web page.
- Error: Duplicate id attribute value "svg-navigate_far_before" found on the web page.
- Error: Duplicate id attribute value "svg-navigate_far_next" found on the web page.
- Error: Duplicate id attribute value "svg-rain" found on the web page.
- Error: Duplicate id attribute value "svg-severe_weather" found on the web page.
- Error: Duplicate id attribute value "svg-snow" found on the web page.
- Error: Duplicate id attribute value "svg-sort_arrow" found on the web page.
- Error: Duplicate id attribute value "svg-tornado" found on the web page.
- Error: Duplicate id attribute value "svg-twitter" found on the web page.
- Error: Duplicate id attribute value "svg-x" found on the web page.
- Error: Duplicate id attribute value "svg-youtube" found on the web page.

25 Errors
We have opted not to enable script integrity hashes at this time. Accepting this poses minimal risk given that of the three libraries being imported, two are TTS-supported (DAP and Search). The decision will be further documented in an ADR.

see #178
Changes proposed in this pull request
This addresses several of the issues SonarQube identified as security hotspots. The most significant changes are that several of our scripts now have hashes presented in the `<script />` tags and, should the deployed scripts change, our stuff may break, which will require us to rehash and update our scripts.

Security considerations
These ought to help us address CWE-353.
closes #161
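The description above refers to Subresource Integrity (SRI): an `integrity="sha384-…"` attribute on a `<script src=…>` tag makes the browser hash the fetched body and refuse to run it if the hash does not match, which is exactly why a silently re-deployed third-party script "breaks" the page until the hash is regenerated. The block below is an added, self-contained example (not code from this PR or from the tts.gsa.gov repository) that generates SRI values the way the spec defines them, mimics the browser-side check including the "strongest algorithm wins" rule, and audits a constructed HTML fragment against the script bodies as served today to show the three outcomes a practitioner cares about: ok, missing integrity, and mismatch after a deploy. The URLs `https://cdn.example.test/…` and the sample script bodies are invented for the example.

```python
import base64
import hashlib
import html
import re

# Constructed sample script body; stands in for a third-party library (not a real file).
SAMPLE_SCRIPT = b"(function(){window.example=1;})();\n"

_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}
_TOKEN = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$")
_SCRIPT = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
_ATTR = re.compile(r'([\w-]+)="([^"]*)"')


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI integrity value, e.g. 'sha384-<base64 digest>', for a script body."""
    if algorithm not in _STRENGTH:
        raise ValueError("SRI only permits sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes, algorithm: str = "sha384") -> str:
    """Emit a <script> tag pinned to the current body; crossorigin is required for SRI on cross-origin scripts."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{sri_hash(body, algorithm)}" crossorigin="anonymous"></script>')


def parse_integrity(attr: str) -> list:
    """Split a whitespace-separated integrity attribute into (algorithm, digest) pairs; malformed tokens are dropped."""
    parsed = []
    for token in attr.split():
        m = _TOKEN.match(token)
        if m:
            parsed.append((m.group(1), m.group(2)))
    return parsed


def integrity_matches(attr: str, body: bytes) -> bool:
    """Mimic the browser check: with no valid token the fetch is allowed unchecked; otherwise
    the body must match at least one token of the strongest algorithm listed."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True
    best = max(_STRENGTH[alg] for alg, _ in parsed)
    return any(sri_hash(body, alg) == f"{alg}-{digest}"
               for alg, digest in parsed if _STRENGTH[alg] == best)


def audit_scripts(page: str, fetched: dict) -> list:
    """For each external <script> in `page`, return (src, status) with status 'ok',
    'no-integrity' (attribute absent or unparseable) or 'MISMATCH' (served body differs).
    `fetched` maps src -> bytes as served now (constructed here, not a live fetch)."""
    report = []
    for m in _SCRIPT.finditer(page):
        attrs = dict(_ATTR.findall(m.group(1)))
        src = attrs.get("src")
        if not src:
            continue  # inline script: SRI does not apply
        if not parse_integrity(attrs.get("integrity", "")):
            report.append((src, "no-integrity"))
        elif integrity_matches(attrs["integrity"], fetched.get(src, b"")):
            report.append((src, "ok"))
        else:
            report.append((src, "MISMATCH"))
    return report


def demo(deployed_script_changed: bool = False) -> list:
    """Build a small page with one pinned and one unpinned script, then audit it against
    the bodies 'served' today. Flip the flag to simulate the CDN re-deploying a.js."""
    a_src = "https://cdn.example.test/a.js"  # assumed URL, for illustration only
    b_src = "https://cdn.example.test/b.js"  # assumed URL, for illustration only
    page = (script_tag(a_src, SAMPLE_SCRIPT) + "\n"
            f'<script src="{b_src}"></script>\n'
            "<script>console.log('inline');</script>\n")
    served_a = SAMPLE_SCRIPT + b"// v2\n" if deployed_script_changed else SAMPLE_SCRIPT
    return audit_scripts(page, {a_src: served_a, b_src: b"// unpinned body\n"})


if __name__ == "__main__":
    print(script_tag("https://cdn.example.test/a.js", SAMPLE_SCRIPT))
    print(demo())
    print(demo(deployed_script_changed=True))
```

The `MISMATCH` row from `demo(deployed_script_changed=True)` is the operational cost the description mentions: a pinned script that changes upstream fails closed, and the page stays broken until the tag is rehashed with `sri_hash` on the new body and redeployed. Running the same audit in CI against the live script URLs turns that surprise into a failing build rather than a broken production page.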