ER: Analyze CodeQL security/code quality alerts

[roslynwythe]

Emergent Requirement - Problem

CodeQL is scanning the gh-pages branch for security and code quality issues weekly, and alerts are displayed in the hackforla/website repository "Security" tab on the 'code scanning' page. This ER addresses the need to analyze each alert and to create issues as needed to modify the code. We also need to determine how the team will manage new alerts.

Issue you discovered this emergent requirement in

• GitHub Actions: Implement CodeQL #2400
• Code scanning was initiated following the merge of codeql-implementation #4886

Date discovered

6/26/2023

Did you have to do something temporarily

• YES
• NO but I looked through all the alerts to make sure none required immediate attention

Who was involved

@SAUMILDHANKAR @t-will-gillis @roslynwythe

What happens if this is not addressed

We won't benefit from potential security and code quality improvements.

Resources

For more information about GitHub code scanning, check out the documentation.
Code Scan Results

Recommended Action Items

• Make a new issue - see Epic: Manage CodeQL deployment #5005 and Create GHA to create issues when new CodeQL alerts are detected #5059
• Discuss with team
• Let a Team Lead know

Potential solutions [draft]

Create an Epic to create issues to analyze each alert type and if necessary to create issues to modify specific code files to remove the alert, or to mark the alert as a false positive. Results should be detailed in the CodeQL Audit spreadsheet.

It appears that a GHA will be required in order so that when new alert appears, a GitHub issue will be created for a developer to review the alert and either dismiss the alert of create issues as necessary to resolve the alert.

• Related Issue: see ER: GHA to create issues to manage CodeQL alerts #5007

[github-actions]

Hi @roslynwythe.

Please don't forget to add the proper labels to this issue. Currently, the labels for the following are missing:
Complexity, Role, Feature

NOTE: Please ignore the adding proper labels comment if you do not have 'write' access to this directory.

To add a label, take a look at Github's documentation here.

Also, don't forget to remove the "missing labels" afterwards.
To remove a label, the process is similar to adding a label, but you select a currently added label to remove it.

After the proper labels are added, the merge team will review the issue and add a "Ready for Prioritization" label once it is ready for prioritization.

Additional Resources:

• Wiki: How to create issues
• Wiki: How to read and interpret labels

[github-actions]

Hi @roslynwythe, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:-
i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?)
ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

[roslynwythe]

• New Epic Epic: Manage CodeQL deployment #5005