CCM-15866: Address Sonar Findings (#105)

* CCM-15866: Address Sonar Findings - Avoid input interpolation within run blocks

* CCM-15866: Address Sonar Findings - Bash Conditional Construct Fixes

* CCM-15866: Address Sonar Findings - Bash Conditional Construct Fixes

* CCM-15866: Address Sonar Findings - Exclude Container Tests

* CCM-15866: Address Sonar Findings - Exclude Container Tests and ESLint config

* CCM-15866: Address Sonar Findings - Better Perms in Jekyll Container

* CCM-15866: Address Sonar Findings - Revert Better Perms in Jekyll Container

* CCM-15866: Address Sonar Findings - Additional Excludes for Coverage of Boilerplate Coder

* CCM-15866: Address Sonar Findings - Additional Excludes for Coverage of Boilerplate Coder

* CCM-15866: Address Sonar Findings - Lots more

Author: jamesthompson26-nhs

.github/actions/build-docs/action.yml

@@ -30,10 +30,12 @@ runs:
       working-directory: ./docs
       # Outputs to the './_site' directory by default
       shell: bash
-      run: make build BASE_URL="${{ steps.pages.outputs.base_path }}" VERSION="${{ inputs.version }}"
+      run: make build BASE_URL="$BASE_URL" VERSION="$VERSION"
       #run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
       env:
         JEKYLL_ENV: production
+        BASE_URL: ${{ steps.pages.outputs.base_path }}
+        VERSION: ${{ inputs.version }}
     - name: Upload artifact
       # Automatically uploads an artifact from the './_site' directory by default
       uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3

.github/actions/create-lines-of-code-report/action.yaml

@@ -24,8 +24,9 @@ runs:
   steps:
     - name: "Create CLOC report"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/create-lines-of-code-report.sh
     - name: "Compress CLOC report"
       shell: bash
@@ -40,8 +41,15 @@ runs:
     - name: "Check prerequisites for sending the report"
       shell: bash
       id: check
+      env:
+        ROLE_NAME: ${{ inputs.idp_aws_report_upload_role_name }}
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
       run: |
-        echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
+        if [[ -n "$ROLE_NAME" && -n "$BUCKET_ENDPOINT" ]]; then
+          echo "secrets_exist=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "secrets_exist=false" >> "$GITHUB_OUTPUT"
+        fi
     - name: "Authenticate to send the report"
       if: steps.check.outputs.secrets_exist == 'true'
       uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
@@ -51,7 +59,10 @@ runs:
     - name: "Send the CLOC report to the central location"
       shell: bash
       if: steps.check.outputs.secrets_exist == 'true'
+      env:
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
+        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
       run: |
         aws s3 cp \
           ./lines-of-code-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-lines-of-code-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-lines-of-code-report.json.zip"

.github/actions/perform-static-analysis/action.yaml

@@ -16,13 +16,21 @@ runs:
     - name: "Check prerequisites for performing static analysis"
       shell: bash
       id: check
-      run: echo "secret_exist=${{ inputs.sonar_token != '' }}" >> $GITHUB_OUTPUT
+      env:
+        SONAR_TOKEN: ${{ inputs.sonar_token }}
+      run: |
+        if [[ -n "$SONAR_TOKEN" ]]; then
+          echo "secret_exist=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "secret_exist=false" >> "$GITHUB_OUTPUT"
+        fi
     - name: "Perform static analysis"
       shell: bash
       if: steps.check.outputs.secret_exist == 'true'
+      env:
+        SONAR_ORGANISATION_KEY: ${{ inputs.sonar_organisation_key }}
+        SONAR_PROJECT_KEY: ${{ inputs.sonar_project_key }}
+        SONAR_TOKEN: ${{ inputs.sonar_token }}
       run: |
         export BRANCH_NAME=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
-        export SONAR_ORGANISATION_KEY=${{ inputs.sonar_organisation_key }}
-        export SONAR_PROJECT_KEY=${{ inputs.sonar_project_key }}
-        export SONAR_TOKEN=${{ inputs.sonar_token }}
         ./scripts/reports/perform-static-analysis.sh

.github/actions/scan-dependencies/action.yaml

@@ -24,8 +24,9 @@ runs:
   steps:
     - name: "Generate SBOM"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/create-sbom-report.sh
     - name: "Compress SBOM report"
       shell: bash
@@ -39,8 +40,9 @@ runs:
         retention-days: 21
     - name: "Scan vulnerabilities"
       shell: bash
+      env:
+        BUILD_DATETIME: ${{ inputs.build_datetime }}
       run: |
-        export BUILD_DATETIME=${{ inputs.build_datetime }}
         ./scripts/reports/scan-vulnerabilities.sh
     - name: "Compress vulnerabilities report"
       shell: bash
@@ -55,7 +57,15 @@ runs:
     - name: "Check prerequisites for sending the reports"
       shell: bash
       id: check
-      run: echo "secrets_exist=${{ inputs.idp_aws_report_upload_role_name != '' && inputs.idp_aws_report_upload_bucket_endpoint != '' }}" >> $GITHUB_OUTPUT
+      env:
+        ROLE_NAME: ${{ inputs.idp_aws_report_upload_role_name }}
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
+      run: |
+        if [[ -n "$ROLE_NAME" && -n "$BUCKET_ENDPOINT" ]]; then
+          echo "secrets_exist=true" >> "$GITHUB_OUTPUT"
+        else
+          echo "secrets_exist=false" >> "$GITHUB_OUTPUT"
+        fi
     - name: "Authenticate to send the reports"
       if: steps.check.outputs.secrets_exist == 'true'
       uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6
@@ -65,10 +75,13 @@ runs:
     - name: "Send the SBOM and vulnerabilities reports to the central location"
       shell: bash
       if: steps.check.outputs.secrets_exist == 'true'
+      env:
+        BUCKET_ENDPOINT: ${{ inputs.idp_aws_report_upload_bucket_endpoint }}
+        BUILD_TIMESTAMP: ${{ inputs.build_timestamp }}
       run: |
         aws s3 cp \
           ./sbom-repository-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-sbom-repository-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-sbom-repository-report.json.zip"
         aws s3 cp \
           ./vulnerabilities-repository-report.json.zip \
-          ${{ inputs.idp_aws_report_upload_bucket_endpoint }}/${{ inputs.build_timestamp }}-vulnerabilities-repository-report.json.zip
+          "$BUCKET_ENDPOINT/$BUILD_TIMESTAMP-vulnerabilities-repository-report.json.zip"

.github/scripts/dispatch_internal_repo_workflow.sh

@@ -50,6 +50,7 @@ Usage:
     [--overrideProjectName <name>] \
     [--overrideRoleName <name>]
 EOF
+  return 0
 }
 
 require_arg() {
@@ -61,6 +62,8 @@ require_arg() {
     usage
     exit 1
   fi
+
+  return 0
 }
 
 while [[ $# -gt 0 ]]; do
@@ -110,7 +113,7 @@ while [[ $# -gt 0 ]]; do
       shift 2
       ;;
     *)
-    echo "[ERROR] Unknown argument: $1"
+    echo "[ERROR] Unknown argument: $1" >&2
       exit 1
       ;;
   esac
@@ -124,20 +127,23 @@ require_arg "--targetComponent" "${targetComponent:-}"
 require_arg "--targetAccountGroup" "${targetAccountGroup:-}"
 
 if [[ -z "$APP_PEM_FILE" ]]; then
-  echo "[ERROR] PEM_FILE environment variable is not set or is empty."
+  echo "[ERROR] PEM_FILE environment variable is not set or is empty." >&2
   exit 1
 fi
 
 if [[ -z "$APP_CLIENT_ID" ]]; then
-  echo "[ERROR] CLIENT_ID environment variable is not set or is empty."
+  echo "[ERROR] CLIENT_ID environment variable is not set or is empty." >&2
   exit 1
 fi
 
 now=$(date +%s)
 iat=$((${now} - 60)) # Issues 60 seconds in the past
 exp=$((${now} + 600)) # Expires 10 minutes in the future
 
-b64enc() { openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'; }
+b64enc() {
+  openssl base64 | tr -d '=' | tr '/+' '_-' | tr -d '\n'
+  return 0
+}
 
 header_json='{
     "typ":"JWT",
@@ -178,7 +184,7 @@ PR_TRIGGER_PAT=$(curl --request POST \
 
 # Set default values if not provided
 if [[ -z "$PR_TRIGGER_PAT" ]]; then
-  echo "[ERROR] PR_TRIGGER_PAT environment variable is not set or is empty."
+  echo "[ERROR] PR_TRIGGER_PAT environment variable is not set or is empty." >&2
   exit 1
 fi
 
@@ -244,7 +250,7 @@ trigger_response=$(curl -s -L \
   -d "$DISPATCH_EVENT" 2>&1)
 
 if [[ $? -ne 0 ]]; then
-  echo "[ERROR] Failed to trigger workflow. Response: $trigger_response"
+  echo "[ERROR] Failed to trigger workflow. Response: $trigger_response" >&2
   exit 1
 fi
 
@@ -264,8 +270,8 @@ for _ in {1..18}; do
     "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/runs?event=workflow_dispatch")
 
   if ! echo "$response" | jq empty 2>/dev/null; then
-    echo "[ERROR] Invalid JSON response from GitHub API during workflow polling:"
-    echo "$response"
+    echo "[ERROR] Invalid JSON response from GitHub API during workflow polling:" >&2
+    echo "$response" >&2
     exit 1
   fi
 
@@ -303,7 +309,7 @@ for _ in {1..18}; do
 done
 
 if [[ -z "$workflow_run_url" || "$workflow_run_url" == null ]]; then
-  echo "[ERROR] Failed to get the workflow run url. Exiting."
+  echo "[ERROR] Failed to get the workflow run url. Exiting." >&2
   exit 1
 fi
 
@@ -318,21 +324,21 @@ while true; do
   status=$(echo "$response" | jq -r '.status')
   echo "[$(date '+%Y-%m-%d %H:%M:%S')] Workflow status: $status"
 
-  if [ "$status" == "completed" ]; then
+  if [[ "$status" == "completed"  ]]; then
     conclusion=$(echo "$response" | jq -r '.conclusion')
     echo "[$(date '+%Y-%m-%d %H:%M:%S')] Workflow conclusion: $conclusion"
 
-    if [ -z "$conclusion" ] || [ "$conclusion" == "null" ]; then
+    if [[ -z "$conclusion" || "$conclusion" == "null" ]]; then
       echo "[WARN] Workflow marked completed but conclusion not yet available, retrying..."
       sleep 5
       continue
     fi
 
-    if [ "$conclusion" == "success" ]; then
+    if [[ "$conclusion" == "success"  ]]; then
       echo "[SUCCESS] Workflow completed successfully!"
       exit 0
     else
-      echo "[FAIL] Workflow failed with conclusion: $conclusion"
+      echo "[FAIL] Workflow failed with conclusion: $conclusion" >&2
       exit 1
     fi
   fi

.github/workflows/cicd-3-deploy.yaml

@@ -76,8 +76,10 @@ jobs:
         shell: bash
         env:
           GH_TOKEN: ${{ github.token }}
+          INCLUDE_PRERELEASES: ${{ inputs.include_prereleases }}
+          REQUESTED_VERSION: ${{ inputs.version }}
         run: |
-          if [[ ${{inputs.include_prereleases}} == true ]]; then
+          if [[ "$INCLUDE_PRERELEASES" == "true" ]]; then
             json=$(gh release list --json tagName --limit 1 --exclude-drafts)
           else
             json=$(gh release list --json tagName --limit 1 --exclude-drafts --exclude-pre-releases)
@@ -88,19 +90,20 @@ jobs:
           release_version=$(echo $json | (jq -r '.[0].tagName'))
           if [[ $release_version == null ]]; then exit 1; else echo $release_version; fi
 
-          if [[ ${{inputs.version}} == latest ]]; then
-            echo release_version=$(echo $release_version) >> $GITHUB_OUTPUT
+          if [[ "$REQUESTED_VERSION" == "latest" ]]; then
+            echo "release_version=$release_version" >> "$GITHUB_OUTPUT"
           else
-            echo release_version=$(echo ${{inputs.version}}) >> $GITHUB_OUTPUT
+            echo "release_version=$REQUESTED_VERSION" >> "$GITHUB_OUTPUT"
           fi
 
       - name: "Get release version"
         id: download-asset
         shell: bash
         env:
           GH_TOKEN: ${{ github.token }}
+          RELEASE_VERSION: ${{ steps.get-asset-version.outputs.release_version }}
         run: |
-          gh release download ${{steps.get-asset-version.outputs.release_version}} -p jekyll-docs-*.tar --output artifact.tar
+          gh release download "$RELEASE_VERSION" -p jekyll-docs-*.tar --output artifact.tar
 
       - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:

containers/example-app/src/server.ts

@@ -1,5 +1,5 @@
 // Placeholder HTTP server for AppRunner. Replace with real application code.
-import http from 'http';
+import http from 'node:http';
 
 export const createRequestHandler = () => {
   return (_req: http.IncomingMessage, res: http.ServerResponse) => {

scripts/config/sonar-scanner.properties

@@ -3,8 +3,9 @@
 sonar.host.url=https://sonarcloud.io
 sonar.qualitygate.wait=true
 sonar.sourceEncoding=UTF-8
-sonar.exclusions=lambdas/*/src/__tests__/**/*
+sonar.sources=.
+sonar.exclusions=lambdas/*/src/__tests__/**/*,infrastructure/terraform/bin/terraform.sh
 sonar.terraform.provider.aws.version=5.54.1
 sonar.cpd.exclusions=**.test.*
-sonar.coverage.exclusions=tests/, **/*.dev.*, lambdas/**/src/__tests__, utils/utils/src/zod-validators.ts ,**/jest.config.ts,scripts/**/*
+sonar.coverage.exclusions=tests/, **/*.dev.*, lambdas/**/src/__tests__, utils/utils/src/zod-validators.ts ,**/jest.config.ts,scripts/**/*, containers/**/src/__tests__, eslint.config.mjs, docs/assets/js/nhs-notify.js, containers/example-app/src/server.ts
 sonar.javascript.lcov.reportPaths=lcov.info

scripts/docker/dgoss.sh

@@ -15,6 +15,7 @@ CONTAINER_RUNTIME="${CONTAINER_RUNTIME:-docker}"
 
 info() {
     echo -e "INFO: $*" >&2;
+    return 0
 }
 error() {
     echo -e "ERROR: $*" >&2;
@@ -24,14 +25,15 @@ error() {
 cleanup() {
     set +e
     { kill "$log_pid" && wait "$log_pid"; } 2> /dev/null
-    if [ -n "$CONTAINER_LOG_OUTPUT" ]; then
+    if [[ -n "$CONTAINER_LOG_OUTPUT"  ]]; then
         cp "$tmp_dir/docker_output.log" "$CONTAINER_LOG_OUTPUT"
     fi
     rm -rf "$tmp_dir"
     if [[ $id ]];then
         info "Deleting container"
         $CONTAINER_RUNTIME rm -vf "$id" > /dev/null
     fi
+    return 0
 }
 
 run(){
@@ -47,7 +49,7 @@ run(){
     case "$GOSS_FILES_STRATEGY" in
       mount)
         info "Starting $CONTAINER_RUNTIME container"
-        if [ "$CONTAINER_RUNTIME" == "podman" -a $# == 2 ]; then
+        if [[ "$CONTAINER_RUNTIME" == "podman" && $# == 2 ]]; then
             id=$($CONTAINER_RUNTIME run -d -v "$tmp_dir:/goss:z" "${@:2}" sleep infinity)
         else
             id=$($CONTAINER_RUNTIME run -d -v "$tmp_dir:/goss:z" "${@:2}")
@@ -67,6 +69,7 @@ run(){
     $CONTAINER_RUNTIME logs -f "$id" > "$tmp_dir/docker_output.log" 2>&1 &
     log_pid=$!
     info "Container ID: ${id:0:8}"
+    return 0
 }
 
 get_docker_file() {
@@ -79,6 +82,7 @@ get_docker_file() {
         $CONTAINER_RUNTIME cp "${cid}:${src}" "${dst}"
         info "Copied '${src}' from container to '${dst}'"
     fi
+    return 0
 }
 
 # Main
@@ -113,7 +117,7 @@ case "$1" in
         fi
         [[ $GOSS_SLEEP ]] && { info "Sleeping for $GOSS_SLEEP"; sleep "$GOSS_SLEEP"; }
         info "Container health"
-        if [ "true" != "$($CONTAINER_RUNTIME inspect -f '{{.State.Running}}' "$id")" ]; then
+        if [[ "true" != "$($CONTAINER_RUNTIME inspect -f '{{.State.Running}}' "$id")"  ]]; then
             $CONTAINER_RUNTIME logs "$id" >&2
             error "the container failed to start"
         fi