ER: CodeQL did not raise alerts on each instance of "Potentially unsafe external link"

[roslynwythe]

Dependencies

The issue could be resolved with:

• 6548

Emergent Requirement - Problem

• The file _includes/current_guides.html contained two instances of "Potentially unsafe external links" but only one CodeQL alert was raised.
• The file _includes/about-page/about-card-sponsors contained four instance of ""Potentially unsafe external links" but only one CodeQL alert was raised

Details

Regarding _includes/current_guides.html:

• The first instance is on line 77 as detailed in https://github.com/hackforla/website/security/code-scanning/3
• The second instance is on line 80. No CodeQL alert was found addressing this instance and so #6484 was created

Issue you discovered this emergent requirement in

• 6044

Date discovered

3/4/2024

Did you have to do something temporarily

• [x] YES #6484 was created
• [ ] NO

Who was involved

@djbradleyii

What happens if this is not addressed

code security/quality issues may be missed

Resources

Recommended Action Items

• [ ] Make a new issue
• [ ] Discuss with team
• [ ] Let a Team Lead know

Potential solutions [draft]

• We are aware that CodeQL runs into errors scanning Javascript code files with liquid statements. In both files in which CodeQL failed to report errors, liquid code was found. Therefore I suggest putting this ER on hold, with a dependency on #6387
• Search/audit the codebase for any other instances of "Potentially unsafe external link" that are not detected by CodeQL
• resarch to determine possible reasons why CodeQL did not create an alert for this instance of "Potentially unsafe external link"

[github-actions[bot]]

Hi @roslynwythe.

Please don't forget to add the proper labels to this issue. Currently, the labels for the following are missing:

• Complexity, Role, Feature

NOTE: Please ignore this comment if you do not have 'write' access to this directory.

To add a label, take a look at Github's documentation here.

Also, don't forget to remove the "missing labels" afterwards. To remove a label, the process is similar to adding a label, but you select a currently added label to remove it.

After the proper labels are added, the merge team will review the issue and add a "Ready for Prioritization" label once it is ready for prioritization.

Additional Resources:

• Wiki: How to create issues
• Wiki: How to read and interpret labels

[github-actions[bot]]

Hi @roslynwythe, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:- i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?) ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

[elliot-d-kim]

During my testing in #5234, the issues downstream of the top-most YAML or Liquid lines would not generate CodeQL alerts. As noted in that issue:

Remove only the empty YAML front-matter: CodeQL errors moved down the files to the next non-JS (i.e. Liquid) lines.

I.e., YAML/Liquid errors prevent CodeQL from scanning the remainder of the file for potential errors it would otherwise typically detect.

This may be the reason why issues such as this fail to generate CodeQL alerts.