From ca629262cb141893aab6b1b4500d364e605000d5 Mon Sep 17 00:00:00 2001 From: Rhys Cox Date: Fri, 24 Apr 2026 14:32:56 +0100 Subject: [PATCH] Fixed more sonar issues --- .../dispatch_internal_repo_workflow.sh | 21 ++++---- .github/workflows/cicd-3-deploy.yaml | 6 ++- docs/assets/js/nhs-notify.js | 52 +++++++------------ scripts/docker/dgoss.sh | 6 ++- scripts/docker/docker.lib.sh | 4 +- scripts/githooks/check-markdown-format.sh | 4 ++ scripts/githooks/scan-secrets.sh | 4 ++ scripts/shellscript-linter.sh | 2 +- scripts/terraform/terraform.sh | 9 +++- scripts/terraform/trivy-scan.sh | 38 +++++++------- 10 files changed, 76 insertions(+), 70 deletions(-) diff --git a/.github/scripts/dispatch_internal_repo_workflow.sh b/.github/scripts/dispatch_internal_repo_workflow.sh index 6edddf9a..dec2c3a6 100755 --- a/.github/scripts/dispatch_internal_repo_workflow.sh +++ b/.github/scripts/dispatch_internal_repo_workflow.sh @@ -34,6 +34,9 @@ set -e +readonly GH_ACCEPT_HEADER="Accept: application/vnd.github+json" +readonly GH_API_VERSION_HEADER="X-GitHub-Api-Version: 2022-11-28" + usage() { cat >&2 <<'EOF' Usage: @@ -171,16 +174,16 @@ signature=$( JWT="${header_payload}"."${signature}" INSTALLATION_ID=$(curl -X GET \ - -H "Accept: application/vnd.github+json" \ + -H "${GH_ACCEPT_HEADER}" \ -H "Authorization: Bearer ${JWT}" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ + -H "${GH_API_VERSION_HEADER}" \ --url "https://api.github.com/app/installations" | jq -r '.[0].id') PR_TRIGGER_PAT=$(curl --request POST \ --url "https://api.github.com/app/installations/${INSTALLATION_ID}/access_tokens" \ - -H "Accept: application/vnd.github+json" \ + -H "${GH_ACCEPT_HEADER}" \ -H "Authorization: Bearer ${JWT}" \ - -H "X-GitHub-Api-Version: 2022-11-28" | jq -r '.token') + -H "${GH_API_VERSION_HEADER}" | jq -r '.token') # Set default values if not provided if [[ -z "$PR_TRIGGER_PAT" ]]; then 
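Review bot: The two token-exchange requests in this hunk, `INSTALLATION_ID=$(curl -X GET …)` and `PR_TRIGGER_PAT=$(curl --request POST …)`, still run without `--fail`, unlike the `trigger_response` call later in the file, so an HTTP error body is piped straight into `jq`. For the installations call that yields a jq error or an empty id, and for the token call `jq -r '.token'` prints the literal string `null`, which the visible `if [[ -z "$PR_TRIGGER_PAT" ]]` check does not catch. Adding `--fail -sS` to both invocations, e.g. `INSTALLATION_ID=$(curl --fail -sS -X GET \`, makes the failure visible; whether `pipefail` is set so that it also stops the script cannot be seen here, only `set -e` is. Both secrets are also passed on the curl command line via `-H "Authorization: Bearer …"`; if process listings on the runner are a concern, curl's `-H @file` form keeps them off argv.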
@@ -243,9 +246,9 @@ echo "[INFO] Triggering workflow '$targetWorkflow' in nhs-notify-internal..." trigger_response=$(curl -s -L \ --fail \ -X POST \ - -H "Accept: application/vnd.github+json" \ + -H "${GH_ACCEPT_HEADER}" \ -H "Authorization: Bearer ${PR_TRIGGER_PAT}" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ + -H "${GH_API_VERSION_HEADER}" \ "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/workflows/$targetWorkflow/dispatches" \ -d "$DISPATCH_EVENT" 2>&1) @@ -264,9 +267,9 @@ workflow_run_url="" for _ in {1..18}; do response=$(curl -s -L \ - -H "Accept: application/vnd.github+json" \ + -H "${GH_ACCEPT_HEADER}" \ -H "Authorization: Bearer ${PR_TRIGGER_PAT}" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ + -H "${GH_API_VERSION_HEADER}" \ "https://api.github.com/repos/NHSDigital/nhs-notify-internal/actions/runs?event=workflow_dispatch") if ! echo "$response" | jq empty 2>/dev/null; then @@ -318,7 +321,7 @@ while true; do sleep 10 response=$(curl -s -L \ -H "Authorization: Bearer ${PR_TRIGGER_PAT}" \ - -H "Accept: application/vnd.github+json" \ + -H "${GH_ACCEPT_HEADER}" \ "$workflow_run_url") status=$(echo "$response" | jq -r '.status') diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml index 3a4dfd14..67a4810e 100644 --- a/.github/workflows/cicd-3-deploy.yaml +++ b/.github/workflows/cicd-3-deploy.yaml @@ -18,8 +18,6 @@ on: run-name: "Include prerelease: ${{ inputs.include_prereleases }} Version: ${{ inputs.version }} by @${{ github.actor }}" permissions: contents: read - pages: write - id-token: write jobs: metadata: @@ -66,6 +64,10 @@ jobs: make list-variables deploy-jekyll: + permissions: + contents: read + pages: write + id-token: write environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} diff --git a/docs/assets/js/nhs-notify.js b/docs/assets/js/nhs-notify.js index 426448b2..a7aebc2e 100644 --- a/docs/assets/js/nhs-notify.js +++ b/docs/assets/js/nhs-notify.js 
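Review bot: `trigger_response=$(curl -s -L --fail … 2>&1)` combines `-s` with `--fail`, and with `-s` alone curl stays silent on an HTTP error, so the `2>&1` capture will usually hold nothing useful when the dispatch is rejected. Using `-sS` (`trigger_response=$(curl -sS -L \`) keeps curl's error line in the captured output while still suppressing the progress meter, and `--fail-with-body` would additionally preserve the server's JSON message. How `trigger_response` is reported on failure is outside this hunk.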
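Review bot: The polling request in the `@@ -318` hunk sends only `Authorization` and `${GH_ACCEPT_HEADER}`, while every other call in the script now also sends `${GH_API_VERSION_HEADER}`; since the commit introduces that constant, this call should use it too, `-H "${GH_API_VERSION_HEADER}" \` after the Accept line. The `while true; do sleep 10` loop's exit condition is outside the hunk, so whether the polling is bounded cannot be checked here.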
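Review bot: The job-level `permissions` block on `deploy-jekyll` is the right place for `pages: write` and `id-token: write`, but nothing records why they moved off the workflow level, and a job-level block replaces the workflow default entirely, which is why `contents: read` has to be restated. A comment above the block would keep a later edit from lifting them back up, e.g. `# Pages deployment needs pages/id-token write; scoped to this job so every other job keeps contents: read only`. The `environment` and steps that presumably consume these permissions continue past the hunk.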
@@ -1,9 +1,9 @@ // Quick poc for view full screen -window.addEventListener("load", (event) => { - var fullScreenParamName = "fullscreen"; - var urlParams = new URLSearchParams(document.location.search); - var param = urlParams.get(fullScreenParamName); +window.addEventListener("load", () => { + const fullScreenParamName = "fullscreen"; + const urlParams = new URLSearchParams(document.location.search); + const param = urlParams.get(fullScreenParamName); if (param) { tempViewFullScreen(); } else { @@ -11,10 +11,10 @@ window.addEventListener("load", (event) => { } }); -let nhsNotify = nhsNotifyDefaults(); +const nhsNotify = nhsNotifyDefaults(); function nhsNotifyDefaults() { - var defaults = {}; + const defaults = {}; defaults.storageName = "cb-checked"; defaults.buttonName = "fullScreenButton"; defaults.standard = "Standard"; @@ -24,16 +24,16 @@ function nhsNotifyDefaults() { function tempViewFullScreen() { viewFullScreen(); - var buttons = document.getElementsByName(nhsNotify.buttonName); + const buttons = document.getElementsByName(nhsNotify.buttonName); buttons.forEach((item) => { item.style.display = "none"; }); } function viewFullScreen() { - var sideBar = document.getElementsByClassName("side-bar")[0]; - var main = document.getElementsByClassName("main")[0]; - var pageInfo = document.getElementsByClassName("page-info")[0]; + const sideBar = document.getElementsByClassName("side-bar")[0]; + const main = document.getElementsByClassName("main")[0]; + const pageInfo = document.getElementsByClassName("page-info")[0]; sideBar.style.display = "none"; main.style.maxWidth = "100%"; main.style.marginLeft = "0px"; 
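Review bot: `if (param)` in the new `load` handler treats any non-empty value of `?fullscreen=` as true, so `?fullscreen=0` or `?fullscreen=false` also switch to full screen; if that is intended it deserves a comment, otherwise compare the value explicitly, `if (param !== null && param !== "0" && param !== "false") {`. The `else` branch of the handler continues past the hunk.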
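Review bot: `viewFullScreen()` dereferences `document.getElementsByClassName("side-bar")[0]` (and likewise `main` and `page-info`) without checking that an element exists, so on any page lacking one of those classes the `sideBar.style.display = "none"` line throws a TypeError; the same applies to `setStandard()` in the `@@ -45` hunk. A guard after the three `const` lines, `if (!sideBar || !main || !pageInfo) return;`, keeps the handler from failing part-way through. The rest of `viewFullScreen()` lies outside the hunk.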
@@ -45,9 +45,9 @@ function setFullScreen() { } function setStandard() { - var sideBar = document.getElementsByClassName("side-bar")[0]; - var main = document.getElementsByClassName("main")[0]; - var pageInfo = document.getElementsByClassName("page-info")[0]; + const sideBar = document.getElementsByClassName("side-bar")[0]; + const main = document.getElementsByClassName("main")[0]; + const pageInfo = document.getElementsByClassName("page-info")[0]; sideBar.style.display = ""; main.style.maxWidth = ""; main.style.marginLeft = ""; @@ -56,7 +56,7 @@ function setStandard() { } function setViewAtStart() { - var currentStatus = localStorage.getItem(nhsNotify.storageName); + const currentStatus = localStorage.getItem(nhsNotify.storageName); if (currentStatus == nhsNotify.fullScreen) makeChange(currentStatus); } @@ -69,10 +69,8 @@ function makeChange(newStatus) { } function afterChange(currentStatus, newStatus) { - var storageName = nhsNotify.storageName; - var buttonName = nhsNotify.buttonName; - var buttons = document.getElementsByName(buttonName); - localStorage.setItem(storageName, newStatus); + const buttons = document.getElementsByName(nhsNotify.buttonName); + localStorage.setItem(nhsNotify.storageName, newStatus); buttons.forEach((item) => { item.textContent = currentStatus + " View"; @@ -80,13 +78,8 @@ function afterChange(currentStatus, newStatus) { } function fullScreenToggle() { - var standard = nhsNotify.standard; - var fullScreen = nhsNotify.fullScreen; - var storageName = nhsNotify.storageName; - var currentStatus = ""; - var newStatus = ""; - - currentStatus = localStorage.getItem(storageName); + const { standard, fullScreen, storageName } = nhsNotify; + let currentStatus = localStorage.getItem(storageName); if ( currentStatus == "false" || 
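Review bot: `if (currentStatus == nhsNotify.fullScreen)` in `setViewAtStart()` still uses loose equality, as do `currentStatus == "false"` in `fullScreenToggle()` in the next hunk and the new `currentStatus == standard ? fullScreen : standard` ternary in the `@@ -94` hunk; since the commit is already moving this file to `const`/`let`, switching these to `===` (and `=== null`, which is what `localStorage.getItem` returns for a missing key) would be consistent and is likely the next thing the linter raises. E.g. `if (currentStatus === nhsNotify.fullScreen) makeChange(currentStatus);`.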
@@ -94,16 +87,9 @@ function fullScreenToggle() { currentStatus == null ) { currentStatus = standard; - newStatus = fullScreen; } - if (currentStatus == standard) { - newStatus = fullScreen; - currentStatus = standard; - } else { - newStatus = standard; - currentStatus = fullScreen; - } + const newStatus = currentStatus == standard ? fullScreen : standard; makeChange(newStatus); } diff --git a/scripts/docker/dgoss.sh b/scripts/docker/dgoss.sh index 9d01cd8c..c7e2b5cd 100644 --- a/scripts/docker/dgoss.sh +++ b/scripts/docker/dgoss.sh @@ -18,7 +18,8 @@ info() { return 0 } error() { - echo -e "ERROR: $*" >&2; + local message="$*"; + echo -e "ERROR: $message" >&2; exit 1; } @@ -98,7 +99,8 @@ GOSS_SLEEP=${GOSS_SLEEP:-0.2} [[ $CONTAINER_RUNTIME =~ ^(docker|podman)$ ]] || { error "Runtime must be one of docker or podman"; } -case "$1" in +readonly command="$1" +case "$command" in run) run "$@" if [[ -e "${GOSS_FILES_PATH}/goss_wait.yaml" ]]; then diff --git a/scripts/docker/docker.lib.sh b/scripts/docker/docker.lib.sh index 4227ef1b..095dfd58 100644 --- a/scripts/docker/docker.lib.sh +++ b/scripts/docker/docker.lib.sh @@ -189,7 +189,7 @@ function docker-get-image-version-and-pull() { local version="latest" if [[ -f "$versions_file" ]]; then line=$(grep "docker/${name} " "$versions_file" | sed "s/^#\s*//; s/\s*#.*$//" | grep "${match_version:-".*"}") - [ -n "$line" ] && version=$(echo "$line" | awk '{print $2}') + [[ -n "$line" ]] && version=$(echo "$line" | awk '{print $2}') fi # Split the image version into two, tag name and digest sha256. 
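Review bot: `echo -e "ERROR: $message" >&2;` in `dgoss.sh`'s `error()` interprets backslash escapes inside the caller's text, so a path or pattern containing `\n` or `\t` is altered before it is shown, and `echo -e` itself is not portable across shells. `printf 'ERROR: %b\n' "$message" >&2` is the portable equivalent that keeps the escape handling `-e` currently provides; use `%s` instead if escapes should print literally. The trailing `;` on the new `local` line matches the file's existing style, so no change there.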
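Review bot: `readonly command="$1"` uses the name of the `command` builtin for a variable; that is legal in bash, but `case "$command" in` reads like the builtin at first glance, and a name such as `subcommand` or `action` avoids the double take. Because it is `readonly`, re-sourcing this script in the same shell would also fail on the second assignment; if the script is only ever executed, that is moot. The remaining `case` arms run past the hunk.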
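Review bot: `[[ -n "$line" ]] && version=$(echo "$line" | awk '{print $2}')` in `docker-get-image-version-and-pull` assumes the preceding `grep` pipeline matched exactly one line; if `docker/${name} ` matches more than one entry in `$versions_file`, `$line` is multi-line and `version` becomes a newline-separated list, which the tag/digest split mentioned in the comment below presumably cannot handle. Taking the first match only, `version=$(echo "$line" | awk 'NR==1{print $2}')`, or failing loudly on multiple matches, would make the outcome predictable. How `name` and `match_version` are supplied is outside the hunk.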
@@ -250,7 +250,7 @@ function _replace-image-latest-by-specific-version() { # First, list the entries specific for Docker to take precedence, then the rest but exclude comments content=$(grep " docker/" "$versions_file"; grep -v " docker/" "$versions_file" ||: | grep -v "^#") echo "$content" | while IFS= read -r line; do - [ -z "$line" ] && continue + [[ -z "$line" ]] && continue line=$(echo "$line" | sed "s/^#\s*//; s/\s*#.*$//" | sed "s;docker/;;") name=$(echo "$line" | awk '{print $1}') version=$(echo "$line" | awk '{print $2}') diff --git a/scripts/githooks/check-markdown-format.sh b/scripts/githooks/check-markdown-format.sh index 05f4f691..d43b6168 100755 --- a/scripts/githooks/check-markdown-format.sh +++ b/scripts/githooks/check-markdown-format.sh @@ -49,6 +49,10 @@ function main() { "branch") files="$( (git diff --diff-filter=ACMRT --name-only "${BRANCH_NAME:-origin/main}" "*.md"; git diff --name-only "*.md") | sort | uniq )" ;; + *) + echo "Unknown check mode: $check" >&2 + return 1 + ;; esac if [[ -n "$files" ]] && command -v markdownlint > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then diff --git a/scripts/githooks/scan-secrets.sh b/scripts/githooks/scan-secrets.sh index a5045cea..b3a70913 100755 --- a/scripts/githooks/scan-secrets.sh +++ b/scripts/githooks/scan-secrets.sh @@ -54,6 +54,10 @@ function get-cmd-to-run() { "staged-changes") cmd="protect --source $dir --verbose --staged" ;; + *) + echo "Unknown check mode: $check" >&2 + return 1 + ;; esac # Include base line file if it exists if [[ -f "$dir/scripts/config/.gitleaks-baseline.json" ]]; then diff --git a/scripts/shellscript-linter.sh b/scripts/shellscript-linter.sh index 2d2fade6..17f7a47a 100755 --- a/scripts/shellscript-linter.sh +++ b/scripts/shellscript-linter.sh 
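Review bot: In the context line `content=$(grep " docker/" "$versions_file"; grep -v " docker/" "$versions_file" ||: | grep -v "^#")`, `|` binds tighter than `||`, so it parses as `grep -v … || (: | grep -v "^#")` and the `grep -v "^#"` filter only ever sees the output of `:`; comment lines are not removed here, which may be why the new `[[ -z "$line" ]] && continue` and the following `sed "s/^#\s*//; …"` have to cope with them. Grouping the two greps, `content=$({ grep " docker/" "$versions_file"; grep -v " docker/" "$versions_file" || :; } | grep -v "^#")`, applies the filter to both as the comment above describes. The loop body continues beyond the hunk.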
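Review bot: The new `*)` arm in `get-cmd-to-run` returns 1 after printing to stderr, but the function's result is the `cmd` string on stdout, so a caller that captures it with `cmd=$(get-cmd-to-run)` sees an empty command and, if it uses `local cmd=$(...)`, never sees the non-zero status at all; the caller is outside this hunk, so this is worth checking. An `exit 1` inside the function would not help either, since inside a command substitution it only ends the subshell; the status has to be checked at the call site, e.g. `cmd=$(get-cmd-to-run) || exit 1`. The identical arm added to `main()` in `check-markdown-format.sh` earlier in the diff does not have this problem, since `return 1` from `main` becomes the script's status.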
@@ -21,7 +21,7 @@ function main() { cd "$(git rev-parse --show-toplevel)" - [ -z "${file:-}" ] && echo "WARNING: 'file' variable not set, defaulting to itself" + [[ -z "${file:-}" ]] && echo "WARNING: 'file' variable not set, defaulting to itself" local file=${file:-scripts/shellscript-linter.sh} if command -v shellcheck > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then file="$file" run-shellcheck-natively diff --git a/scripts/terraform/terraform.sh b/scripts/terraform/terraform.sh index 73f37c1a..0909f97e 100755 --- a/scripts/terraform/terraform.sh +++ b/scripts/terraform/terraform.sh @@ -27,6 +27,8 @@ function main() { else cmd=$cmd run-terraform-in-docker fi + + return 0 } # Run Terraform natively. @@ -36,6 +38,8 @@ function run-terraform-natively() { # shellcheck disable=SC2086 terraform $cmd + + return 0 } # Run Terraform in a Docker container. @@ -54,13 +58,16 @@ function run-terraform-in-docker() { --workdir /workdir \ "$image" \ $cmd + + return 0 } # ============================================================================== function is-arg-true() { + local arg="$1" - if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then + if [[ "$arg" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then return 0 else return 1 diff --git a/scripts/terraform/trivy-scan.sh b/scripts/terraform/trivy-scan.sh index 1588f531..db995223 100755 --- a/scripts/terraform/trivy-scan.sh +++ b/scripts/terraform/trivy-scan.sh 
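Review bot: `[[ -z "${file:-}" ]] && echo "WARNING: 'file' variable not set, defaulting to itself"` writes the warning to stdout, where it mixes with the linter's own output; diagnostics belong on stderr, `[[ -z "${file:-}" ]] && echo "WARNING: 'file' variable not set, defaulting to itself" >&2`. The next line then declares `local file=${file:-…}` after the test has already read the global `file`, which works but is easy to misread; a one-line comment that the global is consulted before the local shadows it would help. The function continues outside the hunk.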
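Review bot: The `return 0` appended to `main()` in `terraform.sh`, and likewise to `run-terraform-natively()` (`@@ -36`) and `run-terraform-in-docker()` (`@@ -54`), discards the exit status of the `terraform $cmd` / `docker run … $cmd` that precede it, so whenever these functions run in a context where `set -e` does not apply (an `if`, a `||` list, or a sourced call), a failed terraform run is reported as success. If an explicit return is wanted, a bare `return` (or `return $?`) directly after the command propagates its status; otherwise leaving the command as the last statement is enough. Whether `set -e` is in force for this file is not visible in these hunks.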
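Review bot: With `local arg="$1"` in place, the `if … then return 0 else return 1 fi` around the match in `is-arg-true()` only restates the status of the `[[ … ]]` test; the function body can be the single line `[[ "$arg" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]` with identical results. The accepted spellings are a fixed mixed-case list (`Y` but not `Yes`, `TRUE` but not `True`); that is existing behaviour, but a comment marking it as deliberate would stop the next reader from "fixing" it.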
@@ -28,38 +28,36 @@ function main() { local dir_to_scan="." while [[ $# -gt 0 ]]; do - local current_arg="$1" - case "$current_arg" in + local arg="$1" + case "$arg" in --mode|-m) if [[ $# -lt 2 ]]; then echo "Error: --mode requires an argument." >&2 usage exit 1 fi - local mode_arg="$2" - scan_mode="$mode_arg" + scan_mode="$2" shift 2 - exit 0 - ;; - --) - shift - break - ;; - -*) ;; - usage - exit 1 - ;; - *) - dir_to_scan="$current_arg" - shift --help|-h) - dir_to_scan="$trailing_arg" + usage + exit 0 + ;; + --) + shift + break + ;; + -*) + echo "Unknown option: $arg" >&2 + usage + exit 1 + ;; + *) + dir_to_scan="$arg" shift ;; esac - local trailing_arg="$1" - dir_to_scan="$trailing_arg" + done if [[ $# -gt 0 ]]; then dir_to_scan="$1"