BCDA-7991: Address sonarqube security issues (#195)
## 🎫 Ticket

https://jira.cms.gov/browse/BCDA-7991

## 🛠 Changes

Updated Dockerfile + problematic html file.

## ℹ️ Context for reviewers

SonarQube had 8 "findings" related to the static site application: 2
related to the Dockerfile in the project, and 6 related to external
link-outs. 7 of those findings will be resolved with this PR, and one can
remain ignored (copying all files in a directory in the Dockerfile)
as it's mitigated by addressing the second Dockerfile finding (ensuring
that the docker container runs in user mode).

## ✅ Acceptance Validation

Addressed/mitigated each security issue by ensuring the Dockerfile
specifies the use of a non-root user and adding rel="noopener" tags.

## 🔒 Security Implications

- [ ] This PR adds a new software dependency or dependencies.
- [ ] This PR modifies or invalidates one or more of our security
controls.
- [ ] This PR stores or transmits data that was not stored or
transmitted before.
- [ ] This PR requires additional review of its security implications
for other reasons.

If any security implications apply, add Jason Ashbaugh (GitHub username:
StewGoin) as a reviewer and do not merge this PR without his approval.
alex-dzeda authored Apr 16, 2024
1 parent 657a472 commit df1e294
Showing 2 changed files with 7 additions and 6 deletions.
1 change: 1 addition & 0 deletions Dockerfiles/Dockerfile.static_site
Expand Up @@ -5,3 +5,4 @@ WORKDIR /bcda-site-static
COPY . .
RUN ["bundle", "install"]
ENTRYPOINT ["bundle", "exec", "jekyll", "build", "--config", "_config.yml,_version_config.yml"]
USER 1000:1000
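Review bot: `COPY . .` and `RUN ["bundle", "install"]` still execute as root, so `/bcda-site-static` and everything under it stay root-owned when the process drops to `USER 1000:1000`; `jekyll build` writes `_site/` and `.jekyll-cache/` into that working directory and will fail with a permission error unless uid 1000 can write there. Use `COPY --chown=1000:1000 . .` (or `RUN chown -R 1000:1000 /bcda-site-static` before the `USER` line) so the build actually runs under the unprivileged user. Separately, dropping privileges does not mitigate the "copy all files" finding the description sets aside: `COPY . .` bakes whatever is in the build context (`.git`, local config, credential files) into the image layer regardless of which user later runs the container; a `.dockerignore` is the control for that one.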
12 changes: 6 additions & 6 deletions _includes/data/bcda_v2_data.html
Expand Up @@ -19,7 +19,7 @@ <h3>
The following table summarizes changes to the EOB resource due to changes between versions 3 (STU3) and 4 (R4) of the FHIR specification.
</p>
<p>
For details, see the <a href="http://www.hl7.org/fhir/explanationofbenefit.html#resource" target="_blank" class="in-text__link">FHIR Explanation of Benefit resource</a> page, and select the <strong>R3 Diff</strong> tab under section <strong>13.10.4 Resource Content</strong>
For details, see the <a href="http://www.hl7.org/fhir/explanationofbenefit.html#resource" target="_blank" class="in-text__link" rel="noopener">FHIR Explanation of Benefit resource</a> page, and select the <strong>R3 Diff</strong> tab under section <strong>13.10.4 Resource Content</strong>
</p>
<table style="width:100%" aria-describedby="EoB">
<tr>
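Review bot: `rel="noopener"` closes the `window.opener` hole this finding is about, but the form SonarQube and OWASP recommend is `rel="noopener noreferrer"`: `noreferrer` implies `noopener` in browsers that predate `noopener` support and also stops the `Referer` header from disclosing the originating page URL to the external site. Consider `rel="noopener noreferrer"` here and on the other `target="_blank"` anchors touched in this file. Also, the `href` is plain `http://www.hl7.org/...`; hl7.org is served over HTTPS, so linking to `https://` avoids an unencrypted first hop before any redirect.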
Expand Down Expand Up @@ -81,7 +81,7 @@ <h3>
The following table summarizes changes to the Patient Resource due to changes between versions 3 (STU3) and 4 (R4) of the FHIR specification. The Patient Resource is normative, with a maturity level of 5. In other words, because this resource has been in a mature state for quite some time, the amount of change to this resource in R4 is minimal.
</p>
<p>
For details, see the <a href="http://hl7.org/fhir/R4/patient.html#resource" target="_blank" class="in-text__link">FHIR Patient resource</a> page, and select the <strong>R3 Diff</strong> tab under section <strong>8.1.2 Resource Content</strong>
For details, see the <a href="http://hl7.org/fhir/R4/patient.html#resource" target="_blank" class="in-text__link" rel="noopener">FHIR Patient resource</a> page, and select the <strong>R3 Diff</strong> tab under section <strong>8.1.2 Resource Content</strong>
</p>
<table style="width:100%" aria-describedby="Patient">
<tr>
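Review bot: this is the second of four anchors patched by hand in this file, and nothing stops the next `target="_blank"` link from reintroducing the same finding. A one-line check in CI, for example grepping `_includes/` for `target="_blank"` on lines that lack `rel=`, would fail the build before SonarQube has to flag it again.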
Expand Down Expand Up @@ -117,7 +117,7 @@ <h3>
The following table summarizes changes to the Coverage Resource due to changes between versions 3 (STU3) and 4 (R4) of the FHIR specification.
</p>
<p>
For details, see the <a href="http://hl7.org/fhir/R4/coverage.html#resource" target="_blank" class="in-text__link">FHIR Coverage resource</a> page, and select the <strong>R3 Diff</strong> tab under section <strong>13.1.3 Resource Content</strong>
For details, see the <a href="http://hl7.org/fhir/R4/coverage.html#resource" target="_blank" class="in-text__link" rel="noopener">FHIR Coverage resource</a> page, and select the <strong>R3 Diff</strong> tab under section <strong>13.1.3 Resource Content</strong>
</p>
<table style="width:100%" aria-describedby="Coverage">
<tr>
Expand Down Expand Up @@ -160,11 +160,11 @@ <h2>
Implementation Guide-Based Changes
</h2>
<p>
Version 1 of the API is based on the <a href="https://bluebutton.cms.gov/assets/ig/index.html" target="_blank" class="in-text__link">Blue Button 2.0 Implementation Guide</a>, Version 2 is based on the <a target="_blank" href="http://www.hl7.org/fhir/us/carin-bb/StructureDefinition-C4BB-ExplanationOfBenefit.html" class="in-text__link">CARIN CDPDE Implementation Guide</a>.
Version 1 of the API is based on the <a href="https://bluebutton.cms.gov/assets/ig/index.html" target="_blank" class="in-text__link" rel="noopener">Blue Button 2.0 Implementation Guide</a>, Version 2 is based on the <a target="_blank" href="http://www.hl7.org/fhir/us/carin-bb/StructureDefinition-C4BB-ExplanationOfBenefit.html" class="in-text__link" rel="noopener">CARIN CDPDE Implementation Guide</a>.
Subsequently, there are minor changes to the mapping and values of certain data elements based on conformance to the CARIN Implementation Guide.
For instance, slicing/discriminator rules can be different, and some valuesets will be bound to CARIN or HL7 valusets instead of BlueButton.
As an example, Patient.identifier.type in V2 is bound to <a href="http://www.hl7.org/fhir/us/carin-bb/ValueSet-C4BBPatientIdentifierType.html" target="_blank" class="in-text__link">http://www.hl7.org/fhir/us/carin-bb/ValueSet-C4BBPatientIdentifierType.html</a>.
As another example, EOB.Type is bound to <a href="http://www.hl7.org/fhir/us/carin-bb/ValueSet-C4BBPayeeType.html" target="_blank" class="in-text__link">http://www.hl7.org/fhir/us/carin-bb/ValueSet-C4BBPayeeType.html</a> and the associated value will be one of the codes in that valueset.
As an example, Patient.identifier.type in V2 is bound to <a href="http://www.hl7.org/fhir/us/carin-bb/ValueSet-C4BBPatientIdentifierType.html" target="_blank" class="in-text__link" rel="noopener">http://www.hl7.org/fhir/us/carin-bb/ValueSet-C4BBPatientIdentifierType.html</a>.
As another example, EOB.Type is bound to <a href="http://www.hl7.org/fhir/us/carin-bb/ValueSet-C4BBPayeeType.html" target="_blank" class="in-text__link" rel="noopener">http://www.hl7.org/fhir/us/carin-bb/ValueSet-C4BBPayeeType.html</a> and the associated value will be one of the codes in that valueset.
</p>
<p>
The BCDA Data Dictionary provides additional information on how BCDA data is mapped to its CCLF counterparts, and how to use the discriminators for FHIR resources and extensions.
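Review bot: the unchanged context line "some valuesets will be bound to CARIN or HL7 valusets" carries a typo ("valusets"); since this paragraph is being edited anyway, fix it to "valuesets" in the same commit. Minor style point: the CARIN CDPDE anchor puts `target="_blank"` before `href` while every other link in the file lists `href` first; normalising the attribute order keeps the file easy to grep.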
