From df1e2942d7eb0ecc5f05a72d3353b4d1ed4da536 Mon Sep 17 00:00:00 2001
From: alex-dzeda <120701369+alex-dzeda@users.noreply.github.com>
Date: Tue, 16 Apr 2024 11:55:36 -0500
Subject: [PATCH] BCDA-7991: Address sonarqube security issues (#195)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## 🎫 Ticket

https://jira.cms.gov/browse/BCDA-7991

## 🛠 Changes

Updated Dockerfile + problematic html file.

## ℹ️ Context for reviewers

SonarQube had 8 "findings" related to the static site application: 2 related to the Dockerfile in the project, and 6 related to external link outs. 7 of those findings will be resolved with this PR, and one can remain ignored (copying all files in a directory in the Dockerfile), as it's mitigated by addressing the second Dockerfile finding (ensuring that the docker container runs in user mode).

## ✅ Acceptance Validation

Addressed/mitigated each security issue by ensuring the Dockerfile specifies the use of a non-root user and adding rel="noopener" tags.

## 🔒 Security Implications

- [ ] This PR adds a new software dependency or dependencies.
- [ ] This PR modifies or invalidates one or more of our security controls.
- [ ] This PR stores or transmits data that was not stored or transmitted before.
- [ ] This PR requires additional review of its security implications for other reasons.

If any security implications apply, add Jason Ashbaugh (GitHub username: StewGoin) as a reviewer and do not merge this PR without his approval.
---
 Dockerfiles/Dockerfile.static_site |  1 +
 _includes/data/bcda_v2_data.html   | 12 ++++++------
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/Dockerfiles/Dockerfile.static_site b/Dockerfiles/Dockerfile.static_site
index 83ffe98..9394972 100644
--- a/Dockerfiles/Dockerfile.static_site
+++ b/Dockerfiles/Dockerfile.static_site
@@ -5,3 +5,4 @@ WORKDIR /bcda-site-static COPY . . RUN ["bundle", "install"] ENTRYPOINT ["bundle", "exec", "jekyll", "build", "--config", "_config.yml,_version_config.yml"] +USER 1000:1000 \ No newline at end of file diff --git a/_includes/data/bcda_v2_data.html b/_includes/data/bcda_v2_data.html index 0339319..af90127 100644 --- a/_includes/data/bcda_v2_data.html +++ b/_includes/data/bcda_v2_data.html @@ -19,7 +19,7 @@

The following table summarizes changes to the EOB resource due to changes between versions 3 (STU3) and 4 (R4) of the FHIR specification.

- For details, see the FHIR Explanation of Benefit resource page, and select the R3 Diff tab under section 13.10.4 Resource Content + For details, see the FHIR Explanation of Benefit resource page, and select the R3 Diff tab under section 13.10.4 Resource Content
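Review bot: the changed line in this hunk (and the two matching link changes in the following hunks) reads identically before and after once the markup is stripped, so the only change is the attribute the description promises, `rel="noopener"`. For external links that open in a new tab, prefer `rel="noopener noreferrer"`: `noopener` stops the opened page from reaching back through `window.opener`, but only `noreferrer` also keeps the Referer header (and the BCDA page URL it carries) from being sent to hl7.org. The attribute is only meaningful on links that use `target="_blank"`; if these links do not open a new browsing context, the SonarQube finding does not apply and the attribute is harmless but unnecessary.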

@@ -81,7 +81,7 @@

The following table summarizes changes to the Patient Resource due to changes between versions 3 (STU3) and 4 (R4) of the FHIR specification. The Patient Resource is normative, with a maturity level of 5. In other words, because this resource has been in a mature state for quite some time, the amount of change to this resource in R4 is minimal.

- For details, see the FHIR Patient resource page, and select the R3 Diff tab under section 8.1.2 Resource Content + For details, see the FHIR Patient resource page, and select the R3 Diff tab under section 8.1.2 Resource Content

@@ -117,7 +117,7 @@

The following table summarizes changes to the Coverage Resource due to changes between versions 3 (STU3) and 4 (R4) of the FHIR specification.

- For details, see the FHIR Coverage resource page, and select the R3 Diff tab under section 13.1.3 Resource Content + For details, see the FHIR Coverage resource page, and select the R3 Diff tab under section 13.1.3 Resource Content

@@ -160,11 +160,11 @@

Implementation Guide-Based Changes

- Version 1 of the API is based on the Blue Button 2.0 Implementation Guide, Version 2 is based on the CARIN CDPDE Implementation Guide. + Version 1 of the API is based on the Blue Button 2.0 Implementation Guide, Version 2 is based on the CARIN CDPDE Implementation Guide. Subsequently, there are minor changes to the mapping and values of certain data elements based on conformance to the CARIN Implementation Guide. For instance, slicing/discriminator rules can be different, and some valuesets will be bound to CARIN or HL7 valusets instead of BlueButton. - As an example, Patient.identifier.type in V2 is bound to http://www.hl7.org/fhir/us/carin-bb/ValueSet-C4BBPatientIdentifierType.html. - As another example, EOB.Type is bound to http://www.hl7.org/fhir/us/carin-bb/ValueSet-C4BBPayeeType.html and the associated value will be one of the codes in that valueset. + As an example, Patient.identifier.type in V2 is bound to http://www.hl7.org/fhir/us/carin-bb/ValueSet-C4BBPatientIdentifierType.html. + As another example, EOB.Type is bound to http://www.hl7.org/fhir/us/carin-bb/ValueSet-C4BBPayeeType.html and the associated value will be one of the codes in that valueset.

The BCDA Data Dictionary provides additional information on how BCDA data is mapped to its CCLF counterparts, and how to use the discriminators for FHIR resources and extensions.
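Review bot: in the Dockerfile hunk at the top of the patch, `USER 1000:1000` switches to a numeric UID that no earlier instruction creates, while everything placed by `COPY . .` and `RUN ["bundle", "install"]` is still owned by root, so the `jekyll build` in the ENTRYPOINT is likely to fail with a permission error as soon as it writes `_site` or `.jekyll-cache` into `/bcda-site-static` (unless that directory is bind-mounted at run time with matching ownership). Suggest `COPY --chown=1000:1000 . .` (or a `RUN chown -R 1000:1000 /bcda-site-static` before the `USER` line) and, ideally, a named user so the intent is explicit; placing `USER` before `ENTRYPOINT` also follows the usual Dockerfile layout. The file now ends without a trailing newline (`\ No newline at end of file`); add one so the next change does not produce a noisy diff.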
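Review bot: in the last hunk of `_includes/data/bcda_v2_data.html`, the two CARIN value-set links still point at plain `http://www.hl7.org/fhir/us/carin-bb/...`; since this pass is about hardening external links, switch them to `https://` so the hop to hl7.org is not over downgradable cleartext HTTP. The unchanged context just above the changed lines also spells "valusets" (should be "valuesets"), worth correcting while the file is open.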