Create issues to resolve all open CodeQL alerts

[roslynwythe]

Overview

Create issues to resolve open CodeQL alerts

Issues to create (this issue should remain open until these are closed)

• Epic: Create issues to resolve CodeQL alerts 1- 24, 98 "Potentially unsafe external link" #5129
• Resolve CodeQL alert 25 #5642
• Resolve CodeQL Alert 38-40: Missing variable declaration #5705
• Resolve CodeQL Alert 41: Missing variable declaration #5706
• Resolve CodeQL Alert #43 in guidepages.js- Generated by GHA #6670 Alert 42,43 - in assets/js/guidepages.js - this code is not in production
  • Dependency: pages/guides.html is published
• Resolve CodeQL alert 44 #6481
• Resolve CodeQL alert 45 #6480
• Resolve CodeQL alert 46 #6482
• Resolve CodeQL alert 47 #6483
• Alert 48 - wins-form-responses/Code.js
• Alert 49 - wins-share-form.html - not in production
  • page is published with permalink /share-your-wins/ but not linked
  • Dependency: wins-share-form.html is linked in place of Google Form
• Resolve CodeQL Alert 50 #6621
• Resolve CodeQL Alert 51 #6622
• Resolve CodeQL alert 52 #6623
• Resolve CodeQL alert 53 #6642
• Resolve CodeQL alert 54 #6644
• Resolve CodeQL Alert #55 - Generated by GHA #6826 Alert 55 Unused variable, import, function or class in wins-form-responses
• Resolve CodeQL query alert 56 #5473
• Resolve CodeQL query alert 57 #6479
• Alert 60 semicolon insertion in wins.js
• Alert 61 semicolon insertion in wins.js
• Alert 62 Unused loop iteration in wins.js
• Alert 84 syntax error in about.js
• Resolve CodeQL Alert #89 in post-comment.js - Generated by GHA #6665 Alert 89 Unused variable in github-actions/pr-instructions/post-comment.js:2
• Resolve CodeQL Alert #91 - Generated by GHA #6664 Alert 91 Semicolon insertion in contributors-data.js
• Resolve CodeQL Alert #92 - Generated by GHA #6663 Alert 92 Semicolon insertion in contributors-data.js
• Resolve CodeQL Alert #94 - Generated by GHA #6662 Alert 94 Unused variable, in check-labels.js
• Alert 97 Syntax error in assets/js/hamburger-nav.js

Currently as of 4/7/2024 alerts exist up to 107. Alerts not listed above are in Pull Requests.

Action Items

• Create an issue for each CodeQL alert listed above that does have an issue already
  • Replace every instance of [INSERT-ALERTID] with the alert number, for example 94
  • Provide testing instructions to the developer
  • Replace the text above with a link to the new issue
• Then move this issue to the "Ice Box" with a Dependency label. It can be closed when all the child issues are closed.

Template

### Prerequisite
1. Be a member of Hack for LA. (There are no fees to join.) If you have not joined yet, please follow the steps on our [Getting Started page](https://www.hackforla.org/getting-started).
2. Before you claim or start working on an issue, please make sure you have read our [How to Contribute to Hack for LA Guide](https://github.com/hackforla/website/blob/7f0c132c96f71230b8935759e1f8711ccb340c0f/CONTRIBUTING.md).

### Overview
As developers. we need to analyze [CodeQL query alert INSERT-ALERTID](https://github.com/hackforla/website/security/code-scanning/INSERT-ALERTID) and to either recommend dismissal of the alert or update the code to resolve the alert.    

### Action Items
- [ ] DO NOT DISMISS ANY ALERTS.  Dismissal of alerts should be done by dev leads only after review of the recommendation
- [ ] Browse to the link in the next Action Item and read the contents.  Click "See More" to view Recommendations, Examples and References.  
- [ ] https://github.com/hackforla/website/security/code-scanning/INSERT-ALERTID 
- [ ] Note these resources: 
   - [ ] See the wiki page "How to manage CodeQL alerts" (see under Resources)
   - [ ] To look at the resolution of similar alerts, visit the [code scanning page](https://github.com/hackforla/website/security/code-scanning) and query closed alerts for similar alert type.  To see the resolution of a closed alert, view the alert details and open the tracking issue (outlined in red in the screenshot under Resources)
- [ ] In a comment in this issue, provide your recommendation.  The recommendation can be one of the following: `dismiss as test`, `dismiss as false positive`, `dismiss as won't fix`, or `update code`.  An example of a 'false positive' is a report of a JavaScript syntax error that is caused by markdown or liquid symbols such as `---` or `{%`.  
- [ ] If the recommendation is to update code:
   - [ ] create an issue branch and proceed with the code update
   - [ ] Use docker to test locally, ensuring that there are no changes to the appearance or the behavior of any affected webpage(s) or GitHub actions.  If you are not certain how to test a particular code change, ask a merge team member or dev lead.  
   - [ ] proceed with pull request in the usual manner 
- [ ] If the recommendation is to dismiss, describe your reason for dismissal in the comment, then move the issue to `Questions/In Review` and apply the label `ready for dev lead`.  


### For merge team/dev lead
- [ ] If recommendation to dismiss is approved, dismiss the alert with a comment, then close the issue as completed.
- [ ] When this issue is closed please check off the dependency (under "Issues") in #5159.  If all issues are closed, close #5159 as completed.  
  
### Resources/Instructions

- [GitHub CodeQL documentation](https://codeql.github.com/docs/codeql-overview/about-codeql/)
- [code scanning page](https://github.com/hackforla/website/security/code-scanning)
- Wiki page "How to resolve CodeQL alerts" (if this page has not been published yet, see the draft at https://github.com/hackforla/website/issues/6463#issuecomment-2002573270)
- This issue is part of #5159

Resources/Instructions

• This issue is based on Epic: Manage CodeQL deployment #5005

[ExperimentsInHonesty]

I have added the following note to the agenda for 2024-03-04
BW: CodeQL issue making review

• Create issues to resolve all open CodeQL alerts #5159 I see the template, but how do you want them to change it?
• Epic: Manage CodeQL deployment #5005 - do we need a template for each type? or perhaps a wiki page with all the different instructions and the issue just tells them which one they need?

If most of the issues already made are medium, it looks like there are 57 medium issues we could make from the HfLA website: CodeQL scan alerts (issue #5060) spreadsheet. Is that correct?
If we clear up how to manage #5005 , we could remove RW from it, correct?

[roslynwythe]

I have added the following note to the agenda for 2024-03-04 BW: CodeQL issue making review

• Create issue template for resolving CodeQL alerts #5159 I see the template, but how do you want them to change it?
• Epic: Create Issues to Resolve CodeQL alerts #5005 - do we need a template for each type? or perhaps a wiki page with all the different instructions and the issue just tells them which one they need?

If most of the issues already made are medium, it looks like there are 57 medium issues we could make from the HfLA website: CodeQL scan alerts (issue #5060) spreadsheet. Is that correct? If we clear up how to manage #5005 , we could remove RW from it, correct?

• @ExperimentsInHonesty I've made some changes:
  • updated the template, making it a GitHub issue template Create new issue template for resolution of CodeQL alert #5242
  • the list of issues will not be sourced/tracked from a spreadsheet, rather from the "Issues" list in this issue
  • Loved the wiki idea, created Create wiki page to guide developers how to manage CodeQL alerts #6463
  • At this point, I think that Epic: Manage CodeQL deployment #5005 can be closed, do you agree?