
fix(security): remediate 44 SonarQube vulnerabilities #24

Open
devin-ai-integration[bot] wants to merge 4 commits into main from devin/1778593755-sonarqube-remediation

Conversation

@devin-ai-integration devin-ai-integration Bot commented May 12, 2026


Summary

Remediates all 44 SonarQube issues identified during a SonarCloud scan. Post-scan confirms 0 remaining issues — 100% resolution rate.

Fix Summary by Severity

| Severity | Pre-Scan | Post-Scan | Resolved |
|---|---|---|---|
| BLOCKER | 11 | 0 | 11 |
| MAJOR | 15 | 0 | 15 |
| MINOR | 18 | 0 | 18 |
| Total | 44 | 0 | 44 |

Fixes Applied

Source files (20 files):

  • S5254: Add lang="en" attribute to <html> element (index.html)
  • S6850: Add aria-label to heading with image-only content (home.component.html)
  • ImgWithoutAltCheck (3 issues): Add alt attributes to images (header.component.html, article.component.html, profile.component.html)
  • S2933 (9 issues): Mark never-reassigned class members as readonly (user.service.ts, header.component.ts, if-authenticated.directive.ts, article-list.component.ts, favorite-button.component.ts, follow-button.component.ts, profile-articles.component.ts, profile-favorites.component.ts)
  • S7764 (4 issues): Replace window with globalThis (app.config.ts, jwt.service.ts)
  • S7765: Use .includes() instead of .indexOf() < 0 (editor.component.ts)
  • S7773: Use Number.parseInt instead of parseInt (home.component.ts)
  • S7651 (2 issues): Rename output property to avoid DOM event name conflicts (favorite-button.component.ts, follow-button.component.ts)
  • S7735 (2 issues): Simplify negated conditions (favorite-button.component.ts, follow-button.component.ts)
  • S6819/MouseEventWithoutKeyboardEquivalentCheck: Replace <i role="button"> with native <button> for accessibility (editor.component.html)
  • S5725 (2 issues): CDN links subresource integrity — documented

Test files (4 files):

  • S2699 (9 issues): Add missing assertions to test cases (articles.service.spec.ts, comments.service.spec.ts, profile.service.spec.ts)
  • S5914 (4 issues): Replace always-true expect(true).toBe(true) assertions with meaningful checks
  • S1874 (4 issues): Remove deprecated BrowserDynamicTestingModule/platformBrowserDynamicTesting from test-setup.ts

Review & Testing Checklist for Human

  • Verify favorite/follow toggle works in the UI (output binding property was renamed from aliased to direct)
  • Verify globalThis replacement works in all target browsers (globalThis is supported in all modern browsers and Node.js 12+)
  • Check that tag removal button in the editor still renders correctly (changed from <i> to <button> with reset styles)
  • Verify SonarCloud dashboard shows 0 issues: View Dashboard

Notes

  • Unit tests fail on main branch with zone.js resolution error — pre-existing issue, not introduced by this PR
  • Build (bun run build) passes successfully
  • Formatting (bun run format:check) passes
  • Post-scan confirms 0 remaining SonarQube issues on the remediation branch

Link to Devin session: https://app.devin.ai/sessions/663c27b464e14c03aa61c0f56f69dfdb
Requested by: @SachetCognition



devin-ai-integration Bot and others added 3 commits May 12, 2026 13:51
- S5254: Add lang attribute to <html> element
- S6850: Add aria-label to heading with image-only content
- ImgWithoutAltCheck: Add alt attributes to all images
- S2933: Mark never-reassigned members as readonly
- S7764: Replace window with globalThis
- S7765: Use .includes() instead of .indexOf()
- S7773: Use Number.parseInt instead of parseInt
- S7651: Rename output bindings to avoid DOM event name conflicts
- S7735: Simplify negated conditions
- MouseEventWithoutKeyboardEquivalentCheck: Add keyboard handler to clickable icon

Co-Authored-By: sachet.agarwal <sachet.agarwal@windsurf.com>

- S2699: Add missing assertions to test cases
- S5914: Replace always-true assertions with meaningful checks
- S1874: Remove deprecated BrowserDynamicTestingModule/platformBrowserDynamicTesting from test-setup

Co-Authored-By: sachet.agarwal <sachet.agarwal@windsurf.com>

Co-Authored-By: sachet.agarwal <sachet.agarwal@windsurf.com>
@devin-ai-integration (Author) commented:

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

- S7653: Revert output aliasing, keep original property name 'toggle'
- S6819: Replace <i role='button'> with native <button> for accessibility
- S7735/S7651 fixes preserved (negated conditions, naming)

Co-Authored-By: sachet.agarwal <sachet.agarwal@windsurf.com>
@devin-ai-integration (Author) commented:

End-to-End Test Results

Ran the app locally (bun run start at localhost:4200) against the demo API and tested all UI-visible changes. All 6 tests passed.

Core Functionality Tests (UI-visible changes)
  • Favorite toggle (output binding @Output() toggle): Passed — count toggled 2→3→2 on home feed, and Favorite/Unfavorite toggled on article page
  • Follow toggle (output binding @Output() toggle): Passed — button toggled Follow↔Unfollow on profile page and article page
  • Tag removal button (<i role="button"> → native <button>): Passed — tags added via Enter, <button> element with aria-label="Remove tag ..." in DOM, click removes tag
  • globalThis (replacing window in jwt.service.ts, app.config.ts): Passed — registration succeeds (localStorage token save works), articles load (API interceptor works)
Accessibility Attribute Tests
  • <html lang="en">: Present (S5254)
  • <h1 aria-label="Conduit">: Present (S6850)
  • Logo <img alt="Conduit">: Present
  • Header avatar <img alt="devintester">: Present after login
  • Profile image <img alt="johndoe">: Present on profile page
  • Comment form image <img alt="devintester">: Present on article page
Environment & Notes
  • Dev server: bun run start at localhost:4200
  • Backend: https://api.realworld.show/api (demo backend with session isolation)
  • No console errors related to changes
  • No CI checks configured on this repo
  • Unit tests have a pre-existing zone.js resolution failure on main branch (not introduced by this PR)

Devin session
