## Context

During the toolchain adoption in #98 (Biome, oxlint, type-aware ESLint, knip, attw) three sets of findings were deliberately deferred or surfaced as advisory. This issue consolidates them into one tracked follow-up.

Important: the 461-file one-shot Biome reformat in #98 makes pre-existing lines count as "new code", so the CodeQL "new alerts" check and the SonarCloud quality gate re-attribute PRE-EXISTING findings to that PR (their own caveat: "code changes were too large"). The flagged files' diffs were verified to be formatting-only. After #98 merges to main, the new-code baseline resets, so these stop blocking unrelated PRs - but the underlying findings remain in the codebase and are tracked here for real resolution. None were introduced by #98.

## 1. Accessibility pass (oxlint jsx-a11y) - 60 findings

In #98 the 8 firing `jsx-a11y` rules were set to `warn` (not disabled) to avoid turning a tooling PR into an accessibility refactor of vendored shadcn/ui plus many components needing markup/behaviour changes.

Rules currently at `warn` in `.oxlintrc.json`: `no-static-element-interactions`, `click-events-have-key-events`, `label-has-associated-control`, `prefer-tag-over-role`, `no-autofocus`, `control-has-associated-label`, `no-noninteractive-element-interactions`, `anchor-has-content`.

Representative locations: `ResultsGrid.tsx`, `DataImportModal.tsx`, `MaskingSettings.tsx`, `QueryHistory.tsx`, `StudioTabBar.tsx`, `SnapshotTimeline.tsx`, `SavedQueries.tsx`, `DataCharts.tsx`, `VisualExplain.tsx`, plus vendored `ui/*` (calendar, carousel, breadcrumb, pagination, input-group, field, item, spinner, button-group).

- Add keyboard handlers / roles for interactive non-button elements (`click-events-have-key-events`, `no-static-element-interactions`).
- Associate labels with controls (`label-has-associated-control`, `control-has-associated-label`).
- Replace `role="list"`/etc. with semantic tags where it does not fight upstream shadcn (`prefer-tag-over-role`).
- Review `no-autofocus` usages.
- Once clean, promote the 8 `jsx-a11y` rules from `warn` to `error` in `.oxlintrc.json`.

## 2. Triage CodeQL alerts (11: 5 high, 6 medium)
- `js/sql-injection` (high) x4 - `src/lib/db/providers/sql/mssql.ts:222`, `src/lib/db/providers/document/mongodb.ts:277,281,287`. Expected to be largely by-design (the product's purpose is executing user-supplied queries), but confirm each path is parameterised where it should be, then fix or dismiss-as-by-design with a written justification.
- `js/log-injection` (medium) x6 - `src/lib/logger.ts:85,96,99,102`, `src/lib/db/base-provider.ts:261`, `src/lib/db/factory.ts:58`. `logger.ts` already sanitises control chars/newlines; verify the sanitiser covers each sink (likely false-positive) and dismiss, or route remaining sinks through it.
- `js/tainted-format-string` (high) x1 - `src/lib/logger.ts:85`. Confirm the format string is not user-controlled, or harden it.
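The two properties the `js/log-injection` and `js/tainted-format-string` alerts above are asking for at a logging sink, shown as an added example rather than the project's own `logger.ts` (whose sanitiser is not reproduced here): every untrusted value is escaped to a single line before it reaches the entry, and the format string is always a literal written by the caller, never the untrusted value itself. The function names (`sanitizeForLog`, `formatLogLine`, `isSingleLine`), the escaping scheme and the sample inputs are assumptions.

```typescript
// Added example, not the project's logger.ts: a log-value sanitiser plus a
// constant-format-string wrapper, the two things CodeQL's js/log-injection
// and js/tainted-format-string queries look for at a logging sink.
import { format } from "node:util";

// C0 controls (including \r and \n), DEL, C1 controls and the Unicode line and
// paragraph separators: anything that could start a forged log line or change
// how a terminal or log viewer renders the entry.
const CONTROL_CHARS = /[\u0000-\u001f\u007f-\u009f\u2028\u2029]/g;

// Render an untrusted value as a single-line string with every control
// character visibly escaped, so "alice\n[INFO] login ok" stays one entry.
function sanitizeForLog(value: unknown): string {
  const text = typeof value === "string" ? value : String(JSON.stringify(value));
  return text.replace(CONTROL_CHARS, (ch) => {
    switch (ch) {
      case "\n":
        return "\\n";
      case "\r":
        return "\\r";
      case "\t":
        return "\\t";
      default:
        return `\\u${ch.charCodeAt(0).toString(16).padStart(4, "0")}`;
    }
  });
}

// The template is a literal chosen by the caller; untrusted data only travels
// through the placeholder arguments. util.format never parses arguments for
// %-directives, so a value containing "%s" cannot consume or inject fields.
function formatLogLine(level: string, template: string, ...args: unknown[]): string {
  return `[${level}] ${format(template, ...args.map(sanitizeForLog))}`;
}

// A check a unit test for each sink can make: no emitted entry spans more than one line.
function isSingleLine(entry: string): boolean {
  return !/[\r\n\u2028\u2029]/.test(entry);
}

// Constructed inputs, not captured from the project: a username carrying a
// newline and a fake second entry, plus a value that looks like a directive.
const forgedUser = "alice\n[INFO] user=root login ok";
console.log(formatLogLine("WARN", "login failed for user=%s from %s", forgedUser, "10.0.0.5"));
console.log(formatLogLine("WARN", "login failed for user=%s", "bob%s\r\n"));
```

Routing every remaining sink through a helper like `sanitizeForLog` is what turns the "likely false-positive" verdict into something CodeQL can see: the query tracks taint from request data to the logger call, and a replace over all control characters on that path is recognised as a sanitiser.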
## 3. SonarCloud new-code quality gate

`new_coverage` 92.9%, `new_maintainability_rating` 1, duplications 1.3%, hotspots 100% are all OK. Two conditions fail, both pre-existing:

- `new_security_rating` = 3 - 25x "Make sure using this pseudorandom number generator is safe" (`Math.random` in `src/components/TestDataGenerator.tsx`). This is fake/sample-data generation, not security-sensitive; mark the hotspots Safe in SonarCloud (or add a documented justification).
- `new_reliability_rating` = 4 - remaining bugs (the `route.ts` constant-`||` one was already fixed in #98, "feat(toolchain): adopt Biome, oxlint, attw; keep eslint-config-next + knip"):
  - `src/components/PivotTable.tsx:87` - provide a locale-aware compare function to `.sort()`.
  - `src/components/SchemaDiagram.tsx:220` - conditional returns the same value on both branches; simplify or fix.
  - `src/components/DataCharts.tsx:777` - non-interactive element with a click handler (same class as the a11y item above).

## Acceptance

error.

Refs: #98
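For the `PivotTable.tsx:87` item, an added example (not the project's code) of the kind of compare function `.sort()` needs. Without one, `Array.prototype.sort()` compares UTF-16 code units, so uppercase sorts before lowercase, `"file10"` sorts before `"file9"` and accented letters land after `z`; `Intl.Collator` with `numeric: true` fixes all three, and the wrapper also decides where numbers and empty cells go, which a pivot column of mixed values needs. The `Cell` type, the fixed `"en"` locale and the ordering rules for numbers and empties are assumptions.

```typescript
// Added example, not the project's PivotTable.tsx: a comparator for
// Array.prototype.sort() over mixed pivot-table cell values.
type Cell = string | number | null | undefined; // assumed cell shape

// "en" is fixed here for reproducible output; a UI would pass the user's locale.
// numeric: true sorts embedded digit runs by value ("file9" < "file10");
// sensitivity: "base" treats case and accents as equal at the first level.
const collator = new Intl.Collator("en", { numeric: true, sensitivity: "base" });

function comparePivotCells(a: Cell, b: Cell): number {
  // Empty cells always sort last so they do not interleave with real values.
  const aEmpty = a === null || a === undefined || a === "";
  const bEmpty = b === null || b === undefined || b === "";
  if (aEmpty || bEmpty) return Number(aEmpty) - Number(bEmpty);
  // Numbers compare numerically and sort before any string.
  if (typeof a === "number" && typeof b === "number") return a - b;
  if (typeof a === "number") return -1;
  if (typeof b === "number") return 1;
  return collator.compare(a, b);
}

// Sort a copy so the caller's (possibly React-state) array is not mutated in place.
function sortCells(cells: Cell[]): Cell[] {
  return [...cells].sort(comparePivotCells);
}

// Constructed sample column, not data from the project.
const sample: Cell[] = ["Zebra", null, "file10", 9, "apple", "", "Éclair", 100, "file9"];
console.log(sortCells(sample));
// For contrast, the default comparator on the string subset:
console.log(["apple", "Éclair", "Zebra"].sort());
```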