
Resolve CodeQL Alert #94 - Generated by GHA #6662

Closed
7 of 10 tasks
HackforLABot opened this issue Apr 17, 2024 · 7 comments · Fixed by #6822
Assignees
Labels
Complexity: Medium Feature: Code Alerts role: back end/devOps Tasks for back-end developers size: 1pt Can be done in 4-6 hours
Milestone

Comments

HackforLABot commented Apr 17, 2024

Prerequisite

  1. Be a member of Hack for LA. (There are no fees to join.) If you have not joined yet, please follow the steps on our Getting Started page.
  2. Before you claim or start working on an issue, please make sure you have read our How to Contribute to Hack for LA Guide.

Overview

We need to resolve the new alert (94) and either recommend dismissal of the alert or update the code files to resolve the alert.

Action Items

  • The following action item serves to "link" this issue as the "tracking issue" for the CodeQL alert and to provide more details regarding the alert:
  • https://github.com/hackforla/website/security/code-scanning/94
  • In a comment in this issue, add your analysis and recommendations. The recommendation can be one of the following: dismiss as test, dismiss as false positive, dismiss as won't fix, or update code. An example of a false positive is a report of a JavaScript syntax error that is caused by markdown or liquid symbols such as --- or {%
  • If the recommendation is to dismiss the alert:
    • Apply the label ready for dev lead
    • Move the issue to Questions/In Review
  • If the recommendation is to update code:
    • Create an issue branch and proceed with the code update
    • The code github-actions/trigger-issue/add-missing-labels-to-issues/check-labels.js is used in the workflow .github/workflows/issue-trigger.yml and cannot be tested using Docker; instead it must be tested in the developer's fork of the hackforla/website repository. For testing guidance see Create Wiki page to fill in missing GHA documentation: Issue Trigger #5166 (comment)
    • Proceed with pull request in the usual manner

Resources/Instructions

This issue was automatically generated from the codeql.yml workflow

@HackforLABot HackforLABot added the ready for dev lead Issues that tech leads or merge team members need to follow up on label Apr 17, 2024
@github-actions github-actions bot added Feature Missing This label means that the issue needs to be linked to a precise feature label. size: missing role missing Complexity: Missing labels Apr 17, 2024
@ExperimentsInHonesty ExperimentsInHonesty added this to the 02. Security milestone Apr 22, 2024
@roslynwythe roslynwythe added Complexity: Medium Feature: Code Alerts size: 1pt Can be done in 4-6 hours role: back end/devOps Tasks for back-end developers Ready for Prioritization and removed Feature Missing This label means that the issue needs to be linked to a precise feature label. size: missing role missing Complexity: Missing ready for dev lead Issues that tech leads or merge team members need to follow up on labels May 1, 2024
@t-will-gillis t-will-gillis self-assigned this May 3, 2024

github-actions bot commented May 5, 2024

Hi @JackCasica, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:-
i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?)
ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

@JackCasica

Availability: May 5, 2024 (Sunday)
ETA: May 5, 2024 (Sunday)

JackCasica commented May 5, 2024

My recommendation is to update code by removing unused variable results

  try {
    const results = await github.rest.issues.setLabels({
      owner: owner,
      repo: repo,
      issue_number: issueNum,
      labels: labels
    })
    if (labelsToAdd.length > 0) {
      console.log('Successfully added labels: ', labelsToAdd);
    }
    return true
  }
  catch(err) {
    console.log('Error editing labels: ', err)
    return false
  }

Will be:

  try {
    await github.rest.issues.setLabels({
      owner: owner,
      repo: repo,
      issue_number: issueNum,
      labels: labels
    })
    if (labelsToAdd.length > 0) {
      console.log('Successfully added labels: ', labelsToAdd);
    }
    return true
  }
  catch(err) {
    console.log('Error editing labels: ', err)
    return false
  }
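The action items note that check-labels.js cannot be tested in Docker and must be exercised in a fork. As an added example (not code from the hackforla/website repository), the corrected logic above is wrapped in a hypothetical function setIssueLabels and driven by a constructed fake github client, so both the success path and the catch path can be checked locally:

```javascript
// Added example (not code from hackforla/website): the corrected logic from the
// comment above, wrapped in a hypothetical function `setIssueLabels` so it can be
// exercised offline with a fake `github` client instead of a repository fork.
async function setIssueLabels(github, { owner, repo, issueNum, labels, labelsToAdd }) {
  try {
    // The response is not needed, so the call is awaited for its side effect only;
    // no `results` binding is introduced for CodeQL to flag as unused.
    await github.rest.issues.setLabels({
      owner: owner,
      repo: repo,
      issue_number: issueNum,
      labels: labels,
    });
    if (labelsToAdd.length > 0) {
      console.log('Successfully added labels: ', labelsToAdd);
    }
    return true;
  } catch (err) {
    console.log('Error editing labels: ', err);
    return false;
  }
}

// Constructed stand-in for the `github` object that actions/github-script
// provides: records every setLabels call and can be told to fail, so both the
// success path and the catch path of setIssueLabels can be checked locally.
function makeFakeGithub({ fail = false } = {}) {
  const calls = [];
  return {
    calls,
    rest: {
      issues: {
        async setLabels(params) {
          calls.push(params);
          if (fail) throw new Error('simulated GitHub API failure');
          return { data: params.labels.map((name) => ({ name })) };
        },
      },
    },
  };
}

// Runs both scenarios (healthy client, failing client) and returns the outcomes.
async function runScenarios() {
  const args = { owner: 'hackforla', repo: 'website', issueNum: 6662,
    labels: ['size: 1pt', 'role: back end/devOps'], labelsToAdd: ['size: 1pt'] };
  const healthy = makeFakeGithub();
  const okResult = await setIssueLabels(healthy, args);
  const failResult = await setIssueLabels(makeFakeGithub({ fail: true }), args);
  return { okResult, failResult, recordedCalls: healthy.calls };
}
```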

@JackCasica JackCasica added the ready for dev lead Issues that tech leads or merge team members need to follow up on label May 5, 2024
@t-will-gillis

Hey @JackCasica I think your proposal to update code sounds correct.

Given this, you can continue working on this issue. I will move this back to "In Progress (actively working)" and remove the ready for dev lead label and you can continue with it. If you need help with setting up an environment for testing, there is this document Hack for LA's GitHub Actions and feel free to send questions in Slack.

@t-will-gillis t-will-gillis removed the ready for dev lead Issues that tech leads or merge team members need to follow up on label May 5, 2024
@t-will-gillis

Also, you can uncheck the boxes at the section titled since you are proposing to update the code:

- [ ] If the recommendation is to dismiss the alert:
  - [ ] Apply the label ready for dev lead
  - [ ] Move the issue to Questions/In Review
