cqframework / mct
Measure Calculation Tool for reporting and calculating FHIR-based digital quality measures (dQMs).
License: Other
Front-end: Examine Select-all Behavior in FacilitiesMultiSelect.js
Behavior could be as expected, but worth examining for possible performance improvements.
src/components/FacilitiesMultiSelect.js
Inside the useEffect, you are checking the length of facilities against the length of
selected facilities to determine if "Select All" should be on or off. In this case, the
selectedFacilities dependency could potentially cause frequent re-renders.
The code block: selectedFacilities.indexOf(id) > -1 inside the map function
can be performance-intensive if there are many facilities since indexOf would be O(n).
The "Select All" option toggles the state, which means if all facilities are already selected
and a user clicks "Select All" again, it will deselect all. If this is the desired behavior, it's
okay. If not, you might want to address it.
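The select-all logic discussed above, re-expressed as an added example (this is not code from the MCT repository): membership is tested with a Set so the per-item check is O(1) instead of the O(n) indexOf scan, and the toggle rule the issue asks about is written out explicitly. Facility ids and names are constructed sample data; the function names are assumptions.

```javascript
// Added example, not from FacilitiesMultiSelect.js: Set-based selection state
// with an explicit "Select All" toggle rule. Sample facilities are constructed.

const facilities = [
  { id: "f-001", name: "Facility A" },
  { id: "f-002", name: "Facility B" },
  { id: "f-003", name: "Facility C" },
];

// Build the option list for rendering. Set.has() is O(1), so one pass over the
// facilities is O(n) overall rather than the O(n^2) of indexOf inside map.
function buildOptions(allFacilities, selectedIds) {
  const selected = new Set(selectedIds);
  return allFacilities.map((f) => ({
    id: f.id,
    name: f.name,
    checked: selected.has(f.id),
  }));
}

// Derive the "Select All" checkbox state. Using the Set size tolerates
// duplicate ids in the selected list.
function isAllSelected(allFacilities, selectedIds) {
  return allFacilities.length > 0 &&
    new Set(selectedIds).size === allFacilities.length;
}

// Toggle rule, stated explicitly: when every facility is already selected,
// clicking "Select All" clears the selection; otherwise it selects everything.
function toggleSelectAll(allFacilities, selectedIds) {
  return isAllSelected(allFacilities, selectedIds)
    ? []
    : allFacilities.map((f) => f.id);
}

// Toggle one facility without touching the others; returns a new array so a
// React state setter sees a changed reference.
function toggleOne(selectedIds, id) {
  const selected = new Set(selectedIds);
  if (selected.has(id)) selected.delete(id); else selected.add(id);
  return [...selected];
}
```

In a component, `buildOptions` would be wrapped in `useMemo` keyed on the facilities and selection arrays, and `toggleSelectAll` / `toggleOne` would feed the state setter, so the only work on each click is the Set construction.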
DOCKERFILE Improvements
Running as a non-root user helps to avoid security risks; using security headers is a good best practice.
DOCKERFILE
The Dockerfile is structured in a multi-stage build format which is good for optimizing the
final image size. I'll walk you through each part of the Dockerfile and point out any concerns or
recommendations:
FROM node:18.12.1-alpine as builder: You're using a specific version of Node.js
with Alpine, which is a lightweight distro. This is a good practice as it minimizes
the image size and reduces potential attack surfaces.
COPY package.json yarn.lock ./: Good! You're copying only the necessary files
for the yarn install command. This takes advantage of Docker's caching
mechanism and ensures faster builds if no dependencies change.
Recommendations: Consider using a non-root user even in the builder stage. Running as a non-root
user is a security best practice.
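A multi-stage Dockerfile in the same shape as the one reviewed above, with a non-root user in both the builder and the runtime stage. This is an added example and not the project's Dockerfile; the `yarn build` output directory, the use of yarn, and the choice of the unprivileged nginx image are assumptions.

```dockerfile
# Added example, not the MCT Dockerfile. Both stages run unprivileged.

FROM node:18.12.1-alpine AS builder
WORKDIR /app
# The official node images ship a "node" user (uid 1000). Give it the work
# directory and drop root before installing dependencies, so a package with a
# malicious install script cannot write outside /app.
RUN chown node:node /app
USER node
# Copy only the manifest first so the dependency layer is cached until it changes.
COPY --chown=node:node package.json yarn.lock ./
RUN yarn install --frozen-lockfile
COPY --chown=node:node . .
# Assumed to emit the static site into /app/build (create-react-app default).
RUN yarn build

# Runtime: the unprivileged nginx image already runs as the "nginx" user and
# listens on 8080 instead of 80, so no root is needed to bind the port.
FROM nginxinc/nginx-unprivileged:1.25-alpine
COPY --from=builder /app/build /usr/share/nginx/html
EXPOSE 8080
```

Static files only need to be readable by the nginx user, so the runtime copy needs no `--chown`. Because the runtime stage listens on 8080, any `docker run -p` mapping or compose port entry that assumed port 80 has to be updated.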
Hardcoded values in the initialState object: date: 'q1'.
Hardcoded values can have unexpected consequences and make the code less reusable, so we expect not to use them.
src/store/reducers/filter.js
.env committed to repo
Committing the .env file increases chances of credentials or other sensitive info being leaked. Using an .example.env or other placeholder file instead can help reduce risk.
.env
CQF Ruler
MCT Backend (mct/java)
MCT Frontend (mct/frontend)
Navigate to localhost:3000 in browser, which should display the MCT landing page
Backend: Dependency Version Bumping
Versions are updated to mitigate known vulnerabilities. Let's enable dependabot after this to stay ahead of future dep issues.
Dependencies
The following packages are out of date and have reported vulnerabilities:
Missing Security Headers?
Security headers are typically present in production-quality projects (acknowledging this is a proof-of-concept).
public/index.html
When running the app, there are several security headers that are missing during
development. I do not know if they have been added to the app, or if it even matters, in
production.
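An added example (not code from the MCT repository) of the headers a browser app like this one would normally be served with, together with a check that reports which of them a given response lacks. The Content-Security-Policy value is an assumption suitable for a React build served from its own origin and will need adjusting to the origins the app actually loads from; the sample dev-server headers are constructed.

```javascript
// Added example, not from the MCT project: expected security headers, a
// middleware that sets them, and a check for which ones are missing.

const EXPECTED_SECURITY_HEADERS = {
  // Assumed policy for a same-origin React build; adjust per deployment.
  "content-security-policy":
    "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; " +
    "img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "x-content-type-options": "nosniff",
  "x-frame-options": "DENY",
  "referrer-policy": "no-referrer",
  "permissions-policy": "camera=(), microphone=(), geolocation=()",
};

// Return the names of expected headers absent from a response. Header names
// are compared case-insensitively, as HTTP requires.
function missingSecurityHeaders(responseHeaders) {
  const present = new Set(Object.keys(responseHeaders).map((h) => h.toLowerCase()));
  return Object.keys(EXPECTED_SECURITY_HEADERS).filter((h) => !present.has(h));
}

// Middleware in the (req, res, next) shape used by Express and compatible with
// the plain Node http module's res.setHeader.
function securityHeadersMiddleware(req, res, next) {
  for (const [name, value] of Object.entries(EXPECTED_SECURITY_HEADERS)) {
    res.setHeader(name, value);
  }
  next();
}

// Constructed sample: headers a typical development server sends for index.html.
const devServerHeaders = {
  "Content-Type": "text/html; charset=utf-8",
  "Cache-Control": "no-cache",
  "X-Content-Type-Options": "nosniff",
};
```

Two caveats for a project whose only server-side piece is public/index.html: Content-Security-Policy can be delivered as a `<meta http-equiv="Content-Security-Policy">` tag, but Strict-Transport-Security, X-Frame-Options and the others only take effect as real response headers, so they belong in whatever serves the built app (nginx, a CDN, or the API gateway). Strict-Transport-Security is also ignored over plain HTTP, which is why a development server will always show it as missing.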
Unvalidated/Unsanitized user input in src/store/reducers/data.js
User input should be validated and sanitized to prevent potential security issues.
src/store/reducers/data.js
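An added example of what "validate and sanitize before storing" looks like in a reducer of the kind in src/store/reducers/data.js. This is not the project's reducer; the action type and the payload fields (facilityIds, period, measureId) are assumptions about the shape of a report request, and the sample payloads are constructed.

```javascript
// Added example, not from data.js: a reducer that validates its payload and
// stores only the fields it checked. Field names are assumptions.

const initialState = { facilityIds: [], period: null, measureId: null, error: null };

const ID_PATTERN = /^[A-Za-z0-9._-]{1,64}$/;        // permitted id characters and length
const PERIOD_PATTERN = /^\d{4}-(0[1-9]|1[0-2])$/;    // YYYY-MM

// Validate and normalise a report request. Returns { ok: true, value } or
// { ok: false, error }, so the reducer never stores a half-checked object.
function validateReportRequest(payload) {
  if (payload === null || typeof payload !== "object") {
    return { ok: false, error: "payload must be an object" };
  }
  const { facilityIds, period, measureId } = payload;
  if (!Array.isArray(facilityIds) || facilityIds.length === 0) {
    return { ok: false, error: "facilityIds must be a non-empty array" };
  }
  for (const id of facilityIds) {
    if (typeof id !== "string" || !ID_PATTERN.test(id)) {
      // Truncate the echoed value so an oversized input cannot bloat the error.
      return { ok: false, error: `invalid facility id: ${String(id).slice(0, 80)}` };
    }
  }
  if (typeof measureId !== "string" || !ID_PATTERN.test(measureId)) {
    return { ok: false, error: "invalid measureId" };
  }
  if (period === null || typeof period !== "object") {
    return { ok: false, error: "period must be an object" };
  }
  const { start, end } = period;
  if (typeof start !== "string" || !PERIOD_PATTERN.test(start) ||
      typeof end !== "string" || !PERIOD_PATTERN.test(end) || start > end) {
    return { ok: false, error: "period.start and period.end must be YYYY-MM with start <= end" };
  }
  // Rebuild the value from checked fields only; unknown properties are dropped,
  // duplicate ids are collapsed.
  return {
    ok: true,
    value: { facilityIds: [...new Set(facilityIds)], period: { start, end }, measureId },
  };
}

function dataReducer(state = initialState, action) {
  switch (action.type) {
    case "data/setReportRequest": {
      const result = validateReportRequest(action.payload);
      if (!result.ok) {
        return { ...state, error: result.error };   // keep the previous valid request
      }
      return { ...state, ...result.value, error: null };
    }
    default:
      return state;
  }
}
```

The lexicographic `start > end` comparison is correct only because the format is fixed to zero-padded YYYY-MM by the regex check that precedes it; validating format before range is what makes the simple comparison safe.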
Bellese Code Review of MCT Repo (9-1-23).pdf
Our friends over at Bellese have conducted another code review of the MCT codebase, and identified a few issues that they would like the project to address.
Attached is that review above for future reference.
As I see it, highest priority should be resolved pre-release, lower priority can be resolved post-release. If y'all think these priorities should be shifted, please comment here with updated lists.
Highest Priority:
Lower Priority:
Missing 404 and other Error Pages?
Having a default 404 page at a minimum, other pages for other HTTP codes desirable.
There is no default 404 error page, or any other error pages.
Path Traversal Vulnerability in MctConfig.java
Limitation of a pathname to a restricted directory.
Lack of limitation of a pathname to a restricted directory.
/java/src/main/java/org/config/MctConfig.java
public MctNpmPackageValidationSupport mctNpmPackageValidationSupport(
        FhirContext fhirContext, MctProperties properties) throws IOException {
    MctNpmPackageValidationSupport validationSupport =
            new MctNpmPackageValidationSupport(fhirContext);
    NpmPackage basePackage;
    // The package location is taken straight from configuration and handed to
    // NpmPackage.fromUrl() with no check that it lies inside an allowed directory.
    for (Map.Entry<String, MctProperties.ImplementationGuide> igs :
            properties.getImplementationGuides().entrySet()) {
        if (igs.getValue().getUrl() != null) {
            basePackage = NpmPackage.fromUrl(igs.getValue().getUrl());
        }
    }
    // (remainder of the method is not shown in the issue excerpt)
    return validationSupport;
}
Missing Route-based access control?
src/routes/MainRoutes.js
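An added example that serves both the missing error pages issue and the route-based access control issue above: a route table with a per-route access rule and a catch-all 404, resolved by a pure function. This is not code from MainRoutes.js; it models the decision a guard wrapper around React Router's routes would make, and the paths, roles and component names are assumptions.

```javascript
// Added example, not from MainRoutes.js: route table with access rules and a
// 404 fallback. Paths, roles and component names are assumptions.

const routes = [
  { path: "/", component: "Landing", access: "public" },
  { path: "/login", component: "Login", access: "public" },
  { path: "/report", component: "Report", access: "authenticated" },
  { path: "/admin/facilities", component: "FacilityAdmin", access: "role", role: "admin" },
];

const NOT_FOUND = { status: 404, component: "NotFound" };

// Strip query string, fragment and a trailing slash so "/report/?x=1" matches "/report".
function normalizePath(pathname) {
  let p = pathname.split(/[?#]/)[0];
  if (p.length > 1 && p.endsWith("/")) p = p.slice(0, -1);
  return p || "/";
}

// Decide what to render for `pathname` given the current user (null when not
// signed in). Unknown paths get the 404 page for everyone; protected paths
// redirect or return 403 rather than leaking which component they map to.
function resolveRoute(pathname, user) {
  const clean = normalizePath(pathname);
  const route = routes.find((r) => r.path === clean);
  if (!route) return NOT_FOUND;
  switch (route.access) {
    case "public":
      return { status: 200, component: route.component };
    case "authenticated":
      return user
        ? { status: 200, component: route.component }
        : { status: 302, redirectTo: "/login", from: clean };
    case "role":
      if (!user) return { status: 302, redirectTo: "/login", from: clean };
      return (user.roles || []).includes(route.role)
        ? { status: 200, component: route.component }
        : { status: 403, component: "Forbidden" };
    default:
      return NOT_FOUND;   // a route with an unknown access value fails closed
  }
}
```

In React Router terms, the `404` result corresponds to a final `<Route path="*" element={<NotFound />}>`, and the `302` result to a `<Navigate to="/login" state={{ from }}>` rendered by the guard. Keeping the rule in the table rather than inside each page component means a new route without an `access` entry falls through to the fail-closed default instead of being silently public. Client-side guards only shape the UI; the API serving report data still has to enforce the same rules server-side.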
lodash dependency swap?
/Package.json
lodash has had multiple vulnerabilities in the past and it may be worth considering limiting
importing to necessary libraries or taking advantage of the latest ECMA standard, which should,
theoretically, increase performance.
I am able to navigate to the CQF MCT site on my localhost and click through all the different options (single vs multi facility, facility name, date range, etc.). However, after selecting all of those options, clicking get report takes me to a blank screen that does not populate with any information. Any help would be appreciated. Thanks!