cisagov · mitchelbaker-cisa · Jun 4, 2024 · Jun 4, 2024 · Jun 4, 2024 · Jun 4, 2024
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -13,37 +13,37 @@ on:
 jobs:
   lint:
     runs-on: ubuntu-latest
+    continue-on-error: true
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
       - name: Lint Shell Scripts
-        continue-on-error: true
         run: |
           sudo apt-get update
           sudo apt-get install shellcheck
           shellcheck **/*.sh
 
       - name: Lint PowerShell Scripts
-        continue-on-error: true
+        if: failure()
         run: |
           pwsh -Command "Invoke-ScriptAnalyzer -EnableExit -Recurse -Path ."
 
       - name: Lint Lua
-        continue-on-error: true
+        if: failure()
         run: |
           sudo apt-get install -y luarocks
           sudo luarocks install luacheck
           luacheck **/*.lua
 
       - name: Lint TeX Files
-        continue-on-error: true
+        if: failure()
         run: |
           sudo apt-get install chktex
           chktex **/*.tex
 
       - name: Lint YAML Files
-        continue-on-error: true
+        if: failure()
         run: |
           sudo apt-get update
           sudo apt-get install yamllint
@@ -58,7 +58,6 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Semgrep Scan
-        continue-on-error: true
         run: |
           semgrep --config "p/r2c" .
 

diff --git a/testing/InstallTestbed.ps1 b/testing/InstallTestbed.ps1
@@ -44,7 +44,7 @@ else {
 }
 
 if ($Version -ne $false -and -not ($Version -match '^[0-9]+\.[0-9]+\.[0-9]+$')) {
-    Write-Host "Invalid version format: $Version. Expected format: X.Y.Z (e.g., 1.3.0)"
+    Write-Error "Invalid version format: $Version. Expected format: X.Y.Z (e.g., 1.3.0)"
     exit 1
 }
 
@@ -136,7 +136,7 @@ if (-Not $LinuxOnly) {
     Start-Sleep 10
 
     # See if we can see the forwarding computers in the DC
-    write-host "`nChecking if we can see the forwarding computers in the DC..."
+    Write-Output "`nChecking if we can see the forwarding computers in the DC..."
     $listForwardingComputersResponse = .\run_script_in_container.ps1 `
         -ResourceGroup $ResourceGroup `
         -VMName $DomainController `
@@ -255,7 +255,7 @@ $getElasticsearchPasswordsResponse = az vm run-command invoke `
   --command-id RunShellScript `
   --name $LinuxVM `
   --resource-group $ResourceGroup `
-  --scripts 'sed -n "/^## elastic/,/^####################/p" "/opt/lme/Chapter 3 Files/output.log"'  
+  --scripts 'sed -n "/^## elastic/,/^####################/p" "/opt/lme/Chapter 3 Files/output.log"'
 
 Write-Output $ProcessSeparator
 
@@ -364,15 +364,15 @@ $runTestResponse = az vm run-command invoke `
   --scripts '/home/admin.ackbar/lme/configure/linux_test_install.sh' | ConvertFrom-Json
 
 $message = $runTestResponse.value[0].message
-Write-Host "$message`n"
-Write-Host "--------------------------------------------"
+Write-Output "$message`n"
+Write-Output "--------------------------------------------"
 
 # Check if there is stderr content in the message field
 if ($message -match '\[stderr\]\n(.+)$') {
-    Write-Host "Tests failed"
+    Write-Output "Tests failed"
     exit 1
 } else {
-    Write-Host "Tests succeeded"
+    Write-Output "Tests succeeded"
 }
 
 Write-Output "`nInstall completed."
@@ -399,4 +399,4 @@ Branch: $Branch
 # Output the parameters to the end of the password file
 $paramsToWrite | Out-File -Append -FilePath $PasswordPath
 
-Get-Content -Path $PasswordPath
+Get-Content -Path $PasswordPath
diff --git a/testing/SetupTestbed.ps1 b/testing/SetupTestbed.ps1
@@ -123,6 +123,7 @@ function Get-RandomPassword {
 }
 
 function Set-AutoShutdown {
+    [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "", Scope="Function")]
     param (
         [Parameter(Mandatory)]
         [string]$VMName
@@ -146,7 +147,8 @@ function Set-AutoShutdown {
     }
 }
 
-function Set-NetworkRules {
+function Set-NetworkRule {
+    [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "", Scope="Function")]
     param (
         [Parameter(Mandatory)]
         $AllowedSourcesList
@@ -176,10 +178,11 @@ function Set-NetworkRules {
             "--source-address-prefixes $AllowedSourcesList " +
             "--destination-address-prefixes '*' " +
             "--destination-port-ranges $port " +
-            "--description 'Allow inbound from $sources on $port via $protocol connections.' " 
+            "--description 'Allow inbound from $sources on $port via $protocol connections.'"
 
         Write-Output "Running command: $command"
 
+	# TODO: Avoid using Invoke-Expression; https://learn.microsoft.com/en-us/powershell/scripting/learn/deep-dives/avoid-using-invoke-expression?view=powershell-7.4
         $networkRuleResponse = Invoke-Expression $command
         Write-Output $networkRuleResponse
 
@@ -265,7 +268,7 @@ $createNsgResponse = az network nsg create --name NSG1 `
     --tags project=$Project created=$Today createdBy=$CurrentUser
 Write-Output $createNsgResponse
 
-Set-NetworkRules -AllowedSourcesList $AllowedSourcesList
+Set-NetworkRule -AllowedSourcesList $AllowedSourcesList
 
 ##################
 # Create the VMs #
@@ -432,14 +435,14 @@ if (-Not $LinuxOnly){
     Add-DnsServerResourceRecordA -Name LS1 -ZoneName $DomainName. -AllowUpdateAny -IPv4Address $LsIP -TimeToLive 01:00:00 -AsJob
 }
 `$job = Start-Job -ScriptBlock `$scriptBlock
-`$timeout = 120 
+`$timeout = 120
 if (Wait-Job -Job `$job -Timeout `$timeout) {
     Receive-Job -Job `$job
-    Write-Host 'The script completed within the timeout period.'
+    Write-Output 'The script completed within the timeout period.'
 } else {
     Stop-Job -Job `$job
     Remove-Job -Job `$job
-    Write-Host 'The script timed out after `$timeout seconds.'
+    Write-Output 'The script timed out after `$timeout seconds.'
 }
 "@
 
@@ -473,15 +476,15 @@ if (Wait-Job -Job `$job -Timeout `$timeout) {
     --scripts "Add-Content -Path 'C:\windows\system32\drivers\etc\hosts' -Value '$LsIP ls1.$DomainName ls1'"
     Show-FormattedOutput -FormattedOutput (Format-AzVmRunCommandOutput -JsonResponse "$writeToHostsFileResponse")
 
-    Write-Host "Checking if ls1 resolves. This should resolve to ls1.lme.local->${LsIP}, not another domain..."
+    Write-Output "Checking if ls1 resolves. This should resolve to ls1.lme.local->${LsIP}, not another domain..."
     $resolveLs1Response = az vm run-command invoke `
         --command-id RunPowerShellScript `
         --resource-group $ResourceGroup `
         --name DC1 `
         --scripts "Resolve-DnsName ls1"
     Show-FormattedOutput -FormattedOutput (Format-AzVmRunCommandOutput -JsonResponse "$resolveLs1Response")
 
-    Write-Host "Removing the Dns script. No output expected..."
+    Write-Output "Removing the Dns script. No output expected..."
     $removeDnsRecordScriptResponse = az vm run-command invoke `
         --command-id RunPowerShellScript `
         --name DC1 `

diff --git a/testing/configure/azure_scripts/copy_file_to_container.ps1 b/testing/configure/azure_scripts/copy_file_to_container.ps1
@@ -56,7 +56,7 @@ $UploadResponse = az storage blob upload `
     --overwrite
 
 # Write the upload response to the standard output stream
-Write-Host $UploadResponse
+Write-Output $UploadResponse
 
 $BlobName = (Split-Path $LocalFilePath -Leaf)
 $ExpiryTime = (Get-Date).AddDays(1).ToString('yyyy-MM-ddTHH:mm:ssZ')
@@ -72,7 +72,7 @@ $SasUrl = az storage blob generate-sas `
     --output tsv
 
 # Write the SAS URL generation response to the standard output stream
-Write-Host "SAS URL generated successfully."
+Write-Output "SAS URL generated successfully."
 
 # Set the full url var for returning to the user for use in the next script
 $FullUrl = "https://${StorageAccountName}.blob.core.windows.net/${ContainerName}/${BlobName}?${SasUrl}"

diff --git a/testing/configure/azure_scripts/create_blob_container.ps1 b/testing/configure/azure_scripts/create_blob_container.ps1
@@ -23,13 +23,14 @@ Replace "YourResourceGroupName" with the name of your Azure Resource Group.
 
 #>
 
-
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSReviewUnusedParameter", "")]
 param(
     [Parameter(Mandatory=$true)]
     [string]$ResourceGroup
 )
 
 function New-AzureName {
+    [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseShouldProcessForStateChangingFunctions", "", Scope="Function")]
     param (
         [Parameter(Mandatory=$true)]
         [string]$Prefix

diff --git a/testing/configure/azure_scripts/download_in_container.ps1 b/testing/configure/azure_scripts/download_in_container.ps1
@@ -74,6 +74,9 @@ if ($Os -eq "linux") {
     $DirectoryCreationScript = "mkdir -p '/home/$UserName/lme'"
     # TODO: We don't want to output this until we fix it so we can put all of the output from thw whole script into one json object
     # We are just ignoring the output for now
+    #
+    # Suppress error message temporarily because of the above TODO: remove when fixed
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseDeclaredVarsMoreThanAssignments", "")]
     $CreateDirectoryResponse = az vm run-command invoke `
         --command-id RunShellScript `
         --resource-group $ResourceGroup `

diff --git a/testing/configure/azure_scripts/lib/utilityFunctions.ps1 b/testing/configure/azure_scripts/lib/utilityFunctions.ps1
@@ -121,6 +121,7 @@ function Get-PrivateKeyFromJson {
 }
 
 function Invoke-GPUpdateOnVMs {
+    [Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSUseSingularNouns", "")]
     param(
         [Parameter(Mandatory = $true)]
         [string]$ResourceGroup,

diff --git a/testing/configure/trust_ls1_ssh_key.ps1 b/testing/configure/trust_ls1_ssh_key.ps1
@@ -12,6 +12,7 @@ if (-not (Test-Path -Path $SshDirectory)) {
 
 # Function to set ACL for the directory, granting FullControl to SYSTEM and applying inheritance
 function Set-SystemOnlyAclForDirectory {
+    [CmdletBinding(SupportsShouldProcess)]
     param (
         [string]$path
     )
@@ -31,6 +32,7 @@ function Set-SystemOnlyAclForDirectory {
 
 # Function to set ACL for a file, granting FullControl only to SYSTEM
 function Set-SystemOnlyAclForFile {
+    [CmdletBinding(SupportsShouldProcess)]
     param (
         [string]$path
     )

diff --git a/testing/development/destroy_cluster.ps1 b/testing/development/destroy_cluster.ps1
@@ -12,7 +12,7 @@ $resourceGroupExists = az group exists --name "$env:RESOURCE_GROUP"
 if ($resourceGroupExists -eq 'true') {
     # Delete the resource group if it exists
     az group delete --name "$env:RESOURCE_GROUP" --yes --no-wait
-    Write-Host "Deletion of resource group $($env:RESOURCE_GROUP) initiated."
+    Write-Output "Deletion of resource group $($env:RESOURCE_GROUP) initiated."
 } else {
-    Write-Host "Resource group $($env:RESOURCE_GROUP) does not exist. No action taken."
+    Write-Output "Resource group $($env:RESOURCE_GROUP) does not exist. No action taken."
 }
diff --git a/testing/development/install_lme.ps1 b/testing/development/install_lme.ps1
@@ -22,7 +22,7 @@ $targetDirectory = Join-Path -Path $PSScriptRoot -ChildPath "..\\"
 Set-Location -Path $targetDirectory
 
 # Prepare the parameters for InstallTestbed.ps1
-$installTestbedParams = "" 
+$installTestbedParams = ""
 if ($v) {
     $installTestbedParams += " -v $v "
 }
@@ -37,4 +37,5 @@ if ($m) {
 $command = ".\InstallTestbed.ps1 -ResourceGroup $env:RESOURCE_GROUP $installTestbedParams | Tee-Object -FilePath ./$env:RESOURCE_GROUP.output.log"
 
 # Execute the command
+# TODO: Remove use of Invoke-Expression
 Invoke-Expression $command
diff --git a/testing/internet_toggle.ps1 b/testing/internet_toggle.ps1
@@ -1,5 +1,4 @@
-
-
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute("PSReviewUnusedParameter", "")]
 param (
     [Parameter(Mandatory)]
     [Alias("RG")]
@@ -28,7 +27,7 @@ function disable {
       --access Deny `
       --destination-address-prefixes Internet `
       --destination-port-ranges '*'
-      
+
   az network nsg rule create --name DENYLOAD `
       --resource-group $ResourceGroup `
       --nsg-name $NSG `