Production

[oslynn]

This PR ...

If you are suggesting a fix for a currently exploitable issue, please disclose the issue to the prime-reportstream team directly outside of GitHub instead of filing a PR, so we may immediately patch the affected systems before a disclosure. See SECURITY.md/Reporting a Vulnerability for more information.

Test Steps:

1. Include steps to test these changes

Changes

• Include a comprehensive list of changes in this PR
• (For web UI changes) Include screenshots/video of changes

Checklist

Testing

• Tested locally?
• Ran ./prime test or ./gradlew testSmoke against local Docker ReportStream container?
• (For Changes to /frontend-react/...) Ran npm run lint:write?
• Added tests?

Process

• Are there licensing issues with any new dependencies introduced?
• Includes a summary of what a code reviewer should test/verify?
• Updated the release notes?
• Database changes are submitted as a separate PR?
• DevOps team has been notified if PR requires ops support?

Linked Issues

• Fixes #issue

To Be Done

Create GitHub issues to track the work remaining, if any

• #issue

Specific Security-related subjects a reviewer should pay specific attention to

• Does this PR introduce new endpoints?
  • new endpoint A
  • new endpoint B
• Does this PR include changes in authentication and/or authorization of existing endpoints?
• Does this change introduce new dependencies that need vetting?
• Does this change require changes to our infrastructure?
• Does logging contain sensitive data?
• Does this PR include or remove any sensitive information itself?

If you answered 'yes' to any of the questions above, conduct a detailed Review that addresses at least:

• What are the potential security threats and mitigations? Please list the STRIDE threats and how they are mitigated
  • Spoofing (faking authenticity)
    • Threat T, which could be achieved by A, is mitigated by M
  • Tampering (influence or sabotage the integrity of information, data, or system)
  • Repudiation (the ability to dispute the origin or originator of an action)
  • Information disclosure (data made available to entities who should not have it)
  • Denial of service (make a resource unavailable)
  • Elevation of Privilege (reduce restrictions that apply or gain privileges one should not have)
• Have you ensured logging does not contain sensitive data?
• Have you received any additional approvals needed for this change?

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details

Scanned Manifest Files

[github-actions]

Test Results

1 265 tests  +18   1 261 ✅ +18   7m 28s ⏱️ -10s
  164 suites + 2       4 💤 ± 0 
  164 files   + 2       0 ❌ ± 0 

Results for commit 7e793f5. ± Comparison against base commit 7895c62.

This pull request removes 5 and adds 23 tests. Note that renamed tests count towards both.

gov.cdc.prime.router.azure.BlobAccessTests ‑ copy blob()
gov.cdc.prime.router.fhirengine.utils.HL7ReaderTests ‑ get getMessages can parse a message that uses the deprecated CE type in OBX2()
gov.cdc.prime.router.fhirengine.utils.HL7ReaderTests ‑ get getMessages no mapped models()
gov.cdc.prime.router.fhirengine.utils.HL7ReaderTests ‑ get getMessages v27 succeeds()
gov.cdc.prime.router.fhirengine.utils.HL7ReaderTests ‑ test getMessageProfile()

gov.cdc.prime.router.ReceiverTests ‑ test MAJURO receiver timezone()
gov.cdc.prime.router.azure.ReportFunctionTests ‑ return ack if requested and enabled()
gov.cdc.prime.router.azure.service.SubmissionResponseBuilderTest ‑ build ACK response when enabled for sender and correct conditions ()
gov.cdc.prime.router.azure.service.SubmissionResponseBuilderTest ‑ build JSON response when enabled for sender but HL7 does not request it()
gov.cdc.prime.router.azure.service.SubmissionResponseBuilderTest ‑ build JSON response when enabled for sender but is a batch message()
gov.cdc.prime.router.azure.service.SubmissionResponseBuilderTest ‑ build JSON response when processing was unsuccessful()
gov.cdc.prime.router.fhirengine.engine.CustomTranslationFunctionsTest ‑ test mojuroTimezone with convertDateTimeToHL7()
gov.cdc.prime.router.fhirengine.engine.FhirConverterTests ‑ test condition code stamping without message header()
gov.cdc.prime.router.fhirengine.engine.FhirTranslatorTests ‑ test translation happy path with file digest exception()
gov.cdc.prime.router.fhirengine.translation.hl7.utils.CustomFHIRFunctionsTests ‑ test changeTimezone with date as string - exception()
…

♻️ This comment has been updated with latest results.

[github-actions]

Branch deployed to Chromatic 🚀.

• ⚠️ Detected 3 tests with visual changes.
• ✅ All tests passed.

View via:

• Chromatic: https://www.chromatic.com/build?appId=6419b81d4a47163c3050f14a&number=1381
• Storybook: https://6419b81d4a47163c3050f14a-umtieykdpy.chromatic.com/

[github-actions]

⚠️ Broken Links ⚠️

❌ https://www.hhs.gov/vulnerability-disclosure-policy/index.html

Error: Request failed with status code 403

---

❌ /assets/xlsm/20241204_ReportStream-Mapping-Template.xlsm

Error: Internal link: Page error

---

❌ https://www.cdc.gov/poxvirus/mpox/lab-personnel/report-results.html

Error: Request failed with status code 404

---