Merge develop into master (14 Nov) #2685
…into rb-oct-30-risk-mng-class-based
- Add invisible placeholder to maintain consistent height across all tabs
- Wrap Overview and Settings tabs in AI Trust Center with createTabLabelWithCount
- Ensures all tabs align horizontally regardless of badge presence

- Show zero counts by default (changed showZero default to true)
- Add count badges to Use case risks and Linked models tabs in project view
- Fetch counts on page load and refresh
- Ensure all tabs use createTabLabelWithCount for consistent alignment

- Change isSearchBarVisible initial state from false to true
- Affects Policies, Incident Management, Model Inventory, and Training Registrar pages
- Users no longer need to click search icon to expand search box

- Add minHeight: 34px to searchBoxStyle
- Ensures search box and status filter dropdown have consistent heights

…onent, tasks table
- Restructure vendor modal layout with aligned fields and narrowed modal width
- Fix Select component width handling for proper alignment
- Increase breadcrumb height by 20% and adjust chevron spacing
- Remove focus outline from breadcrumb links
- Convert Validate fairness button to CustomizableButton
- Add tooltips to view toggle switcher
- Improve empty state messaging for framework linked models with link
- Update model risk modal to sentence case
- Change View controls buttons to links in risk management table
- Replace 'project' with 'use case' in risk forms
- Update RiskChip to have consistent 34px height and 110px minWidth
- Replace Stack with RiskChip component for risk level display
- Fix vendor risks button hover issue with fixed width
- Make search boxes always visible on overview page
- Replace large RiskChip with compact badges in Tasks table for Priority and Overdue

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
UI/UX visual improvements: layout fixes, component enhancements
…based Rb oct 30 risk mng class based
…om user-controlled sources Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 13: Database query built from user-controlled sources
…ing or encoding Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 20: Incomplete string escaping or encoding
…om user-controlled sources Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 14: Database query built from user-controlled sources
…into yb-nov-3-integrate-class-based-Organizational-view
Updated 36 files to ensure consistent sentence case formatting across:
- Modal and dialog titles (15 instances)
- Button labels (7 instances)
- Form labels and placeholders (9 instances)
- Drawer and tab labels (8 instances)
- Navigation menu items in Sidebar
- Command palette labels in registry

Examples of changes:
- "Confirm Delete" → "Confirm delete"
- "Risk Management" → "Risk management"
- "Add/Remove risks" → "Add/remove risks"
- "Select Users" → "Select users"

This improves UI consistency and follows proper sentence case conventions where only the first letter of a sentence is capitalized.

🤖 Generated with [Claude](https://claude.com/)
Co-Authored-By: Claude <noreply@anthropic.com>

Reverted changes to sidebar menu items and page headers to maintain Title Case formatting, while keeping sentence case for:
- Modal and dialog titles
- Button labels
- Form labels and placeholders
- Drawer and tab action labels

This ensures proper hierarchy where navigation and headers use Title Case for prominence, while interactive elements use sentence case.

🤖 Generated with [Claude](https://claude.com/)
Co-Authored-By: Claude <noreply@anthropic.com>

- Updated "Use cases" → "Use Cases"
- Updated "Organizational view" → "Organizational View"
- Updated "AI training registry" → "AI Training Registry" (page header and drawer)

Ensures all sidebar navigation and page headers consistently use Title Case.

🤖 Generated with [Claude](https://claude.com/)
Co-Authored-By: Claude <noreply@anthropic.com>

Updated page header in Organizational View from "Frameworks" to "Organizational Frameworks" for better clarity and consistency.

🤖 Generated with [Claude](https://claude.com/)
Co-Authored-By: Claude <noreply@anthropic.com>
Convert all UI text elements to sentence case
- Update drawer header font size to 15px for consistency
- Restructure parameter selection layout with text on top and buttons below
- Align parameter selection buttons to the right
- Remove chart titles and show only timeframe toggles
- Adjust chart margins and legend positioning (35px padding)
- Reduce chart height from 400px to 300px
- Add EmptyState component with message "There is no historical data here"
- Apply consistent styling across Model Inventory and Risk Management analytics

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Remove unused 'title' parameter from both chart components
- Remove 'hidden' property from legend config (not a valid property)
- Legend is shown by default without the hidden property

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Remove padding property from legend config in both chart components
- Property is not supported by MUI Charts legend type
- Legend positioning controlled through bottom margin instead

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>

- Remove itemMarkWidth, itemMarkHeight, markGap, itemGap, and labelStyle
- These properties are not supported by MUI Charts legend type
- Use only direction and position properties which are type-safe
- Legend will use default MUI Charts styling

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add analytics tab for Risks and Model Inventory
Removed redundant fields at control level that were duplicated in subcontrols.
This simplifies the modal UI and maintains field management only at subcontrol level.
Changes:
- Remove control-level dropdowns (Status, Approver, Risk Review, Owner, Reviewer, Due Date, Implementation Details)
- Remove control-level risk associations ("Add/remove risks" button and displays)
- Update form submission to only send structural fields (title, description, order_no)
- Backend: Remove risk query and update logic from control operations
- Simplify control state management
Frontend:
- NewControlPane.tsx: Remove DropDowns component and risk UI from control level
Backend:
- eu.ctrl.ts: Remove risk parameters from saveControls
- eu.utils.ts: Remove risk fetching and updating in control queries
This keeps the PR focused on simplification. Risk linking to subcontrols will be added in a future PR.
Addressed critical type safety and code quality issues identified in review:

Type Safety:
- Make Control.risks optional with deprecation comment
- Remove unused control-level fields from frontend state initialization

Backend Cleanup:
- Remove dead code that processed undefined control-level fields
- Simplify controller to not update control-level status fields
- Control record no longer updated (all editable fields at subcontrol level)

Database:
- Add migration documenting deprecation of controls_eu__risks table
- Document that existing data preserved for historical reference

Changes:
- Clients/src/domain/types/Control.ts: Make risks optional
- Clients/src/presentation/components/Modals/Controlpane/NewControlPane.tsx: Clean state initialization
- Servers/controllers/eu.ctrl.ts: Remove undefined field processing
- Servers/database/migrations/20251113000000-deprecate-control-level-risks.js: Document table deprecation

All changes compile without TypeScript errors.
Fix file manager download and delete
The migration was failing because it tried to add a comment to controls_eu__risks in the public schema, but the table exists in tenant-specific schemas (e.g., "a4ayc80OGd").

Changes:
- Query all organizations and check each tenant schema
- Add deprecation comment only where table exists
- Handle case where table doesn't exist (fresh databases)
- Gracefully skip if getTenantHash is unavailable

This ensures the migration works across all environments:
- Production databases with multiple tenant schemas
- Development databases without the deprecated table
- Fresh installations

Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
…ration-field Updated `duration` field validation for training registry
Fix/security modal upload
…tory-bug Fix model inventory bug
|
|
||
| // Validate URL (accept without http/https) | ||
| const urlPattern = /^((https?:\/\/)?[\w-]+(\.[\w-]+)+([\/\w-]*)*(\?.*)?(#.*)?)$/i; | ||
| const urlPattern = /^((https?:\/\/)?[\w-]+(\.[\w-]+)+([\/\w]*)*(\?.*)?(#.*)?)$/i; |
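Review bot: the replacement pattern on the second line drops `-` from the path class (`[\/\w-]` becomes `[\/\w]`) but keeps the nested quantifier `([\/\w]*)*`, so URLs with a hyphen in the path are now rejected while the repetition CodeQL reports is still present. Removing the outer `*` rather than the hyphen would keep hyphenated paths valid and remove the nested repetition.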
Check failure
Code scanning / CodeQL
Inefficient regular expression High
Copilot Autofix
AI 5 months ago
General strategy:
To fix the problem, we need to rewrite the regular expression so that there is no ambiguity causing excessive backtracking. In particular, the ambiguous part is [\/\w]*, which can match an empty string and all the same substrings as the previous sequences (e.g., / and \w are almost always part of URL "paths"). The goal is to explicitly and unambiguously describe the allowed path segment. One common approach is to replace ambiguous character classes or repetitions ([\/\w]*) inside a complicated group with a more constrained alternative—such as a negated character class that matches until the next "delimiter" (e.g., ?, #).
Detailed fix:
- Locate line 334 in `Clients/src/presentation/pages/AITrustCenter/Subprocessors/index.tsx`.
- Replace the problematic regex with an improved version.
- The old regex: `/^((https?:\/\/)?[\w-]+(\.[\w-]+)+([\/\w]*)*(\?.*)?(#.*)?)$/i`
- Improved version (for basic URL validation, safer for performance and retains original intent): `/^((https?:\/\/)?[\w-]+(\.[\w-]+)+(\/[^\s?#]*)?(\?.*)?(#.*)?)$/i`
  - Change: Replace `([\/\w]*)*` with `(\/[^\s?#]*)?`
  - This now matches zero or one path sections of slashes followed by non-"?", "#", or whitespace characters, eliminating catastrophic backtracking.
- The rest of the code remains unchanged.
Required edits and imports:
- Only a single line needs editing.
- No new imports or complex logic required.
| @@ -331,7 +331,7 @@ | ||
| } | ||
|
|
||
| // Validate URL (accept without http/https) | ||
| const urlPattern = /^((https?:\/\/)?[\w-]+(\.[\w-]+)+([\/\w]*)*(\?.*)?(#.*)?)$/i; | ||
| const urlPattern = /^((https?:\/\/)?[\w-]+(\.[\w-]+)+(\/[^\s?#]*)?(\?.*)?(#.*)?)$/i; | ||
| if (!urlPattern.test(newSubprocessor.url)) { | ||
| setEditSubprocessorError("Subprocessor URL must be a valid URL"); | ||
| return; |
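Review bot: the new path group `(\/[^\s?#]*)?` accepts a much wider character set than the old `[\/\w]` class (quotes, angle brackets and backslashes now pass), and the optional `(https?:\/\/)?` still admits scheme-less values, so this check should not be treated as sanitisation wherever `newSubprocessor.url` is later rendered as a link. Consider parsing the value with the `URL` constructor after prepending a default scheme, and add a regression test that feeds a long run of `/` followed by a space to pin the backtracking fix.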
|
|
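The difference between the flagged pattern and the autofix replacement, as an added example that is not code from this pull request. Both regular expressions are copied from the page; the helper names, the rejected input and the sample URLs are constructed for illustration.

```javascript
// Both patterns are copied verbatim from the page.
const FLAGGED = /^((https?:\/\/)?[\w-]+(\.[\w-]+)+([\/\w]*)*(\?.*)?(#.*)?)$/i;
const FIXED = /^((https?:\/\/)?[\w-]+(\.[\w-]+)+(\/[^\s?#]*)?(\?.*)?(#.*)?)$/i;

// Constructed input: a host, `slashes` path separators, then a space.
// Neither pattern accepts the space, so the match fails only after the
// engine has tried the path group. With the nested quantifier that means
// trying every way of splitting the slashes between group iterations.
function rejectedInput(slashes) {
  return "a.b" + "/".repeat(slashes) + " ";
}

// Time a single test() call; returns the verdict and elapsed milliseconds.
function timeTest(pattern, input) {
  const start = performance.now();
  const matched = pattern.test(input);
  return { matched, ms: performance.now() - start };
}

// Constructed sample URLs for a behavioural comparison of the two patterns.
const SAMPLES = [
  "example.com",
  "https://example.com/legal/dpa",
  "example.com/privacy-policy",
  "example.com/a?b=1#c",
  "not a url",
];

// Verdict of each pattern per sample, to spot accept/reject differences.
function compareVerdicts() {
  return SAMPLES.map((url) => ({
    url,
    flagged: FLAGGED.test(url),
    fixed: FIXED.test(url),
  }));
}

// Stand-alone run: print verdicts, then timings as the input grows.
console.table(compareVerdicts());
for (const n of [12, 16, 20]) {
  const input = rejectedInput(n);
  const slow = timeTest(FLAGGED, input).ms.toFixed(2);
  const fast = timeTest(FIXED, input).ms.toFixed(2);
  console.log(`slashes=${n} flagged=${slow}ms fixed=${fast}ms`);
}
```

The only sample on which the two patterns disagree is the hyphenated path, which the flagged pattern rejects and the replacement accepts.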
||
| return result[0]; | ||
| } catch (error) { | ||
| console.error(`Error recording history snapshot for parameter ${parameter}:`, error); |
Check failure
Code scanning / CodeQL
Use of externally-controlled format string High
Copilot Autofix
AI 5 months ago
To fix this issue, make sure that untrusted user input is not directly interpolated into the format string when logging. Instead, supply the format string with static text and use the %s format specifier for the potentially unsafe variable, passing the variable as an extra argument to console.error. Specifically, replace `Error recording history snapshot for parameter ${parameter}:` with 'Error recording history snapshot for parameter %s:' and pass parameter as the second argument to console.error. This is analogous to the recommended fix in the background documentation. There are no required import changes or additional methods needed for implementation — only an adjustment of the logging invocation in recordHistorySnapshot (at line 43 in Servers/utils/history/modelInventoryHistory.utils.ts).
| @@ -40,7 +40,7 @@ | ||
|
|
||
| return result[0]; | ||
| } catch (error) { | ||
| console.error(`Error recording history snapshot for parameter ${parameter}:`, error); | ||
| console.error('Error recording history snapshot for parameter %s:', parameter, error); | ||
| throw error; | ||
| } | ||
| } |
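Review bot: moving `parameter` out of the template literal on the `console.error` line is correct, but the same interpolated form remains in the "Error getting current parameter counts" catch block further down this file, where no autofix was produced; change that call to the `'%s'` form in the same commit. `%s` also writes the value unmodified, so strip or escape CR/LF in `parameter` if these logs are parsed line by line.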
| `SELECT ${parameter}, COUNT(*) as count | ||
| FROM "${tenant}".model_inventories | ||
| GROUP BY ${parameter}`, |
Check failure
Code scanning / CodeQL
Database query built from user-controlled sources High
Copilot Autofix
AI 5 months ago
To fix this vulnerability, we need to ensure that only trusted, expected column names can be used for dynamic queries. This is best achieved through whitelisting: define a set of allowed values (valid column names), and for all "generic" cases, only allow these. If the input parameter is not one of the allowed column names, we should reject the request or handle it safely.
Specifically:
- In `getCurrentParameterCounts` (in `Servers/utils/history/modelInventoryHistory.utils.ts`), before using `${parameter}` in the query string, check if `parameter` is in the whitelist (e.g.: `name`, `version`, `owner`, etc.—all valid model_inventory table columns that you intend to support).
- If the user input is not one of the allowed columns, throw an error or return a value indicating invalid input.
- The whitelist should be set at the top of the file so it's accessible to all relevant logic and easy to maintain.
- No additional imports are required, just a constant and a check.
This fixes all variants flagged by CodeQL, as all flows reach the vulnerable SQL construction. No other files need to be altered based on the snippets shown.
| @@ -3,6 +3,17 @@ | ||
| import { ModelInventoryStatus } from "../../domain.layer/enums/model-inventory-status.enum"; | ||
| import { Transaction, QueryTypes } from "sequelize"; | ||
|
|
||
| // Whitelist of allowed parameter names for aggregation | ||
| const ALLOWED_PARAMETERS = [ | ||
| "name", | ||
| "version", | ||
| "owner", | ||
| // add all other safe column names intended to be exposed | ||
| "type", | ||
| "created_at", | ||
| // DO NOT add user-controlled column names unless they're safe | ||
| ]; | ||
|
|
||
| /** | ||
| * Record a snapshot of parameter counts in history | ||
| */ | ||
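Review bot: the `ALLOWED_PARAMETERS` entries are the autofix's example values, and the two inline comments (`// add all other safe column names…` and `// DO NOT add user-controlled column names…`) are placeholders that should not be merged as they stand. Replace the list with the `model_inventories` columns that callers actually aggregate on, verified against the model definition, and drop the placeholder comments; otherwise valid parameters will start throwing in the generic branch.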
| @@ -101,6 +112,9 @@ | ||
| }); | ||
| } else { | ||
| // Generic handling for other parameters | ||
| if (!ALLOWED_PARAMETERS.includes(parameter)) { | ||
| throw new Error(`Invalid parameter: ${parameter}`); | ||
| } | ||
| const paramCounts = await sequelize.query( | ||
| `SELECT ${parameter}, COUNT(*) as count | ||
| FROM "${tenant}".model_inventories |
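Review bot: the new check covers `parameter` only; `"${tenant}"` on the `FROM` line is still interpolated into the same query string with no validation visible in this hunk. Confirm that `tenant` is derived server-side and matches the tenant-hash format, or validate it next to the `ALLOWED_PARAMETERS` check. The `Invalid parameter: ${parameter}` message also echoes the rejected input into the error that the catch block logs, so a fixed message is safer.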
|
|
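One way to apply the allowlist from the autofix suggestion so that no request-supplied string reaches the SQL text, as an added example that is not the project's code. `COLUMN_BY_PARAMETER`, `TENANT_SCHEMA`, `quoteIdent` and `buildCountQuery` are hypothetical names; the column list repeats the suggestion's values, and the tenant pattern assumes schema names look like the `a4ayc80OGd` example in the migration commit message and that identifiers are double-quoted as in the query on the page.

```javascript
// Keys are the values accepted from the request; values are the identifiers
// placed in the SQL text. The entries repeat the autofix suggestion's list
// and must be checked against the real model_inventories schema.
const COLUMN_BY_PARAMETER = new Map([
  ["name", "name"],
  ["version", "version"],
  ["owner", "owner"],
  ["type", "type"],
  ["created_at", "created_at"],
]);

// Assumption: tenant schema names are short alphanumeric hashes.
const TENANT_SCHEMA = /^[A-Za-z0-9]{1,63}$/;

// Double-quote an identifier, doubling any embedded quote character.
function quoteIdent(ident) {
  return '"' + ident.replace(/"/g, '""') + '"';
}

// Returns the aggregation SQL, or throws with a fixed message that never
// echoes the rejected value, so nothing request-chosen reaches the logs.
function buildCountQuery(parameter, tenant) {
  // Map.get is an exact-key lookup: arrays, "__proto__" and near-misses
  // such as "owner " all come back undefined.
  const column = COLUMN_BY_PARAMETER.get(parameter);
  if (column === undefined) {
    throw new RangeError("Unsupported aggregation parameter");
  }
  if (typeof tenant !== "string" || !TENANT_SCHEMA.test(tenant)) {
    throw new RangeError("Invalid tenant schema");
  }
  const col = quoteIdent(column);
  return [
    `SELECT ${col}, COUNT(*) AS count`,
    `FROM ${quoteIdent(tenant)}.model_inventories`,
    `GROUP BY ${col}`,
  ].join(" ");
}
```

The string that ends up in the query comes from the map's value, not from the caller, which is what lets a static analyser see that the tainted input never flows into the SQL.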
||
| return counts; | ||
| } catch (error) { | ||
| console.error(`Error getting current parameter counts for ${parameter}:`, error); |
Check failure
Code scanning / CodeQL
Use of externally-controlled format string High
Copilot Autofix
AI 5 months ago
Copilot could not generate an autofix suggestion for this alert. Try pushing a new commit or if the problem persists contact support.
…ls-modal Simplify EU AI Act controls modal by removing control-level fields
Describe your changes
Write your issue number after "Fixes "
Enter the corresponding issue number after "Fixes #"
Please ensure all items are checked off before requesting a review: