[Prod] Create backend for QA dashboard, add tests for goal services, historical cleanup, new grant filter

frontend/src/components/filter/GrantStatus.js

@@ -0,0 +1,54 @@
+import React from 'react';
+import PropTypes from 'prop-types';
+import { Dropdown } from '@trussworks/react-uswds';
+
+export function displayGrantsStatus(q) {
+  if (q === 'active') {
+    return 'Active';
+  }
+
+  if (q === 'inactive') {
+    return 'Inactive';
+  }
+
+  if (q === 'interim-management-cdi') {
+    return 'Interim management (CDI)';
+  }
+
+  return '';
+}
+
+export default function GrantStatus({ onApply, query, inputId }) {
+  const onApplyTTAType = (e) => {
+    const { target: { value } } = e;
+    onApply(value);
+  };
+
+  return (
+    <>
+      { /* eslint-disable-next-line jsx-a11y/label-has-associated-control */ }
+      <label className="sr-only" htmlFor={inputId}>Select grant status to filter by</label>
+      <Dropdown name={inputId} id={inputId} value={query} onChange={onApplyTTAType}>
+        <option value="active">
+          Active
+        </option>
+        <option value="inactive">
+          Inactive
+        </option>
+        <option value="interim-management-cdi">
+          Interim management (CDI)
+        </option>
+      </Dropdown>
+    </>
+  );
+}
+
+GrantStatus.propTypes = {
+  onApply: PropTypes.func.isRequired,
+  query: PropTypes.string.isRequired,
+  inputId: PropTypes.string,
+};
+
+GrantStatus.defaultProps = {
+  inputId: 'grantStatus',
+};

frontend/src/components/filter/__tests__/GrantStatus.js

@@ -0,0 +1,47 @@
+import '@testing-library/jest-dom';
+import React from 'react';
+import {
+  render,
+  screen,
+} from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import GrantStatus, { displayGrantsStatus } from '../GrantStatus';
+
+const { findByRole } = screen;
+
+describe('displayCdiGrantStatus', () => {
+  it('returns the correct string for active', () => {
+    expect(displayGrantsStatus('active')).toEqual('Active');
+  });
+
+  it('returns the correct string for inactive', () => {
+    expect(displayGrantsStatus('inactive')).toEqual('Inactive');
+  });
+
+  it('returns the correct string for interim-management-cdi', () => {
+    expect(displayGrantsStatus('interim-management-cdi')).toEqual('Interim management (CDI)');
+  });
+
+  it('returns an empty string for an empty string', () => {
+    expect(displayGrantsStatus('')).toEqual('');
+  });
+});
+
+describe('CdiGrantFilter', () => {
+  const renderCdiGrantSelect = (appliedType, onApply) => (
+    render(
+      <GrantStatus
+        onApply={onApply}
+        inputId="cdiGrantFilter"
+        appliedTTAType={appliedType}
+      />,
+    ));
+
+  it('calls the on apply handler', async () => {
+    const onApply = jest.fn();
+    renderCdiGrantSelect('inactive', onApply);
+    const select = await findByRole('combobox', { name: /Select grant status to filter by/i });
+    userEvent.selectOptions(select, 'active');
+    expect(onApply).toHaveBeenCalled();
+  });
+});

frontend/src/components/filter/activityReportFilters.js

@@ -26,6 +26,7 @@ import FilterStateSelect from './FilterStateSelect';
 import FilterOtherEntitiesSelect from './FilterOtherEntitiesSelect';
 import FilterParticipantsSelect from './FilterParticipantsSelect';
 import FilterTTAType, { displayTtaTypeQuery } from './FilterTTAType';
+import GrantStatus, { displayGrantsStatus } from './GrantStatus';
 import MyReportsSelect from './MyReportsSelect';
 import FilterGroups from './FilterGroups';
 import FilterDeliveryMethod from './FilterDeliveryMethod';
@@ -347,6 +348,24 @@ export const ttaTypeFilter = {
   ),
 };
 
+export const grantStatusFilter = {
+  id: 'grantStatus',
+  display: 'Grant status',
+  conditions: FILTER_CONDITIONS,
+  defaultValues: {
+    is: 'active',
+    'is not': 'active',
+  },
+  displayQuery: displayGrantsStatus,
+  renderInput: (id, condition, query, onApplyQuery) => (
+    <GrantStatus
+      inputId={`grantStatus-${condition.replace(/ /g, '-')}-${id}`}
+      onApply={onApplyQuery}
+      query={query}
+    />
+  ),
+};
+
 export const specialistRoleFilter = {
   id: 'role',
   display: 'Specialist roles',

frontend/src/components/filter/grantFilters.js

@@ -6,6 +6,7 @@ import FilterGroups from './FilterGroups';
 import { useDisplayGroups, fixQueryWhetherStringOrArray } from './utils';
 import { formatDateRange } from '../../utils';
 import FilterDateRange from './FilterDateRange';
+import GrantStatus, { displayGrantsStatus } from './GrantStatus';
 
 export const groupsFilter = {
   id: 'group',
@@ -74,3 +75,21 @@ export const recipientsWithoutTTA = {
     />
   ),
 };
+
+export const grantStatusFilter = {
+  id: 'grantStatus',
+  display: 'Grant status',
+  conditions: FILTER_CONDITIONS,
+  defaultValues: {
+    is: 'active',
+    'is not': 'active',
+  },
+  displayQuery: displayGrantsStatus,
+  renderInput: (id, condition, query, onApplyQuery) => (
+    <GrantStatus
+      inputId={`grantStatus-${condition.replace(/ /g, '-')}-${id}`}
+      onApply={onApplyQuery}
+      query={query}
+    />
+  ),
+};

frontend/src/pages/CourseDashboard/constants.js

@@ -20,6 +20,7 @@ import {
   reportTextFilter,
   ttaTypeFilter,
   activityReportGoalResponseFilter,
+  grantStatusFilter,
 } from '../../components/filter/activityReportFilters';
 import { goalNameFilter } from '../../components/filter/goalFilters';
 
@@ -45,6 +46,7 @@ const COURSE_DASHBOARD_FILTER_CONFIG = [
   targetPopulationsFilter,
   topicsFilter,
   ttaTypeFilter,
+  grantStatusFilter,
 ];
 
 COURSE_DASHBOARD_FILTER_CONFIG.sort((a, b) => a.display.localeCompare(b.display));

frontend/src/pages/Landing/constants.js

@@ -20,6 +20,7 @@ import {
   reportTextFilter,
   ttaTypeFilter,
   activityReportGoalResponseFilter,
+  grantStatusFilter,
 } from '../../components/filter/activityReportFilters';
 import { goalNameFilter } from '../../components/filter/goalFilters';
 
@@ -48,6 +49,7 @@ export const LANDING_FILTER_CONFIG = (withRegions = false) => {
     targetPopulationsFilter,
     topicsFilter,
     ttaTypeFilter,
+    grantStatusFilter,
   ];
 
   if (withRegions) {

frontend/src/pages/RecipientSearch/constants.js

@@ -1,13 +1,14 @@
 /* eslint-disable import/prefer-default-export */
 import { regionFilter } from '../../components/filter/activityReportFilters';
 import { goalNameFilter } from '../../components/filter/goalFilters';
-import { groupsFilter, recipientsWithoutTTA } from '../../components/filter/grantFilters';
+import { groupsFilter, recipientsWithoutTTA, grantStatusFilter } from '../../components/filter/grantFilters';
 
 const RECIPIENT_SEARCH_FILTER_CONFIG = [
   goalNameFilter,
   groupsFilter,
   regionFilter,
   recipientsWithoutTTA,
+  grantStatusFilter,
 ];
 
 // sort by display prop

frontend/src/pages/RegionalDashboard/constants.js

@@ -19,6 +19,7 @@ import {
   reportTextFilter,
   deliveryMethodFilter,
   activityReportGoalResponseFilter,
+  grantStatusFilter,
 } from '../../components/filter/activityReportFilters';
 import { goalNameFilter } from '../../components/filter/goalFilters';
 import { groupsFilter } from '../../components/filter/grantFilters';
@@ -45,6 +46,7 @@ const DASHBOARD_FILTER_CONFIG = [
   targetPopulationsFilter,
   topicsFilter,
   ttaTypeFilter,
+  grantStatusFilter,
 ];
 
 // sort by display prop

frontend/src/pages/RegionalGoalDashboard/constants.js

@@ -18,6 +18,7 @@ import {
   participantsFilter,
   myReportsFilter,
   ttaTypeFilter,
+  grantStatusFilter,
 } from '../../components/filter/activityReportFilters';
 
 const DASHBOARD_FILTER_CONFIG = [
@@ -39,6 +40,7 @@ const DASHBOARD_FILTER_CONFIG = [
   targetPopulationsFilter,
   topicsFilter,
   ttaTypeFilter,
+  grantStatusFilter,
 ];
 
 // sort by display prop

frontend/src/pages/ResourcesDashboard/constants.js

@@ -20,6 +20,7 @@ import {
   reportTextFilter,
   ttaTypeFilter,
   activityReportGoalResponseFilter,
+  grantStatusFilter,
 } from '../../components/filter/activityReportFilters';
 import { goalNameFilter } from '../../components/filter/goalFilters';
 
@@ -45,6 +46,7 @@ const RESOURCES_DASHBOARD_FILTER_CONFIG = [
   targetPopulationsFilter,
   topicsFilter,
   ttaTypeFilter,
+  grantStatusFilter,
 ];
 
 RESOURCES_DASHBOARD_FILTER_CONFIG.sort((a, b) => a.display.localeCompare(b.display));

frontend/yarn-audit-known-issues

@@ -2,4 +2,4 @@
 {"type":"auditAdvisory","data":{"resolution":{"id":1097682,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","id":1097682,"npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","metadata":null,"cves":["CVE-2023-26136"],"access":"public","severity":"moderate","module_name":"tough-cookie","vulnerable_versions":"<4.1.3","github_advisory_id":"GHSA-72xf-g2v4-qvf3","recommendation":"Upgrade to version 4.1.3 or later","patched_versions":">=4.1.3","updated":"2024-06-21T21:33:53.000Z","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}}
 {"type":"auditAdvisory","data":{"resolution":{"id":1097682,"path":"react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["react-scripts>jest>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-environment-jsdom>jsdom>tough-cookie","react-scripts>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-environment-jsdom>jsdom>tough-cookie"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\n- https://lists.fedoraproject.org/archives/list/[email protected]/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\n- https://security.netapp.com/advisory/ntap-20240621-0006\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","id":1097682,"npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","metadata":null,"cves":["CVE-2023-26136"],"access":"public","severity":"moderate","module_name":"tough-cookie","vulnerable_versions":"<4.1.3","github_advisory_id":"GHSA-72xf-g2v4-qvf3","recommendation":"Upgrade to version 4.1.3 or later","patched_versions":">=4.1.3","updated":"2024-06-21T21:33:53.000Z","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"cwe":["CWE-1321"],"url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}}
 {"type":"auditAdvisory","data":{"resolution":{"id":1099525,"path":"react-scripts>webpack-dev-server>express>serve-static>send","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"0.18.0","paths":["react-scripts>webpack-dev-server>express>serve-static>send"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg\n- https://nvd.nist.gov/vuln/detail/CVE-2024-43799\n- https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35\n- https://github.com/advisories/GHSA-m6fv-jmcg-4jfg","created":"2024-09-10T19:42:41.000Z","id":1099525,"npm_advisory_id":null,"overview":"### Impact\n\npassing untrusted user input - even after sanitizing it - to `SendStream.redirect()` may execute untrusted code\n\n### Patches\n\nthis issue is patched in send 0.19.0\n\n### Workarounds\n\nusers are encouraged to upgrade to the patched version of express, but otherwise can workaround this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist\n\n### Details\n\nsuccessful exploitation of this vector requires the following:\n\n1. The attacker MUST control the input to response.redirect()\n1. express MUST NOT redirect before the template appears\n1. the browser MUST NOT complete redirection before:\n1. the user MUST click on the link in the template\n","reported_by":null,"title":"send vulnerable to template injection that can lead to XSS","metadata":null,"cves":["CVE-2024-43799"],"access":"public","severity":"moderate","module_name":"send","vulnerable_versions":"<0.19.0","github_advisory_id":"GHSA-m6fv-jmcg-4jfg","recommendation":"Upgrade to version 0.19.0 or later","patched_versions":">=0.19.0","updated":"2024-09-10T19:42:42.000Z","cvss":{"score":5,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},"cwe":["CWE-79"],"url":"https://github.com/advisories/GHSA-m6fv-jmcg-4jfg"}}}
-{"type":"auditAdvisory","data":{"resolution":{"id":1099597,"path":"react-admin>ra-ui-materialui>dompurify","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.4.4","paths":["react-admin>ra-ui-materialui>dompurify"]}],"found_by":null,"deleted":null,"references":"- https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674\n- https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21\n- https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc\n- https://nvd.nist.gov/vuln/detail/CVE-2024-45801\n- https://github.com/advisories/GHSA-mmhx-hmjr-r674","created":"2024-09-16T20:34:26.000Z","id":1099597,"npm_advisory_id":null,"overview":"It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check.\n\nThis renders dompurify unable to avoid XSS attack.\n\nFixed by https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.x branch) and https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.x branch).","reported_by":null,"title":"DOMPurify allows tampering by prototype pollution","metadata":null,"cves":["CVE-2024-45801"],"access":"public","severity":"high","module_name":"dompurify","vulnerable_versions":"<2.5.4","github_advisory_id":"GHSA-mmhx-hmjr-r674","recommendation":"Upgrade to version 2.5.4 or later","patched_versions":">=2.5.4","updated":"2024-09-16T22:37:33.000Z","cvss":{"score":7,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L"},"cwe":["CWE-1321","CWE-1333"],"url":"https://github.com/advisories/GHSA-mmhx-hmjr-r674"}}}
+{"type":"auditAdvisory","data":{"resolution":{"id":1099846,"path":"react-scripts>webpack-dev-server>express>cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"0.6.0","paths":["react-scripts>webpack-dev-server>express>cookie"]}],"found_by":null,"deleted":null,"references":"- https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x\n- https://github.com/jshttp/cookie/pull/167\n- https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c\n- https://github.com/advisories/GHSA-pxg6-pf52-xh8x","created":"2024-10-04T20:31:00.000Z","id":1099846,"npm_advisory_id":null,"overview":"### Impact\n\nThe cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize(\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a\", value)` would result in `\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test\"`, setting `userName` cookie to `<script>` and ignoring `value`.\n\nA similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.\n\n### Patches\n\nUpgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.\n\n### Workarounds\n\nAvoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.\n\n### References\n\n* https://github.com/jshttp/cookie/pull/167","reported_by":null,"title":"cookie accepts cookie name, path, and domain with out of bounds characters","metadata":null,"cves":["CVE-2024-47764"],"access":"public","severity":"low","module_name":"cookie","vulnerable_versions":"<0.7.0","github_advisory_id":"GHSA-pxg6-pf52-xh8x","recommendation":"Upgrade to version 0.7.0 or later","patched_versions":">=0.7.0","updated":"2024-10-04T20:31:01.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-74"],"url":"https://github.com/advisories/GHSA-pxg6-pf52-xh8x"}}}

frontend/yarn.lock

@@ -5067,9 +5067,9 @@ domhandler@^4.0.0, domhandler@^4.2.0, domhandler@^4.3.1:
     domelementtype "^2.2.0"
 
 dompurify@^2.4.3:
-  version "2.4.4"
-  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.4.4.tgz#c17803931dd524e1b68e0e940a84567f9498f4bd"
-  integrity sha512-1e2SpqHiRx4DPvmRuXU5J0di3iQACwJM+mFGE2HAkkK7Tbnfk9WcghcAmyWc9CRrjyRRUpmuhPUH6LphQQR3EQ==
+  version "2.5.6"
+  resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.5.6.tgz#8402b501611eaa7fb3786072297fcbe2787f8592"
+  integrity sha512-zUTaUBO8pY4+iJMPE1B9XlO2tXVYIcEA4SNGtvDELzTSCQO7RzH+j7S180BmhmJId78lqGU2z19vgVx2Sxs/PQ==
 
 domutils@^1.7.0:
   version "1.7.0"

package.json

@@ -126,6 +126,7 @@
     "json5": "^2.2.3",
     "luxon": "^1.23.1",
     "qs": "^6.9.7",
+    "cookie": "^0.7.0",
     "cookiejar": "^2.1.4",
     "http-cache-semantics": "^4.1.1",
     "path-to-regexp": "^0.1.10",
@@ -148,6 +149,7 @@
     ],
     "parser": "@typescript-eslint/parser",
     "parserOptions": {
+      "ecmaVersion": 2020,
       "project": "./src/tsconfig.json"
     },
     "plugins": [

src/goalServices/goals.js

@@ -1053,7 +1053,7 @@ export async function removeUnusedGoalsObjectivesFromReport(reportId, currentObj
   await removeObjectives(objectiveIdsToRemove, reportId);
 }
 
-async function createObjectivesForGoal(goal, objectives) {
+export async function createObjectivesForGoal(goal, objectives) {
   /*
      Note: Objective Status
      We only want to set Objective status from here on initial Objective creation.
@@ -1066,10 +1066,10 @@ async function createObjectivesForGoal(goal, objectives) {
 
   return Promise.all(objectives.filter((o) => o.title
     || o.ttaProvided
-    || o.topics.length
-    || o.resources.length
-    || o.courses.length
-    || o.files.length).map(async (objective, index) => {
+    || o.topics?.length
+    || o.resources?.length
+    || o.courses?.length
+    || o.files?.length).map(async (objective, index) => {
     const {
       id,
       isNew,