Phase 2

[markcrivera]

Additional features added from Phase 2

• Excel outputs - POAM, Findings Worksheet
• Checklist export for boundary
• Certificate Import GUI
• Log configuration for Syslog
• Migration to crypto from bcrypt
• Update local password hashing to meet FIPS requirements
• Enforcing roles memberships
• User notification system
• Custom Group Terms

[Amndeep7]

Add an explanation for what this field should be.

We should probably add a .env-example file or something similar.

[Amndeep7]

Add a comment explaining the sqlite behavior which is why we gotta do this split in the execution path

[Amndeep7]

probably want to change this to have a better name like 'HMAC_SECRET'

[Amndeep7]

The seeder should only have the admin user provided with the expectation that the end user creates any normal user accounts that they need. If we want a user account for testing purposes to be available, it should be created during the test initialization phase.

[Amndeep7]

check if this is dead code, if so, remove

[Amndeep7]

replace numbers with constants if possible

[Amndeep7]

add a reference to the doc or website or guidance or whatever that explains the current source of all of these default / actually used values

[Amndeep7]

Add documentation explaining why the models are the way they are / the actual tables are the way they are / why some of the code is weird as it is to handle the sqlite vs postgres differences (usually where postgres offers some built-in functionality that sqlite doesn't have so we gotta do it by hand there)

[Amndeep7]

we discussed 'project tokens' as opposed to just 'user tokens' since there is a likelihood of a user story where someone wants to have an apikey/token that doesn't have visibility to every single thing that they have visibility to but instead just visibility into one or two projects/boundaries.

something to keep in mind is that it probably still needs to be associated with a user, not just the boundary itself, so that its always possible to connect actions that occur in a system to a user.

[Amndeep7]

Can we determine why the circular reference here is linking forward whereas in the other one it's linking backwards?

Can we change the db structure so that both link in the same direction (doesn't matter which)?

[Amndeep7]

Please add an explanation as to the necessity for the circular references?

[markcrivera]

Is the variable name not sufficient here?

[Amndeep7]

Please add a wiki page or other artifact explaining how the ingested data gets mapped onto the database.

[Amndeep7]

Please completely type all optional attributes

[Amndeep7]

allowNull: true is the default behavior on all columns aside from those defining a primary key. IMO we should only explicitly define allowNull when it is false to show how that field is the exception to the rule. It also doesn't help that we don't have a linter (unless you can find one) to enforce defining allowNull one way or the other on every field. I feel like my solution is the more consistent solution unless we can find a linter.

[Amndeep7]

@aaronlippold question - should we split 'typePolicy' and 'typeTechnical' into their own 'type' enum table and then have some like join table between the two instead of having booleans like this?

[Amndeep7]

naming consistency (snake / camel / etc)? seems like some of the fields come from the source data files and some come from column headers that we create. even if we don't rename everything to camelcase everywhere, can we at least group the attributes so that it's easier to determine which naming system applies to which block of attributes?

[Amndeep7]

rename to whatever the source document is so that it's easier to know that these are like the POAM kind of levels

[Amndeep7]

another example where reworking the grouping might make things clearer

[Amndeep7]

Delete unused code

[Amndeep7]

Maybe we can find out a better way to order/organize the code, but we couldn't figure out a good solution for this during the review time.

[Amndeep7]

Rename to clarify that this is the status override.

During the discussion, it turns out that this work is being done in another branch.

[Amndeep7]

Leave a comment saying that the schema allows for this to be any policy or guidance documentation but in practice it's basically just defining the NIST Control Family revision.

[Amndeep7]

Another comment about the attribute naming. We should just make sure its consistent even if it has multiple different types of consistency depending on if its a variable name that comes from an external document vs something that's internal to the db. In this case, the double underscore meaning XML attribute as opposed to node is coming out of left field. However we make it consistent, we should have some document explaining the naming patterns.

[Amndeep7]

Can we rename the MAC profiles to not be abbreviations

[Amndeep7]

We should probably have a description for every table not just the document ingest ones. In this case one or two two sentences to explain how the stig names don't always line up with the file names or whatever so we need some aliases to match everything properly. Then link out to a wiki page where you can go more in-depth on one or two specific examples of this issue (like the google chrome stig iirc).

[Amndeep7]

Why are we pulling from index.ts instead of their files where they're actually defined? And also why are we importing them as types?

[Amndeep7]

Maybe group the functions with the variables? Or at least put them in the same order as the variables are defined.

[Amndeep7]

Related to the 'allowNull' discussion, I believe that 'unique: true' is automatically applied to anything that has primaryKey: true, so let's get rid of the duplication.

[Amndeep7]

Not a blocker, but was wondering if you wanted to do hardcoded colors in the code vs having the colors be defined here. The other SAF products don't have multiple themes (at least anymore) so it's not as much of a concern for them, but it seems like yall are interested in having at least a light/dark mode which raises the question of potentially supporting custom themes as well in which case having that stuff listed in the db would probably help.

[Amndeep7]

Reminder about our conversation w/r to accessibility considerations (colors/contrasts/font sizes/labels/alt text/etc).

[Amndeep7]

As discussed, probably worthwhile to change Tier -> Company to match the default text used everywhere since it's a lot simpler to change the migration scripts now (ie without customers/users) instead of having to make a new migration to do it.

[Amndeep7]

As discussed, 'System' will be added

[Amndeep7]

postgresconnectionobject - port is hardcoded to 5432 but should probably come from an envvar

[Amndeep7]

My personal preference is to use 'for..of' as opposed to any of the other looping syntax options since it's usually the safest and most accurate. However, this is a nitpick so feel free to ignore it if you like.

https://2ality.com/2021/01/looping-over-arrays.html

[Amndeep7]

Maybe it's possible to set up the logger from umzug to do both console and file based at the same time. Otherwise I guess just the console is fine.

[Amndeep7]

Seems like this will require review to compare it against the Ckl->HDF->Ckl flow checklists to confirm that all the fields are mapped appropriately. Once discrepancy already found is that TIR automatically updates to match it against the STIG Library version which is fine I think. Another discrepancy is CHECK_CONTENT_REF. Another is the escaping for the xml/html areas, but I think those are semantically equivalent even if they're syntactically different. Another is that the 'legacy_id' field is missing, etc.

[Amndeep7]

maybe remove the alias section / commented out line

[Amndeep7]

rename to reference it being related to the HMAC stuff

[Amndeep7]

it least for heimdall we try to avoid using verbs in the envvars. imo this could be renamed to just 'sqlite'.

[Amndeep7]

I thought we were getting rid of ts-node? If it's no longer explicitly used by us then we can rid of it here I think.

[Amndeep7]

Not a blocker, but we will want to consider seeing which dependencies we can open up (^) vs keeping more locked down (~). I think it might be helped in the future by dependabot automating some of these validation/upgrade processes.

[Amndeep7]

reminder to swap out all the console logs for the logger

[Amndeep7]

Talk with artists/branding folks again w/r to coming up with a new logo.

Relatedly, still need to add the mitre branding.

[Amndeep7]

Add a section to this to make it clearer that you need to read the license/notice files.

Also should add like an authors section or something to clearly attribute work done by both the mitre and lm teams

[Amndeep7]

review these TODO comments to see if they're still applicable

[Amndeep7]

where is this supposed to be in the ckl? is it intended on being different from the xml comment that's on like line 2 of the mustache template which says 'tir' and which version of tir is being used?

[Amndeep7]

As based off of our discussion during this review / for the ldap stuff, we should be transitioning to an external auth package for nuxt that will make manually mucking around with cookies like this unnecessary.

[Amndeep7]

not sure if you need to convert the undefined into an explicit boolean. since undefined is a falsy value, it was behave as equivalent to a boolean called false when used in conditionals and stuff.

[Amndeep7]

having an enum here or something more clearer than '3' would be good.

[Amndeep7]

for..in has issues (ex. inherited attributes will be iterated). my preference here would be to do a for..of of Object.entries(body) so that way you get both the key and the value at the same time and don't accidentally iterate over something you weren't intending to.

[Amndeep7]

As discussed, might want to do a research spike into the CASL stuff for not just page access but also for actions that you can do.

https://github.com/mitre/heimdall2/blob/master/apps/backend/src/casl/casl-ability.factory.ts

https://casl.js.org/v6/en/package/casl-vue

[Amndeep7]

maybe we should validate the input here (body) to ensure that it has the shape that we need - sanitization, etc.

[Amndeep7]

remove

[Amndeep7]

Unauthorized - typo

Might be worthwhile doing a single pass of a spellchecker through the repo to catch this stuff before we merge it

[Amndeep7]

let's be consistent for pathing (tilda or doing the dots) but i think in this case it's a global func cause of how nuxt works with the utils so we could probably just delete this line

[Amndeep7]

maybe we should consider crashing on startup if the user has not supplied all the envvars it needs to run. the hope is that the rest of the code can be DRYer if we don't need to worry about these envvars not being initialized in multiple locations. maybe there's some way to force the nuxt config to state that the vars are required? it'd need some research.

[Amndeep7]

do not need to narrow/define the type since it knows that these are strings

[Amndeep7]

logger if we're gonna keep this around, but i think this will be all reworked with the replacement auth stuff

[Amndeep7]

seems like you can get rid of the expires attribute down there. the secure attribute should probably be that commented out code.

[Amndeep7]

There's no error handling in the case that the transaction failed. It's fine that we don't cause the error gets bubbled up, but we should at least make sure that the UI shows that its a 500 failure instead of gaslighting the user into thinking that it's an issue on their end or not providing any info at all (the error modal pops up with no message inside).

[Amndeep7]

nitpick: should probably be 'aliases' or something else plural

[Amndeep7]

should probably figure out alias.put as well

[Amndeep7]

might be worthwhile investigating if we want to swap to 'archiver'

questions: does it only work in a node context or can it work from a browser context too? can it reduce the number of dependencies that you have (since it has built in support for both zip and tar)?

[Amndeep7]

would help if we could self document / just actually straight up document that assessment.stigid is like the db id and then oldstig.stigid is the id coming from the stig itself (firefox blah blah)

[Amndeep7]

maybe explore doing preprocessing here instead of doing a find in each iteration here. it'd be something that'd return the full union set as well as the set that remains unique to each assessment. you can iterate over all of that in one go then.

[Amndeep7]

nitpick: i like having functions that are depended upon be above their users, so in this case 'findmatch' is depended upon by 'migrateboundary' so it would be above 'migrateboundary'.

[Amndeep7]

instead of doing a '-4' on the filename, we could probably use some paths built-in to extract the basename of the file

[Amndeep7]

would be nice to have a diagram or docs or something explaining the user upload stig library -> gets saved to disk -> gets processed from disk and the content inserted into the db -> gets deleted from disk flow

[Amndeep7]

i think it would still be interesting to see if we could make this completely in memory so that we don't need to handle all the potential failures from doing disk io, but it would need to be a measured approach to determine how much memory usage spikes on the application. if the spikes are too large, then we might just be stuck.

[Amndeep7]

as discussed, disa has changed the naming format so we can no longer extract out the information we need. we're going to need to explore if it can be extracted from some internal data structure.

[Amndeep7]

i think interfaces are usually PascalCase not camelCase.

[Amndeep7]

as discussed, this delete is because we know for sure that the library has already been processed in full and so we no longer need the zip file. for all the other ones, we apparently want to keep the zip around since we aren't sure what could be causing the issues with saving it to the db.

if we're going to keep this stuff on disk, we should probably have a way for an admin to view these zipfiles and delete/clean them up if necessary so that way disk usage doesn't just grow indefinitely over time. it probably won't since nominally we will only need to upload a stig library on a quarterly basis and this area should be cleared out regularly enough when the application (if containerized) is redeployed but just to be on the safe side.

[Amndeep7]

since we've already paid the 'coloring' price and marked this function as async, we can probably just use the async functions here and await them as necessary. used to be that they only had a callback variant or a sync variant, but now promise based variants exist so it's ergonomic enough.

https://nodejs.org/dist/latest-v16.x/docs/api/fs.html#fspromisesmkdirpath-options

[Amndeep7]

maybe extractalltoasync?

[Amndeep7]

This seems to be a completely independent set of operations so we can probably split this up into a collection of promises that are awaited as a group instead of having to sequentially do all of them like this

[Amndeep7]

this feels like it's going to be one of the slowest parts of the ingest just cause we're forced to await on each stig finishing being processed before we can move on. we discussed that the ingestion of these stigs needed to be done in order so as to prevent some conflicts that occasionally occurred.

i think we should spend some research time into seeing if we can as discussed do some pre-processing to figure out the dependency problem and then be able to go full async on upload into the db.

[markcrivera]

HMAC Rename to match previous comments.

[markcrivera]

Remove unused code

Suggested change

// const fileHash = await hashFile(xmlFilePath);

[markcrivera]

Unused import

Suggested change

// import { hashFile } from "./hash";

[markcrivera]

Suggest removing relative pathing on import

Suggested change

	import { Stig, StigIdent, StigLibrary, StigReference, StigResponsibility } from "../../db/models";
	import { Stig, StigIdent, StigLibrary, StigReference, StigResponsibility } from "~/db/models";

[markcrivera]

Remove unused code

Suggested change

// newStig.dataValues.hash = fileHash;

[markcrivera]

Unused code

Suggested change

	// const addRequestResult = await addStigToLibrary(newStig.dataValues.id, stigLibraryId);
	// console.log(addRequestResult);

[markcrivera]

perfTimer should probably be turned off for production

[markcrivera]

Migrate to Winston

[Amndeep7]

Maybe we should rename importStig and importStigData to get rid of the verb and just be a noun like the other util modules (stigLibrary, etc)

[Amndeep7]

xml2js doesn't seem to be under as active maintenance as fast-xml-parser so you might want to transition to that. we currently use both xml2js and fast-xml-parser in the saf, but I want to consolidate on fast-xml-parser where possible.

the other thing that you might be interested in doing is that since xccdf is a format that has a schema, you could consider using mitre's fork of jsonix to do a more accurate mapping onto json via the xccdf schema so that you can sidestep issues that the parsers have to deal with like the singleton vs array of one question

[Amndeep7]

in functions that are already marked async, it might be worthwhile to just do an await on the async versions of these functions as opposed to using the sync versions

[Amndeep7]

Instead of treating jsonObj as type 'any', might be worthwhile following along with my suggestion to use JSONIX to have it create a typescript type definition for you from the xccdf schema. If you don't want to do that, then you could just manually write out a type definition to match what the output of your parser should be giving you.

[Amndeep7]

Usually I like trying to take a functional approach, but based off of our discussion it doesn't seem like it'd be that feasible to do here due to performance reasons. This is fine; however, my hope is that this is one of the few exceptions to the rule.

[Amndeep7]

Suggested change

	logger.error(`Error Parsig STIG: ${path.basename(xmlFile)}`);
	logger.error(`Error Parsing STIG: ${path.basename(xmlFile)}`);

[Amndeep7]

Could probably take all three of these do a Promise.all around them instead of individually awaiting them

[Amndeep7]

Discussion that happened here:

Notification system (that originally would just populate some application inbox, but could have reporters added to integrate with email or IRC equivalents) could provide a summary on the successes and failures of the import process. How many STIGs were ingested. How many files' deletions failed (which is a problem that the admin then needs to resolve at some point cause it could be a disk usage leak). etc.

[Amndeep7]

Another example of mismatch between return type defined in the function vs what is actually done

[Amndeep7]

remove commented out code

[Amndeep7]

Line 174 - StigLibraryInterface - is this interface still necessary? couldn't we adjust the modal to declare whatever attributes we needed?

[Amndeep7]

Probably should not be doing console logs and logger stuff at the same time

[Amndeep7]

might be worthwhile using a library to handle the sanitization just cause they are probably catching all the cases that we might be missing

[Amndeep7]

It seems like it's fine with a partial upload of a stiglibrary succeeding, but we should have some sort of warning assigned to stigs that didn't get pulled through properly to explain that there might be some data loss or corruption that happened.

[Amndeep7]

should probably figure out alias.put as well

[Amndeep7]

Based off of our discussion, I think we are in agreement that it's probably best to just import the functionality from the util module every time instead of relying on it being a global.

[Amndeep7]

https://github.com/mitre/heimdall2/tree/master/libs/hdf-converters/src/ckl-mapper

might be worthwhile comparing the types that yall rolled out here with the types that we're using in the mapper. both the types spit out by jsonix which directly match the schema in all its painful ambiguity as well as the hand crafted types we derived from them.

[Amndeep7]

I respect this, but I dunno how necessary it is to do the generics here.

[Amndeep7]

why are we returning an empty string at all here?

in any case, you could just check the value of singlestigperckl to know if you needed to return a singleton or an array

[Amndeep7]

actually thinking about this a bit more, doesn't it make more sense to return an error here if we can't find a system that this ckl should apply to?

[Amndeep7]

i think the generics usage here could probably be simplified to just checking if it's singlestigperckl or not.

[Amndeep7]

Suggested change

	logger.error("Unkown result from cci list validation.", { validationResult });
	logger.error("Unknown result from cci list validation.", { validationResult });

[Amndeep7]

also this is ckl verification, not anything to do with ccis

[Amndeep7]

swap all of this to async / promises as opposed to nothing / callbacks

[Amndeep7]

linter might complain here about how you have a template string but nothing templated inside of it

[Amndeep7]

move singlestigperckl variable definition here to where it's actually being used. could also probs simplify this to a ternary thing.

[Amndeep7]

After discussion, we probably shouldn't be pulling data from the join table.

[markcrivera]

Will be handled in Issue #11

[Amndeep7]

Probably also wanna remove the join table usages here as well

[markcrivera]

Will be handled in issue #11

[Amndeep7]

do we want to modify this status message to clarify that we've run outta space on the backend or is that information we want to obscure from the user / potential attacker?

[Amndeep7]

considerations to have from user supplied names like this is a) invalid characters (ex. slashes, escaped characters ex \0, etc for both linux/windows/wherever else it might be deployed) and b) length of filepath (I think windows' max file length is surprisingly short relatively speaking).

we tested the \0 in the system name and it broke stuff so we gotta be careful about it.

[Amndeep7]

Seems like adm-zip has a function to return a zip object as a buffer instead of just to a zipfile on disk. This means that we could potentially avoid having to write the zip file to disk and then immediately read it again. Relevant since we forgot to do any checking on if the file was successfully written or read before execution proceeded - if we could avoid that being a necessity by everything just staying in memory then life is a bit easier.

Additionally, zipdirectorycontents should probably be doing validation itself alongside swapping to return the buffer.

[Amndeep7]

Another join table usage that we probably want to remove

[Amndeep7]

not using the aliases

[Amndeep7]

alias

[Amndeep7]

join table usage here should be removed

[Amndeep7]

I prefer using guard clauses which I think in this case will also help with making the if statements easier to read.

On (what is currently) line 34, instead of doing if (i am not the owner AND i am not an admin) { blah } else { delete boundary } and then eventually doing the return with the success code, my preference would be if (i am the owner OR i am an admin) {delete boundary; return early with success code} and then the subsequent checks which themselves now no longer need to be indented up to the third level.

Probably also want to make the code DRYer by ideally having all the clauses that allow for one to delete a boundary within the same if statement with the early return, and then you have the error logging + throwing at the end of the function just the one time as well.

[Amndeep7]

I think we can extract out the types from sequelize and might not necessarily need to do this inferattributes thing. Additionally, even if we keep it, I think that updateboundaryrequest can be defined on this or directly on sequelize as well instead of being written by hand. The assumption is that both types are more or less the exact same, at least based off of my understanding of the cast that happens in line 84, but if a change happens to the model, there's nothing forcing an update to happen for the types in this file as well.

[Amndeep7]

missing building up the edit message here

[Amndeep7]

same as for delete w/r to simplifying this section via guard clauses and DRY

[Amndeep7]

prefer to avoid foreach

[Amndeep7]

I think there was an accidental commit of this file. Providing an example file or response is fine, but this feels like it was something used for testing.

[Amndeep7]

Probably want to add two envvars: one is the debug level for the debugger output and the second is for dis/enabling the performance timer.

Incidentally, could probably pass the value of the dis/enable variable in the constructor of the timer object so that it turns any other functions you run into no-ops so that your usage of that object can be simpler by not having to remember to check if it is undefined first. Alternatively you could more or less keep what you're doing with the conditional instantiation of the object, but use the optional chaining operator wherever you're using the timer.

[Amndeep7]

https://github.com/mitre/tir/blob/Update-1.0/server/utils/cci.ts#L161 - just iterate through in batches as opposed to using a random cci as the breakpoint

https://github.com/mitre/tir/blob/Update-1.0/server/utils/cci.ts#L182 - probably want to move the reading of that file (and instantiation of that variable) closer to where it's being used (i'd put it right above line 190 where we define xsdDoc)

https://github.com/mitre/tir/blob/Update-1.0/server/utils/cci.ts#L182 - probably a good idea to have error checking here to make sure all the file read stuff and xml parsing stuff would be fine

[Amndeep7]

Delete the commented out code

[Amndeep7]

FindingCounts.arbitrary_key (as defined on line 24) is apparently not used according to our discussion. We should probably remove it since it's probably an error if we see something outside of the enum of expected values anyways.

[Amndeep7]

FindingsSheetItem might be a good target for another dev doc to explain where the different fields are sourced from

Might also be worthwhile having an additional tab or something within the generated spreadsheet that acts as a legend or guide so that the end user also knows where the stuff is sourced from (stig vs poam worksheet area vs wherever)

[Amndeep7]

We worked through an alternative implementation for the whereclause stuff on line 62 so that we didn't need to explicitly use the "is keyof" stuff by just doing object.entries.filter([,v] => v).map([k,] => k)

[Amndeep7]

Since the sequelize findAll will always return an array, you can get rid of the wrapping if statement on line 160

[Amndeep7]

Seems like you use that if (probablyanarray) { for (const thing of probablyanarray) } paradigm a lot but you could simplify to just for (const thing of probablyanarray || []) and then for (const thing of alwaysanarray) like for finding.assessmentitems.

[Amndeep7]

Currently we only have a client side validation that the system name is not an empty string. We should add that validation to the backend api / sequalize definition as well. Probably will hold true for other fields as well (boundary name?).

[Amndeep7]

Might be worthwhile swapping from procedural approaches to more functional approaches for iterating over the arrays for finding.assessmentitems and finding.stigidents.

Ex. for stigidents you could probs just do const identList = finding.StigIdents.map(i => i.text); and call it a day instead of constantly appending to the end of that array.

[Amndeep7]

For addFindings, another opportunity to potentially have used lodash (_.mergeWith). Anyways, you can get rid of the if statement in there I think. Checking if the value is non-zero before doing the addition seems pointless.

[Amndeep7]

For catFromSeverity,

1. I would probably call it catSeverity or categorySeverity instead of romanSeverity.
2. Line 272 you defined the variable as Cat instead of it being lowercase
3. Could probably simplify the instantiation of cat by using the square brace access into the map, ex. const cat = severityMap[rawSeverity] || "";.

[Amndeep7]

We need to determine if this is a public facing api endpoint or not.

[Amndeep7]

We spent some time and eventually discovered import {PassThrough} from "stream"; which is more than enough to handle our simple usecase and thereby not need to have the "into-stream" import here. Seems like it is probable that we can remove the import from the project entirely since we're doing the same thing in other locations.

This works because the xlsx workbook thing can write to a stream not just a buffer.

[Amndeep7]

might be worthwhile to have this match the frontend where it's ${boundaryname}-findings.xlsx or something like that as the default value but then have the option to use a provided value as the name

[Amndeep7]

Another endpoint where we are unsure if it will be public or not. During the discussion it seemed like the intent was for it to be public, so we're going to need to replace the cookie thing with the actual auth solution using apikeys or some such.

After further discussion, revised auth is on the way but might not be here for this PR so should probably ensure that this endpoint and others (ex. the findingsdownload one) are still locked down to just application only.

[Amndeep7]

Delete the unused? export that might've been auto-added.

[Amndeep7]

remove commented out code throughout the file

[Amndeep7]

If we need to do the userid validation, then we should do it here before we look up the user.

[Amndeep7]

If we move the validation up, then we can just pass the valid User object through to the generatePoam function and save on a db call. Alternatively, we could pass through precisely whatever attributes we need.

[Amndeep7]

usually one should not define an interface in-line in a function

after further discussion, yall are in the process of phasing these out because the sequelize models now include the join table info so you don't need to do it manually here.

there are other locations where this is happening

[Amndeep7]

This looks like you're trying to handroll an enum. Enums under the hood are integer indexed I believe, so you could just make an enum for this and grab the values that way.

https://bobbyhadz.com/blog/typescript-convert-enum-to-string

Don't forget that enums are PascalCase for both their own name as well as the items defined in them.

[Amndeep7]

The 'undefined' in the middle looks kinda wonky. I would recommend leaving the required parameter as it is (boundaryId), but moving the other two parameters to an options (or whatever you wanna call it) object that would have those parameters as optional attributes.

This would change this function call to look like getEvaluationSummary(boundaryId, {poam: true}).

[Amndeep7]

currentUser.ts has some commented out code in it

[Amndeep7]

Continue stripping out the join table stuff

[Amndeep7]

for the variable allFindingsOrdered, is the variable name wrong and there's no explicit ordering other than what the db gives us or is the code wrong and something that should be ordered isn't?

[Amndeep7]

I prefer defining types outside of functions, and also if the type is derivative of another then I usually like to represent that via the various typescript utility types even if we then have to union a couple fields on top since at least it shows the lineage.

In this case, we might be interested in this one: https://www.typescriptlang.org/docs/handbook/utility-types.html#picktype-keys

[Amndeep7]

We want to explicitly import all the stuff from utils so will want to add initializeCounts here

[Amndeep7]

After discussion, seems like this hack is going to be removed once the functionality is changed to create the assessment information upon the addition of a stig to a system.

[Amndeep7]

line 213, that variable definition could be made const and a one liner by doing a ternary statement.

[Amndeep7]

Might be worthwhile reviewing all the perftimer usages so that they're only for relevant / performance sensitive parts of the application. The usage right below line 213 to create the single object does not seem worthwhile to time.

[Amndeep7]

You have some closures defined at the bottom of this function definition (i.e. past the return statement but before the function closes) that have side effects for example adding on to the boundaryView list. I would separate them out into their own functions and at least pass in the boundaryView variable as a parameter so that it's clearer something is happening even if you make the modifications to that same variable as opposed to returning a new copy.

[Amndeep7]

Commented out code mostly at the bottom