PR 2/4: Fix PSScriptAnalyzer code quality warnings#29
Open
StrongWind1 wants to merge 6 commits intoCompassSecurity:mainfrom
Open
PR 2/4: Fix PSScriptAnalyzer code quality warnings#29StrongWind1 wants to merge 6 commits intoCompassSecurity:mainfrom
StrongWind1 wants to merge 6 commits intoCompassSecurity:mainfrom
Conversation
Run PSScriptAnalyzer with -Fix to automatically remove 695 instances of trailing whitespace across all .psm1 and .ps1 files. Rule: PSAvoidTrailingWhitespace (Information) No functional changes — whitespace-only diff.
Swap $consentCount -eq $null to $null -eq $consentCount in the consent count fallback logic (lines 4228-4229, 4672-4673). When $null is on the right side of -eq and the left operand is an array, PowerShell filters the array instead of performing a null check. Placing $null on the left ensures correct behavior regardless of the operand type. Rule: PSPossibleIncorrectComparisonWithNull (Warning)
Remove variables that are assigned but never read: - check_EnterpriseApps.psm1: $Owners (line 382), $EntraConnectApp (line 755) — flag set but never checked, warning added directly - check_PIM.psm1: $CapIssues (line 486) — boolean never read - EntraTokenAid.psm1: $AuthError init (line 210), $xms_cc (line 1645) — value extracted but never used - shared_Functions.psm1: $AuthCheck (line 5078) — auth test result discarded, error handling is in the catch block - Send-GraphBatchRequest.psm1: $ResultsList and $MoreNextLinks (lines 346-347) — lists initialized but never populated Rule: PSUseDeclaredVarsMoreThanAssignments (Warning)
Replace 8 empty catch blocks with Write-Verbose messages that log the suppressed exception. These catches are intentional (best-effort parsing of HTTP status codes, response bodies, date strings, and OS detection) but the empty blocks masked errors during debugging. The verbose messages only appear when -Verbose is used, so there is zero impact on normal operation. Affected files: - Send-ApiRequest.psm1: HTTP status, response body, JSON parsing - check_Tenant.psm1: date string parsing (4 instances) - shared_Functions.psm1: OS detection fallback Rule: PSAvoidUsingEmptyCatchBlock (Warning)
Add SuppressMessageAttribute for 14 parameters flagged as unused. Most are false positives where parameters are accessed by nested functions via parent scope (check_Roles, check_AppRegistrations, check_CAPs use inner Get-ObjectDetails/GetObjectInfo functions). Others are part of the shared module calling interface where the orchestrator passes all data to every module uniformly. Each suppression includes a comment explaining why the parameter is accepted but not directly referenced. Rule: PSReviewUnusedParameter (Warning)
- check_CAPs.psm1: Is-Empty -> Test-IsEmpty 'Is' is not an approved verb; 'Test' is the standard for boolean checks. - check_PIM.psm1: Parse-ISO8601Duration -> ConvertFrom-ISO8601Duration 'Parse' is not an approved verb; 'ConvertFrom' is the standard for converting input formats to PowerShell objects. Both are internal functions with all call sites updated. Rule: PSUseApprovedVerbs (Warning)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Branch:
fix/pssa-code-quality-fixesBase:
main(stacked on PR 1)This is the second of four PRs from my PSScriptAnalyzer review. It picks up the actionable code quality warnings, things like incorrect null comparisons, dead variables, empty catch blocks, encoding gaps, and non standard function names. Each fix is its own commit so they're easy to review one at a time.
What this does (5 commits)
Fix null comparison operand order in
check_Tenant.psm1(4 instances). Changed$consentCount -eq $nullto$null -eq $consentCount. This is a well known PowerShell gotcha where$nullon the right side of-eqcan cause PowerShell to filter an array instead of doing a boolean null check. Putting$nullon the left side makes sure it behaves correctly no matter what type the variable holds. PSScriptAnalyzer flags this asPSPossibleIncorrectComparisonWithNull.Remove unused variables in
check_EnterpriseApps.psm1,check_PIM.psm1,EntraTokenAid.psm1,shared_Functions.psm1, andSend-GraphBatchRequest.psm1. Removed 7 variables that were assigned but never read. Things like$Ownerswhich was initialized to$nulland never referenced,$EntraConnectAppwhich was a boolean flag that got set but never checked, and$ResultsListplus$MoreNextLinkswhich were lists created but never populated (probably leftover from a refactor). One interesting case was$AuthCheckwhich stored an auth test result that got discarded, so I changed it to$null = ...to make the intent clear.Add UTF-8 BOM to files with non ASCII characters in
check_Groups.psm1,EntraTokenAid.psm1, andrun_EntraFalcon.ps1. PowerShell 5.1 on Windows defaults to Windows 1252 encoding. Without a BOM, files containing Unicode characters can get misread, which could lead to corrupted output or subtle runtime issues. Adding the BOM tells PowerShell and other tools to use UTF-8. Since EntraFalcon supports PS 5.1, this felt like a good thing to add.Add verbose logging to empty catch blocks in
Send-ApiRequest.psm1,check_Tenant.psm1, andshared_Functions.psm1(8 instances). All 8 empty catches look intentional to me since they're doing best effort parsing of HTTP status codes, response bodies, date strings, and OS detection. But completely emptycatch {}blocks can make debugging tricky when something goes wrong unexpectedly. I addedWrite-Verbosemessages that only show up when-Verboseis used, so there's zero impact on normal operation but you get helpful diagnostic info when troubleshooting.Suppress false positive unused parameter warnings in
check_Roles.psm1,check_AppRegistrations.psm1,check_CAPs.psm1,check_PIM.psm1,check_Users.psm1,check_Groups.psm1, andSend-GraphBatchRequest.psm1. PSScriptAnalyzer flagged 14 parameters as unused, but most of them are actually accessed by nested functions via parent scope, and PSSA just can't see across scope boundaries. For example,check_Roles.psm1declares$Users,$EnterpriseApps, etc. as parameters, and the innerGet-ObjectDetailsfunction reads them from the parent scope. I added[SuppressMessageAttribute]with explanatory comments for each one so the intent is clear to both the linter and anyone reading the code later.Rename functions to use approved PowerShell verbs in
check_CAPs.psm1andcheck_PIM.psm1.Is-Emptyrenamed toTest-IsEmptysinceTestis the approved verb for boolean checks, andParse-ISO8601Durationrenamed toConvertFrom-ISO8601DurationsinceConvertFromis the approved verb for format conversion. Both are internal functions and all call sites were updated in the same commit.What I intentionally left alone
PSScriptAnalyzer still reports about 530 warnings after these fixes, but they all look like reasonable design choices for an interactive CLI tool like this. Write-Host (344) because EntraFalcon needs colored console output for progress and status. Global variables (115) since cross module shared state is by design, all nicely prefixed with
GLOBAL. Singular nouns (25) becauseInvoke-CheckUsersreads better thanInvoke-CheckUserfor a function that processes all users. And ShouldProcess (11) since these are mostly HTML builder functions that don't actually modify system state.This is PR 2 of 4, stacked on PR 1 (trailing whitespace). If you could merge PR 1 first, then this PR's diff will show only the 5 code quality commits.
Each PR builds on the previous one, so merging them in order keeps everything clean and conflict free. However, you can cherry pick individual commits if you would like.
Thanks for reviewing!