{"id":13454522,"url":"https://github.com/cqframework/cql-exec-fhir","last_synced_at":"2026-03-06T12:34:10.772Z","repository":{"id":32465136,"uuid":"134662661","full_name":"cqframework/cql-exec-fhir","owner":"cqframework","description":"A FHIR data source for the JavaScript CQL Execution project","archived":false,"fork":false,"pushed_at":"2025-08-22T22:06:50.000Z","size":776,"stargazers_count":24,"open_issues_count":6,"forks_count":11,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-08-23T00:02:18.821Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cqframework.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-05-24T04:54:32.000Z","updated_at":"2024-11-06T07:37:52.000Z","dependencies_parsed_at":"2024-01-18T17:44:14.028Z","dependency_job_id":"3e1b5397-b7b1-48cd-a5ac-b5f1a362ed10","html_url":"https://github.com/cqframework/cql-exec-fhir","commit_stats":{"total_commits":53,"total_committers":9,"mean_commits":5.888888888888889,"dds":"0.39622641509433965","last_synced_commit":"666930c1511a5a69e6ee03ff3d42220c61d6e966"},"previous_names":[],"tags_count":21,"template":false,"template_full_name":null,"purl":"pkg:github/cqframework/cql-exec-fhir","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cqframework%2Fcql-exec-fhir","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cqframework%2Fcql-exec-fhir/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cqframework%2Fcql-exec-fhir/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cqframework%2Fcql-exec-fhir/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cqframework","download_url":"https://codeload.github.com/cqframework/cql-exec-fhir/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cqframework%2Fcql-exec-fhir/sbom","scorecard":{"id":306905,"data":{"date":"2025-08-11","repo":{"name":"github.com/cqframework/cql-exec-fhir","commit":"666930c1511a5a69e6ee03ff3d42220c61d6e966"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.5,"checks":[{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":7,"reason":"Found 19/24 approved changesets -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci-workflow.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/cqframework/cql-exec-fhir/ci-workflow.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/cqframework/cql-exec-fhir/ci-workflow.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/cqframework/cql-exec-fhir/ci-workflow.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci-workflow.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/cqframework/cql-exec-fhir/ci-workflow.yml/master?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/ci-workflow.yml:15","Warn: npmCommand not pinned by hash: .github/workflows/ci-workflow.yml:35","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   2 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 27 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"10 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-67hx-6x53-jw92","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-grv7-fg5c-xmjg","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: GHSA-4q6p-r6v2-jvc5","Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55","Warn: Project is vulnerable to: GHSA-c2qf-rxjj-qqgw","Warn: Project is vulnerable to: GHSA-76p7-773f-r4q5","Warn: Project is vulnerable to: GHSA-j8xg-fqg3-53r7"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T22:17:58.282Z","repository_id":32465136,"created_at":"2025-08-17T22:17:58.282Z","updated_at":"2025-08-17T22:17:58.282Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30176322,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-06T11:48:51.886Z","status":"ssl_error","status_checked_at":"2026-03-06T11:48:51.460Z","response_time":250,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T08:00:54.940Z","updated_at":"2026-03-06T12:34:10.590Z","avatar_url":"https://github.com/cqframework.png","language":"JavaScript","funding_links":[],"categories":["CQL"],"sub_categories":[],"readme":"# CQL Execution FHIR Data Source\n\nThis project establishes a FHIR-based data source module for use with the CQL Execution Engine.  Currently,\nFHIR 1.0.2 (DSTU2), FHIR 3.0.0 (STU3), FHIR 4.0.0 ,and FHIR 4.0.1 (R4) are supported.\n\n# Setting Up the Environment\n\nTo use this project, you should perform the following steps:\n\n1. Install [Node.js](https://nodejs.org/en/download/)\n2. Execute the following from this project's root directory: `npm install`\n\n# Using the FHIR Patient Data Source\n\nThe FHIR Data Source expects each patient to be represented as a single FHIR Bundle containing all of the patient's\nrelevant data.  The FHIR Data Source does _not_ query FHIR servers, but rather, expects the Bundles to be passed to\nit.\n\nThe following is a simple example of how it would be used to execute over two patients:\n\n```js\nconst cqlfhir = require('cql-exec-fhir');\n\n// Code setting up the CQL library, executor, etc, and getting the patient data as a bundle\n// ...\n\nconst patientSource = cqlfhir.PatientSource.FHIRv401(); // or .FHIRv102() or .FHIRv300() or .FHIRv400()\npatientSource.loadBundles([patient01, patient02]);\nconst results = executor.exec(patientSource);\n```\n\n## (Optional) Trusted Environment with meta.profile\n\n**NOTE**: This feature will only work with `cql-execution` version 2.4.1 or higher.\n\nIf desired, the FHIR Data Source can be configured to use the `meta.profile` list on FHIR resources as a source of truth for whether or not that resource should be included when looking through the Bundle of data.\n\n```js\nconst cqlfhir = require('cql-exec-fhir');\n\n// Including \"requireProfileTagging: true\" in an object passed in to the constructor enables the trusted environment\nconst patientSource = cqlfhir.PatientSource.FHIRv401({\n  requireProfileTagging: true,\n}); // or .FHIRv102() or .FHIRv300() or .FHIRv400()\n```\n\nAs an example, if an ELM Retrieve expression asks for a FHIR Condition Resource with profile `http://hl7.org/fhir/us/core/StructureDefinition/us-core-condition-encounter-diagnosis`, the default behavior of the FHIR Data Source is to find any FHIR Condition resource.\nWith the trusted environment enabled however, the FHIR Data Source will _only_ find resources with the string `'http://hl7.org/fhir/us/core/StructureDefinition/us-core-condition-encounter-diagnosis'` included in their `meta.profile` lists.\n\n# Using the FHIRWrapper\n\nIf you are passing in individual FHIR resources to the execution engine as parameters, you can use FHIRWrapper\nto convert the raw json FHIR resources into FHIRObjects that work with the execution engine.\n\nExample:\n\n```js\nconst cqlfhir = require('cql-exec-fhir');\nconst fhirWrapper = cqlfhir.FHIRWrapper.FHIRv401(); // or .FHIRv102() or .FHIRv300() or .FHIRv400()\n\nconst conditionRawResource = { \"resourceType\": \"Condition\", \"id\": \"f201\", \"clinicalStatus\": \"active\", ... }\nconst conditionFhirObject = fhirWrapper.wrap(conditionResource)\n// Now conditionFhirObject can be passed into the cql execution engine\n```\n\n# Testing the Code\n\nTo run the automated unit tests, execute the following command:\n```\n$ npm test\n```\n\n# Linting the Code\n\nTo encourage quality and consistency within the code base, all code should pass eslint without any warnings.  Many text editors can be configured to automatically flag eslint violations.  We also provide an npm script for running eslint on the project.  To check your code against eslint's rules, execute the following command:\n```\n$ npm run lint\n```\n\nTo automatically fix code that violates eslint's rules:\n```\n$ npm run lint:fix\n```\n\n# Prettier\n\nTo encourage quality and consistency within the code base, all code should also be formatted using [Prettier](https://prettier.io/).  Many text editors can be configured to automatically reformat code using Prettier on save.  We also provide an npm script for running prettier on the project.  To check your code against Prettier's rules, execute the following command:\n```\n$ npm run prettier\n```\n\nTo automatically fix any code that violates Prettier's rules:\n```\n$ npm run prettier:fix\n```\n\n# Altogether Now!\n\nTo run the unit tests, linter, and prettier all in one shot, execute the following command:\n```\n$ npm run test:plus\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcqframework%2Fcql-exec-fhir","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcqframework%2Fcql-exec-fhir","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcqframework%2Fcql-exec-fhir/lists"}