
Insecure list: fetch "affected versions" information from SAs for more accurate reporting #10

Open
mxr576 opened this issue Jan 25, 2024 · 1 comment

Comments

Owner

mxr576 commented Jan 25, 2024

Story

Swiftmailer had an SA last night. No new release, just the complete project was marked as unsupported (according to updates.drupal.org). Also, the project has no supported branches anymore.

Due to these changes, all releases of Swiftmailer were marked as unsupported instead of insecure yesterday.

If we only leverage the updates.drupal.org API, then the only way to have all releases marked as insecure by this tool is flagging them with the special "Insecure" term.

I asked for that change on Drupal Slack (see thread dump below) - which may or may not be applied to the project releases - and it triggered another change on the published SA: the Affected versions field was set to *; it was empty before.

Conclusion

For a more bulletproof process, there is probably no way to further delay parsing "affected versions" information from the Drupal.org API and incorporating it into the results. It would probably simplify version range guessing, or even eliminate it in some cases.

Tasks

  • Go through this list and collect field_affected_versions information for projects - IF it is available. (Watch out: "Pagination links are incorrect on https://www.drupal.org/api-d7/node.json, they contain node instead of node.json , which means when you follow those you get an HTML 404 page instead of a HTTP 200 JSON response.") For this, we need a new integration with this API endpoint.
  • Incorporate the collected information into the insecure list generation process.

Notes

The mentioned Swiftmailer SA as JSON: https://www.drupal.org/api-d7/node.json?nid=3416755

Attachments

Slack thread dump, generated at 2024/01/25 10:09:37

Owner Author

mxr576 commented Jan 25, 2024

Hint:

The project is only available by reference on an SA... exchanging references for project names may come with a small overhead.

      "field_project": {
        "uri": "https://www.drupal.org/api-d7/node/1163884",
        "id": "1163884",
        "resource": "node"
      },

Idea:

Store the SA's title, created date and URL in the generated composer.json's extra section for those packages where the new API provided the insecure version range. This information could be later leveraged in ddqg-composer-audit for exposing more accurate information.
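As an added example (not code from this issue or from ddqg itself), here is how the tasks and the idea above could fit together in Python: walk the api-d7 listing while repairing the broken `node` / `node.json` pagination links, keep only the SAs that carry a `field_affected_versions` value, resolve the `field_project` nid to a machine name, and emit the composer.json `extra` entries. The two-page listing, the SA titles, the nid 999999 and the nid-to-machine-name map (which assumes 1163884 is swiftmailer) are constructed, and an in-memory dict stands in for the HTTP client.

```python
from datetime import datetime, timezone
API = "https://www.drupal.org/api-d7/"

def fix_pagination_link(url):
    # Work around the bug quoted in the issue: 'next' links point at
    # /api-d7/node?... (an HTML 404) instead of /api-d7/node.json?... (JSON).
    broken = API + "node?"
    if url and url.startswith(broken):
        return API + "node.json?" + url[len(broken):]
    return url
def iter_nodes(pages, start):
    # Walk a paginated listing; `pages` (URL -> decoded JSON) stands in for HTTP GET.
    url = start
    while url:
        yield from pages[url]["list"]
        url = fix_pagination_link(pages[url].get("next"))
def collect_sa_records(pages, start):
    # Keep SAs with a usable field_affected_versions; empty means fall back to range guessing.
    records = []
    for node in iter_nodes(pages, start):
        affected = (node.get("field_affected_versions") or "").strip()
        project_nid = (node.get("field_project") or {}).get("id")
        if not affected or not project_nid:
            continue
        created = datetime.fromtimestamp(int(node["created"]), timezone.utc)
        records.append({"project_nid": project_nid, "sa_title": node["title"],
                        "sa_url": node["url"], "sa_created": created.date().isoformat(),
                        "affected_versions": affected})
    return records
def composer_extra(records, project_names):
    # Build composer.json 'extra' entries keyed by package name. An SA references its
    # project only by nid, so project_names (nid -> machine name) is resolved separately.
    extra = {}
    for r in records:
        name = project_names.get(r["project_nid"])
        if name:  # drop SAs whose project could not be resolved
            sa = {k: r[k] for k in ("sa_title", "sa_url", "sa_created", "affected_versions")}
            extra.setdefault("drupal/" + name, []).append(sa)
    return extra
def sa_node(title, project_nid, affected):  # constructed SA node (not real data)
    return {"title": title, "created": "1706140800", "url": "https://www.drupal.org/" + title.lower(),
            "field_project": {"id": project_nid, "resource": "node"}, "field_affected_versions": affected}
START = API + "node.json?type=sa&page=0"
SAMPLE_PAGES = {  # constructed two-page listing, shape modelled on api-d7
    START: {"list": [sa_node("SA-CONTRIB-EXAMPLE-001", "1163884", "*")],
            "next": API + "node?type=sa&page=1"},  # the buggy link from the issue
    API + "node.json?type=sa&page=1": {"list": [sa_node("SA-CONTRIB-EXAMPLE-002", "999999", "")],
                                       "next": None},
}
PROJECT_NAMES = {"1163884": "swiftmailer"}  # assumed: the SA in the issue is Swiftmailer's
```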
