You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Swiftmailer had an SA last night. No new release just the complete project were marked as unsupported. (According to updates.drupal.org). Also, the project has no supported branches anymore.
Due to these changes, all releases of Swiftmailer was marked an unsupported instead of insecure yesterday.
If we only leverage the updates.drupal.org API then the only way to have all releases marked as insecure by this tool is flagging them with the special "Insecure" term.
I asked that change on Drupal Slack (see thread dump below) - which may or may not be applied on the project releases - and it triggered an another changed on the published SA: Affected versions field were set to *, it was empty before.
Conclusion
For a more bulletproof process, probably there is no way to further delay parsing "affected versions" information from Drupal.org API and incorporating that to the results. Probably it would simplify version range guessing, or even eliminate that in some cases.
Tasks
Go through this list and collect field_affected_versions information for projects - IF it is available. (Watch out: "Pagination links are incorrect on https://www.drupal.org/api-d7/node.json, they contain node instead of node.json , which means when you follow those you get an HTML 404 page instead of a HTTP 200 JSON response.") For this, we need a new integration with this API endpoint.
Incorporate collected information the the insecure list generation process.
Store the SA's title, created date and URL in the generated composer.json's extra section for those packages where the new API provided the insecure version range. This information could be later leveraged in ddqg-composer-audit for exposing more accurate information.
Story
Swiftmailer had an SA last night. No new release just the complete project were marked as unsupported. (According to updates.drupal.org). Also, the project has no supported branches anymore.
Due to these changes, all releases of Swiftmailer was marked an unsupported instead of insecure yesterday.
If we only leverage the updates.drupal.org API then the only way to have all releases marked as insecure by this tool is flagging them with the special "Insecure" term.
I asked that change on Drupal Slack (see thread dump below) - which may or may not be applied on the project releases - and it triggered an another changed on the published SA: Affected versions field were set to
*
, it was empty before.Conclusion
For a more bulletproof process, probably there is no way to further delay parsing "affected versions" information from Drupal.org API and incorporating that to the results. Probably it would simplify version range guessing, or even eliminate that in some cases.
Tasks
field_affected_versions
information for projects - IF it is available. (Watch out: "Pagination links are incorrect on https://www.drupal.org/api-d7/node.json, they contain node instead of node.json , which means when you follow those you get an HTML 404 page instead of a HTTP 200 JSON response.") For this, we need a new integration with this API endpoint.Notes
The mentioned Swiftmailer SA as JSON: https://www.drupal.org/api-d7/node.json?nid=3416755
Attachments
Slack thread dump, generated at 2024/01/25 10:09:37
The text was updated successfully, but these errors were encountered: