API: Provide version number in the security advisory content type

Created on 26 April 2018
Updated 15 January 2025

Problem/Motivation

In the wake of recent major core vulnerabilities (q.v. SA-CORE-2018-002, SA-CORE-2018-004) and the time to proven exploit being measured in days or even hours, it would be valuable to be able to use the Drupal Security advisories API as a source for automated reporting and response tools, without first requiring human parsing.

The Security Advisory content type goes some way toward addressing these issues, but some of the most vital information for matching advisories to vulnerable project versions is missing.

Proposed resolution

  • Introduce the field_sa_fixed_version field. This will be a multi-valued, required field to provide accurate version-matching semantics. For example, "8.4.4" in this field means that any 8.4.x versions below 8.4.4 are affected, which is in line with what current advisories say.
  • The field is multi-valued, so when multiple branches are affected this can be specified; for SA-CORE-2018-004 the field would have 3 values: 7.59, 8.5.3 & 8.4.8.
  • Expose the field in RestWS responses for SA content type.
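A consumer-side check that applies the matching semantics proposed above, as an added example (not drupal.org code): the RestWS field layout is assumed to be a list of strings, the sample advisory is constructed from the SA-CORE-2018-004 values in the issue, and only core-style version strings ("7.59", "8.4.8", "8.5.0-rc1") are handled.

```python
"""Match an installed Drupal version against an advisory's fixed versions.

Hypothetical consumer-side helper (not drupal.org code). It assumes the
RestWS response exposes field_sa_fixed_version as a list of strings and that
versions look like core's "7.59" / "8.4.8" / "8.5.0-rc1".
"""
import re
from typing import Optional, Tuple

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)(?:-([a-z]+)(\d*))?$")

# Constructed sample shaped like the issue's SA-CORE-2018-004 example; the
# real field layout of the RestWS response is an assumption.
SAMPLE_ADVISORY = {
    "title": "SA-CORE-2018-004",
    "field_sa_fixed_version": ["7.59", "8.5.3", "8.4.8"],
}


def version_key(version: str) -> tuple:
    """Sortable key: numeric parts, then a final release above any pre-release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    if m.group(2):  # e.g. "-rc1" ranks below the final release of the same numbers
        return numbers, (0, m.group(2), int(m.group(3) or 0))
    return numbers, (1, "", 0)


def branch(version: str) -> tuple:
    """'8.4.8' -> (8, 4); '7.59' -> (7,). A fixed version only speaks for its branch."""
    return version_key(version)[0][:-1]


def check_advisory(installed: str, advisory: dict) -> Tuple[str, Optional[str]]:
    """Return ('affected'|'fixed'|'unlisted', matching fixed version or None).

    'unlisted' means no fixed version shares the installed branch: the advisory
    says nothing about it, so treat that as unknown rather than as safe.
    """
    for fixed in advisory["field_sa_fixed_version"]:
        if branch(fixed) != branch(installed):
            continue
        if version_key(installed) < version_key(fixed):
            return "affected", fixed
        return "fixed", fixed
    return "unlisted", None


if __name__ == "__main__":
    for v in ("7.58", "8.4.5", "8.4.8", "8.5.0-rc1", "8.3.9"):
        print(v, *check_advisory(v, SAMPLE_ADVISORY))
```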
✨ Feature request
Status

Fixed

Version

3.0

Component

Security advisories

Created by

New Zealand DrCuriosity
