- 🇺🇸 United States fen
Came across this - great work getting Drupal to 96%! Quick review, all looks good. The URL has changed, now: https://www.bestpractices.dev/en/projects/5602
Re: Dynamic Code Analysis, I know of several teams that have integrated OWASP ZAP into the build/test pipeline. Not sure how d.o is set up, but if it could be added that would notch us up another point or two. :-)
- 🇺🇸 United States greggles Denver, Colorado, USA
Thanks, fen. Drupal is now using gitlab CI so if you have ideas on configuring gitlab to do that scan that would be great.
Updating the issue summary for the new URL and to list out the items we haven't yet answered as "meets" or "N/A"
I'm at Open Source Software North America conference and will try to connect with some folks who work on OpenSSF to get advice on these.
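As an added illustration of the kind of GitLab CI configuration fen and greggles are discussing (this is example configuration written for this thread, not anything from drupal.org's pipeline), here is a job that runs the OWASP ZAP baseline scan against a test deployment of the site. The ZAP image name, the `zap-baseline.py` script and its `-t`/`-r`/`-w`/`-I` options are the ones documented by the ZAP project; the `ZAP_TARGET` variable, the `zap-report` directory and the review-app URL are assumptions made for the example.

```yaml
# Added example, not from the thread: GitLab CI job running the ZAP
# baseline scan (passive checks only; it spiders the site and reports
# findings, it does not send attack payloads).
# Assumptions: an earlier stage deploys the branch to a test URL that is
# passed in ZAP_TARGET (placeholder value below); the zap-baseline.py
# script inside the official image writes its reports under /zap/wrk.
zap_baseline:
  stage: test
  image:
    name: ghcr.io/zaproxy/zaproxy:stable
    entrypoint: [""]          # override the image entrypoint so GitLab can run the script
  variables:
    # Placeholder: replace with the review-app / staging URL for this pipeline.
    ZAP_TARGET: "https://review-app.example.test"
  script:
    - mkdir -p /zap/wrk
    # -t target URL, -r HTML report, -w Markdown report,
    # -I: do not fail the job on WARN-level findings (only on FAIL-level ones)
    - zap-baseline.py -t "$ZAP_TARGET" -r report.html -w report.md -I
  after_script:
    # Copy the reports out of the ZAP working directory so GitLab keeps them
    # as artifacts even when the scan itself fails.
    - mkdir -p "$CI_PROJECT_DIR/zap-report"
    - cp /zap/wrk/report.* "$CI_PROJECT_DIR/zap-report/" || true
  artifacts:
    when: always
    paths:
      - zap-report/
  # Start non-blocking so the team can review and tune the baseline;
  # switch to false once the existing findings are triaged.
  allow_failure: true
```

The job is deliberately gated on `allow_failure: true` at first: a new scanner introduced into an established project usually surfaces a backlog of low-severity findings (missing headers, cookie flags) that should be triaged before the scan is allowed to block merges. Once that backlog is handled, dropping `-I` and setting `allow_failure: false` turns the job into a real gate, which is what the badge criterion on dynamic analysis is asking for.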
- 🇺🇸 United States cmlara
I should note Drupal may not technically be able to answer "yes" to "Publicly known vulnerabilities fixed"
Drupal Core likely breached the timeline with CVE-2024-45440 which took until at least December 4th to commit to the D7 repo.
There is still an open second part in the issue "Maintenance Pages leak sensitive environment information - pt2" (Active).
If we ignore that for a moment, we should also consider that there are a large number of issues that are public that may qualify for a CVE if escalated through the CNA dispute process. At the moment they would not technically disqualify Drupal; however, is it in the best interest of the project to assert a strong security focus if it has not resolved those open issues?