Contrib.social

Provide contrib security advisories in OpenSSF Vulnerability format for dependency tracking

Open on Drupal.org β†’
Created on 21 December 2023, 9 months ago
Updated 27 December 2023, 9 months ago

Problem/Motivation

We use DependencyTrack to track our applications packages (composer, node, server, and so on). When the Drupal security releases a core security update, those get a Common Vulnerabilities and Exposures (CVE) identifier and are added to CVE databases like NIST (e.g. https://nvd.nist.gov/vuln/detail/CVE-2023-5256). Those then appear appropriately in DependencyTrack to let us know we have to update Drupal core. The request is could we also do a version of that for security advisories on contributed modules?

There are Drupal slack thread that generating CVEs is a lot of work. So what if the contrib security advisories provided the details in the OpenSSF Vulnerability format? If that is setup then those could be added to the OSV database and make it to DependencyTrack through that process.

We will try to contribute back that addition but I wanted to create the issue to see if there is interest and also discuss how could that addition be made.

✨ Feature request
Status

Active

Version

3.0

Component

Security advisories

Created by

πŸ‡ΊπŸ‡ΈUnited States dmundra Eugene, OR

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @dmundra
  • Comment 9 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States drumm NY, US

    A good place to start would be generating a couple samples of this data to show how data on Drupal.org maps to this format.

  • Comment 9 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States dmundra Eugene, OR

    Thank you @drumm.

    Below is an example where I tried to convert the latest security advisory https://www.drupal.org/sa-contrib-2023-055 β†’ to the OSV format. I made some assumptions like the summary, description, affected values, references, and database specific. For severity and package I think there would need to be a PR submitted to add Drupal specific security risk and package manager to OSV schema (see https://ossf.github.io/osv-schema/#severity-field).

    Another example is an analyst took the https://www.drupal.org/sa-core-2023-006 β†’ entered in NIST and added it to the GitHub security advisory database here https://github.com/github/advisory-database/blob/main/advisories/github-.... That uses the same OSV format.

    {
  "schema_version": "1.4.0",
  "id": "DRUPAL-SA-CONTRIB-2023-055",
  "modified": "2023-12-20T17:53:15Z",
  "published": "2023-12-20T17:02:51Z",
  "summary": "Cross Site Scripting in drupal/dvf",
  "details": "This module allows you to turn various data sources (Eg CSV or JSON file) into interactive visualisation. The DVF module provides a field (storage, widget & formatter) that can be added to any entity.\nThis module uses two third-party JS libraries having from low to medium vulnerabilities. One of the vulnerabilities is a Cross Site Scripting vulnerability that may affect Drupal sites as a Persistent Cross Site Scripting vulnerability (i.e. not reflected). This release updates the libraries.\nThe issue is mitigated by the fact an attacker needs the permission to create or edit content that is displayed using the Data Visualization Framework.\nSolution:\nInstall the latest version:\nIf you use the Data Visualisation Framework for Drupal module (DVF for short), upgrade to dvf 2.0.2",

  "severity": [

  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Drupal",
        "name": "drupal/dvf",
        "purl": "https://packages.drupal.org/8"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.2"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://www.drupal.org/sa-contrib-2023-055"
    },
    {
      "type": "PACKAGE",
      "url": "https://www.drupal.org/project/dvf"
    },
    {
      "type": "WEB",
      "url": "https://www.drupal.org/project/dvf/releases/2.0.2"
    }
  ],
  "database_specific": {
    "sa_id": [
      "SA-CONTRIB-2023-055"
    ],
    "severity": "MODERATE"
  }
}
contrib.social Blog FAQ Discussions
Production build 0.71.5 2024