Contrib.social

Display SA coverage icon based on a release/branch of the module going to be installed

Open on Drupal.org โ†’
Created on 6 December 2024, 16 days ago

Problem/Motivation

This is a follow-up to ๐Ÿ› Missing information about the version of the project going to be installed Active

Currently it seems like that the information about the security coverage of the module is a global information (based on a module), rather than information about the security coverage of the specific release/branch, which is going to be installed on a site by project browser.

So it can happen, that for example Webform has the icon, that the project is covered, but you do not see a version and when you install it, you will get Webform 6.3.0-alpha2, which is not covered.

This has a potential to cause a lot of confusion for users and a false sense of security (there was an icon, so why I am not covered, etc..).

(I selected Webform as an example, but this can be even more risky on smaller modules)

I have added a Security tag, as this have security implications.

Steps to reproduce

On Drupal 11.1RC:
Open project browser (/admin/modules/browse)
Find Webform module
Observe that there is a SA coverage icon displayed
Try to find a version, which is going to be installed if you click so - you will be unable to find it
Install Webform
Observe that Webform 6.3.0-alpha2 was installed, which is not covered by SA policy

Proposed resolution

Show the SA coverage icon based on the release/branch going to be installed, not globally

๐Ÿ› Bug report
Status

Active

Version

2.0

Component

Code

Created by

๐Ÿ‡ธ๐Ÿ‡ฐSlovakia poker10

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupalโ€™s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the โ€œReport a security vulnerabilityโ€ link in the project pageโ€™s sidebar. See how to report a security issue for details.

Sign in to follow issues

Comments & Activities

  • Issue created by @poker10
  • Comment 13 days ago โ†’
    ๐Ÿ‡ฌ๐Ÿ‡ทGreece vensires
  • First commit to issue fork.
  • Comment 10 days ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States chrisfromredfin Portland, Maine

    Things that make this hard:

    (1) the security coverage IS itself a project-level flag on Drupal.org - whether or not that project is opted in. The fact that you are getting an uncovered 3x is more about the governance rules of what gets actual reviews (green releases only)

    (2) whether or not. you get the "green" or "yellow" can actually depend on your composer config - whether you allow beta releases, for example.

    I'm not sure if we can just educate users around this or if there's something more drastic that might need to happen. I'm not really convinced it's a true security issue, it feels like a UX issue.

  • Comment 10 days ago โ†’
    ๐Ÿ‡ช๐Ÿ‡ธSpain fjgarlin

    Agree, which version of the module you get will be based on the composer.json configuration. Right now the opt-in is a project-wide setting, so I'm not sure we can do something about this. Perhaps Package Manager can detect the composer.json configuration that would allow for non-stable packages and throw a warning in the page?

  • Comment 10 days ago โ†’
    ๐Ÿ‡ธ๐Ÿ‡ฐSlovakia poker10

    From the security point of view, there is a policy, that anything non-stable is not covered. If project browser know what is going to be installed (which I suppose it should know), then I think this can be solved.

    Other than that, I think that because of the fact that Drupal CMS includes also alpha versions, the composer.json "minimum-stability": "alpha" is hardcoded, so no, sites may not be aware what will happen, which is not good. For sites using project browser outside of Drupal CMS, it could be/is different.

    Or am I missing something?

  • Comment 10 days ago โ†’
    ๐Ÿ‡ธ๐Ÿ‡ฐSlovakia poker10

    From the Slack discussion:

    The projects on d.o. have this text: "Stable releases for this project are covered..."
    The projects in PB have this text: "Module is covered..."

    So one possible way how to at least lower the impact here is to change the text to match the Drupal Security Team policy.

  • Comment 10 days ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States greggles Denver, Colorado, USA

    IMO this is a critical bug, so adjusting priority.

  • Comment 10 days ago โ†’
    ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom catch
  • Comment 8 days ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States drumm NY, US

    None of this should be hard-coded into the client. While there are no changes to the security advisory policy coming up, change is inevitable long-term.

    https://packages.drupal.org/files/packages/8/p2/drupal/token.json has the data and text for each version: "security-coverage":{"status":"covered","message":"Covered by Drupal\u0027s security advisory policy"}

  • Comment 1 day ago โ†’
    ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom catch
  • Comment 1 day ago โ†’
    ๐Ÿ‡ฌ๐Ÿ‡งUnited Kingdom catch

    Agreed with #10 that the policy could change so it would be better to hardcode it. However I also think doing a quick fix to match the current policy might be worth doing anyway, because the final fix seems non-trivial to me.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024