Suggestion for: (3469565) Security Team Members

Created on 31 January 2025, 2 months ago

Documentation location/URL

https://www.drupal.org/dashboard

Problem/Motivation

I have six Drupal Government websites I monitor security for. There is no way I can get one list of all the modules I have subscribed to for email updates. I cannot run a script to scrape the data of the Drupal.org website. Etc. There are hundreds of modules used over these sites.

Proposed resolution

A table of all the modules where I can see things like:
Module -
Name (With link to the Project's webpage.)
Latest Supported Version(s)
Drupal Versions Supported
Brief Description
Last Updated
Obsolete - If the project is deprecated.
If the project is not covered by the security advisory policy.
It would be great if I could have a way to tag or put notes on what site the module is used.

Remaining tasks

Feature request

Status

Active

Component

New documentation

Created by

🇺🇸United States davidwise

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.


Comments & Activities

  • Issue created by @davidwise
  • 🇮🇹Italy apaderno Brescia, 🇮🇹

    This issue queue is for changes that should be done in documentation pages.

    What is described here is not related to https://www.drupal.org/node/3469565, as the title suggests. It is rather a support request about getting a list of modules to which to subscribe to get email updates, which can be answered in Drupal Slack or in the forums.

  • 🇺🇸United States davidwise

    Ciao Alberto,

    Thank you for your reply. I am not a developer myself, but I work in a security role overseeing multiple Drupal websites—currently tracking 311 contributed modules.

    I have subscribed to emails, but keeping track of module versions, deprecated projects, and security coverage is challenging. Mostly the emails have "Bug report", "Feature request", "Support request", etc. Specifically, I am interested in:

    - Identifying obsolete/deprecated modules.
    - Monitoring the latest versions and update timelines.
    - Knowing which modules are not covered by the Drupal security advisory policy—those flagged as “Use at your own risk!”

    Since web scraping isn’t allowed on the drupal.org website, I manually maintain a Microsoft List for tracking, but it quickly becomes outdated. My columns include things like the module name, latest versions (D7, D9, D10), release dates, security coverage, project type, and notes.

    A process improvement suggestion that could add value to the Drupal community:
    Would Drupal.org consider offering a custom module tracking dashboard? This would allow subscribed users to view all their selected contributed modules in one place, with filters for security status, deprecated projects, or unsupported versions (e.g., D7 modules not available in D10/11).

    A centralized Drupal Module Status Dashboard would significantly enhance security tracking and maintenance for customers managing multiple sites.

    Thanks again, Alberto! I’d love to hear your thoughts and if you have any suggestions on where I can post this request.

  • 🇺🇸United States cmlara

    This sounds like it could go into Drupal.org Customization as a new feature for the website or at least perhaps some additions to the Update Status module in Drupal Core.

    Re-opening and transferring queue for a proper review.

    > I can not run a script to scrape the data of the Drupal.org website.

    Why not? (This data is available via various APIs.) (I'm not saying making everyone do this is the best method, however I'm sure this would be asked so should at least have an answer for the D.O. developers ready.)

  • 🇺🇸United States drumm NY, US

    I recommend using composer audit, which will include advisories from Drupal.org, and elsewhere for your non-Drupal dependencies.

  • 🇺🇸United States davidwise

    Thanks avpaderno, cmlara, and Drumm -

    I am not a developer or a sys admin, but in a security role between management and the development team. We basically use an in-house private Platform as a Service (PaaS). (So I cannot run commands on PHP, I don't have access to the LAMP stack, etc.) My main role is with security compliance, documentation, processes, etc.

    I have built a Microsoft SharePoint List of the modules manually getting the modules from the configuration files I got from our code management solution. (I uploaded a screenshot of what I built for tracking.) This took hours of work and is quickly outdated as modules are updated (both on our websites, and on the Drupal.org side.) I have subscribed to all the 300+ project emails but the emails don't easily provide the data that I am looking for. (Feature Request and bug tracking, etc.)

    I did try to see if I could scrape the data of the 300+ modules via the project pages using Microsoft PowerShell (since it is included on all Windows systems and I do not have administrator rights to my Government computer). But the websites will give an error about using methods such as this to try and scrape the data. I was not aware of any APIs or composer audit.

    The API could be the preferred solution since I could possibly create a csv file of the data needed and then use it (maybe with Microsoft Power Automate) to update the SharePoint List.

    My goals are to track/know:

    1. The modules we use in our organization and on what system those modules are used on.
    2. The latest information on the module such as the latest supported version, latest update date.
    3. What Drupal versions are supported on the module.
    4. If the module is obsolete and/or if the module is deprecated.
    5. If the project is not covered by the Drupal security advisory policy.

    I think it would be great if the Drupal Security dashboard would allow me to have a table with 2-5. If there was a way to put my own notes in (or my own tags), I could mark #1, so I could tell what sites have the modules.

    If you can provide me details on how to use the API to get the data, I might be able to script a solution to save the data to Microsoft Excel.

  • 🇺🇸United States drumm NY, US

    The API Composer uses for security advisories is described at https://packagist.org/apidoc#list-security-advisories if you need to implement it outside of using Composer. Drupal.org packages are installed via packages.drupal.org, so the API endpoint is for example https://packages.drupal.org/8/security-advisories/?packages[]=drupal/core

    The APIs used by Composer also have additional metadata, for example https://packages.drupal.org/files/packages/8/p2/drupal/token.json.

    Update status used by Drupal is backed by API requests like https://updates.drupal.org/release-history/token/current
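
The security-advisories endpoint mentioned in the last comment can be flattened into the CSV requested earlier in the thread. The PowerShell below is an added example, not part of the thread and not Drupal.org's own code. It assumes the Packagist response shape (advisories keyed by package name); the sample response, the `$SiteNotes` lookup and the output file name are constructed or hypothetical.

```powershell
# Added example, not from the thread. $sampleJson is CONSTRUCTED data in the
# shape of the Packagist "list security advisories" response; the ids, titles
# and links are placeholders, not real advisories.
$sampleJson = @'
{"advisories": {
  "drupal/example_module": [
    {"advisoryId": "EXAMPLE-0001", "packageName": "drupal/example_module",
     "title": "Example module - Access bypass (constructed)",
     "link": "https://example.invalid/advisory-placeholder", "cve": null,
     "affectedVersions": ">=1.0.0,<1.2.3", "reportedAt": "2025-01-15 17:00:00"}
  ],
  "drupal/other_example": []
}}
'@

# Build the query URL in the form shown in the thread (packages[]=...).
function Get-AdvisoryUrl {
    param([string[]]$Packages)
    $query = ($Packages | ForEach-Object { "packages[]=$_" }) -join '&'
    "https://packages.drupal.org/8/security-advisories/?$query"
}

# Flatten the response to one row per advisory. $SiteNotes is a hypothetical
# lookup (package name -> sites using it) kept by the reader, not API data.
function ConvertTo-AdvisoryRow {
    param([string]$Json, [hashtable]$SiteNotes = @{})
    $data = $Json | ConvertFrom-Json
    # Assumption: an empty result may arrive as a list instead of an object.
    if ($null -eq $data.advisories -or $data.advisories -is [array]) { return }
    foreach ($pkg in $data.advisories.PSObject.Properties) {
        foreach ($adv in @($pkg.Value)) {
            [pscustomobject]@{
                Package          = $pkg.Name
                AdvisoryId       = $adv.advisoryId
                Title            = $adv.title
                AffectedVersions = $adv.affectedVersions
                ReportedAt       = $adv.reportedAt
                Link             = $adv.link
                UsedOnSites      = $SiteNotes[$pkg.Name]
            }
        }
    }
}

# Offline run on the constructed sample; writes a CSV for Excel or a list import.
$notes = @{ 'drupal/example_module' = 'site-a; site-c' }   # constructed site names
ConvertTo-AdvisoryRow -Json $sampleJson -SiteNotes $notes |
    Export-Csv -Path .\drupal-advisories.csv -NoTypeInformation

# Live use (needs network access to packages.drupal.org):
# $url  = Get-AdvisoryUrl -Packages 'drupal/core', 'drupal/token'
# $json = (Invoke-WebRequest -UseBasicParsing -Uri $url).Content
```

Packages with no advisories produce no rows, so an empty CSV for a package means nothing was listed for it, not that the project is covered by the security advisory policy.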
