A community-driven database of known security vulnerabilities in Drupal packages sourced from drupal.org using the OSV format.
The data is primarily sourced using the drupal.org REST API.
This database can be used by any tool that supports ingesting OSV advisories.
If you are using osv-detector, you
can configure this database as an
extra database:
extra-databases:
- url: https://github.com/ackama/drupal-advisory-database/archive/refs/heads/main.zip
name: Drupal Advisory Database
working-directory: 'drupal-advisory-database-main/advisories'Advisories are managed through a series of Python scripts that live in the
scripts directory - to use these, you need to install the dependencies listed
in pyproject.toml using
poetry.
# 1. download the Drupal SA advisories from drupal.org
poetry run scripts/download_sa_advisories.py
# 2. download nodes from drupal.org related to the advisories
# (this is not required, but will significantly improve performance of the next step)
poetry run scripts/precache_nodes.py
# 3. generate the OSV advisories based on the Drupal advisories
poetry run scripts/generate_osv_advisories.pyA GitHub Actions workflow runs regularly to regenerate the advisories, opening a pull request if there are changes.
Before being landed the changes should be reviewed for accuracy especially with
the version constraints and ranges - these will usually be flagged by the
generation script as warnings included in the database_specific sections of
the advisories where relevant.
If an advisory does have a warning, you should aim to have it addressed using
patches.toml described in the next section. This can be done by either pushing
a new commit directly to the pull request branch, or through a new pull request
after landing the changes to the advisories.
Sometimes an advisory will have incorrect data, such as an affected version
range which is syntactically or semantically incorrect; these can be temporarily
addressed by adding a "patch" for the impacted advisory to the
patches.toml file in the root of this repository.
When patching an advisory, you need to provide a tuple assigned to the SA advisory property whose value you wish to replace - the first element in the tuple should be the current value, and the second element should be the replacement value. The patch will only be applied if the current value matches to ensure patches don't mistakenly undo upstream changes (which hopefully are the result of the incorrect data being fixed!)
Note
Currently, the patcher only supports the field_affected_versions property
since that's the only property we've needed to patch; feel free to add support
for additional properties when needed
The generator will mark advisories that have been patched to make it clear that
has happened; it will also attempt to identity some types of issues with the
data, which will be captured as warnings.