Comments

drumm created an issue. See original summary.

  • drumm committed 8bdd400 on 7.x-3.x, dev
    Issue #3068539: Stub out psa.json writing
    
drumm’s picture

https://updates.drupal.org/psa.json is now available hosting the file written by this.

  • drumm committed 82f484b on 7.x-3.x, dev
    Issue #3068539: File management is not necessary here
    

  • drumm committed c3811f7 on 7.x-3.x
    Issue #3068539 by drumm, mlhess: Add field to identify PSAs
    

  • drumm committed 5b88379 on 7.x-3.x
    Issue #3068539 by drumm, mlhess: Updates to use new PSA field
    
  • drumm committed 8741b41 on 7.x-3.x
    Issue #3068539 by drumm, mlhess: Actually generate the psa.json content
    

  • drumm committed d939d97 on 7.x-3.x, dev
    Issue #3068539: Remove legacy forum post PSAs from PSA View
    

  • drumm committed fa7e897 on 7.x-3.x
    Issue #3068539: Purge PSA feed when PSAs are updated
    

  • drumm committed 51bdce7 on 7.x-3.x, dev
    Issue #3068539: Do not show PSAs in core/contrib SA listings
    

drumm credited mlhess.

drumm’s picture

Status: Active » Needs review

This is now deployed. If we were to flag https://www.drupal.org/psa-2019-05-07 with this, https://updates.drupal.org/psa.json would have

[
   {
      "type" : "module",
      "project" : "securitydrupalorg",
      "title" : "Drupal 7 and 8 release on May 8th, 2019 - PSA-2019-05-07",
      "is_psa" : "1",
      "link" : "https://www.drupal.org/psa-2019-05-07",
      "insecure" : [],
      "pubDate" : "2019-09-12T21:35:54+00:00"
   }
]

I think next we should update that SA’s project to Drupal core, so insecure will be populated; and add functionality for writing to a test API endpoint.
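As an added illustration (not code from the issue or from drupal.org), a small downstream consumer of the psa.json shape shown above: it parses the feed, sorts newest first so a poller can stop at the first item it has already processed, and reports installed releases that a PSA names as insecure. The sample feed is constructed, and the assumption that `insecure` entries are release version strings is mine, since the only sample on this page has an empty list.

```python
import json
from datetime import datetime

# Constructed sample in the shape shown in the thread above. The "insecure"
# entries are assumed to be release version strings (assumption: the sample
# on the page has an empty list, so their format is not shown there).
SAMPLE_PSA_JSON = """
[
  {"type": "core", "project": "drupal",
   "title": "Example PSA (constructed)", "is_psa": "1",
   "link": "https://www.drupal.org/psa-EXAMPLE",
   "insecure": ["8.7.0", "8.7.1"],
   "pubDate": "2019-09-12T21:35:54+00:00"},
  {"type": "module", "project": "securitydrupalorg",
   "title": "Drupal 7 and 8 release on May 8th, 2019 - PSA-2019-05-07",
   "is_psa": "1", "link": "https://www.drupal.org/psa-2019-05-07",
   "insecure": [], "pubDate": "2019-09-12T20:00:00+00:00"}
]
"""


def parse_psa_feed(raw):
    """Parse the feed, normalising the string flag and a missing/empty insecure list."""
    items = []
    for entry in json.loads(raw):
        items.append({
            "project": entry["project"],
            "title": entry["title"],
            "link": entry["link"],
            "is_psa": entry.get("is_psa") == "1",
            # "or []" covers both an absent key and an explicit empty list.
            "insecure": set(entry.get("insecure") or []),
            "pubDate": datetime.fromisoformat(entry["pubDate"]),
        })
    # Newest first, so an incremental poller can stop at the first seen item.
    return sorted(items, key=lambda i: i["pubDate"], reverse=True)


def affected_psas(items, installed):
    """Return (project, version, link) for each installed release a PSA lists as insecure."""
    hits = []
    for item in items:
        if not item["is_psa"]:
            continue
        version = installed.get(item["project"])
        if version is not None and version in item["insecure"]:
            hits.append((item["project"], version, item["link"]))
    return hits
```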

  • drumm committed c201f14 on 7.x-3.x, dev
    Issue #3068539: Fix notice when nothing is currently insecure
    
  • drumm committed d880c8f on 7.x-3.x, dev
    Issue #3068539: Add option to write to test endpoint
    
DrCuriosity’s picture

This looks like an excellent initiative, and very much appreciated.

Is there any facility for a PSA item on this API to be updated, once it has been created? If so, it might be useful to include an update timestamp field in the JSON, and be able to sort the PSA items by that field.

My use case for this is a downstream system that tracks updates across a large number of managed Drupal systems, so that we can have a rapid turnaround in situations where patching needs active developer support. Some of our clients have high security assurance needs.

Being able to sort PSA by update time would mean that we could run checks incrementally, rather than having to re-process each item every time we poll the API in order to guarantee that their information is fully up to date.

Lastly, are there any plans for pagination on the API as the number of PSAs grows over time?

Thank you kindly :-)

drumm’s picture

Status: Needs review » Fixed

Documentation for the psa.json endpoint is at https://www.drupal.org/docs/8/update/automatic-updates#s-public-service-....

Is there any facility for a PSA item on this API to be updated, once it has been created? If so, it might be useful to include an update timestamp field in the JSON, and be able to sort the PSA items by that field.

Yes, PSAs may be updated. Notably, the insecure list of releases will be updated to include newly-insecure releases as the related SA is published. We could take the maximum of the PSA updated date and all the insecure releases, but that would keep needlessly updating as release notes are revised. The time a release was marked insecure is only stored in the revision log; going through that is technically possible, but would not be great code to maintain.

The planned use of this API is only for highly critical updates which we hope as many Drupal sites as possible set to automatically update. It does not include all PSAs. I recommend using the existing API https://www.drupal.org/drupalorg/docs/api#s-show-all-thesecurity-advisor... for all recent security advisories. PSAs are nodes with the sa content type, and field_is_psa = 1, which can be filtered on, if needed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.