Problem/Motivation

Security.Drupal.org will be replaced by a system that does not use Drupal. Security advisory drafting can move to www.drupal.org, where we already have an advisory content type. It is currently used by security team members to copy/paste the advisory on release day. Instead, maintainers can do the drafting right on www.drupal.org, eliminating the copy/paste step, so everyone can focus on advisory content.

Remaining tasks

  • Complete remaining prerequisites: #3485753: Assign security advisory ID and creation date on publish, #3485756: Add by usernames for security advisory credit fields
  • Limit access to the publishing, "is PSA", advisory ID and CVE ID fields to security team members at all times
  • Add a URL field to keep track of the security issue; this will help provide options for crediting later. It should be filled from a query argument, so the field widget can be read-only. Field access control should allow no one to view it; it is only reachable through the edit form
  • Once published, limit editing to security team members
  • Before publishing, allow editing by security team members, and maintainers of the project
  • Update documentation and any integrations
  • Make sure validation before advisory creation first checks that the current user is a maintainer of the project filled from the URL query parameter, and only then checks that the issue filled from the query parameter belongs to that same project. Enumerating in-progress security issues should not be possible.
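As an added illustration of the validation order in the last task (example code, not drupalorg's own), here is a Drupal 7 style form validation handler. The three helper functions named in the comments are assumed placeholders, and the query argument names `project` and `issue` are assumptions as well.

```php
<?php
// Added example, not drupalorg's own code. Assumes the Drupal 7 form API and
// three hypothetical helpers (placeholders for whatever the site provides):
//   drupalorg_is_security_team_member($account): bool
//   drupalorg_user_maintains_project($account, $project_nid): bool
//   drupalorg_load_security_issue($url): array with 'project_nid', or NULL

/**
 * Form validation handler for the advisory draft form.
 *
 * The two query arguments prefill read-only widgets, so they are re-read
 * from $_GET here rather than trusted from the submitted form values.
 */
function drupalorg_security_advisory_draft_validate($form, &$form_state) {
  global $user;
  $project_nid = isset($_GET['project']) ? (int) $_GET['project'] : 0;
  $issue_url = isset($_GET['issue']) ? (string) $_GET['issue'] : '';

  // One message for every failure path: the response must not reveal
  // whether an in-progress security issue exists for some other project.
  $denied = t('You cannot draft an advisory for this project and issue.');

  // Step 1: authorise on the project alone, before the issue is looked up.
  // A user who maintains nothing relevant never reaches the issue lookup.
  $authorised = drupalorg_is_security_team_member($user)
    || drupalorg_user_maintains_project($user, $project_nid);
  if (!$project_nid || !node_load($project_nid) || !$authorised) {
    form_set_error('', $denied);
    return;
  }

  // Step 2: only now resolve the issue, and require it to belong to the same
  // project the user was just authorised for. An issue from another project
  // gets exactly the same generic error as a missing issue.
  $issue = drupalorg_load_security_issue($issue_url);
  if (!$issue || (int) $issue['project_nid'] !== $project_nid) {
    form_set_error('', $denied);
    return;
  }

  // Carry the verified values forward so the submit handler never re-reads
  // the query string and cannot be fed different values than were checked.
  $form_state['storage']['project_nid'] = $project_nid;
  $form_state['storage']['security_issue_url'] = $issue_url;
}
```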

Issue fork drupalorg-3485758


Comments

drumm created an issue. See original summary.

  • drumm committed adb48ee4 on 7.x-3.x
    Issue #3485758: Add GitLab security issue tracking to security...
drumm’s picture

Remaining work:

  • On D10 - add a prompt to draft a security advisory to the comment posted on security issue posting
  • D7 - update permissions so security team members can create & update drafts

greggles’s picture

It took me a second to understand the idea, but I think this will be a good improvement. Thanks for your effort on it.

  • drumm committed 180bd406 on 1.0.x
    Issue #3485758: Add note to security issue when Security advisory::...
drumm’s picture

Much of this is ready to test, but could use some documentation. Examples of it in action are at:

https://git.drupalcode.org/security/1-drupalorg-security/-/issues/1
https://git.drupalcode.org/security/2-drupalorg-security/-/issues/1

The remaining work on D7 is now to update permissions so project maintainers can create & update drafts, including various field permissions to limit some fields to the security team members only.

  • drumm committed e92e598e on 7.x-3.x
    Issue #3485758: Limit viewing security advisory revisions

  • drumm committed 99e77141 on 7.x-3.x
    Issue #3485758: Allow project maintainers to create...

  • drumm committed 62acd323 on 7.x-3.x
    Issue #3485758: Set a random URL alias for draft security advisories...

  • drumm committed 0dea1d3e on 7.x-3.x
    Issue #3485758: Allow project maintainers to draft security advisories
drumm’s picture

Assigned: Unassigned » drumm
Status: Active » Fixed

All parts of this are now deployed. It is only active for security issues reported on git.drupalcode.org; there is no integration with the legacy security.drupal.org.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.