On all projects, the menu on the right-hand side has "Report a security vulnerability". For projects that have not opted in, we should redirect this to the public issue queue. If we could display a message at the top indicating why they are taken there, that would be even better; if not, we could just remove the link.
Comments
Comment #2
drumm
That is doable.
Comment #3
greggles
One more useful idea would be to have a "Component" for Security or some other way to help categorize these items across projects (e.g. an issue tag). Can issue tags be pre-populated from the URL?
Comment #4
drumm
Yes, they can: https://www.drupal.org/node/add/project-issue/securitydrupalorg?tags=sec...
Comment #5
greggles
They should probably also default to critical.
Another thought (not sure where to capture) is that a maintainer should not be able to opt-in to security advisory coverage if they have an open public security issue in their module.
Comment #6
drumm
That should be a separate drupalorg issue.
I’m also going to have it default to the issues being bugs.
Comment #7
drumm
This is running on https://drumm-drupal.dev.devdrupal.org for testing, and I’ve committed it to the dev branch, based on mlhess’s initial work.
Comment #8
mlhess (as a volunteer)
I looked at
However, reporting an issue on a sandbox results in an ugly exception.
https://drumm-drupal.dev.devdrupal.org/node/add/project-issue/2662180?ta...
Comment #9
drumm
Fixed the exception for projects with no releases.
Comment #10
mlhess (as a volunteer)
Looks good to me.
Comment #12
drumm
This has been deployed.