On all projects on the menu on the right hand side, we have "Report a security vulnerability". For projects that have not opted in, we should redirect this to the public issue queue. If we could display a message at the top indicating why they are taken there, that would be even better, if not we could just remove the link.

Comments

mlhess created an issue.

drumm:

> we could display a message at the top indicating why they are taken there

That is doable.

greggles:

One more useful idea would be to have a "Component" for Security or some other way to help categorize these items across projects (e.g. an issue tag). Can issue tags be pre-populated from the URL?

drumm:

greggles:

They should probably also default to critical.

Another thought (not sure where to capture) is that a maintainer should not be able to opt-in to security advisory coverage if they have an open public security issue in their module.

drumm:

> Another thought (not sure where to capture) is that a maintainer should not be able to opt-in to security advisory coverage if they have an open public security issue in their module.

That should be a separate drupalorg issue.

> They should probably also default to critical.

I’m also going to have it default to the issues being bugs.

drumm:

Status: Active » Needs review

This is running on https://drumm-drupal.dev.devdrupal.org for testing, and I’ve committed it to the dev branch, based on mlhess’s initial work.

mlhess:

Status: Needs review » Needs work

I looked at

  1. Reporting an issue to Drupal core, I was redirected as I should be
  2. Reporting an issue to field_collection, I was taken to the public issue queue as I should be
  3. Reporting an issue on Drupal Core in the public issue queue, I was given the warning that this is not the place to report security issues

However, reporting an issue on a sandbox, results in an ugly exception.

https://drumm-drupal.dev.devdrupal.org/node/add/project-issue/2662180?ta...

drumm:

Status: Needs work » Needs review

Fixed the exception for projects with no releases.

mlhess:

Status: Needs review » Reviewed & tested by the community

Looks good to me.

  • drumm committed 55ec004 on 7.x-3.x
    Issue #2861822: Handle projects with no releases
    
  • drumm committed 9330854 on 7.x-3.x
    Issue #2861822 by drumm, mlhess: Redirect the Report a security...

drumm:

Status: Reviewed & tested by the community » Fixed

This has been deployed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.