Closed (won't fix)
Project:
Drupal.org security advisory coverage applications
Component:
module
Priority:
Minor
Category:
Task
Assigned:
Unassigned
Reporter:
Created:
4 Apr 2025 at 12:20 UTC
Updated:
20 Apr 2026 at 16:43 UTC
Jump to comment: Most recent
Comments
Comment #2
vishal.kadamComment #3
avpadernoThank you for applying!
Please read Review process for security advisory coverage: What to expect for more details and Security advisory coverage application checklist to understand what reviewers look for. Tips for ensuring a smooth review gives some hints for a smoother review.
The important notes are the following.
To the reviewers
Please read How to review security advisory coverage applications, Application workflow, What to cover in an application review, and Tools to use for reviews.
The important notes are the following.
For new reviewers, I would also suggest to first read In which way the issue queue for coverage applications is different from other project queues.
Comment #4
avpadernoI do not have time for a full review, but the following point needs to be fixed.
Projects hosted on drupal.org are licensed under GPLv2+, the same license used from Drupal core. If you are licensing a project under a different license, it cannot he hosted on drupal.org. More details are given in Drupal Git Contributor Agreement & Repository Usage Policy.
For code licensed under GPLv3, see See I want to release my work under GPL version 3 or under GPL version 2-only. Can I do so and host it on Drupal.org?
Comment #5
avpadernoFurthermore, is the account used to create this application a shared account?
Comment #6
srtmdev commentedHello,
I updated the license term in readme.md from GPLv3 to GPLv3 or later. Please look into the matter and try to resolve my issue as soon as possible.
Comment #7
avpadernoIt must be GPLV2-or-later. It still is GPLv3.
I also asked if the account used to create this application is a shared account.
Comment #8
srtmdev commentedHello,
I updated the license term in readme.md from GPLv3 or later to GPLv2 or later.
Comment #9
avpadernoThe question about the account is still without answer.
Comment #10
avpadernoComment #11
srtmdev commentedHello,
Initially it was an shared account, but not now.
Comment #12
srtmdev commentedHello,
Please verify the project license. It's not under the GNU General Public License v3.0 only.
Comment #13
avpadernoMay you put your first name and last name on your account?
Remove also the 1.1.1-rc1 branch, which has the wrong name.
Comment #14
srtmdev commentedHello,
Removed the 1.1.1-rc1 branch from drupal's git lab account.
Comment #15
avpadernoComment #16
srtmdev commentedNo, I didn't provided my first name and last name on account.
Comment #17
srtmdev commentedHello,
when our project is going to Opt into security advisory coverage?
Comment #18
avpadernoYou need to put your first and last name on your account.
Comment #19
srtmdev commentedHello,
Updated the first name and last name in account.
Comment #20
srtmdev commentedHello,
When our project is going to Opt into security advisory coverage?
Comment #21
avpadernoComment #22
avpadernomandatly_cookie_compliance.module
\Drupal::logger('mandatly_cookie_compliance')->notice('mandatly_cookie_compliance_page_attachments triggered');Remove any debugging code, such as the lines logging when a hook is invoked.
Translatable strings do no concatenate strings but use placeholders.
src/Controller/BannerController.php
Since that class does not use any method from the parent class, it does not need to use
ControllerBaseas parent class. Controllers do not need to have a parent class; as long as they implement\Drupal\Core\DependencyInjection\ContainerInjectionInterface, they are fine.That description is not for that method.
The description of the return value is missing.
Any dependency must be injected using the dependency injection container, except in the case the dependency is used only from static methods.
There is no need to use a controller to show a form. A form can be associated to a route.
src/Form/SettingsForm.php
Any text shown in the user interface must be translatable.
There is no need to use
$this->configFactory()when there is$this->config().Comment #23
vishal.kadam1. FILE: README.md
The README file is missing the required sections - Requirements, and Configuration.
2. FILE: mandatly_cookie_compliance.info.yml
core_version_requirement: ^9 || ^10 || ^11FILE: composer.json
"drupal/core": "^8 || ^9 || ^10 || ^11"Inconsistent drupal core dependencies.
3. FILE: mandatly_cookie_compliance.module
The usual description for a .module file is “Hook implementations for the [module name] module”, where [module name] is the module name given in the .info.yml file.
The correct doc comment is "Implements hook_preprocess_page()".
4. FILE: css/toggle-switch.css
Twig code needs to be correctly indented. Drupal uses two spaces for indentation, not four spaces or tabs.
5. FILE: src/Controller/BannerController.php
// $form = $this->formBuilder->getForm('Drupal\mandatly_cookie_compliance\Form\HeaderForm');Remove commented code.
Comment #24
srtmdev commentedI updated the module. Now Please verify it and try to resolve my issue as soon as possible.
Comment #25
vishal.kadamFILE: README.md
The README file is still missing the required sections - Requirements, and Configuration. It should follow the content and formatting described in README.md template.
FILE: mandatly_cookie_compliance.module
The documentation comment for
hook_page_attachments()is currently missing. It should be added separately and not merged with the module’s general description to maintain clarity and follow Drupal coding standards.Comment #26
srtmdev commentedI updated the module as per your comment. Now Please verify it and try to resolve my issue as soon as possible.
Comment #27
vishal.kadamComment #28
srtmdev commentedHello,
When our project is going to Opt into security advisory coverage?
Comment #29
cmlara@srtmdev I suggest reading the links in #3
Specifically in the what to expect:
There is no Service Level Agreement(SLA) in this process.
The application will be processed, when is a 'wait and see', it could be today, it could be several months before anyone makes another review. Following the priority steps listed in the links given may reduce the amount of time waiting, although there is no gurantee it will.
Note that the process does not enroll your project in the security advisory opt in process, it tests a developer(yourself) to have the permission to do so. It is not the module being tested here, it is yourself as an individual and if/when process completes you will opt the project in not the reviewers in this queue.
I'm assuming based on your issues that your primarily doing this so that the company module is not subject to D.O. suggesting users publicly disclose security vulnerabilities, if so you are unfortunately caught in a portion of D.O. that is not very corporate or security industry friendly and will just have to 'wait it out'.
Comment #30
rushikesh raval commentedI am changing priority as per Issue priorities.
Comment #31
bbu23It seems to me that this module contains too few code to be able to properly review.
Though at a first quick look, here are some of the issues that I noticed. These issues do not reflect everything:
There are still phpcs errors (Standard and Practice), with many
\Drupalcalls instead of dependency injection. There are also some questionable choices like the following lines in the form'ssubmitForm:The module is working with configuration, but there's no schema definition and no default configuration.
A better choice for the module package would be
package: User interface.There's no help page.
Comment #32
avpadernoI am changing priority as per Issue priorities.
Comment #33
avpadernoThis thread has been idle, in the needs work state with no activity for some months.
May you confirm you are still pursuing this application? If this is the case, and you made commits basing on what previously reported, or you can answer the questions previously asked, please change the status to Needs review.
Comment #34
avpadernoThis thread has been idle, in the Needs work state with no activity for about six months or more; the application has been created about 11 months ago or more. Therefore, I marked it as Closed (won't fix).
If this is incorrect, and you are still pursuing this application, please feel free to re-open it and set the issue status to Needs work or Needs review, depending on the current status of your code.
Comment #35
avpaderno