Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
One of the outstanding feature requests of site_audit is #2129415: Add security_review support - integration with Security Review. The submitter seems to have given up / lost interest, but I really would like to see this through and make site_audit more modular. I've been working on #2245239: Allow custom reports and checks to be added and actually have things working now. Going to post a patch in a moment, but let's discuss further!
Comment | File | Size | Author |
---|---|---|---|
#35 | rerolldiff_31-35.txt | 1.98 KB | ayush.khare |
#35 | 2279283-35.patch | 7.7 KB | ayush.khare |
#31 | 2279283-drupal-8-support.patch | 7.74 KB | jroberts |
Issue fork security_review-2279283
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #1
FluxSauce CreditAttribution: FluxSauce commentedComment #2
FluxSauce CreditAttribution: FluxSauce commentedComment #3
coltrane@FluxSauce excellent, this looks pretty good! Some of the check results have specific array structures which aren't standardized so getResultFail() outputs some $values in the report as
Array
.I'm working off your patch to see if I can leverage the check help functions for standardizing the structure so that Site Audit can use it consistently. My anonymous arrays are really becoming a pain in the ass here :(
Comment #4
FluxSauce CreditAttribution: FluxSauce commentedThanks for your time again at DrupalCon Austin! http://cgit.drupalcode.org/site_audit/tree/README.md now includes comprehensive documentation on adding custom reports and checks, let me know if there's anything else I can do to help!
Comment #5
Jaesin CreditAttribution: Jaesin commentedThe "as" alias is already used for the audit_status command. May I suggest "asec".
It would also be nice to have the details text (from /admin/reports/security-review/help/security_review/...) available in the report.
Comment #6
Jaesin CreditAttribution: Jaesin commentedI would also suggest limiting the number of files listed for "File system permissions" unless the --details option is passed.
Comment #7
codi CreditAttribution: codi commented+1 for asec
Comment #8
GrimreaperHello,
I want to test the patch but I have the following error Call to undefined function site_audit_common_options()
If I understand, site_audit is a drush extension ?
Is there a way to add something like
but for drush. Is there a function like "module_exists" but for drush command ?
Even with site_audit downloaded in ~/.drush/site_audit, I can't use drush cc all and any other drush command so I commented the new drush command.
Comment #9
FluxSauce CreditAttribution: FluxSauce commentedDoing some Pacific Northwest Drupal Summit sprinting on this.
Since we last spoke, I've added a Security Report to site_audit, so I've updated the patch accordingly and added a couple changes based on this feedback. If you're going to test this out, please grab the latest version of site_audit first (latest release should work fine).
Really appreciate the feedback, thanks!
I'm particularly keen on moving this forward, especially in light of recent vulnerabilities. Let me know if you have any other questions or concerns!
Comment #10
GrimreaperHello,
I test the patch. You forgot to add the file security_review.site_audit.inc
So I use the one in patch in comment number 1. And I remove the class SiteAuditReportSecurity extends.
And It works fine !!!
Thank you very much.
I attached a new patch with the modifications.
Comment #11
FluxSauce CreditAttribution: FluxSauce commentedWhoops, good catch #10 - thanks! There were a couple other improvements in there, I've re-rolled the patch - correctly this time and included an interdiff.
Comment #12
rocketeerbkw CreditAttribution: rocketeerbkw commentedI used
drush aa --skip=insights --html --detail --bootstrap > site-audit-report.html
and got the latest code from both side audit and security review.When running via Drupal I got "Drupal installation files and directories (except required) are not writable by the server." but running via Drush I got "Some files and directories in your install are writable by the server." Then it listed every file in my Drupal install. This must be because I'm running drush as my user account, which owns all the files.
For text formats check I got "Untrusted users are allowed to input dangerous HTML tags. -Array"
For drupal permissions I got "Untrusted roles have been granted administrative or trusted Drupal permissions. -Array"
When running via Drupal I got "There are Views that do not provide any access checks." but via drush there was no report for views.
Comment #13
FluxSauce CreditAttribution: FluxSauce commentedHi rocketeerbkw, thanks for the bug report! Confirmed several; they can be fixed by executing security_review's internal help system for rendering. I'll figure out a clean way to make that happen. That will sort the Array and no report bugs.
I can replicate this by going to /admin/config/content/formats/full_html and giving Anonymous users the ability to use full HTML.
Replicated by visiting /admin/people/permissions and adding any permission with the label of "Warning: Give to trusted roles only; this permission has security implications." to the anonymous user.
That is actually in security_review itself. If you use
drush secrev --results
you'll see the same result. I suspect that's a "works as designed", but I'd recommend opening a bug report on that separately.Comment #14
heathdutton CreditAttribution: heathdutton commented@FluxSauce this is looking great! You probably have a better solution in the works, but for now I just convert the nested arrays to nested unordered lists (or indented strings). The results aren't the most beautiful, but works consistently:
Comment #15
heathdutton CreditAttribution: heathdutton commentedComment #16
FluxSauce CreditAttribution: FluxSauce commentedI've got time again! Nice fix heathdutton, I've done a couple more tweaks and I'm pretty happy with it. It fully addresses all the outstanding functional issues now.
Comment #17
mparker17I've tested this and it works well. My environment:
security_review-7.x-1.x
at3141b79
site_audit-7.x-1.x
at5b8f832
drops-7
site.... I see the Menu Router, File system permissions, Text formats, Content, Error reporting, Private files, Allowed upload extensions, Drupal permissions, Executable PHP, Drupal base URL, and Temporary files checks, and the output from site_audit matches the output from the security_review UI on the same site.
***
There are a few coding standards errors and DrupalPractice warnings in the new file,
security_review.site_audit.inc
: you can see the output from these two commands in the attached text file,2279283-16-coding-standards.txt
. Note there are existing coding standards and DrupalPractice issues in thesecurity_review.drush.inc
file, BUT not in the code added in this patch (i.e.: this patch does not introduce problems in that file).***
Once the coding standards issues are fixed, this is RTBC from me.
Comment #18
FluxSauce CreditAttribution: FluxSauce at Four Kitchens commentedHi Matt,
Thanks for the review, really appreciate it! Some of those coding standard concerns were legit and I've fixed them, but some are Drupal 8 I believe.
Comment #19
mparker17Great!
Looks like the patch in #18 meets all Drupal 7 coding standards and best practices.
This is RTBC from me now.
Comment #20
AohRveTPV CreditAttribution: AohRveTPV commentedIf you want some superficial documentation standards feedback:
- Verb in summary sentence should be third-person singular present tense (i.e., "generates").
- Missing param type "array" for $array. It is obvious given the variable name but I think it is supposed to be indicated.
- Supposed to be blank line (beyond asterisk) between
@param
and@return
. ("Some tags also trigger paragraph breaks: @param, @return, @see, @var.")- Grammar: "a unordered" -> "an unordered"
See: https://www.drupal.org/coding-standards/docs
Comment #21
FluxSauce CreditAttribution: FluxSauce at Four Kitchens commentedThanks for the feedback, AohRveTPV; I had already addressed most of those, but I didn't get the method description - good catch! Updated, and I also added a paragraph to the README.txt. No functional changes.
Comment #22
FluxSauce CreditAttribution: FluxSauce at Four Kitchens commentedCaught a typo in the instructions.
Comment #23
dsnopekThanks, @FluxSauce! This works great in my testing! Committed. :-)
Comment #25
FluxSauce CreditAttribution: FluxSauce at Four Kitchens commentedFantastic, thank you very much! Also, welcome to the project!
Comment #26
dsnopekThanks!
Actually, I just noticed that there's a D8 version of site_audit. We should probably port this to the 8.x branch of security_review! Updating issue status...
Comment #27
FluxSauce CreditAttribution: FluxSauce at Four Kitchens commentedYou want help with that or you got it?
Comment #28
dsnopekHelp would be appreciated! :-) There's some other things in the queue I was planning to work on before circling back to digging into this.
Comment #29
fuzzy76 CreditAttribution: fuzzy76 commentedNeither 7.x-dev or a stable release since the commit to D7. Is a release with this far away?
Comment #30
dsnopekIt's been a really long time since the last release, and there's some good improvements in 7.x-1.x-dev... I'll discuss with the other maintainers!
Comment #31
jroberts CreditAttribution: jroberts at DesignHammer commentedI've rolled a version of @FluxSauce's patch against the 8.x-1.x branch of Security Review. This enables integration between Site Audit 8.x-2.x-dev
and Security Review 8.x-1.x-dev.
Comment #32
vuilThe patch needs to be updated to Site Audit 8.x-3.x version. I also hide the previous patch.
Comment #33
SocialNicheGuru CreditAttribution: SocialNicheGuru commentedany update on this for 3.x site audit version?
Comment #34
smustgrave CreditAttribution: smustgrave commentedIf this is still a valid feature request think we will need a reroll.
Comment #35
ayush.khare CreditAttribution: ayush.khare at OpenSense Labs for DrupalFit commentedReroll of #31 for 2.0.x.
Comment #36
smustgrave CreditAttribution: smustgrave commentedDid you check to see if this integrates with site audit? They appear to use plugins now and don’t think this solution works. Also there are additional tests that were excluded.
Comment #37
smustgrave CreditAttribution: smustgrave commentedIs this still a desired feature?
Comment #38
smustgrave CreditAttribution: smustgrave commentedClosing out. If still a desired feature please reopen.