How should Drupal sites best track 3rd party vulnerabilities?

Events happening in the community are now at Drupal community events on www.drupal.org.
You are viewing a wiki page. You are welcome to join the group and then edit it. Be bold!
Posted by greggles on September 6, 2019 at 8:01pm
Last updated by mxr576 on Tue, 2023年05月30日 06:45

In Various 3rd Party Vulnerabilities - PSA-2019年09月04日 the Drupal Security Team has clarified that 3rd party vulnerabilities will generally not make announcements about vulnerabilities in 3rd party code that is depended on by modules or themes that are hosted on drupal.org.

How can it be checked?

How to check javascript libraries?

How to check php code?

For libraries pulled in with composer:

Comments

Drupal is secure?

Posted by fen on September 6, 2019 at 9:19pm

I have been having a conversation about this with colleagues as we have clients for which we are to provide a level of confidence that the code we deliver is secure. I trust the Drupal security team, so Drupal is secure - at least until you run composer and pull in third party libraries. Even if I trust those libraries, what about the libraries they pull in? All it takes is one small, mom+pop code repository to get corrupted and all bets are off. We've seen this happen multiple time with npm packages...

Nothing can be completely secure, but we're considering a virtual cache of packages perhaps based on Artifactory or Nexus where we can run basic CVE and code-quality scanners on new packages that our developers want, and mark previously scanned packages as OK. It won't be perfect, but at least we'll have some basis for making the statement "we've done due diligence and believe these packages to be secure."

Ideally, Drupal.org or Acquia would provide such a service, of course with serious legal disclaimers that they are not guaranteeing that the code is secure, but that it has been checked for known vulnerabilities and CVEs.

Until we or they provide such a service, we're all just crossing our fingers.

Documentation on d.o

Posted by vijaycs85 on September 6, 2019 at 9:58pm

Hi,

I have added few pages to track external libraries used in Drupal 8 core. It is created agains 8.7.x and probably outdated in terms of version, but provides the list of libraries. We also have Drupal security advisories to block installing packages with security issues at composer level.

Thank you!

Posted by fen on September 7, 2019 at 1:21am

This is very helpful.

Don't want to lose this Slack History

Posted by generalredneck on September 11, 2019 at 4:40pm

The following was a slack conversation on this... going to stick the conversation here so it's a little more permanent. Formatting isn't beautiful, but mejor que nada.

julia_k Sep 6th at 9:39 AM
Does anyone have any suggestions for monitoring 3rd party library security advisories?

Luke Leber:speech_balloon: 5 days ago
https://github.com/sensiolabs/security-checker may be able to be plumbed into your CI pipeline.
sensiolabs/security-checker
PHP frontend for security.symfony.com
Website
https://security.symfony.com
Stars
1710
https://github.com/sensiolabs/security-checker|sensiolabs/security-checkersensiolabs/security-checker | Feb 1st, 2013 | Added by GitHub
:+1:
1

Luke Leber:speech_balloon: 5 days ago
Similarly, there's a https://www.npmjs.com/package/audit-ci project for node.
npmnpm
audit-ci
Audits npm and yarn projects in CI environments
:+1:
1

greggles 5 days ago
Github does it for some libraries, but not PHP https://help.github.com/en/articles/about-security-alerts-for-vulnerable...

cilefen:sunny: 5 days ago
Isn’t npm audit built in?

MiSc 5 days ago
@cilefen - depends on version of node used in a project.

cilefen:sunny: 5 days ago
retire can scan JS libraries that were not installed with a package manager: https://www.npmjs.com/package/retire
npmnpm
retire
Retire is a tool for detecting use of vulnerable libraries

julia_k 5 days ago
Thanks, everyone! Will check out these suggestions

Lisa Ridey 5 days ago
I’ve been using roave/security-advisories to check for vulnerabilities in third party libraries, with good success.

cilefen:sunny: 5 days ago
AFAIK roave only checks when dependencies change, it isn’t a scanner of existing dependencies: "its only purpose is to prevent installation of software with known and documented security issues"

Lisa Ridey 5 days ago
@cilefen Yes, you need to implement it when you initialize your project.

cilefen:sunny: 5 days ago
I just want to be absolutely clear that roave prevents installing libraries with known security issues but doesn’t scan for existing ones.

greggles 5 days ago
So roave wouldn’t work for a library that is being used on a site and then gets a newly detected problem. That is a very common scenario, I think.

Lisa Ridey 5 days ago
@greggles I believe it rescans on composer update

greggles 5 days ago
Yes, it does seem to. Thanks for clarifying. It’s an interesting strategy, but these nuances make me a bit wary of it.

cilefen:sunny: 5 days ago
The best one IMO these days is the symfony command.

cilefen:sunny: 5 days ago
I refer to https://symfony.com/download, which is newer than the symfony security-checker... for one thing it caches so you can check many 10s of projects quickly and not trigger an API usage error

Interesting tools, thanks.

Posted by robertoperuzzo on September 12, 2019 at 7:07am

I think my comment on another

Posted by mxr576 on May 31, 2021 at 9:03am

I think my comment on another issue is already related to this:
https://groups.drupal.org/node/535733#comment-1165465

Drupal Dependency Quality Gate Composer Audit plugin

Posted by mxr576 on May 30, 2023 at 6:46am

Added a reference to my Composer Audit extension that cover Drupal projects better than Composer Audit can OOTB.

https://packagist.org/packages/mxr576/ddqg-composer-audit

Security

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /