Automatic checking of modules security states

We encourage users to post events happening in the community to the community events group on https://www.drupal.org.
Anonymous's picture
Posted by Anonymous on August 25, 2017 at 12:02pm

Hi all

I'm running more and more sites on D7 and D8 and nedd a way to automatically check if all the hundreds modules these sites are running are safe (to me it means stable version, enough installs, actively maintained, no known vulnerabilities).
By now I haven't found a way to do so other tha uglyly parsing html found on https://www.drupal.org/security and https://www.drupal.org/project/project_module

Has anyone tried before?

Maybe the Drupal security team (as they have it all in their DB) could provide these data through a Rest API or at leas a csv file.

Hope I'm not the only one to look forward it!

Best regards

Comments

Hi!

Posted by jlbellido on August 25, 2017 at 12:13pm
jlbellido's picture

I think you can use the API provided by Drupal.org to check the project information.

For instance for the project devel : the call would be :

https://www.drupal.org/api-d7/node.json?field_project_machine_name=devel

You would find in the response the value for the field "field_security_advisory_coverage"

More info aqbout the API is available at : https://www.drupal.org/drupalorg/docs/api

With that information you would be sure you will get notifications about new security releases for those modules.

I hope this helps.

The core "update" module

Posted by dsnopek on August 25, 2017 at 1:03pm
dsnopek's picture

EDIT: Oops! I just realized I misread the question. The answer above mine is better. Sorry for the noise!

The core "update" module accesses some XML documents under http://updates.drupal.org/release-history that can be used to determine if a project at a particular version needs a security update. Other than looking at the "update" module, though, that "API" is not really documented.

There's some existing tools for aggregating this data for the modules used on multiple sites, like:

https://www.drupal.org/project/drd

As well as some commercial ones like:

http://dropshark.io/

https://lumturio.com/

That way you can see what updates are needed across all your sites at once!

I think the release history

Posted by greggles on September 12, 2017 at 6:53pm
greggles's picture

I think the release history from updates.drupal.org is still very useful and relevant to this goal.

Another thought is to use drush and the pm-updatestatus command or similar commands.

This can be used by code by using --format=json and then to focus on security use the --security-only flag.

knaddison blog | Morris Animal Foundation

I've heard good things about

Posted by loopduplicate on August 25, 2017 at 3:55pm
loopduplicate's picture

I've heard good things about Evercurrent too, if you don't feel like rolling your own solution out:
https://www.drupal.org/project/evercurrent

Thanx to all

Posted by François R (not verified) on September 13, 2017 at 3:40pm
François R's picture

Hi guys sorry for this late thanx, big rush over here!
Picking ideas in your answers, I found a way to reach my goal, fires tests seem pretty OK but I need to tune it. I'll get back here when it will be fine to give you feedback (anbnd ideas?!!)
Bye