Open RoSk0 opened 3 years ago
Drupal.org issue to expose fixed in version in advisory API properly https://www.drupal.org/project/drupalorg/issues/2966246 .
Thanks for the update. Up till now there has not been much interest in the Drupal data, so it has languished (as you noticed). We are going to approach this with a two-prong approach.
We are actually in the process of doing a major overhaul of all data collection systems for OSS Index. This is being phased in over time, "old" style Drupal packages are expected to be done by early to mid summer (all going well, maybe earlier if we are really lucky).
The "new" style, being packages in Composer, are further down the pipeline due to the sheer volume of data. In this case we can work on importing the drupal composer packages and matching applicable vulnerabilities in the older OSS Index data system to tide us over. This can be worked on over the next few weeks, and all going well we should start seeing results reasonably soon-ish.
We'll keep you updated as to progress so you can check it out and perhaps even help us make sure everything is being done correctly.
Thanks again.
Thanks for sharing. Looking forwards for updates in this space.
Hi @ken-duck ,
Is there any news on Drupal support?
`drupal` type most probably refers to Drupal modules packaged by https://www.drupal.org/ as archives. While this was a default and preferred way of installing Drupal modules/themes, this is not the recommended/supported way for new projects. https://www.drupal.org/ has its own Composer repository that projects use to install modules with dependencies. Some docs for example: https://www.drupal.org/docs/user_guide/en/install-decide.html , https://www.drupal.org/docs/installing-drupal/step-1-get-the-code . What all of that means is that when you generate an SBOM for a Drupal project that is Composer-managed, all your components would be referred to as `pkg:composer/drupal/group` rather than `pkg:drupal/group`. Ideally, all `pkg:composer/drupal/` components would be linked to their https://drupal.org project page, for example `pkg:composer/drupal/group` => https://www.drupal.org/project/group . Because at the moment you can find some Drupal modules in the Composer ecosystem like https://ossindex.sonatype.org/component/pkg:composer/drupal/plugin & https://ossindex.sonatype.org/component/pkg:composer/drupal/ldap which are both linked to 404 pages on https://packagist.org .

I'm happy to split this issue if that would help and provide as much information/guidance/help as necessary to improve Drupal ecosystem support by OSS Index.
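The purl-to-project-page mapping proposed in the comment above, as an added example that is not part of the issue thread and not OSS Index's own code. It parses the package URL (type, optional namespace, name, optional `@version`) and applies the mapping the comment asks for: `pkg:composer/drupal/<name>` and the legacy `pkg:drupal/<name>` both resolve to `https://www.drupal.org/project/<name>`; anything else returns `None` rather than a guessed link. The function names and the treatment of unknown types are assumptions made for this example.

```python
from urllib.parse import unquote


def parse_purl(purl):
    """Split a package URL (purl) into type, namespace, name and version.

    Covers the subset used in this thread: scheme, type, optional
    namespace segments, name, optional @version. Qualifiers (?...) and
    subpath (#...) are stripped, not interpreted.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    rest = purl[len("pkg:"):].lstrip("/")
    rest, _, _subpath = rest.partition("#")
    rest, _, _qualifiers = rest.partition("?")
    rest, _, version = rest.partition("@")
    parts = [unquote(p) for p in rest.split("/") if p]
    if len(parts) < 2:
        raise ValueError("purl needs at least a type and a name: %r" % purl)
    return {
        "type": parts[0].lower(),
        # everything between type and name is the namespace (may be empty)
        "namespace": "/".join(parts[1:-1]) or None,
        "name": parts[-1],
        "version": version or None,
    }


def drupal_project_url(purl):
    """Return the drupal.org project page for a Drupal component purl.

    Assumed mapping (from the comment above, not OSS Index behaviour):
      pkg:composer/drupal/<name> -> https://www.drupal.org/project/<name>
      pkg:drupal/<name>          -> https://www.drupal.org/project/<name>
    Any other type/namespace returns None so callers do not emit a
    link that may 404, as the packagist.org links in the thread do.
    """
    p = parse_purl(purl)
    if p["type"] == "composer" and p["namespace"] == "drupal":
        return "https://www.drupal.org/project/" + p["name"]
    if p["type"] == "drupal" and p["namespace"] is None:
        return "https://www.drupal.org/project/" + p["name"]
    return None


if __name__ == "__main__":
    # Constructed sample purls, not taken from any real SBOM.
    for sample in ("pkg:composer/drupal/group",
                   "pkg:drupal/group",
                   "pkg:composer/drupal/ldap@8.x-3.4",
                   "pkg:composer/symfony/yaml@5.4.0"):
        print(sample, "->", drupal_project_url(sample))
```

The version suffix is kept separately so the same component can be linked to its project page regardless of release; the mapping deliberately does not cover `drupal/core`-style packages, whose project page is not derived from the package name in the same way.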