Drupal blog: Drupal security advisories are now available in OSV database
Drupal is now in the OSV database, see some examples.
One of the key parts of keeping a website secure is making sure you have updated to incorporate security updates. Today, we're excited to share that Drupal's security information will be available in a new channel that has some benefits compared to existing tools. This is another large step forward in making it easier for Drupal sites to stay secure.
How can people get security data today?
Since 2005 people have been able to subscribe to emails or an RSS feed with security announcements. More recently those feeds were mirrored on social media sites as well. However, these feeds include a lot of "noise": news about releases for software that is not installed on a specific site.
Since 2007, Drupal has provided a built-in mechanism for site maintainers to check if their site was out of date. Sites using the Update module could check if they needed updates and email that report to the site owner or show it inside the system or via a "drush" command on the command line. This report is focused on what the site needs: the administrator only learns about updates to the software running on the site, but it requires knowing a Drupal-specific tool.
Modern versions of Drupal leverage the Composer package manager. Drupal has supported the composer audit command, which was introduced in 2022. However, again, this is a tool that is mostly used in the PHP community and doesn't provide security data about other package types.
Drupal sites often include npm packages and other third-party libraries that might have their own update monitoring mechanism.
Staying aware of available releases is a subjective and personal question. What works well for one organization might not work well for another. Knowing these options and their shortcomings, can we make it easier for site owners to monitor their sites?
How is the OSV format better?
The OSV format and database provide several advantages. Perhaps the biggest one for Drupal sites is that they provide support for a wide variety of packages. Publishing Drupal's security advisories in OSV.dev will enable the OSV-scanner automated scanning tool to create accurate reports for Drupal sites, making it easier for organizations to adopt Drupal and help ensure it is up to date. It will also make it easier for other projects to support Drupal if they incorporate OSV.dev data.
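As an added example (not code from the Drupal project or from OSV.dev), here is the core of what a scanner does with one OSV record: match the installed package against the record's affected entries, then walk the ECOSYSTEM range events to decide whether the installed version is covered. The record, its id, ecosystem, package name and versions are constructed placeholders, and version strings are assumed to be plain dotted integers.

```python
import json

# Constructed OSV record in the public OSV JSON schema; id, ecosystem, package
# name and versions are placeholders, not a real Drupal advisory.
CONSTRUCTED_OSV_RECORD = json.loads("""
{
  "id": "EXAMPLE-SA-0001",
  "summary": "Placeholder advisory used only to demonstrate range matching",
  "affected": [
    {
      "package": {"ecosystem": "Packagist", "name": "example/contrib-module"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "1.4.2"},
                    {"introduced": "2.0.0"}, {"fixed": "2.1.1"}]}
      ]
    }
  ]
}
""")

def parse_version(v):
    """Assumption: versions are dotted integers. '10.2.3' -> (10, 2, 3);
    OSV uses '0' as the 'from the first version' marker -> (0,)."""
    return tuple(int(p) for p in v.split("."))

def version_in_range(version, rng):
    """Walk the sorted ECOSYSTEM events and report whether version falls in an
    affected span (after an 'introduced', before the next 'fixed')."""
    if rng.get("type") != "ECOSYSTEM":
        raise ValueError("only ECOSYSTEM ranges are handled in this example")
    v = parse_version(version)
    affected = False
    for ev in rng["events"]:
        if "introduced" in ev and parse_version(ev["introduced"]) <= v:
            affected = True
        elif "fixed" in ev and parse_version(ev["fixed"]) <= v:
            affected = False
        elif "last_affected" in ev and parse_version(ev["last_affected"]) < v:
            affected = False
    return affected

def matching_advisories(records, ecosystem, name, version):
    """Return ids of advisories whose affected ranges cover this installed package."""
    hits = []
    for rec in records:
        for aff in rec.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
                continue
            if any(version_in_range(version, r) for r in aff.get("ranges", [])):
                hits.append(rec["id"])
                break
    return hits
```

A site's installed package list (for example from composer.lock) fed through matching_advisories gives exactly the per-site report the post contrasts with noisy release feeds.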
Who made this happen?
For OSV.dev support, there was a collaboration across several teams and timezones: folks at Google, Ackama, the Drupal Association, and members of the Drupal Security Team have collaborated to automate OSV support. In particular, Gold, Gareth Jones, Greg Knaddison, Dave Long, Peter Wolanin, and Neil Drumm worked to help get it launched or will help maintain it. The result will hopefully provide greater awareness, easier support, and minimal additional manual work to support this new channel.
Also, we should recognize efforts in this field that provided a great foundation. Derek Wright (dww) did a ton of work to help Drupal's infrastructure related to the Update module for many years. The integration of data that gets into osv.dev relies on an API from drupal.org that is provided with a lot of work from the Drupal Association. The content of the feed, of course, comes from project maintainers and the Drupal Security Team.