{"id":28903755,"url":"https://github.com/ackama/drupal-advisory-database","last_synced_at":"2025-07-22T23:03:02.138Z","repository":{"id":299320703,"uuid":"927406279","full_name":"ackama/drupal-advisory-database","owner":"ackama","description":null,"archived":false,"fork":false,"pushed_at":"2025-07-17T23:53:52.000Z","size":1961,"stargazers_count":0,"open_issues_count":5,"forks_count":0,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-07-18T04:28:33.114Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ackama.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-02-04T22:39:34.000Z","updated_at":"2025-07-16T23:16:03.000Z","dependencies_parsed_at":null,"dependency_job_id":"c72fb392-3b0d-4e8d-b9f0-e24a9c01fde5","html_url":"https://github.com/ackama/drupal-advisory-database","commit_stats":null,"previous_names":["ackama/drupal-advisory-database"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ackama/drupal-advisory-database","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ackama%2Fdrupal-advisory-database","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ackama%2Fdrupal-advisory-database/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ackama%2Fdrupal-advisory-database/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ackama%2Fdrupal-advisory-database/m
anifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ackama","download_url":"https://codeload.github.com/ackama/drupal-advisory-database/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ackama%2Fdrupal-advisory-database/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266586840,"owners_count":23952200,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-21T12:06:24.653Z","updated_at":"2025-07-22T23:03:02.127Z","avatar_url":"https://github.com/ackama.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Drupal Advisory Database\n\n[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/ackama/drupal-advisory-database/badge)](https://scorecard.dev/viewer/?uri=github.com/ackama/drupal-advisory-database)\n\nA community-driven database of known security vulnerabilities in Drupal packages\nsourced from [drupal.org](https://www.drupal.org/security) using the\n[OSV](https://ossf.github.io/osv-schema/) format.\n\nThe data is primarily sourced using the drupal.org\n[REST API](https://www.drupal.org/drupalorg/docs/apis/rest-and-other-apis).\n\n## Using this database\n\nThis database can be used by any tool that supports ingesting OSV advisories.\n\nIf you are using 
[`osv-detector`](https://github.com/G-Rath/osv-detector), you\ncan configure this database as an\n[extra database](https://github.com/G-Rath/osv-detector?tab=readme-ov-file#extra-databases):\n\n```yaml\nextra-databases:\n  - url: https://github.com/ackama/drupal-advisory-database/archive/refs/heads/main.zip\n    name: Drupal Advisory Database\n    working-directory: 'drupal-advisory-database-main/advisories'\n```\n\n## Updating the advisories\n\nAdvisories are managed through a series of Python scripts that live in the\n`scripts` directory - to use these, you need to install the dependencies listed\nin `pyproject.toml` using\n[`poetry`](https://python-poetry.org/docs/#installation).\n\n```shell\n# 1. download the Drupal SA advisories from drupal.org\npoetry run scripts/download_sa_advisories.py\n\n# 2. download nodes from drupal.org related to the advisories\n# (this is not required, but will significantly improve performance of the next step)\npoetry run scripts/precache_nodes.py\n\n# 3. generate the OSV advisories based on the Drupal advisories\npoetry run scripts/generate_osv_advisories.py\n```\n\n### Landing automated advisory updates\n\nA\n[GitHub Actions workflow](https://github.com/ackama/drupal-advisory-database/blob/main/.github/workflows/generate.yml)\nruns regularly to regenerate the advisories, opening a pull request if there are\nchanges.\n\nBefore the changes are landed they should be reviewed for accuracy, especially\nthe version constraints and ranges; problems there will usually be flagged by the\ngeneration script as warnings included in the `database_specific` sections of\nthe advisories where relevant.\n\nIf an advisory does have a warning, you should aim to have it addressed using\n`patches.toml`, described in the next section. 
This can be done by either pushing\na new commit directly to the pull request branch, or through a new pull request\nafter landing the changes to the advisories.\n\n## Fixing incorrect data\n\nSometimes an advisory will have incorrect data, such as an affected version\nrange which is syntactically or semantically incorrect; these can be temporarily\naddressed by adding a \"patch\" for the impacted advisory to the\n[`patches.toml`](./patches.toml) file in the root of this repository.\n\nWhen patching an advisory, you need to provide a tuple assigned to the SA\nadvisory property whose value you wish to replace - the first element in the\ntuple should be the current value, and the second element should be the\nreplacement value. The patch will only be applied if the current value matches,\nto ensure patches don't mistakenly undo upstream changes (which hopefully are\nthe result of the incorrect data being fixed!).\n\n\u003e [!NOTE]\n\u003e\n\u003e Currently, the patcher only supports the `field_affected_versions` property\n\u003e since that's the only property we've needed to patch; feel free to add support\n\u003e for additional properties when needed.\n\nThe generator will mark advisories that have been patched to make it clear that\nthis has happened; it will also attempt to identify some types of issues with the\ndata, which will be captured as `warnings` in the `database_specific` section of\nthe affected advisory.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fackama%2Fdrupal-advisory-database","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fackama%2Fdrupal-advisory-database","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fackama%2Fdrupal-advisory-database/lists"}