How to get Drupal.org Security Advisory Coverage for your module in 3 easy steps
Overview
So you’ve finally submitted your module to Drupal.org but now you’re seeing that warning on your module page that it isn’t covered under the security advisory policy. How do you go about getting this pesky warning removed?
First thing: what is Drupal’s security advisory? This is a method where Drupal’s security team will be able to help advise you as a maintainer when there is a vulnerability in your code and steps to help mitigate this. Then, they will issue an announcement after a fix is in place to the Drupal community.
What also is important to know is that the security advisory coverage is on a per-user basis. This is something that our team sorta goofed on. We have multiple people working on projects together and realized halfway through our application that one person needed to be the one committing and fixing found issues. The people reviewing your application will be looking at your coding style and practices. After your module is covered, feel free to invite other maintainers, but during this process you will want to have only the applicant committing code.
Step 1: Create a Drupal.org module and get it release ready
You can create sandbox projects all day long (here’s a step by step on how) to test out your code and ideas but when you’re ready for an officially contributed project you’ll need to convert your sandbox projects into a full project. Before you do that, you’ll want to get your code into a release-ready state.
Make sure your module doesn’t already exist elsewhere. The Drupal community promotes collaboration over competition. This means if the functionality of your new module already exists, it’s preferred you submit a patch, take over an abandoned project and/or work with existing project maintainers to improve rather than having 12 different modules that do the exact same thing.
Step 2: Prepare for the application process.
Go through the security application checklist. There’s a lot outlined there. Some things to note:
- Double check that you’ve written secure code. There are a slew of suggestions and best practices that are outlined here.
- Follow Drupal’s coding standards and best practices. These documents can be quite lengthy and tough to read through but it’s important to take a look to make sure your module is ready for release and it will speed up your submission process later. There are some additional tools that can help speed this process up. You can do this by submitting your project for a pareview and/or downloading and using the Coder module. This will outline warnings and some best practices that perhaps were missed.
- Review your code for common issues.
Step 3: Submit the application
One thing that I didn’t realize is that the application process is based on the user NOT necessarily the module. When submitting your application, you want to make sure that you are the one creating fixes and patching. First, create a new issue in the Drupal.org security advisory coverage applications queue. Follow the instructions for your application:
Other maintainers will look at your module and suggest fixes for them. Each time you apply a new patch or fix, you’ll want to update your project application issue to “Needs Review” status. This will signal to the different folks reviewing applications that this one is ready to review again. Remember, the same individual who submitted the application must make the fixes/patches.
In the meantime, you can review other applications to speed up your own. This is what the Drupal community calls “Review bonus”. Here’s some detailed instructions on how to complete this.
The whole process took me about a month to complete. Between our regular client work and waiting on enough individuals to review my application. After the application is approved, an individual from Drupal.org adds a tag to your Drupal.org profile. Then when you edit your module page, you’ll have the option to opt into security advisory coverage.
Now any of our modules can be covered under Drupal.org Security Coverage and the big orange warning is no longer visible.
Interactive Knowledge has a few Drupal.org modules our team maintains for you to check out for your Drupal project:
- Constant Contact Module
Provides integration to your Constant Contact lists using the v3 of the API.
- Modal Management Module
Creates a custom entity to be able to show modals to users based on date or location.
- AbuseIPDB Module
This module provides connection to the AbuseIPDB database.