Security policy updates

Policies/d7_security_module_updates.policy.yml

@@ -1,6 +1,6 @@
 title: "Drupal 7 Security Module Updates policy"
 class: \Drutiny\algm\Audit\D7SecurityModuleUpdates
-name: algm:D7SecurityModuleUpdates
+name: algm:Security:D7SecurityModuleUpdates
 tags:
   - Drupal 7
   - Security
@@ -12,6 +12,7 @@ description: |
 success: No security updates were found.
 failure: >-
   {{ updates }}
+remediation: Review the security modules listed and update accordingly.
 warning: |
   There are modules with available updates. Please consider upgrading as it
   reduces the chance of introducing regressions when more urgent security updates

Policies/d8_security_module_updates.policy.yml

@@ -1,6 +1,6 @@
 title: "Drupal 8/9 Security Module Updates"
 class: \Drutiny\algm\Audit\D8SecurityModuleUpdates
-name: algm:D8SecurityModuleUpdates
+name: algm:Security:D8SecurityModuleUpdates
 tags:
   - Drupal 9
   - Drupal 8
@@ -13,6 +13,7 @@ description: |
 success: No security updates were found.
 failure: >-
   {{ updates }}
+remediation: Review the security modules listed and update accordingly.
 warning: |
   There are modules with available updates. Please consider upgrading as it
   reduces the chance of introducing regressions when more urgent security updates

Profiles/algm_d7_sla_site.profile.yml

@@ -1,14 +1,10 @@
 title: 'ALGM Drupal 7 SLA audit'
 description: 'This audit is for Drupal 7 sites which are under the ALGM SLA'
 policies:
-    # ALGM specific
-    'algm:HealthCheck':
-      { severity: high }
-    'algm:DrushStatus':
-      { severity: normal }
-    'algm:FileSystemAnalysis':
-      { severity: normal }
     # General
+    'algm:HealthCheck': { severity: high }
+    'algm:DrushStatus': { severity: normal }
+    'algm:FileSystemAnalysis': { severity: normal }
     'Drupal:moduleUpdates': { severity: normal }
     # Drupal 7
     'Drupal-7:NoDuplicateModules': { severity: normal }
@@ -24,7 +20,8 @@ policies:
     'fs:largeFiles': { severity: normal }
     'Drupal:largeFiles': { severity: normal }
     'Drupal:updates':
-      { severity: normal,
+      {
+        severity: normal,
         parameters: {
           max_size: 1000,
           warning_size: 250
@@ -33,8 +30,8 @@ policies:
     'Database:Fulltext': { severity: normal }
     'Database:Size': { severity: normal }
     # Security
+    'algm:Security:D7SecurityModuleUpdates': { severity: high }
     'Drupal-7:User1LockDown': { severity: normal }
-    'algm:D7SecurityModuleUpdates': { severity: high }
     'fs:SensitivePublicFiles':
       {
         severity: high,
@@ -43,4 +40,4 @@ policies:
         }
       }
 include:
-  - d7_security_review
+  - d7_security_review

Profiles/algm_sla_site.profile.yml

@@ -1,17 +1,11 @@
-title: 'ALGM SLA audit'
-description: 'This audit is for sites which are under the ALGM SLA'
+title: 'ALGM Drupal 8 & 9 SLA audit'
+description: 'This audit is for Drupal 8 & Drupal 9 sites which are under the ALGM SLA'
 policies:
-    # ALGM specific
-    'algm:HealthCheck':
-      { severity: high }
-    'algm:DrushStatus':
-      { severity: normal }
-    'algm:ModuleUpdates':
-      { severity: high }
-    'algm:D8SecurityModuleUpdates':
-      { severity: high }
-    'algm:FileSystemAnalysis':
-      { severity: normal }
+    # General
+    'algm:HealthCheck': { severity: high }
+    'algm:DrushStatus': { severity: normal }
+    'algm:FileSystemAnalysis': { severity: normal }
+    'algm:ModuleUpdates': { severity: high }
     # D8
     'Drupal-8:CronLast': { severity: normal }
     'Drupal-8:JsAggregation': { severity: normal }
@@ -27,15 +21,17 @@ policies:
     # FS and Database
     'fs:largeFiles': { severity: normal }
     'fs:DrupalThemeDirectory':
-      { severity: normal,
+      {
+        severity: normal,
         parameters: {
           path: '/app/web/themes/custom/',
           max_size: 50
         }
       }
     'Drupal:largeFiles': { severity: normal }
     'Drupal:updates':
-      { severity: normal,
+      {
+        severity: normal,
         parameters: {
           max_size: 1000,
           warning_size: 250
@@ -44,6 +40,7 @@ policies:
     'Database:Fulltext': { severity: normal }
     'Database:Size': { severity: normal }
     # Security
+    'algm:Security:D8SecurityModuleUpdates': { severity: high }
     'fs:SensitivePublicFiles':
       {
         severity: high,
@@ -53,11 +50,12 @@ policies:
       }
     'Drupal-8:UserRegistrationAdminOnly': { severity: normal }
     'Drupal-8:User1LockDown':
-      { severity: high,
+      {
+        severity: high,
         parameters: {
           blacklist: 'admin, root, drupa, amazee, amazeelabs, zhadmin',
           status: 1
         }
       }
 include:
-  - d8_security_review
+  - d8_security_review

src/Audit/D8_SA_CORE_2020_009.php

@@ -60,7 +60,6 @@ public function audit(Sandbox $sandbox)
       return Audit::ERROR;
     }
 
-
     if (!isset($info[$module])) {
       return Audit::NOT_APPLICABLE;
     }
@@ -80,4 +79,4 @@ public function audit(Sandbox $sandbox)
 
     return call_user_func("Composer\Semver\Comparator::$comparator_method", $current_version, $version);
   }
-}
+}

src/Audit/ModuleUpdateStatus.php

@@ -6,6 +6,7 @@
 use Drutiny\Sandbox\Sandbox;
 use Drutiny\Annotation\Token;
 use Drutiny\algm\Utils\MarkdownTableGenerator;
+use Exception;
 
 /**
  * Uses composer to look for contrib modules with available updates.
@@ -21,7 +22,13 @@ class ModuleUpdateStatus extends Audit {
    * @inheritdoc
    */
   public function audit(Sandbox $sandbox) {
-    $output = $sandbox->exec('COMPOSER_MEMORY_LIMIT=-1 composer show "drupal/*" -o --no-cache --format=json 2> /dev/null && echo \'\'');
+    try {
+      $output = $sandbox->exec('COMPOSER_MEMORY_LIMIT=-1 composer show "drupal/*" -o --no-cache --format=json 2> /dev/null && echo \'\'');
+    }
+    catch (Exception $e) {
+      throw new \Exception("Composer command failed: " . $e);
+      return Audit::ERROR;
+    }
 
     $modules = json_decode($output, TRUE);
     if ($modules === null) {