diff --git a/Policies/d7_security_module_updates.policy.yml b/Policies/d7_security_module_updates.policy.yml
index 9ccbf9a..25074cd 100644
--- a/Policies/d7_security_module_updates.policy.yml
+++ b/Policies/d7_security_module_updates.policy.yml
@@ -1,6 +1,6 @@
 title: "Drupal 7 Security Module Updates policy"
 class: \Drutiny\algm\Audit\D7SecurityModuleUpdates
-name: algm:D7SecurityModuleUpdates
+name: algm:Security:D7SecurityModuleUpdates
 tags:
 - Drupal 7
 - Security
@@ -12,6 +12,7 @@ description: |
 success: No security updates were found.
 failure: >-
 {{ updates }}
+remediation: Review the security modules listed and update accordingly.
 warning: |
 There are modules with available updates. Please consider upgrading as it reduces the chance of introducing regressions when more urgent security updates
diff --git a/Policies/d8_security_module_updates.policy.yml b/Policies/d8_security_module_updates.policy.yml
index 38b0449..ddd4e96 100644
--- a/Policies/d8_security_module_updates.policy.yml
+++ b/Policies/d8_security_module_updates.policy.yml
@@ -1,6 +1,6 @@
 title: "Drupal 8/9 Security Module Updates"
 class: \Drutiny\algm\Audit\D8SecurityModuleUpdates
-name: algm:D8SecurityModuleUpdates
+name: algm:Security:D8SecurityModuleUpdates
 tags:
 - Drupal 9
 - Drupal 8
@@ -13,6 +13,7 @@ description: |
 success: No security updates were found.
 failure: >-
 {{ updates }}
+remediation: Review the security modules listed and update accordingly.
 warning: |
 There are modules with available updates. Please consider upgrading as it reduces the chance of introducing regressions when more urgent security updates
diff --git a/Profiles/algm_d7_sla_site.profile.yml b/Profiles/algm_d7_sla_site.profile.yml
index 0922f3e..b51e974 100644
--- a/Profiles/algm_d7_sla_site.profile.yml
+++ b/Profiles/algm_d7_sla_site.profile.yml
@@ -1,14 +1,10 @@
 title: 'ALGM Drupal 7 SLA audit'
 description: 'This audit is for Drupal 7 sites which are under the ALGM SLA'
 policies:
- # ALGM specific
- 'algm:HealthCheck':
- { severity: high }
- 'algm:DrushStatus':
- { severity: normal }
- 'algm:FileSystemAnalysis':
- { severity: normal }
 # General
+ 'algm:HealthCheck': { severity: high }
+ 'algm:DrushStatus': { severity: normal }
+ 'algm:FileSystemAnalysis': { severity: normal }
 'Drupal:moduleUpdates': { severity: normal }
 # Drupal 7
 'Drupal-7:NoDuplicateModules': { severity: normal }
@@ -24,7 +20,8 @@ policies:
 'fs:largeFiles': { severity: normal }
 'Drupal:largeFiles': { severity: normal }
 'Drupal:updates':
- { severity: normal,
+ {
+ severity: normal,
 parameters: {
 max_size: 1000,
 warning_size: 250
@@ -33,8 +30,8 @@ policies:
 'Database:Fulltext': { severity: normal }
 'Database:Size': { severity: normal }
 # Security
+ 'algm:Security:D7SecurityModuleUpdates': { severity: high }
 'Drupal-7:User1LockDown': { severity: normal }
- 'algm:D7SecurityModuleUpdates': { severity: high }
 'fs:SensitivePublicFiles':
 {
 severity: high,
@@ -43,4 +40,4 @@ policies:
 }
 }
 include:
- - d7_security_review
\ No newline at end of file
+ - d7_security_review
diff --git a/Profiles/algm_sla_site.profile.yml b/Profiles/algm_sla_site.profile.yml
index 4581d39..5820af1 100644
--- a/Profiles/algm_sla_site.profile.yml
+++ b/Profiles/algm_sla_site.profile.yml
@@ -1,17 +1,11 @@
-title: 'ALGM SLA audit'
-description: 'This audit is for sites which are under the ALGM SLA'
+title: 'ALGM Drupal 8 & 9 SLA audit'
+description: 'This audit is for Drupal 8 & Drupal 9 sites which are under the ALGM SLA'
 policies:
- # ALGM specific
- 'algm:HealthCheck':
- { severity: high }
- 'algm:DrushStatus':
- { severity: normal }
- 'algm:ModuleUpdates':
- { severity: high }
- 'algm:D8SecurityModuleUpdates':
- { severity: high }
- 'algm:FileSystemAnalysis':
- { severity: normal }
+ # General
+ 'algm:HealthCheck': { severity: high }
+ 'algm:DrushStatus': { severity: normal }
+ 'algm:FileSystemAnalysis': { severity: normal }
+ 'algm:ModuleUpdates': { severity: high }
 # D8
 'Drupal-8:CronLast': { severity: normal }
 'Drupal-8:JsAggregation': { severity: normal }
@@ -27,7 +21,8 @@ policies:
 # FS and Database
 'fs:largeFiles': { severity: normal }
 'fs:DrupalThemeDirectory':
- { severity: normal,
+ {
+ severity: normal,
 parameters: {
 path: '/app/web/themes/custom/',
 max_size: 50
@@ -35,7 +30,8 @@ policies:
 }
 'Drupal:largeFiles': { severity: normal }
 'Drupal:updates':
- { severity: normal,
+ {
+ severity: normal,
 parameters: {
 max_size: 1000,
 warning_size: 250
@@ -44,6 +40,7 @@ policies:
 'Database:Fulltext': { severity: normal }
 'Database:Size': { severity: normal }
 # Security
+ 'algm:Security:D8SecurityModuleUpdates': { severity: high }
 'fs:SensitivePublicFiles':
 {
 severity: high,
@@ -53,11 +50,12 @@ policies:
 }
 'Drupal-8:UserRegistrationAdminOnly': { severity: normal }
 'Drupal-8:User1LockDown':
- { severity: high,
+ {
+ severity: high,
 parameters: {
 blacklist: 'admin, root, drupa, amazee, amazeelabs, zhadmin',
 status: 1
 }
 }
 include:
- - d8_security_review
\ No newline at end of file
+ - d8_security_review
diff --git a/src/Audit/D8_SA_CORE_2020_009.php b/src/Audit/D8_SA_CORE_2020_009.php
index 174ab1b..04764e5 100644
--- a/src/Audit/D8_SA_CORE_2020_009.php
+++ b/src/Audit/D8_SA_CORE_2020_009.php
@@ -60,7 +60,6 @@ public function audit(Sandbox $sandbox)
 return Audit::ERROR;
 }
-
 if (!isset($info[$module])) {
 return Audit::NOT_APPLICABLE;
 }
@@ -80,4 +79,4 @@ public function audit(Sandbox $sandbox)
 return call_user_func("Composer\Semver\Comparator::$comparator_method", $current_version, $version);
 }
-}
\ No newline at end of file
+}
diff --git a/src/Audit/ModuleUpdateStatus.php b/src/Audit/ModuleUpdateStatus.php
index 0f2a416..e7e33a7 100644
--- a/src/Audit/ModuleUpdateStatus.php
+++ b/src/Audit/ModuleUpdateStatus.php
@@ -6,6 +6,7 @@
 use Drutiny\Sandbox\Sandbox;
 use Drutiny\Annotation\Token;
 use Drutiny\algm\Utils\MarkdownTableGenerator;
+use Exception;
 /**
 * Uses composer to look for contrib modules with available updates.
@@ -21,7 +22,13 @@ class ModuleUpdateStatus extends Audit {
 * @inheritdoc
 */
 public function audit(Sandbox $sandbox) {
- $output = $sandbox->exec('COMPOSER_MEMORY_LIMIT=-1 composer show "drupal/*" -o --no-cache --format=json 2> /dev/null && echo \'\'');
+ try {
+ $output = $sandbox->exec('COMPOSER_MEMORY_LIMIT=-1 composer show "drupal/*" -o --no-cache --format=json 2> /dev/null && echo \'\'');
+ }
+ catch (Exception $e) {
+ throw new \Exception("Composer command failed: " . $e);
+ return Audit::ERROR;
+ }
 $modules = json_decode($output, TRUE);
 if ($modules === null) {
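Review bot: In the catch block added to `ModuleUpdateStatus::audit()`, `return Audit::ERROR;` can never run because the `throw` on the line before it always leaves the block, so it is unclear whether a failed composer call should abort the run or be reported as an audit error. Keep one of the two. If the throw is intended, build it as `throw new Exception('Composer command failed: ' . $e->getMessage(), 0, $e);` and drop the dead return. Concatenating `$e` itself string-casts the whole exception, stack trace and file paths included, into a message that may end up in report output, and it loses the original as a chained cause. The hunk above imports `Exception` while this line writes `\Exception`, so use one form. `audit()` continues past the end of the hunk, so how its callers treat the rethrown exception is not visible here.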