feat: switch to DRUPAL prefix

G-Rath · G-Rath · commit 3b841674d2f4 · 2025-11-06T13:58:14.000+13:00
diff --git a/scripts/generate_osv_advisories.py b/scripts/generate_osv_advisories.py
@@ -342,10 +342,12 @@ class DrupalAdvisoryPatch(typing.TypedDict):
   patches: dict[str, DrupalAdvisoryPatch] = tomllib.load(fi)
 
 
-def patch_advisory(sa_id: str, sa_advisory: drupal.Advisory) -> bool:
+def patch_advisory(osv_id: str, sa_advisory: drupal.Advisory) -> bool:
   """
   Attempts to apply any patches to the advisory that are defined in patches.toml
   """
+  sa_id = f'SA-{osv_id.removeprefix("DRUPAL-")}'
+
   if sa_id in patches:
     before, after = patches[sa_id]['field_affected_versions']
 
@@ -367,14 +369,14 @@ def unix_timestamp_to_rfc3339(unix: int) -> str:
 
 
 def build_osv_advisory(
-  sa_id: str,
+  osv_id: str,
   sa_advisory: drupal.Advisory,
 ) -> osv.Vulnerability | None:
   """
   Builds a representation of the given Drupal SA advisory in OSV format
   """
 
-  patched = patch_advisory(sa_id, sa_advisory)
+  patched = patch_advisory(osv_id, sa_advisory)
 
   # we expect that the downloader has excluded PSA type entries, but
   # we still guard against them here just in case one slips through
@@ -391,14 +393,14 @@ def build_osv_advisory(
 
   osv_advisory: osv.Vulnerability = {
     'schema_version': '1.7.0',
-    'id': f'D{sa_id}',
+    'id': osv_id,
     'modified': unix_timestamp_to_rfc3339(int(sa_advisory['changed'])),
     'published': unix_timestamp_to_rfc3339(int(sa_advisory['created'])),
     'aliases': sa_advisory['field_sa_cve'],
     'details': markdownify(sa_advisory['field_sa_description']['value']),
     'affected': [
       {
-        # todo: figure out if we need a dedicated ecosystem i.e. Drupal, Drupal8, etc
+
         'package': {
           'ecosystem': 'Packagist',
           'name': determine_composer_package_name(sa_advisory),
@@ -430,10 +432,10 @@ def fetch_affected_packages(osv_advisory: osv.Vulnerability) -> list[str]:
 
 
 def is_existing_advisory_ahead(
-  name: str, sa_id: str, proposed_modified_at: str
+  name: str, osv_id: str, proposed_modified_at: str
 ) -> bool:
   try:
-    with open(f'advisories/{name}/D{sa_id}.json') as f:
+    with open(f'advisories/{name}/{osv_id}.json') as f:
       existing_advisory = typing.cast(osv.Vulnerability, json.load(f))
       # RFC3339 dates are designed to be comparable as strings, so this is safe
       return existing_advisory['modified'] > proposed_modified_at
@@ -449,8 +451,8 @@ def generate_osv_advisories() -> None:
     with open(file.path) as f:
       sa_advisory: drupal.Advisory = json.load(f)
     print(f'processing {sa_advisory["url"]}')
-    sa_id = file.name.removesuffix('.json')
-    osv_advisory = build_osv_advisory(sa_id, sa_advisory)
+    osv_id = f'DRUPAL-{file.name.removeprefix("SA-").removesuffix(".json")}'
+    osv_advisory = build_osv_advisory(osv_id, sa_advisory)
 
     if osv_advisory is None:
       continue
@@ -463,7 +465,7 @@ def generate_osv_advisories() -> None:
     for affected_package in affected_packages:
       name = affected_package.removeprefix('drupal/')
       os.makedirs(f'advisories/{name}', exist_ok=True)
-      if is_existing_advisory_ahead(name, sa_id, osv_advisory['modified']):
+      if is_existing_advisory_ahead(name, osv_id, osv_advisory['modified']):
         print(
           ' \\- '
           + text_is.error(
@@ -472,7 +474,7 @@ def generate_osv_advisories() -> None:
         )
         exit(1)
 
-      with open(f'advisories/{name}/D{sa_id}.json', 'w') as f:
+      with open(f'advisories/{name}/{osv_id}.json', 'w') as f:
         json.dump(osv_advisory, f, indent=2)
         f.write('\n')
 
