feat: add support for Drupal advisory database (#372)

The [Drupal Advisory
Database](https://github.com/DrupalSecurityTeam/drupal-advisory-database)
is a database maintained by Ackama on behalf of the Drupal community
that provides [Drupal security
advisories](https://www.drupal.org/drupal-security-team/security-advisory-process-and-permissions-policy)
in OSV format to allow them to be ingested by osv.dev.

While Drupal packages are installed and managed using Composer, they are
(mostly) sourced from a dedicated repository rather than the Packagist
repository; since these packages are all within the `drupal/` namespace
which is owned by the Drupal community, it's been agreed that it is fine
to still use the Packagist rather than introduce a new one.

This means that existing tools like `osv-scanner` and libraries like
`osv-scalibr` should "just work" with the advisories in this database.

For the database prefix, the community are decided to use `DRUPAL` as
that is straightforward and matches what other has been proposed in
other tools like
[`dependency-track`](DependencyTrack/dependency-track#4515),
which replaces the "SA" prefix used by advisories published on
drupal.org so advisory ids can be easily mapped to their original
advisory by just replacing `DRUPAL` with `SA`.

Discussion on this can be found
[here](https://www.drupal.org/project/drupalorg/issues/3410338#comment-16200707)
and
[here](https://www.drupal.org/project/drupalorg/issues/3410338#comment-16200707)

---------

Signed-off-by: Gareth Jones <3151613+G-Rath@users.noreply.github.com>

Author: G-Rath

docs/schema.md

@@ -267,6 +267,17 @@ The defined database prefixes and their "home" databases are:
         </ul>
       </td>
     </tr>
+    <tr>
+      <td><code>DRUPAL</code></td>
+      <td><a href="https://github.com/DrupalSecurityTeam/drupal-advisory-database">Drupal Advisory Database</a></td>
+      <td>
+        <ul>
+          <li>How to contribute: <a href="https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquette/reporting-a-security-issue">https://www.drupal.org/docs/develop/issues/issue-procedures-and-etiquette/reporting-a-security-issue</a></li>
+          <li>Source URL: <code>https://www.drupal.org/security/</code></li>
+          <li>OSV Formatted URL: <code>https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/&gt;module&lt;/&gt;ID&lt;.json</code></li>
+        </ul>
+      </td>
+    </tr>
     <tr>
       <td><code>DSA</code>/<code>DLA</code>/<code>DTSA</code></td>
       <td><a href="https://www.debian.org/security/">Debian Security Advisory Database (provided by OSV.dev)</a></td>

tools/osv-linter/internal/checks/schema_generated.json

@@ -387,7 +387,7 @@
       "type": "string",
       "title": "Currently supported home database identifier prefixes",
       "description": "These home databases are also documented at https://ossf.github.io/osv-schema/#id-modified-fields",
-      "pattern": "^(ASB-A|PUB-A|ALPINE|ALSA|ALBA|ALEA|BELL|BIT|CGA|CURL|CVE|DEBIAN|DSA|DLA|ELA|DTSA|ECHO|EEF|GHSA|GO|GSD|HSEC|JLSEC|KUBE|LBSEC|LSN|MAL|MINI|MGASA|OESA|OSV|openSUSE-SU|PHSA|PSF|PYSEC|RHBA|RHEA|RHSA|RLSA|RXSA|RSEC|RUSTSEC|SUSE-[SRFO]U|UBUNTU|USN|V8)-"
+      "pattern": "^(ASB-A|PUB-A|ALPINE|ALSA|ALBA|ALEA|BELL|BIT|CGA|CURL|CVE|DEBIAN|DRUPAL|DSA|DLA|ELA|DTSA|ECHO|EEF|GHSA|GO|GSD|HSEC|JLSEC|KUBE|LBSEC|LSN|MAL|MINI|MGASA|OESA|OSV|openSUSE-SU|PHSA|PSF|PYSEC|RHBA|RHEA|RHSA|RLSA|RXSA|RSEC|RUSTSEC|SUSE-[SRFO]U|UBUNTU|USN|V8)-"
     },
     "severity": {
       "type": [

tools/osv-linter/internal/pkgchecker/ecosystems_test.go

@@ -550,6 +550,96 @@ func Test_versionsExistInPackagist(t *testing.T) {
 	}
 }
 
+func Test_versionsExistInPackagist_Drupal(t *testing.T) {
+	t.Parallel()
+
+	type args struct {
+		pkg      string
+		versions []string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "multiple_versions_which_all_exist_on_packagist_repo",
+			args: args{
+				pkg:      "drupal/core-recommended",
+				versions: []string{"8.0.3", "10.1.0-rc1", "11.2.0"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "multiple_versions_which_all_exist_on_drupal_repo",
+			args: args{
+				pkg:      "drupal/simple_sitemap",
+				versions: []string{"1.3.0", "3.0.0-rc3", "4.1.3"},
+			},
+			wantErr: false,
+		},
+		{
+			// the drupal repo has advisories for this package, but not versions
+			name: "multiple_versions_which_all_exist_on_both_repos",
+			args: args{
+				pkg:      "drupal/core",
+				versions: []string{"8.0.1", "9.4.0-beta1", "11.0.2"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "multiple_versions_with_one_that_does_not_exist_on_packagist_repo",
+			args: args{
+				pkg:      "drupal/core-recommended",
+				versions: []string{"8.9.14", "9.5.0-rc3", "10.5.1"},
+			},
+			wantErr: true,
+		},
+		{
+			name: "multiple_versions_with_one_that_does_not_exist_on_drupal_repo",
+			args: args{
+				pkg:      "drupal/simple_sitemap",
+				versions: []string{"1.1.0", "3.0.0-rc5", "4.1.1"},
+			},
+			wantErr: true,
+		},
+		{
+			// the drupal repo has advisories for this package, but not versions
+			name: "multiple_versions_with_one_that_does_not_exist_on_both_repos",
+			args: args{
+				pkg:      "drupal/core",
+				versions: []string{"8.7.5", "10.1.9", "11.1.4"},
+			},
+			wantErr: true,
+		},
+		{
+			name: "an_invalid_version",
+			args: args{
+				pkg:      "drupal/simple_sitemap",
+				versions: []string{"!"},
+			},
+			wantErr: true,
+		},
+		{
+			name: "a_package_that_does_not_exit",
+			args: args{
+				pkg:      "drupal/not-a-real-package",
+				versions: []string{"1.0.0"},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			if err := versionsExistInPackagist(tt.args.pkg, tt.args.versions); (err != nil) != tt.wantErr {
+				t.Errorf("versionsExistInPackagist() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
 func Test_versionsExistInPub(t *testing.T) {
 	t.Parallel()
 

tools/osv-linter/internal/pkgchecker/package_check.go

@@ -127,6 +127,15 @@ func existsInNuget(pkg string) bool {
 
 // Validate the existence of a package in Packagist.
 func existsInPackagist(pkg string) bool {
+	// most drupal packages are published in a dedicated repository, so check there first
+	if strings.HasPrefix(pkg, "drupal/") {
+		drupalInstanceURL := fmt.Sprintf("%s/%s.json", "https://packages.drupal.org/files/packages/8/p2", pkg)
+
+		if checkPackageExists(drupalInstanceURL) {
+			return true
+		}
+	}
+
 	packageInstanceURL := fmt.Sprintf("%s/%s.json", EcosystemBaseURLs["Packagist"], pkg)
 
 	return checkPackageExists(packageInstanceURL)

tools/osv-linter/internal/pkgchecker/package_check_test.go

@@ -152,14 +152,29 @@ func Test_existsInPackagist(t *testing.T) {
 	}{
 		{
 			name: "existing package",
+			pkg:  "composer/installers",
+			want: true,
+		},
+		{
+			name: "existing drupal packagist package",
 			pkg:  "drupal/core",
 			want: true,
 		},
+		{
+			name: "existing drupal repo package",
+			pkg:  "drupal/simple_sitemap",
+			want: true,
+		},
 		{
 			name: "non-existing package",
 			pkg:  "non-existing-package",
 			want: false,
 		},
+		{
+			name: "non-existing drupal package",
+			pkg:  "drupal/non-existing-package",
+			want: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

tools/osv-linter/internal/pkgchecker/version_check.go

@@ -1,6 +1,7 @@
 package pkgchecker
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -15,6 +16,8 @@ import (
 	"golang.org/x/mod/semver"
 )
 
+var errPathNotFound = errors.New("path not found")
+
 func fetchPackageData(packageInstanceURL string) ([]byte, error) {
 	resp, err := faulttolerant.Get(packageInstanceURL)
 	if err != nil {
@@ -43,7 +46,14 @@ func versionsExistInGeneric(
 
 	// Fetch all known versions of package.
 	versionsInRepository := []string{}
-	for _, result := range gjson.GetBytes(respJSON, versionsPath).Array() {
+
+	r := gjson.GetBytes(respJSON, versionsPath)
+
+	if !r.Exists() {
+		return errPathNotFound
+	}
+
+	for _, result := range r.Array() {
 		versionsInRepository = append(versionsInRepository, result.String())
 	}
 	// Determine which referenced versions are missing.
@@ -278,6 +288,30 @@ func versionsExistInJulia(pkg string, versions []string) error {
 
 // Confirm that all specified versions of a package exist in Packagist.
 func versionsExistInPackagist(pkg string, versions []string) error {
+	// most drupal packages are published in a dedicated repository, so check there first
+	if strings.HasPrefix(pkg, "drupal/") {
+		drupalInstanceURL := fmt.Sprintf("%s/%s.json", "https://packages.drupal.org/files/packages/8/p2", pkg)
+
+		err := versionsExistInGeneric(
+			pkg, versions,
+			"Packagist",
+			drupalInstanceURL,
+			fmt.Sprintf("packages.%s.#.version", pkg),
+		)
+
+		if err == nil {
+			return err
+		}
+
+		// not all drupal packages are published on the drupal repository,
+		// and some packages are only present with security advisories
+		//
+		// todo: ideally we should not be checking the error message itself
+		if !strings.HasSuffix(err.Error(), "bad response: 404") && !errors.Is(err, errPathNotFound) {
+			return err
+		}
+	}
+
 	packageInstanceURL := fmt.Sprintf("%s/%s.json", EcosystemBaseURLs["Packagist"], pkg)
 
 	return versionsExistInGeneric(

validation/schema.json

@@ -387,7 +387,7 @@
       "type": "string",
       "title": "Currently supported home database identifier prefixes",
       "description": "These home databases are also documented at https://ossf.github.io/osv-schema/#id-modified-fields",
-      "pattern": "^(ASB-A|PUB-A|ALPINE|ALSA|ALBA|ALEA|BELL|BIT|CGA|CURL|CVE|DEBIAN|DSA|DLA|ELA|DTSA|ECHO|EEF|GHSA|GO|GSD|HSEC|JLSEC|KUBE|LBSEC|LSN|MAL|MINI|MGASA|OESA|OSV|openSUSE-SU|PHSA|PSF|PYSEC|RHBA|RHEA|RHSA|RLSA|RXSA|RSEC|RUSTSEC|SUSE-[SRFO]U|UBUNTU|USN|V8)-"
+      "pattern": "^(ASB-A|PUB-A|ALPINE|ALSA|ALBA|ALEA|BELL|BIT|CGA|CURL|CVE|DEBIAN|DRUPAL|DSA|DLA|ELA|DTSA|ECHO|EEF|GHSA|GO|GSD|HSEC|JLSEC|KUBE|LBSEC|LSN|MAL|MINI|MGASA|OESA|OSV|openSUSE-SU|PHSA|PSF|PYSEC|RHBA|RHEA|RHSA|RLSA|RXSA|RSEC|RUSTSEC|SUSE-[SRFO]U|UBUNTU|USN|V8)-"
     },
     "severity": {
       "type": [