We should be able to produce a report that identifies which, and which do not, Drupal extensions required by the project have security team coverage.
#!/usr/bin/env bash
echo "Checking Drupal.org security coverage for installed contributed modules..."
composer show drupal/* --format=json | jq -r '.installed[].name' | while read pkg; do
machine_name="${pkg##*/}"
response=$(curl -s "https://www.drupal.org/api-d7/node.json?type=project_module&field_project_machine_name=$machine_name")
coverage=$(echo "$response" | jq -r '.list[0].field_security_advisory_coverage // "unknown"')
title=$(echo "$response" | jq -r '.list[0].title // "Unknown project"')
if [[ "$coverage" != "Covered" ]]; then
echo "$title ($machine_name) — $coverage"
fi
done
We should be able to produce a report that identifies which, and which do not, Drupal extensions required by the project have security team coverage.