I've spent most of this summer working on the Drupal module called Security Review. My project was porting it to Drupal 8 as part of Google Summer of Code 2015. I'm happy to say that the requirements have been met long before the end of the programme, so there was no rush at the end of the coding period.
This was the 12th week of Google Summer of Code 2015 and we have reached the firm pencils down date. I've been working on porting the Security Review Drupal module to Drupal 8, and if you are familiar with my previous blog posts, you know that it has been finished for quite some time now (according to my GSoC proposal).
This week I was working on cleaning the code, adding missing comments etc. so it wasn't very exciting, but these are also necessary steps in software development, as it makes other people's lives easier. And in open source other people means a lot of people.
I've been working on porting the Security Review Drupal module to Drupal 8 the last 10 weeks as part of Google Summer of Code. If we'd measure the progress in percentages, it would be about 105%. The functionality of the Drupal 7 version of the module has already been ported, and a new check called Trusted Hosts has been introduced which is described below.
Week 9 of Google Summer of Code has passed and my project, which is porting the Security Review module to Drupal 8, has significantly slowed down due to it being done and I'm basically addressing issues that reviewers and my mentor coltrane find. There are still 3 weeks left of the coding period, so I'm not worried about the project.
I'm writing this post because it took me one and a half hours to get a proper feed on Drupal 8 that validates, so maybe it will help others.
The problem with the Views feed in Drupal 8 (at the moment) is that it does not encode HTML in feed rows' description tags. This is a known bug - Issue #2500931. The easiest workaround is setting up a title-only feed. It will validate because <description> is empty, and the rest of the feed is good.
I'm working on porting Security Review to Drupal 8 as my Google Summer of Code project this year. 8 weeks have passed since the beginning of the coding period, and the port is ready to be reviewed. In the remaining 4 weeks I'm going to address issues found by reviewers, possibly add more functionality and solve some issues related to the old version of the module prioritizing issues that are already solved in the D8 port.
What is Security Review?
Security Review automates checking many of the configuration errors that lead to an insecure Drupal site and looks for existing vulnerabilities and attack attempts. The primary goal of the module is to elevate your awareness of the importance of securing your Drupal site.
How can you help?
If you would like to help, you could review the ported module and post your findings in this issue. It helps if you have used Security Review before.
The 8.x-1.x branch of the code can be downloaded from here. For installation instructions check README.txt.
Alternatively you can use simplytest.me and you won't even have to leave your browser. Start writing Security Review in the first input box, choose the 8.x-1.x branch and start the sandbox! After going through the Drupal installation enable the module on /admin/modules (Extend) and you are ready to start testing. Note: the module has a Drush function that won't be testable this way.
This was the 7th week of Google Summer of Code, and I'm making good progress on porting Security Review to Drupal 8. I'd say it's about 90% done, and I've learnt a lot about Drupal while getting to this point.
For this week my plan was:
- Finish porting the security checks
- Write the missing parts of the documentation
- Implement the Drush-specific run methods for File permissions and Executable PHP checks
- Start cleaning up the code
There were personal technical issues, but progress has been made and the finish line is in sight.