feat: add the Drupal ecosystem

Signed-off-by: Gareth Jones <[email protected]>

Author: G-Rath

bindings/go/osvschema/constants.go

@@ -17,6 +17,7 @@ const (
 	EcosystemCRAN                       Ecosystem = "CRAN"
 	EcosystemCratesIO                   Ecosystem = "crates.io"
 	EcosystemDebian                     Ecosystem = "Debian"
+	EcosystemDrupal                     Ecosystem = "Drupal"
 	EcosystemGHC                        Ecosystem = "GHC"
 	EcosystemGitHubActions              Ecosystem = "GitHub Actions"
 	EcosystemGo                         Ecosystem = "Go"

docs/schema.md

@@ -790,6 +790,7 @@ The defined ecosystems are:
 | `CRAN` | The R package ecosystem. The `name` is an R package name. |
 | `crates.io` | The crates.io ecosystem for Rust; the `name` field is a crate name. |
 | `Debian` | The Debian package ecosystem; the `name` is the name of the source package. The ecosystem string might optionally have a `:<RELEASE>` suffix to scope the package to a particular Debian release. `<RELEASE>` is a numeric version specified in the [Debian distro-info-data](https://debian.pages.debian.net/distro-info-data/debian.csv). For example, the ecosystem string "Debian:7" refers to the Debian 7 (wheezy) release. |
+| `Drupal` | The Drupal CMS ecosystem, for packages sourced from the Drupal composer repository. The ecosystem implies https://packages.drupal.org/8 as the source repository, unless a :7 suffix is present in which case the repository is https://packages.drupal.org/7 |
 | `GHC` | The Haskell compiler ecosystem. The `name` field is the name of a component of the GHC compiler ecosystem (e.g., compiler, GHCI, RTS). |
 | `GitHub Actions` | The GitHub Actions ecosystem; the `name` field is the action's repository name with owner e.g. `{owner}/{repo}`. |
 | `Go` | The Go ecosystem; the `name` field is a Go module path. |

ecosystems.json

@@ -11,6 +11,7 @@
   "CRAN": "The R package ecosystem. The `name` is an R package name.",
   "crates.io": "The crates.io ecosystem for Rust; the `name` field is a crate name.",
   "Debian": "The Debian package ecosystem; the `name` is the name of the source package. The ecosystem string might optionally have a `:<RELEASE>` suffix to scope the package to a particular Debian release. `<RELEASE>` is a numeric version specified in the [Debian distro-info-data](https://debian.pages.debian.net/distro-info-data/debian.csv). For example, the ecosystem string \"Debian:7\" refers to the Debian 7 (wheezy) release.",
+  "Drupal": "The Drupal CMS ecosystem, for packages sourced from the Drupal composer repository. The ecosystem implies https://packages.drupal.org/8 as the source repository, unless a :7 suffix is present in which case the repository is https://packages.drupal.org/7",
   "GHC": "The Haskell compiler ecosystem. The `name` field is the name of a component of the GHC compiler ecosystem (e.g., compiler, GHCI, RTS).",
   "GitHub Actions": "The GitHub Actions ecosystem; the `name` field is the action's repository name with owner e.g. `{owner}/{repo}`.",
   "Go": "The Go ecosystem; the `name` field is a Go module path.",

tools/osv-linter/internal/checks/schema_generated.json

@@ -341,6 +341,7 @@
         "CRAN",
         "crates.io",
         "Debian",
+        "Drupal",
         "GHC",
         "GitHub Actions",
         "Go",
@@ -377,7 +378,7 @@
       "type": "string",
       "title": "Currently supported ecosystems",
       "description": "These ecosystems are also documented at https://ossf.github.io/osv-schema/#affectedpackage-field",
-      "pattern": "^(AlmaLinux|Alpaquita|Alpine|Android|BellSoft Hardened Containers|Bioconductor|Bitnami|Chainguard|ConanCenter|CRAN|crates\\.io|Debian|GHC|GitHub Actions|Go|Hackage|Hex|Kubernetes|Linux|Mageia|Maven|MinimOS|npm|NuGet|openEuler|openSUSE|OSS-Fuzz|Packagist|Photon OS|Pub|PyPI|Red Hat|Rocky Linux|RubyGems|SUSE|SwiftURL|Ubuntu|Wolfi|GIT)(:.+)?$"
+      "pattern": "^(AlmaLinux|Alpaquita|Alpine|Android|BellSoft Hardened Containers|Bioconductor|Bitnami|Chainguard|ConanCenter|CRAN|crates\\.io|Debian|Drupal|GHC|GitHub Actions|Go|Hackage|Hex|Kubernetes|Linux|Mageia|Maven|MinimOS|npm|NuGet|openEuler|openSUSE|OSS-Fuzz|Packagist|Photon OS|Pub|PyPI|Red Hat|Rocky Linux|RubyGems|SUSE|SwiftURL|Ubuntu|Wolfi|GIT)(:.+)?$"
     },
     "prefix": {
       "type": "string",

tools/osv-linter/internal/pkgchecker/ecosystems.go

@@ -51,6 +51,8 @@ func ExistsInEcosystem(pkg string, ecosystem string) bool {
 		return existsInCrates(pkg)
 	case "Debian":
 		return true
+	case "Drupal":
+		return true
 	case "GIT":
 		return true
 	case "GitHub Actions":
@@ -136,6 +138,8 @@ func VersionsExistInEcosystem(pkg string, versions []string, ecosystem string) e
 		return nil
 	case "Debian":
 		return nil
+	case "Drupal":
+		return nil
 	case "GIT":
 		return nil
 	case "GitHub Actions":

validation/schema.json

@@ -341,6 +341,7 @@
         "CRAN",
         "crates.io",
         "Debian",
+        "Drupal",
         "GHC",
         "GitHub Actions",
         "Go",
@@ -377,7 +378,7 @@
       "type": "string",
       "title": "Currently supported ecosystems",
       "description": "These ecosystems are also documented at https://ossf.github.io/osv-schema/#affectedpackage-field",
-      "pattern": "^(AlmaLinux|Alpaquita|Alpine|Android|BellSoft Hardened Containers|Bioconductor|Bitnami|Chainguard|ConanCenter|CRAN|crates\\.io|Debian|GHC|GitHub Actions|Go|Hackage|Hex|Kubernetes|Linux|Mageia|Maven|MinimOS|npm|NuGet|openEuler|openSUSE|OSS-Fuzz|Packagist|Photon OS|Pub|PyPI|Red Hat|Rocky Linux|RubyGems|SUSE|SwiftURL|Ubuntu|Wolfi|GIT)(:.+)?$"
+      "pattern": "^(AlmaLinux|Alpaquita|Alpine|Android|BellSoft Hardened Containers|Bioconductor|Bitnami|Chainguard|ConanCenter|CRAN|crates\\.io|Debian|Drupal|GHC|GitHub Actions|Go|Hackage|Hex|Kubernetes|Linux|Mageia|Maven|MinimOS|npm|NuGet|openEuler|openSUSE|OSS-Fuzz|Packagist|Photon OS|Pub|PyPI|Red Hat|Rocky Linux|RubyGems|SUSE|SwiftURL|Ubuntu|Wolfi|GIT)(:.+)?$"
     },
     "prefix": {
       "type": "string",