Renovate does not recognize Drupal security releases as security updates

[YesCT]

How are you running Renovate?

Mend Renovate hosted app on github.com

If you're self-hosting Renovate, tell us what version of Renovate you run.

N/A

If you're self-hosting Renovate, select which platform you are using.

None

Was this something which used to work for you, and then stopped?

I am trying to get this working for the first time

Describe the problem

https://docs.renovatebot.com/configuration-options/#prconcurrentlimit says:

Renovate always creates security PRs, even if the concurrent PR limit is already reached. Security PRs have [SECURITY] in their PR title.

For Drupal Core or contrib modules, those are rate limited, and do not have [SECURITY] in the PR title.

For example, https://www.drupal.org/project/office_hours/releases/8.x-1.11 was rate limited, we checked the checkbox to manually create the PR, and the PR title appeared like: "Update dependency drupal/office_hours to ^1.11.0"

Maybe there is no fix for renovate? Maybe the fix needs to come from drupal infrastructure, like this issue: d.o 3301876: Implement “list security advisories” Packagist/Composer API

Relevant debug logs

Logs

Copy/paste the relevant log(s) here, between the starting and ending backticks

I'll attempt to make a minimal reproduction repo.

Have you created a minimal reproduction repository?

I have explained in the description why a minimal reproduction is impossible

[Churro]

Can be explained by the fact that sa-contrib-2023-020 is a security advisory you find only on Drupal's website. The underlying vulnerability has no CVE identifier assigned and is unknown to common vulnerability databases, incl the sources that renovate relies upon.

[YesCT]

There has been a change to drupal.org meta data about security releases. https://www.drupal.org/project/project_composer/issues/3301876#comment-15240460 I'm not certain yet if that is sufficient for renovate to start picking up the drupal security releases as security releases.

[YesCT]

Can renovate get the security info by running https://packagist.org/apidoc#list-security-advisories with packages.drupal.org/8 ??

[HonkingGoose]

Try osvVulnerabilityAlerts first before building more stuff

Can Renovate get the security info by running https://packagist.org/apidoc#list-security-advisories with packages.drupal.org/8?

Renovate has a osvVulnerabilityAlerts feature, maybe that fixes the problem of Renovate not labeling Drupal security updates as security type.

Please create a minimal reproduction

Can you please:

1. Create a minimal reproduction repository (follow the instructions from the bot below). This reproduction should:
   • have one vulnerable Drupal package.
   • only use the config:recommended preset in the renovate.json.
2. See if Renovate creates a normal or security update for the vulnerable package.
3. Write in the readme what Renovate does.
4. Then set osvVulnerabilityAlerts to true.
5. Write in the readme what Renovate does after osvVulnerabilityAlerts=true: are you getting a security update now, or still a normal update?
6. And finally: post a new comment in this discussion with a link to the minimal reproduction, and a short summary of the results.

Why I'm asking for a minimal reproduction

The Renovate docs for the osvVulnerabilityAlerts config options say Renovate can query the OSV database for dependencies that use the packagist datasource. By default osvVulnerabilityAlerts is false, so I first want to know what happens when this option is set to true.

Vulnerability must be in the OSV database

Of course osvVulnerabilityAlerts can only work if the Drupal vulnerability is in the OSV database!

[github-actions[bot]]

Hi there,

Get your discussion fixed faster by creating a minimal reproduction. This means a repository dedicated to reproducing this issue with the minimal dependencies and config possible.

Before we start working on your issue we need to know exactly what's causing the current behavior. A minimal reproduction helps us with this. Discussions without reproductions are less likely to be converted to Issues.

Please follow these steps:

1. Read our guide on creating a minimal reproduction.
2. Go to our minimal reproduction template repository.
3. Select the Use this template button to create a new repository based on the template.
4. Work on the minimal reproduction in your own repository.
5. Fill out the information in your repository's README.md.
6. Add the link to your reproduction to the first post of your Discussion. If you are not the original author, you can post a new comment with the link.

Good luck,

The Renovate team