The Joomla Vulnerable Extension List, is a public list published by Joomla.org of reported plugins, extensions, modules and/or templates from 3rd party developers that have known or resolved security issues with them.
Currently the information on each VEL entry is published in individual content articles with no provisions for machine-readable output. Many requests have been made to provide a machine readable output to the community to make it easier to find out if a specific extension is listed on the VEL or not. The person generally wants to do for example one of the following things with the VEL information:
- develop a plugin that automatically sends an email to the site administrator when an installed extension gets listed
- add a feature to the built-in installer to warn users when a listed extension should be uninstalled
- develop a tool for web hosts that allows them to specifically search for vulnerable Joomla installations on their servers
The solution to this problem is quite simple and the following points provide some idea as to what we are looking to do.
General:
- VEL has 2 lists: Live and Resolved.
Live are vulnerable extensions and resolved are ones removed from live list after developer has resolved issue(s) - JSON as best output - easy to integrate in almost all programming languages
- Data will fall under Joomla! Electronic Documentation Licensehttps://docs.joomla.org/JEDL copy of which must be included
Backend:
- Auto data gather from database (MySQL)
- Auto update JSON as data is added to live/resolved list.
- Auto update last_updated date in JSON when changes are made
- Way to periodically auto update JSON data
How Accomplished:
- Scripting
- PHP
- Joomla Component
- Other
Frontend:
- Provide lightweight way for public to access JSON data
The VEL team needs help in accomplishing this task. We are building a team that can help formulate and program a solution. If you are interested in donating some time to help accomplish this task then please contact the