Skip to content

WPScan fixes: Ensure that WPScan type of items are not removed from results when filtering #339

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jan 16, 2023
Merged

WPScan fixes: Ensure that WPScan type of items are not removed from results when filtering #339

merged 6 commits into from
Jan 16, 2023

Conversation

gudmdharalds
Copy link
Contributor

@gudmdharalds gudmdharalds commented Jan 11, 2023
edited
Loading

This pull request will ensure that WPScan type of items are not filtered from results due to the underlying files being auto-approved.

The rationale is that WPScan type of items should always be reported; the fact that a add-on has a known issue or is obsolete will not be overridden by the file-ending or the fact that the changes were non-functional.

TODO:

  • Added patch to ensure WPScan type of items are not filtered away.
  • Add test
    • Verify that WPScan items are not filtered away.
  • [N/A] Add to, or update, Scan run detail report as applicable
  • Check status of automated tests
    • Run integration tests manually (see comment).
  • Update README
    • The README file already mentions that a pull request with obsolete or vulnerable plugin or theme is not auto-approved.
    • Remove reference to database of previously reviewed, safe code.
  • Ensure PHPDoc comments are up to date for functions added or altered
  • Changelog entry (for VIP) [ Changelog for version 1.3.4 #333 ]

@gudmdharalds gudmdharalds self-assigned this Jan 11, 2023
@gudmdharalds gudmdharalds added this to the 1.3.4 milestone Jan 11, 2023
chriszarate
chriszarate approved these changes Jan 11, 2023
View reviewed changes
Copy link
Member

@chriszarate chriszarate left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look ok, not sure why tests are failing

@gudmdharalds
Copy link
Contributor Author

Thanks @chriszarate !

The integration tests fail due to GitHub HTTP request rate limit. This is not easy to fix, but is on the agenda to resolve.

I will run the tests manually.

@wpcomvip-vipgoci-bot
Copy link
Collaborator

No issues were found to report when scanning latest commit (commit-ID: 1f4356b)

This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.

Scan run detail

Software versions

  • vip-go-ci version: 1.3.3
  • PHP runtime version for vip-go-ci: 8.1.14
  • PHP runtime for linting:
    • PHP 8.1: 8.1.14
  • PHP runtime version for PHPCS: 7.4.33
  • PHPCS version: 3.7.1
  • PHP runtime version for SVG scanner: 7.4.33

Options file (.vipgoci_options)

Options file enabled: true

Configurable options:

  • skip-execution
  • skip-draft-prs
  • lint-modified-files-only
  • phpcs
  • phpcs-severity
  • phpcs-sniffs-include
  • phpcs-sniffs-exclude
  • report-no-issues-found
  • review-comments-sort
  • review-comments-include-severity
  • post-generic-pr-support-comments
  • review-comments-sort
  • scan-details-msg-include
  • svg-checks
  • autoapprove
  • autoapprove-php-nonfunctional-changes

Options altered:

  • phpcs-severityset to1
  • phpcs-sniffs-includeset toGeneric.PHP.DisallowShortOpenTag, Squiz.PHP.CommentedOutCode
  • phpcs-sniffs-excludeset toWordPress.Security.EscapeOutput, WordPress.PHP.DevelopmentFunctions, WordPress.WP.AlternativeFunctions, WordPress.PHP.DiscouragedPHPFunctions, WordPress.Files.FileName, Squiz.Commenting.FileComment, Generic.PHP.Syntax
  • skip-draft-prsset to

PHP lint options

PHP lint files enabled: true

Lint modified files only: true

Lint files with file extensions:

  • php

Directories not PHP linted:

  • None

SVG configuration

SVG scanning enabled: true

Scan added/modified files with file extensions:

  • svg

Auto-approval configuration

Auto-approvals enabled: true

Non-functional changes auto-approved: true

Files with file extensions to consider for non-functional change auto-approval: php

Auto-approved file-types:

  • css
  • csv
  • eot
  • gif
  • gz
  • ico
  • ini
  • jpeg
  • jpg
  • json
  • less
  • map
  • md
  • mdown
  • mo
  • mp4
  • otf
  • pcss
  • pdf
  • po
  • pot
  • png
  • sass
  • scss
  • styl
  • ttf
  • txt
  • woff
  • woff2
  • yml

PHPCS configuration

PHPCS scanning enabled: true

PHPCS severity level: 1

Standard(s) used:

  • PHPCompatibility
  • PHPCompatibilityParagonieRandomCompat
  • PHPCompatibilityParagonieSodiumCompat
  • VariableAnalysis
  • WordPress

Runtime set:

  • testVersion 8.1-

Scan added/modified files with file extensions:

  • php
  • js
  • twig

Custom sniffs included:

  • Generic.PHP.DisallowShortOpenTag
  • Squiz.PHP.CommentedOutCode

Custom sniffs excluded:

  • WordPress.Security.EscapeOutput
  • WordPress.PHP.DevelopmentFunctions
  • WordPress.WP.AlternativeFunctions
  • WordPress.PHP.DiscouragedPHPFunctions
  • WordPress.Files.FileName
  • Squiz.Commenting.FileComment
  • Generic.PHP.Syntax

Directories not PHPCS scanned:

  • None

WPScan API configuration

WPScan API scanning enabled: true

WPScan API URL: https://wpscan.com/api/v3

Directories scanned:

  • plugins
  • client-mu-plugins
  • themes

Directories not scanned:

  • None

Scan added/modified plugins based on headers present in files with file extensions:

  • php

Scan added/modified themes based on headers present in files with file extensions:

  • css

@gudmdharalds gudmdharalds merged commit abee7db into trunk Jan 16, 2023
@gudmdharalds gudmdharalds deleted the fix/wpscan-results-filter branch January 16, 2023 13:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chriszarate chriszarate chriszarate approved these changes

Assignees

@gudmdharalds gudmdharalds

Labels
[Pri] Normal [Type] Enhancement
Projects
None yet
Milestone
1.3.4
Development

Successfully merging this pull request may close these issues.
3 participants
@gudmdharalds @wpcomvip-vipgoci-bot @chriszarate