
WPScan API: Ensure comments are only submitted for changed add-ons #327

Merged (30 commits, Nov 11, 2022)

Conversation

gudmdharalds
Contributor

@gudmdharalds gudmdharalds commented Nov 3, 2022

This pull request introduces code to ensure that WPScan API issues are only submitted for files changed. Previously, comments could be submitted for vulnerable/obsolete add-ons that are placed in sub-directories of other add-ons, even if they were not altered. This pull request resolves this by introducing logic to associate all add-ons with changes in pull requests; if that cannot be done, no comment will be posted for these add-ons.

TODO:

  • Function to ensure issues are only submitted for changed plugins (vipgoci_wpscan_filter_unchanged_addons())
    • Rename function to vipgoci_wpscan_get_altered_addons_data_and_slugs()
  • Function to determine what add-ons do not have associated changes in pull requests (vipgoci_wpcore_misc_get_addons_not_altered()).
  • Add/update tests
    • Update tests/integration/WpscanScanDirsAlteredTest.php
    • Update tests/integration/WpscanScanFindAddonDirsAlteredTest.php
    • Update tests/integration/WpscanScanSaveForSubmissionTest.php
    • Add test for vipgoci_wpscan_get_altered_addons_data_and_slugs()
    • Add test for vipgoci_wpcore_misc_get_addons_not_altered()
  • Add to, or update, Scan run detail report as applicable
  • Check status of automated tests
  • Ensure PHPDoc comments are up to date for functions added or altered
  • Changelog entry (for VIP) [ Changelog for version 1.3.3 #312 ]
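The filtering the description above calls for, as an added example that is not vip-go-ci's own code: the function name, the directory layout and the rule that a changed file belongs to the deepest add-on directory containing it are all assumptions, not taken from the pull request.

```php
<?php
declare(strict_types=1);

/**
 * Split add-ons into those with changed files in the pull request and those without.
 * Hypothetical example, not vip-go-ci's own code. Each changed file is assigned to the
 * deepest add-on directory containing it (an assumption), so an add-on nested inside
 * another add-on is reported only when its own files change, and the enclosing add-on
 * is not reported merely because the nested one changed.
 *
 * @param array<string,string> $addon_dirs    slug => repo-relative directory.
 * @param string[]             $changed_files repo-relative paths touched by the PR.
 * @return array{altered: string[], not_altered: string[]}
 */
function example_split_addons_by_alteration( array $addon_dirs, array $changed_files ): array {
	$altered = array();

	foreach ( $changed_files as $file ) {
		$owner     = null;
		$owner_len = -1;

		foreach ( $addon_dirs as $slug => $dir ) {
			$prefix = rtrim( $dir, '/' ) . '/';
			// Match on a directory boundary and keep the longest (deepest) match.
			if ( str_starts_with( $file, $prefix ) && strlen( $prefix ) > $owner_len ) {
				$owner     = $slug;
				$owner_len = strlen( $prefix );
			}
		}

		if ( null !== $owner ) {
			$altered[ $owner ] = true;
		}
	}
	// Add-ons with no associated change get no WPScan API comment.
	$not_altered = array_diff( array_keys( $addon_dirs ), array_keys( $altered ) );
	return array(
		'altered'     => array_keys( $altered ),
		'not_altered' => array_values( $not_altered ),
	);
}

// Constructed sample input: "nested" lives inside "outer"; only a file of "nested" changed.
print_r( example_split_addons_by_alteration(
	array(
		'outer'  => 'wp-content/plugins/outer',
		'nested' => 'wp-content/plugins/outer/lib/nested',
		'other'  => 'wp-content/plugins/other',
	),
	array( 'wp-content/plugins/outer/lib/nested/nested.php', 'README.md' )
) );
```

With this input only `nested` is treated as altered, so `outer` and `other` would receive no comment even if the WPScan API reported them as vulnerable or obsolete.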

Collaborator

@wpcomvip-vipgoci-bot wpcomvip-vipgoci-bot left a comment


Code analysis identified issues

VIP Code Analysis Bot has identified potential problems in this pull request during automated scanning. We recommend reviewing the issues noted and that they are resolved.

phpcs scanning turned up:

🚫 16 errors

⚠️ 3 warnings


This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.


Scan run detail

Software versions

  • vip-go-ci version: 1.3.2
  • PHP runtime version for vip-go-ci: 8.1.12
  • PHP runtime for linting:
    • PHP 8.1: 8.1.12
  • PHP runtime version for PHPCS: 7.4.33
  • PHPCS version: 3.7.1
  • PHP runtime version for SVG scanner: 7.4.33

Options file (.vipgoci_options)

Options file enabled: true

Configurable options:

  • skip-execution
  • skip-draft-prs
  • lint-modified-files-only
  • phpcs
  • phpcs-severity
  • phpcs-sniffs-include
  • phpcs-sniffs-exclude
  • report-no-issues-found
  • review-comments-sort
  • review-comments-include-severity
  • post-generic-pr-support-comments
  • review-comments-sort
  • scan-details-msg-include
  • svg-checks
  • autoapprove
  • autoapprove-php-nonfunctional-changes

Options altered:

  • phpcs-severity set to 1
  • phpcs-sniffs-include set to Generic.PHP.DisallowShortOpenTag, Squiz.PHP.CommentedOutCode
  • phpcs-sniffs-exclude set to WordPress.Security.EscapeOutput, WordPress.PHP.DevelopmentFunctions, WordPress.WP.AlternativeFunctions, WordPress.PHP.DiscouragedPHPFunctions, WordPress.Files.FileName, Squiz.Commenting.FileComment, Generic.PHP.Syntax
  • skip-draft-prs set to

PHP lint options

PHP lint files enabled: true

Lint modified files only: true

Directories not PHP linted:

  • None

SVG configuration

SVG scanning enabled: true

Auto-approval configuration

Auto-approvals enabled: true

Non-functional changes auto-approved: true

Auto-approved file-types:

  • css
  • csv
  • eot
  • gif
  • gz
  • ico
  • ini
  • jpeg
  • jpg
  • json
  • less
  • map
  • md
  • mdown
  • mo
  • mp4
  • otf
  • pcss
  • pdf
  • po
  • pot
  • png
  • sass
  • scss
  • styl
  • ttf
  • txt
  • woff
  • woff2
  • yml

PHPCS configuration

PHPCS scanning enabled: true

PHPCS severity level: 1

Standard(s) used:

  • PHPCompatibility
  • PHPCompatibilityParagonieRandomCompat
  • PHPCompatibilityParagonieSodiumCompat
  • VariableAnalysis
  • WordPress

Runtime set:

  • testVersion 8.1-

Custom sniffs included:

  • Generic.PHP.DisallowShortOpenTag
  • Squiz.PHP.CommentedOutCode

Custom sniffs excluded:

  • WordPress.Security.EscapeOutput
  • WordPress.PHP.DevelopmentFunctions
  • WordPress.WP.AlternativeFunctions
  • WordPress.PHP.DiscouragedPHPFunctions
  • WordPress.Files.FileName
  • Squiz.Commenting.FileComment
  • Generic.PHP.Syntax

Directories not PHPCS scanned:

  • None

WPScan API configuration

WPScan API scanning enabled: false

Posting will continue in further review(s)

10 inline review comments on wpscan-scan.php (all resolved; 5 marked outdated)
Collaborator

@wpcomvip-vipgoci-bot wpcomvip-vipgoci-bot left a comment


Previous scan continued.

1 inline review comment on wpscan-scan.php (resolved; marked outdated)
@wpcomvip-vipgoci-bot wpcomvip-vipgoci-bot dismissed their stale review November 3, 2022 16:42

Dismissing review as all inline comments are obsolete by now

@gudmdharalds gudmdharalds marked this pull request as ready for review November 10, 2022 15:29
@wpcomvip-vipgoci-bot
Collaborator

Scanning latest commit did not yield any new issues. Please have a look at older feedback still existing (commit-ID: 77d49c6)


@gudmdharalds gudmdharalds merged commit a240d35 into trunk Nov 11, 2022
@gudmdharalds gudmdharalds deleted the fix/wpscan-api-addon-notification branch November 11, 2022 10:05