Merge branch 'develop' into trunk
dkotter committed Apr 1, 2024
2 parents f130ec3 + 013ff50 commit 10308a8
Showing 14 changed files with 69 additions and 7 deletions.
Binary file added .wordpress-org/banner-1544x500.jpg
Binary file added .wordpress-org/banner-1544x500.png
Binary file added .wordpress-org/banner-772x250.png
Binary file added .wordpress-org/icon-128x128.png
Binary file added .wordpress-org/icon-256x256.jpg
Binary file added .wordpress-org/icon-256x256.png
8 changes: 8 additions & 0 deletions .wordpress-org/icon.svg
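Review bot: the 8 added lines of `.wordpress-org/icon.svg` are not rendered on this page, so the file cannot be reviewed here; before it ships as a directory asset, confirm that the SVG contains only static drawing elements and no `<script>`, event-handler attributes or external references, since SVG is executable markup wherever a browser renders it inline. A one-line reviewer confirmation on the PR (or running the file through an SVG sanitizer in CI alongside the PNG/JPG assets) would close that gap.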
8 changes: 7 additions & 1 deletion CHANGELOG.md
Expand Up @@ -4,7 +4,12 @@ All notable changes to this project will be documented in this file, per [the Ke

## [Unreleased] - TBD

## [1.2.0] - 2023-07-31
## [1.2.1] - 2024-04-01
### Added
- Introduce new filter, `vuln_skip_vulnerability_check`, that can be used to skip the vulnerability check for a specific vulnerability (props [@burhandodhy](https://github.com/burhandodhy), [@shahzaib10up](https://github.com/shahzaib10up), [@iamdharmesh](https://github.com/iamdharmesh) via [#101](https://github.com/10up/wpcli-vulnerability-scanner/pull/101)).
- Plugin banner and icon images (props [Brooke Campbell](https://www.linkedin.com/in/brookecampbelldesign/), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter) via [#99](https://github.com/10up/wpcli-vulnerability-scanner/pull/99)).

## [1.2.0] - 2023-08-02
### Added
- Functional tests (props [@iamdharmesh](https://github.com/iamdharmesh), [@jeffpaul](https://github.com/jeffpaul), [@peterwilsoncc](https://github.com/peterwilsoncc) via [#75](https://github.com/10up/wpcli-vulnerability-scanner/pull/75))
- Wordfence Intelligence as an API provider. (props [@iamdharmesh](https://github.com/iamdharmesh), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter), [Charles Sweethill](https://github.com/wordfence), [@barmat](https://github.com/barmat), [@szepeviktor](https://github.com/szepeviktor) via [#78](https://github.com/10up/wpcli-vulnerability-scanner/pull/78))
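Review bot: the `## [1.2.0]` heading's date changes from 2023-07-31 to 2023-08-02 with nothing in the entry explaining it; editing the date of an already-released version deserves a one-line mention in the PR description so that anyone reconciling tags with the changelog is not left guessing. Separately, the new 1.2.1 bullet says the filter can "skip the vulnerability check for a specific vulnerability", but in the service classes changed by this commit the filter is applied per record inside the loops that format results already returned by the API, so what is skipped is the reporting of one finding, not the check itself; suggest wording along the lines of "filter that can be used to suppress a specific reported vulnerability from the scan output". Note also that none of the 14 changed files is a README or usage document (they are the images, CHANGELOG, CREDITS, one feature file, three service classes and the plugin header), so this bullet is currently the only documentation of the hook's name and arguments.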
Expand Down Expand Up @@ -50,6 +55,7 @@ All notable changes to this project will be documented in this file, per [the Ke
## [0.0.1] - 2016-06-02

[Unreleased]: https://github.com/10up/wpcli-vulnerability-scanner/compare/trunk...develop
[1.2.1]: https://github.com/10up/wpcli-vulnerability-scanner/compare/1.2.0...1.2.1
[1.2.0]: https://github.com/10up/wpcli-vulnerability-scanner/compare/1.1.0...1.2.0
[1.1.0]: https://github.com/10up/wpcli-vulnerability-scanner/compare/1.0.0...1.1.0
[1.0.0]: https://github.com/10up/wpcli-vulnerability-scanner/compare/59bc742...1.0.0
Expand Down
2 changes: 1 addition & 1 deletion CREDITS.md
Expand Up @@ -12,7 +12,7 @@ The following individuals are responsible for curating the list of issues, respo

Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.

[Kailey Lampert (@trepmal)](https://github.com/trepmal), [Ritesh Patel (@Ritesh-patel)](https://github.com/Ritesh-patel), [Robert Lilly (@rclilly)](https://github.com/rclilly), [Steve Hulet (@hulet)](https://github.com/hulet), [Allan Collins (@allan23)](https://github.com/allan23), [Phil Banks (@phlbnks)](https://github.com/phlbnks), [Eugene Manuilov (@eugene-manuilov)](https://github.com/eugene-manuilov), [Vladimir Knobel (@vladox)](https://github.com/vladox), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Thorsten Ott (@tott)](https://github.com/tott), [Tyler Cherpak (@tylercherpak)](https://github.com/tylercherpak), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Pablo Amato (@pabamato)](https://github.com/pabamato), [Zachary Brown (@TheLastCicada)](https://github.com/TheLastCicada), [Rahul Prajapati (@rahulsprajapati)](https://github.com/rahulsprajapati), [Max Lyuchin (@cadic)](https://github.com/cadic), [Jozsef Kozo (@kojraai)](https://github.com/kojraai), [Chris Wiegman (@ChrisWiegman)](https://github.com/ChrisWiegman), [ssnepenthe (@ssnepenthe)](https://github.com/ssnepenthe), [Evan Tobin (@evantobin)](https://github.com/evantobin), [Victor Dieppa Garriga (@dieppon)](https://github.com/dieppon), [marek (@marekmaurizio)](https://github.com/marekmaurizio), [planetahuevo (@planetahuevo)](https://github.com/planetahuevo), [bo.johnson (@boyeatssteak)](https://github.com/boyeatssteak), [Erik Hausen (@ehausen)](https://github.com/ehausen), [Eduardo Aranda Hernández (@eduardoarandah)](https://github.com/eduardoarandah), [Angelo Rocha (@angelorock)](https://github.com/angelorock), [Frankie Bordone (@frankiebordone)](https://github.com/frankiebordone), [t2d (@t2d)](https://github.com/t2d), [Prasath Nadarajah (@nprasath002)](https://github.com/nprasath002), [Alexander Dimitrov (@randstring)](https://github.com/randstring), [Andrew Minion (@andrewminion-luminfire)](https://github.com/andrewminion-luminfire), [Russell F 
(@rfair404)](https://github.com/rfair404), [Sean Dietrich (@sean-e-dietrich)](https://github.com/sean-e-dietrich), [André Durão (@andredurao)](https://github.com/andredurao), [Ben Greeley (@bengreeley)](https://github.com/bengreeley), [Amit Singh (@thecancerus)](https://github.com/thecancerus), [Igor Radovanov (@igorradovanov)](https://github.com/igorradovanov), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Mohammed Razzaq (@MARQAS)](https://github.com/MARQAS), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Charles Sweethill (@wordfence)](https://github.com/wordfence), [Matt Barry (@barmat)](https://github.com/barmat), [Viktor Szépe (@szepeviktor)](https://github.com/szepeviktor), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Ben Marshall (@bmarshall511)](https://github.com/bmarshall511), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi).
[Kailey Lampert (@trepmal)](https://github.com/trepmal), [Ritesh Patel (@Ritesh-patel)](https://github.com/Ritesh-patel), [Robert Lilly (@rclilly)](https://github.com/rclilly), [Steve Hulet (@hulet)](https://github.com/hulet), [Allan Collins (@allan23)](https://github.com/allan23), [Phil Banks (@phlbnks)](https://github.com/phlbnks), [Eugene Manuilov (@eugene-manuilov)](https://github.com/eugene-manuilov), [Vladimir Knobel (@vladox)](https://github.com/vladox), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Thorsten Ott (@tott)](https://github.com/tott), [Tyler Cherpak (@tylercherpak)](https://github.com/tylercherpak), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Pablo Amato (@pabamato)](https://github.com/pabamato), [Zachary Brown (@TheLastCicada)](https://github.com/TheLastCicada), [Rahul Prajapati (@rahulsprajapati)](https://github.com/rahulsprajapati), [Max Lyuchin (@cadic)](https://github.com/cadic), [Jozsef Kozo (@kojraai)](https://github.com/kojraai), [Chris Wiegman (@ChrisWiegman)](https://github.com/ChrisWiegman), [ssnepenthe (@ssnepenthe)](https://github.com/ssnepenthe), [Evan Tobin (@evantobin)](https://github.com/evantobin), [Victor Dieppa Garriga (@dieppon)](https://github.com/dieppon), [marek (@marekmaurizio)](https://github.com/marekmaurizio), [planetahuevo (@planetahuevo)](https://github.com/planetahuevo), [bo.johnson (@boyeatssteak)](https://github.com/boyeatssteak), [Erik Hausen (@ehausen)](https://github.com/ehausen), [Eduardo Aranda Hernández (@eduardoarandah)](https://github.com/eduardoarandah), [Angelo Rocha (@angelorock)](https://github.com/angelorock), [Frankie Bordone (@frankiebordone)](https://github.com/frankiebordone), [t2d (@t2d)](https://github.com/t2d), [Prasath Nadarajah (@nprasath002)](https://github.com/nprasath002), [Alexander Dimitrov (@randstring)](https://github.com/randstring), [Andrew Minion (@andrewminion-luminfire)](https://github.com/andrewminion-luminfire), [Russell F 
(@rfair404)](https://github.com/rfair404), [Sean Dietrich (@sean-e-dietrich)](https://github.com/sean-e-dietrich), [André Durão (@andredurao)](https://github.com/andredurao), [Ben Greeley (@bengreeley)](https://github.com/bengreeley), [Amit Singh (@thecancerus)](https://github.com/thecancerus), [Igor Radovanov (@igorradovanov)](https://github.com/igorradovanov), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [Mohammed Razzaq (@MARQAS)](https://github.com/MARQAS), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Peter Wilson (@peterwilsoncc)](https://github.com/peterwilsoncc), [Charles Sweethill (@wordfence)](https://github.com/wordfence), [Matt Barry (@barmat)](https://github.com/barmat), [Viktor Szépe (@szepeviktor)](https://github.com/szepeviktor), [Siddharth Thevaril (@Sidsector9)](https://github.com/Sidsector9), [Ben Marshall (@bmarshall511)](https://github.com/bmarshall511), [Ravinder Kumar (@ravinderk)](https://github.com/ravinderk), [Faisal Alvi (@faisal-alvi)](https://github.com/faisal-alvi), [Burhan Nasir (@burhandodhy)](https://github.com/burhandodhy), [Shahzaib Mushtaq (@shahzaib10up)](https://github.com/shahzaib10up), [Brooke Campbell](https://www.linkedin.com/in/brookecampbelldesign/).

## Libraries

Expand Down
9 changes: 5 additions & 4 deletions features/vuln-patchstack.feature
Expand Up @@ -20,8 +20,9 @@ Feature: Test WP-CLI Features with Patchstack API.
Then STDOUT should end with a table containing rows:
| name | installed version | status | fixed in | severity |
| wppizza | 0 | WordPress WPPizza Plugin <= 2.11.8.0 - Cross Site Scripting | 2.11.8.18 | n/a |
| wordpress-seo | 0 | WordPress SEO by Yoast Plugin 1.7.3.3 - Blind SQL Injection | 1.7.3.4 | n/a |

| | 0 | WordPress WPPizzaA Restaurant Plugin plugin <= 3.17.1 - Reflected Cross Site Scripting (XSS) vulnerability | 3.17.2 | High 7.1/10 |
| | 0 | WordPress WPPizza plugin <= 3.18.2 - Reflected Cross Site Scripting (XSS) vulnerability | 3.18.3 | High 7.1/10 |
| wordpress-seo | 0 | WordPress SEO by Yoast Plugin 1.7.3.3 - Blind SQL Injection | 1.7.3.4 | High 8.8/10 |

Scenario: Get plugin status (wp vuln plugin-status)
When I run `wp plugin uninstall akismet hello`
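Review bot: the two replacement WPPizza rows expect an empty `name` cell (`| | 0 | WordPress WPPizzaA Restaurant Plugin plugin <= 3.17.1 ...`), whereas the removed row had `wppizza` in that column; if the slug is genuinely absent from the upstream Patchstack record, say so in a comment in the scenario, and if it is the scanner failing to populate the name column from the response, the test is now locking in a regression rather than catching it. The `WPPizzaA` spelling and the `High 7.1/10` / `High 8.8/10` severities look copied verbatim from live provider data, which points at the underlying problem: these expectations appear to be asserted against a live Patchstack response and will keep drifting as records are added or edited upstream. Suggest recording a fixture response and serving it to the functional test, or at minimum asserting only on the columns the scanner itself controls (`name`, `installed version`, `fixed in`) so the scenario exercises the scanner's formatting rather than the provider's database.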
Expand Down Expand Up @@ -55,13 +56,13 @@ Feature: Test WP-CLI Features with Patchstack API.
When I run `wp plugin uninstall akismet hello`
Then STDOUT should not be empty

When I run `wp plugin install restricted-site-access --version=7.3.2 --force`
When I run `wp plugin install restricted-site-access --version=7.5.0 --force`
Then STDOUT should not be empty

When I run `wp vuln plugin-status --no-color`
Then STDOUT should end with a table containing rows:
| name | installed version | status | introduced in | fixed in | severity |
| restricted-site-access | 7.3.2 | No vulnerabilities reported for this version of restricted-site-access | n/a | n/a | n/a |
| restricted-site-access | 7.5.0 | No vulnerabilities reported for this version of restricted-site-access | n/a | n/a | n/a |

When I run `wp vuln plugin-status --porcelain`
Then STDOUT should be empty
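Review bot: bumping the pinned `restricted-site-access` version from 7.3.2 to 7.5.0 keeps the "No vulnerabilities reported for this version" assertion green only until a vulnerability is disclosed against 7.5.0, at which point this scenario fails again for reasons unrelated to the scanner's code; it is the same live-data dependency as the table in the previous hunk. If the test must stay against the live API, a scenario that installs the current release (`wp plugin install restricted-site-access --force` without `--version`) and asserts that `wp vuln plugin-status --porcelain` prints nothing is at least self-updating; a recorded fixture response is the better fix. Either way, a comment in the feature file explaining why this particular version was chosen would spare the next person from repeating the same bump.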
Expand Down
12 changes: 12 additions & 0 deletions includes/class-vuln-patchstack-service.php
Expand Up @@ -390,6 +390,18 @@ private function format_vulnerability_data( $vulnerabilities, $version ) {
$report = array();

foreach ( $vulnerabilities as $vuln ) {
/**
* Filter whether to skip the vulnerability check.
*
* @since 1.2.1
* @hook vuln_skip_vulnerability_check
* @param {bool} $skip True to skip.
* @param {object} $vuln Vulnerability object.
*/
if ( apply_filters( 'vuln_skip_vulnerability_check', false, $vuln ) ) {
continue;
}

// API has records for affected_in ?
$affected_in = $this->obj_has_non_empty_prop( 'affected_in', $vuln );
// Check for fix version.
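Review bot: a callback returning `true` drops a fetched vulnerability from the report with no trace, so any plugin or mu-plugin loaded on the site can hide findings from the scanner; that is the intended use, but it should be auditable. Suggest counting skipped records and emitting a `WP_CLI::debug()` or `WP_CLI::log()` line naming what was suppressed (at least outside `--porcelain` mode) so a reviewer reading the scan output can see that something was filtered. The docblock's `@param {object} $vuln Vulnerability object.` also tells a callback author nothing about which fields exist on a Patchstack record; naming the provider in the description and listing the properties this loop reads (`affected_in` and the fix-version property just below) would help. Callbacks currently have no way to know which provider produced `$vuln` except by sniffing its shape; passing a provider identifier such as `'patchstack'` as an extra filter argument would make suppressions explicit and scoped.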
Expand Down
12 changes: 12 additions & 0 deletions includes/class-vuln-wordfence-service.php
Expand Up @@ -248,6 +248,18 @@ private function format_vulnerability_data( $vulnerabilities, $slug, $version )
$report = array();

foreach ( $vulnerabilities as $vuln ) {
/**
* Filter whether to skip the vulnerability check.
*
* @since 1.2.1
* @hook vuln_skip_vulnerability_check
* @param {bool} $skip True to skip.
* @param {object} $vuln Vulnerability object.
*/
if ( apply_filters( 'vuln_skip_vulnerability_check', false, $vuln ) ) {
continue;
}

$fixed = false;
$fixed_version = '';
$severity = 'n/a';
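Review bot: this is a verbatim second copy of the same docblock and `apply_filters()` call that the Patchstack service gained in its own `format_vulnerability_data()`, and the WPScan service adds two more; four copies of one hook invocation will drift the first time an argument is added to one of them. Suggest moving the check into a single shared helper (a base class or trait if the services already share one, otherwise a small static helper) that all four loops call. This method already has `$slug` and `$version` in scope from its signature, so passing them to the filter here would be natural, and doing so in one copy but not the others is exactly the inconsistency centralizing avoids.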
Expand Down
23 changes: 23 additions & 0 deletions includes/class-vuln-wpscan-service.php
Expand Up @@ -80,6 +80,17 @@ public function check_wordpress() {

if ( is_array( $vulnerabilities ) ) {
foreach ( $vulnerabilities as $k => $vuln ) {
/**
* Filter whether to skip the vulnerability check.
*
* @since 1.2.1
* @hook vuln_skip_vulnerability_check
* @param {bool} $skip True to skip.
* @param {object} $vuln Vulnerability object.
*/
if ( apply_filters( 'vuln_skip_vulnerability_check', false, $vuln ) ) {
continue;
}

// API has records for when was introduced ?
$reported_since = $this->obj_has_non_empty_prop( 'introduced_in', $vuln );
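Review bot: this copy runs inside `check_wordpress()`, i.e. over WordPress core vulnerabilities, yet the hook name and the single `$vuln` argument are identical to the plugin and theme copies, so a callback written to suppress one plugin finding by matching on a title or a fixed-in version can match a core record as well. Suggest passing the scan type as an additional argument (a fixed value such as `'wordpress'` here, and the `$type` already available in `check_status()`) so callbacks can scope themselves, and updating the docblock's `@param` list accordingly.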
Expand Down Expand Up @@ -251,6 +262,18 @@ public function check_status( $slug, $version, $type ) {

if ( is_array( $vulnerabilities ) && ! empty( $vulnerabilities ) ) {
foreach ( $vulnerabilities as $k => $vuln ) {
/**
* Filter whether to skip the vulnerability check.
*
* @since 1.2.1
* @hook vuln_skip_vulnerability_check
* @param {bool} $skip True to skip.
* @param {object} $vuln Vulnerability object.
*/
if ( apply_filters( 'vuln_skip_vulnerability_check', false, $vuln ) ) {
continue;
}

// API has records for when was introduced ?
$reported_since = $this->obj_has_non_empty_prop( 'introduced_in', $vuln );
// Check for fix version.
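Review bot: `check_status( $slug, $version, $type )` has in scope exactly the context a callback needs to scope a suppression (plugin slug, installed version, plugin-or-theme type), but the filter passes only `$vuln`; suggest `apply_filters( 'vuln_skip_vulnerability_check', false, $vuln, $slug, $version, $type )` here, the equivalent extra arguments in the other providers, and matching `@param` entries in the docblock. Without that, a callback must match on provider-specific fields of `$vuln` and will silently stop matching when a provider renames one. The WPScan object read two lines below uses `introduced_in` while the Patchstack loop reads `affected_in`, which already shows the objects handed to this one hook are not interchangeable across providers.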
Expand Down
2 changes: 1 addition & 1 deletion wpcli-vulnerability-scanner.php
Expand Up @@ -3,7 +3,7 @@
* Plugin Name: 10up WP-CLI Vulnerability Scanner
* Plugin URI: https://github.com/10up/wpcli-vulnerability-scanner
* Description: WP-CLI command only. Check WordPress code, installed plugins and themes for vulnerabilities.
* Version: 1.2.0
* Version: 1.2.1
* Requires at least: 5.7
* Requires PHP: 7.0
* Tested up to: 6.1
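Review bot: the `Version:` bump to 1.2.1 matches the CHANGELOG entry, but `Tested up to: 6.1` is left untouched on a release dated 2024-04-01; if the functional tests for this release ran against a newer WordPress, update the header to match, and if they did not, it is worth a changelog line saying which core version the scanner was exercised on. This header is what WordPress and the plugin directory surface to users, so a stale value reads as an untested plugin.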
Expand Down
