Merge pull request #101 from 10up/fix/100

Add filter to skip vulnerability check.
10up · Feb 22, 2024 · ac00960 · ac00960
2 parents 0938ee8 + cf13d12
commit ac00960
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 4 deletions.
diff --git a/features/vuln-patchstack.feature b/features/vuln-patchstack.feature
@@ -20,8 +20,9 @@ Feature: Test WP-CLI Features with Patchstack API.
     Then STDOUT should end with a table containing rows:
       | name          | installed version | status                                                      | fixed in                | severity      |
       | wppizza       | 0                 | WordPress WPPizza Plugin <= 2.11.8.0 - Cross Site Scripting | 2.11.8.18 | n/a           |
-      | wordpress-seo | 0                 | WordPress SEO by Yoast Plugin 1.7.3.3 - Blind SQL Injection | 1.7.3.4 | n/a           |
-
+      |               | 0                 | WordPress WPPizza – A Restaurant Plugin plugin <= 3.17.1 - Reflected Cross Site Scripting (XSS) vulnerability  | 3.17.2    | High 7.1/10   |
+      |               | 0                 | WordPress WPPizza plugin <= 3.18.2 - Reflected Cross Site Scripting (XSS) vulnerability                        | 3.18.3    | High 7.1/10   |
+      | wordpress-seo | 0                 | WordPress SEO by Yoast Plugin 1.7.3.3 - Blind SQL Injection | 1.7.3.4 | High 8.8/10 |
 
   Scenario: Get plugin status (wp vuln plugin-status)
     When I run `wp plugin uninstall akismet hello`
@@ -55,13 +56,13 @@ Feature: Test WP-CLI Features with Patchstack API.
     When I run `wp plugin uninstall akismet hello`
     Then STDOUT should not be empty
 
-    When I run `wp plugin install restricted-site-access --version=7.3.2 --force`
+    When I run `wp plugin install restricted-site-access --version=7.5.0 --force`
     Then STDOUT should not be empty
 
     When I run `wp vuln plugin-status --no-color`
     Then STDOUT should end with a table containing rows:
       | name                   | installed version | status                                                                 | introduced in | fixed in | severity |
-      | restricted-site-access | 7.3.2             | No vulnerabilities reported for this version of restricted-site-access | n/a           | n/a | n/a      |
+      | restricted-site-access | 7.5.0             | No vulnerabilities reported for this version of restricted-site-access | n/a           | n/a | n/a      |
 
     When I run `wp vuln plugin-status --porcelain`
     Then STDOUT should be empty

diff --git a/includes/class-vuln-patchstack-service.php b/includes/class-vuln-patchstack-service.php
@@ -390,6 +390,18 @@ private function format_vulnerability_data( $vulnerabilities, $version ) {
 		$report = array();
 
 		foreach ( $vulnerabilities as $vuln ) {
+			/**
+			 * Filter whether to skip the vulnerability check.
+			 *
+			 * @since 1.3.0
+			 * @hook vuln_skip_vulnerability_check
+			 * @param {bool} $skip True to skip.
+			 * @param {object} $vuln Vulnerability object.
+			 */
+			if ( apply_filters( 'vuln_skip_vulnerability_check', false, $vuln ) ) {
+				continue;
+			}
+
 			// API has records for affected_in ?
 			$affected_in = $this->obj_has_non_empty_prop( 'affected_in', $vuln );
 			// Check for fix version.

diff --git a/includes/class-vuln-wordfence-service.php b/includes/class-vuln-wordfence-service.php
@@ -248,6 +248,18 @@ private function format_vulnerability_data( $vulnerabilities, $slug, $version )
 		$report = array();
 
 		foreach ( $vulnerabilities as $vuln ) {
+			/**
+			 * Filter whether to skip the vulnerability check.
+			 *
+			 * @since 1.3.0
+			 * @hook vuln_skip_vulnerability_check
+			 * @param {bool} $skip True to skip.
+			 * @param {object} $vuln Vulnerability object.
+			 */
+			if ( apply_filters( 'vuln_skip_vulnerability_check', false, $vuln ) ) {
+				continue;
+			}
+
 			$fixed         = false;
 			$fixed_version = '';
 			$severity      = 'n/a';

diff --git a/includes/class-vuln-wpscan-service.php b/includes/class-vuln-wpscan-service.php
@@ -80,6 +80,17 @@ public function check_wordpress() {
 
 				if ( is_array( $vulnerabilities ) ) {
 					foreach ( $vulnerabilities as $k => $vuln ) {
+						/**
+						 * Filter whether to skip the vulnerability check.
+						 *
+						 * @since 1.3.0
+						 * @hook vuln_skip_vulnerability_check
+						 * @param {bool} $skip True to skip.
+						 * @param {object} $vuln Vulnerability object.
+						 */
+						if ( apply_filters( 'vuln_skip_vulnerability_check', false, $vuln ) ) {
+							continue;
+						}
 
 						// API has records for when was introduced ?
 						$reported_since = $this->obj_has_non_empty_prop( 'introduced_in', $vuln );
@@ -251,6 +262,18 @@ public function check_status( $slug, $version, $type ) {
 
 			if ( is_array( $vulnerabilities ) && ! empty( $vulnerabilities ) ) {
 				foreach ( $vulnerabilities as $k => $vuln ) {
+					/**
+					 * Filter whether to skip the vulnerability check.
+					 *
+					 * @since 1.3.0
+					 * @hook vuln_skip_vulnerability_check
+					 * @param {bool} $skip True to skip.
+					 * @param {object} $vuln Vulnerability object.
+					 */
+					if ( apply_filters( 'vuln_skip_vulnerability_check', false, $vuln ) ) {
+						continue;
+					}
+
 					// API has records for when was introduced ?
 					$reported_since = $this->obj_has_non_empty_prop( 'introduced_in', $vuln );
 					// Check for fix version.