Merge pull request #5 from 10up/fix/bug-fixes
Fix/bug fixes
douz authored Oct 11, 2024
2 parents 2eab3bc + fab97c6 commit 8aeb30e
Showing 5 changed files with 35 additions and 13 deletions.
12 changes: 12 additions & 0 deletions CHANGELOG.md
@@ -2,6 +2,18 @@

All notable changes to this project will be documented in this file, per [the Keep a Changelog standard](http://keepachangelog.com/).

## [v1.0.1] - 2024-10-10

### Updated

- Removed verbosity from `freshclam` DB update command
- Force trailing slash for `WP_CONTENT_DIR` variable
- Ensure `wp-config.php` file is deleted from `wordpress` dir in `setup_wordpress` function
- Separate vuln scanner into 2 functions, themes and plugins
- Separate vuln scanner setup into its own function
- Use `--porcelain` flag in vuln WPCLI command to avoid using `grep`
- Set the `vuln_api_provider` as not required and set its default value to `wordfence`

## [v1.0.0] - 2024-07-19

### Added
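Review bot: the `### Updated` heading on the v1.0.1 entry is not one of the categories of the standard this file says it follows; Keep a Changelog uses Added, Changed, Deprecated, Removed, Fixed and Security. The entries here are bug fixes (the `wp-config.php` deletion, the trailing-slash handling, the `--porcelain` change) plus one behaviour change (`vuln_api_provider` is now optional and defaults to `wordfence`), so split them under `### Fixed` and `### Changed`. Also, the README spells the tool WP-CLI while the bullets say WPCLI; pick one spelling.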
4 changes: 2 additions & 2 deletions README.md
@@ -15,7 +15,7 @@ This Action leverages our own [WP-CLI Vulnerability Scanner](https://github.com/

| Name | Required | Default | Description |
| --- | --- | --- | --- |
| `vuln_api_provider` | True | - | The vulnerability API provider for the WordPress plugins and themes scanning. Supported values: `wordfence`, `patchstack` and `wpscan` |
| `vuln_api_provider` | False | `wordfence` | The vulnerability API provider for the WordPress plugins and themes scanning. Supported values: `wordfence`, `patchstack` and `wpscan` |
| `vuln_api_token` | False | - | The API token to authenticate against the vulnerability API provider. This input is optional if `vuln_api_provider` is set to `wordfence` |
| `disable_vuln_scan` | False | `false` | Disable the WordPress plugins and themes vulnerability scanner |
| `virus_scan_update` | False | `true` | Update the ClamAV definitions database before executing the virus scanner (recommended) |
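Review bot: the table documents the input as `disable_vuln_scan`, but entrypoint.sh in this same PR gates the scan on `INPUT_DISABLE_WP_VULN_SCAN`, which is the variable a Docker action derives from an input named `disable_wp_vuln_scan`. One of the two is wrong; check the input name in action.yml and align the README row with it, since a user following the table as written would set an input the script never reads.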
@@ -30,7 +30,7 @@ This Action leverages our own [WP-CLI Vulnerability Scanner](https://github.com/

# Examples

## Install Composer dependencies before scanning
## Basic example with Composer dependencies

This example assumes that you have a `wp-content` based repository and uses [Patchstack](https://patchstack.com/) as the API provider.

3 changes: 2 additions & 1 deletion action.yml
@@ -8,7 +8,8 @@ branding:
inputs:
vuln_api_provider:
description: 'Vulnerability API provider'
required: true
required: false
default: 'wordfence'
vuln_api_token:
description: 'Token to authenticate with the vulnerability API provider'
required: false
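Review bot: the `vuln_api_token` description still reads as if the token were always optional, while the README table states it is optional only when `vuln_api_provider` is `wordfence` and entrypoint.sh prints an error for `patchstack` and `wpscan` when it is missing. Mirror that in the metadata so it shows up in the action's documentation, e.g. `description: 'Token to authenticate with the vulnerability API provider (required for patchstack and wpscan)'`.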
2 changes: 1 addition & 1 deletion image/Dockerfile
@@ -8,7 +8,7 @@ LABEL "com.github.actions.icon"="shield"
LABEL "com.github.actions.color"="blue"

LABEL maintainer="10upbot <[email protected]>"
LABEL version="1.0.0"
LABEL version="v1.0.1"
LABEL repository="https://github.com/10up/wp-scanner-action"

RUN apt-get update \
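Review bot: the version label changes format from `1.0.0` to `v1.0.1`, so anything that reads or compares `LABEL version` across images now sees two schemes. Keep the previous form (`LABEL version="1.0.1"`) or adopt the `v` prefix everywhere the version appears, but not both.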
27 changes: 18 additions & 9 deletions image/entrypoint.sh
@@ -8,6 +8,10 @@ SHELL_RED="\033[0;31m"
SHELL_GREEN="\033[0;32m"
# Set wp-content directory location
WP_CONTENT_DIR="${INPUT_CONTENT_DIR:-$GITHUB_WORKSPACE}"
# if WP_CONTENT_DIR is set to "/" then set it to "./" to avord referencing root directory
[ "${WP_CONTENT_DIR}" = "/" ] && WP_CONTENT_DIR="./"
# Ensure WP_CONTENT_DIR ends with a slash
[[ "${WP_CONTENT_DIR}" != */ ]] && WP_CONTENT_DIR="${WP_CONTENT_DIR}/"
# Set PHP syntax check variables
OUTPUT_REDIRECT="1>/dev/null"
FAILED_MESSAGE_POSTFIX=""
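Review bot: silently rewriting a `content_dir` of `/` to `./` hides a misconfiguration instead of reporting it; that line should fail loudly (`shell_red "content_dir must not be /"; exit 1`) or at least log the substitution so the job output shows which directory was actually scanned. Two smaller points in the same lines: `avord` in the comment should be `avoid`, and the `[[ "${WP_CONTENT_DIR}" != */ ]]` glob test is bash-only, so the script must keep a bash shebang (outside this diff) rather than `sh`.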
@@ -47,7 +51,7 @@ function php_syntax_check {
function virus_scan {
if [ "${INPUT_VIRUS_SCAN_UPDATE}" = "true" ]; then
shell_green "Updating ClamAV definitions database"
freshclam --verbose
freshclam
fi

shell_green "##### Starting virus scan #####"
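Review bot: the return status of `freshclam` is still ignored, so a failed definitions update (no network, mirror unavailable) lets the scan continue on whatever database is baked into the image while the log says it was updated. Either abort (`freshclam || exit 1`) or at minimum warn with `shell_red` so a scan run on stale signatures is visible in the job output.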
@@ -102,13 +106,14 @@ function setup_wordpress {

# Install WordPress
pushd wordpress || exit 1
rm -f wp-config.php
wp --allow-root config create --dbname=wordpress --dbuser=root --dbpass=password --dbhost=127.0.0.1
wp --allow-root core install --url=10upvulnerabilitytest.net --title='WordPress Vulnerability Test' --admin_user=admin --admin_password=password [email protected] --skip-email
popd || exit 1
}

# function to execute WordPress vulnerability scan
function wp_vuln_scan {
# Function to setup WPCLI vulnerability scanner
function setup_wpcli_vuln_scanner {
# Check if the vuln_api_token is present for wpscan and patchstack providers
if [ "${INPUT_VULN_API_PROVIDER}" != 'wordfence' ] && [ -z "${INPUT_VULN_API_TOKEN}" ]; then
shell_red "vuln_api_token input is required for ${INPUT_VULN_API_PROVIDER} provider. Please provide the token and re-run the scanner"
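Review bot: `rm -f wp-config.php` needs a one-line comment saying why it is there (`wp config create` errors out when the file already exists); the alternative is `wp --allow-root config create --force ...`, which documents the intent in the command itself. The hard-coded `--dbpass=password` and `--admin_password=password` for the throwaway local instance are acceptable in a scan container, but they also deserve a comment stating that the install is local and discarded, so they are not re-flagged on every future review.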
@@ -122,10 +127,13 @@ function wp_vuln_scan {
pushd wordpress || exit 1
wp --allow-root config set VULN_API_PROVIDER "${INPUT_VULN_API_PROVIDER}"
wp --allow-root config set VULN_API_TOKEN "${INPUT_VULN_API_TOKEN}"
popd || exit 1
}

# Run WordPress themes vulnerability scan
# Function to execute WordPress themes vulnerability scan
function wp_themes_vuln_scan {
shell_green "##### Starting WordPress Themes vulnerability scan #####"
THEMES_SCAN_OUTPUT=$(wp --allow-root vuln theme-status | grep -v 'Vulnerability API Provider' | grep -v 'status' | grep -v 'No vulnerabilities reported for this version of')
THEMES_SCAN_OUTPUT=$(wp --allow-root --path=wordpress/ vuln theme-status --porcelain)
if [ -z "${THEMES_SCAN_OUTPUT}" ]; then
shell_green "No theme vulnerabilities found"
else
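Review bot: `THEMES_SCAN_OUTPUT=$(wp ... --porcelain)` discards the command's exit status, so if the scanner cannot reach the API (bad token, network failure) and prints nothing, the empty string falls into the `-z` branch and is reported as `No theme vulnerabilities found`. Capture the status before testing for emptiness, e.g. `if ! THEMES_SCAN_OUTPUT=$(wp --allow-root --path=wordpress/ vuln theme-status --porcelain); then shell_red "Theme scan failed"; return 1; fi`. Note also that `wp config set VULN_API_TOKEN` writes the secret into `wordpress/wp-config.php`; if that directory survives into later workflow steps or uploaded artifacts, delete the file once the scan is done.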
@@ -138,10 +146,12 @@ function wp_vuln_scan {
return 1
fi
fi
}

# Run WordPress Plugins vulnerability scan
# Function to execute WordPress plugins vulnerability scan
function wp_plugins_vuln_scan {
shell_green "##### Starting WordPress Plugins vulnerability scan #####"
PLUGINS_SCAN_OUTPUT=$(wp --allow-root vuln plugin-status | grep -v 'Vulnerability API Provider' | grep -v 'status' | grep -v 'No vulnerabilities reported for this version of')
PLUGINS_SCAN_OUTPUT=$(wp --allow-root --path=wordpress/ vuln plugin-status --porcelain)
if [ -z "${PLUGINS_SCAN_OUTPUT}" ]; then
shell_green "No plugin vulnerabilities found"
else
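Review bot: `wp_themes_vuln_scan` and `wp_plugins_vuln_scan` are the same body with `theme-status`/`plugin-status` and the noun swapped; one function taking the subcommand and the label as arguments (`wp_vuln_scan theme-status Themes`) would keep the two paths from drifting, so any later change to the empty-output check lands in both. Also, `--path=wordpress/` makes both functions depend on the caller's working directory now that the `pushd`/`popd` pair is gone; a comment stating that they must run from the directory containing `wordpress/` would help.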
@@ -154,7 +164,6 @@ function wp_vuln_scan {
return 1
fi
fi
popd || exit 1
}

# Execute PHP syntax check if not disabled
@@ -164,4 +173,4 @@ function wp_vuln_scan {
[ "${INPUT_DISABLE_VIRUS_SCAN}" != "true" ] && virus_scan

# Execute WordPress vulnerability scan if not disabled
[ "${INPUT_DISABLE_WP_VULN_SCAN}" != "true" ] && setup_mariadb && setup_wordpress && wp_vuln_scan
[ "${INPUT_DISABLE_WP_VULN_SCAN}" != "true" ] && setup_mariadb && setup_wordpress && setup_wpcli_vuln_scanner && wp_themes_vuln_scan && wp_plugins_vuln_scan
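Review bot: this `[ ... ] && ...` list is the last command in the file (the hunk has no trailing context), so when `INPUT_DISABLE_WP_VULN_SCAN` is `true` the test fails, the list returns 1 and the container exits non-zero, failing the job even though nothing went wrong. End the script with an explicit `exit 0`, or replace the one-liner with an `if` block and track failures in a variable that decides the final exit code. The same pattern on the virus-scan line above is harmless only because it is not the last command.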
