From 28105e525e92aafddf30700baf01f5a5f7551901 Mon Sep 17 00:00:00 2001 From: Douglas Barahona Date: Fri, 19 Jul 2024 12:54:10 -0600 Subject: [PATCH] Initial release --- .github/workflows/build-image.yml | 47 +++++ .../workflows/release-tag-major-version.yml | 39 ++++ .github/workflows/tests.yml | 22 +++ .gitignore | 5 + CHANGELOG.md | 9 + CODE_OF_CONDUCT.md | 76 ++++++++ CONTRIBUTING.md | 23 +++ CREDITS.md | 9 + README.md | 112 ++++++++++++ action.yml | 51 ++++++ image/.dockerignore | 1 + image/Dockerfile | 70 ++++++++ image/entrypoint.sh | 167 ++++++++++++++++++ 13 files changed, 631 insertions(+) create mode 100644 .github/workflows/build-image.yml create mode 100644 .github/workflows/release-tag-major-version.yml create mode 100644 .github/workflows/tests.yml create mode 100644 .gitignore create mode 100644 CHANGELOG.md create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 CREDITS.md create mode 100644 README.md create mode 100644 action.yml create mode 100644 image/.dockerignore create mode 100644 image/Dockerfile create mode 100755 image/entrypoint.sh diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml new file mode 100644 index 0000000..6299bfc --- /dev/null +++ b/.github/workflows/build-image.yml 
@@ -0,0 +1,47 @@
+---
+name: Build and publish image to Github Packages
+on:
+  release:
+    types:
+      - published
+  workflow_dispatch:
+
+jobs:
+  publish-wp-scanner-action-image:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Checkout repository
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Login to Github Packages
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=semver,pattern={{raw}}
+            type=semver,pattern={{major}}
+            type=semver,pattern={{version}}
+            type=sha
+            type=raw,enable=true,value=latest
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: image
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
\ No newline at end of file
diff --git a/.github/workflows/release-tag-major-version.yml b/.github/workflows/release-tag-major-version.yml
new file mode 100644
index 0000000..931f8bd
--- /dev/null
+++ b/.github/workflows/release-tag-major-version.yml
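Review bot: The publish job declares no `permissions:` block, so the `secrets.GITHUB_TOKEN` handed to `docker/login-action` carries whatever the repository default grants rather than the `packages: write` (plus `contents: read` for the checkout) it actually needs; add `permissions:` with `contents: read` and `packages: write` at the job level. Every third-party action here is pinned to a moving major tag (`actions/checkout@v3`, `docker/login-action@v3`, `docker/metadata-action@v5`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v5`); for a workflow that publishes the image `action.yml` consumes, full commit-SHA pins with the tag in a trailing comment are the usual mitigation. `type=raw,enable=true,value=latest` moves the floating tag on every published release, pre-releases included; if that is not intended, gate it with `enable=${{ !github.event.release.prerelease }}` or drop `latest` so consumers rely on the semver tags.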
@@ -0,0 +1,39 @@
+---
+name: Tag major version on release
+on:
+  release:
+    types:
+      - published
+
+jobs:
+  tag-release:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Checkout repository
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Tag release with vX tag
+        shell: bash
+        run: |
+          RELEASE_NAME="${GITHUB_REF#refs/tags/}"
+          echo "Release name: ${RELEASE_NAME}"
+          if [[ "${RELEASE_NAME}" =~ ^(v[0-9]+)[.] ]]; then
+            RELEASE_TAG_SHORT="${BASH_REMATCH[1]}"
+            echo "Release tag short: ${RELEASE_TAG_SHORT}"
+            # Git config
+            git config --local user.name 10upbot
+            git config --local user.email 10upbot+github@10up.com
+            # Create tag locally
+            git tag -f -a "${RELEASE_TAG_SHORT}" -m "Automated GitHub Actions release: ${RELEASE_TAG_SHORT}"
+            # Delete remote tag
+            git push origin :refs/tags/"${RELEASE_TAG_SHORT}"
+            # Push tag to remote
+            git push origin "${RELEASE_TAG_SHORT}"
+          else
+            echo "Release name does not match vX pattern: ${RELEASE_NAME}"
+            echo "Nothing to do!"
+          fi
\ No newline at end of file
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 0000000..e028ba0
--- /dev/null
+++ b/.github/workflows/tests.yml
@@ -0,0 +1,22 @@
+---
+name: Shellcheck test
+
+on:
+  push:
+    branches:
+      - '**'
+      - '!trunk'
+
+jobs:
+  shellcheck:
+    runs-on: ubuntu-latest
+
+    steps:
+      # Checkout repository
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.ref }}
+
+      - name: shellcheck
+        uses: ludeeus/action-shellcheck@master
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5c148df
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+# Ignore temporary OS files
+.DS_Store
+.DS_Store?
+.Spotlight-V100
+.Trashes
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..46b392a
--- /dev/null
+++ b/CHANGELOG.md
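Review bot: `git push origin :refs/tags/"${RELEASE_TAG_SHORT}"` fails when the `vX` tag does not yet exist on the remote, and because GitHub runs an explicit `shell: bash` step with `-eo pipefail`, the first release of each major version (including the `v1.0.0` this commit prepares) will abort before the `v1` tag is ever pushed; replace the delete-then-push pair with a single `git push -f origin "${RELEASE_TAG_SHORT}"`. The job declares no `permissions:` block although `contents: write` is all it needs. Since moving `v1` changes what every `uses: 10up/wp-scanner-action@v1` consumer executes, `actions/checkout@v3` deserves a commit-SHA pin here as much as in the build workflow.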
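Review bot: `uses: ludeeus/action-shellcheck@master` runs whatever is on that branch when the job starts, so a compromise of or breaking push to that repository lands directly in this CI; pin it to a release tag or, preferably, a commit SHA. The job has no `permissions:` block, and `contents: read` is all a lint job requires. `ref: ${{ github.ref }}` on a `push` trigger is already the default checkout and can be dropped.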
@@ -0,0 +1,9 @@ +# Changelog + +All notable changes to this project will be documented in this file, per [the Keep a Changelog standard](http://keepachangelog.com/). + +## [v1.0.0] - 2024-07-19 + +### Added + +- Initial action release \ No newline at end of file diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..9fd337e --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,76 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to making participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, sex characteristics, gender identity and expression, +level of experience, education, socio-economic status, nationality, personal +appearance, race, religion, or sexual identity and orientation. + +## Our Standards + +Examples of behavior that contributes to creating a positive environment +include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or + advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic + address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Our Responsibilities + +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective action in +response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful. 
+ +## Scope + +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team at opensource@10up.com. All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, +available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html + +[homepage]: https://www.contributor-covenant.org + +For answers to common questions about this code of conduct, see +https://www.contributor-covenant.org/faq \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..fbdcb98 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,23 @@ +# Contributing and Maintaining + +First, thank you for taking the time to contribute! + +The following is a set of guidelines for contributors as well as information and instructions around our maintenance process. The two are closely tied together in terms of how we all work together and set expectations, so while you may not need to know everything in here to submit an issue or pull request, it's best to keep them in the same document. + +## Ways to contribute + +Contributing isn't just writing code - it's anything that improves the project. All contributions are managed right here on GitHub. Here are some ways you can help: + +### Reporting bugs + +If you're running into an issue, please take a look through [existing issues](https://github.com/10up/wp-scanner-action/issues) and [open a new one](https://github.com/10up/wp-scanner-action/issues/new) if needed. If you're able, include steps to reproduce, environment information, and screenshots/screencasts as relevant. + +### Suggesting enhancements + +New features and enhancements are also managed via [issues](https://github.com/10up/wp-scanner-action/issues). + +### Pull requests + +Pull requests represent a proposed solution to a specified problem. They should always reference an issue that describes the problem and contains discussion about the problem itself. Discussion on pull requests should be limited to the pull request itself, i.e. code review. + +For more on how 10up writes and manages code, check out our [10up Engineering Best Practices](https://10up.github.io/Engineering-Best-Practices/). \ No newline at end of file diff --git a/CREDITS.md b/CREDITS.md new file mode 100644 index 0000000..6439e5e --- /dev/null +++ b/CREDITS.md 
@@ -0,0 +1,9 @@ +# Credits + +The following acknowledges the Maintainers for this repository, those who have Contributed to this repository (via bug reports, code, design, ideas, project management, translation, testing, etc.). + +## Maintainers + +The following individuals are responsible for curating the list of issues, responding to pull requests, and ensuring regular releases happen. + +[Douglas Barahona(@douz)](https://github.com/douz) \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..fe43582 --- /dev/null +++ b/README.md 
@@ -0,0 +1,112 @@ +# WordPress Scanner Action + +> Performs syntax checks, virus scanning and plugins and themes vulnerability checks for WordPress sites + +[![Support Level](https://img.shields.io/badge/support-active-green.svg)](#support-level) [![Release Version](https://img.shields.io/github/release/10up/wp-scanner-action.svg)](https://github.com/10up/wp-scanner-action/releases/latest) [![GPLv3 License](https://img.shields.io/badge/License-GPL%20v3-yellow.svg)](https://github.com/10up/wp-scanner-action/blob/trunk/LICENSE) [![Automated Tests](https://github.com/10up/wp-scanner-action/actions/workflows/test.yml/badge.svg)](https://github.com/10up/wp-scanner-action/actions/workflows/test.yml) + +This Github Action performs standard scanning for WordPress sites which includes PHP syntax checks, virus scanning and plugins and themes vulnerabilities scanning. + +# API Access + +This Action leverages our own [WP-CLI Vulnerability Scanner](https://github.com/10up/wpcli-vulnerability-scanner) to perform the known vulnerabilities scanning of WordPress plugins and themes. WP-CLI Vulnerability Scanner works with [WPScan](https://wpscan.com), [Patchstack](https://patchstack.com/) and [Wordfence Intelligence](https://www.wordfence.com/threat-intel/) to check reported vulnerabilities; you can choose any one of these three to use. +***Note**: Authentication is optional for the Wordfence Intelligence Vulnerability API.* + +# Inputs + +| Name | Required | Default | Description | +| --- | --- | --- | --- | +| `vuln_api_provider` | True | - | The vulnerability API provider for the WordPress plugins and themes scanning. Supported values: `wordfence`, `patchstack` and `wpscan` | +| `vuln_api_token` | False | - | The API token to authenticate against the vulnerability API provider. 
This input is optional if `vuln_api_provider` is set to `wordfence` | +| `disable_vuln_scan` | False | `false` | Disable the WordPress plugins and themes vulnerability scanner | +| `virus_scan_update` | False | `true` | Update the ClamAV definitions database before executing the virus scanner (recommended) | +| `disable_virus_scan` | False | `false` | Disable the ClamAV virus scanner | +| `phpsyntax_enable_debug` | False | `false` | The PHP syntax checks could generate a large output depending on the amount of PHP files in the repository, for this reason the output is suppresed by default. Set this input to `true` if you want to visualize the full output. Useful for troubleshooting in case the PHP syntax checks fails | +| `disable_phpsyntax_check` | False | `false` | Disable the PHP syntax checks | +| `content_dir` | False | `$GITHUB_WORKSPACE` | Location of the `wp-content` directory inside the repository. Set this input to `./` if you have a `wp-content` based repository | +| `wp_core_version` | False | `latest` | WordPress core version to use for the plugins and themes vulnerability scanner. Must match the version of your WordPress site for better results | +| `composer_build` | False | `false` | Install the Composer dependencies in your `composer.json` file before executing the WordPress plugins and themes vulnerability scanner. The `composer.json` file must exists in the repository's root directory. Set this input to `true` if you install plugins and themes via Composer in CI. ***Note: This won't affect your final deploy artifact*** | +| `no_fail` | False | `false` | Exits the scanner without failing even if any issues are found | + + +# Examples + +## Install Composer dependencies before scanning + +This example assumes that you have a `wp-content` based repository and uses [Patchstack](https://patchstack.com/) as the API provider. 
+ +```yaml +name: "PHP Syntax Check, virus scanning, and WP Plugins & Themes vulnerability scanning" + +on: + push: + branches: + - '**' + +jobs: + wp-scanner: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: WordPress Scanner + uses: 10up/wp-scanner-action@v1 + with: + vuln_api_provider: 'patchstack' + vuln_api_token: ${{ secrets.PATCHSTACK_TOKEN }} + content_dir: './' + wp_core_version: '6.5.5' + composer_build: 'true' +``` + +## Plugins and Themes under version control + +This example assumes that you have all plugins and themes under version control inside a directory named `wp-content` in the repository. + +```yaml +name: "PHP Syntax Check, virus scanning, and WP Plugins & Themes vulnerability scanning" + +on: + push: + branches: + - '**' + +jobs: + wp-scanner: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: WordPress Scanner + uses: 10up/wp-scanner-action@v1 + with: + vuln_api_provider: 'patchstack' + vuln_api_token: ${{ secrets.PATCHSTACK_TOKEN }} + content_dir: './wp-content' + wp_core_version: '6.5.5' +``` + +# Support Level + +**Active:** 10up is actively working on this, and we expect to continue work for the foreseeable. Bug reports, feature requests, questions, and pull requests are welcome. + +# Changelog + +A complete listing of all notable changes to this Github Action are documented in [CHANGELOG.md](https://github.com/10up/wp-scanner-action/blob/trunk/CHANGELOG.md). 
+ +# Contributing + +Please read [CODE_OF_CONDUCT.md](https://github.com/10up/wp-scanner-action/blob/trunk/CODE_OF_CONDUCT.md) for details on our code of conduct, [CONTRIBUTING.md](https://github.com/10up/wp-scanner-action/blob/trunk/CONTRIBUTING.md) for details on the process for submitting pull requests to us, and [CREDITS.md](https://github.com/10up/wp-scanner-action/blob/trunk/CREDITS.md) for a listing of maintainers and contributors. + +# Like what you see? + +

+ +

\ No newline at end of file
diff --git a/action.yml b/action.yml
new file mode 100644
index 0000000..a3510d7
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,51 @@
+---
+name: 'WordPress Scanner Action'
+description: 'Scan WordPress sites for plugins and themes vulnerabilities, PHP syntax and viruses'
+author: 10up
+branding:
+  icon: 'shield'
+  color: 'blue'
+inputs:
+  vuln_api_provider:
+    description: 'Vulnerability API provider'
+    required: true
+  vuln_api_token:
+    description: 'Token to authenticate with the vulnerability API provider'
+    required: false
+  disable_vuln_scan:
+    description: 'Disable the Plugin and Themes scanner'
+    required: false
+    default: 'false'
+  virus_scan_update:
+    description: 'Update the ClamAV definitions database before executing the virus scan'
+    required: false
+    default: 'true'
+  disable_virus_scan:
+    description: 'Disable the virus scanner'
+    required: false
+    default: 'false'
+  phpsyntax_enable_debug:
+    description: 'Enable PHP syntax debug output'
+    required: false
+    default: 'false'
+  disable_phpsyntax_check:
+    description: 'Disable the PHP syntax check'
+    required: false
+    default: 'false'
+  content_dir:
+    description: 'Location of the wp-content directory inside the repository'
+    required: false
+  wp_core_version:
+    description: 'WordPress Core version to use for the vulnerability scans'
+    required: false
+  composer_build:
+    description: 'Run composer install before scanning'
+    required: false
+    default: 'false'
+  no_fail:
+    description: 'Exit without failing even if any issues are found'
+    required: false
+    default: 'false'
+runs:
+  using: 'docker'
+  image: 'docker://ghcr.io/10up//wp-scanner-action:latest'
\ No newline at end of file
diff --git a/image/.dockerignore b/image/.dockerignore
new file mode 100644
index 0000000..1d1fe94
--- /dev/null
+++ b/image/.dockerignore
@@ -0,0 +1 @@
+Dockerfile
\ No newline at end of file
diff --git a/image/Dockerfile b/image/Dockerfile
new file mode 100644
index 0000000..64d4f93
--- /dev/null
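Review bot: `image: 'docker://ghcr.io/10up//wp-scanner-action:latest'` contains a doubled slash, so the reference does not match the `ghcr.io/${{ github.repository }}` name the build workflow publishes and will most likely fail to pull. Even with the path fixed, binding the action to the mutable `:latest` tag means `uses: 10up/wp-scanner-action@v1` executes whatever image was pushed most recently rather than the code at the `v1` tag, and a replaced image is undetectable to consumers; pin to the version tag the build workflow also emits (`:1.0.0`) or to an image digest (`@sha256:…`) and bump it as part of each release. Note also that `disable_vuln_scan` is declared here while the entrypoint tests `INPUT_DISABLE_WP_VULN_SCAN`, so as written this input has no effect.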
+++ b/image/Dockerfile 
@@ -0,0 +1,70 @@
+FROM debian:stable-slim
+
+ARG PHP_VERSION=8.2
+
+LABEL "com.github.actions.name"="WordPress Scanner Action"
+LABEL "com.github.actions.description"="Scan WordPress sites for plugins and themes vulnerabilities, PHP syntax and viruses"
+LABEL "com.github.actions.icon"="shield"
+LABEL "com.github.actions.color"="blue"
+
+LABEL maintainer="10upbot <10upbot+github@10up.com>"
+LABEL version="1.0.0"
+LABEL repository="https://github.com/10up/wp-scanner-action"
+
+RUN apt-get update \
+  && apt-get install -y curl \
+    apt-transport-https \
+    ca-certificates \
+    clamav \
+    clamav-freshclam \
+    git \
+    jq \
+    lsb-release \
+    mariadb-server \
+    rsync \
+    subversion \
+    unzip \
+    wget \
+  && apt-get clean -y \
+  && rm -rf /var/lib/apt/lists/*
+
+# Install PHP
+RUN wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg \
+  && echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list \
+  && apt update \
+  && apt install -y \
+    php${PHP_VERSION} \
+    php${PHP_VERSION}-bcmath \
+    php${PHP_VERSION}-bz2 \
+    php${PHP_VERSION}-cli \
+    php${PHP_VERSION}-curl \
+    php${PHP_VERSION}-gd \
+    php${PHP_VERSION}-imagick \
+    php${PHP_VERSION}-intl \
+    php${PHP_VERSION}-mbstring \
+    php${PHP_VERSION}-memcache \
+    php${PHP_VERSION}-memcached \
+    php${PHP_VERSION}-mysql \
+    php${PHP_VERSION}-opcache \
+    php${PHP_VERSION}-redis \
+    php${PHP_VERSION}-soap \
+    php${PHP_VERSION}-xml \
+    php${PHP_VERSION}-xmlrpc \
+    php${PHP_VERSION}-zip \
+  && apt-get clean -y \
+  && rm -rf /var/lib/apt/lists/*
+
+# Install WPCLI
+RUN curl -o /usr/local/bin/wp https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar && \
+  chmod +x /usr/local/bin/wp
+
+# Install Composer
+RUN curl -o /usr/local/bin/composer https://getcomposer.org/composer-2.phar && \
+  chmod +x /usr/local/bin/composer
+
+## Update clamav definitions ##
+RUN /usr/bin/freshclam
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
\ No newline at end of file
diff --git a/image/entrypoint.sh b/image/entrypoint.sh
new file mode 100755
index 0000000..799ffa1
--- /dev/null
+++ b/image/entrypoint.sh
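Review bot: The `wp` and `composer` executables are fetched with `curl -o` and no `-f`, no version pin and no checksum, so a 404 page or a tampered download silently becomes an executable on `PATH` (the `gh-pages` wp-cli build is a moving target); use `curl -fsSL`, fetch a specific release, and verify the published hash (`wp-cli.phar.sha512` for wp-cli, `composer-2.phar.sha256sum` for Composer) before `chmod +x`. The sury signing key is written straight into `/etc/apt/trusted.gpg.d/`, which makes it trusted for every apt source; store it under `/usr/share/keyrings/` and reference it with `[signed-by=…]` in `php.list` so it can only vouch for that repository. `debian:stable-slim` is a floating base tag, and combined with the baked-in `RUN /usr/bin/freshclam` it makes rebuilds non-reproducible and ships definitions only as fresh as the last image build; pin the base by digest and add a comment that the entrypoint's `virus_scan_update` is what keeps ClamAV current at run time. The image runs everything as root, which is typical for Docker actions but worth a comment given the entrypoint runs `composer install` and `php -l` over repository content.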
@@ -0,0 +1,167 @@
+#!/bin/bash
+
+set -o pipefail
+
+# Define shell colors
+SHELL_END="\033[0m"
+SHELL_RED="\033[0;31m"
+SHELL_GREEN="\033[0;32m"
+# Set wp-content directory location
+WP_CONTENT_DIR="${INPUT_CONTENT_DIR:-$GITHUB_WORKSPACE}"
+# Set PHP syntax check variables
+OUTPUT_REDIRECT="1>/dev/null"
+FAILED_MESSAGE_POSTFIX=""
+# Set WordPress core version
+WORDPRESS_VERSION=${INPUT_WP_CORE_VERSION:-$(curl -s "https://api.wordpress.org/core/version-check/1.7/" | jq -r '[.offers[]|select(.response=="upgrade")][0].version')}
+
+# Function to print red text
+function shell_red {
+  echo -e "${SHELL_RED}${1}${SHELL_END}"
+}
+
+# Function to print green text
+function shell_green {
+  echo -e "${SHELL_GREEN}${1}${SHELL_END}"
+}
+
+# Function to perform PHP syntax check
+function php_syntax_check {
+  [ "${INPUT_PHPSYNTAX_ENABLE_DEBUG}" = "true" ] && OUTPUT_REDIRECT="" && FAILED_MESSAGE_POSTFIX=" - set the phpsyntax_enable_debug input to true and re-run the scanner to find out all errors"
+  shell_green "##### Starting PHP syntax check #####"
+
+  # The -P10 option specifies the number of parallel processes (In constrainted CPUs will take approx time for 1 available cpu)
+  if ! find "${WP_CONTENT_DIR}" -type f -name '*.php' -not -path '*/vendor/*' -print0 | xargs -0 -P10 -I {} bash -c "php -l {} ${OUTPUT_REDIRECT}"; then
+    shell_red "The PHP syntax check finished with errors${FAILED_MESSAGE_POSTFIX}"
+    # If no_fail input is set to true, exit without failure even if there are errors
+    if [ "${INPUT_NO_FAIL}" = "true" ]; then
+      return 0
+    else
+      return 1
+    fi
+  else
+    shell_green "The PHP syntax check finished without errors"
+  fi
+}
+
+# Function to perform virus scan
+function virus_scan {
+  if [ "${INPUT_VIRUS_SCAN_UPDATE}" = "true" ]; then
+    shell_green "Updating ClamAV definitions database"
+    freshclam --verbose
+  fi
+
+  shell_green "##### Starting virus scan #####"
+  if ! clamscan --exclude-dir ./.composer-cache --exclude-dir ./node_modules_cache -riz "${WP_CONTENT_DIR}"; then
+    shell_red "**** INFECTED FILE(S) FOUND!!! **** PLEASE SEE REPORT ABOVE ****"
+    # If no_fail input is set to true, exit without failure even if there are errors
+    if [ "${INPUT_NO_FAIL}" = "true" ]; then
+      return 0
+    else
+      return 1
+    fi
+  else
+    shell_green "Clean - No infected files found"
+  fi
+}
+
+# Function to setup MariaDB
+function setup_mariadb {
+  echo "Setting up MariaDB"
+
+  # Start MariaDB
+  /etc/init.d/mariadb start
+
+  # Set a password for the root user
+  mysqladmin -u root password password
+
+  # Create WordPress database
+  mysql -u root -e "CREATE DATABASE wordpress;"
+}
+
+# Function to install and configure WordPress
+function setup_wordpress {
+  echo "Setting up WordPress"
+
+  # Install composer dependencies
+  if [ "${INPUT_COMPOSER_BUILD}" = "true" ]; then
+    shell_green "Installing composer dependencies"
+    composer install --no-dev
+  fi
+
+  # Download WordPress core
+  curl -O https://wordpress.org/wordpress-"${WORDPRESS_VERSION}".tar.gz
+  tar -xzf wordpress-"${WORDPRESS_VERSION}".tar.gz
+  rm -rf wordpress-"${WORDPRESS_VERSION}".tar.gz
+  rm -rf ./wordpress/wp-content/*
+  rsync -raxc "${WP_CONTENT_DIR}" ./wordpress/wp-content/ --exclude=wordpress \
+    --exclude=wp-config.php \
+    --exclude=.git* \
+    --exclude=db.php \
+    --exclude=object-cache.php \
+    --exclude=advanced-cache.php
+
+  # Install WordPress
+  pushd wordpress || exit 1
+  wp --allow-root config create --dbname=wordpress --dbuser=root --dbpass=password --dbhost=127.0.0.1
+  wp --allow-root core install --url=10upvulnerabilitytest.net --title='WordPress Vulnerability Test' --admin_user=admin --admin_password=password --admin_email=10upvulnerabilitytest@example.net --skip-email
+  popd || exit 1
+}
+
+# function to execute WordPress vulnerability scan
+function wp_vuln_scan {
+  # Check if the vuln_api_token is present for wpscan and patchstack providers
+  if [ "${INPUT_VULN_API_PROVIDER}" != 'wordfence' ] && [ -z "${INPUT_VULN_API_TOKEN}" ]; then
+    shell_red "vuln_api_token input is required for ${INPUT_VULN_API_PROVIDER} provider. Please provide the token and re-run the scanner"
+    exit 1
+  fi
+
+  echo "Setting up WordPress vulnerability scan"
+
+  # Install and configure wpcli-vulnerability-scanner package
+  wp --allow-root package install 10up/wpcli-vulnerability-scanner:dev-trunk
+  pushd wordpress || exit 1
+  wp --allow-root config set VULN_API_PROVIDER "${INPUT_VULN_API_PROVIDER}"
+  wp --allow-root config set VULN_API_TOKEN "${INPUT_VULN_API_TOKEN}"
+
+  # Run WordPress themes vulnerability scan
+  shell_green "##### Starting WordPress Themes vulnerability scan #####"
+  THEMES_SCAN_OUTPUT=$(wp --allow-root vuln theme-status | grep -v 'Vulnerability API Provider' | grep -v 'status' | grep -v 'No vulnerabilities reported for this version of')
+  if [ -z "${THEMES_SCAN_OUTPUT}" ]; then
+    shell_green "No theme vulnerabilities found"
+  else
+    wp --allow-root vuln theme-status --reference --format=yaml
+    shell_red "**** THEME VULNERABILITIES FOUND!!! **** PLEASE SEE REPORT ABOVE ****"
+    # If no_fail input is set to true, exit without failure even if there are errors
+    if [ "${INPUT_NO_FAIL}" = "true" ]; then
+      return 0
+    else
+      return 1
+    fi
+  fi
+
+  # Run WordPress Plugins vulnerability scan
+  shell_green "##### Starting WordPress Plugins vulnerability scan #####"
+  PLUGINS_SCAN_OUTPUT=$(wp --allow-root vuln plugin-status | grep -v 'Vulnerability API Provider' | grep -v 'status' | grep -v 'No vulnerabilities reported for this version of')
+  if [ -z "${PLUGINS_SCAN_OUTPUT}" ]; then
+    shell_green "No plugin vulnerabilities found"
+  else
+    wp --allow-root vuln plugin-status --reference --format=yaml
+    shell_red "**** PLUGIN VULNERABILITIES FOUND!!! **** PLEASE SEE REPORT ABOVE ****"
+    # If no_fail input is set to true, exit without failure even if there are errors
+    if [ "${INPUT_NO_FAIL}" = "true" ]; then
+      return 0
+    else
+      return 1
+    fi
+  fi
+  popd || exit 1
+}
+
+# Execute PHP syntax check if not disabled
+[ "${INPUT_DISABLE_PHPSYNTAX_CHECK}" != "true" ] && php_syntax_check
+
+# Execute virus scan if not disabled
+[ "${INPUT_DISABLE_VIRUS_SCAN}" != "true" ] && virus_scan
+
+# Execute WordPress vulnerability scan if not disabled
+[ "${INPUT_DISABLE_WP_VULN_SCAN}" != "true" ] && setup_mariadb && setup_wordpress && wp_vuln_scan
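Review bot: Findings from `php_syntax_check` and `virus_scan` never fail the action: there is no `set -e`, the three `[ … ] && fn` lines at the bottom discard each function's return code, and the script's exit status is only that of the final `wp_vuln_scan` chain (which also yields exit 1 whenever that scan is disabled, because the `[ … != "true" ]` test itself fails and short-circuits the line); collect the statuses and `exit` with the aggregate as sketched below. That last line reads `INPUT_DISABLE_WP_VULN_SCAN` while `action.yml` declares the input as `disable_vuln_scan` (`INPUT_DISABLE_VULN_SCAN`), so the scan can never be switched off. In `php_syntax_check`, interpolating file names into `bash -c "php -l {} ${OUTPUT_REDIRECT}"` lets a plugin or theme file whose name contains shell metacharacters run arbitrary commands in the runner and breaks on spaces; use `xargs -0 -P10 -n1 php -l` with the redirect applied to the pipeline instead, and note that `FAILED_MESSAGE_POSTFIX` is set when debug is already `true` rather than when it is off. In `wp_vuln_scan` the `$(wp … | grep -v …)` captures ignore the command's exit status, so an API or token error yields empty output and is reported as "No … vulnerabilities found", and a theme finding returns before the plugin scan (and `popd`) ever run. `wp config set VULN_API_TOKEN` writes the secret into `wp-config.php` under `$GITHUB_WORKSPACE`, where later steps can pick it up, and appears to echo the value in its success line, while `package install …:dev-trunk` pulls an unpinned branch at run time; keep the generated `wordpress/` tree outside the workspace (or remove it on exit) and pin the scanner package to a release.
```shell
# … unchanged: helper functions …

STATUS=0

# Execute PHP syntax check if not disabled
if [ "${INPUT_DISABLE_PHPSYNTAX_CHECK}" != "true" ]; then
  php_syntax_check || STATUS=1
fi

# Execute virus scan if not disabled
if [ "${INPUT_DISABLE_VIRUS_SCAN}" != "true" ]; then
  virus_scan || STATUS=1
fi

# Execute WordPress vulnerability scan if not disabled (input is declared as disable_vuln_scan in action.yml)
if [ "${INPUT_DISABLE_VULN_SCAN}" != "true" ]; then
  { setup_mariadb && setup_wordpress && wp_vuln_scan; } || STATUS=1
fi

exit "${STATUS}"
```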