From 05da6da8124cdc3daff051de2184d5133e209283 Mon Sep 17 00:00:00 2001 From: Douglas Barahona Date: Thu, 10 Oct 2024 18:43:12 -0600 Subject: [PATCH 1/2] Remove verbosity from freshclam DB update command Force trailing slash for WP_CONTENT_DIR variable Ensure wp-config.php file is deleted from wordpress dir in setup_wordpress function Separate vuln scanner into 2 functions, themes and plugins Separate vuln scanner setup into its own function Use --porcelain flag in vuln WPCLI command to avoid using grep Set the vuln_api_provider as not required and set its default value to wordfence Documentation updates --- README.md | 4 ++-- action.yml | 3 ++- image/Dockerfile | 2 +- image/entrypoint.sh | 27 ++++++++++++++++++--------- 4 files changed, 23 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index 2ebaa34..0b3d8c9 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ This Action leverages our own [WP-CLI Vulnerability Scanner](https://github.com/ | Name | Required | Default | Description | | --- | --- | --- | --- | -| `vuln_api_provider` | True | - | The vulnerability API provider for the WordPress plugins and themes scanning. Supported values: `wordfence`, `patchstack` and `wpscan` | +| `vuln_api_provider` | False | `wordfence` | The vulnerability API provider for the WordPress plugins and themes scanning. Supported values: `wordfence`, `patchstack` and `wpscan` | | `vuln_api_token` | False | - | The API token to authenticate against the vulnerability API provider. This input is optional if `vuln_api_provider` is set to `wordfence` | | `disable_vuln_scan` | False | `false` | Disable the WordPress plugins and themes vulnerability scanner | | `virus_scan_update` | False | `true` | Update the ClamAV definitions database before executing the virus scanner (recommended) | 
@@ -30,7 +30,7 @@ This Action leverages our own [WP-CLI Vulnerability Scanner](https://github.com/ # Examples -## Install Composer dependencies before scanning +## Basic example with Composer dependencies This example assumes that you have a `wp-content` based repository and uses [Patchstack](https://patchstack.com/) as the API provider. diff --git a/action.yml b/action.yml index 40ff587..514a01e 100644 --- a/action.yml +++ b/action.yml @@ -8,7 +8,8 @@ branding: inputs: vuln_api_provider: description: 'Vulnerability API provider' - required: true + required: false + default: 'wordfence' vuln_api_token: description: 'Token to authenticate with the vulnerability API provider' required: false diff --git a/image/Dockerfile b/image/Dockerfile index 64d4f93..7678360 100644 --- a/image/Dockerfile +++ b/image/Dockerfile @@ -8,7 +8,7 @@ LABEL "com.github.actions.icon"="shield" LABEL "com.github.actions.color"="blue" LABEL maintainer="10upbot <10upbot+github@10up.com>" -LABEL version="1.0.0" +LABEL version="v1.0.1" LABEL repository="https://github.com/10up/wp-scanner-action" RUN apt-get update \ diff --git a/image/entrypoint.sh b/image/entrypoint.sh index 799ffa1..17f5f95 100755 --- a/image/entrypoint.sh +++ b/image/entrypoint.sh @@ -8,6 +8,10 @@ SHELL_RED="\033[0;31m" SHELL_GREEN="\033[0;32m" # Set wp-content directory location WP_CONTENT_DIR="${INPUT_CONTENT_DIR:-$GITHUB_WORKSPACE}" +# if WP_CONTENT_DIR is set to "/" then set it to "./" to avord referencing root directory +[ "${WP_CONTENT_DIR}" = "/" ] && WP_CONTENT_DIR="./" +# Ensure WP_CONTENT_DIR ends with a slash +[[ "${WP_CONTENT_DIR}" != */ ]] && WP_CONTENT_DIR="${WP_CONTENT_DIR}/" # Set PHP syntax check variables OUTPUT_REDIRECT="1>/dev/null" FAILED_MESSAGE_POSTFIX="" @@ -47,7 +51,7 @@ function php_syntax_check { function virus_scan { if [ "${INPUT_VIRUS_SCAN_UPDATE}" = "true" ]; then shell_green "Updating ClamAV definitions database" - freshclam --verbose + freshclam fi shell_green "##### Starting virus scan #####" 
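Review bot: With `required: false` and `default: 'wordfence'`, the provider is now chosen silently, but the input description still does not say which values are accepted, so a user who types an unsupported name gets no hint from the action definition itself; the README row in this same patch lists them. Consider `description: 'Vulnerability API provider: wordfence, patchstack or wpscan'` so the two stay in step.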
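Review bot: The two new guards run in the wrong order for the empty case: if neither `INPUT_CONTENT_DIR` nor `GITHUB_WORKSPACE` is set (e.g. when the script is run outside GitHub Actions), `WP_CONTENT_DIR` is `""`, the `"/"` test does not match, and the trailing-slash line then turns it into `/`, which is exactly the root reference the first line tries to avoid. Swapping the two lines (append the slash first, then map `/` to `./`), or adding `[ -z "${WP_CONTENT_DIR}" ] && WP_CONTENT_DIR="./"` ahead of them, closes that gap. The `[[ "${WP_CONTENT_DIR}" != */ ]]` pattern match is bash-only; the shebang is outside the hunk, so confirm the script is not executed under `sh`. The comment on the first added line also has a typo: `avord` should read `avoid`.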
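Review bot: The exit status of `freshclam` is still unchecked on the new line, and with `--verbose` gone a failed definitions update (for example no network access from the runner) leaves almost no trace in the log before the scan proceeds on whatever database the image shipped with. Either fail the step or at least surface it, e.g. `freshclam || shell_red "ClamAV definitions update failed; scanning with the existing database"`. `virus_scan` continues past the end of the hunk, so if a later line already inspects the status this can be ignored.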
@@ -102,13 +106,14 @@ function setup_wordpress { # Install WordPress pushd wordpress || exit 1 + rm -f wp-config.php wp --allow-root config create --dbname=wordpress --dbuser=root --dbpass=password --dbhost=127.0.0.1 wp --allow-root core install --url=10upvulnerabilitytest.net --title='WordPress Vulnerability Test' --admin_user=admin --admin_password=password --admin_email=10upvulnerabilitytest@example.net --skip-email popd || exit 1 } -# function to execute WordPress vulnerability scan -function wp_vuln_scan { +# Function to setup WPCLI vulnerability scanner +function setup_wpcli_vuln_scanner { # Check if the vuln_api_token is present for wpscan and patchstack providers if [ "${INPUT_VULN_API_PROVIDER}" != 'wordfence' ] && [ -z "${INPUT_VULN_API_TOKEN}" ]; then shell_red "vuln_api_token input is required for ${INPUT_VULN_API_PROVIDER} provider. Please provide the token and re-run the scanner" @@ -122,10 +127,13 @@ function wp_vuln_scan { pushd wordpress || exit 1 wp --allow-root config set VULN_API_PROVIDER "${INPUT_VULN_API_PROVIDER}" wp --allow-root config set VULN_API_TOKEN "${INPUT_VULN_API_TOKEN}" + popd || exit 1 +} - # Run WordPress themes vulnerability scan +# Function to execute WordPress themes vulnerability scan +function wp_themes_vuln_scan { shell_green "##### Starting WordPress Themes vulnerability scan #####" - THEMES_SCAN_OUTPUT=$(wp --allow-root vuln theme-status | grep -v 'Vulnerability API Provider' | grep -v 'status' | grep -v 'No vulnerabilities reported for this version of') + THEMES_SCAN_OUTPUT=$(wp --allow-root --path=wordpress/ vuln theme-status --porcelain) if [ -z "${THEMES_SCAN_OUTPUT}" ]; then shell_green "No theme vulnerabilities found" else 
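Review bot: `setup_wpcli_vuln_scanner` only checks that a token is present for non-`wordfence` providers; the provider name itself is never validated, so a misspelt value passes this check, is written into wp-config.php by the `config set` call in the next hunk, and only fails later inside the scanner with a less direct message. A guard before the token check, such as `case "${INPUT_VULN_API_PROVIDER}" in wordfence|patchstack|wpscan) ;; *) shell_red "Unsupported vuln_api_provider: ${INPUT_VULN_API_PROVIDER}"; exit 1 ;; esac`, keeps the error next to the input (use the same failure path the token check takes; that branch is cut off at the end of the hunk). The added `rm -f wp-config.php` in `setup_wordpress` could instead be `wp config create --force`, which overwrites an existing file; and since that file will later hold `VULN_API_TOKEN`, consider deleting it again once the scans finish if `wordpress/` lives inside the checked-out workspace.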
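Review bot: The empty-output test on the new `THEMES_SCAN_OUTPUT` line treats a failed `wp` invocation the same as a clean result: if the command exits non-zero (API authentication or network error) it normally prints nothing on stdout, so the function logs "No theme vulnerabilities found" and falls through as a pass. Capture the status as well, `THEMES_SCAN_OUTPUT=$(wp --allow-root --path=wordpress/ vuln theme-status --porcelain) || { shell_red "Theme vulnerability scan failed"; return 1; }`; the same applies to the `PLUGINS_SCAN_OUTPUT` line in the next hunk. The line also assumes `--porcelain` prints nothing when there are no findings, which deserves a one-line comment now that the old `grep -v` filters are gone. `--path=wordpress/` is relative to the caller's working directory, like the `pushd wordpress` in the setup functions; that cwd is not visible here. The body of `wp_themes_vuln_scan` continues past the hunk.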
@@ -138,10 +146,12 @@ function wp_vuln_scan { return 1 fi fi +} - # Run WordPress Plugins vulnerability scan +# Function to execute WordPress plugins vulnerability scan +function wp_plugins_vuln_scan { shell_green "##### Starting WordPress Plugins vulnerability scan #####" - PLUGINS_SCAN_OUTPUT=$(wp --allow-root vuln plugin-status | grep -v 'Vulnerability API Provider' | grep -v 'status' | grep -v 'No vulnerabilities reported for this version of') + PLUGINS_SCAN_OUTPUT=$(wp --allow-root --path=wordpress/ vuln plugin-status --porcelain) if [ -z "${PLUGINS_SCAN_OUTPUT}" ]; then shell_green "No plugin vulnerabilities found" else @@ -154,7 +164,6 @@ function wp_vuln_scan { return 1 fi fi - popd || exit 1 } # Execute PHP syntax check if not disabled @@ -164,4 +173,4 @@ function wp_vuln_scan { [ "${INPUT_DISABLE_VIRUS_SCAN}" != "true" ] && virus_scan # Execute WordPress vulnerability scan if not disabled -[ "${INPUT_DISABLE_WP_VULN_SCAN}" != "true" ] && setup_mariadb && setup_wordpress && wp_vuln_scan +[ "${INPUT_DISABLE_WP_VULN_SCAN}" != "true" ] && setup_mariadb && setup_wordpress && setup_wpcli_vuln_scanner && wp_themes_vuln_scan && wp_plugins_vuln_scan From fab97c6fc6ab89edfb3583215df355cf7a1b03ca Mon Sep 17 00:00:00 2001 From: Douglas Barahona Date: Thu, 10 Oct 2024 18:54:16 -0600 Subject: [PATCH 2/2] Changelog updates --- CHANGELOG.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 46b392a..f5ba80f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
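Review bot: Chaining the scans with `&&` on the new last line means a non-zero return from `wp_themes_vuln_scan` (its `return 1` branch is visible in the preceding hunks) skips `wp_plugins_vuln_scan` entirely, so a repository with one vulnerable theme never hears about its vulnerable plugins until the theme is fixed. This also appears to be the final line of the script (the hunk shows no trailing context), so the script's exit status is the status of this list, which is 1 whenever `INPUT_DISABLE_WP_VULN_SCAN` is `true` because the `[ ... ]` test itself fails. Running both scans after setup and combining their results, as below, avoids both problems; `set -e`, if enabled earlier in the file, does not help here since it is suppressed inside `&&` lists.
```shell
# Execute WordPress vulnerability scan if not disabled
if [ "${INPUT_DISABLE_WP_VULN_SCAN}" != "true" ]; then
    setup_mariadb && setup_wordpress && setup_wpcli_vuln_scanner || exit 1
    VULN_SCAN_STATUS=0
    wp_themes_vuln_scan || VULN_SCAN_STATUS=1
    wp_plugins_vuln_scan || VULN_SCAN_STATUS=1
    exit "${VULN_SCAN_STATUS}"
fi
```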
@@ -2,6 +2,18 @@ All notable changes to this project will be documented in this file, per [the Keep a Changelog standard](http://keepachangelog.com/). +## [v1.0.1] - 2024-10-10 + +### Updated + +- Removed verbosity from `freshclam` DB update command +- Force trailing slash for `WP_CONTENT_DIR` variable +- Ensure `wp-config.php` file is deleted from `wordpress` dir in `setup_wordpress` function +- Separate vuln scanner into 2 functions, themes and plugins +- Separate vuln scanner setup into its own function +- Use `--porcelain` flag in vuln WPCLI command to avoid using `grep` +- Set the `vuln_api_provider` as not required and set its default value to `wordfence` + ## [v1.0.0] - 2024-07-19 ### Added