Fix/bug fixes #5

Merged
merged 2 commits into from
Oct 11, 2024
12 changes: 12 additions & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,18 @@

All notable changes to this project will be documented in this file, per [the Keep a Changelog standard](http://keepachangelog.com/).

## [v1.0.1] - 2024-10-10

### Updated

- Removed verbosity from `freshclam` DB update command
- Force trailing slash for `WP_CONTENT_DIR` variable
- Ensure `wp-config.php` file is deleted from `wordpress` dir in `setup_wordpress` function
- Separate vuln scanner into 2 functions, themes and plugins
- Separate vuln scanner setup into its own function
- Use `--porcelain` flag in vuln WPCLI command to avoid using `grep`
- Set the `vuln_api_provider` as not required and set its default value to `wordfence`

## [v1.0.0] - 2024-07-19

### Added
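Review bot: the new `### Updated` heading under `[v1.0.1]` is not one of the section names the Keep a Changelog standard cited a few lines above defines (Added, Changed, Deprecated, Removed, Fixed, Security). Most of these entries are bug fixes (the `wp-config.php` deletion, the forced trailing slash on `WP_CONTENT_DIR`) and belong under `### Fixed`; the input-default change and the `--porcelain` refactor fit `### Changed`. Splitting them that way also surfaces the one behavioural change users need to find: `vuln_api_provider` was required and is now optional with a `wordfence` default. The release date `2024-10-10` also predates the merge date shown on this page (Oct 11, 2024); worth confirming which date the tag carries.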
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -15,7 +15,7 @@ This Action leverages our own [WP-CLI Vulnerability Scanner](https://github.com/

| Name | Required | Default | Description |
| --- | --- | --- | --- |
| `vuln_api_provider` | True | - | The vulnerability API provider for the WordPress plugins and themes scanning. Supported values: `wordfence`, `patchstack` and `wpscan` |
| `vuln_api_provider` | False | `wordfence` | The vulnerability API provider for the WordPress plugins and themes scanning. Supported values: `wordfence`, `patchstack` and `wpscan` |
| `vuln_api_token` | False | - | The API token to authenticate against the vulnerability API provider. This input is optional if `vuln_api_provider` is set to `wordfence` |
| `disable_vuln_scan` | False | `false` | Disable the WordPress plugins and themes vulnerability scanner |
| `virus_scan_update` | False | `true` | Update the ClamAV definitions database before executing the virus scanner (recommended) |
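Review bot: with `vuln_api_provider` now defaulting to `wordfence`, a workflow that passes a `vuln_api_token` issued by Patchstack or WPScan but omits the provider input no longer fails fast; it runs against Wordfence with an unrelated token placed in `VULN_API_TOKEN`. The `vuln_api_token` row should state that the token must match the selected provider and that omitting `vuln_api_provider` selects `wordfence`, so the mismatch is caught when reading the docs rather than from scan output.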
Expand All @@ -30,7 +30,7 @@ This Action leverages our own [WP-CLI Vulnerability Scanner](https://github.com/

# Examples

## Install Composer dependencies before scanning
## Basic example with Composer dependencies

This example assumes that you have a `wp-content` based repository and uses [Patchstack](https://patchstack.com/) as the API provider.
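Review bot: the heading `## Basic example with Composer dependencies` now sits above text that says the example uses Patchstack, which per the inputs table requires a `vuln_api_token`. Since `wordfence` is now the default and needs no token, the genuinely basic example is the one with no provider and no token; either keep the old heading's wording about Composer, or add a token-free example and present the Patchstack one as a second example.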

3 changes: 2 additions & 1 deletion action.yml
Expand Up @@ -8,7 +8,8 @@ branding:
inputs:
vuln_api_provider:
description: 'Vulnerability API provider'
required: true
required: false
default: 'wordfence'
vuln_api_token:
description: 'Token to authenticate with the vulnerability API provider'
required: false
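Review bot: `description: 'Vulnerability API provider'` does not list the accepted values (`wordfence`, `patchstack`, `wpscan` per the README), and nothing in `action.yml` validates the value. Now that the input is no longer required, a misspelled provider is the easiest mistake to make; put the supported values in the description and note that `vuln_api_token` is required for the non-`wordfence` ones, mirroring the README table.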
2 changes: 1 addition & 1 deletion image/Dockerfile
Expand Up @@ -8,7 +8,7 @@ LABEL "com.github.actions.icon"="shield"
LABEL "com.github.actions.color"="blue"

LABEL maintainer="10upbot <[email protected]>"
LABEL version="1.0.0"
LABEL version="v1.0.1"
LABEL repository="https://github.com/10up/wp-scanner-action"

RUN apt-get update \
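Review bot: `LABEL version="v1.0.1"` adds a `v` prefix that `LABEL version="1.0.0"` did not have, so this is a format change as well as a version bump; anything that reads the label (image scanners, release checks comparing it against `CHANGELOG.md`) will see a different shape. Pick one form, and consider supplying it through an `ARG` at build time so the label cannot drift from the git tag and the changelog.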
27 changes: 18 additions & 9 deletions image/entrypoint.sh
Expand Up @@ -8,6 +8,10 @@ SHELL_RED="\033[0;31m"
SHELL_GREEN="\033[0;32m"
# Set wp-content directory location
WP_CONTENT_DIR="${INPUT_CONTENT_DIR:-$GITHUB_WORKSPACE}"
# if WP_CONTENT_DIR is set to "/" then set it to "./" to avord referencing root directory
[ "${WP_CONTENT_DIR}" = "/" ] && WP_CONTENT_DIR="./"
# Ensure WP_CONTENT_DIR ends with a slash
[[ "${WP_CONTENT_DIR}" != */ ]] && WP_CONTENT_DIR="${WP_CONTENT_DIR}/"
# Set PHP syntax check variables
OUTPUT_REDIRECT="1>/dev/null"
FAILED_MESSAGE_POSTFIX=""
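Review bot: in the comment `to avord referencing root directory`, `avord` should be `avoid`. More substantively, the `/` guard rewrites the path to `./`, which is relative to wherever the entrypoint happens to be running rather than to the checkout; since `${INPUT_CONTENT_DIR:-$GITHUB_WORKSPACE}` already falls back to the workspace for an empty input, the safer rewrite for `/` is `WP_CONTENT_DIR="${GITHUB_WORKSPACE}/"`. Also note that the `[[ "${WP_CONTENT_DIR}" != */ ]]` pattern test needs bash, so the shebang must not be `/bin/sh`.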
Expand Down Expand Up @@ -47,7 +51,7 @@ function php_syntax_check {
function virus_scan {
if [ "${INPUT_VIRUS_SCAN_UPDATE}" = "true" ]; then
shell_green "Updating ClamAV definitions database"
freshclam --verbose
freshclam
fi

shell_green "##### Starting virus scan #####"
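Review bot: `freshclam`, where `--verbose` was dropped, still has its exit status ignored: if the definitions download fails (no network, mirror rate limit, outdated freshclam), the script says nothing and runs the virus scan against whatever signatures were baked into the image. Removing the verbosity makes that silent failure harder to spot in the job log, so check the status, e.g. `freshclam || { shell_red "ClamAV definitions update failed"; exit 1; }`, or at minimum log a warning that the scan is using stale signatures.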
Expand Down Expand Up @@ -102,13 +106,14 @@ function setup_wordpress {

# Install WordPress
pushd wordpress || exit 1
rm -f wp-config.php
wp --allow-root config create --dbname=wordpress --dbuser=root --dbpass=password --dbhost=127.0.0.1
wp --allow-root core install --url=10upvulnerabilitytest.net --title='WordPress Vulnerability Test' --admin_user=admin --admin_password=password [email protected] --skip-email
popd || exit 1
}

# function to execute WordPress vulnerability scan
function wp_vuln_scan {
# Function to setup WPCLI vulnerability scanner
function setup_wpcli_vuln_scanner {
# Check if the vuln_api_token is present for wpscan and patchstack providers
if [ "${INPUT_VULN_API_PROVIDER}" != 'wordfence' ] && [ -z "${INPUT_VULN_API_TOKEN}" ]; then
shell_red "vuln_api_token input is required for ${INPUT_VULN_API_PROVIDER} provider. Please provide the token and re-run the scanner"
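Review bot: `rm -f wp-config.php` before `wp config create` works, but `wp config create --force` overwrites an existing file in the same command and keeps the intent in one place; if a stale config can exist because the `wordpress` directory is cached between runs, say so in a comment. Separately, the check at the top of the renamed `setup_wpcli_vuln_scanner` only asks whether a non-`wordfence` provider has a token; nothing rejects an unknown provider string, so a misspelled `patchstack` with a token present passes this check and is written into `wp-config.php` as `VULN_API_PROVIDER`, and the failure surfaces only from the scanner, if at all. A `case` over the three supported values with an explicit `unsupported provider` message would give the user the right hint.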
Expand All @@ -122,10 +127,13 @@ function wp_vuln_scan {
pushd wordpress || exit 1
wp --allow-root config set VULN_API_PROVIDER "${INPUT_VULN_API_PROVIDER}"
wp --allow-root config set VULN_API_TOKEN "${INPUT_VULN_API_TOKEN}"
popd || exit 1
}

# Run WordPress themes vulnerability scan
# Function to execute WordPress themes vulnerability scan
function wp_themes_vuln_scan {
shell_green "##### Starting WordPress Themes vulnerability scan #####"
THEMES_SCAN_OUTPUT=$(wp --allow-root vuln theme-status | grep -v 'Vulnerability API Provider' | grep -v 'status' | grep -v 'No vulnerabilities reported for this version of')
THEMES_SCAN_OUTPUT=$(wp --allow-root --path=wordpress/ vuln theme-status --porcelain)
if [ -z "${THEMES_SCAN_OUTPUT}" ]; then
shell_green "No theme vulnerabilities found"
else
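Review bot: `THEMES_SCAN_OUTPUT=$(wp --allow-root --path=wordpress/ vuln theme-status --porcelain)` followed by `if [ -z "${THEMES_SCAN_OUTPUT}" ]` treats empty output as a clean result, but command substitution discards the exit status: if `wp` fails (token rejected, provider unreachable, rate limit, PHP fatal), stdout is empty, the function prints `No theme vulnerabilities found` and returns success. That is a false negative in the one check this Action exists to perform. Capture the status separately, e.g. `THEMES_SCAN_OUTPUT=$(...) || { shell_red "theme vulnerability check failed"; return 1; }`, and only then test for empty output. The earlier `grep -v` pipeline had the same blind spot, so the `--porcelain` switch is an improvement but does not close it. Also, `wp --allow-root config set VULN_API_TOKEN "${INPUT_VULN_API_TOKEN}"` writes an empty constant in the `wordfence` case; harmless, but guarding it with `[ -n "${INPUT_VULN_API_TOKEN}" ]` keeps the generated `wp-config.php` from defining an empty token.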
Expand All @@ -138,10 +146,12 @@ function wp_vuln_scan {
return 1
fi
fi
}

# Run WordPress Plugins vulnerability scan
# Function to execute WordPress plugins vulnerability scan
function wp_plugins_vuln_scan {
shell_green "##### Starting WordPress Plugins vulnerability scan #####"
PLUGINS_SCAN_OUTPUT=$(wp --allow-root vuln plugin-status | grep -v 'Vulnerability API Provider' | grep -v 'status' | grep -v 'No vulnerabilities reported for this version of')
PLUGINS_SCAN_OUTPUT=$(wp --allow-root --path=wordpress/ vuln plugin-status --porcelain)
if [ -z "${PLUGINS_SCAN_OUTPUT}" ]; then
shell_green "No plugin vulnerabilities found"
else
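Review bot: `wp_plugins_vuln_scan` is a line-for-line copy of `wp_themes_vuln_scan` with `plugin-status`/`Plugins` substituted, including the same `-z` test on `PLUGINS_SCAN_OUTPUT` that cannot tell "no vulnerabilities" from "the `wp vuln` command failed". Rather than fixing the exit-status handling twice, collapse both into one function that takes the subcommand and label as arguments (`wp_vuln_scan plugin-status Plugins`) so the check lives in one place.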
Expand All @@ -154,7 +164,6 @@ function wp_vuln_scan {
return 1
fi
fi
popd || exit 1
}

# Execute PHP syntax check if not disabled
Expand All @@ -164,4 +173,4 @@ function wp_vuln_scan {
[ "${INPUT_DISABLE_VIRUS_SCAN}" != "true" ] && virus_scan

# Execute WordPress vulnerability scan if not disabled
[ "${INPUT_DISABLE_WP_VULN_SCAN}" != "true" ] && setup_mariadb && setup_wordpress && wp_vuln_scan
[ "${INPUT_DISABLE_WP_VULN_SCAN}" != "true" ] && setup_mariadb && setup_wordpress && setup_wpcli_vuln_scanner && wp_themes_vuln_scan && wp_plugins_vuln_scan
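Review bot: the final `&&` chain has two problems. First, `wp_themes_vuln_scan` returns 1 when it finds a vulnerable theme, which short-circuits `wp_plugins_vuln_scan`, so a single vulnerable theme hides every plugin finding from the job output; run both scans and combine their statuses instead (`wp_themes_vuln_scan; t=$?; wp_plugins_vuln_scan; p=$?; exit $((t || p))` or similar). Second, if nothing follows this line, the script's exit status is that of this chain: when `disable_wp_vuln_scan` is `true` the `[ "${INPUT_DISABLE_WP_VULN_SCAN}" != "true" ]` test fails and the Action exits 1 despite having done nothing wrong. End the script with an explicit `exit 0` after collecting the statuses, or write the gate as an `if`.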