
Security Plugin Score and Stats #920


Open
davidperezgar opened this issue Apr 27, 2025 · 3 comments
Labels
Needs Discussion Anything that needs a discussion/agreement

Comments

@davidperezgar (Member)

It would be nice to have a summary of stats for all checks made. I think it would be useful to show stats about the checks done and the errors and warnings discovered. And we could think of it as a health number for the plugin.

@davidperezgar davidperezgar added the Needs Discussion Anything that needs a discussion/agreement label May 4, 2025
@davidperezgar (Member Author)

I think that we can show:

  • Total lines in the plugin
  • Total Checks done
  • Errors Found (by severity more than 7 and less than 7)
  • Warnings Found
  • Total score

@swissspidy swissspidy marked this as a duplicate of #923 May 14, 2025
@davidperezgar davidperezgar changed the title Add Review Stats Security Plugin Score and Stats May 31, 2025
@davidperezgar (Member Author) commented May 31, 2025

For the score, I'm thinking: ERRORS x SEVERITY + (WARNINGS x SEVERITY - CORRECTOR), and make a score between 0 and 100.

Or maybe, we could make a security score for each check.

@davidperezgar davidperezgar self-assigned this May 31, 2025
@frantorres (Contributor)

In terms of scoring, I think we need to change the approach to what is an error, what is a warning, and the severity.

Right now the severity is technically more like "how sure we are that it's not a false positive"; there are checks with the highest severity that do not really have an impact on security.

Meanwhile, some of the main checks with an impact on security (sanitization, escaping, nonces) have too many false positives to be considered directly when creating a score. In the internal script I'm creating new checks that only show issues it's sure about, but that information is partial and should be completed with the manual check.

I think we can create a score in terms of compatibility, for example, as many checks in the compatibility area do not have false positives.

I'm not that sure how to approach security. I guess with what we have now it will be more something informational than a score within a range of how secure the plugin is.
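The following is an added illustration, not Plugin Check code and not something either commenter posted. It puts numbers to two points from the thread: the score formula proposed above (ERRORS x SEVERITY + (WARNINGS x SEVERITY - CORRECTOR), mapped onto 0-100, with the stats list from the earlier comment), and the later suggestion of scoring per area so that an area whose checks still produce many false positives, such as security, is reported as informational rather than folded into a ranged score. The finding fields, the weights, the corrector value, the "high severity" cut at 7 and the per-1000-lines scaling are all assumptions made for the example; the sample rows are constructed.

```python
"""Added illustration of the score and stats discussed in this issue.

Not Plugin Check code. Weights, corrector value, per-1000-lines scaling,
the severity bucket boundary and the Finding fields are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights; the thread names the terms but fixes no values.
ERROR_WEIGHT = 1.0    # each error costs its full severity
WARNING_WEIGHT = 0.5  # each warning costs half its severity
CORRECTOR = 2.0       # flat credit taken off the warning term
HIGH_SEVERITY = 7     # boundary for the "more than 7" bucket in the stats list


@dataclass(frozen=True)
class Finding:
    check: str       # check slug (assumed field name)
    category: str    # area the check belongs to, e.g. "security" (assumed)
    type: str        # "ERROR" or "WARNING"
    severity: int    # 1-10


def penalty_points(findings):
    """Raw penalty: errors x severity + max(0, warnings x severity - corrector)."""
    error_term = sum(f.severity * ERROR_WEIGHT for f in findings if f.type == "ERROR")
    warning_term = sum(f.severity * WARNING_WEIGHT for f in findings if f.type == "WARNING")
    # The corrector must not turn a warning-free plugin into a bonus.
    return error_term + max(0.0, warning_term - CORRECTOR)


def score(findings, total_lines):
    """Map penalty points onto 0-100.

    Penalty is scaled per 1000 lines (assumption) so one finding in a large
    plugin weighs less than the same finding in a tiny one, then clamped so
    many findings cannot push the score below zero.
    """
    if total_lines <= 0:
        raise ValueError("total_lines must be positive")
    scaled = penalty_points(findings) * 1000.0 / total_lines
    return max(0.0, min(100.0, 100.0 - scaled))


def stats(findings, total_lines, checks_run):
    """The summary proposed in the thread: lines, checks, errors by bucket, warnings, score."""
    errors = [f for f in findings if f.type == "ERROR"]
    warnings = [f for f in findings if f.type == "WARNING"]
    return {
        "total_lines": total_lines,
        "checks_run": checks_run,
        "errors_high": sum(1 for f in errors if f.severity > HIGH_SEVERITY),
        "errors_low": sum(1 for f in errors if f.severity <= HIGH_SEVERITY),
        "warnings": len(warnings),
        "score": score(findings, total_lines),
    }


def score_by_category(findings, total_lines, informational=frozenset({"security"})):
    """Per-area scores; areas listed as informational get None instead of a number.

    Checks whose severity mostly encodes confidence rather than impact, and
    which still raise many false positives, are reported but not scored.
    """
    by_category = defaultdict(list)
    for f in findings:
        by_category[f.category].append(f)
    return {
        cat: None if cat in informational else score(rows, total_lines)
        for cat, rows in sorted(by_category.items())
    }


# Constructed sample rows; slugs and categories are made up for the example.
SAMPLE_LINES = 2000
SAMPLE_CHECKS_RUN = 12
SAMPLE_FINDINGS = [
    Finding("readme_header", "plugin_repo", "ERROR", 9),
    Finding("textdomain_mismatch", "i18n", "ERROR", 6),
    Finding("unescaped_output", "security", "ERROR", 5),
    Finding("missing_nonce", "security", "WARNING", 7),
    Finding("large_enqueued_script", "performance", "WARNING", 6),
]

if __name__ == "__main__":
    print(stats(SAMPLE_FINDINGS, SAMPLE_LINES, SAMPLE_CHECKS_RUN))
    print(score_by_category(SAMPLE_FINDINGS, SAMPLE_LINES))
```

On the sample rows the overall score is 87.75 (20 error points plus 4.5 net warning points, scaled to 2000 lines), while the per-area view returns a number for plugin_repo, i18n and performance and None for security, which is the "informational rather than ranged" treatment the last comment argues for. The clamp at the bottom and the max(0, ...) around the warning term are the two edge cases worth keeping whatever weights are eventually chosen.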

Development: No branches or pull requests

2 participants