Making WordPress.org

Opened 5 months ago

Closed 4 weeks ago

Last modified 4 days ago

#8018 closed enhancement (fixed)

Replace WP Scanner for Plugin Check Plugin

Reported by: davidperez
Owned by: dd32
Milestone: (none)
Priority: high
Component: Plugin Directory
Keywords: has-patch
Cc:

Description

We are currently running a plugin scanner using the WPORG Code Analysis tool:
https://github.com/wordpress/wporg-code-analysis

The Plugins Team has been working on the Plugin Check Plugin (PCP), and we’re continuously refining it. The tool supports severity levels, which allows us to block a plugin from being approved when we’re confident the issues are not false positives.

My proposal is to replace the current plugin with PCP in update mode.
This will add checks not only related to security, but also to readme standards and WPCS compliance, including deprecated functions.

Finally, I believe we should send the scanner report to plugin authors so they can proactively improve their plugins. Once this change is implemented, we could move forward with the notification system already proposed here: https://meta.trac.wordpress.org/ticket/5637

Change History (7)

#1 @davidperez
4 weeks ago

  • Keywords has-patch added

This ticket was mentioned in PR #515 on WordPress/wordpress.org by @davidperez.

In the Plugins Team we agreed to run PCP on plugin updates. I've seen how WPORG Code Analysis uses a hook, and I've tried to simulate it and started to make one for PCP. If we make the merge, the plugin has to be deactivated.

#2 @dd32
4 weeks ago

  • Owner set to dd32
  • Resolution set to fixed
  • Status changed from new to closed

In 14565:

Plugin Directory: Run Plugin Check over new plugin releases.

Props davidperez, dd32.
Closes https://github.com/WordPress/wordpress.org/pull/515
See #6108, #5637, #5868.
Fixes #8018.

#3 @dd32
4 weeks ago

In 14566:

Plugin Directory: Enable the --mode parameter to Plugin Check.

See #8018, [14565].

#4 @dd32
4 weeks ago

In 14567:

Plugin Directory: Use the correct variables after the code was moved around in [14565].

See #8018.

#5 @dd32
3 weeks ago

In 14574:

Plugin Directory: Fix displaying the errors encountered during attempted upload.

See [14565].
See #8018.

#6 @dd32
5 days ago

To follow up on this ticket:

Plugin authors aren't being alerted at present to the scanner output. This was not implemented because the PR contained no reasonable text or documentation, and PCP didn't seem to be outputting anything useful other than error codes.

As such, this needs, before it can be closed:

  • Text written to be used in an email to inform plugin authors of the failures / alerts / etc of PCP
  • Possibly the PCP output tweaked / updated so that it can return the context of the alert

#7 @davidperez
4 days ago

Ok, we will prepare it.
