VIP Dashboard Plugins panel
The Plugins panel in the VIP Dashboard displays a list of plugins that are located in the /plugins
directory of a WordPress environment’s wpcomvip GitHub repository branch.
For each plugin scanned by Codebase Manager, the Plugins panel will indicate if version updates are available, or if the scan has identified a known security vulnerability for a plugin. A pull request to update a plugin can be initiated from within the VIP Dashboard Plugins panel.
Note
Customers can also stay informed of known security vulnerabilities that are identified by the scans with automated messages:
- Notifications: Automated messages that are triggered by all levels of identified security vulnerabilities for plugins that are already deployed to application environments. Notifications are opt-in, and can be sent to a webhook URL for Slack, Google Chat, or Microsoft Teams, a general-purpose webhook URL, or an email address.
- Important Alerts: Automated Notifications that are triggered by identified security vulnerabilities rated as high or critical for plugins that are already deployed to application environments. All users with an Org admin role or an App admin role receive Important Alerts by email by default.
Limitations
- Only plugins that are located within an application’s
/plugins
directory are scanned. - WP-CLI and cron must be in a healthy, functioning state on a WordPress environment in order for plugins associated with that environment to appear as expected on the Plugins panel.
- Typically, only plugins that can be downloaded from the WordPress.org Plugin Directory can be scanned. In some cases it is possible for a plugin downloaded from a source other than the WordPress.org Plugin Directory to be scanned if the plugin has a valid license activated.
- Only plugins with a valid WordPress plugin slug are eligible for an option to create a pull request. For a plugin downloaded from a source other than the WordPress.org Plugin Directory, the slug might only be detectable if the plugin is activated, and might also require a valid license to be activated.
- For plugins managed by composer, pull requests that are created from within the Plugins panel will only be successful if the plugin is resourced from the
wpackagist
composer repository. - After merging a pull request that updates the version of a plugin, the plugin’s version and related security warnings might not update on the Plugins panel for up to 15 minutes.
Access
Prerequisites
- To view an environment’s Plugins panel, a user must have at minimum an Org member role or an App write role for that application.
- To view and select pull request options in the Actions column, a user must have at minimum an Org member role or an App write role for that application.
To access the Plugins panel:
- Navigate to the VIP Dashboard for an application.
- The Plugins panel is environment-specific (e.g., Production, Develop). Select an environment from the dropdown located at the upper left of the VIP Dashboard application view.
- Select “Code” from the sidebar navigation at the left of the screen.
- Select “Plugins” from the submenu.
Filter options
The list can be filtered by:
- Update Available: Only display plugins for which an updated version is available.
- Security Issues: Only display plugins for which a vulnerability has been identified.
Information displayed
By default, all plugins located within the /plugins
directory of an environment’s wpcomvip repository branch that have been scanned by Codebase Manager are displayed in the Plugins panel.
Plugins are listed in alphabetical order by name. Depending on availability, information about each plugin will also include:
- NAME: The name of the plugin, and a relative path to the plugin’s directory in the environment’s GitHub repository branch.
- VERSION: The version of the plugin located in the environment’s GitHub repository branch. If a more recent version of the plugin is identified and available, that version will also be displayed with the label “Available”.
- SECURITY ISSUES: When applicable, linked notices stating the severity level of a known vulnerability will display for the version of the scanned plugin. The notice will link to the WPScan site where more details specific to the reported vulnerability can be reviewed.
- ACTION: If a more recent version of a scanned plugin is available and able to be automatically provided by Codebase Manager, a selectable button will be displayed that allows a user to:
- Create pull request: Create a pull request in the branch of the wpcomvip repository where the plugin is located. The pull request will update the plugin to the most recent available version.
- View pull request: View an already created pull request that is not yet merged. Only users with existing access to the application’s GitHub repository will have permission to view the pull request.
Create a pull request
Prerequisites
- To view and select pull request options in the Actions column, a user must have at minimum an Org member role or an App write role for that application.
- To merge a pull request, a user must have a GitHub user account with with
write
access permissions or greater for an application’s GitHub repository. - The option to select a button labeled “Create Pull Request” is only available for environments that have Default Deployment enabled.
If a Codebase Manager scan has identified a known security vulnerability or an available version update for a plugin, a button labeled “Create Pull Request” will be available in the “Action” column. Selecting the button will trigger a pull request containing the most recent version of the plugin to be created. The pull request will be made against the GitHub branch that deploys to the environment currently being viewed in the VIP Dashboard.
For security reasons, plugin updates should be made as soon as possible. It is recommended to test the updated version of the plugin on a non-production environment before updating the plugin on production.
If a newer version of a plugin becomes available before a created pull request has been merged, a “Create Pull Request” button will reappear for the plugin in the Plugins panel. Select the button to create a new pull request with the most recent version of the plugin.
Information included in pull requests
Pull requests that are initiated from the VIP Dashboard Plugins panel will include the following information in the pull request description field:
- Details: Source URL of the reported vulnerable plugin in the WordPress.org Plugin Directory.
- Installed location: Path to the directory in the GitHub repository branch matching the reported vulnerable plugin.
- Version: The new version of the plugin that is being updated.
Code review for pull requests
By default, the VIP Code Analysis Bot will not analyze pull requests that are initiated from the VIP Dashboard Plugins panel. This configuration is designed to enable plugin updates to be made as quickly and simply as possible.
Customer’s can optionally run the same PHPCS scan as the Bot locally against the updated version of the plugin. Maintaining plugins at their most up to date versions is a best practice for WordPress applications. An important part of this best practice is to also locally review the code of the updated version with PHPCS, act on any feedback as needed, and complete testing for the updated plugin on a non-production environment before updating the plugin on production. Following this process enables developers to more confidently merge the pull requests generated by Codebase Manager.
Last updated: September 30, 2024