VIP’s Codebase Manager is a service that helps customers keep versions of the plugins in their wpcomvip GitHub repositories secure and up to date.
Automated Security Scanning
Codebase Manager’s Automated Security Scanning watches for new plugin vulnerabilities that are published to WPScan and scans through all wpcomvip GitHub repositories looking for matches. Scan results that indicate plugins with high severity vulnerabilities may trigger pull requests in the branches of wpcomvip repositories where versions of the vulnerable plugins are found.
The pull request description includes the following information about the affected plugin identified in the customer repository:
- Details: Source URL of the reported vulnerable plugin in the WordPress.org Plugin Directory.
- Installed location: Path to the directory matching the reported vulnerable plugin in the GitHub repository branch.
- Version: The new version of the plugin being updated.
Customers should verify that the (WordPress.org) plugin being updated in the pull request matches the plugin that actually exists within the branch of their repository. Read more about dealing with false-positive plugin matches.
Additional information included in the pull request about the type and severity of the vulnerability:
- Title: The title of the reported vulnerability usually containing the name of the plugin, the affected version(s), and a brief description of the vulnerability.
- Details: A link to the WPScan site where more details specific to the reported vulnerability can be reviewed.
- Severity score: Severity rating of the reported vulnerability based on the Common Vulnerability Scoring System (CVSS).
Responding to pull requests
Customers are expected to test and merge the pull requests created by Automated Security Scanning as soon as possible. Like all plugin updates, thorough testing should be completed on a non-production environment before updating the plugin on production.
If a pull request is closed and not merged, Automated Security Scanning will make no further pull requests for that specific vulnerability. However, new pull requests will still be created by Automated Security Scanning if additional security vulnerabilities are reported for the plugin and version.
Preventing false-positive plugin matches
On rare occasions, the naming convention of a plugin directory can cause a false positive and generate an Automated Security Scanning pull request. A false positive can occur when the directory name for a custom plugin—or a third-party plugin from a different source—is identical to the directory name of the WordPress.org plugin identified in the security vulnerability.
Customers should use the Update URI plugin header field in custom plugins to prevent them from being accidentally overwritten by an update to a plugin with a similar name and slug from the WordPress.org Plugin Directory.
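As an added example (not code from the VIP documentation or from Codebase Manager), the main file of a hypothetical custom plugin whose directory slug happens to collide with a WordPress.org plugin. The plugin name, slug and hostname are assumptions; the Update URI header and the update_plugins_{hostname} filter are standard WordPress behaviour since 5.8.

```php
<?php
/**
 * Plugin Name: Acme Custom Forms
 * Description: Internal forms plugin maintained in this repository. Not the
 *              WordPress.org plugin that shares the "acme-forms" slug.
 * Version:     1.4.2
 * Update URI:  https://plugins.example.com/acme-forms/
 */

// Because the Update URI host is not wordpress.org, WordPress core excludes this
// plugin from the WordPress.org update check, so an update for the unrelated
// WordPress.org plugin with the same slug can no longer overwrite these files.
//
// Core instead fires the update_plugins_{hostname} filter for the host named in
// the header. Returning false tells WordPress there is no update available; the
// Git repository remains the only source of changes for this plugin.
add_filter(
	'update_plugins_plugins.example.com',
	function ( $update, array $plugin_data, string $plugin_file, $locales ) {
		// Only answer for our own plugin file; leave any other plugin on the
		// same host untouched.
		if ( plugin_basename( __FILE__ ) !== $plugin_file ) {
			return $update;
		}
		return false;
	},
	10,
	4
);
```

The header alone is enough to stop WordPress.org updates; the filter is only needed if you want to control (or, as here, explicitly disable) updates from your own host.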