Add support for WPScan API scanning

[gudmdharalds]

This patch will introduce WPScan API support to vip-go-ci as an optional feature. With the feature set up and enabled, new or altered plugins and themes submitted in pull requests will be scanned for security vulnerabilities using the WPScan API.

TODO:

• Specify options parameters to make WPScan API support configurable.
  • Parameter to enable or disable WPScan API support (--wpscan-api).
  • Parameter to enable or disable WPScan API dry-run mode (--wpscan-api-dry-mode).
  • Parameter to specify directories to scan (--wpscan-api-paths).
  • Parameter to specify directories to skip (--wpscan-api-skip-folders).
  • Parameter to specify WPScan API URL (--wpscan-api-url).
  • Parameter to specify WPScan API access-token (--wpscan-api-token).
  • Add test for vipgoci_run_init_options_wpscan().
• Logic to find plugins/themes, determine slugs, and collect vulnerable/obsolete plugins or themes via WPScan API:
  • Logic to determine directories to scan using parameters (vipgoci_wpscan_find_addon_dirs_altered()).
    • Add integration test for function
      • Check for themes.
      • Ensure added plugins/themes are included in results.
      • Ensure updated plugins/themes are included in results.
      • Ensure deleted plugins/themes are not included in results.
  • Determine slug of plugins or themes altered and get additional data using functionality from WordPress Core (using logic in wp-core-misc.php), check for security problems via WPScan API (using logic implemented in wpscan-api.php), filter security problems that are not applicable (logic from same file). Make a distinction between vulnerable plugins and obsolete ones (vipgoci_wpscan_scan_dirs_altered()).
    • Add integration test for function
      • Add check for themes
  • Save results of WPScan API scanning in results structure (vipgoci_wpscan_scan_save_for_submission())
    • Look for label so end-users can request skip scanning (skip-wpscan-scan)
    • Different severity level for obsolete addons (7) and vulnerable ones (10).
    • Add integration test for function
    • Add test for themes
  • Add function wrapper for a) finding plugins/themes to scan, b) to scan these via WPScan API, c) and save results for submission (vipgoci_wpscan_scan_commit()).
    • Add integration test for function
    • Add test for themes
• WPScan result submission logic:
  • Make reporting of generic comments modular, depending on result type (PHP lint or WPScan).
  • Function to output beginning of PHP lint report comment (vipgoci_lint_report_comment_start())
  • Function to output main body of PHP lint report comment based on results (vipgoci_lint_report_comment_format_result())
  • Report WPScan API results to IRC only if dry-run is enabled.
  • Function to output beginning of WPScan report comment (vipgoci_wpscan_report_start())
    • Integrate into vipgoci_report_submit_pr_generic_comment_from_results()
    • Make a distinction between submitting plugin or theme results
    • Add test for function
  • Function to output end of WPScan report comment (vipgoci_wpscan_report_end()
    • Make a distinction between submitting plugin or theme results
    • Integrate into vipgoci_report_submit_pr_generic_comment_from_results()
    • Add test for function
  • Function that outputs CVSS ranking in human readable form (vipgoci_wpscan_report_format_cvss_score())
    • Implement function, ensure it is called from result formatting function
    • Add unit test for function
  • Function that outputs main body of WPScan report comment based on results (vipgoci_wpscan_report_comment_format_result())
    • Make a distinction between submitting plugin or theme results
    • Integrate into vipgoci_report_submit_pr_generic_comment_from_results()
    • Add test for function
• WPScan API scanning support:
  • Function to ask WPScan API for information about individual plugins/themes.
    • Test for vipgoci_wpscan_do_scan_via_api()
  • Function to filter away vulnerabilities that do not affect the current plugin/theme version.
    • Test for vipgoci_wpscan_filter_fixed_vulnerabilities()
• WordPress Core functionality:
  • Function to retrieve WordPress plugin/theme headers (vipgoci_wpcore_misc_get_file_wp_headers())
    • Add test for vipgoci_wpcore_misc_get_file_wp_headers()
    • Function to clean up headers (vipgoci_wpcore_misc_cleanup_header_comment()).
      • Add test for vipgoci_wpcore_misc_cleanup_header_comment()
  • Function to determine if a file belongs to a theme or a plugin and retrieve headers (vipgoci_wpcore_misc_get_addon_headers_and_type()).
    • Add test for vipgoci_wpcore_misc_get_addon_headers_and_type()
  • Function to retrieve list of plugins or themes found in a particular directory (vipgoci_wpcore_misc_scan_directory_for_addons())
    • Add test for vipgoci_wpcore_misc_scan_directory_for_addons()
    • If UpdateURI header found is outside of valid WordPress.org URIs, skip addon.
  • Function to determine slugs for plugins or themes (vipgoci_wpcore_api_determine_slug_and_other_for_addons())
    • Add test for vipgoci_wpcore_api_determine_slug_and_other_for_addons()
    • Use HTTP 1.1 for requests.
    • Add theme to integration test.
  • Function to merge fields from WordPress.org API response into array of addons found, plus verification of essential fields (vipgoci_wpcore_misc_assign_addon_fields()).
    • Add test for function.
  • Function to get plugin and theme header data, and determine slugs for the plugins/themes and get other information using the WordPress.org API (vipgoci_wpcore_misc_get_addon_data_and_slugs_for_directory())
    • Add test for vipgoci_wpcore_misc_get_addon_data_and_slugs_for_directory()
      • Test theme as well.
• Functions that need refining:
  • Refine vipgoci_http_api_fetch_url():
    • Add support for WPScan API access tokens
  • Refine vipgoci_http_api_post_url():
    • Support encoding HTTP POST request postfields using URL-encoded query-strings.
    • Support setting which HTTP protocol version to use for requests.
    • Make access token an optional parameter.
    • Allow callers to specify HTTP Content-Type header.
    • Support returning content from API backend.
  • Refine vipgoci_scandir_git_repo():
    • Parameter to disable subdirectory scanning
      • Update integration test so that this parameter is tested.
• Support functions:
  • vipgoci_preview_string(): Function to shorten strings, especially useful for logging API responses.
    • Test for vipgoci_preview_string()
  • vipgoci_array_push_uniquely() Function add items to array, only if they are not in the array already.
    • Test for vipgoci_array_push_uniquely()
  • vipgoci_directory_path_get_dir_and_include_base(): Function to get "base" path of target directory along with the directory-name itself, skip any sub-directories.
    • Test for vipgoci_directory_path_get_dir_and_include_base()
  • vipgoci_github_files_affected_by_commit(): Function to get files affected by each pull request implicated by the commit.
    • Test for vipgoci_github_files_affected_by_commit().
  • vipgoci_directory_found_in_file_list(): Function to check if a particular directory path is found in array of file paths.
    • Test for vipgoci_directory_found_in_file_list()
  • vipgoci_string_found_in_substrings_array(): Check if any of the strings in a given array are a substring of comparison string.
    • Test for vipgoci_string_found_in_substrings_array()
  • vipgoci_output_sanitize_url(): Function to escape URLs.
    • Add unit test.
  • vipgoci_output_markdown_escape(): Function to escape Markdown characters.
    • Add unit test.
• Auto-approval changes:
  • Do not auto-approve if WPScan API finds issues (only when dry-run is disabled).
    • Add integration test for when WPScan indicates issues and when it does not.
• Verify all tests have been added or updated -- both unit and integrated
• Add section about WPScan API support to --help message.
• Add section about WPScan API support to README file.
• Add details about WPScan API to Scan run detail
  • Add tests also (unit/tests/ReportCreateScanDetailsWpscanConfigurationTest.php)
• Add WPScan API TODO item to .github/PULL_REQUEST_TEMPLATE
• Changelog entry [ Changelog for version 1.3.0 #286 ]
• Check status of automated tests

[wpcomvip-vipgoci-bot]

phpcs scanning turned up:

🚫 5 errors

---

This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.

---

Scan run detail

Software versions vip-go-ci version: 1.2.3 PHP runtime version for vip-go-ci: 8.1.6 PHP runtime for linting: PHP 8.1: 8.1.6 PHP runtime version for PHPCS: 7.4.29 PHPCS version: 3.6.2 PHP runtime version for SVG scanner: 7.4.29 Options file (.vipgoci_options) Options file enabled: true Configurable options: skip-execution skip-draft-prs lint-modified-files-only phpcs phpcs-severity phpcs-sniffs-include phpcs-sniffs-exclude report-no-issues-found review-comments-sort review-comments-include-severity post-generic-pr-support-comments review-comments-sort scan-details-msg-include svg-checks autoapprove autoapprove-php-nonfunctional-changes hashes-api Options altered: phpcs-severityset to1 phpcs-sniffs-includeset toGeneric.PHP.DisallowShortOpenTag, Squiz.PHP.CommentedOutCode phpcs-sniffs-excludeset toWordPress.Security.EscapeOutput, WordPress.PHP.DevelopmentFunctions, WordPress.WP.AlternativeFunctions, WordPress.PHP.DiscouragedPHPFunctions, WordPress.Files.FileName, Squiz.Commenting.FileComment, Generic.PHP.Syntax skip-draft-prsset to

PHP lint options PHP lint files enabled: true Lint modified files only: true Directories not PHP linted: None SVG configuration SVG scanning enabled: true Auto-approval configuration Auto-approvals enabled: true Non-functional changes auto-approved: true Auto-approval DB enabled: true Auto-approved file-types: css csv eot gif gz ico ini jpeg jpg json less map md mdown mo mp4 otf pcss pdf po pot png sass scss styl ttf txt woff woff2 yml

PHPCS configuration PHPCS scanning enabled: true PHPCS severity level: 1 Standard(s) used: PHPCompatibility PHPCompatibilityParagonieRandomCompat PHPCompatibilityParagonieSodiumCompat VariableAnalysis WordPress Runtime set: testVersion 8.1- Custom sniffs included: Generic.PHP.DisallowShortOpenTag Squiz.PHP.CommentedOutCode Custom sniffs excluded: WordPress.Security.EscapeOutput WordPress.PHP.DevelopmentFunctions WordPress.WP.AlternativeFunctions WordPress.PHP.DiscouragedPHPFunctions WordPress.Files.FileName Squiz.Commenting.FileComment Generic.PHP.Syntax Directories not PHPCS scanned: tests/unit

[wpcomvip-vipgoci-bot]

phpcs scanning turned up:

🚫 1 error

---

This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.

---

Scan run detail

Software versions vip-go-ci version: 1.2.3 PHP runtime version for vip-go-ci: 8.1.6 PHP runtime for linting: PHP 8.1: 8.1.6 PHP runtime version for PHPCS: 7.4.29 PHPCS version: 3.6.2 PHP runtime version for SVG scanner: 7.4.29 Options file (.vipgoci_options) Options file enabled: true Configurable options: skip-execution skip-draft-prs lint-modified-files-only phpcs phpcs-severity phpcs-sniffs-include phpcs-sniffs-exclude report-no-issues-found review-comments-sort review-comments-include-severity post-generic-pr-support-comments review-comments-sort scan-details-msg-include svg-checks autoapprove autoapprove-php-nonfunctional-changes hashes-api Options altered: phpcs-severityset to1 phpcs-sniffs-includeset toGeneric.PHP.DisallowShortOpenTag, Squiz.PHP.CommentedOutCode phpcs-sniffs-excludeset toWordPress.Security.EscapeOutput, WordPress.PHP.DevelopmentFunctions, WordPress.WP.AlternativeFunctions, WordPress.PHP.DiscouragedPHPFunctions, WordPress.Files.FileName, Squiz.Commenting.FileComment, Generic.PHP.Syntax skip-draft-prsset to

PHP lint options PHP lint files enabled: true Lint modified files only: true Directories not PHP linted: None SVG configuration SVG scanning enabled: true Auto-approval configuration Auto-approvals enabled: true Non-functional changes auto-approved: true Auto-approval DB enabled: true Auto-approved file-types: css csv eot gif gz ico ini jpeg jpg json less map md mdown mo mp4 otf pcss pdf po pot png sass scss styl ttf txt woff woff2 yml

PHPCS configuration PHPCS scanning enabled: true PHPCS severity level: 1 Standard(s) used: PHPCompatibility PHPCompatibilityParagonieRandomCompat PHPCompatibilityParagonieSodiumCompat VariableAnalysis WordPress Runtime set: testVersion 8.1- Custom sniffs included: Generic.PHP.DisallowShortOpenTag Squiz.PHP.CommentedOutCode Custom sniffs excluded: WordPress.Security.EscapeOutput WordPress.PHP.DevelopmentFunctions WordPress.WP.AlternativeFunctions WordPress.PHP.DiscouragedPHPFunctions WordPress.Files.FileName Squiz.Commenting.FileComment Generic.PHP.Syntax Directories not PHPCS scanned: tests/unit

[wpcomvip-vipgoci-bot]

phpcs scanning turned up:

🚫 1 error

---

This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.

---

Scan run detail

Software versions vip-go-ci version: 1.2.3 PHP runtime version for vip-go-ci: 8.1.6 PHP runtime for linting: PHP 8.1: 8.1.6 PHP runtime version for PHPCS: 7.4.29 PHPCS version: 3.6.2 PHP runtime version for SVG scanner: 7.4.29 Options file (.vipgoci_options) Options file enabled: true Configurable options: skip-execution skip-draft-prs lint-modified-files-only phpcs phpcs-severity phpcs-sniffs-include phpcs-sniffs-exclude report-no-issues-found review-comments-sort review-comments-include-severity post-generic-pr-support-comments review-comments-sort scan-details-msg-include svg-checks autoapprove autoapprove-php-nonfunctional-changes hashes-api Options altered: phpcs-severityset to1 phpcs-sniffs-includeset toGeneric.PHP.DisallowShortOpenTag, Squiz.PHP.CommentedOutCode phpcs-sniffs-excludeset toWordPress.Security.EscapeOutput, WordPress.PHP.DevelopmentFunctions, WordPress.WP.AlternativeFunctions, WordPress.PHP.DiscouragedPHPFunctions, WordPress.Files.FileName, Squiz.Commenting.FileComment, Generic.PHP.Syntax skip-draft-prsset to

PHP lint options PHP lint files enabled: true Lint modified files only: true Directories not PHP linted: None SVG configuration SVG scanning enabled: true Auto-approval configuration Auto-approvals enabled: true Non-functional changes auto-approved: true Auto-approval DB enabled: true Auto-approved file-types: css csv eot gif gz ico ini jpeg jpg json less map md mdown mo mp4 otf pcss pdf po pot png sass scss styl ttf txt woff woff2 yml

PHPCS configuration PHPCS scanning enabled: true PHPCS severity level: 1 Standard(s) used: PHPCompatibility PHPCompatibilityParagonieRandomCompat PHPCompatibilityParagonieSodiumCompat VariableAnalysis WordPress Runtime set: testVersion 8.1- Custom sniffs included: Generic.PHP.DisallowShortOpenTag Squiz.PHP.CommentedOutCode Custom sniffs excluded: WordPress.Security.EscapeOutput WordPress.PHP.DevelopmentFunctions WordPress.WP.AlternativeFunctions WordPress.PHP.DiscouragedPHPFunctions WordPress.Files.FileName Squiz.Commenting.FileComment Generic.PHP.Syntax Directories not PHPCS scanned: tests/unit

Dismissing review as all inline comments are obsolete by now

[wpcomvip-vipgoci-bot]

phpcs scanning turned up:

🚫 1 error

---

This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.

---

Scan run detail

Software versions vip-go-ci version: 1.2.3 PHP runtime version for vip-go-ci: 8.1.6 PHP runtime for linting: PHP 8.1: 8.1.6 PHP runtime version for PHPCS: 7.4.29 PHPCS version: 3.6.2 PHP runtime version for SVG scanner: 7.4.29 Options file (.vipgoci_options) Options file enabled: true Configurable options: skip-execution skip-draft-prs lint-modified-files-only phpcs phpcs-severity phpcs-sniffs-include phpcs-sniffs-exclude report-no-issues-found review-comments-sort review-comments-include-severity post-generic-pr-support-comments review-comments-sort scan-details-msg-include svg-checks autoapprove autoapprove-php-nonfunctional-changes hashes-api Options altered: phpcs-severityset to1 phpcs-sniffs-includeset toGeneric.PHP.DisallowShortOpenTag, Squiz.PHP.CommentedOutCode phpcs-sniffs-excludeset toWordPress.Security.EscapeOutput, WordPress.PHP.DevelopmentFunctions, WordPress.WP.AlternativeFunctions, WordPress.PHP.DiscouragedPHPFunctions, WordPress.Files.FileName, Squiz.Commenting.FileComment, Generic.PHP.Syntax skip-draft-prsset to

PHP lint options PHP lint files enabled: true Lint modified files only: true Directories not PHP linted: None SVG configuration SVG scanning enabled: true Auto-approval configuration Auto-approvals enabled: true Non-functional changes auto-approved: true Auto-approval DB enabled: true Auto-approved file-types: css csv eot gif gz ico ini jpeg jpg json less map md mdown mo mp4 otf pcss pdf po pot png sass scss styl ttf txt woff woff2 yml

PHPCS configuration PHPCS scanning enabled: true PHPCS severity level: 1 Standard(s) used: PHPCompatibility PHPCompatibilityParagonieRandomCompat PHPCompatibilityParagonieSodiumCompat VariableAnalysis WordPress Runtime set: testVersion 8.1- Custom sniffs included: Generic.PHP.DisallowShortOpenTag Squiz.PHP.CommentedOutCode Custom sniffs excluded: WordPress.Security.EscapeOutput WordPress.PHP.DevelopmentFunctions WordPress.WP.AlternativeFunctions WordPress.PHP.DiscouragedPHPFunctions WordPress.Files.FileName Squiz.Commenting.FileComment Generic.PHP.Syntax Directories not PHPCS scanned: tests/unit

[iamchughmayank]

I wonder if the "VIP Code Analysis Bot" checks can be performed as a pre-push step to ensure it passes in the pipeline as well?

[gudmdharalds]

I wonder if the "VIP Code Analysis Bot" checks can be performed as a pre-push step to ensure it passes in the pipeline as well?

I think that should be possible. Let's discuss during our next team meeting.

[wpcomvip-vipgoci-bot]

phpcs scanning turned up:

🚫 1 error

---

This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.

---

Scan run detail

Software versions vip-go-ci version: 1.2.3 PHP runtime version for vip-go-ci: 8.1.6 PHP runtime for linting: PHP 8.1: 8.1.6 PHP runtime version for PHPCS: 7.4.29 PHPCS version: 3.6.2 PHP runtime version for SVG scanner: 7.4.29 Options file (.vipgoci_options) Options file enabled: true Configurable options: skip-execution skip-draft-prs lint-modified-files-only phpcs phpcs-severity phpcs-sniffs-include phpcs-sniffs-exclude report-no-issues-found review-comments-sort review-comments-include-severity post-generic-pr-support-comments review-comments-sort scan-details-msg-include svg-checks autoapprove autoapprove-php-nonfunctional-changes hashes-api Options altered: phpcs-severityset to1 phpcs-sniffs-includeset toGeneric.PHP.DisallowShortOpenTag, Squiz.PHP.CommentedOutCode phpcs-sniffs-excludeset toWordPress.Security.EscapeOutput, WordPress.PHP.DevelopmentFunctions, WordPress.WP.AlternativeFunctions, WordPress.PHP.DiscouragedPHPFunctions, WordPress.Files.FileName, Squiz.Commenting.FileComment, Generic.PHP.Syntax skip-draft-prsset to

PHP lint options PHP lint files enabled: true Lint modified files only: true Directories not PHP linted: None SVG configuration SVG scanning enabled: true Auto-approval configuration Auto-approvals enabled: true Non-functional changes auto-approved: true Auto-approval DB enabled: true Auto-approved file-types: css csv eot gif gz ico ini jpeg jpg json less map md mdown mo mp4 otf pcss pdf po pot png sass scss styl ttf txt woff woff2 yml

PHPCS configuration PHPCS scanning enabled: true PHPCS severity level: 1 Standard(s) used: PHPCompatibility PHPCompatibilityParagonieRandomCompat PHPCompatibilityParagonieSodiumCompat VariableAnalysis WordPress Runtime set: testVersion 8.1- Custom sniffs included: Generic.PHP.DisallowShortOpenTag Squiz.PHP.CommentedOutCode Custom sniffs excluded: WordPress.Security.EscapeOutput WordPress.PHP.DevelopmentFunctions WordPress.WP.AlternativeFunctions WordPress.PHP.DiscouragedPHPFunctions WordPress.Files.FileName Squiz.Commenting.FileComment Generic.PHP.Syntax Directories not PHPCS scanned: tests/unit

Dismissing review as all inline comments are obsolete by now

[wpcomvip-vipgoci-bot]

phpcs scanning turned up:

⚠️ 3 warnings

---

This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.

---

Scan run detail

Software versions vip-go-ci version: 1.2.3 PHP runtime version for vip-go-ci: 8.1.7 PHP runtime for linting: PHP 8.1: 8.1.7 PHP runtime version for PHPCS: 7.4.30 PHPCS version: 3.6.2 PHP runtime version for SVG scanner: 7.4.30 Options file (.vipgoci_options) Options file enabled: true Configurable options: skip-execution skip-draft-prs lint-modified-files-only phpcs phpcs-severity phpcs-sniffs-include phpcs-sniffs-exclude report-no-issues-found review-comments-sort review-comments-include-severity post-generic-pr-support-comments review-comments-sort scan-details-msg-include svg-checks autoapprove autoapprove-php-nonfunctional-changes hashes-api Options altered: phpcs-severityset to1 phpcs-sniffs-includeset toGeneric.PHP.DisallowShortOpenTag, Squiz.PHP.CommentedOutCode phpcs-sniffs-excludeset toWordPress.Security.EscapeOutput, WordPress.PHP.DevelopmentFunctions, WordPress.WP.AlternativeFunctions, WordPress.PHP.DiscouragedPHPFunctions, WordPress.Files.FileName, Squiz.Commenting.FileComment, Generic.PHP.Syntax skip-draft-prsset to

PHP lint options PHP lint files enabled: true Lint modified files only: true Directories not PHP linted: None SVG configuration SVG scanning enabled: true Auto-approval configuration Auto-approvals enabled: true Non-functional changes auto-approved: true Auto-approval DB enabled: true Auto-approved file-types: css csv eot gif gz ico ini jpeg jpg json less map md mdown mo mp4 otf pcss pdf po pot png sass scss styl ttf txt woff woff2 yml

PHPCS configuration PHPCS scanning enabled: true PHPCS severity level: 1 Standard(s) used: PHPCompatibility PHPCompatibilityParagonieRandomCompat PHPCompatibilityParagonieSodiumCompat VariableAnalysis WordPress Runtime set: testVersion 8.1- Custom sniffs included: Generic.PHP.DisallowShortOpenTag Squiz.PHP.CommentedOutCode Custom sniffs excluded: WordPress.Security.EscapeOutput WordPress.PHP.DevelopmentFunctions WordPress.WP.AlternativeFunctions WordPress.PHP.DiscouragedPHPFunctions WordPress.Files.FileName Squiz.Commenting.FileComment Generic.PHP.Syntax Directories not PHPCS scanned: tests/unit

[wpcomvip-vipgoci-bot]

phpcs scanning turned up:

🚫 1 error

---

This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.

---

Scan run detail

Software versions vip-go-ci version: 1.2.3 PHP runtime version for vip-go-ci: 8.1.7 PHP runtime for linting: PHP 8.1: 8.1.7 PHP runtime version for PHPCS: 7.4.30 PHPCS version: 3.6.2 PHP runtime version for SVG scanner: 7.4.30 Options file (.vipgoci_options) Options file enabled: true Configurable options: skip-execution skip-draft-prs lint-modified-files-only phpcs phpcs-severity phpcs-sniffs-include phpcs-sniffs-exclude report-no-issues-found review-comments-sort review-comments-include-severity post-generic-pr-support-comments review-comments-sort scan-details-msg-include svg-checks autoapprove autoapprove-php-nonfunctional-changes hashes-api Options altered: phpcs-severityset to1 phpcs-sniffs-includeset toGeneric.PHP.DisallowShortOpenTag, Squiz.PHP.CommentedOutCode phpcs-sniffs-excludeset toWordPress.Security.EscapeOutput, WordPress.PHP.DevelopmentFunctions, WordPress.WP.AlternativeFunctions, WordPress.PHP.DiscouragedPHPFunctions, WordPress.Files.FileName, Squiz.Commenting.FileComment, Generic.PHP.Syntax skip-draft-prsset to

PHP lint options PHP lint files enabled: true Lint modified files only: true Directories not PHP linted: None SVG configuration SVG scanning enabled: true Auto-approval configuration Auto-approvals enabled: true Non-functional changes auto-approved: true Auto-approval DB enabled: true Auto-approved file-types: css csv eot gif gz ico ini jpeg jpg json less map md mdown mo mp4 otf pcss pdf po pot png sass scss styl ttf txt woff woff2 yml

PHPCS configuration PHPCS scanning enabled: true PHPCS severity level: 1 Standard(s) used: PHPCompatibility PHPCompatibilityParagonieRandomCompat PHPCompatibilityParagonieSodiumCompat VariableAnalysis WordPress Runtime set: testVersion 8.1- Custom sniffs included: Generic.PHP.DisallowShortOpenTag Squiz.PHP.CommentedOutCode Custom sniffs excluded: WordPress.Security.EscapeOutput WordPress.PHP.DevelopmentFunctions WordPress.WP.AlternativeFunctions WordPress.PHP.DiscouragedPHPFunctions WordPress.Files.FileName Squiz.Commenting.FileComment Generic.PHP.Syntax Directories not PHPCS scanned: tests/unit

Dismissing review as all inline comments are obsolete by now

[wpcomvip-vipgoci-bot]

phpcs scanning turned up:

⚠️ 1 warning

---

This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.

---

Scan run detail

Software versions vip-go-ci version: 1.2.3 PHP runtime version for vip-go-ci: 8.1.7 PHP runtime for linting: PHP 8.1: 8.1.7 PHP runtime version for PHPCS: 7.4.30 PHPCS version: 3.6.2 PHP runtime version for SVG scanner: 7.4.30 Options file (.vipgoci_options) Options file enabled: true Configurable options: skip-execution skip-draft-prs lint-modified-files-only phpcs phpcs-severity phpcs-sniffs-include phpcs-sniffs-exclude report-no-issues-found review-comments-sort review-comments-include-severity post-generic-pr-support-comments review-comments-sort scan-details-msg-include svg-checks autoapprove autoapprove-php-nonfunctional-changes hashes-api Options altered: phpcs-severityset to1 phpcs-sniffs-includeset toGeneric.PHP.DisallowShortOpenTag, Squiz.PHP.CommentedOutCode phpcs-sniffs-excludeset toWordPress.Security.EscapeOutput, WordPress.PHP.DevelopmentFunctions, WordPress.WP.AlternativeFunctions, WordPress.PHP.DiscouragedPHPFunctions, WordPress.Files.FileName, Squiz.Commenting.FileComment, Generic.PHP.Syntax skip-draft-prsset to

PHP lint options PHP lint files enabled: true Lint modified files only: true Directories not PHP linted: None SVG configuration SVG scanning enabled: true Auto-approval configuration Auto-approvals enabled: true Non-functional changes auto-approved: true Auto-approval DB enabled: true Auto-approved file-types: css csv eot gif gz ico ini jpeg jpg json less map md mdown mo mp4 otf pcss pdf po pot png sass scss styl ttf txt woff woff2 yml

PHPCS configuration PHPCS scanning enabled: true PHPCS severity level: 1 Standard(s) used: PHPCompatibility PHPCompatibilityParagonieRandomCompat PHPCompatibilityParagonieSodiumCompat VariableAnalysis WordPress Runtime set: testVersion 8.1- Custom sniffs included: Generic.PHP.DisallowShortOpenTag Squiz.PHP.CommentedOutCode Custom sniffs excluded: WordPress.Security.EscapeOutput WordPress.PHP.DevelopmentFunctions WordPress.WP.AlternativeFunctions WordPress.PHP.DiscouragedPHPFunctions WordPress.Files.FileName Squiz.Commenting.FileComment Generic.PHP.Syntax Directories not PHPCS scanned: tests/unit

[wpcomvip-vipgoci-bot]

⚠️ Warning( severity 5 ): Unused variable $problem_addon_file_names (VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable).

[wpcomvip-vipgoci-bot]

phpcs scanning turned up:

🚫 1 error

---

This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.

---

Scan run detail

Software versions vip-go-ci version: 1.2.3 PHP runtime version for vip-go-ci: 8.1.7 PHP runtime for linting: PHP 8.1: 8.1.7 PHP runtime version for PHPCS: 7.4.30 PHPCS version: 3.6.2 PHP runtime version for SVG scanner: 7.4.30 Options file (.vipgoci_options) Options file enabled: true Configurable options: skip-execution skip-draft-prs lint-modified-files-only phpcs phpcs-severity phpcs-sniffs-include phpcs-sniffs-exclude report-no-issues-found review-comments-sort review-comments-include-severity post-generic-pr-support-comments review-comments-sort scan-details-msg-include svg-checks autoapprove autoapprove-php-nonfunctional-changes hashes-api Options altered: phpcs-severityset to1 phpcs-sniffs-includeset toGeneric.PHP.DisallowShortOpenTag, Squiz.PHP.CommentedOutCode phpcs-sniffs-excludeset toWordPress.Security.EscapeOutput, WordPress.PHP.DevelopmentFunctions, WordPress.WP.AlternativeFunctions, WordPress.PHP.DiscouragedPHPFunctions, WordPress.Files.FileName, Squiz.Commenting.FileComment, Generic.PHP.Syntax skip-draft-prsset to

PHP lint options PHP lint files enabled: true Lint modified files only: true Directories not PHP linted: None SVG configuration SVG scanning enabled: true Auto-approval configuration Auto-approvals enabled: true Non-functional changes auto-approved: true Auto-approval DB enabled: true Auto-approved file-types: css csv eot gif gz ico ini jpeg jpg json less map md mdown mo mp4 otf pcss pdf po pot png sass scss styl ttf txt woff woff2 yml

PHPCS configuration PHPCS scanning enabled: true PHPCS severity level: 1 Standard(s) used: PHPCompatibility PHPCompatibilityParagonieRandomCompat PHPCompatibilityParagonieSodiumCompat VariableAnalysis WordPress Runtime set: testVersion 8.1- Custom sniffs included: Generic.PHP.DisallowShortOpenTag Squiz.PHP.CommentedOutCode Custom sniffs excluded: WordPress.Security.EscapeOutput WordPress.PHP.DevelopmentFunctions WordPress.WP.AlternativeFunctions WordPress.PHP.DiscouragedPHPFunctions WordPress.Files.FileName Squiz.Commenting.FileComment Generic.PHP.Syntax Directories not PHPCS scanned: tests/unit

Dismissing review as all inline comments are obsolete by now

[wpcomvip-vipgoci-bot]

phpcs scanning turned up:

⚠️ 3 warnings

---

This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.

---

Scan run detail

Software versions vip-go-ci version: 1.2.3 PHP runtime version for vip-go-ci: 8.1.7 PHP runtime for linting: PHP 8.1: 8.1.7 PHP runtime version for PHPCS: 7.4.30 PHPCS version: 3.6.2 PHP runtime version for SVG scanner: 7.4.30 Options file (.vipgoci_options) Options file enabled: true Configurable options: skip-execution skip-draft-prs lint-modified-files-only phpcs phpcs-severity phpcs-sniffs-include phpcs-sniffs-exclude report-no-issues-found review-comments-sort review-comments-include-severity post-generic-pr-support-comments review-comments-sort scan-details-msg-include svg-checks autoapprove autoapprove-php-nonfunctional-changes hashes-api Options altered: phpcs-severityset to1 phpcs-sniffs-includeset toGeneric.PHP.DisallowShortOpenTag, Squiz.PHP.CommentedOutCode phpcs-sniffs-excludeset toWordPress.Security.EscapeOutput, WordPress.PHP.DevelopmentFunctions, WordPress.WP.AlternativeFunctions, WordPress.PHP.DiscouragedPHPFunctions, WordPress.Files.FileName, Squiz.Commenting.FileComment, Generic.PHP.Syntax skip-draft-prsset to

PHP lint options PHP lint files enabled: true Lint modified files only: true Directories not PHP linted: None SVG configuration SVG scanning enabled: true Auto-approval configuration Auto-approvals enabled: true Non-functional changes auto-approved: true Auto-approval DB enabled: true Auto-approved file-types: css csv eot gif gz ico ini jpeg jpg json less map md mdown mo mp4 otf pcss pdf po pot png sass scss styl ttf txt woff woff2 yml

PHPCS configuration PHPCS scanning enabled: true PHPCS severity level: 1 Standard(s) used: PHPCompatibility PHPCompatibilityParagonieRandomCompat PHPCompatibilityParagonieSodiumCompat VariableAnalysis WordPress Runtime set: testVersion 8.1- Custom sniffs included: Generic.PHP.DisallowShortOpenTag Squiz.PHP.CommentedOutCode Custom sniffs excluded: WordPress.Security.EscapeOutput WordPress.PHP.DevelopmentFunctions WordPress.WP.AlternativeFunctions WordPress.PHP.DiscouragedPHPFunctions WordPress.Files.FileName Squiz.Commenting.FileComment Generic.PHP.Syntax Directories not PHPCS scanned: tests/unit

[wpcomvip-vipgoci-bot]

phpcs scanning turned up:

🚫 1 error

---

This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.

---

Scan run detail

Software versions vip-go-ci version: 1.2.3 PHP runtime version for vip-go-ci: 8.1.7 PHP runtime for linting: PHP 8.1: 8.1.7 PHP runtime version for PHPCS: 7.4.30 PHPCS version: 3.6.2 PHP runtime version for SVG scanner: 7.4.30 Options file (.vipgoci_options) Options file enabled: true Configurable options: skip-execution skip-draft-prs lint-modified-files-only phpcs phpcs-severity phpcs-sniffs-include phpcs-sniffs-exclude report-no-issues-found review-comments-sort review-comments-include-severity post-generic-pr-support-comments review-comments-sort scan-details-msg-include svg-checks autoapprove autoapprove-php-nonfunctional-changes hashes-api Options altered: phpcs-severityset to1 phpcs-sniffs-includeset toGeneric.PHP.DisallowShortOpenTag, Squiz.PHP.CommentedOutCode phpcs-sniffs-excludeset toWordPress.Security.EscapeOutput, WordPress.PHP.DevelopmentFunctions, WordPress.WP.AlternativeFunctions, WordPress.PHP.DiscouragedPHPFunctions, WordPress.Files.FileName, Squiz.Commenting.FileComment, Generic.PHP.Syntax skip-draft-prsset to

PHP lint options PHP lint files enabled: true Lint modified files only: true Directories not PHP linted: None SVG configuration SVG scanning enabled: true Auto-approval configuration Auto-approvals enabled: true Non-functional changes auto-approved: true Auto-approval DB enabled: true Auto-approved file-types: css csv eot gif gz ico ini jpeg jpg json less map md mdown mo mp4 otf pcss pdf po pot png sass scss styl ttf txt woff woff2 yml

PHPCS configuration PHPCS scanning enabled: true PHPCS severity level: 1 Standard(s) used: PHPCompatibility PHPCompatibilityParagonieRandomCompat PHPCompatibilityParagonieSodiumCompat VariableAnalysis WordPress Runtime set: testVersion 8.1- Custom sniffs included: Generic.PHP.DisallowShortOpenTag Squiz.PHP.CommentedOutCode Custom sniffs excluded: WordPress.Security.EscapeOutput WordPress.PHP.DevelopmentFunctions WordPress.WP.AlternativeFunctions WordPress.PHP.DiscouragedPHPFunctions WordPress.Files.FileName Squiz.Commenting.FileComment Generic.PHP.Syntax Directories not PHPCS scanned: tests/unit

Dismissing review as all inline comments are obsolete by now

[nickdaugherty]

@gudmdharalds the changes all look good, but do you know if the Markdown escaping is going to come through with a \ in the GH comments? Not all characters always need escaping...the position of them is relevant in Markdown.

An asterisk in the middle of a sentence won't have any effect, but if it starts a line and is followed by a space, it would get turned into a bullet item, for example.

I guess we can see how it works in practice and tweak it if needed.

[wpcomvip-vipgoci-bot]

phpcs scanning turned up:

🚫 1 error

---

This bot provides automated PHP linting and PHPCS scanning. For more information about the bot and available customizations, see our documentation.

---

Scan run detail

Software versions vip-go-ci version: 1.2.6 PHP runtime version for vip-go-ci: 8.1.10 PHP runtime for linting: PHP 8.1: 8.1.10 PHP runtime version for PHPCS: 7.4.30 PHPCS version: 3.7.1 PHP runtime version for SVG scanner: 7.4.30 Options file (.vipgoci_options) Options file enabled: true Configurable options: skip-execution skip-draft-prs lint-modified-files-only phpcs phpcs-severity phpcs-sniffs-include phpcs-sniffs-exclude report-no-issues-found review-comments-sort review-comments-include-severity post-generic-pr-support-comments review-comments-sort scan-details-msg-include svg-checks autoapprove autoapprove-php-nonfunctional-changes Options altered: phpcs-severityset to1 phpcs-sniffs-includeset toGeneric.PHP.DisallowShortOpenTag, Squiz.PHP.CommentedOutCode phpcs-sniffs-excludeset toWordPress.Security.EscapeOutput, WordPress.PHP.DevelopmentFunctions, WordPress.WP.AlternativeFunctions, WordPress.PHP.DiscouragedPHPFunctions, WordPress.Files.FileName, Squiz.Commenting.FileComment, Generic.PHP.Syntax skip-draft-prsset to

PHP lint options PHP lint files enabled: true Lint modified files only: true Directories not PHP linted: None SVG configuration SVG scanning enabled: true Auto-approval configuration Auto-approvals enabled: true Non-functional changes auto-approved: true Auto-approved file-types: css csv eot gif gz ico ini jpeg jpg json less map md mdown mo mp4 otf pcss pdf po pot png sass scss styl ttf txt woff woff2 yml

PHPCS configuration PHPCS scanning enabled: true PHPCS severity level: 1 Standard(s) used: PHPCompatibility PHPCompatibilityParagonieRandomCompat PHPCompatibilityParagonieSodiumCompat VariableAnalysis WordPress Runtime set: testVersion 8.1- Custom sniffs included: Generic.PHP.DisallowShortOpenTag Squiz.PHP.CommentedOutCode Custom sniffs excluded: WordPress.Security.EscapeOutput WordPress.PHP.DevelopmentFunctions WordPress.WP.AlternativeFunctions WordPress.PHP.DiscouragedPHPFunctions WordPress.Files.FileName Squiz.Commenting.FileComment Generic.PHP.Syntax Directories not PHPCS scanned: tests/unit

[wpcomvip-vipgoci-bot]

🚫 Error( severity 5 ): You must use "/**" style comments for a function comment (Squiz.Commenting.FunctionComment.WrongStyle).