Add support for WPScan API scanning

defines.php

@@ -19,10 +19,15 @@
 define( 'VIPGOCI_PHP_VERSION_MINIMUM', '7.3.0' );
 
 /*
- * Client-ID for curl-requests, etc.
+ * Client-ID for HTTP requests.
  */
 define( 'VIPGOCI_CLIENT_ID', 'automattic-vip-go-ci' );
+
+/*
+ * Strings for generic messages.
+ */
 define( 'VIPGOCI_SYNTAX_ERROR_STR', 'PHP Syntax Errors Found' );
+define( 'VIPGOCI_WPSCAN_API_ERROR', 'Automated Addon Security Scanning' );
 define( 'VIPGOCI_GITHUB_ERROR_STR', 'GitHub API communication error. Please contact a human.' );
 
 /*
@@ -35,6 +40,11 @@
 	define( 'VIPGOCI_GITHUB_BASE_URL', 'https://api.github.com' );
 }
 
+/*
+ * Defines for various sizes, such as KB.
+ */
+define( 'VIPGOCI_KB_IN_BYTES', 1024 );
+
 /*
  * Timeout constant for HTTP APIs.
  */
@@ -158,15 +168,21 @@
  * arguments passed to the program (e.g., --phpcs)
  * -- altering these is not recommended.
  */
-
 define( 'VIPGOCI_STATS_PHPCS', 'phpcs' );
 define( 'VIPGOCI_STATS_LINT', 'lint' );
 define( 'VIPGOCI_STATS_HASHES_API', 'hashes-api' );
+define( 'VIPGOCI_STATS_WPSCAN_API', 'wpscan-api' );
 
 /*
- * Define auto-approval types
+ * Define error/warning/info constants.
  */
+define( 'VIPGOCI_ISSUE_TYPE_INFO', 'info' );
+define( 'VIPGOCI_ISSUE_TYPE_WARNING', 'warning' );
+define( 'VIPGOCI_ISSUE_TYPE_ERROR', 'error' );
 
+/*
+ * Define auto-approval types
+ */
 define( 'VIPGOCI_APPROVAL_AUTOAPPROVE', 'auto-approval' );
 define( 'VIPGOCI_APPROVAL_HASHES_API', 'hashes-api' );
 
@@ -228,3 +244,22 @@
 );
 
 define( 'VIPGOCI_VALIDATION_MAXIMUM_DETAIL_MSG', 'Note that the above file(s) were not analyzed due to their length.' );
+
+/*
+ * Defines for WPScan API support.
+ */
+define( 'VIPGOCI_WPSCAN_PLUGIN', 'vipgoci-wpscan-plugin' );
+define( 'VIPGOCI_WPSCAN_THEME', 'vipgoci-wpscan-theme' );
+define( 'VIPGOCI_WPSCAN_BASE_URL', 'https://wpscan.com' );
+define( 'VIPGOCI_WPSCAN_API_BASE_URL', VIPGOCI_WPSCAN_BASE_URL . '/api/v3' );
+
+define( 'VIPGOCI_WPSCAN_VULNERABLE', 'vulnerable' );
+define( 'VIPGOCI_WPSCAN_OBSOLETE', 'obsolete' );
+
+define( 'VIPGOCI_WPSCAN_SEVERITY_UNKNOWN', -1 );
+define( 'VIPGOCI_WPSCAN_SEVERITY_NONE', 0.0 );
+define( 'VIPGOCI_WPSCAN_SEVERITY_LOW', 3.9 ); // 0.1-3.9.
+define( 'VIPGOCI_WPSCAN_SEVERITY_MEDIUM', 6.9 ); // 4.0-6.9.
+define( 'VIPGOCI_WPSCAN_SEVERITY_HIGH', 8.9 ); // 7.0-8.9.
+define( 'VIPGOCI_WPSCAN_SEVERITY_CRITICAL', 10.0 ); // 9.0-10.
+

github-misc.php

@@ -312,3 +312,128 @@ function vipgoci_github_prs_urls_get(
 
 	return $prs_urls;
 }
+
+/**
+ * Construct array of files affected -- altered, added, deleted -- by
+ * each pull request implicated by the commit. Will also include list
+ * of all files affected.
+ *
+ * @param array  $options               Options array for the program.
+ * @param string $commit_id             Commit-ID of current commit.
+ * @param array  $commit_skipped_files  Information about skipped files (reference).
+ * @param array  $skip_folders          Directories not to scan.
+ *
+ * @return array Returns associative array with key as pull request number and value as array of affected files. Includes special key 'all' which includes all files altered by all pull requests. Example:
+ *  Array(
+ *    [all] => Array(
+ *      [0] => folder1/test.php
+ *      [1] => folder2/test2.php
+ *      [2] => testing/file.php
+ *    ),
+ *    [17] => Array(
+ *      [0] => folder1/test.php
+ *      [1] => testing/file.php
+ *    ),
+ *    [20] => Array(
+ *      [0] => folder1/test.php
+ *      [1] => folder2/test2.php
+ *    )
+ *  )
+ */
+function vipgoci_github_files_affected_by_commit(
+	array $options,
+	string $commit_id,
+	array &$commit_skipped_files,
+	array $skip_folders
+) :array {
+	vipgoci_log(
+		'Fetching list of all files affected by each pull request ' .
+			'implicated by the commit',
+		array(
+			'repo_owner' => $options['repo-owner'],
+			'repo_name'  => $options['repo-name'],
+			'commit_id'  => $options['commit'],
+		)
+	);
+
+	// Fetch list of all pull requests which the commit is a part of.
+	$prs_implicated = vipgoci_github_prs_implicated(
+		$options['repo-owner'],
+		$options['repo-name'],
+		$commit_id,
+		$options['token'],
+		$options['branches-ignore'],
+		$options['skip-draft-prs']
+	);
+
+	$pr_item_files_changed = array(
+		'all' => array(),
+	);
+
+	foreach ( $prs_implicated as $pr_item ) {
+		/*
+		 * Make sure that the PR is defined in the array.
+		 */
+		if ( ! isset( $pr_item_files_changed[ $pr_item->number ] ) ) {
+			$pr_item_files_changed[ $pr_item->number ] = array();
+		}
+
+		/*
+		 * Get list of all files changed
+		 * in this pull request.
+		 */
+		$pr_item_files_tmp = vipgoci_git_diffs_fetch(
+			$options['local-git-repo'],
+			$options['repo-owner'],
+			$options['repo-name'],
+			$options['token'],
+			$pr_item->base->sha,
+			$options['commit'],
+			false, // Exclude renamed files.
+			false, // Exclude removed files.
+			false, // Exclude permission changes.
+			array(
+				'file_extensions' => array( 'php' ),
+				'skip_folders'    => $skip_folders,
+			)
+		);
+
+		foreach (
+			array_keys( $pr_item_files_tmp['files'] ) as
+				$pr_item_file_name
+		) {
+			/*
+			 * Check for too long file.
+			 */
+			if (
+				( isset(
+					$commit_skipped_files[ $pr_item->number ]['issues'][ VIPGOCI_VALIDATION_MAXIMUM_LINES ]
+				) )
+				&&
+				( true === in_array(
+					$pr_item_file_name,
+					$commit_skipped_files[ $pr_item->number ]['issues'][ VIPGOCI_VALIDATION_MAXIMUM_LINES ],
+					true
+				) )
+			) {
+				continue;
+			}
+
+			/*
+			 * Add file to arrays, if not already there.
+			 */
+			vipgoci_array_push_uniquely(
+				$pr_item_files_changed['all'],
+				$pr_item_file_name
+			);
+
+			vipgoci_array_push_uniquely(
+				$pr_item_files_changed[ $pr_item->number ],
+				$pr_item_file_name
+			);
+		}
+	}
+
+	return $pr_item_files_changed;
+}
+

http-functions.php

@@ -586,6 +586,15 @@ function vipgoci_http_api_fetch_url(
 							$http_api_auth_header,
 					)
 				);
+			} elseif ( isset( $http_api_token['wpscan_token'] ) ) {
+				curl_setopt(
+					$ch,
+					CURLOPT_HTTPHEADER,
+					array(
+						'Authorization: Token token=' .
+							$http_api_token['wpscan_token'],
+					)
+				);
 			}
 		}
 
@@ -720,21 +729,27 @@ function vipgoci_http_api_fetch_url(
  * Note that the '$http_delete' parameter will determine
  * if a POST or DELETE request will be sent.
  *
- * @param string $http_api_url        HTTP request URL.
- * @param array  $http_api_postfields HTTP request fields.
- * @param string $http_api_token      Access token to use.
- * @param bool   $http_delete         If to perform HTTP DELETE instead of POST.
+ * @param string      $http_api_url        HTTP request URL.
+ * @param array       $http_api_postfields HTTP request postfields.
+ * @param null|string $http_api_token      Access token to use as string, null to skip.
+ * @param bool        $http_delete         When true, performs HTTP DELETE instead of POST.
+ * @param bool        $json_encode         If true, will JSON encode $http_api_postfields using json_encode()
+ *                                         before sending request, else uses http_build_query() to
+ *                                         generate URL-encoded query-string from $http_api_postfields.
+ * @param string      $http_content_type   The HTTP Content-Type header value to use. 'application/json' is the default.
  *
- * @return int Zero (0) on success, -1 on failure. Failures will be logged.
+ * @return string|int Request body as string on success, -1 on failure. Failures will be logged.
  *
  * @codeCoverageIgnore
  */
 function vipgoci_http_api_post_url(
 	string $http_api_url,
 	array $http_api_postfields,
-	string $http_api_token,
-	bool $http_delete = false
-) :null|int {
+	null|string $http_api_token,
+	bool $http_delete = false,
+	bool $json_encode = true,
+	string $http_content_type = 'application/json'
+) :string|int {
 	/*
 	 * Actually send a request to HTTP API -- make sure
 	 * to retry if something fails.
@@ -796,10 +811,21 @@ function vipgoci_http_api_post_url(
 			);
 		}
 
+		// Encode postfields as JSON if requested, else generate URL-encoded query string.
+		if ( true === $json_encode ) {
+			$tmp_postfields = json_encode(
+				$http_api_postfields
+			);
+		} else {
+			$tmp_postfields = http_build_query(
+				$http_api_postfields
+			);
+		}
+
 		curl_setopt(
 			$ch,
 			CURLOPT_POSTFIELDS,
-			json_encode( $http_api_postfields )
+			$tmp_postfields
 		);
 
 		curl_setopt(
@@ -808,11 +834,29 @@ function vipgoci_http_api_post_url(
 			'vipgoci_curl_headers'
 		);
 
-		curl_setopt(
-			$ch,
-			CURLOPT_HTTPHEADER,
-			array( 'Authorization: token ' . $http_api_token )
-		);
+		// Construct HTTP headers to send with the request.
+		$tmp_http_headers_arr = array();
+
+		if (
+			( is_string( $http_api_token ) ) &&
+			( strlen( $http_api_token ) > 0 )
+		) {
+			$tmp_http_headers_arr[] = 'Authorization: token ' . $http_api_token;
+		}
+
+		if ( strlen( $http_content_type ) > 0 ) {
+			$tmp_http_headers_arr[] = 'Content-Type: ' . $http_content_type;
+		}
+
+		if ( ! empty( $tmp_http_headers_arr ) ) {
+			curl_setopt(
+				$ch,
+				CURLOPT_HTTPHEADER,
+				$tmp_http_headers_arr
+			);
+		}
+
+		unset( $tmp_http_headers_arr );
 
 		vipgoci_curl_set_security_options(
 			$ch
@@ -922,6 +966,7 @@ function vipgoci_http_api_post_url(
 			}
 		}
 
+		// On failure, log message.
 		if ( -1 === $ret_val ) {
 			vipgoci_log(
 				( false === $resp_data ?
@@ -973,7 +1018,11 @@ function vipgoci_http_api_post_url(
 		( $retry_cnt++ < $retry_max )
 	);
 
-	return $ret_val;
+	if ( 0 === $ret_val ) {
+		return $resp_data;
+	} else {
+		return $ret_val;
+	}
 }
 
 /**