
ARCHIVED: Scans your composer.lock file to find vulnerable WordPress plugins and themes using the https://wpvulndb.com API


WordPress Composer Scan

Scans your composer.lock file to find vulnerable WordPress plugins and themes using the WPScan Vulnerability Database API

Support Level MIT License

Requirements

  • API key from the WPScan Vulnerability Database
  • Supports most major Python versions since 2.7; see tox.ini for the tested versions
  • Required Python packages (installed automatically by setup.py):
      • requests
      • click

Installation

Clone this repo and install with pip:

git clone https://github.com/10up/composer-scan.git composer-scan
cd composer-scan
pip install .   ## installs the python package in the current directory

Usage

> composer-scan --help
Usage: composer-scan [OPTIONS]

  Console script for composer_scan.

Options:
  -f PATH       composer.lock file to scan, defaults to file in current
                directory
  -v            Verbose output, show status of all plugins, if not set only
                outputs found vulnerabilities
  --no-fail     even if vulnerabilities are found, exit 0 (emergency option to
                not fail CI pipelines)
  --token TEXT  WPVulnDB API token, or set the environment variable
                WPVULNDB_API_TOKEN  [required]
  --help        Show this message and exit.

The WPScan Vulnerability Database API key can be passed on the command line with --token or, preferably, set in the environment variable WPVULNDB_API_TOKEN (a token given as a command-line argument ends up in shell history and is visible to other users in the process list, so the environment variable is the better choice in CI). -f selects the file to scan; if it is not given, composer.lock in the current directory is used. The scan exits non-zero when vulnerabilities are found, so a CI job running it will fail; --no-fail overrides this and exits 0 regardless.

> export WPVULNDB_API_TOKEN="api_token"
> composer-scan -f ~/wp-local-docker-sites/mysite/wordpress/wp-content/composer.lock
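To make the scan's logic concrete, here is an added, self-contained example in the spirit of the tool. It is not 10up/composer-scan's own code. It parses a constructed composer.lock excerpt (the real lock format, with hypothetical package names and versions), picks out the wpackagist-plugin/ and wpackagist-theme/ packages that Composer-managed WordPress sites pull from wpackagist.org, and compares each installed version against a constructed advisory feed. The feed's shape (a list of advisories per slug with a `fixed_in` version, `None` meaning unfixed) is an assumption standing in for the live WPScan API response, and the exit code of 1 on findings is likewise an assumption; the page only says the real tool exits non-zero unless --no-fail is given. The version comparison is deliberately simple and ignores pre-release suffixes.

```python
"""Added example: scan a composer.lock for vulnerable WordPress plugins/themes.

Illustration only, not 10up/composer-scan itself. The lock excerpt and the
advisory feed below are constructed; the feed shape is an assumption that
stands in for the live WPScan API response.
"""
import json
import sys

# Constructed composer.lock excerpt (real format, hypothetical packages).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "wpackagist-plugin/example-forms", "version": "2.0.1",
         "type": "wordpress-plugin"},
        {"name": "wpackagist-theme/example-theme", "version": "1.4.0",
         "type": "wordpress-theme"},
        {"name": "johnpbloch/wordpress-core", "version": "6.1.0",
         "type": "wordpress-core"},
        {"name": "monolog/monolog", "version": "2.3.5", "type": "library"},
    ],
    # Dev packages are deployed by many builds too, so they are scanned as well.
    "packages-dev": [
        {"name": "wpackagist-plugin/example-debug", "version": "0.9",
         "type": "wordpress-plugin"},
    ],
})

# Constructed advisory feed: kind -> slug -> advisories. ``fixed_in`` is the
# first fixed version, or None when no fix has been released (assumed shape).
SAMPLE_FEED = {
    "plugin": {
        "example-forms": [{"title": "Hypothetical XSS", "fixed_in": "2.0.2"}],
        "example-debug": [{"title": "Hypothetical info disclosure", "fixed_in": None}],
    },
    "theme": {
        "example-theme": [{"title": "Hypothetical CSRF", "fixed_in": "1.3.9"}],
    },
}


def wp_packages(lock_text):
    """Yield (kind, slug, version) for every wpackagist plugin or theme in the lock."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            vendor, _, slug = pkg["name"].partition("/")
            if vendor == "wpackagist-plugin":
                yield "plugin", slug, pkg["version"]
            elif vendor == "wpackagist-theme":
                yield "theme", slug, pkg["version"]


def parse_version(version):
    """Turn '1.4.2' (or 'v1.4.2') into (1, 4, 2) so tuples compare numerically.

    Simplified on purpose: pre-release suffixes such as '-beta1' are dropped.
    """
    parts = []
    for piece in version.lstrip("v").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(installed, fixed_in):
    """Affected when no fix exists, or the installed version predates the fix."""
    if fixed_in is None:
        return True
    return parse_version(installed) < parse_version(fixed_in)


def scan(lock_text, feed):
    """Return findings as (kind, slug, version, title, fixed_in) tuples."""
    findings = []
    for kind, slug, version in wp_packages(lock_text):
        for adv in feed.get(kind, {}).get(slug, []):
            if is_affected(version, adv["fixed_in"]):
                findings.append((kind, slug, version, adv["title"], adv["fixed_in"]))
    return findings


def exit_code(findings, no_fail=False):
    """Mirror the CLI contract: fail the pipeline on findings unless --no-fail.

    The value 1 is an assumption; the page only says the tool exits non-zero.
    """
    return 0 if (no_fail or not findings) else 1


if __name__ == "__main__":
    results = scan(SAMPLE_LOCK, SAMPLE_FEED)
    for kind, slug, version, title, fixed in results:
        print(f"{kind} {slug} {version}: {title} (fixed in {fixed or 'no fix yet'})")
    sys.exit(exit_code(results, no_fail="--no-fail" in sys.argv[1:]))
```

Run it plainly and it exits 1 after reporting example-forms and example-debug; example-theme is not reported because 1.4.0 is already past the fix. Pass --no-fail and the same report is printed but the exit code is 0, which is the behaviour the real option exists to provide when a pipeline must ship despite a known finding.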

Support Level

Stable: 10up is not planning to develop any new features for this, but will still respond to bug reports and security concerns. We welcome PRs, but any that include new features should be small and easy to integrate and should not include breaking changes. We otherwise intend to keep this tested up to the most recent version of WordPress.

Contributing

Please read CODE_OF_CONDUCT.md for details on our code of conduct and CONTRIBUTING.md for details on the process for submitting pull requests to us.

Like what you see?

Work with us at 10up
