NonceVerification: use separate errorcodes for warning vs error

While cleaning up a plugin, I noticed that the issue count for the `WordPress.Security.NonceVerification.NoNonceVerification` error code was different if I ran phpcs with the `-n` flag (no warnings).

Error codes should be unique. Having the same error code for something which is mandatory (`error`) and recommended (`warning`) is bad practice and does not properly allow for modular disabling of notices.

This PR fixes this.

As the error code is changing anyhow, I figured it made sense to also remove the duplication of the sniff name from the code.

This is a breaking change as `<exclude>`s for the old errorcode currently in custom rulesets will be invalidated by it, so this PR should go into WPCS 2.0.0.

N.B.: The ruleset change is necessary until the deprecated sniffs have been removed.

WordPress/Sniffs/Security/NonceVerificationSniff.php

@@ -155,12 +155,17 @@ public function process_token( $stackPtr ) {
 			return;
 		}
 
+		$error_code = 'Missing';
+		if ( false === $this->superglobals[ $instance['content'] ] ) {
+			$error_code = 'Recommended';
+		}
+
 		// If we're still here, no nonce-verification function was found.
 		$this->addMessage(
 			'Processing form data without nonce verification.',
 			$stackPtr,
 			$this->superglobals[ $instance['content'] ],
-			'NoNonceVerification'
+			$error_code
 		);
 	}
 

WordPress/ruleset.xml

@@ -41,7 +41,10 @@
 	</rule>
 
 	<!-- Prevent duplicate messages from deprecated sniff. -->
-	<rule ref="WordPress.CSRF.NonceVerification.NoNonceVerification">
+	<rule ref="WordPress.CSRF.NonceVerification.Missing">
+		<severity>0</severity>
+	</rule>
+	<rule ref="WordPress.CSRF.NonceVerification.Recommended">
 		<severity>0</severity>
 	</rule>