feat(scan): WordPress Vulnerability Scan (core, plugin, theme) (#769)

https://github.com/future-architect/vuls/pull/769
2019-04-08 17:27:44 +09:00
parent 91df593566
commit 99c65eff48
59 changed files with 1284 additions and 602 deletions
--- a/report/slack.go
+++ b/report/slack.go
@@ -30,6 +30,7 @@ import (
 	"github.com/nlopes/slack"
 	"github.com/parnurzeal/gorequest"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/xerrors"
 )

 type field struct {
@@ -155,9 +156,9 @@ func send(msg message) error {
 			if count == retryMax {
 				return nil
 			}
-			return fmt.Errorf(
-				"HTTP POST error: %v, url: %s, resp: %v, body: %s",
-				errs, conf.HookURL, resp, body)
+			return xerrors.Errorf(
+				"HTTP POST error. url: %s, resp: %v, body: %s, err: %w",
+				conf.HookURL, resp, body, errs)
 		}
 		return nil
 	}
@@ -167,10 +168,10 @@ func send(msg message) error {
 	}
 	boff := backoff.NewExponentialBackOff()
 	if err := backoff.RetryNotify(f, boff, notify); err != nil {
-		return fmt.Errorf("HTTP error: %s", err)
+		return xerrors.Errorf("HTTP error: %w", err)
 	}
 	if count == retryMax {
-		return fmt.Errorf("Retry count exceeded")
+		return xerrors.New("Retry count exceeded")
 	}
 	return nil
 }
@@ -202,39 +203,44 @@ func msgText(r models.ScanResult) string {
 func toSlackAttachments(r models.ScanResult) (attaches []slack.Attachment) {
 	vinfos := r.ScannedCves.ToSortedSlice()
 	for _, vinfo := range vinfos {
-		curent := []string{}
+
+		installed, candidate := []string{}, []string{}
 		for _, affected := range vinfo.AffectedPackages {
 			if p, ok := r.Packages[affected.Name]; ok {
-				curent = append(curent,
+				installed = append(installed,
 					fmt.Sprintf("%s-%s", p.Name, p.FormatVer()))
 			} else {
-				curent = append(curent, affected.Name)
+				installed = append(installed, affected.Name)
 			}
-		}
-		for _, n := range vinfo.CpeURIs {
-			curent = append(curent, n)
-		}
-		for _, n := range vinfo.GitHubSecurityAlerts {
-			curent = append(curent, n.PackageName)
-		}

-		new := []string{}
-		for _, affected := range vinfo.AffectedPackages {
 			if p, ok := r.Packages[affected.Name]; ok {
 				if affected.NotFixedYet {
-					new = append(new, "Not Fixed Yet")
+					candidate = append(candidate, "Not Fixed Yet")
 				} else {
-					new = append(new, p.FormatNewVer())
+					candidate = append(candidate, p.FormatNewVer())
 				}
 			} else {
-				new = append(new, "?")
+				candidate = append(candidate, "?")
 			}
 		}
-		for range vinfo.CpeURIs {
-			new = append(new, "?")
+
+		for _, n := range vinfo.CpeURIs {
+			installed = append(installed, n)
+			candidate = append(candidate, "?")
 		}
-		for range vinfo.GitHubSecurityAlerts {
-			new = append(new, "?")
+		for _, n := range vinfo.GitHubSecurityAlerts {
+			installed = append(installed, n.PackageName)
+			candidate = append(candidate, "?")
+		}
+
+		for _, wp := range vinfo.WpPackageFixStats {
+			if p, ok := r.WordPressPackages.Find(wp.Name); ok {
+				installed = append(installed, fmt.Sprintf("%s-%s", wp.Name, p.Version))
+				candidate = append(candidate, wp.FixedIn)
+			} else {
+				installed = append(installed, wp.Name)
+				candidate = append(candidate, "?")
+			}
 		}

 		a := slack.Attachment{
@@ -246,12 +252,12 @@ func toSlackAttachments(r models.ScanResult) (attaches []slack.Attachment) {
 				{
 					// Title: "Current Package/CPE",
 					Title: "Installed",
-					Value: strings.Join(curent, "\n"),
+					Value: strings.Join(installed, "\n"),
 					Short: true,
 				},
 				{
 					Title: "Candidate",
-					Value: strings.Join(new, "\n"),
+					Value: strings.Join(candidate, "\n"),
 					Short: true,
 				},
 			},
@@ -269,7 +275,7 @@ func cvssColor(cvssScore float64) string {
 		return "danger"
 	case 4 <= cvssScore && cvssScore < 7:
 		return "warning"
-	case cvssScore < 0:
+	case cvssScore == 0:
 		return "#C0C0C0"
 	default:
 		return "good"