Codebase Manager

VIP’s Codebase Manager is a service that helps customers keep versions of plugins and themes in their wpcomvip GitHub repository secure and up to date. Codebase Manager’s automated security scanning watches for new vulnerabilities that are published to WPScan.

The WPScan API is leveraged by Codebase Manager to scan a WordPress application’s wpcomvip GitHub repository for known vulnerabilities and available version updates for plugins.

Reports for scan results

Customers can stay informed of known security vulnerabilities that are identified by the scans in several ways:

  • The Bot’s Vulnerability and Update Scan: Security vulnerabilities and available version updates for plugin and theme code in pull requests are identified and reported by the VIP Code Analysis Bot.
  • VIP Dashboard Plugins panel: Identified security vulnerabilities and available version updates for plugins that are already deployed to application environments are reported in the VIP Dashboard Plugins panel.
  • Notifications: Automated messages that are triggered by all levels of identified security vulnerabilities for plugins that are already deployed to application environments. Notifications are opt-in, and can be sent to a webhook URL for Slack, Google Chat, or Microsoft Teams, a general-purpose webhook URL, or an email address.
  • Important Alerts: Automated notifications that are triggered by identified security vulnerabilities rated as high or critical for plugins that are already deployed to application environments. All users with an Org admin role or an App admin role receive Important Alerts by email by default.

WPScan CVSS ratings

Known vulnerabilities are assigned a rating based on the Common Vulnerability Scoring System (CVSS).

None: 0.0
Low: 0.1-3.9
Medium: 4.0-6.9
High: 7.0-8.9
Critical: 9.0-10.0

Preventing false-positive matches

On rare occasions, the naming convention of a plugin or theme directory can cause Codebase Manager to identify a false positive match. A false positive can occur when the directory name for a custom plugin or theme—or third-party plugin or theme from a different source—is identical or similar to the directory name of a WordPress.org plugin or theme.

To prevent false-positive matches, customers should:

  • Verify that the (WordPress.org) plugin or theme reported by Codebase Manager as having a vulnerability or an available update is an accurate match for the plugin or theme in their application repository or scanned pull request.
  • Utilize the Update URI header field in custom plugins and themes to prevent them from being accidentally overwritten by an update of a plugin or theme from the WordPress.org Plugin Directory that has a similar name and slug. In plugins the Update URI header should be added to the header file, and for themes it should be added to the main stylesheet. The Bot’s WPScan Analysis supports the Update URI header for themes, even though it is not supported by WordPress itself.

A plugin or theme will be ignored by Codebase Manager scans if the Update URI header is assigned as false, or assigned a value that does not contain WordPress.org or w.org.
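The following is an added example, not part of VIP's documentation or the Codebase Manager service itself: a small Python check that reads the Update URI header from a plugin header file or a theme's main stylesheet and applies the ignore rule described above (header set to false, or to a value that does not contain WordPress.org or w.org). The sample file contents are constructed, the header parsing mimics the WordPress header-comment format, and treating the match as case-insensitive is an assumption.

```python
import re

# Constructed sample plugin header file: a custom plugin pointing at its own update source.
PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Acme Custom Widgets
 * Update URI: https://example.com/acme-widgets
 * Version: 1.2.0
 */
"""

# Constructed sample theme style.css: Update URI explicitly disabled.
THEME_STYLESHEET = """/*
Theme Name: Acme Theme
Update URI: false
Version: 3.0.0
*/
"""

# Constructed sample: no Update URI header at all (still subject to scanning).
NO_UPDATE_URI = """<?php
/*
Plugin Name: Contact Form Helper
Version: 2.1
*/
"""

# Constructed sample: Update URI pointing at WordPress.org (still subject to scanning).
WPORG_UPDATE_URI = """<?php
/*
Plugin Name: Foo
Update URI: https://wordpress.org/plugins/foo/
*/
"""

# Header lines may be prefixed with comment characters such as " * " or "#".
HEADER_RE = re.compile(r"^[ \t/*#@]*Update URI:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def read_update_uri(header_text):
    """Return the Update URI header value from a plugin file or style.css, or None if absent."""
    match = HEADER_RE.search(header_text)
    if not match:
        return None
    # Drop a trailing comment terminator or PHP close tag on the same line.
    return re.sub(r"\s*(?:\*/|\?>).*", "", match.group(1)).strip()


def ignored_by_scan(header_text):
    """True if the page's rule says Codebase Manager ignores this plugin or theme."""
    value = read_update_uri(header_text)
    if value is None:
        return False  # no header: scanned and matched by directory name as usual
    lowered = value.lower()  # assumption: comparison is case-insensitive
    if lowered == "false":
        return True
    return "wordpress.org" not in lowered and "w.org" not in lowered
```

Running `ignored_by_scan` over each plugin header file and theme stylesheet in a repository shows which custom code is already shielded from a false-positive match and which still relies on a directory name that may collide with a WordPress.org slug.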

Last updated: July 11, 2024

Relevant to

  • WordPress