
Codebase Manager

VIP’s Codebase Manager is a service that helps customers keep versions of plugins and themes in their WordPress application code secure and up to date. Codebase Manager’s automated security scanning watches for new vulnerabilities that are published to WPScan.

The WPScan API is leveraged by Codebase Manager to scan the application code deployed to a WordPress environment for known vulnerabilities and available version updates for plugins.

Codebase Manager scans application code that is deployed with the Default Deployment method and with the Custom Deployment method.

Reports for scan results

Customers can stay informed of known security vulnerabilities that are identified by the scans in several ways:

  • The Bot’s Vulnerability and Update Scan: Security vulnerabilities and available version updates for plugin and theme code in pull requests are identified and reported by the VIP Code Analysis Bot.
  • VIP Dashboard Plugins panel: Identified security vulnerabilities and available version updates for plugins that are already deployed to application environments are reported in the VIP Dashboard Plugins panel.
  • Notifications: Automated messages that are triggered by all levels of identified security vulnerabilities for plugins that are already deployed to application environments. Notifications are opt-in, and can be sent to a webhook URL for Slack, Google Chat, or Microsoft Teams, a general-purpose webhook URL, or an email address.
  • Important Alerts: Automated Notifications that are triggered by identified security vulnerabilities rated as high or critical for plugins that are already deployed to application environments. All users with an Org admin role or an App admin role receive Important Alerts by email by default.

WPScan CVSS ratings

Known vulnerabilities are assigned a rating based on the Common Vulnerability Scoring System (CVSS).

None : 0.0
Low : 0.1-3.9
Medium : 4.0-6.9
High : 7.0-8.9
Critical : 9.0-10.0

Preventing false-positive matches

On rare occasions, the naming convention of a plugin or theme directory can cause Codebase Manager to identify a false positive match. A false positive can occur when the directory name for a custom plugin or theme—or a third-party plugin or theme from a different source—is identical or similar to the directory name of a WordPress.org plugin or theme.

To prevent false-positive matches, customers should:

  • Verify that the (WordPress.org) plugin or theme reported by Codebase Manager as having a vulnerability or an available update is an accurate match for the plugin or theme in their application repository or scanned pull request.
  • Utilize the Update URI header field in custom plugins and themes to prevent them from being accidentally overwritten by an update of a plugin or theme from the WordPress.org Plugin Directory that has a similar name and slug. In plugins the Update URI header should be added to the header file, and for themes it should be added to the main stylesheet. The Bot’s WPScan Analysis supports the Update URI header for themes, even though it is not supported by WordPress itself.

A plugin or theme will be ignored by Codebase Manager scans if the Update URI header is assigned as false, or assigned a value that does not contain WordPress.org or w.org.
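To see how the Update URI rule above plays out against real header blocks, here is an added Python example (not VIP’s or WordPress’s own code) that reads the header comment of a plugin’s main file or a theme’s style.css and applies the documented rule. The sample headers are constructed for this example, and the case-insensitive comparison of the Update URI value is an assumption of the example.

```python
import re

# One "Key: Value" header line, optionally prefixed by the " * " of a docblock.
HEADER_LINE = re.compile(r"^\s*\*?\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$", re.MULTILINE)

def parse_headers(source: str) -> dict:
    """Header fields from the first comment block of a plugin file or theme style.css."""
    block = re.search(r"/\*.*?\*/", source, re.DOTALL)
    if not block:
        return {}
    return {k.strip().lower(): v for k, v in HEADER_LINE.findall(block.group(0))}

def is_ignored_by_codebase_manager(source: str) -> bool:
    """Documented rule: skipped when Update URI is 'false' or a value that does not
    mention WordPress.org or w.org (case-insensitive match is this example's assumption)."""
    update_uri = parse_headers(source).get("update uri")
    if update_uri is None:
        return False  # no header: the plugin/theme is still matched against WordPress.org
    value = update_uri.lower()
    return value == "false" or ("wordpress.org" not in value and "w.org" not in value)

# Constructed sample headers (not real plugins or themes).
CUSTOM_PLUGIN = """<?php
/**
 * Plugin Name: Acme Checkout
 * Update URI: false
 */
"""
PRIVATE_PLUGIN = """<?php
/**
 * Plugin Name: Acme Analytics
 * Update URI: https://updates.example.com/acme-analytics
 */
"""
WPORG_PLUGIN = """<?php
/**
 * Plugin Name: Example Gallery
 * Update URI: https://wordpress.org/plugins/example-gallery/
 */
"""
CUSTOM_THEME = """/*
Theme Name: Acme Theme
Update URI: https://example.com/themes/acme
*/
"""
```

Only the plugin pointing at WordPress.org stays in scope for matching; the `false` header and the non-WordPress.org update URLs take the custom plugin and theme out of the scan, which is the intended way to stop a same-named WordPress.org entry from being reported against them.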

Last updated: July 09, 2025

Relevant to

  • WordPress