Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Protect Status: Combine multiple vulnerabilities for the same extension into single threat objects #40863

Open
wants to merge 1 commit into
base: trunk
Choose a base branch
from
Open

Protect Status: Combine multiple vulnerabilities for the same extension into single threat objects #40863

wants to merge 1 commit into from

Conversation

nateweller
Copy link
Contributor

@nateweller nateweller commented Jan 6, 2025
edited
Loading

Updates the protect-status package to group vulnerabilities by extension (i.e. one threat per vulnerable extension).

Proposed changes:

  • Adds Vulnerability_Model class.
  • Adds Threat_Model::$vulnerabilities property.
  • Updates Protect_Status to generate a single Threat_Model per vulnerable extension, with the relevant vulnerabilities included as a property of the threat.
  • Updates tests.
  • Updates composer lock files.

Other information:

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

peb6dq-3ma-p2

Does this pull request change what data or activity we track or use?

No

Testing instructions:

  • Validate results from jetpack-protect/v1/status with a free plan:
    • Validate the deprecated plugins, themes, and core properties.
    • Validate the threats property.
    • Reference this value in Jetpack Protect using window.jetpackProtectInitialState, or the TanStack Query developer tools.
Screenshot 2025-01-06 at 3 11 05 PM Screenshot 2025-01-15 at 5 08 15 PM

@nateweller nateweller added [Type] Enhancement Changes to an existing feature — removing, adding, or changing parts of it [Status] In Progress labels Jan 6, 2025
@nateweller nateweller requested a review from a team January 6, 2025 20:58
@nateweller nateweller self-assigned this Jan 6, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 6, 2025
edited
Loading

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the protect-status/combine-vulns-into-extension-threat branch.

  • To test on Simple, run the following command on your sandbox:

    bin/jetpack-downloader test jetpack protect-status/combine-vulns-into-extension-threat

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 6, 2025
edited
Loading

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  • ✅ Add a "[Type]" label (Bug, Enhancement, Janitorial, Task).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Choose a review path based on your changes:
    • A. Team Review: add the "[Status] Needs Team Review" label
      • For most changes, including minor cross-team impacts.
      • Example: Updating a team-specific component or a small change to a shared library.
    • B. Crew Review: add the "[Status] Needs Review" label
      • For significant changes to core functionality.
      • Example: Major updates to a shared library or complex features.
    • C. Both: Start with Team, then request Crew
      • For complex changes or when you need extra confidence.
      • Example: Refactor affecting multiple systems.
  3. Get at least one approval before merging.

Still unsure? Reach out in #jetpack-developers for guidance!

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

  • WordPress.com Simple releases happen semi-continuously (PCYsg-Jjm-p2).
  • WoA releases happen weekly.
  • Releases to self-hosted sites happen monthly. The next release is scheduled for February 4, 2025 (scheduled code freeze on undefined).

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

Backup plugin:

  • Next scheduled release: none scheduled.

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

Boost plugin:

  • Next scheduled release: none scheduled.

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

Search plugin:

  • Next scheduled release: none scheduled.

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

Social plugin:

  • Next scheduled release: none scheduled.

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

Starter Plugin plugin:

  • Next scheduled release: none scheduled.

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

Protect plugin:

  • Next scheduled release: none scheduled.

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

Videopress plugin:

  • Next scheduled release: none scheduled.

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

@nateweller nateweller force-pushed the protect-status/combine-vulns-into-extension-threat branch 2 times, most recently from 8128367 to 51ecb63 Compare January 15, 2025 18:21
@nateweller nateweller marked this pull request as ready for review January 15, 2025 22:27
@nateweller nateweller force-pushed the protect-status/combine-vulns-into-extension-threat branch 3 times, most recently from 5b9c416 to 86e2a9f Compare January 15, 2025 23:26
@github-actions github-actions bot added [Plugin] Backup A plugin that allows users to save every change and get back online quickly with one-click restores. [Plugin] Boost A feature to speed up the site and improve performance. [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ [Plugin] Protect A plugin with features to protect a site: brute force protection, security scanning, and a WAF. [Plugin] Search A plugin to add an instant search modal to your site to help visitors find content faster. [Plugin] Social Issues about the Jetpack Social plugin [Plugin] Starter Plugin [Plugin] VideoPress A standalone plugin to add high-quality VideoPress videos to your site. labels Jan 15, 2025
@nateweller nateweller force-pushed the protect-status/combine-vulns-into-extension-threat branch from 32064df to fb06d1e Compare January 16, 2025 00:15
@nateweller
Combine multiple vulnerabilities for a single extension into one vuln…
ca8e549 
…erable extension threat

changelog

minor adjustments

changelog

add source to generator

minor adjustments

Add typed params

minor adjustments

use generator for core vulns threat

update tests, minor adjustments

adjust tests

Fix phan issues

add jetpack-redirect dep

fix tests

update lock files

changelog

Update projects/packages/protect-models/changelog/protect-status-combine-vulns-into-extension-threat
@nateweller nateweller force-pushed the protect-status/combine-vulns-into-extension-threat branch from fb06d1e to ca8e549 Compare January 16, 2025 00:19
dkmyta
dkmyta requested changes Jan 17, 2025
View reviewed changes
Copy link
Contributor

@dkmyta dkmyta left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Works as described and tests all continue to pass!

One minor change requested for the Vulnerability_Model documentation.

One other thing worth noting, I see that every entry in the new vulnerabilities array has an introduced_in prop that is set to null - seems that the Vulnerability_Model defines this value but we maybe aren't explicitly setting it, that or its just a complete coincidence that each of the vulns for the threat I added don't have that prop set.

projects/packages/protect-models/src/class-vulnerability-model.php
public $id;

/**
* Threat Title.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* Threat Title.
* Vulnerability Title.

I suspect this model was copied over from the Threat_Model, we should update the documentation to reflect the variation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dkmyta dkmyta dkmyta requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@nateweller nateweller

Labels
[Package] Protect Models [Package] Protect Status [Plugin] Backup A plugin that allows users to save every change and get back online quickly with one-click restores. [Plugin] Boost A feature to speed up the site and improve performance. [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ [Plugin] Protect A plugin with features to protect a site: brute force protection, security scanning, and a WAF. [Plugin] Search A plugin to add an instant search modal to your site to help visitors find content faster. [Plugin] Social Issues about the Jetpack Social plugin [Plugin] Starter Plugin [Plugin] VideoPress A standalone plugin to add high-quality VideoPress videos to your site. [Status] Needs Team Review [Tests] Includes Tests [Type] Enhancement Changes to an existing feature — removing, adding, or changing parts of it
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nateweller @dkmyta