LeTraceurSnork / WordPress-Security-Advisories

WordPress Security Advisories. Add this package to prevent vulnerable WordPress packages from being installed.
https://php.watch/articles/WordPress-Security-Advisories

automation #48

Open 8ctopus opened 1 week ago

8ctopus commented 1 week ago

Hello there,

Thank you for the work you're doing.

Are you using any form of automation to add Wordfence vulnerabilities to the composer.json in this repository?

If not, I think it's not that hard to create a bot that will automatically create pull requests based on the new vulnerabilities added to the feed: https://www.wordfence.com/help/wordfence-intelligence/v2-accessing-and-consuming-the-vulnerability-data-feed/

On the github side, this can be used https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#create-a-pull-request

LeTraceurSnork commented 5 days ago

I've been waiting for your Issue here :-)

Well, yeah, I agree with you on that, and no, no automation yet presented :-(

Since I don't have as much free time as I would like, automation may take a while. In the meantime, feel free to open a PR with such functionality, if you please.

8ctopus commented 5 days ago

Let me think a bit and I will get back to you.

LeTraceurSnork commented 4 days ago

I've looked through the Wordfence API - its responses are 770k+ lines (~39 MB) and 1200k+ lines (1.2 million, ~74 MB) for the routes /api/intelligence/v2/vulnerabilities/scanner/ and /api/intelligence/v2/vulnerabilities/production/ respectively. Well, I guess we can connect some cron-based bot to CI, but we shall test its performance first on some fork, 'cause I'm not sure GitHub will allow us that much runner resources. Also, as mentioned here https://docs.github.com/en/actions/administering-github-actions/usage-limits-billing-and-administration, it will only allow us 1000 API calls (I guess creating a PR is one API call), so we can't open all the PRs in one run.
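As an added illustration of the bot discussed in this thread (example code, not from this repository or from either participant), the following Python sketch turns Wordfence feed entries into composer.json `conflict` constraints and splits them into batches so a single run stays under the API-call budget mentioned above. The feed field names (`software`, `slug`, `type`, `affected_versions` with `from_version`/`to_version` and the `*_inclusive` flags), the `wpackagist-*` package naming and the sample feed are all assumptions.

```python
import json

# Constructed sample in the assumed feed layout: a JSON object keyed by UUID.
SAMPLE_FEED = json.dumps({
    "00000000-0000-0000-0000-000000000001": {
        "title": "Example Plugin <= 1.2.3 - Stored XSS (constructed)",
        "software": [{
            "type": "plugin", "slug": "example-plugin",
            "affected_versions": {
                "* - 1.2.3": {"from_version": "*", "to_version": "1.2.3",
                              "from_inclusive": True, "to_inclusive": True}},
            "patched": True, "patched_versions": ["1.2.4"]}]},
    "00000000-0000-0000-0000-000000000002": {
        "title": "Example Theme 2.0.0 - 2.1.0 - CSRF (constructed)",
        "software": [{
            "type": "theme", "slug": "example-theme",
            "affected_versions": {
                "2.0.0 - 2.1.0": {"from_version": "2.0.0", "to_version": "2.1.0",
                                  "from_inclusive": True, "to_inclusive": False}},
            "patched": True, "patched_versions": ["2.1.0"]}]},
})

def range_to_constraint(r):
    """Translate one affected_versions range into a Composer constraint."""
    parts = []
    if r["from_version"] not in ("*", None):
        parts.append((">=" if r["from_inclusive"] else ">") + r["from_version"])
    if r["to_version"] not in ("*", None):
        parts.append(("<=" if r["to_inclusive"] else "<") + r["to_version"])
    return ",".join(parts) or "*"  # unbounded on both sides: every version conflicts

def feed_to_conflicts(feed_json):
    """Build a {package: constraint} map; several ranges are OR-ed with '||'."""
    conflicts = {}
    for vuln in json.loads(feed_json).values():
        for sw in vuln["software"]:
            if sw["type"] not in ("plugin", "theme"):
                continue  # core and other software types need separate handling
            pkg = f"wpackagist-{sw['type']}/{sw['slug']}"  # assumed naming scheme
            for r in sw["affected_versions"].values():
                c = range_to_constraint(r)
                conflicts[pkg] = f"{conflicts[pkg]}||{c}" if pkg in conflicts else c
    return dict(sorted(conflicts.items()))

def batch_for_prs(conflicts, api_call_budget=1000, per_pr=50):
    """Group packages so one run never needs more PR-creation calls than allowed."""
    items = list(conflicts.items())
    batches = [dict(items[i:i + per_pr]) for i in range(0, len(items), per_pr)]
    return batches[:api_call_budget]  # leftovers wait for the next cron run
```

Each returned batch is the `conflict` map for one pull request; the batching is what keeps a run inside the 1000-call limit rather than opening a PR per vulnerability.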

8ctopus commented 4 days ago

Maybe have a demo script running on a local machine first to test it:

What do you think?

LeTraceurSnork commented 4 days ago

I'll try it out somewhere locally, maybe with Python and ChatGPT. If I don't report on the results before New Year, that means I'm stuck/out of time and need help with it.

8ctopus commented 4 days ago

I will write you if I have time to work on it myself.

LeTraceurSnork commented 2 days ago

I'm trying something here: https://github.com/LeTraceurSnork/WordPress-Security-Advisories-Renovator/pull/1. Take a look when you have time.