WordPress / plugin-check

A repository for the new Plugin Check plugin from the WordPress Performance and Plugins Team.
https://wordpress.org/plugins/plugin-check/
GNU General Public License v2.0

BuddyPress: issues with custom CLI commands, false positive?! #463

Closed renatonascalves closed 1 month ago

renatonascalves commented 1 month ago

I think I found an odd behavior, and I'd like to clarify if this is expected behavior. I run the plugin with the BuddyPress plugin, and our custom CLI commands (which are bundled with BuddyPress core) are on the list of issues:

[screenshot: CleanShot 2024-05-03 at 23 20 55@2x]

I'd argue that the only people that can run CLI commands are folks with access to the server, so escaping issues would be the least of one’s concern by then. Also, those commands are not user-facing.

Similarly, WP core doesn't escape similar commands. See here.

renatonascalves commented 1 month ago

Maybe this plugin should try to identify if the plugin is using custom CLI commands and not report false-positive issues for those files, since it uses a different WPCS ruleset.

renatonascalves commented 1 month ago

Just a note that those issues were already fixed in our custom commands: https://github.com/buddypress/wp-cli-buddypress/releases/tag/3.0.0. But we have not released it yet.

swissspidy commented 1 month ago

Heya, yeah those are false positives.

It's impossible for a static analysis tool like PHPCS to reliably detect such use cases, so I'd suggest simply ignoring such false positives.
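
As an added illustration of the point above (example code, not BuddyPress, wp-cli-buddypress or Plugin Check code), the sketch below shows which output patterns the WPCS `WordPress.Security.EscapeOutput` sniff flags inside a WP-CLI command and how to keep any exemption scoped to a single line instead of ignoring a whole file. The command name, class name and member data are constructed; the `phpcs:ignore` annotation is standard PHPCS syntax, and whether a particular Plugin Check run honors inline annotations is an assumption here.

```php
<?php
/**
 * Added example (not BuddyPress or Plugin Check code): a minimal WP-CLI command
 * showing which output calls trip WordPress.Security.EscapeOutput and how to
 * keep the exemption narrowly scoped. Names and data are constructed.
 */

if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    return; // Only register the command when running under WP-CLI.
}

class Example_Member_Command {

    /**
     * Lists member display names.
     *
     * ## OPTIONS
     *
     * [--format=<format>]
     * : Output format (table, json, csv, yaml). Default: table.
     *
     * @param array $args       Positional arguments (unused).
     * @param array $assoc_args Associative arguments.
     */
    public function list_( $args, $assoc_args ) {
        // Constructed sample data; a real command would query the database.
        $members = array(
            array( 'ID' => 1, 'display_name' => 'Alice' ),
            array( 'ID' => 2, 'display_name' => 'Bob <b>' ),
        );

        // Preferred: route output through WP-CLI's own helpers. These write to
        // the terminal, and the sniff does not treat them as HTML output, so
        // no escaping warning is raised and no annotation is needed.
        $format = isset( $assoc_args['format'] ) ? $assoc_args['format'] : 'table';
        \WP_CLI\Utils\format_items( $format, $members, array( 'ID', 'display_name' ) );

        foreach ( $members as $member ) {
            WP_CLI::log( sprintf( 'Member %d: %s', $member['ID'], $member['display_name'] ) );
        }

        // A raw echo is what the sniff reports (OutputNotEscaped), even though
        // this text goes to a terminal, not a browser. If an echo has to stay,
        // exempt that one line and say why, rather than disabling the sniff
        // for the whole file (this annotation is assumed to be honored by the run):
        // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped -- CLI output, not HTML.
        echo count( $members ) . " members\n";

        WP_CLI::success( 'Done.' );
    }
}

// WP-CLI strips the trailing underscore, so this registers `wp example member list`.
WP_CLI::add_command( 'example member', 'Example_Member_Command' );
```

Keeping the exemption on the exact line (with a reason after `--`) leaves the sniff active for any HTML-context output that a CLI file might still contain, such as a template rendered for an e-mail, which is the case the sniff exists to catch.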

renatonascalves commented 1 month ago

Sounds good. Those issues were resolved in v3 of our API. So I'll resolve this issue.