pantheon-systems / wp_launch_check

WP-CLI Plugin to run checks against installation for Performance and Security
http://pantheon.io
MIT License

table or porcelain output of command lines for scripting #101

Closed ibertrix closed 4 years ago

ibertrix commented 4 years ago

Hi!

I am just trying to spot critical updates for a wordpress installation. I am starting with plugins (although It would be desirable to have it for core critical updates and themes).

I see output of launchcheck plugins can only be html or json. Anyway to show it in porcelain or table format?

I would like also the same for launchcheck secure

Thanks!

danielbachhuber commented 4 years ago

Hey @ibertrix,

Good to hear from you.

> I see output of launchcheck plugins can only be html or json. Anyway to show it in porcelain or table format?

This isn't a feature we support right now, unfortunately.

One thing you could do, however, is write your own custom command that:

  1. Calls wp launchcheck plugins with WP_CLI::runcommand().
  2. Processes the JSON output to render a table instead with WP_CLI\Utils\format_items().

Hope this helps!

greg-1-anderson commented 4 years ago

FYIO: A useful library for supporting multiple output formats uniformly:

https://github.com/consolidation/output-formatters

ibertrix commented 4 years ago

Ok, I will give jq a try, which I have used in the past to parse JSON outputs. What kind of output should I look at to try to find a vulnerable plugin? I see the following, for instance, for the wordpress-seo plugin:

{
  "plugins": {
    "alerts": {
      "wordpress-seo": {
        "vulnerable": "None",
        "needs_update": "0",
        "available": "-",
        "installed": "14.0.4",
        "slug": "wordpress-seo"
      },

How does it look when it finds a plugin that is vulnerable? With this command I have listed all entries whose vulnerable field has the value "None":

wp launchcheck plugins --path=/mypath --format=json | jq .plugins.alerts | jq -c '.[] | select( .vulnerable | contains("None"))' | jq .slug

but I want to find the ones that are vulnerable

danielbachhuber commented 4 years ago

@ibertrix Here are your two options, it looks like:

https://github.com/pantheon-systems/wp_launch_check/blob/97358e78c30e0c57496eab981cb7d40377e75e2e/php/pantheon/checks/plugins.php#L54-L58

When a plugin has a vulnerability, you'll see a URL with 'more info' as the target text.

If you'd like to test it out, you could temporarily install an insecure version of Akismet.
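The custom command suggested above (runcommand plus format_items), combined with the "more info" convention for the vulnerable field, as an added example; this is not code from the thread or from the wp_launch_check project. It assumes the JSON shape pasted in this thread (plugins.alerts.<slug> with vulnerable, needs_update, available, installed and slug keys) and that a vulnerable plugin carries a non-"None" string in vulnerable holding the "more info" HTML link. The command name launchcheck-table and the --vulnerable-only flag are invented for the example.

```php
<?php
/**
 * Added example (not part of wp_launch_check): re-render
 * `wp launchcheck plugins --format=json` as table/csv/json/yaml/count/ids.
 *
 * Usage: wp --require=launchcheck-table.php launchcheck-table [--format=<fmt>] [--vulnerable-only]
 *
 * Assumptions: JSON shape as pasted in this thread; a vulnerable plugin has a
 * non-"None" `vulnerable` value containing the "more info" link as HTML.
 */

if ( ! class_exists( 'WP_CLI' ) ) {
	return;
}

WP_CLI::add_command( 'launchcheck-table', function ( $args, $assoc_args ) {
	// Run the real command in a child process and capture its stdout.
	$raw = WP_CLI::runcommand( 'launchcheck plugins --format=json', array(
		'return'     => true, // hand back stdout instead of printing it
		'exit_error' => true, // abort if launchcheck itself fails
	) );

	$data = json_decode( $raw, true );
	if ( ! is_array( $data ) || ! isset( $data['plugins']['alerts'] ) ) {
		WP_CLI::error( 'Unexpected launchcheck output; is the launchcheck package installed?' );
	}

	$vulnerable_only = \WP_CLI\Utils\get_flag_value( $assoc_args, 'vulnerable-only', false );
	$items           = array();

	foreach ( $data['plugins']['alerts'] as $slug => $alert ) {
		$vulnerable    = isset( $alert['vulnerable'] ) ? (string) $alert['vulnerable'] : 'None';
		$is_vulnerable = ( 'None' !== $vulnerable );

		if ( $vulnerable_only && ! $is_vulnerable ) {
			continue;
		}

		// Keep only the URL from the "more info" link so the column stays
		// script-friendly (assumption about the markup, see lead-in).
		$more_info = '';
		if ( $is_vulnerable && preg_match( '/href=[\'"]([^\'"]+)[\'"]/', $vulnerable, $m ) ) {
			$more_info = $m[1];
		} elseif ( $is_vulnerable ) {
			$more_info = trim( strip_tags( $vulnerable ) );
		}

		$items[] = array(
			'slug'         => isset( $alert['slug'] ) ? $alert['slug'] : $slug,
			'installed'    => isset( $alert['installed'] ) ? $alert['installed'] : '',
			'available'    => isset( $alert['available'] ) ? $alert['available'] : '',
			// needs_update arrives as the string "0"/"1"; empty("0") is true.
			'needs_update' => ! empty( $alert['needs_update'] ) ? 'yes' : 'no',
			'vulnerable'   => $is_vulnerable ? 'yes' : 'no',
			'more_info'    => $more_info,
		);
	}

	$format = \WP_CLI\Utils\get_flag_value( $assoc_args, 'format', 'table' );
	$fields = array( 'slug', 'installed', 'available', 'needs_update', 'vulnerable', 'more_info' );

	// 'ids' wants a flat list of identifiers; format_items() covers the rest.
	if ( 'ids' === $format ) {
		echo implode( ' ', array_column( $items, 'slug' ) ), "\n";
	} else {
		\WP_CLI\Utils\format_items( $format, $items, $fields );
	}

	// Non-zero exit lets a CI job fail when anything is flagged.
	if ( $vulnerable_only && ! empty( $items ) ) {
		WP_CLI::halt( 1 );
	}
} );
```

Run `wp launchcheck-table --vulnerable-only --format=csv` to get a script-friendly list of only the flagged plugins; the exit status is 1 when the list is non-empty, so the same call can gate a deployment.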

ibertrix commented 4 years ago

> @ibertrix Here are your two options, it looks like:
>
> https://github.com/pantheon-systems/wp_launch_check/blob/97358e78c30e0c57496eab981cb7d40377e75e2e/php/pantheon/checks/plugins.php#L54-L58
>
> When a plugin has a vulnerability, you'll see a URL with 'more info' as the target text.
>
> If you'd like to test it out, you could temporarily install an insecure version of Akismet.

I tried your example and changed the version number in akismet.php to 3.1.4, which is considered vulnerable. I get the following:

    "akismet": {
      "vulnerable": "None",
      "needs_update": "1",
      "available": "4.1.5",
      "installed": "3.1.4",
      "slug": "akismet"
    },

danielbachhuber commented 4 years ago

@ibertrix That's odd. To confirm, this is in a Pantheon environment?

ibertrix commented 4 years ago

> @ibertrix That's odd. To confirm, this is in a Pantheon environment?

Nope, my own server, but it should work anyway, shouldn't it?

danielbachhuber commented 4 years ago

@ibertrix Have you purchased an API license from wpvulndb and set the API key to the PANTHEON_WPVULNDB_API_TOKEN environment variable?

ibertrix commented 4 years ago

> @ibertrix Have you purchased an API license from wpvulndb and set the API key to the PANTHEON_WPVULNDB_API_TOKEN environment variable?

I do have a free API token, but I don't know where I have to put it.

danielbachhuber commented 4 years ago

@ibertrix Ok, that must be the missing piece then. You'll need to define the API token in the PANTHEON_WPVULNDB_API_TOKEN environment variable.

ibertrix commented 4 years ago

> @ibertrix Ok, that must be the missing piece then. You'll need to define the API token in the PANTHEON_WPVULNDB_API_TOKEN environment variable.

How do I do that? I forgot I did it several weeks ago to make the package work. I defined the variable $wpvulndb_api_token manually, so maybe that's not the issue.