[SITE-1500] Remove wpscan and "secure" command (#161)

Co-authored-by: Chris Reynolds <chris@jazzsequence.com>

.github/workflows/release.yml

@@ -9,7 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     env:
       # GITHUB_CONTEXT: ${{ toJson(github) }}
-      PANTHEON_WPVULNDB_API_TOKEN: ${{ secrets.PANTHEON_WPVULNDB_API_TOKEN }}
       WP_CLI_BIN_DIR: /tmp/wp-cli-phar
       DB_NAME: pantheon
       DB_USER: pantheon

.github/workflows/validate.yml

@@ -12,7 +12,6 @@ jobs:
 
     env:
       # GITHUB_CONTEXT: ${{ toJson(github) }}
-      PANTHEON_WPVULNDB_API_TOKEN: ${{ secrets.PANTHEON_WPVULNDB_API_TOKEN }}
       WP_CLI_BIN_DIR: /tmp/wp-cli-phar
       DB_NAME: pantheon
       DB_USER: pantheon

CHECKS.md

@@ -41,12 +41,6 @@ The message method receives a [\Pantheon\Messsenger](php/pantheon/messenger.php)
 **Check:** \Pantheon\Checks\Sessions;
 This check does a ```preg_match``` on each file passed to the run() method for the regex ```.*(session_start|SESSION).*```
 
-### Secure
-**Check:** [\Pantheon\Check\Insecure](php/pantheon/checks/insecure.php)
-This check looks for insecure code by running ````preg_match("#.*(eval|base64_decode)\(.*#:", $filecontent)```. This regex can be improved but the theory here is that ```eval``` and ```base64_decode``` are insecure because the first is discouraged even by PHP because it executes arbitrary code. The second isn't necessarily insecure by itself but is often combined with eploits to obfuscate the malicious code. ```base64_decode``` can also sometimes lead to php segfaults [ **This check is not currently used in the Pantheon dashboard ** ]
-
-**Check:** [\Pantheon\Check\Exploited](php/pantheon/checks/exploited.php) This check attempts to find actual exploits by running ```'.*eval\(.*base64_decode\(.*';```. The goal here is to find instance of ```eval``` operating on decoded base64, which is almost certainly a bad idea. This regex should be refined because now it technically could alert when it finds the two functions on the same page but not necessary in the right order, leading to a false positive.
-
 ## Regular Checkers
 
 ### General
@@ -68,16 +62,16 @@ This check runs the following db checks
 
 ### Cron
 **Cron:** [\Pantheon\Checks\Cron](php/commands/checks/cron.php)
-This check simple examines whether ```DISABLE_WP_CRON``` evaluates ```true``` to see if cron has been disabled. ( We should probably also curl the ```wp-cron.php?doing_wp_cron``` and ensure we get a 200 ). Some hosts disable the default WP_Cron functionality, substituting a system cron, because the HTTP base WP_Cron can sometimes have race conditions develop causing what might be referred to as "runaway cron", in which HTTP multiple requests trigger the cron a small amount of time causing a spike in PHP/MySQL resource consumption. This check also dumps the scheduled tasks into a table using ```get_option('cron')```. 
+This check simple examines whether ```DISABLE_WP_CRON``` evaluates ```true``` to see if cron has been disabled. ( We should probably also curl the ```wp-cron.php?doing_wp_cron``` and ensure we get a 200 ). Some hosts disable the default WP_Cron functionality, substituting a system cron, because the HTTP base WP_Cron can sometimes have race conditions develop causing what might be referred to as "runaway cron", in which HTTP multiple requests trigger the cron a small amount of time causing a spike in PHP/MySQL resource consumption. This check also dumps the scheduled tasks into a table using ```get_option('cron')```.
 
 ### object-cache
 **objectcache** [\Pantheon\Checks\Cron](php/commands/checks/objectcache.php)
 Checks is the ```wp-content/object-cache.php``` exists to determine whether object caching is in use. Checks that the ```global $redis_server``` variable is not empty to determine whether redis is being used.
 
 ### Plugins
 **plugins** [\Pantheon\Checks\Plugins](php/commands/checks/plugins.php)
-Checks all plugins against the wpscan.com database we license. Alerts 'error' if a vulnerability is found and links to the wpvulndb.com page for more info. Also checks for available updates and alerts 'warning' if plugins needing an update are found.
+Checks for available updates and alerts 'warning' if plugins needing an update are found.
 
 ### Themes
 **themes** [\Pantheon\Checks\Themes](php/commands/checks/themes.php)
-Checks all themes against the wpscan.com database we license. Alerts 'error' if a vulnerability is found and links to the wpvulndb.com page for more info. Also checks for available updates and alerts 'warning' if themes needing an update are found.
+Checks for available updates and alerts 'warning' if themes needing an update are found.

README.md

@@ -13,8 +13,6 @@ To use WP Launch Check simply run the ```wp launchcheck <subcommand>``` command
 
 For more information about WP-CLI you can visit [their github page](https://github.com/wp-cli/wp-cli).
 
-WP Launch Check should be considered in "BETA". Many of the checks have still not been tested in the wild. If you experience a problem please open an issue.
-
 ## Installing
 
 Installing this package requires WP-CLI v0.23.0 or greater. Update to the latest stable release with `wp cli update`.
@@ -30,9 +28,8 @@ Below is a summary of the available commands. *Full technical description of eac
   * **wp launchcheck database**: Checks related to the databases.
   * **wp launchcheck object_cache**: Checks whether object caching is enabled and if on Pantheon whether redis is enabled.
   * **wp launchcheck sessions**: Checks for plugins referring to the php session_start() function or the superglobal ```$SESSION``` variable. In either case, if you are on a cloud/distributed platform you will need additional configuration achieve the expected functionality
-  * **wp launchcheck secure**: Does some rudimentary security checks
-  * **wp launchcheck plugins**: Checks plugins for updates and known vulnerabilities
-  * **wp launchcheck themes**: Checks themes for updates and known vulnerabilities
+  * **wp launchcheck plugins**: Checks plugins for updates
+  * **wp launchcheck themes**: Checks themes for updates
 
 
 

features/bootstrap/FeatureContext.php

@@ -77,9 +77,6 @@ private static function get_process_env_variables() {
 		if ( $config_path = getenv( 'WP_CLI_CONFIG_PATH' ) ) {
 			$env['WP_CLI_CONFIG_PATH'] = $config_path;
 		}
-		if ( $wpvulndb_api_token = getenv( 'PANTHEON_WPVULNDB_API_TOKEN' ) ) {
-			$env['PANTHEON_WPVULNDB_API_TOKEN'] = $wpvulndb_api_token;
-		}
 		return $env;
 	}
 

php/commands/launchcheck.php

@@ -35,8 +35,6 @@ public function all($args, $assoc_args) {
 		// WordPress is now loaded, so other checks can run
 		$searcher = new \Pantheon\Filesearcher( WP_CONTENT_DIR );
 		$searcher->register( new \Pantheon\Checks\Sessions() );
-		$searcher->register( new \Pantheon\Checks\Insecure() );
-		$searcher->register( new \Pantheon\Checks\Exploited() );
 		$searcher->execute();
 		$checker->register( new \Pantheon\Checks\Plugins(TRUE));
 		$checker->register( new \Pantheon\Checks\Themes(TRUE));
@@ -158,33 +156,7 @@ public function object_cache($args, $assoc_args) {
 	}
 
 	/**
-	 * Checks files for insecure code and checks the wpscan.com/api for known vulnerabilities
-	 *
-	 * ## OPTIONS
-	 *
-	 * [--skip=<regex>]
-	 * : a regular expression matching directories to skip
-	 *
-	 * [--format=<format>]
-	 * : output as json
-	 *
-	 * ## EXAMPLES
-	 *
-	 *   wp launchcheck secure --skip=wp-content/themes
-	 *
-	 */
-	public function secure($args, $assoc_args) {
-		$searcher = new \Pantheon\Filesearcher( WP_CONTENT_DIR );
-		$searcher->register( new \Pantheon\Checks\Insecure() );
-		$searcher->register( new \Pantheon\Checks\Exploited() );
-		$searcher->execute();
-		$format = isset($assoc_args['format']) ? $assoc_args['format'] : 'raw';
-		\Pantheon\Messenger::emit($format);
-	}
-
-	/**
-	 * Checks plugins for vulnerabilities using the wpscan vulnerability DB
-	 * - https://wpscan.com/api
+	 * Checks plugins for available updates
 	 *
 	 * ## OPTIONS
 	 *
@@ -208,8 +180,7 @@ public function plugins($args, $assoc_args) {
 	}
 
 	/**
-	 * Checks themes for vulnerabilities using the wpscan vulnerability DB
-	 * - https://wpscan.com/api
+	 * Checks themes for available updates
 	 *
 	 * ## OPTIONS
 	 *