Make WordPress Core

Opened 9 years ago

Last modified 3 years ago

#35318 new enhancement

Automate anti-virus scanning of WordPress zips

Reported by: jorbin
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Build/Test Tools
Keywords:
Focuses:
Cc:

Description

In WordPress 4.4, some files were marked as malware by antivirus vendors. This sucks for users. I think we should automate scanning of WordPress packages so that we can alert antivirus vendors as soon as possible that they are misflagging WordPress files.

One API that could work is https://www.virustotal.com/en/documentation/public-api/ , but we should investigate that and other possible options.

Change History (3)

#1 @netweb
9 years ago

Related: #25117 <- We can build the zips via the Grunt task/s in that ticket

There are a couple of npm modules that use the VirusTotal API, though no Grunt wrappers for these modules.

Thinking about and addressing how the WordPress project would be treated as the canonical/authoritative source for these packages, to ensure someone else could not impersonate the WordPress project to override/replace the hashes/signatures with malware or compromised packages, will make for an interesting ticket here :)

#2 @desrosj
4 years ago

This could easily be set up using a GitHub Action workflow configured to run on tags if there's a feeling this is still needed. I honestly have no idea if this has re-occurred recently.

It looks like there are a few actions on the marketplace for this.
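The check proposed in the description (hash each release zip, ask VirusTotal which engines flag it, and surface false positives early) and the tag-triggered CI job suggested in comment #2 could look like the script below. This is an added example, not code from WordPress core or from this ticket. It assumes VirusTotal's v3 API as currently documented (GET https://www.virustotal.com/api/v3/files/{sha256} with an x-apikey header, a 404 meaning the file has never been submitted, and POST /api/v3/files for submission); the ticket itself only links the older public-API docs. The API key comes from a VT_API_KEY environment variable, and the embedded SAMPLE_REPORT is a constructed response in the v3 shape so the parsing can be exercised offline; the engine names in it are made up.

```python
"""Hash a WordPress release zip, look it up on VirusTotal, and list flagging engines.

Added example for ticket #35318 (not WordPress core code).
Usage: VT_API_KEY=... python vt_scan.py wordpress-X.Y.zip
Exit status is non-zero when any engine flags the file, so a CI job fails loudly.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Dict, List, Optional, Tuple

# Assumed endpoint: VirusTotal API v3 file lookup by hash.
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"

# Engine verdict categories that should be reported to the vendor as false positives.
FLAG_CATEGORIES = ("malicious", "suspicious")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash the zip in 1 MiB chunks so a large release does not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def flagged_engines(report: Dict) -> List[Tuple[str, str]]:
    """Return sorted (engine, verdict) pairs for engines calling the file malicious or suspicious."""
    results = report["data"]["attributes"].get("last_analysis_results", {})
    return sorted(
        (name, entry.get("result") or entry.get("category"))
        for name, entry in results.items()
        if entry.get("category") in FLAG_CATEGORIES
    )


def summarize(report: Dict) -> Dict[str, int]:
    """Collapse last_analysis_stats to the four counters worth printing in a CI log."""
    stats = report["data"]["attributes"].get("last_analysis_stats", {})
    return {k: int(stats.get(k, 0)) for k in ("malicious", "suspicious", "undetected", "harmless")}


def fetch_report(sha256: str, api_key: str) -> Optional[Dict]:
    """Look the hash up on VirusTotal; None means the file has never been submitted (HTTP 404)."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


# Constructed sample response (not real VirusTotal data) in the v3 shape: one of
# three fictional engines flags the file, mirroring the 4.4 false-positive case.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "0" * 64,
        "attributes": {
            "last_analysis_stats": {"malicious": 1, "suspicious": 0, "undetected": 2, "harmless": 0, "timeout": 0},
            "last_analysis_results": {
                "ExampleAV-One": {"category": "undetected", "engine_name": "ExampleAV-One", "result": None},
                "ExampleAV-Two": {"category": "malicious", "engine_name": "ExampleAV-Two", "result": "Trojan.Generic.Example"},
                "ExampleAV-Three": {"category": "undetected", "engine_name": "ExampleAV-Three", "result": None},
            },
        },
    }
}


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print("usage: vt_scan.py <wordpress-zip>", file=sys.stderr)
        return 2
    api_key = os.environ.get("VT_API_KEY")
    if not api_key:
        print("VT_API_KEY is not set", file=sys.stderr)
        return 2
    digest = sha256_of_file(argv[1])
    report = fetch_report(digest, api_key)
    if report is None:
        print(f"{digest} is not known to VirusTotal yet; submit it via POST /api/v3/files first")
        return 1
    hits = flagged_engines(report)
    print(f"{argv[1]} sha256={digest} stats={summarize(report)}")
    for engine, verdict in hits:
        print(f"  FLAGGED by {engine}: {verdict}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run from a tag-triggered workflow right after the Grunt build step, a non-zero exit turns a vendor false positive into a failed job with the engine names in the log, which is exactly the list needed to open reports with those vendors before the release ships. Looking up by hash rather than re-uploading also keeps the check within the public API's rate limits and, since the hash is computed from the locally built zip, confirms that the package VirusTotal scanned is the one the project produced.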

#3 @Clorith
3 years ago

Hasn't happened recently, but I know it's happened more than that one time previously.

I think this would be a good safeguard that just helps with quality assurance before a release, but perhaps not something that needs to run all the time. The most ideal scenario would be having this check as part of the RC1 procedure; that's when no changes are expected to happen afterwards, and it still gives time to report any false positives to vendors in order to have them resolved prior to launch.
