Opened 4 years ago
Last modified 11 months ago
#35318 new enhancement
Automate anti-virus scanning of WordPress zips
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Build/Test Tools | Keywords: | |
| Focuses: | Cc: | ||
| PR Number: |
Description
In WordPress 4.4, some files were marked as malware by antivirus vendors. This sucks for users. I think we should automate scanning of WordPress packages so that we can alert antivirus vendors as soon as possible that they are miss flagging WordPress files.
one api that could work is https://www.virustotal.com/en/documentation/public-api/ , but we should investigate that and other possible options.
Note: See
TracTickets for help on using
tickets.
Related: #25117 <- We can build the zips via the Grunt task/s in that ticket
There's a couple of NPM modules that use the VirusTotal API, though no Grunt wrappers for these modules.
Thinking about and addressing how the WordPress project would be treated as the canonical/authoritative source for these packages to ensure someone else could not impersonate the WordPress project to override/replace the hash/signatures with malware/compromised packages will make for an interesting ticket here :)