## NEXT VERSION

* Add an Advisory report, calling into https://wpvulndb.com/api
* Add `strlen` to the list of functions which make variable usage safe

## Version 0.8.1

* Bugfix: Lines in the error list file are now ignored or not, depending on the option requested

## Version 0.8.0

* Add a parameter (-e) for outputting a vim-compatible error list to a file, in addition to showing normal output on the terminal
* Bugfix: Corrected some checks for bad function names which were probably not getting run properly as part of the scan
* Bugfix: In the main output, count the total number of issues found, not the number of checks

## Version 0.7.2

* Bugfix: Ignored lines can be hidden in the main issues report
* When calling pluginscan from the command line, passing no arguments is interpreted as meaning "run in the current directory", even if options are passed
* Add -h as a command line flag to show help
* Add -v as a command line flag to show the version

## Version 0.7.1

* Bugfix: source lines with colons (:) in them now have those colons escaped (otherwise the lines can't be parsed by vim)
* Removed the file list printer: it was probably never going to get used

## Version 0.7.0

* The vim-compatible error list output now displays [IGNORE] on lines we're confident are safe, and respects the -g flag (hide ignores)
* New Check: Check for use of unreliable indicators of IP addresses, e.g. `HTTP_FORWARDED_FOR`
* Add 'unserialize()' to the list of functions which constitute PHP object injection

## Version 0.6.0

* Allow ignored lines (things which matched but are believed to be safe) to be hidden in the main issues report by passing '-g' on the command line

## Version 0.5.1

* Bugfix: Command line now calls the library correctly

## Version 0.5.0

* New Check: Look for inline JavaScript (script tags without src=)
* New Check: Look for inline CSS (style tags)
* New Check: Look for HTML event attributes, which can execute JavaScript (e.g. onclick)
* New Check: Look for parse_str() and extract(), which extract variables from input
* Bugfix: column numbers are now correctly calculated (for the vim error list formatter)

## Version 0.4.0

* Add formatters which can print out the list of files and a vim-compatible error list
* Allow the formatter to be selected from the command line
* Allow the sloccount and cloc reports to be selectively disabled by passing command line flags (call with -h for full details)
* Ignore variables and functions which are on commented lines
* Add 'hardening' to the list of trigger words

## Version 0.3.4

* Add 'switch' to the list of functions which make superglobals safe (because they check them rather than use them)

## Version 0.3.3

* Bugfix: '=>' was being treated as a safe infix (it's array assignment)
* Bugfix: some infixes were getting double-counted, e.g. '==' and '===', leading to false negatives
* Changes to how database access lines are ignored

## Version 0.3.2

* Handle malformed CSVs

## Version 0.3.1

* Make sure that sloccount and cloc don't prevent execution of the rest of the tool if they blow up

## Version 0.3.0

* Highlighting of matched terms in the output of line checks
* Lots of Superglobal false positives are marked as ignores (e.g. when wrapped in an 'isset')
* More refactoring
* Added some additional functions to SAFE_FUNCTIONS and SAFE_INFIXES to improve ignore coverage

## Version 0.2.0

* Add integration with sloccount and cloc
* Thorough test suite and major refactoring

## Version 0.1.2

* Added a proper test suite
* Major refactoring
* Various minor bugfixes

## Version 0.1.1

* Significant refactoring for the sake of sanity (but without tests!)
* Various minor bugfixes

## Version 0.1.0

* Initial version
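Several entries above describe the same mechanism from different angles: a superglobal line check whose matches are downgraded to ignores when wrapped in a checking function (`isset`, `switch`, `strlen`) or compared with a safe infix (with `=>` excluded and `===` not double-counted as `==`), commented lines being skipped, and a vim-compatible error list that tags ignores with [IGNORE], honours -g, and escapes colons in the echoed source line. The following is an added, self-contained illustration of that logic, written in Python for this page; it is not pluginscan's own code, and the function names, the wrapper and infix lists, the message wording and the sample PHP are all constructed assumptions.

```python
import re

# Superglobals the line check looks for (assumed subset).
SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")
# Lines that are PHP comments: matches there are ignored outright.
COMMENT_RE = re.compile(r"^\s*(?://|#|\*|/\*)")

# Wrappers that check a value rather than use it (assumed list; 'switch' and
# 'strlen' are the additions the changelog mentions).
SAFE_FUNCTIONS = ("isset", "empty", "strlen", "switch")
# Comparison infixes, longest first so '===' is never also counted as '=='.
# '=>' is deliberately absent: it is array assignment, not a check.
SAFE_INFIXES = ("===", "!==", "==", "!=")

_INFIX_ALT = "|".join(re.escape(i) for i in SAFE_INFIXES)
# Infix directly after the superglobal, allowing for ['key'] subscripts.
_INFIX_AFTER = re.compile(r"^(?:\s*\[[^\]]*\])*\s*(?:%s)" % _INFIX_ALT)
# Infix directly before the superglobal.
_INFIX_BEFORE = re.compile(r"(?:%s)\s*$" % _INFIX_ALT)
# Superglobal is the first argument of a checking function or a switch.
_WRAPPED = re.compile(r"\b(?:%s)\s*\(\s*$" % "|".join(SAFE_FUNCTIONS))


def classify_line(line):
    """Return (column, superglobal, ignored) for the first superglobal on
    the line, or None if the line contains none.  Column is 1-based for vim."""
    m = SUPERGLOBAL_RE.search(line)
    if m is None:
        return None
    col = m.start() + 1
    if COMMENT_RE.match(line):
        return col, m.group(0), True
    before, after = line[: m.start()], line[m.end():]
    ignored = bool(_WRAPPED.search(before)
                   or _INFIX_BEFORE.search(before)
                   or _INFIX_AFTER.match(after))
    return col, m.group(0), ignored


def vim_error_list(filename, php_source, hide_ignores=False):
    """Render findings as 'file:line:col: message' entries (vim's
    errorformat %f:%l:%c:%m).  hide_ignores mirrors the -g flag."""
    entries = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        found = classify_line(line)
        if found is None:
            continue
        col, term, ignored = found
        if ignored and hide_ignores:
            continue
        tag = "[IGNORE] " if ignored else ""
        # A raw ':' in the echoed source would be read by vim as a field
        # separator, so escape it.
        text = line.strip().replace(":", r"\:")
        entries.append(f"{filename}:{lineno}:{col}: {tag}{term} in {text}")
    return entries


# Constructed sample plugin source for the demonstration, not real plugin code.
SAMPLE_PHP = """<?php
// $_GET is only mentioned in this comment
$name = $_POST['name'];
if (isset($_GET['id'])) { $id = (int) $_GET['id']; }
switch ($_REQUEST['action']) { case 'save': break; }
if (strlen($_GET['q']) > 3) { $q = $_GET['q']; }
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
if ($_COOKIE['lang'] === 'en') { echo 'Hello: world'; }
$opts = ['a' => $_GET['a']];
"""

if __name__ == "__main__":
    for entry in vim_error_list("plugin.php", SAMPLE_PHP):
        print(entry)
    print("--- with -g (ignores hidden) ---")
    for entry in vim_error_list("plugin.php", SAMPLE_PHP, hide_ignores=True):
        print(entry)
```

Run as a script it prints eight entries for the sample, five of them tagged [IGNORE], and only the three unwrapped uses (`$_POST['name']`, `$_SERVER[...]`, and the `=>` array assignment) once ignores are hidden; the `case 'save':` and `'Hello: world'` lines show the colon escaping.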