Resolved

Ambyomoron (@josiah-s-carberry)


I have started to get a lot of hits from scan which, after investigation, turn out to be false positives. I have found three issues, all of which concern how a plugin developer manages his or her versions:

1) The plugin developer makes changes to files in the repository but does not update the version number.
As a result of this, scan quite correctly detects a difference that needs to be investigated, only to find that there is no real risk. Sometimes, the update is as simple as changing the readme file to say that the plugin has now been tested against a newer version of WordPress. I can understand why the developer would not want to bump the version number for that. In fact, such metadata does not really belong in the installation files, in my view, but there is clearly no other place to keep it. I have found this to be a common issue.

    2) Apparently, a plugin can be in different repositories that are not all updated at the same time or otherwise in an incoherent state.
    The result is that scan might compare files from one repository to somewhat different files from another repository. Scan detects a hit, but it is really the versions that are not under control. This is perhaps a relatively rare problem.

    3) A developer does not distinguish the version numbers between a beta version of a plugin and the final released version, which has the same version number, but different code. Naturally, this generates a hit in scan, if the site has the beta version.

So, these are not really issues with scan. But if Wordfence can figure out a clever way to handle them, it could save the site owner a lot of wasted time.

    https://www.ads-software.com/plugins/wordfence/
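As an added illustration, not part of the original post and not Wordfence's own code: a small Python comparison of an installed plugin tree against a reference copy. It hashes every file, then separates metadata-only differences (readme and changelog files) from code differences that occur under an identical `Version:` header, which are the two situations described in points 1 and 3 above. The plugin name, file contents and the list of metadata files are constructed for this example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Files whose differences are treated as metadata-only. Constructed policy for
# this example; a real scanner would have its own list.
METADATA_FILES = {"readme.txt", "readme.md", "changelog.txt"}

# Matches the "Version:" line of a WordPress plugin header comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plugin_version(files: Dict[str, bytes]) -> Optional[str]:
    """Return the Version header found in the plugin's PHP files, if any."""
    for path, data in files.items():
        if path.endswith(".php"):
            m = VERSION_RE.search(data.decode("utf-8", "replace"))
            if m:
                return m.group(1)
    return None


@dataclass
class DiffReport:
    version_installed: Optional[str]
    version_reference: Optional[str]
    code_changes: List[str] = field(default_factory=list)
    metadata_changes: List[str] = field(default_factory=list)
    missing: List[str] = field(default_factory=list)   # in reference, not installed
    extra: List[str] = field(default_factory=list)     # installed, not in reference

    def has_code_difference(self) -> bool:
        return bool(self.code_changes or self.extra or self.missing)

    def same_version_different_code(self) -> bool:
        # Point 3 in the post: beta and release share a version number but not code.
        return self.version_installed == self.version_reference and self.has_code_difference()


def compare_plugin(installed: Dict[str, bytes], reference: Dict[str, bytes]) -> DiffReport:
    """Hash both trees file by file and classify every difference."""
    report = DiffReport(plugin_version(installed), plugin_version(reference))
    for path in sorted(set(installed) | set(reference)):
        if path not in reference:
            report.extra.append(path)
        elif path not in installed:
            report.missing.append(path)
        elif sha256(installed[path]) != sha256(reference[path]):
            name = path.rsplit("/", 1)[-1].lower()
            bucket = report.metadata_changes if name in METADATA_FILES else report.code_changes
            bucket.append(path)
    return report


def triage(report: DiffReport) -> str:
    """Map a report to the outcome a site owner would want to see."""
    if not report.has_code_difference():
        if report.metadata_changes:
            return "metadata-only change (readme updated without a version bump): low priority"
        return "clean"
    if report.same_version_different_code():
        return "code differs under an identical version number: investigate"
    return "code differs and versions differ: update or investigate"


# Constructed sample trees: a reference copy, an install whose readme lags
# behind (point 1), and an install running a beta build with release version (point 3).
MAIN = "example-plugin/example-plugin.php"
README = "example-plugin/readme.txt"
REFERENCE = {
    MAIN: b"<?php\n/*\nPlugin Name: Example\nVersion: 1.4.0\n*/\nfunction ex_run() { return 1; }\n",
    README: b"=== Example ===\nTested up to: 6.4\n",
}
INSTALLED_README_ONLY = dict(REFERENCE, **{README: b"=== Example ===\nTested up to: 6.3\n"})
INSTALLED_BETA = dict(REFERENCE, **{
    MAIN: b"<?php\n/*\nPlugin Name: Example\nVersion: 1.4.0\n*/\nfunction ex_run() { return 2; }\n",
})

if __name__ == "__main__":
    for label, tree in (("readme-only", INSTALLED_README_ONLY), ("beta-build", INSTALLED_BETA)):
        print(label, "->", triage(compare_plugin(tree, REFERENCE)))
```

The point of splitting the report into buckets is that a hash mismatch alone cannot tell the two cases apart: a readme edit and a beta build both hash differently from the repository copy. Only combining the file's role with the version header lets the tool downgrade the first case while keeping the second one as a finding that still needs a human look.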

The topic ‘scan finds changes to readme files’ is closed to new replies.