by fullspectrumdev
685 days ago
> 280 9.0+ vulnerabilities in seventy thousand plugins, the long tail of which have maybe dozens of activations at most.

This actually is a great point. A few years ago when working on a code analysis tool, we mirrored every single WP plugin and let it chew on them for a while. It used a mixture of static and dynamic analysis, and “kinda worked” to some extent. It found more issues than we could reasonably handle, and a lot of them were in plugins with maybe two installs ever and that hadn’t been activated in years. We ran out of beans before implementing a proper triage system that would score the findings based on popularity or “last updated” data. I may revisit this sometime though, as my ideas on static and dynamic analysis have come a long way since then!
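The triage the commenter describes, scoring findings by plugin popularity and last-updated date so that a critical bug in a million-install plugin outranks one in an abandoned two-install plugin, as an added example that is not part of the original thread or of any tool the commenter built. The finding records, install counts and dates below are constructed sample data, and the scoring formula (CVSS times log10 of installs, decayed by a one-year half-life since the last release) is an assumption chosen for illustration, not a published scheme.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import math


@dataclass
class Finding:
    plugin: str            # plugin slug (constructed sample values below)
    title: str             # short description of the finding
    cvss: float            # severity of the finding, 0.0 to 10.0
    active_installs: int   # install count, assumed available from the plugin directory
    last_updated: date     # date of the plugin's most recent release


def recency_factor(last_updated: date, today: date, half_life_days: float = 365.0) -> float:
    """Weight that halves every half_life_days since the plugin's last release.

    Abandoned plugins will not ship a fix, and in practice they also have few
    users; this term down-weights them so they fall to the bottom of the queue
    rather than disappearing entirely.
    """
    age_days = max(0, (today - last_updated).days)
    return 0.5 ** (age_days / half_life_days)


def triage_score(finding: Finding, today: date) -> float:
    """Severity scaled by install base (log10) and by how recently the plugin shipped."""
    popularity = math.log10(finding.active_installs + 1)  # 0 for no installs, 6 for a million
    return finding.cvss * popularity * recency_factor(finding.last_updated, today)


def rank_findings(findings, today: date):
    """Return findings ordered from most to least worth a human's time."""
    return sorted(findings, key=lambda f: triage_score(f, today), reverse=True)


def split_backlog(findings, today: date, threshold: float):
    """Split a ranked list into (actionable, backlog) around a score threshold,
    so a small team only looks at what clears the bar and parks the rest."""
    ranked = rank_findings(findings, today)
    actionable = [f for f in ranked if triage_score(f, today) >= threshold]
    backlog = [f for f in ranked if triage_score(f, today) < threshold]
    return actionable, backlog


# Fixed "today" so the example is deterministic.
TODAY = date(2024, 1, 1)

# Constructed sample findings: the plugin names, install counts and dates are invented.
SAMPLE_FINDINGS = [
    Finding("popular-forms", "Unauthenticated SQL injection in form handler",
            cvss=9.8, active_installs=1_000_000, last_updated=TODAY - timedelta(days=30)),
    Finding("abandoned-widget", "Arbitrary file upload in admin page",
            cvss=9.1, active_installs=2, last_updated=TODAY - timedelta(days=2000)),
    Finding("mid-size-gallery", "Reflected XSS in shortcode attribute",
            cvss=6.5, active_installs=50_000, last_updated=TODAY - timedelta(days=200)),
]


if __name__ == "__main__":
    actionable, backlog = split_backlog(SAMPLE_FINDINGS, TODAY, threshold=1.0)
    for f in actionable:
        print(f"{triage_score(f, TODAY):6.1f}  {f.plugin:20s} {f.title}")
    print(f"--- {len(backlog)} finding(s) parked in the backlog ---")
    for f in backlog:
        print(f"{triage_score(f, TODAY):6.3f}  {f.plugin:20s} {f.title}")
```

The log10 on installs keeps a plugin with a hundred thousand users from drowning out everything else by five orders of magnitude, while still putting it well ahead of a plugin with two; the half-life is the knob to tune if "last updated" should count for more or less than popularity.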