• Resolved fawp

    (@fawp)


    There does not seem to be an option for the plugin to repeat a scan once a vulnerability has been fixed.

    Example:

    • Really Simple SSL says “Critical vulnerability on Plugin xyz with version abc”
    • I perform a plugin update (manually)
    • Really Simple SSL keeps saying “Critical vulnerability on Plugin xyz with version abc” even though I have a new version of the plugin now

    I can’t find a re-scan/repeat scan or equivalent that allows me to resubmit a scan to see if there are more vulnerabilities.

    I couldn’t find anything in the documentation about repeating a scan either.

    I tried to disable and re-enable the plugin. I also deleted the plugin and reinstalled to no avail.


Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    @fawp can you send us the plugin name so we can check if the “fixed in” version data is correct? You can email it to support(at)really-simple-ssl.com

    Thread Starter fawp

    (@fawp)

    Hi @rogierlankhorst – I’m happy to provide it here.

    It’s BuddyPress v. 8.0.0, upgraded to v. 9.2.0.

    Does that mean that your plugin does not need a ‘rescan’ button, because it automatically scans again?

    Thanks.

    Thread Starter fawp

    (@fawp)

    @rogierlankhorst in answer to your question: I just checked

    1. I have reverted to a snapshot prior to installing Really Simple SSL
    2. I have upgraded BP from 8.0.0 to 9.2.0
    3. I have then installed Really Simple SSL
    4. Really Simple SSL no longer reports the vulnerability in question, as expected
    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    @fawp, Really Simple SSL re-checks on plugin updates; the normal procedure is that after the update the notice is gone.

    You can force the check by re-activating the plugin.

    I’ll run some tests to see if we can reproduce it.

    Thread Starter fawp

    (@fawp)

    @rogierlankhorst could it have to do with the fact that I did not update via the ‘Update’ button provided by your plugin but performed a ‘manual’ update?

    Manual updates are necessary for environments where version control testing is important.

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    @fawp yes, that’s probably the cause. I’ll think of a way to deal with that scenario as well. A manual re-scan option is a possible solution.

    Thread Starter fawp

    (@fawp)

    Ok, thanks Rogier.

    Plugin Author Rogier Lankhorst

    (@rogierlankhorst)

    @fawp I’ve created a change which allows a user to recheck by adding

    ?rsssl_check_vulnerabilities

    to the URL. You can use it if a similar situation occurs. I expect it to be included in the next release, or the version after that.
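
The situation in this thread, where a plugin's files are replaced manually so an update-triggered re-check does not run, can be detected by comparing installed plugin versions against a stored snapshot. The following is an added example, not part of the thread and not Really Simple SSL's code; it is written as a WordPress must-use plugin, and the option name `example_plugin_version_snapshot` and the action `example_plugin_versions_changed` are hypothetical names chosen for illustration.

```php
<?php
/**
 * Added example (not Really Simple SSL code): notice plugin version changes
 * made outside the WordPress updater, so cached scan findings can be refreshed.
 */

// Hypothetical option name used to store the last seen versions.
const EXAMPLE_SNAPSHOT_OPTION = 'example_plugin_version_snapshot';

// Read the version of every installed plugin from its header on disk.
function example_current_plugin_versions(): array {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $versions = array();
    foreach ( get_plugins() as $file => $data ) {
        $versions[ $file ] = (string) $data['Version'];
    }
    return $versions;
}

// Compare disk state with the snapshot; fire an action when they differ.
function example_detect_out_of_band_updates(): void {
    $current  = example_current_plugin_versions();
    $previous = get_option( EXAMPLE_SNAPSHOT_OPTION, null );

    if ( ! is_array( $previous ) ) {
        // First run: record a baseline, nothing to compare against yet.
        update_option( EXAMPLE_SNAPSHOT_OPTION, $current, false );
        return;
    }

    $changed = array();
    foreach ( $current as $file => $version ) {
        if ( ( $previous[ $file ] ?? null ) !== $version ) {
            $changed[ $file ] = array( 'from' => $previous[ $file ] ?? null, 'to' => $version );
        }
    }
    $removed = array_keys( array_diff_key( $previous, $current ) );

    if ( $changed || $removed ) {
        update_option( EXAMPLE_SNAPSHOT_OPTION, $current, false );
        // Hypothetical hook: a listener would discard stale findings and re-scan.
        do_action( 'example_plugin_versions_changed', $changed, $removed );
    }
}
add_action( 'admin_init', 'example_detect_out_of_band_updates' );
```

Because the comparison reads plugin headers from disk on each admin request, it reacts to a version change regardless of how the files were replaced.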

  • The topic ‘How do you re-scan after you fixed a vulnerability?’ is closed to new replies.