```bash
docker pull ghcr.io/venantvr-security/python-wpscan-wpvuln-enricher:latest
```

A secureCodeBox hook that enriches WPScan findings with known vulnerability data from the WPVulnerability API.
This hook automatically processes WPScan results and queries the WPVulnerability database to add detailed vulnerability information for each detected WordPress plugin.
```mermaid
flowchart LR
    A[WPScan] --> B[Findings JSON]
    B --> C[WPVuln Enricher]
    C <--> D[(WPVulnerability API)]
    C --> E[Enriched Findings]
    style A fill:#2d6a4f,color:#fff
    style C fill:#f9f,stroke:#333
    style D fill:#bbf,stroke:#333
    style E fill:#95d5b2,stroke:#333
```
| Enricher Version | API Version | API Endpoint | Status |
|---|---|---|---|
| 1.0.0 | 2024-01 | www.wpvulnerability.net | Current |

Deprecation Detection: The enricher performs an API health check at startup. If the API returns `410 Gone` or an incompatible response structure, the container will exit with an error message indicating an update is required.
```mermaid
sequenceDiagram
    participant SCB as secureCodeBox
    participant Hook as WPVuln Enricher
    participant API as WPVulnerability API
    Hook->>API: Health check (startup)
    API-->>Hook: OK / 410 Gone
    SCB->>Hook: READ_FILE (findings.json)
    Hook->>Hook: Extract plugin slugs
    Note over Hook,API: Parallel threads
    Hook->>API: GET /plugin/contact-form-7
    Hook->>API: GET /plugin/elementor
    Hook->>API: GET /plugin/yoast-seo
    API-->>Hook: Vulnerabilities data
    Hook->>Hook: Convert to secureCodeBox format
    Hook->>SCB: WRITE_FILE (enriched findings)
```
- Minimal dependencies - Only the `requests` library
- Parallel processing - Concurrent API calls using ThreadPoolExecutor
- Automatic retry - 3 retries with 2s delay on network failures
- Distroless image - Multi-stage build producing a secure container
- Severity mapping - Automatic classification based on CVSS severity
- API deprecation detection - Fails fast if API version is incompatible
- Tests in Docker build - Unit tests run during image build
Severity is derived from the CVSS score provided by the WPVulnerability API:
| CVSS Severity | secureCodeBox Severity |
|---|---|
| CRITICAL | HIGH |
| HIGH | HIGH |
| MEDIUM | MEDIUM |
| LOW | LOW |
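The severity mapping above and the startup deprecation check described earlier, as an added Python example that is not the hook's own main.py: the shape of the WPVulnerability response it parses (a `vulnerabilities` list with `id`, `title`, `description`, `fixed_in`, `cvss`, `cve`, `cwe` and `references` keys) is a constructed assumption, while the finding it produces follows the output format shown in this README.

```python
import uuid

# CVSS severity label -> secureCodeBox severity, as in the mapping table above.
SEVERITY_MAP = {"CRITICAL": "HIGH", "HIGH": "HIGH", "MEDIUM": "MEDIUM", "LOW": "LOW"}

def map_severity(cvss_severity):
    """Map the API's CVSS label; a missing or unknown label falls back to LOW (assumption)."""
    return SEVERITY_MAP.get(str(cvss_severity or "").upper(), "LOW")

def check_api_health(status_code, body):
    """Fail fast: 410 Gone, or a body lacking the key this version expects (assumed name)."""
    if status_code == 410:
        raise RuntimeError("API DEPRECATED: WPVulnerability API returned 410 Gone")
    if status_code != 200 or not isinstance(body, dict) or "vulnerabilities" not in body:
        raise RuntimeError("API returned an incompatible response structure")
    return True

def to_findings(plugin_slug, plugin_name, location, api_body):
    """Convert one plugin's vulnerability list into secureCodeBox findings."""
    findings = []
    for vuln in api_body.get("vulnerabilities", []):
        cvss = vuln.get("cvss", {})
        fix = f" (fixed in {vuln['fixed_in']})" if vuln.get("fixed_in") else ""
        findings.append({
            "id": str(uuid.uuid4()),
            "name": f"[WPVuln] {plugin_name} - {vuln['title']}",
            "description": f"{vuln['description']}{fix}",
            "category": "WordPress Plugin Vulnerability",
            "location": location,
            "osi_layer": "APPLICATION",
            "severity": map_severity(cvss.get("severity")),
            "attributes": {
                "plugin_slug": plugin_slug, "plugin_name": plugin_name,
                "wpvuln_id": vuln.get("id"),
                "fixed_in": vuln.get("fixed_in"),
                "cvss_score": str(cvss.get("score", "")),
                "cve": vuln.get("cve", []), "cwe": vuln.get("cwe", []),
                "references": vuln.get("references", []),
            },
            "false_positive": False,
        })
    return findings

# Constructed sample response (assumed schema, not the real API's documented format).
SAMPLE_BODY = {"vulnerabilities": [{
    "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "title": "Reflected XSS",
    "description": "The plugin does not sanitize input properly.", "fixed_in": "5.8.4",
    "cvss": {"score": 6.1, "severity": "MEDIUM"}, "cve": ["CVE-2024-12345"],
    "cwe": ["CWE-79"], "references": ["https://www.cve.org/CVERecord?id=CVE-2024-12345"]}]}
```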
Prerequisites:

- Kubernetes cluster with secureCodeBox installed
- WPScan scanner configured

```bash
kubectl apply -f hook.yaml
```

The hook will automatically attach to all scans with the label `scanType: wpscan`.
| Variable | Description | Default |
|---|---|---|
| READ_FILE | Path to input findings JSON | /tmp/findings.json |
| WRITE_FILE | Path to output enriched findings | /tmp/findings.json |
Default resource configuration in hook.yaml:

```yaml
resources:
  requests:
    memory: "64Mi"
    cpu: "50m"
  limits:
    memory: "128Mi"
    cpu: "200m"
```

```mermaid
graph LR
    subgraph Kubernetes
        A[Scan Controller] -->|Scan Complete| B[Hook Controller]
        B -->|Mount findings| C[WPVuln Enricher Pod]
    end
    C -->|REST API| D[(WPVulnerability API)]
    style C fill:#f9f,stroke:#333
    style D fill:#bbf,stroke:#333
```
The hook generates findings in secureCodeBox format:

```json
{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "name": "[WPVuln] Contact Form 7 - Reflected XSS",
  "description": "The plugin does not sanitize input properly. (fixed in 5.8.4)",
  "category": "WordPress Plugin Vulnerability",
  "location": "https://example.com",
  "osi_layer": "APPLICATION",
  "severity": "MEDIUM",
  "attributes": {
    "plugin_slug": "contact-form-7",
    "plugin_name": "Contact Form 7",
    "wpvuln_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "fixed_in": "5.8.4",
    "cvss_score": "6.1",
    "cve": ["CVE-2024-12345"],
    "cwe": ["CWE-79"],
    "references": ["https://www.cve.org/CVERecord?id=CVE-2024-12345"]
  },
  "false_positive": false
}
```

Run the unit tests:

```bash
pip install -r requirements.txt
pytest -v tests/
```

Run the hook locally:

```bash
pip install -r requirements.txt
python main.py
```

Tests are automatically run during the Docker build. If tests fail, the build fails.
```bash
docker build -t python-wpscan-wpvuln-enricher:latest .
```

Check the image labels:

```bash
docker inspect python-wpscan-wpvuln-enricher:latest --format='{{json .Config.Labels}}' | jq
```

Expected output includes:

```json
{
  "com.wpvulnerability.api-version": "2024-01",
  "org.opencontainers.image.version": "1.0.0"
}
```

Run against the sample findings:

```bash
export READ_FILE=./examples/wpscan-findings.json
export WRITE_FILE=./enriched-findings.json
python main.py
```

Run a WPScan in the cluster:

```bash
kubectl apply -f - <<EOF
apiVersion: execution.securecodebox.io/v1
kind: Scan
metadata:
  name: wpscan-example
  labels:
    scanType: wpscan
spec:
  scanType: wpscan
  parameters:
    - "--url"
    - "https://example.com"
EOF
```

The hook automatically enriches the results after scan completion.
On successful startup:

```text
[INFO] WPVuln Enricher v1.0.0 (API version: 2024-01)
[INFO] Checking WPVulnerability API health...
[INFO] API health check passed
[INFO] Loaded 3 finding(s) from /tmp/findings.json
```

On API deprecation:

```text
[INFO] WPVuln Enricher v1.0.0 (API version: 2024-01)
[INFO] Checking WPVulnerability API health...
[FATAL] API DEPRECATED: WPVulnerability API returned 410 Gone. This enricher version (1.0.0) is no longer compatible. Please update to a newer version
```
```mermaid
flowchart TD
    A[Input: WPScan Findings] --> B{WordPress Plugin?}
    B -->|No| C[Skip]
    B -->|Yes| D[Extract slug]
    D --> E[(WPVulnerability API)]
    E --> F{Found?}
    F -->|No| G[Log]
    F -->|Yes| H[Create findings]
    H --> I[Merge]
    C --> I
    G --> I
    I --> J[Output: Enriched Findings]
    style A fill:#fff3b0,stroke:#333
    style J fill:#95d5b2,stroke:#333
    style E fill:#bbf,stroke:#333
```
```text
.
├── main.py                 # Main application code (commented for beginners)
├── requirements.txt        # Python dependencies
├── Dockerfile              # Multi-stage Docker build (distroless)
├── hook.yaml               # secureCodeBox hook manifest
├── README.md               # This file
├── docs/
│   └── DOCKER.md           # Docker commands cheat sheet
├── tests/
│   ├── test_main.py        # Unit tests (15+ tests with pytest)
│   └── test_parser.py      # Parser unit tests
├── examples/
│   ├── wpscan-findings.json                # Sample WPScan input
│   └── wpvulnerability-api-response.json   # Sample API response
└── postman/
    └── WPVulnerability-API.postman_collection.json   # Postman collection
```

License: MIT