fix version compare

fix: using to_inclusive to adjust version compare, fix: add all vulnerable versions in the clean data file, added: jellix version compare

Author: herbie4

.gitattributes

@@ -1,5 +1,6 @@
 {
     "require": {
-        "halaxa/json-machine": "^1.1"
+        "halaxa/json-machine": "^1.1",
+        "jelix/version": "^2.0"
     }
 }

LICENSE

@@ -3,7 +3,7 @@
  * Plugin Name: Check Plugins Vulnerability
  * Plugin URI: https://haha.nl
  * Description: Check the installed website plugins for vulnerability use the wordfence vulnerability data feed api.
- * Version: 1.0.5
+ * Version: 1.0.6
  * Author: herbert hoekstra - haha!
  * Author URI: https://haha.nl
  * Documentation URI: https://haha.nl/wordpress-plug-in-op-maat/
@@ -100,6 +100,8 @@ function settings() {
      // ------------------------
      function activate_this_plugin() {
 
+       require_once __DIR__.'/vendor/autoload.php';
+
        //Checking if the MainWP plugin is enabled. This filter will return true if the main plugin is activated.
        $this->mainwpMainActivated = apply_filters('mainwp_activated_check', $this->mainwpMainActivated);
 
@@ -169,11 +171,16 @@ public function hhdev_get_file_date(){
      }
 
      // check version compare
+     // if A < B -> -1
+     // if A == B -> 0
+     // if A > B -> 1
      // ----------------------
-     //  By default, version_compare() returns -1 if the first version is lower than the second, 0 if they are equal, and 1 if the second is lower.
-     public function hhdev_plugin_needs_update($plugin_version, $data_version){
+     public function hhdev_plugin_needs_update($plugin_version, $data_version, $compare){
+
+       $result = \Jelix\Version\VersionComparator::compareVersion($plugin_version, $data_version);
 
-       if( version_compare($plugin_version,$data_version) <=  0) return true;
+       if($compare == '<' && $result == -1) return true;
+       if($compare == '<=' && $result == 0) return true;
 
        return false;
      }
@@ -202,10 +209,6 @@ public function hhdev_get_version_from_array($array) {
     // -----------------------------
     public function hhdev_make_adapted_file() {
 
-      require_once __DIR__.'/vendor/autoload.php';
-
-      // get updated last month
-
       // get the current date
       date_default_timezone_set(get_option( 'timezone_string' ));
       $cur_date = date('Y-m-d');
@@ -228,7 +231,8 @@ public function hhdev_make_adapted_file() {
         if($plugin->updated > $date) {
           // write to new array
           // check if type is plugin
-          if($plugin->software[0]->type === 'plugin' && !array_key_exists($plugin->software[0]->slug, $file)) $file[$plugin->software[0]->slug] = array(
+          if($plugin->software[0]->type === 'plugin') $file[] = array(
+            'slug' => $plugin->software[0]->slug,
             'title' => $plugin->title,
             'name' => $plugin->software[0]->name,
             'affected_versions' => json_decode(json_encode($plugin->software[0]->affected_versions),true),
@@ -241,7 +245,7 @@ public function hhdev_make_adapted_file() {
 
       }
 
-      //print_r($file['litespeed-cache']);
+    //  print_r($file);
 
       //echo wp_sprintf( '<p>', __('Records saved: %s','hhdev-mwpcpv'), count($file),'</p>');
 
@@ -252,7 +256,6 @@ public function hhdev_make_adapted_file() {
 
     }
 
-
  }
 
  global $MainWPCheckPluginVulnerabilityActivator;
@@ -358,8 +361,9 @@ public function hhdev_make_adapted_file() {
 
  /*
 change log:
-- 1.0.5 fixed missing entries in cleaned data file
-- 1.0.4 removed gitignore from /vendor/
+- 1.0.6 fix: using to_inclusive to adjust version compare, fix: add all vulnerable versions in the clean data file, added: jellix version compare
+- 1.0.5 fix: missing entries in cleaned data file
+- 1.0.4 removed: gitignore from /vendor/
 - 1.0.3 changed adapted file to hold only plugin data
 - 1.0.2 split the file up into 2 files, plugin and dashboard
 - 1.0.1 initial set up

README.md

@@ -151,20 +151,29 @@ public static function hhdev_mwpcpv_render_page() {
                             $plugin_slug = explode('/', $plugin['slug']);
                             $slug = $plugin_slug[0];
 
-                            // load file data before foreach loops
-
                             foreach ( $file as $key => $plugin_data) {
 
-                              if($key === $slug) {
+                              if($plugin_data['slug'] == $slug) {
+
+                                $vuln_notice = false;
 
                                 // is patched?
                                 $patched = wp_sprintf( __('No','hhdev-mwpcpv'));
                                 if($plugin_data['patched']) $patched = wp_sprintf( __('Yes','hhdev-mwpcpv'));
 
                                 // get the vuln version
+                                $vuln_version = '';
                                 $vuln_version = $MainWPCheckPluginVulnerabilityActivator->hhdev_get_version_from_array($plugin_data['affected_versions'])['to_version'];
 
-                                if($MainWPCheckPluginVulnerabilityActivator->hhdev_plugin_needs_update($plugin['version'],$vuln_version)) {
+                                // get the compare operator
+                                $to_inclusive = $MainWPCheckPluginVulnerabilityActivator->hhdev_get_version_from_array($plugin_data['affected_versions'])['to_inclusive'];
+
+                                $compare = '<';
+                                if($to_inclusive) $compare = '<=';
+
+                              //  if ($slug == 'wp-mail-logging') echo '<p>vuln version: '.$vuln_version.' -> plugin: '.$plugin['version'].'-> '.$plugin_data['title'].'</p>';
+
+                                if($MainWPCheckPluginVulnerabilityActivator->hhdev_plugin_needs_update($plugin['version'],$vuln_version,$compare)) {
 
                                   echo '<h3>'.$plugin['name'].'</h3>';
                                   echo wp_sprintf( __('Website plugin version: %s','hhdev-mwpcpv'), $plugin['version']);
@@ -181,7 +190,6 @@ public static function hhdev_mwpcpv_render_page() {
 
                                   // set vuln plugin notice to true
                                   $vuln_notice = true;
-
                                 }
 
                               } // end if