Catalog wordpress plugins

[westonsteimel]

What would you like to be added:

Add a new cataloger to discover wordpress plugins

Why is this needed:
Wordpress is quite heavily used and there are quite a significant number of vulnerability records related to wordpress plugins, so being able to discover available plugins with syft would allow detection later.

Additional context:
Some information on what the expected metadata looks like: https://developer.wordpress.org/reference/functions/get_plugin_data/

Using the quickstart from https://hub.docker.com/r/bitnami/wordpress/, after execing into the wordpress image I get:

wp plugin list
+--------------------------------+----------+--------+---------+
| name                           | status   | update | version |
+--------------------------------+----------+--------+---------+
| akismet                        | inactive | none   | 5.2     |
| all-in-one-wp-migration        | inactive | none   | 7.76    |
| all-in-one-seo-pack            | inactive | none   | 4.4.0.1 |
| amp                            | inactive | none   | 2.4.1   |
| google-analytics-for-wordpress | inactive | none   | 8.17    |
| hello                          | inactive | none   | 1.7.2   |
| jetpack                        | inactive | none   | 12.2.1  |
| simple-tags                    | inactive | none   | 3.8.0   |
| w3-total-cache                 | inactive | none   | 2.3.3   |
| wp-mail-smtp                   | inactive | none   | 3.8.0   |
+--------------------------------+----------+--------+---------+

The plugins in that image end up under /bitnami/wordpress/wp-content/plugins/. There is information about discovering the plugin directory at https://developer.wordpress.org/plugins/plugin-basics/determining-plugin-and-content-directories/ but possibly something like **/wp-content/plugins/ would suffice

Looking at the (truncated) contents for one specific plugin:

cat /bitnami/wordpress/wp-content/plugins/wp-mail-smtp/wp_mail_smtp.php
<?php
/**
 * Plugin Name: WP Mail SMTP
 * Version: 3.8.0
 * Requires at least: 5.2
 * Requires PHP: 7.2
 * Plugin URI: https://wpmailsmtp.com/
 * Description: Reconfigures the <code>wp_mail()</code> function to use Gmail/Mailgun/SendGrid/SMTP instead of the default <code>mail()</code> and creates an options page to manage the settings.
 * Author: WP Mail SMTP
 * Author URI: https://wpmailsmtp.com/
 * Network: false
 * Text Domain: wp-mail-smtp
 * Domain Path: /assets/languages
 */

/**
 * @author    WPForms
 * @copyright WPForms, 2007-23, All Rights Reserved
 * This code is released under the GPL licence version 3 or later, available here
 * https://www.gnu.org/licenses/gpl.txt
 */

/**
 * Setting options in wp-config.php
 *
 * Specifically aimed at WP Multisite users, you can set the options for this plugin as
 * constants in wp-config.php. Copy the code below into wp-config.php and tweak settings.
 * Values from constants are NOT stripslash()'ed.
 *
 * When enabled, make sure to comment out (at the beginning of the line using //) those constants that you do not need,
 * or remove them completely, so they won't interfere with plugin settings.
 */

/*

[disc]

Hey there! I started working on this feature but found these lines in grype package during debugging why I didn't see vulnerable wordpress packages.

These lines mark wordpress as a "known target" and ignore these vulnerabilities:

// There are some common target software CPE components which are not currently
// supported by syft but are signifcant sources of false positives and should be
// considered known for the purposes of filtering here
known := map[string]bool{
    "wordpress":  true,
    "wordpress_": true,
    "joomla":     true,
    "joomla\\!":  true,
    "drupal":     true,
}

@wagoodman which order of making changes should I follow to deliver/release new wordpress cataloger with minimal impact on false positives?

• Release a new cataloger first in Syft package
• and than Remove wordpress mentions in Grype package