refactor: move WordPress module to another repository (#2329)

* refactor: remove go.mod/sum from example

* move a wordpress example out

docs/docs/advanced/modules.md

@@ -123,6 +123,13 @@ In the following tutorial, it creates a WordPress module that detects a WordPres
     You can use logging functions such as `Debug` and `Info` for debugging.
     See [examples](#examples) for the detail.
 
+#### Initialize your module
+Replace the repository name with yours.
+
+```
+$ go mod init github.com/aquasecurity/trivy-module-wordpress
+```
+
 #### Module interface
 `Version()` returns your module version and should be incremented after updates.
 `Name()` returns your module name.
@@ -345,7 +352,7 @@ Digest: sha256:6416d0199d66ce52ced19f01d75454b22692ff3aa7737e45f7a189880840424f
 [wazero]: https://github.com/tetratelabs/wazero
 
 [trivy-module-spring4shell]: https://github.com/aquasecurity/trivy/tree/main/examples/module/spring4shell
-[trivy-module-wordpress]: https://github.com/aquasecurity/trivy/tree/main/examples/module/wordpress
+[trivy-module-wordpress]: https://github.com/aquasecurity/trivy-module-wordpress
 
 [tinygo-installation]: https://tinygo.org/getting-started/install/
 [oras]: https://oras.land/cli/

examples/module/spring4shell/go.mod

@@ -1,18 +0,0 @@
-module github.com/aquasecurity/trivy-module-spring4shell
-
-go 1.18
-
-// It points to local Trivy for testing. Normal WASM modules don't need the replace directive.
-replace github.com/aquasecurity/trivy => ../../../
-
-require github.com/aquasecurity/trivy v0.0.0-00010101000000-000000000000
-
-require (
-	github.com/aquasecurity/fanal v0.0.0-20220614123434-09d6aced4205 // indirect
-	github.com/aquasecurity/trivy-db v0.0.0-20220602091213-39d8a6798e07 // indirect
-	github.com/caarlos0/env/v6 v6.9.3 // indirect
-	github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-)

examples/module/wordpress/README.md

@@ -1,31 +0,0 @@
-# WoredPress module
-
-This module provides a more in-depth investigation of Wordpress detection.
-
-## Set up
-
-```
-$ tinygo build -o wordpress.wasm -scheduler=none -target=wasi --no-debug wordpress.go 
-$ mkdir -p ~/.trivy/modules
-$ cp wordpress.wasm ~/.trivy/modules
-```
-
-It is also available in [GHCR][trivy-module-wordpress].
-You can install it via `trivy module install`.
-
-```bash
-$ trivy module install ghcr.io/aquasecurity/trivy-module-wordpress
-2022-06-13T15:32:21.972+0300    INFO    Installing the module from ghcr.io/aquasecurity/trivy-module-wordpress...
-```
-
-## Run Trivy
-
-```
-$ trivy image wordpress:5.7.1
-2022-05-29T22:35:04.873+0300    INFO    Loading wordpress.wasm...
-2022-05-29T22:35:05.348+0300    INFO    Registering WASM module: wordpress@v1
-```
-
-In the above example, CVE-2020-36326 and CVE-2018-19296 will be detected if the WordPress version is vulnerable.
-
-[trivy-module-wordpress]: https://github.com/orgs/aquasecurity/packages/container/package/trivy-module-wordpress

examples/module/wordpress/go.mod

@@ -1,21 +0,0 @@
-module github.com/aquasecurity/trivy-module-spring4shell
-
-go 1.18
-
-// It points to local Trivy for testing. Normal WASM modules don't need the replace directive.
-replace github.com/aquasecurity/trivy => ../../../
-
-require (
-	github.com/aquasecurity/trivy v0.0.0-00010101000000-000000000000
-	github.com/aquasecurity/trivy-db v0.0.0-20220602091213-39d8a6798e07
-	github.com/hashicorp/go-version v1.4.0
-)
-
-require (
-	github.com/aquasecurity/fanal v0.0.0-20220614123434-09d6aced4205 // indirect
-	github.com/caarlos0/env/v6 v6.9.3 // indirect
-	github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475 // indirect
-	github.com/josharian/intern v1.0.0 // indirect
-	github.com/mailru/easyjson v0.7.6 // indirect
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-)

examples/module/wordpress/wordpress.go

@@ -1,165 +0,0 @@
-//go:build tinygo.wasm
-
-package main
-
-import (
-	"bufio"
-	"fmt"
-	"os"
-	"strings"
-
-	"github.com/hashicorp/go-version"
-
-	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
-	"github.com/aquasecurity/trivy/pkg/module/api"
-	"github.com/aquasecurity/trivy/pkg/module/serialize"
-	"github.com/aquasecurity/trivy/pkg/module/wasm"
-	"github.com/aquasecurity/trivy/pkg/types"
-)
-
-const (
-	moduleVersion = 1
-	moduleName    = "wordpress"
-	typeWPVersion = "wordpress-version"
-)
-
-// main is required for TinyGo to compile to Wasm.
-func main() {
-	wasm.RegisterModule(WordpressModule{})
-}
-
-type WordpressModule struct {
-	// Cannot define fields as modules can't keep state.
-}
-
-func (WordpressModule) Version() int {
-	return moduleVersion
-}
-
-func (WordpressModule) Name() string {
-	return moduleName
-}
-
-func (WordpressModule) RequiredFiles() []string {
-	return []string{
-		`wp-includes\/version.php`,
-	}
-}
-
-func (s WordpressModule) Analyze(filePath string) (*serialize.AnalysisResult, error) {
-	f, err := os.Open(filePath) // e.g. filePath: /usr/src/wordpress/wp-includes/version.php
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	var wpVersion string
-	scanner := bufio.NewScanner(f)
-	for scanner.Scan() {
-		line := scanner.Text()
-		if !strings.HasPrefix(line, "$wp_version") {
-			continue
-		}
-
-		ss := strings.Split(line, "=")
-		if len(ss) != 2 {
-			return nil, fmt.Errorf("invalid wordpress version: %s", line)
-		}
-
-		// NOTE: it is an example; you actually need to handle comments, etc
-		ss[1] = strings.TrimSpace(ss[1])
-		wpVersion = strings.Trim(ss[1], `''";`)
-		wasm.Info(fmt.Sprintf("WordPress Version: %s", wpVersion))
-	}
-
-	if err = scanner.Err(); err != nil {
-		return nil, err
-	}
-
-	return &serialize.AnalysisResult{
-		CustomResources: []serialize.CustomResource{
-			{
-				Type:     typeWPVersion,
-				FilePath: filePath,
-				Data:     wpVersion,
-			},
-		},
-	}, nil
-}
-
-func (WordpressModule) PostScanSpec() serialize.PostScanSpec {
-	return serialize.PostScanSpec{
-		Action: api.ActionInsert, // Add new vulnerabilities
-	}
-}
-
-func (WordpressModule) PostScan(results serialize.Results) (serialize.Results, error) {
-	wasm.Info("post scan")
-
-	// https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d
-	affectedVersion, err := version.NewConstraint(">=5.7, <5.7.2")
-	if err != nil {
-		return nil, err
-	}
-
-	var (
-		vulnerable        bool
-		wpPath, wpVersion string
-	)
-	for _, result := range results {
-		if result.Class != types.ClassCustom {
-			continue
-		}
-
-		for _, c := range result.CustomResources {
-			if c.Type != typeWPVersion {
-				continue
-			}
-			wpPath = c.FilePath
-			wpVersion = c.Data.(string)
-			wasm.Info(fmt.Sprintf("WordPress Version: %s", wpVersion))
-
-			ver, err := version.NewVersion(wpVersion)
-			if err != nil {
-				return nil, err
-			}
-			if affectedVersion.Check(ver) {
-				vulnerable = true
-			}
-			break
-		}
-	}
-
-	if vulnerable {
-		// Add CVE-2020-36326 and CVE-2018-19296
-		results = append(results, serialize.Result{
-			Target: wpPath,
-			Class:  types.ClassLangPkg,
-			Type:   "wordpress",
-			Vulnerabilities: []types.DetectedVulnerability{
-				{
-					VulnerabilityID:  "CVE-2020-36326",
-					PkgName:          "wordpress",
-					InstalledVersion: wpVersion,
-					FixedVersion:     "5.7.2",
-					Vulnerability: dbTypes.Vulnerability{
-						Title:    "PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname.",
-						Severity: "CRITICAL",
-					},
-				},
-				{
-					VulnerabilityID:  "CVE-2018-19296",
-					PkgName:          "wordpress",
-					InstalledVersion: wpVersion,
-					FixedVersion:     "5.7.2",
-					Vulnerability: dbTypes.Vulnerability{
-						Title:    "PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack.",
-						Severity: "HIGH",
-					},
-				},
-			},
-		})
-	}
-
-	return results, nil
-}