Code Scanning
Source: code scanning
Needs attention
- The custom plugin scan found 4 security vulnerabilities (Vulnerability)
- The custom plugin scan found 117 bugs (Bug) that may cause unexpected behaviour
- 24 security hotspots (Security Hotspot) are awaiting manual review and may carry security risk
3 items in total: 1 High / 2 Medium
Security vulnerabilities
- Issue: the custom plugin scan found 4 security vulnerabilities (Vulnerability)
- Cause: the plugin code contains known insecure patterns (e.g. SQL Injection, XSS)
- Recommendation: fix each vulnerability according to the SonarQube report, handling the CRITICAL and BLOCKER levels first
- Impact: impact level of this item: High
- Acceptance: Vulnerabilities = 0
Bugs
- Issue: the custom plugin scan found 117 bugs (Bug) that may cause unexpected behaviour
- Cause: logic errors in the code or unhandled edge cases
- Recommendation: fix the bugs according to the SonarQube report
- Impact: impact level of this item: Medium
- Acceptance: Bugs = 0
Security hotspots
- Issue: 24 security hotspots (Security Hotspot) are awaiting manual review and may carry security risk
- Cause: the code matches patterns associated with known security risks; manual confirmation is needed to decide whether each one is an actual vulnerability
- Recommendation: review each Security Hotspot, confirm the risk and fix it
- Impact: impact level of this item: Medium
- Acceptance: all Security Hotspots have been reviewed
Scan summary
| Metric | Count | Priority |
|---|---|---|
| Security vulnerabilities (Vulnerability) | 4 | Immediate |
| Bugs (Bug) | 117 | Short-term |
| Security hotspots (Security Hotspot) | 24 | Review |
| Code smells (Code Smell) | 4761 | Long-term |
Issue details
cw-tappay (30 issues)
| Severity | Rule | Message | File |
|---|---|---|---|
| CRITICAL | php:S4830 | Enable server certificate validation on this SSL/TLS connection. | |
| CRITICAL | php:S5527 | Enable server hostname verification on this SSL/TLS connection. | |
| CRITICAL | javascript:S930 | This function expects no arguments, but 1 was provided. | |
| MAJOR | php:S1848 | Either remove this useless object instantiation of class "Handler" or use it | |
| MAJOR | php:S3923 | Remove this conditional structure or edit its code blocks so that they're not all the same. | |
| MAJOR | php:S3923 | Remove this conditional structure or edit its code blocks so that they're not all the same. | |
| MAJOR | php:S1848 | Either remove this useless object instantiation of class "Puc_v4p10_Autoloader" or use it | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1226 | Introduce a new variable instead of reusing the parameter "$stdResult". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1226 | Introduce a new variable instead of reusing the parameter "$stdResult". | |
| MINOR | php:S1226 | Introduce a new variable instead of reusing the parameter "$intRenewalTotal". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
cw-tappay-2nd (22 issues)
| Severity | Rule | Message | File |
|---|---|---|---|
| CRITICAL | php:S4830 | Enable server certificate validation on this SSL/TLS connection. | |
| CRITICAL | php:S5527 | Enable server hostname verification on this SSL/TLS connection. | |
| CRITICAL | javascript:S930 | This function expects no arguments, but 1 was provided. | |
| MAJOR | php:S1848 | Either remove this useless object instantiation of class "Handler" or use it | |
| MAJOR | php:S3923 | Remove this conditional structure or edit its code blocks so that they're not all the same. | |
| MAJOR | php:S3923 | Remove this conditional structure or edit its code blocks so that they're not all the same. | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1226 | Introduce a new variable instead of reusing the parameter "$stdResult". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1226 | Introduce a new variable instead of reusing the parameter "$stdResult". | |
| MINOR | php:S1226 | Introduce a new variable instead of reusing the parameter "$intRenewalTotal". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
cw-linepay (23 issues)
| Severity | Rule | Message | File |
|---|---|---|---|
| BLOCKER | php:S5911 | Create class "Exception" in namespace or check correct import of class | |
| MAJOR | php:S1848 | Either remove this useless object instantiation of class "Extend" or use it | |
| MAJOR | php:S1848 | Either remove this useless object instantiation of class "Handler" or use it | |
| MAJOR | php:S3923 | Remove this conditional structure or edit its code blocks so that they're not all the same. | |
| MAJOR | php:S1848 | Either remove this useless object instantiation of class "Puc_v4p10_Autoloader" or use it | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this method "init_form_fields". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this method "get_icon". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this method "process_payment". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
_unknown (15 issues)
| Severity | Rule | Message | File |
|---|---|---|---|
| CRITICAL | css:S4657 | Unexpected shorthand "margin" after "margin-top" | |
| MAJOR | php:S1848 | Either remove this useless object instantiation of class "P_Firewall" or use it | |
| MAJOR | php:S1848 | Either remove this useless object instantiation of class "Safe_Mode" or use it | |
| MAJOR | php:S3923 | Remove this conditional structure or edit its code blocks so that they're not all the same. | |
| MAJOR | php:S5850 | Group parts of the regex together to make the intended operator precedence explicit. | |
| MINOR | Web:MouseEventWithoutKeyboardEquivalentCheck | Add a 'onKeyPress|onKeyDown|onKeyUp' attribute to this <div> tag. | |
| MINOR | Web:MouseEventWithoutKeyboardEquivalentCheck | Add a 'onKeyPress|onKeyDown|onKeyUp' attribute to this <span> tag. | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | Web:MouseEventWithoutKeyboardEquivalentCheck | Add a 'onKeyPress|onKeyDown|onKeyUp' attribute to this <span> tag. | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
cw-ecpay-ei (19 issues)
| Severity | Rule | Message | File |
|---|---|---|---|
| MAJOR | php:S1848 | Either remove this useless object instantiation of class "Puc_v4p10_Autoloader" or use it | |
| MAJOR | Web:S5256 | Add "<th>" headers to this "<table>". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S1784 | Explicitly mention the visibility of this constructor "__construct". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S2003 | Replace "include" with "include_once". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
ld-content-cloner (8 issues)
| Severity | Rule | Message | File |
|---|---|---|---|
| MAJOR | css:S4649 | Unexpected missing generic font family | |
| MAJOR | php:S1656 | Remove or correct this useless self-assignment | |
| MAJOR | php:S1656 | Remove or correct this useless self-assignment | |
| MAJOR | php:S1656 | Remove or correct this useless self-assignment | |
| MAJOR | php:S1848 | Either remove this useless object instantiation of class "\Licensing\WdmLicense" or use it | |
| MAJOR | Web:S5256 | Add "<th>" headers to this "<table>". | |
| MINOR | php:S2003 | Replace "require" with "require_once". | |
| MINOR | php:S1226 | Introduce a new variable instead of reusing the parameter "$licenseStatus". | |
social-login-system (3 issues)
| Severity | Rule | Message | File |
|---|---|---|---|
| MAJOR | php:S3923 | Remove this conditional structure or edit its code blocks so that they're not all the same. | |
| MAJOR | Web:S5256 | Add "<th>" headers to this "<table>". | |
| MAJOR | php:S1848 | Either remove this useless object instantiation of class "SocialLoginSystem" or use it | |
wc-chailease-payment (1 issue)
| Severity | Rule | Message | File |
|---|---|---|---|
| MINOR | php:S2003 | Replace "include" with "include_once". | |
Security Hotspots (24)
| Risk | Rule | Message | File |
|---|---|---|---|
| HIGH | php:S6418 | 'SECRET' detected in this expression, review this potentially hard-coded secret. | wp-content/mu-plugins/academy-sso-provider.php:13 |
| HIGH | php:S6418 | 'SECRET' detected in this expression, review this potentially hard-coded secret. | wp-content/mu-plugins/academy-user-cart-api.php:21 |
| HIGH | php:S2068 | Detected 'password' in this variable name, review this potentially hardcoded credential. | wp-content/mu-plugins/academy-product-card-admin.bak.20260422_065036/inc/class-academy-apc-admin.php:26 |
| MEDIUM | javascript:S5852 | Make sure the regex used here, which is vulnerable to super-linear runtime due to backtracking, cannot lead to denial of service. | wp-content/plugins/cw-tappay-2nd/js/cw-tappay.js:287 |
| MEDIUM | javascript:S5852 | Make sure the regex used here, which is vulnerable to super-linear runtime due to backtracking, cannot lead to denial of service. | wp-content/plugins/cw-tappay/js/cw-tappay.js:275 |
| MEDIUM | php:S2245 | Make sure that using this pseudorandom number generator is safe here. | wp-content/plugins/cw-ecpay-ei/plugin-update-checker/Puc/v4p10/OAuthSignature.php:93 |
| MEDIUM | php:S2245 | Make sure that using this pseudorandom number generator is safe here. | wp-content/plugins/cw-ecpay-ei/plugin-update-checker/Puc/v4p10/Scheduler.php:56 |
| MEDIUM | php:S2245 | Make sure that using this pseudorandom number generator is safe here. | wp-content/plugins/cw-linepay/plugin-update-checker/Puc/v4p10/OAuthSignature.php:93 |
| MEDIUM | php:S2245 | Make sure that using this pseudorandom number generator is safe here. | wp-content/plugins/cw-linepay/plugin-update-checker/Puc/v4p10/Scheduler.php:56 |
| MEDIUM | php:S2245 | Make sure that using this pseudorandom number generator is safe here. | wp-content/plugins/cw-tappay/plugin-update-checker/Puc/v4p10/OAuthSignature.php:93 |
| MEDIUM | php:S2245 | Make sure that using this pseudorandom number generator is safe here. | wp-content/plugins/cw-tappay/plugin-update-checker/Puc/v4p10/Scheduler.php:56 |
| MEDIUM | php:S2245 | Make sure that using this pseudorandom number generator is safe here. | wp-content/plugins/wc-chailease-payment/includes/class-wc-chailease-payment-gateway-base.php:57 |
| LOW | php:S4790 | Make sure this weak hash algorithm is not used in a sensitive context here. | wp-content/mu-plugins/academy-user-cart-api.php:135 |
| LOW | php:S4790 | Make sure this weak hash algorithm is not used in a sensitive context here. | wp-content/mu-plugins/academy-user-cart-api.php:166 |
| LOW | php:S4790 | Make sure this weak hash algorithm is not used in a sensitive context here. | wp-content/plugins/cw-ecpay-ei/plugin-update-checker/Puc/v4p10/OAuthSignature.php:96 |
| LOW | php:S4790 | Make sure this weak hash algorithm is not used in a sensitive context here. | wp-content/plugins/cw-linepay/plugin-update-checker/Puc/v4p10/OAuthSignature.php:96 |
| LOW | php:S4790 | Make sure this weak hash algorithm is not used in a sensitive context here. | wp-content/plugins/cw-tappay/plugin-update-checker/Puc/v4p10/OAuthSignature.php:96 |
| LOW | php:S4790 | Make sure this weak hash algorithm is not used in a sensitive context here. | wp-content/plugins/ld-content-cloner/licensing/class-wdm-plugin-updater.php:48 |
| LOW | php:S4790 | Make sure this weak hash algorithm is not used in a sensitive context here. | wp-content/plugins/ld-content-cloner/licensing/class-wdm-plugin-updater.php:156 |
| LOW | php:S4790 | Make sure this weak hash algorithm is not used in a sensitive context here. | wp-content/plugins/social-login-system/social-login-system.php:1453 |
| LOW | php:S4790 | Make sure this weak hash algorithm is not used in a sensitive context here. | wp-content/plugins/social-login-system/social-login-system.php:1469 |
| LOW | php:S4790 | Make sure this weak hash algorithm is not used in a sensitive context here. | wp-content/plugins/social-login-system/social-login-system.php:1482 |
| LOW | php:S4790 | Make sure this weak hash algorithm is not used in a sensitive context here. | wp-content/plugins/social-login-system/social-login-system.php:1506 |
| LOW | php:S4790 | Make sure this weak hash algorithm is not used in a sensitive context here. | wp-content/plugins/wc-chailease-payment/includes/class-wc-chailease-payment-gateway-base.php:57 |
Suggested remediation steps
| Step | Action | Owner |
|---|---|---|
| 1 | Fix CRITICAL/BLOCKER issues file by file according to the tables above | Development |
| 2 | Fix MAJOR bugs | Development |
| 3 | Review each Security Hotspot and confirm whether it is an actual vulnerability | Development |
| 4 | Re-run SonarQube to verify | Operations |
Acceptance
Re-run the SonarQube scan: Vulnerabilities = 0, and the Bug count keeps decreasing.
