cpan-audit's Introduction

NAME

cpan-audit - Audit CPAN modules

SYNOPSIS

cpan-audit [command] [options]

Commands:

module         [version range]    audit module with optional version range (all by default)
dist|release   [version range]    audit distribution with optional version range (all by default)
deps           [directory]        audit dependencies from the directory (. by default)
installed                         audit all installed modules
show           [advisory id]      show information about specific advisory

Options:

--ascii               use ascii output
--freshcheck|f        check the database for freshness (CPAN::Audit::FreshnessCheck)
--help|h              show the help message and exit
--no-color            switch off colors
--no-corelist         ignore modules bundled with perl version
--perl                include perl advisories
--quiet               be quiet
--verbose             be verbose
--version             show the version and exit
--exclude <str>       exclude/ignore the specified advisory/cve (multiple)
--exclude-file <file> read exclude/ignore patterns from file
--json <file>         save audit results in JSON format in a file

Examples:

cpan-audit dist Catalyst-Runtime
cpan-audit dist Catalyst-Runtime 7.0
cpan-audit dist Catalyst-Runtime '>5.48'

cpan-audit module Catalyst 7.0

cpan-audit deps .
cpan-audit deps /path/to/distribution

cpan-audit installed
cpan-audit installed local/
cpan-audit installed local/ --exclude CVE-2011-4116
cpan-audit installed local/ --exclude CVE-2011-4116 --exclude CVE-2011-123
cpan-audit installed local/ --exclude-file ignored-cves.txt
cpan-audit installed --json audit.json

cpan-audit show CPANSA-Mojolicious-2018-03

DESCRIPTION

cpan-audit is a command-line application that checks modules or distributions for known vulnerabilities. It uses an internal database that is automatically generated from the hand-picked database at https://github.com/briandfoy/cpan-security-advisory.

cpan-audit does not connect to anything, which is why it is important to keep it up to date. Every update of the internal database is released as a new version. Ensure that you have the latest database by updating CPAN::Audit frequently; the database can change daily. You can enable a warning for a possibly out-of-date database by adding --freshcheck, which warns if the database version is older than a month:

    % cpan-audit --freshcheck ...
    % cpan-audit -f ...

    % env CPAN_AUDIT_FRESH_DAYS=7 cpan-audit -f ...

Finding dependencies

cpan-audit can automatically detect dependencies from the following sources:

  • Carton

    Parses cpanfile.snapshot file and checks the distribution versions.

  • cpanfile

    Parses cpanfile taking into account the required versions.

If the required version of a module is lower than the version of a release that fixes a known vulnerability, the module is considered affected.

Exit values

In prior versions, cpan-audit exited with the number of advisories it found. Starting with 1.001, if there are advisories found, cpan-audit exits with 64 added to that number.

  • 0 - normal operation
  • 2 - problem with program invocation, such as bad switches or values
  • 64+n - advisories found. Subtract 64 to get the advisory count
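A CI gate that interprets these exit statuses, as an added example (it is not part of cpan-audit; the function names classify_audit_status, audit_gate and run_audit are hypothetical, and the flags are the ones listed under Options). It fails closed on any status outside the documented list, because versions before 1.001 used the raw advisory count as the exit status.

```shell
#!/bin/sh
# Added example, not cpan-audit's own code. Function names are hypothetical.

# Map a cpan-audit exit status to a verdict, following "Exit values":
#   0 = normal operation, 2 = bad invocation, 64+n = n advisories found.
# An exit status is a single byte, so counts above 191 cannot be
# represented; use the --json report for the full list of findings.
classify_audit_status() {
    code=$1
    case "$code" in
        ''|*[!0-9]*) echo "error:non-numeric"; return 0 ;;
    esac
    if [ "$code" -eq 0 ]; then
        echo "clean"
    elif [ "$code" -eq 2 ]; then
        echo "usage-error"
    elif [ "$code" -gt 64 ] && [ "$code" -le 255 ]; then
        echo "advisories:$((code - 64))"
    else
        # 1, 3..64 and anything above 255 are not in the documented list.
        # From a pre-1.001 install a small value is a raw advisory count,
        # so the caller must not treat it as success.
        echo "unexpected:$code"
    fi
}

# Turn the verdict into a pass/fail decision. Only "clean" passes.
audit_gate() {
    verdict=$(classify_audit_status "$1")
    case "$verdict" in
        clean)
            echo "PASS: no advisories"
            return 0 ;;
        advisories:*)
            echo "FAIL: ${verdict#advisories:} advisories found"
            return 1 ;;
        usage-error)
            echo "FAIL: cpan-audit was invoked with bad switches or values"
            return 2 ;;
        *)
            echo "FAIL: undocumented exit status (${verdict#*:}); check the installed version"
            return 3 ;;
    esac
}

# Audit the dependencies of a distribution directory and gate on the result.
# --freshcheck warns about a stale database; --json keeps a report for triage.
run_audit() {
    dir=${1:-.}
    code=0
    cpan-audit deps "$dir" --freshcheck --quiet --json audit.json || code=$?
    audit_gate "$code"
}

# In a CI job:  run_audit /path/to/distribution
```
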

LICENSE

Copyright (C) Viacheslav Tykhanovskyi.

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

cpan-audit's People

Contributors

akiym, bleargh45, briandfoy, garu, gregoa, guest20, jraspass, reneeb, schelcj, sjn, skaji, zakame

cpan-audit's Issues

still seeing in_range issues

I'm still seeing issues with the in_range test. Running the code below in the debugger in perl 5.36 and 5.34 passes but fails in <5.34.

use strict;
use warnings;
use Test::More;
use CPAN::Audit::Version;

END { done_testing(); }

my $version = CPAN::Audit::Version->new();

ok($version->in_range('0.11', '>0'), 'in range');

This can be tested with a docker command like docker run -it --entrypoint='' -v $(pwd):/app/ -w /app perl:5.34 perl -d -Ilib/ ./test.p. Here is the same code in 5.32 and 5.34.

$ docker run -it  --entrypoint='' -v $(pwd):/app/ -w /app perl:5.32 perl -d -Ilib/ ./test.pl

Loading DB routines from perl5db.pl version 1.57
Editor support available.

Enter h or 'h h' for help, or 'man perldebug' for more help.

Test2::API::CODE(0x55d6ab422d30)(/usr/local/lib/perl5/5.32.1/Test2/API.pm:71):
71:         INIT { eval 'END { test2_set_is_end() }; 1' or die $@ }
  DB<1> n
Test2::API::CODE(0x55d6ab422d30)((eval 11)[/usr/local/lib/perl5/5.32.1/Test2/API.pm:71]:1):
1:      END { test2_set_is_end() }; 1
  DB<1> 
Test::Builder::CODE(0x55d6ab6e4f90)(/usr/local/lib/perl5/5.32.1/Test/Builder.pm:94):
94:             Test2::API::test2_load() unless Test2::API::test2_in_preload();
  DB<1> 
main::(./test.pl:8):    my $version = CPAN::Audit::Version->new();
  DB<1> 
main::(./test.pl:10):   ok($version->in_range('0.11', '>0'), 'in range');
  DB<1> 
not ok 1 - in range
#   Failed test 'in range'
#   at ./test.pl line 10.
1..1
# Looks like you failed 1 test of 1.
Debugged program terminated.  Use q to quit or R to restart,
use o inhibit_exit to avoid stopping after program termination,
h q, h R or h o to get additional info.
  DB<1> q

$ docker run -it  --entrypoint='' -v $(pwd):/app/ -w /app perl:5.34 perl -d -Ilib/ ./test.pl

Loading DB routines from perl5db.pl version 1.60
Editor support available.

Enter h or 'h h' for help, or 'man perldebug' for more help.

Test2::API::CODE(0x55d3de0ff758)(/usr/local/lib/perl5/5.34.0/Test2/API.pm:71):
71:         INIT { eval 'END { test2_set_is_end() }; 1' or die $@ }
  DB<1> n
Test2::API::CODE(0x55d3de0ff758)((eval 11)[/usr/local/lib/perl5/5.34.0/Test2/API.pm:71]:1):
1:      END { test2_set_is_end() }; 1
  DB<1> 
Test::Builder::CODE(0x55d3de3e1400)(/usr/local/lib/perl5/5.34.0/Test/Builder.pm:134):
134:            Test2::API::test2_load() unless Test2::API::test2_in_preload();
  DB<1> 
main::(./test.pl:8):    my $version = CPAN::Audit::Version->new();
  DB<1> 
main::(./test.pl:10):   ok($version->in_range('0.11', '>0'), 'in range');
  DB<1> 
ok 1 - in range
1..1
Debugged program terminated.  Use q to quit or R to restart,
use o inhibit_exit to avoid stopping after program termination,
h q, h R or h o to get additional info.
  DB<1> q

Test failure (Perl 5.34.0)

t/cli.t ........ ok
t/excludes.t ... ok
t/installed.t .. ok

    #   Failed test at t/json.t line 24.
    #                   ''
    #     doesn't match '(?^:Discovered 1 dependencies)'

    #   Failed test at t/json.t line 25.
    #          got: 'Discovered 1 dependencies
    # '
    #     expected: ''

    #   Failed test at t/json.t line 26.
    #          got: 'HASH(0x3a5d580)'
    #     expected: '1'

    #   Failed test at t/json.t line 29.
    #                   ''
    #     doesn't match '(?^:CPANSATest)'
    # Looks like you failed 4 tests of 4.

#   Failed test 'json file'
#   at t/json.t line 32.
# Looks like you failed 1 test of 1.
t/json.t ....... 
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/1 subtests 
t/query.t ...... ok
t/version.t .... ok

Test Summary Report
-------------------
t/json.t     (Wstat: 256 Tests: 1 Failed: 1)
  Failed test:  1
  Non-zero exit status: 1
Files=6, Tests=10,  1 wallclock secs ( 0.02 usr  0.01 sys +  0.67 cusr  0.07 csys =  0.77 CPU)
Result: FAIL
Failed 1/6 test programs. 1/10 subtests failed.
Makefile:928: recipe for target 'test_dynamic' failed
make: *** [test_dynamic] Error 255

Allow ignoring/exclusions of certain CPAN security advisories

I'm having a problem that the File::Temp vulnerability (CPANSA-File-Temp-2011-4116) doesn't have a fix, so it will always generate a failure when scanning for vulnerabilities.

Is it possible to add an option to exclude certain named vulnerabilities, or exclude vulnerabilities that have no fixed version?

CPAN::Audit::Version::in_range issues?

I'm stumped by the behavior of the in_range test in CPAN::Audit::Version. I've found some dists will not show some, or all, advisories but I don't understand why yet.

For example, the dist App-japerl has a single advisory in the database. However, the simple test script below finds none.

$ cat test.pl 
#!/usr/bin/env perl

use strict;
use warnings;
use CPAN::Audit;
use Data::Dumper;

my $dist  = $ARGV[0];
my $audit = CPAN::Audit->new();

print Dumper $audit->{query}->advisories_for($dist), $dist;

$ perl -Ilib/ ./test.pl App-japerl
$VAR1 = 'App-japerl';

Stepping through the debugger for another module shows that in_range says that 0.11 is not in range >0.

  CPAN::Audit::Version::in_range(lib/CPAN/Audit/Version.pm:48):
  48:             $result = $ops->{$op}->( version::vcmp($version, $range_version) );

  DB<<34>> CPAN::Audit::Version::in_range(lib/CPAN/Audit/Version.pm:49):
  49:             last if $result == 0;

  DB<<34>> x $result
  0  ''

  DB<<35>> x version::vcmp($version, $range_version)
  0  '-1'

  DB<<36>> x $version
  0  0.11

  DB<<37>> x $range_version
  0  0

  DB<<38>> x $op
  0  '>'

I plugged those same versions into the t/version.t test and tests pass. Any idea what might be going on here?

missing versions in database generation

There are advisories defined for modules that will not show up when advisories_for() is called because there is are versions defined in the DB. CPAN::Audit::Query::advisories_for builds the list of advisories from the list of known versions for a given dist. If there were no versions detected during the database generation then any advisories defined for a dist are never returned. For example, File::Glob has advisories defined but the call to metacpan fastapi is returning nothing. File::Glob is clearly in metacpan so I'm not sure what's going on but there are several instances of this happening with the current database.

outdated info for CVE-2022-48522

from irc #p5p:

12:05 < ether> what's up with CVE-2022-48522? CPAN::Audit lists it as an open vulnerability affecting >=5.34.0, saying "In Perl 5.34.0, function S_find_uninit_var in sv.c has a 
               stack-based crash that can lead to remote code execution or local privilege escalation." and references ...
12:05 < ether> ... https://github.com/Perl/perl5/blob/79a7b254d85a10b65126ad99bf10e70480569d68/sv.c#L16336-L16345
12:05 < ether> but I see no mention of that CVE in any perldeltas
12:05 < ether> is perlsec aware of it?
12:18 < mauke> https://github.com/Perl/perl5/issues/19147 is the only related issue I can find
12:18 < mauke> by which I mean a commit that is in both 5.34.1 and 5.35.5 and touches S_find_uninit_var
12:20 < mauke> https://ubuntu.com/security/CVE-2022-48522 says "This is just an infinite recursion when trying to print a warning message causing the process to run out of stack 
               space, this has a negligible security impact"
12:20 < mauke> and links to the same github issue I found
12:22 < mauke> "affecting >=5.34.0" is definitely wrong. even the advisory at https://security.netapp.com/advisory/ntap-20230915-0008/ (linked as CONFIRM from 
               https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-48522) says it is already fixed in 5.34.1 and 5.35.5
12:25 < mauke> it's not mentioned in any perldelta because the CVE is from 2023-07-23, long after the fix was released

Is there room in this dist for a Test::CPAN::Audit?

Is there room in this dist for some author-test type assertions, a hypothetical no_vulnerable_deps_ok() type thing?

One that looks a bit like this?

package Test::CPAN::Audit;
use warnings; use strict;
our $VERSION = 0.01;
use CPAN::Audit;
use base 'Test::Builder::Module';

sub no_vulnerable_deps_ok {

    my $opts = shift // {};
    my $tb = __PACKAGE__->builder;

# These are the names from the right column in process_options:
    $opts->{'no_corelist'}  //= 0;
    $opts->{'include_perl'} //= 1;

# Turning these on is likely to break the TAP stream:
    $opts->{quiet} //= 1;
    $opts->{verbose} //= 0;

    my $args =shift // ['.'];

    my $audit = CPAN::Audit->new( %$opts );
    my $result = $audit->command( deps => @$args );

#XXX double-discover, so we can get some ok's for my non-vulnerable depends (optimism):
    my @deps = $audit->{discover}->discover($args->[0]);
    my @reports = map { +{ dist => $_, version => $result->{dists}{$_}{version} } }
                  keys %{ $result->{dists} || {} };

    my @discoveries= do {
        my %seen;
        sort { $a->{dist} cmp $b->{dist} }
        grep { not $seen{$_->{dist} }++  }
        @deps, @reports
    };

    for my $dep (@discoveries) {
        my $dist_name = $dep->{dist};
        my $r = $result->{dists}{$dist_name};
        my @advisories = @{ $r->{advisories} || []};

        my $name = sprintf "%s %s vuln check. %s",
                   $dist_name, $r->{version} // $dep->{version},
                   join ', ', map {
                        @{ $_->{cves} //[] } ? @{ $_->{cves} // []} : $_->{id}
                    } @advisories;

        $tb->ok(0==@advisories, $name);

        if ($ENV{TEST_VERBOSE}) {
            for (@advisories) {
                my $long = sprintf "  [%s Affected: %s, Fixed: %s; %s] %s%s",
                        $_->{id},
                        $_->{affected_versions} // 'All',
                        $_->{fixed_versions} // 'None',
                        (join ',', @{ $_->{cves} || []}),
                        $_->{description},
                        ($ENV{TEST_VERBOSE} > 1)
                            ? (join '', map {"    $_\n"} @{ $_->{references} || []})
                            : ''
                        ;
                $tb->diag($long);
            }
        }
    }
}
1

Last Update from Aug 2022? Is CPAN::Audit module dead?

From what I can see at metacpan, the CPAN::Audit module was last updated in August 2022. As the database is a hardcoded file in this project it looks like this project is dead and --freshcheck has become quite useless? Will there be regular updates in future or should we consider this project as abandoned? Interestingly the database in github projects seems to be still updated but Audit::CPAN is not. Or should we take it from github?

Bug: incorrect detection of perl version for 'installed' run

There's a bug in 'installed' modules detection. Although $] reports '5.016003' as perl version (I also checked with debug mode) which in fact is '5.16.3', when I ran cpan_audit in the resulting 'deps' perl is listed as '4.2'. So there seems to be some bug which downgrades perl to some wrong version. Also, when I search for the perl binary on my system it's only found in /usr/bin/perl and perl -v reports:

This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi
(with 40 registered patches, see perl -V for more detail)

This should be fixed asap.

validate yml reports coming from cpan-security-advisory

Hey brian! While trying to spot inconsistencies on CPAN::Audit::DB's output format, we created a function that looks at the affected_versions field and warns when something looks wrong.

It seems quite trivial to convert it to a "private" function that checks entries on the fly when populating DB.pm. Would that interest you? It should help prevent typos on the yaml files.

If so, should that verification be here on cpan-audit or in a script under cpan-security-advisory?

Just let me know and I'll happily send you a PR on the proper repository.

Cheers!

Feature: example drop-in cpan-audit.t file

I think it would be great to offer a drop-in cpan-audit.t file for users to drop into their t/ directory, which does an audit and reports any security advisories on whatever is in cpanfile.snapshot, for example.

It shows issues for older versions of Perl

I run cpan-audit installed in Perl v5.34 and get reports for older versions of Perl.

Is this due to a bug when comparing Perl versions? It reports the perl as "5.034000" instead of "5.34.0"

perl (have 5.034000) has 8 advisories
  * CPANSA-perl-2018-6798
    An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.

    Affected range: >=5.22.0,<5.28
    Fixed range: >=5.28

    CVEs: CVE-2018-6798

    References:
    https://www.debian.org/security/2018/dsa-4172
    https://rt.perl.org/Public/Bug/Display.html?id=132063
    http://www.securitytracker.com/id/1040681
    https://access.redhat.com/errata/RHSA-2018:1192
    https://usn.ubuntu.com/3625-1/
    https://security.gentoo.org/glsa/201909-01
    https://www.oracle.com/security-alerts/cpujul2020.html

  * CPANSA-perl-2011-1487
    The (1) lc, (2) lcfirst, (3) uc, and (4) ucfirst functions in Perl 5.10.x, 5.11.x, and 5.12.x through 5.12.3, and 5.13.x through 5.13.11, do not apply the taint attribute to the return value upon processing tainted input, which might allow context-dependent attackers to bypass the taint protection mechanism via a crafted string.

    Affected range: <5.14
    Fixed range: >=5.14

    CVEs: CVE-2011-1487

    References:
    https://bugzilla.redhat.com/show_bug.cgi?id=692844
    http://openwall.com/lists/oss-security/2011/04/01/3
    http://openwall.com/lists/oss-security/2011/04/04/35
    https://bugzilla.redhat.com/show_bug.cgi?id=692898
    http://rt.perl.org/rt3/Public/Bug/Display.html?id=87336
    http://secunia.com/advisories/43921
    http://www.securityfocus.com/bid/47124
    http://perl5.git.perl.org/perl.git/commit/539689e74a3bcb04d29e4cd9396de91a81045b99
    http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057971.html
    http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057891.html
    http://secunia.com/advisories/44168
    http://www.debian.org/security/2011/dsa-2265
    http://www.mandriva.com/security/advisories?name=MDVSA-2011:091
    http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html
    https://exchange.xforce.ibmcloud.com/vulnerabilities/66528

  * CPANSA-perl-2011-0761
    Perl 5.10.x allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an ability to inject arguments into a (1) getpeername, (2) readdir, (3) closedir, (4) getsockname, (5) rewinddir, (6) tell, or (7) telldir function call.

    Affected range: >=5.10.0,<5.12
    Fixed range: >=5.12

    CVEs: CVE-2011-0761

    References:
    http://www.securityfocus.com/bid/47766
    http://securitytracker.com/id?1025507
    http://www.toucan-system.com/advisories/tssa-2011-03.txt
    http://securityreason.com/securityalert/8248
    https://exchange.xforce.ibmcloud.com/vulnerabilities/67355
    http://www.securityfocus.com/archive/1/517916/100/0/threaded

  * CPANSA-perl-2013-7422
    Integer underflow in regcomp.c in Perl before 5.20, as used in Apple OS X before 10.10.5 and other products, allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a long digit string associated with an invalid backreference within a regular expression.

    Affected range: <5.20

    CVEs: CVE-2013-7422

    References:
    http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
    https://support.apple.com/kb/HT205031
    http://perl5.git.perl.org/perl.git/commit/0c2990d652e985784f095bba4bc356481a66aa06
    http://www.securityfocus.com/bid/75704
    http://www.ubuntu.com/usn/USN-2916-1
    https://security.gentoo.org/glsa/201507-11

  * CPANSA-perl-2012-5195
    Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.

    Affected range: <5.16
    Fixed range: >=5.16

    CVEs: CVE-2012-5195

    References:
    http://perl5.git.perl.org/perl.git/commit/2709980d5a193ce6f3a16f0d19879a6560dcde44
    http://www.nntp.perl.org/group/perl.perl5.porters/2012/10/msg193886.html
    http://www.securityfocus.com/bid/56287
    http://www.openwall.com/lists/oss-security/2012/10/27/1
    http://secunia.com/advisories/51457
    http://www.openwall.com/lists/oss-security/2012/10/26/2
    http://www.ubuntu.com/usn/USN-1643-1
    http://www.debian.org/security/2012/dsa-2586
    http://rhn.redhat.com/errata/RHSA-2013-0685.html
    http://secunia.com/advisories/55314
    http://www.mandriva.com/security/advisories?name=MDVSA-2013:113
    https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0352
    http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
    http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
    http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
    http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10673

  * CPANSA-perl-2005-0155
    The PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to create arbitrary files via the PERLIO_DEBUG variable.

    Affected range: 5.8.0

    CVEs: CVE-2005-0155

    References:
    http://www.gentoo.org/security/en/glsa/glsa-200502-13.xml
    http://www.redhat.com/support/errata/RHSA-2005-103.html
    http://www.redhat.com/support/errata/RHSA-2005-105.html
    http://www.trustix.org/errata/2005/0003/
    http://www.securityfocus.com/bid/12426
    http://secunia.com/advisories/14120
    http://fedoranews.org/updates/FEDORA--.shtml
    http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=001056
    http://support.avaya.com/elmodocs2/security/ASA-2006-163.htm
    http://secunia.com/advisories/21646
    http://www.mandriva.com/security/advisories?name=MDKSA-2005:031
    http://marc.info/?l=bugtraq&m=110737149402683&w=2
    http://marc.info/?l=full-disclosure&m=110779723332339&w=2
    https://exchange.xforce.ibmcloud.com/vulnerabilities/19207
    https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10404
    http://www.digitalmunition.com/DMA[2005-0131a].txt

  * CPANSA-perl-2003-0900
    Perl 5.8.1 on Fedora Core does not properly initialize the random number generator when forking, which makes it easier for attackers to predict random numbers.

    Affected range: 5.8.1

    CVEs: CVE-2003-0900

    References:
    https://bugzilla.redhat.com/bugzilla/long_list.cgi?buglist=108711

  * CPANSA-perl-2005-0156
    Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree.

    Affected range: 5.8.0

    CVEs: CVE-2005-0156

    References:
    http://www.gentoo.org/security/en/glsa/glsa-200502-13.xml
    http://www.redhat.com/support/errata/RHSA-2005-103.html
    http://www.redhat.com/support/errata/RHSA-2005-105.html
    http://www.trustix.org/errata/2005/0003/
    http://www.securityfocus.com/bid/12426
    http://secunia.com/advisories/14120
    http://fedoranews.org/updates/FEDORA--.shtml
    http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=001056
    http://www.mandriva.com/security/advisories?name=MDKSA-2005:031
    http://secunia.com/advisories/55314
    http://marc.info/?l=bugtraq&m=110737149402683&w=2
    http://marc.info/?l=full-disclosure&m=110779721503111&w=2
    https://exchange.xforce.ibmcloud.com/vulnerabilities/19208
    https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10803
    http://www.digitalmunition.com/DMA[2005-0131b].txt

Mojolicious not listed as a dependency

Hi brian! Hope you're doing well :D

When trying to run util/generate, I bumped into this error:

▶ perl util/generate
Can't locate Mojo/Util.pm in @INC

And, of course, installing Mojolicious fixed it. But I haven't written a PR for Makefile.PL because I'm not sure whether util/generate's dependencies should be considered or not.

Cheers!

RFC: "Pluggable" Discover modules

Hi,

currently CPAN::Audit ships discover modules for cpanfiles and cpanfile.snapshots. It would be great to have some kind of plugin mechanism. That way one could write e.g. a parser for dist.ini files (Dist::Zilla)...

What do you think? Any ideas, suggestions? If you agree, I would implement something in the next week...

Check command-line examples for unintended shell special characters

I noticed a few places in the docs that there are some

 % cpan-audit dist Catalyst::Runtime >5

That should be quoted unless you want a file named 5:

 % cpan-audit dist Catalyst::Runtime ">5"

I only figured out why the first wasn't working after I ran ls for a different reason. And yes, I have used unix before :)

Why is 'db' an allowed key (CPAN/Audit.pm)

Hi brian,

is there a reason why 'db' is an allowed key?

sub new {
	my( $class, %params ) = @_;

	my @allowed_keys = qw(ascii db exclude exclude_file include_perl interactive no_corelist quiet verbose version);

	my %args = map { $_, $params{$_} } @allowed_keys;
	my $self = bless \%args, $class;

	$self->_handle_exclude_file if $self->{exclude_file};

	$self->{db}       = CPAN::Audit::DB->db;

	$self->{filter}   = CPAN::Audit::Filter->new( exclude => $args{exclude} );
	$self->{query}    = CPAN::Audit::Query->new( db => $self->{db} );
	$self->{discover} = CPAN::Audit::Discover->new( db => $self->{db} );

	return $self;
}

$self->{db} is set no matter if a param db was passed to new or not and _handle_exclude_file does not use the value either.
