I've been away from Perl development for many, many years, but I'm wondering whether there really is no possibility to check installed CPAN modules for reported security problems and update the modules if fixes are applied to an updated module?!
Well, there is CVE, and in Java/Maven and Node/NPM there is at least one utility which checks the versions against reported vulnerabilities in CVE DBs. Also, GitHub has the feature to report to repository owners if there is a vulnerable version used in the NPM-based project repo.
Hi,
I am here after 2 years. I think it could be done by creating an interface to various CVE database sites (i.e. https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=perl; the "keyword" parameter can be modified through input) and, for each module installed, searching the URL. A practical example would be something like:
```perl
# Pseudocode: list_of_modules, found_link and do_something are placeholders
foreach (list_of_modules) {
    if (found_link("https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=" . $_)) {
        do_something;    # like upgrade the $_
    }
}
```
Maybe I'll write an article on it. I was also thinking about a script which automatically checks whether every new module on CPAN uses the "strict" and "warning" (using the raw "source" link).
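A version-aware form of the check discussed in this thread, as an added example that is not code from any participant: it compares each installed module's version with the release an advisory lists as fixed, and reports modules whose version cannot be determined instead of treating them as safe. The advisory records, module names, IDs and inventory are constructed for illustration.

```perl
use strict;
use warnings;
use version;

# Constructed advisory records: hypothetical modules and IDs, not real CVEs.
my @advisories = (
    { module => 'Example::Parser', id => 'EXAMPLE-0001', fixed_in => '1.42' },
    { module => 'Example::HTTP',   id => 'EXAMPLE-0002', fixed_in => '0.09' },
    { module => 'Example::Util',   id => 'EXAMPLE-0003', fixed_in => '2.0'  },
);

# Constructed inventory (module => installed version). On a real host it can
# be built from ExtUtils::Installed: ->modules and ->version($module).
my %installed = (
    'Example::Parser' => '1.40',
    'Example::HTTP'   => '0.10',
    'Example::Util'   => undef,      # version could not be determined
);

# Classify each advisory that names an installed module.
sub audit {
    my ($inventory, $advisories) = @_;
    my @findings;
    for my $adv (@$advisories) {
        my $name = $adv->{module};
        next unless exists $inventory->{$name};
        my $have = $inventory->{$name};
        my $status;
        if (!defined $have) {
            $status = 'unknown';     # report it, never assume it is safe
        }
        else {
            # version->parse dies on malformed strings, so trap that too
            my $cmp = eval {
                version->parse($have) <=> version->parse($adv->{fixed_in});
            };
            $status = !defined $cmp ? 'unknown'
                    : $cmp < 0      ? 'vulnerable'
                    :                 'fixed';
        }
        push @findings, { %$adv, installed => $have, status => $status };
    }
    return @findings;
}

for my $f (audit(\%installed, \@advisories)) {
    next if $f->{status} eq 'fixed';
    printf "%-10s %s %s (installed %s, fixed in %s)\n",
        $f->{status}, $f->{id}, $f->{module},
        $f->{installed} // '?', $f->{fixed_in};
}
```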