FAQ
This contains Frequently Asked Questions about CPAN Security Advisories (CPANSAs).
Most of this information comes from the distributions' Changes files.
Other information, especially for embedded external libraries, comes from the NVD and CVE databases.
CPAN::Audit is intended for published security issues.
If this is a new or unpublished security vulnerability in Perl or a core Perl module, then you should report it directly to the Perl security team, following the Perl security policy.
If this is a new or unpublished security vulnerability with a CPAN module, then you should report it directly to the module maintainers. If the module documents a procedure for reporting security issues, follow that. Otherwise use the email addresses for the maintainers.
Please avoid reporting new security issues via the module's issue tracker, usually https://rt.cpan.org/ or on the module's source repository.
If this is a new security vulnerability with an external library that is included with a CPAN module, then you should report it directly to the library maintainers (following that library's documented security procedures), as well as the CPAN module authors.
Use the New Issue button in the issue tracker.
You can also submit a pull request. See the CONTRIBUTING documentation.
Note that you do not need to be one of the distribution's authors to submit a new security advisory.
The TODO list in the Wiki contains a list of distributions that need further investigation.
The issue tracker may also list distributions that need further research.
A distribution's Changes file will usually document any security fixes. It may also note any upgrades to included external libraries: this is useful for documenting any resolved security issues with those libraries for older versions of that distribution.
Check any external libraries that are included with the distribution. (This includes compiled libraries such as "zlib" as well as included JavaScript libraries such as "jQuery".) Is the version of that library covered by any security vulnerabilities?
You can search the NVD and CVE databases, as well as the library's change log for a list of known vulnerabilities in older versions of those libraries. (Note that sometimes fixes for security issues are published that are never reported as CVEs.)
If you know of a vulnerability in an external library, then you can also search for other distributions that use those libraries. The easiest way to do that is to check out a copy of the MetaCPAN Extracted Repository and search for files there, for example,
git ls-files | grep -F 'zlib.h'
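As an added example (not code from the cpan-security-advisory project), the script below extends the search above: it finds every bundled zlib.h under a checked-out tree, extracts the ZLIB_VERSION string from each copy, and counts the copies older than a given release, so the result can be compared with zlib's change log and NVD entries. The distribution directory names and version strings it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the cpan-security-advisory project. Scans a
# checked-out tree (such as the MetaCPAN Extracted repository) for bundled
# zlib.h copies. Sample tree and versions below are constructed for the demo.
# Print "<path relative to root><TAB><version>" for every zlib.h under $1.
scan_zlib() {
  root=$1
  find "$root" -type f -name 'zlib.h' | sort | while read -r f; do
    ver=$(sed -n 's/^#define ZLIB_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | sed -n 1p)
    printf '%s\t%s\n' "${f#"$root"/}" "${ver:-unknown}"
  done
}
# Exit 0 when dotted version $1 is strictly older than $2 (portable, no sort -V).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (A[i] + 0 < B[i] + 0) exit 0
      if (A[i] + 0 > B[i] + 0) exit 1
    }
    exit 1
  }'
}
# Count bundled copies whose version is older than the minimum given in $2.
count_older_than() {
  scan_zlib "$1" | cut -f 2 | grep -v '^unknown$' | {
    n=0
    while read -r v; do
      if version_lt "$v" "$2"; then n=$((n + 1)); fi
    done
    echo "$n"
  }
}
# Constructed sample tree standing in for two extracted distributions.
make_sample() {
  root=$(mktemp -d)
  mkdir -p "$root/Foo-Compress-1.00/zlib" "$root/Bar-Image-2.10/src"
  printf '#define ZLIB_VERSION "1.2.8"\n' > "$root/Foo-Compress-1.00/zlib/zlib.h"
  printf '#define ZLIB_VERSION "1.3.1"\n' > "$root/Bar-Image-2.10/src/zlib.h"
  printf '%s\n' "$root"
}
main() {
  root=$(make_sample)
  scan_zlib "$root"
  echo "copies older than 1.3.0: $(count_older_than "$root" 1.3.0)"
  rm -rf "$root"
}
main
```

Point scan_zlib at a real checkout and raise the minimum to the version you are investigating; the same sed pattern can be adapted for other bundled headers that define a version macro.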
If a newer version of a distribution fixes a reported vulnerability, then you can submit an issue or open a pull request.
Note that you do not need to be one of the distribution's authors to submit a fix report.
Submit an issue.
If the maintainers of this data agree that the issue is incorrect or not applicable, then they will remove it. Otherwise they may add a comment to the issue.
We don't block or remove distributions with security advisories, and the decision to use any code with a security advisory is up to you.
We recommend that you research the issue to determine whether it applies to your use case, or what steps you can take to reduce any risks of using that code.