CPANSA-DB
lib/CPANSA/DB.pm
L<https://github.com/briandfoy/cpan-security-advisory/releases>.
Each release on GitHub includes an attestation.
There is also a JSON file that provides the same datastructure.
=head2 Subroutines
There is exactly one subroutine:
=over 4
=item * db
Returns the hashref of all the CPANSA reports.
=back
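As an added example (not code from CPANSA::DB or this page), here is how a script can walk the hashref that C<db> returns to find the advisories covering a given distribution version. Only the ActivePerl entry mirrors the page; the C<Example-Dist> entry, its range and its CVE id are constructed placeholders, and the example assumes each C<affected_versions> string is a list of comma-separated clauses (operator followed by a version) that must all hold.

```perl
use strict;
use warnings;
use version;
# Constructed sample in the shape CPANSA::DB::db() returns (dists -> name
# -> advisories). Only ActivePerl mirrors the page; Example-Dist is made up.
my $db = { dists => {
    ActivePerl => { advisories => [ {
        affected_versions => ['==5.16.1.1601'],
        cves              => ['CVE-2012-5377'],
    } ] },
    'Example-Dist' => { advisories => [ {
        affected_versions => ['>=1.00,<1.05'],
        cves              => ['CVE-XXXX-PLACEHOLDER'],
    } ] },
} };
# True when $have satisfies a range such as ">=1.00,<1.05": comma-separated
# clauses are ANDed, each an operator followed by a version.pm-parsable version.
sub version_in_range {
    my ( $have, $range ) = @_;
    my $v = version->parse($have);
    for my $clause ( split /\s*,\s*/, $range ) {
        my ( $op, $bound ) = $clause =~ /^\s*(<=|>=|==|<|>)\s*(\S+)/
            or die "unparsable clause '$clause'";
        my $b  = version->parse($bound);
        my $ok = $op eq '==' ? $v == $b
               : $op eq '<'  ? $v <  $b
               : $op eq '<=' ? $v <= $b
               : $op eq '>'  ? $v >  $b
               :               $v >= $b;
        return 0 unless $ok;
    }
    return 1;
}
# CVE ids of every advisory for $dist whose ranges cover version $have.
sub cves_for {
    my ( $db, $dist, $have ) = @_;
    my $entry = $db->{dists}{$dist} or return;
    my @cves;
    for my $adv ( @{ $entry->{advisories} } ) {
        next unless grep { version_in_range( $have, $_ ) } @{ $adv->{affected_versions} };
        push @cves, @{ $adv->{cves} };
    }
    return @cves;
}
for ( [ 'ActivePerl', '5.16.1.1601' ], [ 'Example-Dist', '1.02' ], [ 'Example-Dist', '1.05' ] ) {
    my @cves = cves_for( $db, @$_ );
    printf "%s %s: %s\n", @$_, @cves ? join( ', ', @cves ) : 'no advisories';
}
```

With the real module installed, replacing the constructed C<$db> with C<CPANSA::DB::db()> runs the same lookup over the full database.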
=head1 VERIFYING
This distribution now uses
L<GitHub Attestations|https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/>,
which allow you to verify that the archive file you have was made from
the official repo.
You need a GitHub account and the L<gh tool|https://github.com/larsks/ghcli>.
    # download the distro file from GitHub, MetaCPAN, or a CPAN mirror
    $ gh auth login
    ...follow instructions...
    $ gh attestation verify CPANSA-DB-20241111.tar.gz --owner briandfoy
Additionally, each release comes with a GPG signature that allows you to
verify the database file itself. The key is the same one used when the
database was distributed with L<CPAN::Audit>:
    $ gpg --verify lib/CPANSA/DB.pm.gpg lib/CPANSA/DB.pm
    gpg: Signature made Mon Nov 18 11:00:10 2024 EST
    gpg: using RSA key 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041
    gpg: Good signature from "CPAN::Audit (brian d foy) (https://github.com/briandfoy/cpan-audit) <bdfoy@cpan.org>" [ultimate]
=head1 SEE ALSO
Everything is managed in GitHub:
=over 4
=item * L<https://github.com/briandfoy/cpan-security-advisory/releases>
=back
=cut
package CPANSA::DB;
use strict;
use warnings;
our $VERSION = '20260419.002';
sub db {
{"dists" => {"ActivePerl" => {"advisories" => [{"affected_versions" => ["==5.16.1.1601"],"cves" => ["CVE-2012-5377"],"description" => "Untrusted search path vulnerability in the installation functionality in ActivePerl 5.16.1.1601, when installed in...
}
__PACKAGE__;