Test-CVE


		av  => [ @vsn ],
		dsc => $dsc,
		};
	    #die DDumper { c => $c, cv => $cv, cve => $self->{CVE}{$m}, vsn => \@vsn };
	    }
	}
    $self;
    } # test

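# report (%args)
#
# Print a human-readable summary of the CVEs collected by test () to the
# currently selected output handle, one header line per wanted release
# followed by one line per CVE plus its wrapped description.  Returns
# nothing useful to the caller; the output is the result.
#
# %args may carry "width", which overrides $self->{width} for wrapping.
# Croaks on an odd number of arguments.
sub report {
    my $self = shift;

    # Without $self->{j} (set elsewhere, presumably once the CVE data has
    # been loaded) there is nothing to report.
    $self->{j} or return;

    @_ % 2 and croak "Uneven number of arguments";
    my %args = @_;

    # Wrap a bit narrower than the requested width; presumably to leave
    # room for the indentation added to the description lines below.
    local $Text::Wrap::columns = ($args{width} || $self->{width}) - 4;

    my $n = 0;
    foreach my $m (@{$self->{want}}) {
	my $C = $self->{CVE}{$m} or next;
	my @c = @{$C->{cve}}     or next;
	say "$m: ", $C->{min} // "-";
	foreach my $c (@c) {
	    # Fall back to the internal id when no CVE number is known
	    my $cve = "@{$c->{cve}}" || $c->{cid};
	    printf "  %-10s %-12s %-12s %s\n",
		$c->{dte}, "@{$c->{av}}", $c->{sev} // "-", $cve;
	    # wrap () adds no trailing newline of its own; this relies on
	    # $c->{dsc} ending in one - TODO confirm against the data source
	    print s/^/       /gmr for wrap ("", "", $c->{dsc});
	    $n++;
	    }
	}
    $n or say "There have been no CVE detections in this process";
    } # report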

# cve (%args)
#
# Return the collected CVE findings as a list of hashrefs, one per wanted
# release that has at least one hit:
#   { release => $name, vsn => $min_version, cve => [ @findings ] }
# The "cve" array is a shallow copy of the collected list.  Returns an
# empty list when no data was collected.  Croaks on an odd number of
# arguments.
sub cve {
    my $self = shift;

    # No collected data (presumably $self->{j} is set on load): empty list
    $self->{j} or return;

    @_ % 2 and croak "Uneven number of arguments";
    my %args = @_;

    # Kept for parity with report (); nothing in this method wraps text,
    # so this local appears to have no effect here.
    local $Text::Wrap::columns = $args{width} || $self->{width};

    my @found = map {
	my $release = $_;
	my $entry   = $self->{CVE}{$release};
	($entry and @{$entry->{cve}})
	    ? { release => $release,
		vsn     => $entry->{min},
		cve     => [ @{$entry->{cve}} ],
		}
	    : ();
	} @{$self->{want}};
    return @found;
    } # cve

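# has_no_cves (%attr)
#
# Test::Builder-style check that the current release has no open CVEs.
# Emits exactly one ok/not-ok line: a pass when not running in an author
# environment (the check is skipped), a pass when no CVEs are found, or a
# fail followed by one diag line per CVE found.
#
# %attr is handed to Test::CVE->new.  "author" forces (true) or suppresses
# (false) the author-environment detection; when absent it is derived from
# the calling file living under xt/, $ENV{AUTHOR_TESTING}, or a .git
# checkout run with a plain "perl" binary.
sub has_no_cves {
    my %attr = @_;
    my $tb = __PACKAGE__->builder;

    # By default skip this test if not in a development env
    if (!exists $attr{author} and
	 ((caller)[1] =~ m{(?:^|/)xt/[^/]+\.t$} or
	  $ENV{AUTHOR_TESTING}                  or
	  -d ".git" && $^X =~ m{/perl$})) {
	$attr{author}++;
	}
    unless ($attr{author}) {
	$tb->ok (1, "CVE tests skipped: no author environment");
	return;
	}

    # Presumably: do not include perl's own CVEs unless the caller asks for
    # them - confirm the meaning of "perl" against new ()
    $attr{perl} //= 0;

    # Pass %attr rather than @_, otherwise the "perl" default above never
    # reaches new ().  "author" is presumably tolerated by new (), which
    # already receives it whenever a caller sets it explicitly.
    my $cve = Test::CVE->new (%attr);
    $cve->test;
    my @cve = $cve->cve;
    if (@cve) {
	$tb->ok (0, "This release found open CVEs");
	foreach my $r (@cve) {
	    my ($m, $v) = ($r->{release}, $r->{vsn});
	    foreach my $c (@{$r->{cve}}) {
		my $cve = join ", "  => @{$c->{cve}};
		my $av  = join " & " => @{$c->{av}};
		# diag () takes message text only; a leading 0 argument
		# would be emitted as part of the message
		$tb->diag ("$m-$v : $cve for $av");
		}
	    }
	}
    else {
	$tb->ok (1, "This release found no open CVEs");
	}
    } # has_no_cves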

1; # a module file must end with a true value

__END__

=head1 INCENTIVE

On the Perl Toolchain Summit 2023, the CPAN Security Working Group (CPAN-SEC)
was established to receive and handle reports of undisclosed vulnerabilities
for CPAN releases and to assist the community in dealing with those.

The resources available enabled passive checks of existing releases and single
files against the database of known vulnerabilities.

The goal of this module is to be able to check if known vulnerabilities exist
before the release would be uploaded to CPAN.

The analysis is based on declarations and/or actual use and supports three
levels: C<requires>, C<recommends>, and C<suggests>. C<suggests> is unused in
giving advice.

The functionality is explicitly limited to passive analysis: there is no active
scanning of source code to find security vulnerabilities.

=head1 DESCRIPTION

Test::CVE provides functionality to test a (CPAN) release or a single (perl)
script against known CVEs.

It enables checking the current release only, or including its prereqs too.


