2022 twenty-four merry days of Perl Feed

Find known, reported vulnerabilities in the modules you use

CPAN::Audit - 2022-12-19

How do you know that you are up-to-date on security advisories for perl and CPAN modules? CPAN::Audit and its cpan-audit program can do that for you:

    % cpan CPAN::Audit
    % cpan-audit installed

You end up with a list of reports of known vulnerabilities for everything in your @INC. Fix some of those by upgrading modules, using a more modern replacement, or, even better fix the problem and send that upstream.

These reports come mostly from MITRE and its library of Common Vulnerabilities and Exposures, or just CVE, that it's developed since 1999. All of this is pre-digested and arranged into CPAN::Audit::DB, which comes with the CPAN::Audit distribution.

Check a module

If you are interested in a particular module, you can check that too. For example, DBI has had several reports over its history:

        % cpan-audit module DBI

          * CPANSA-DBI-2014-01
                DBD::File drivers open files from folders other than
                specifically passed using the f_dir attribute.

                Affected range: <1.632
                Fixed range: >=1.632


          * CPANSA-DBI-2020-01
                A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A
                local attacker who is able to supply a string longer than 300
                characters could cause an out-of-bounds write, affecting the
                availability of the service or integrity of data.

                Affected range: <1.643
                Fixed range: >=1.643

                CVEs: CVE-2020-14393


        ... many more advisories ...

        Total advisories found: 9

Those are the advisories for DBI for the entire history of the Universe, and all of those have been patched already and you don't care about them.

Specify a version to see advisories the apply to just that version. The current version of DBI, 1.643 as I write this, so try that. There are no open (known) vulnerabilities:

        % cpan-audit module DBI 1.643
        No advisories found

That second argument can also be a range, such as >1.600. Ensure that you quote the range since > and < are shell metacharacters:

        % cpan-audit module DBI '>1.600'
        ... eight advisories ...
        Total advisories found: 8

Command-line use is nice, but you're more likely to use this in some automated program to continuously check your installation. The exit code tells you what cpan-audit found. If you get 0, there were no advisories found. If you get a number larger than 64, subtract 64 to get the number of advisories:

        % cpan-audit module DBI '>1.600'
        ... eight advisories ...
        Total advisories found: 8
        % echo $?

How it works

Вячеслав Тихановский (vti on CPAN) created CPAN::Audit to collate information from MITRE (the repository of CVEs), namespace mappings from PAUSE, and version data from MetaCPAN. He put that all together so he could present to you the vulnerabilities in a useful way.

The advisory data are actually kept in a separate repository, cpan-security-advisory. Each advisory references some vulnerability, notes the affected version, and tracks some other information. These are kept in YAML files for each distribution.

CPAN::Audit digests those YAML files to create CPAN::Audit::DB so that each release contains all of the vulnerability data. Once you install CPAN::Audit, perhaps on an isolated machine with no network access, you have everything you need. There's no extra networking, downloading, and so on.

When you run cpan-audit, it selects from that database just the information appropriate for you.


A small group of people are revitalizing CPAN::Audit, and there's always room for more. There's work appropriate for all skill levels.

This project only useful if it has up-to-date and correct data. A large part of the effort involves keeping up-to-date with vulnerabilities, and a lot of that is boring, manual work. Bite off some small chunks to earn some of those [GitHub badges](https://github.com/Schweinepriester/github-profile- achievements). The CONTRIBUTING docs are a good place to start.

We're also looking to revamp how we collate the data to make it easier to work with. We've started tracking vulnerabilities in external libraries, such as bootstrap, that some distributions include. That's not quite ready, but it's getting close.

Finally, you can just use cpan-audit and let us know how it works for you, what else you need to accomplish your task, and how else we can help you track this information. The Discussions section of CPAN::Audit's repo is a good way to give non-issue feedback.

Gravatar Image This article contributed by: brian d foy <briandfoy@pobox.com>