The Perl Toolchain Summit 2025 Needs You: You can help 🙏 Learn more

HMBRAND / Test-CVE-0.09 / scripts / cpan-cve.pl 

            

              
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

              
#!/usr/bin/env perl
use 5.014002;
use warnings;
our $VERSION = "0.10 - 20240428";
our $CMD = $0 =~ s{.*/}{}r;
sub usage {
    my $err = shift and select STDERR;
    say "usage: $CMD [options] [file | module | dir ...]";
    say "    -d    --deps         Report on current deps too";
    say "    -m    --minimum      Report based on minimum (default recommended)";
    say "    -j F  --json=F       Use downloaded JSON instead of fetching";
    say "    -p    --perl         Report CVE's on required perl (default OFF)";
    say "    -c    --corelist     Replace 0 versions w*ith CORE version";
    say "    -v[#] --verbose[=#]  Set verbosity level";
    say "    -J F  --json-out=F   Output in JSON file F (- = STDOUT)";
    say "";
    say "For CVE's in the perl core, please use --perl and/or CPAN::Audit";
    say "Documentation should still be written";
    exit $err;
    } # usage
use Test::CVE;
use JSON::MaybeXS;
use Module::CoreList;
use Cwd          qw( getcwd abs_path);
use Getopt::Long qw(:config bundling noignorecase);
GetOptions (
    "help|?"            => sub { usage (0); },
    "V|version"         => sub { say "$CMD [$VERSION]"; exit 0; },
    "d|deps!"           => \ my $opt_d,
    "m|minimum!"        => \ my $opt_m,
    "j|json=s"          => \ my $opt_j,
    "J|json-out=s"      => \ my $opt_J,
    "p|perl!"           => \ my $opt_p,
    "c|cl|corelist!"    => \ my $opt_c,
    "v|verbose:1"       => \(my $opt_v = 0),
    ) or usage (1);
@ARGV or push @ARGV => ".";
my $tld = abs_path (getcwd);
my %rpt;
foreach my $module (@ARGV) {
    my $cve = Test::CVE->new (
        deps    => $opt_d,
        perl    => $opt_p // 0,
        core    => $opt_c // 0,
        minimum => $opt_m,
        cpansa  => $opt_j,
        verbose => $opt_v,
        );
    # NEW! https://fastapi.metacpan.org/cve/CPANSA-YAML-LibYAML-2012-1152
    #      https://fastapi.metacpan.org/cve/release/YAML-1.20_001
    chdir $tld;
    if (-d $module) {
        chdir $module;
        }
    elsif (-s $module and open my $fh, "<", $module) {
        # prevent reading Makefile and cpanfile, but extract "use" and "require"
        my %mod;
        my $pl = do { local $/; <$fh> } =~ s/^\s*#.*;//gmr;
        my $v  = $pl =~ m/\$\s*VERSION\s*=\s*["']?(\S+?)['"]?\s*;/ ? $1 : "-";
        $cve->set_meta ($module, $v);
        while ($pl =~ m{\b (?: use | require ) [\s\r\n]+
                           ([\w:]+)
                           ([\s\r\n]+[.\w]+)?
                           (?: [\s\r\n]+ (?: "[^;]+" | '[^;]+' | qw[^;]+ ))?
                           [\s\r\n]*;
                           }gx) {
            my ($m, $v) = ($1, $2 // 0);
            $m =~ m/^(?: v?5 | warnings | strict )$/x and next;
            $cve->want ($m, $v);
            }
        }
    else {
        usage (1);
        }
    unless ($opt_J) {
        $cve->test->report;
        next;
        }
    my @err;
    local $SIG{__WARN__} = sub {
        push @err => map {
            s/[\s\r\n]+\z//r =~ s{[\s\r\n]+at\s+\S+\s+line\s+[0-9]+}{}r
            } @_;
        };
    say $module;
    eval {   $rpt{$module} = [ $cve->test->cve ]; };
    @err and $rpt{$module} = [{ error => [ @err ] }];
    }
chdir $tld;
if ($opt_J) {
    if ($opt_J eq "-") {
        say     encode_json (\%rpt);
        }
    else {
        open my $fh, ">:encoding(utf-8)", $opt_J or die "$opt_J: $!\n";
        say $fh encode_json (\%rpt);
        close $fh;
        }
    }