# CPAN Security Advisory Database (CPANSA)

This is a database of security advisories for the Perl modules uploaded to CPAN.

It is a hand-picked database maintained by the Perl community. See [CONTRIBUTING](CONTRIBUTING.md)
or the [issues](https://github.com/briandfoy/cpan-security-advisory/issues) to see how you might
help.

The main repository is [briandfoy/cpan-security-advisory on GitHub](https://github.com/briandfoy/cpan-security-advisory),
but there are other copies:

- [https://github.com/briandfoy/cpan-security-advisory](https://github.com/briandfoy/cpan-security-advisory)
- [https://bitbucket.org/briandfoy/cpan-security-advisory](https://bitbucket.org/briandfoy/cpan-security-advisory)
- [https://gitlab.com/briandfoy/cpan-security-advisory](https://gitlab.com/briandfoy/cpan-security-advisory)

If you want to mirror a copy, clone the repo and send me the link. Let's
make this more resilient by keeping the data in several places.

## Report new issues to the CPAN Security Group

For new issues without a CVE report, first [report the
issue](https://security.metacpan.org/docs/report.html) to the [CPAN
Security Group](https://security.metacpan.org), which can analyze it,
collect additional information, and request a CVE. Once a CVE
is issued, we can add it to the CPAN Security Advisories.

## Sources

- metacpan.org - the `Changes` files of distributions, which note security fixes
- CVE databases
    - https://nvd.nist.gov/feeds/xml/cve/misc/nvd-rss.xml
- OS distribution security advisory feeds:
    - Debian https://www.debian.org/security/dsa
    - FreeBSD http://vuxml.freebsd.org/freebsd/rss.xml
    - Gentoo https://security.gentoo.org/glsa/feed.rss
    - Ubuntu https://usn.ubuntu.com/rss.xml

## Set up your environment

To run the various programs, you'll need some Perl modules. Install
[cpanminus](https://github.com/miyagawa/cpanminus/tree/devel/App-cpanminus)
if you don't already have it, then install the dependencies:

	$ make -f Makefile.repo setup

## Finding a record

	$ perl util/find_record CVE-2022-1234

## Making a new record

There's a utility to make a record for you from a CVE report:

	$ perl util/make_record CVE-2022-1234

This tool tries to guess the distribution name, but sometimes it can't. If
it doesn't guess the distribution name, simply run it again with the
distribution name you want:

	$ perl util/make_record CVE-2022-1234 Some-Package

### Record format

ID format: `CPANSA-<dist-name>-<year>-<sequence>`

* `dist-name` is the distribution's main module name, not necessarily the affected module within the distribution
* `year` is the year of the report or discovery, not necessarily the year the problem was introduced
* `sequence` is some integer. For a record that covers a single CVE, such as CVE-2011-1589, reuse the CVE's own sequence number (here 1589) for easier maintenance

The database is in YAML format with a simple structure. Each file describes one
distribution and holds a list of advisories. `affected_versions` and
`fixed_versions` are lists of version ranges, `severity: ~` means the severity
is not set, and `last_checked` is a Unix timestamp. Note that `'>=9.31'` is
quoted because an unquoted `>` would start a YAML folded block scalar, while
`<9.31` needs no quoting.

```yaml
---
advisories:
  - affected_versions:
      - <9.31
    cves: []
    description: "Mojo::DOM did not correctly parse <script> tags.\n"
    fixed_versions:
      - '>=9.31'
    github_security_advisory: []
    id: CPANSA-Mojolicious-2022-03
    references:
      - https://github.com/mojolicious/mojo/commit/6f195d85db6756022d3599f7d2634975688c9550
      - https://github.com/mojolicious/mojo/issues/2014
      - https://github.com/mojolicious/mojo/issues/2015
    reported: 2022-12-10
    severity: ~
cpansa_version: 2
distribution: Mojolicious
last_checked: 1747589679
latest_version: 9.40
metacpan: https://metacpan.org/pod/Mojolicious
repo: https://github.com/mojolicious/mojo
```

There may be an additional `comments` key with more information about
the advisory, especially if the `description` comes from an external
source, such as a CVE report.

## Check the results

Check all the files for basic YAML validity:

	$ make -f Makefile.repo test_all

Checking all the files can take a minute, so you can also check just
the files that have changed:

	$ make -f Makefile.repo test_new

Run the `lint` target to check all of the report files:

	$ make -f Makefile.repo lint

## Command-line checks

For command-line checks, see the [CPAN-Audit](https://metacpan.org/release/CPAN-Audit) module or the
[cpan-audit repo](https://github.com/briandfoy/cpan-audit):

	$ cpan-audit module Catalyst '>7.0'

To see your new report there, you'll have to regenerate the `CPANSA::DB` database, since
`CPAN::Audit` does everything locally from that generated database. That happens in the
[cpan-audit repo](https://github.com/briandfoy/cpan-audit), where this repo is a submodule.

## Maintainer

brian d foy (briandfoy@pobox.com). If you'd like to help, just let me
know by opening an issue. I'm happy to add people as committers on this repo. See
[CONTRIBUTING.md](CONTRIBUTING.md) for more info.

## Credits

* The original author and maintainer was [Viacheslav Tykhanovskyi](https://github.com/vti).
* [Takumi Akiyama](https://github.com/akiym)
* [Takafumi Onaka](https://github.com/onk)
* [Mala](https://github.com/mala)
* [Robert Rothenberg](https://metacpan.org/author/RRWO)

## Contribution

If you know of a security vulnerability that is not present in our
database, feel free to contribute with a Pull Request. Let's make it
as complete as possible!
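As an added example that is not part of this repository or of CPAN::Audit, the following Perl script lints a CPANSA record against the record format described above and then answers the question the `cpan-audit` check answers: is a given installed version affected? It assumes `YAML::XS` is installed, treats comma-separated clauses in a version range as ANDed (the README only shows single clauses such as `<9.31`), and adds a second, constructed advisory with a made-up CVE number to exercise a bounded range. The lint rules are mine, derived from the README, not the repository's `lint` target.

```perl
# Added example, not code from the CPANSA repo or from CPAN::Audit: lint a
# CPANSA record against the format the README describes, then test whether
# an installed version is affected. Assumes YAML::XS; the rest is core Perl.
use strict;
use warnings;
use YAML::XS qw(Load);
use version 0.77;
# Constructed sample: the README's Mojolicious record plus a second,
# hypothetical advisory (CVE-2099-12345) that exercises a bounded range.
my $yaml = <<'YAML';
---
advisories:
  - affected_versions:
      - <9.31
    cves: []
    description: "Mojo::DOM did not correctly parse <script> tags.\n"
    fixed_versions:
      - '>=9.31'
    id: CPANSA-Mojolicious-2022-03
    reported: 2022-12-10
    severity: ~
  - affected_versions:
      - '>=9.00,<9.10'
    cves:
      - CVE-2099-12345
    fixed_versions:
      - '>=9.10'
    id: CPANSA-Mojolicious-2099-12345
    reported: 2099-01-01
cpansa_version: 2
distribution: Mojolicious
YAML

# Split a range such as '>=9.00,<9.10' into [operator, version] clauses.
# ANDing comma-separated clauses is my assumption about the format; the
# README itself only shows single clauses such as '<9.31' and '>=9.31'.
sub parse_range {
    my ($spec) = @_; my @clauses;
    for my $clause (split /\s*,\s*/, $spec) {
        my ($op, $ver) = $clause =~ /^(<=|>=|==|<|>|=)?\s*(\S+)$/ or die "unparsable clause '$clause' in '$spec'\n";
        $op = '==' if !defined $op || $op eq '=';
        my $v = eval { version->parse($ver) } // die "bad version '$ver' in '$spec'\n";
        push @clauses, [ $op, $v ];
    }
    return \@clauses;
}
# version objects overload the comparison operators, so these just work.
my %cmp = ('<' => sub { $_[0] < $_[1] }, '<=' => sub { $_[0] <= $_[1] }, '==' => sub { $_[0] == $_[1] },
           '>' => sub { $_[0] > $_[1] }, '>=' => sub { $_[0] >= $_[1] });
# True when $installed satisfies every clause of at least one range.
sub version_in_ranges {
    my ($installed, $ranges) = @_;
    my $v = version->parse($installed);
    RANGE: for my $spec (@$ranges) {
        for my $c (@{ parse_range($spec) }) {
            next RANGE unless $cmp{ $c->[0] }->($v, $c->[1]);
        }
        return 1;
    }
    return 0;
}

# Structural checks derived from the README's description of the record
# format. These are my own rules, not the repo's lint target.
sub lint_record {
    my ($rec) = @_; my @problems;
    my $dist = $rec->{distribution} // '';
    push @problems, 'missing distribution' unless length $dist;
    push @problems, 'cpansa_version is not 2' unless ($rec->{cpansa_version} // '') eq '2';
    for my $adv (@{ $rec->{advisories} || [] }) {
        my $id = $adv->{id} // '(no id)';
        push @problems, "$id: id does not match CPANSA-$dist-<year>-<sequence>"
            unless $id =~ /^CPANSA-\Q$dist\E-\d{4}-\d+$/;
        push @problems, "$id: no affected_versions" unless @{ $adv->{affected_versions} || [] };
        for my $spec (@{ $adv->{affected_versions} || [] }, @{ $adv->{fixed_versions} || [] }) {
            eval { parse_range($spec); 1 } or push @problems, "$id: $@";
        }
        push @problems, "$id: malformed CVE id '$_'"
            for grep { !/^CVE-\d{4}-\d{4,}$/ } @{ $adv->{cves} || [] };
        push @problems, "$id: reported is not YYYY-MM-DD" unless ($adv->{reported} // '') =~ /^\d{4}-\d{2}-\d{2}$/;
    }
    chomp @problems;
    return \@problems;
}

my $record   = Load($yaml);
my @problems = @{ lint_record($record) };
print @problems ? map("$_\n", @problems) : "record is well formed\n";
# CPAN::Audit-style verdict: inside an affected range and outside every fixed one.
for my $installed (qw(9.05 9.30 9.31 9.40)) {
    my @hits = grep {
        version_in_ranges($installed, $_->{affected_versions})
            && !version_in_ranges($installed, $_->{fixed_versions} || [])
    } @{ $record->{advisories} };
    printf "%s %-5s %s\n", $record->{distribution}, $installed,
        @hits ? 'affected: ' . join(', ', map { $_->{id} } @hits) : 'not affected';
}
```

Save the script under any name and run it with `perl`. The range half is the decision `cpan-audit module Catalyst '>7.0'` makes for each advisory; the lint half flags an `id` whose distribution part does not match `distribution`, a `cves` entry that is not shaped like a CVE identifier, a `reported` date in the wrong form, or a range clause that will not parse, all before the record reaches the repository's own `test_all` and `lint` targets.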