{"id":29575546,"url":"https://github.com/lesis-lat/bunkai","last_synced_at":"2026-04-01T22:25:52.775Z","repository":{"id":303476395,"uuid":"958917696","full_name":"lesis-lat/bunkai","owner":"lesis-lat","description":"A dependency-aware Software Composition Analysis (SCA) tool for Perl.","archived":false,"fork":false,"pushed_at":"2026-03-21T23:38:16.000Z","size":251,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-22T12:23:16.502Z","etag":null,"topics":["perl","sca"],"latest_commit_sha":null,"homepage":"https://blog.lesis.lat/blog/Strengthening-the-software-supply-chain-of-Perl-projects-using-Bunkai/","language":"Perl","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lesis-lat.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-04-02T01:17:39.000Z","updated_at":"2026-03-21T23:38:20.000Z","dependencies_parsed_at":"2026-03-14T23:03:03.187Z","dependency_job_id":null,"html_url":"https://github.com/lesis-lat/bunkai","commit_stats":null,"previous_names":["lesis-lat/bunkai"],"tags_count":21,"template":false,"template_full_name":"lesis-lat/perl-boilerplate","purl":"pkg:github/lesis-lat/bunkai","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lesis-lat%2Fbunkai","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lesis-lat%2Fbunkai/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lesis-lat%2Fbunkai/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lesis-lat%2Fbunkai/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lesis-lat","download_url":"https://codeload.github.com/lesis-lat/bunkai/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lesis-lat%2Fbunkai/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31292639,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T21:15:39.731Z","status":"ssl_error","status_checked_at":"2026-04-01T21:15:34.046Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["perl","sca"],"created_at":"2025-07-19T11:01:07.574Z","updated_at":"2026-04-01T22:25:52.765Z","avatar_url":"https://github.com/lesis-lat.png","language":"Perl","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003ch3 align=\"center\"\u003e\u003cb\u003eBunkai (分解)\u003c/b\u003e\u003c/h3\u003e\n  \u003cp align=\"center\"\u003eA minimalist, dependency-aware Software Composition Analysis (SCA) tool for Perl.\u003c/p\u003e\n  \u003cp align=\"center\"\u003e\n    \u003ca href=\"https://github.com/lesis-lat/bunkai/blob/main/LICENSE.md\"\u003e\n      \u003cimg src=\"https://img.shields.io/badge/license-MIT-blue.svg\"\u003e\n    \u003c/a\u003e\n     \u003ca href=\"https://github.com/lesis-lat/bunkai/releases\"\u003e\n      \u003cimg src=\"https://img.shields.io/badge/version-0.9.2-blue.svg\"\u003e\n    \u003c/a\u003e\n  \u003c/p\u003e\n\u003c/p\u003e\n\n---\n\n### Summary\n\nBunkai (分解, \"analysis/to break down\") is a simple, deterministic Software Composition Analysis (SCA) tool for Perl projects. It operates entirely by parsing a project's `cpanfile` to identify dependencies and their specified versions.\n\nDesigned with the principles of Flow-Based Programming, Bunkai provides multi-faceted dependency analysis including:\n* Identifying all modules and their versions.\n* Warning when version specifications are missing, which can lead to build instability and supply chain risks.\n* Detecting outdated module versions by comparing them to the latest available versions.\n* Identifying known security vulnerabilities in dependencies, including CVE details and remediation suggestions.\n\nBunkai aims to improve the security and reproducibility of Perl builds by addressing common risks in dependency management.\n\n---\n\n### Prerequisites\n\n-   Perl 5.034+\n-   `cpanm` (to install dependencies)\n\n---\n\n### Installation\n\n```bash\n# Clone the repository\ngit clone https://github.com/lesis-lat/bunkai.git \u0026\u0026 cd bunkai\n\n# Install dependencies\ncpanm --installdeps . --mirror https://cpan.metacpan.org --mirror-only -n\n```\n\n---\n\n### Usage\n\nBunkai is a command-line tool that accepts the path to your project directory and an optional SARIF output file.\n\n```bash\n$ perl bunkai.pl --path /path/to/project\n$ perl bunkai.pl --path /path/to/project --sarif /path/to/output.sarif\n$ perl bunkai.pl --path /path/to/project --plan-updates /path/to/bunkai-updates.json\n$ perl bunkai.pl --path /path/to/project --apply-update-id vulnerability-fix-foo-bar-cve-2026-1234\n$ perl bunkai.pl --path /path/to/project --update-cpanfile\n```\n```bash\n$ perl bunkai.pl --help\n\nBunkai v0.9.2\nSCA for Perl Projects\n=====================\n    Command          Description\n    -------          -----------\n    -p, --path=PATH      Path to the project containing a cpanfile\n    -s, --sarif[=FILE]   Output results to a SARIF file (default: bunkai_results.sarif)\n    -u, --update-cpanfile   Update cpanfile with latest or fixed dependency versions\n    -P, --plan-updates[=FILE]   Write issue-scoped cpanfile updates to JSON (default: bunkai_updates.json)\n        --apply-update-id=ID    Apply a single issue-scoped update by ID\n    -h, --help           Display this help menu\n```\n\n---\n\n### GitHub Actions\n\nYou can run Bunkai from the GitHub Marketplace action and upload SARIF results to GitHub Advanced Security.\n\n#### Marketplace action with SARIF upload + one PR per issue\n\nCreate `.github/workflows/bunkai.yml` in each repository:\n\n```yaml\nname: Bunkai SCA\n\non:\n  pull_request:\n  push:\n    branches:\n      - main\n  schedule:\n    - cron: '0 3 * * *'\n  workflow_dispatch:\n\npermissions:\n  actions: read\n  contents: read\n\njobs:\n  bunkai:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: write\n      pull-requests: write\n      security-events: write\n    steps:\n      - name: Checkout repository\n        uses: actions/checkout@v6\n\n      - name: Run Bunkai\n        uses: lesis-lat/bunkai@0.9.2\n        with:\n          project-path: .\n          mode: orchestrate\n          install-project-deps: false\n          sarif-output: bunkai-results.sarif\n          github-token: ${{ secrets.BUNKAI_GITHUB_TOKEN || github.token }}\n          create-prs: ${{ github.event_name != 'pull_request' }}\n          close-resolved-prs: ${{ github.event_name != 'pull_request' }}\n          dedupe-updates: true\n\n      - name: Upload SARIF to GitHub\n        uses: github/codeql-action/upload-sarif@v4\n        with:\n          sarif_file: bunkai-results.sarif\n          category: bunkai-sca\n```\n\nThis workflow uploads SARIF to the Security tab and runs automated dependency-fix PR management in one action step. `orchestrate` mode plans issue updates, deduplicates same-target updates, opens/updates one PR per issue, and closes resolved `bunkai/*` PRs not present in the latest plan.\nFor production repositories, pin the action to a released tag.\n\n`install-project-deps` is optional and defaults to `false`. Enable it only when your workflow also needs to install and run repository-specific Perl tooling inside the action container.\n\n#### Orchestrate mode notes\n\nThe orchestrated PR flow includes guardrails to keep PRs actionable and stable:\n\n- Single-issue update application only mutates the targeted dependency line in `cpanfile`.\n- Duplicate updates that target the same `module + target_version` are deduplicated (prefers `vulnerability_fix`).\n- Concurrent branch update races are handled with a safe retry path when `--force-with-lease` reports stale ref info.\n- PR lifecycle operations use GitHub REST API calls (via `gh api`) to avoid GraphQL field deprecation issues.\n- Dependencies reported by MetaCPAN as belonging to distribution `perl` are not auto-updated in `cpanfile`.\n  Use `requires 'perl', 'x.yyyzzz'` for interpreter pinning, and only pin core-module versions when you need a specific module API level.\n\n### Example\n\nGiven a project directory with the following `cpanfile`:\n\n```perl\nrequires \"CryptX\",                          \"0.086\";\nrequires \"Net::CIDR::Set\",                  \"0.13\";\n```\n\nRunning Bunkai will produce the following output:\n\n```bash\n$ perl bunkai.pl --path ./path/to/project\n\nCryptX                                   0.086\nWARNING: Module 'CryptX' is outdated. Specified: 0.086, Latest: 0.087\nSUGGEST: Upgrade to version 0.087 or later.\nSECURITY: Module 'CryptX' has vulnerability CVE-2023-36328:\nCryptX (requires 0.086) has 1 advisory\n  * CPANSA-CryptX-2025-40914\n    Perl CryptX before version 0.087 contains a dependency that may be susceptible to an integer overflow.  CryptX embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328.\n    Affected range: \u003c0.087\n    Fixed range:    \u003e=0.087\n\n    CVEs: CVE-2025-40914, CVE-2023-36328\n\n    References:\n    https://github.com/advisories/GHSA-j3xv-6967-cv88\n    https://github.com/libtom/libtommath/pull/546\n    https://metacpan.org/release/MIK/CryptX-0.086/source/src/ltm/bn_mp_grow.c\n    https://www.cve.org/CVERecord?id=CVE-2023-36328\n\n\nNet::CIDR::Set                           0.13\nWARNING: Module 'Net::CIDR::Set' is outdated. Specified: 0.13, Latest: 0.16\nSUGGEST: Upgrade to version 0.16 or later.\nSECURITY: Module 'Net::CIDR::Set' has vulnerability CVE-2021-47154:\nNet-CIDR-Set (requires 0.13) has 1 advisory\n  * CPANSA-Net-CIDR-Set-2025-40911\n    Net::CIDR::Set versions 0.10 through 0.13 for Perl does not properly handle leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses.  Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation.  Net::CIDR::Set used code from Net::CIDR::Lite, which had a similar vulnerability CVE-2021-47154.\n    Affected range: \u003e=0.10,\u003c=0.13\n    Fixed range:    \u003e=0.14\n\n    CVEs: CVE-2025-40911\n\n    References:\n    https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/\n    https://github.com/robrwo/perl-Net-CIDR-Set/commit/be7d91e8446ad8013b08b4be313d666dab003a8a.patch\n    https://metacpan.org/release/RRWO/Net-CIDR-Set-0.14/changes\n```\n\nThe tool will exit with a non-zero status code if any warnings are issued, except when generating SARIF output.\n\n---\n\n### Contribution\n\nYour contributions and suggestions are heartily ♥ welcome. Please, report bugs via the project's issues page and see the security policy for vulnerability disclosures. (✿ ◕‿◕)\n\n---\n\n### License\n\nThis work is licensed under the [MIT License](/LICENSE.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flesis-lat%2Fbunkai","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flesis-lat%2Fbunkai","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flesis-lat%2Fbunkai/lists"}