in reply to Re: THREE new perl releases
in thread THREE new perl releases

Hah, changing the subject :)

Test::CVE uses a database with known CPAN vulnerabilities and the versions in which these were fixed. By scanning cpanfile, Makefile.PL and possibly other sources, the module looks for required and used modules/releases and possibly declared versions. It will report if the declared version is open to CVEs. The advice from the security group would be to either require the version that fixed the CVE(s) or to make that version a recommendation and document that when using the older version, you are on your own.

As you stated, \p{...} would *not* be picked up by this module.


Enjoy, Have FUN! H.Merijn