Security Checks for CPAN Module Authors

localshop has asked for the wisdom of the Perl Monks concerning the following question:

As part of trying to work with CPAN I noticed the CPAN::Audit module in the recently updated list and it looks kinda useful as a general maintenance tool - going through the modules installed on my laptop and updating any that have security issues.

It occurred to me that I should probably ensure that any CPAN modules do not include dependencies with known security issues. Even though these are often pretty trivial, it would seem to make the module more robust if any dependencies have minimum versions specified that resolve the know issues.

Does anybody have advice on whether this is standard practice or whether there are any issues that I may find if I start putting in these minimum version requirements?

Comment on Security Checks for CPAN Module Authors

Replies are listed 'Best First'.
Re: Security Checks for CPAN Module Authors by cavac (Prior) on Oct 22, 2018 at 10:37 UTC
This might not be as trivial as you'd imagine. For example, a module might pull in some unsafe hashing algorithm module (like MD5) dynamically when asked to do so or as fallback option. Depending on a lot of circumstances, this might be a huge security problem (passwords without salt) or it might be OK to do so in support of some nonsecurity-related legacy requirement. And in the case of your application, it might not even load the module, just require it to be installed "just in case". `perl -e 'use MIME::Base64; print decode_base64("4pmsIE5ldmVyIGdvbm5hIGdpdmUgeW91IHVwCiAgTmV2ZXIgZ29ubmEgbGV0IHlvdSBkb3duLi4uIOKZqwo=");'`	[reply] [d/l]
Re^2: Security Checks for CPAN Module Authors by localshop (Monk) on Oct 25, 2018 at 15:44 UTC
I was thinking a little less granular. For example if I run cpan-audit installed I see a warning for PathTools <3.62 so if I use File::Spec I simply enforce minimal version so that the Module user performs an update of this module. Actually that specific module probably not a great example as it's part of Core bundled packages but you get the idea. So wasn't thinking about going down to specific encryption algols etc but just looking at modules with versions that have security advisories that are simple enough to set minimal versions on without forcing a Perl version upgrade.	[reply]