
Ability to flag indeterminate modules

Open robrwo opened this issue 3 years ago • 1 comment

Some modules (including Alien modules) will install the latest version of an external dependency. So it's possible that they may have security issues.

It would be useful to flag the dependency on external libraries, but with unknown versions. These would normally be ignored by the CPAN Audit scanning tool but a flag may be useful to indicate manual action is needed to check.

See https://github.com/briandfoy/cpan-security-advisory/issues/99#issuecomment-1304500025

robrwo avatar Nov 05 '22 11:11 robrwo

Noted. I don't have time to work on this though. The real trick is to figure out what version of the external tool is installed if we are going to warn about a problem. That's going to be something special to every particular library. That's getting a bit far afield of what CPAN::Audit aims to be.

Warning by guessing isn't a great solution either. People have been asking for less output, and if we say something like "there may be a problem", people will learn to always ignore those lines.

But, maybe someone can figure out a way to only warn when there's an actual problem.

briandfoy avatar Nov 07 '22 00:11 briandfoy
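As an added illustration of the two positions above (not code from CPAN::Audit, and not using its API), the sketch below keeps a module whose external-library version cannot be determined in a separate "indeterminate" state rather than folding it into the vulnerability warnings. The advisory entries, advisory ids, module names and the `Alien::Example` → `libexample` mapping are all constructed placeholders, and version comparison is simplified to dotted-decimal tuples (real CPAN version strings need version.pm-style parsing).

```python
"""Illustrative audit sketch: separate 'vulnerable', 'ok' and 'indeterminate'.

Constructed example, not CPAN::Audit code. All advisory ids and module names
below are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed advisory data: name -> list of (operator, bound, advisory id).
# A module or library is affected when its version satisfies the comparison.
ADVISORIES = {
    "Example::Parser": [("<", "1.20", "EXAMPLE-ADV-001")],  # placeholder id
    "libexample":      [("<", "2.4",  "EXAMPLE-ADV-002")],  # placeholder id
}

# Constructed: modules that wrap an external library whose version is only
# decided at install time (the Alien-style case described in the issue).
EXTERNAL_WRAPPERS = {"Alien::Example": "libexample"}


def parse_version(v: str) -> tuple:
    # Dotted-decimal only; "1.10" < "1.20" here, which is not true of all
    # CPAN version strings. Good enough to show the flagging logic.
    return tuple(int(part) for part in v.lstrip("v").split("."))


def is_affected(version: str, op: str, bound: str) -> bool:
    a, b = parse_version(version), parse_version(bound)
    return {"<": a < b, "<=": a <= b, "==": a == b, ">=": a >= b, ">": a > b}[op]


def check(name: str, version: str) -> Optional[str]:
    """Return the first matching advisory id for name@version, else None."""
    for op, bound, adv_id in ADVISORIES.get(name, []):
        if is_affected(version, op, bound):
            return adv_id
    return None


@dataclass
class Finding:
    module: str
    status: str   # "vulnerable", "ok" or "indeterminate"
    detail: str


def audit(installed: Dict[str, str],
          external_versions: Dict[str, Optional[str]]) -> List[Finding]:
    """installed: module -> version. external_versions: library -> version,
    or None/missing when the installed library version could not be found."""
    findings: List[Finding] = []
    for module, version in sorted(installed.items()):
        adv = check(module, version)
        if adv:
            findings.append(Finding(module, "vulnerable", adv))
            continue
        if module in EXTERNAL_WRAPPERS:
            lib = EXTERNAL_WRAPPERS[module]
            lib_ver = external_versions.get(lib)
            if lib_ver is None:
                # Cannot decide: record it, but do not call it a vulnerability.
                findings.append(Finding(
                    module, "indeterminate",
                    f"{lib} version unknown; needs manual check"))
                continue
            adv = check(lib, lib_ver)
            if adv:
                findings.append(Finding(module, "vulnerable",
                                        f"{lib} {lib_ver}: {adv}"))
                continue
        findings.append(Finding(module, "ok", ""))
    return findings


def report(findings: List[Finding], show_indeterminate: bool = False) -> List[str]:
    """Default output lists only actual problems; indeterminate entries are
    opt-in so routine runs stay quiet and warnings keep their meaning."""
    lines = []
    for f in findings:
        if f.status == "vulnerable":
            lines.append(f"VULNERABLE {f.module}: {f.detail}")
        elif f.status == "indeterminate" and show_indeterminate:
            lines.append(f"INDETERMINATE {f.module}: {f.detail}")
    return lines


if __name__ == "__main__":
    # Constructed sample input.
    installed = {"Example::Parser": "1.10", "Alien::Example": "0.05",
                 "Other::Mod": "3.0"}
    for line in report(audit(installed, {}), show_indeterminate=True):
        print(line)
```

With `external_versions` empty, `Alien::Example` comes back as indeterminate and is only printed when `show_indeterminate` is set; once a caller supplies the detected `libexample` version, the same entry resolves to either "vulnerable" or "ok" and the flag disappears.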