NAME¶

CPAN::Audit::DB - the CPAN Security Advisory data as a Perl data structure, mostly for CPAN::Audit

SYNOPSIS¶

This module is primarily used by CPAN::Audit.

        use CPAN::Audit::DB;
        my $db = CPAN::Audit::DB->db;

DESCRIPTION¶

The "db" subroutine returns the CPAN Security Advisory (CPANSA) reports as a Perl data structure. However, anything can use this.

Each release also comes with a .gpg file that has the signature for the file. If you cannot confirm that the module file has the right signature, it might have been corrupted or modified.

This module is available outside of CPAN as a release on GitHub: <https://github.com/briandfoy/cpan-security-advisory/releases>. Each release on GitHub includes an attestation.

There is also a JSON file that provides the same datastructure.

VERIFYING¶

This distribution now uses GitHub Attestations <https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/>, which allow you to verify that the archive file you have was made from the official repo.

You need a GitHub account and the gh tool <https://github.com/larsks/ghcli>.

        # download the distro file from GitHub, MetaCPAN, or a CPAN mirror
        $ gh auth login
        ...follow instructions...
        $ gh attestation verify CPANSA-DB-20241111.tar.gz --owner briandfoy

Additionally, each release codes with GPG signature that allows you to verify that this. The key is the same one used when the database was distributed with CPAN::Audit:

        $ gpg --verify lib/CPANSA/DB.pm.gpg lib/CPANSA/DB.pm
        gpg: Signature made Mon Nov 18 11:00:10 2024 EST
        gpg:                using RSA key 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041
        gpg: Good signature from "CPAN::Audit (brian d foy) (https://github.com/briandfoy/cpan-audit) <bdfoy@cpan.org>" [ultimate]

SEE ALSO¶

Everything is managed in GitHub:

•

<https://github.com/briandfoy/cpan-security-advisory/releases>