The CPANSA::DB module
**Report Perl security problems to [CPAN Security Group](https://security.metacpan.org), not here**. This is not a primary source of security information.
This is the README for the CPANSA::DB Perl module, the database that CPAN::Audit uses to do its work. The module was previously known as CPAN::Audit::DB but moved to its own repo and distribution so you can update the database separately.
You're probably looking at this because you don't know where else to find what you're looking for. Read this once and you might never have to read one again for any Perl module.
Documentation
This module is a data pack for other modules, such as CPAN::Audit, that need access to the digested form of the CPAN Security Advisories database. There's not much you need to read, but you can look at the data structure.
To read about CPANSA::DB, look at the embedded documentation in the module itself. Inside the distribution, you can format it with perldoc:
% perldoc lib/CPANSA/DB.pm
If you have already installed the module, you can specify the module name instead of the file location:
% perldoc CPANSA::DB
You can read the documentation and inspect the meta data on MetaCPAN.
The standard module documentation has example uses in the SYNOPSIS section, but you can also look in the examples/ directory (if it's there), or look at the test files in t/.
Installation
You can install this module with a CPAN client, which will resolve and install the dependencies:
% cpan CPANSA::DB
% cpanm CPANSA::DB
You can also install directly from the distribution directory, which will also install the dependencies:
% cpan .
% cpanm .
You could install just this module manually:
% perl Makefile.PL
% make
% make test
% make install
You probably don't want to do that unless you're fiddling with the module and only want to run the tests without installing anything.
Source location
The meta data, such as the source repository and bug tracker, is in Makefile.PL or the META.* files it creates. You can find that on those CPAN web interfaces, but you can also look at files directly in the source repository: https://github.com/briandfoy/cpan-security-advisory
If you find a problem, file a ticket in the issue tracker.
There are also backup repositories hosted on other services. These reflect the state of the main repo and exist only for redundancy:
GitHub Attestations
This distribution now uses GitHub Attestations, which allow you to verify that the archive file you have was made from the official repo.
You need a GitHub account and the gh tool.
# download the distro file from GitHub, MetaCPAN, or a CPAN mirror
$ gh auth login
...follow instructions...
$ gh attestation verify CPANSA-DB-20241111.tar.gz --owner briandfoy
Additionally, each release comes with a GPG signature that lets you verify the database file itself. The key is the same one used when the database was distributed with CPAN::Audit:
$ gpg --verify lib/CPANSA/DB.pm.gpg lib/CPANSA/DB.pm
gpg: Signature made Mon Nov 18 11:00:10 2024 EST
gpg: using RSA key 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041
gpg: Good signature from "CPAN::Audit (brian d foy) (https://github.com/briandfoy/cpan-audit) <bdfoy@cpan.org>" [ultimate]
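The two checks above, combined into one fail-closed script, as an added example that is not part of the CPANSA::DB distribution. It assumes gh is logged in, gpg already has the signing key imported, and the tarball unpacks into a directory of the same name containing lib/CPANSA/DB.pm and lib/CPANSA/DB.pm.gpg. The detail it adds over the manual steps: it pins the signing key by parsing gpg's machine-readable status lines for the fingerprint printed above, rather than trusting "Good signature", which gpg prints for any key that happens to be in your keyring.

```shell
#!/bin/sh
# Added example, not code from the CPANSA::DB distribution. Runs both checks
# from the README (GitHub attestation of the tarball, GPG signature of the
# database file) and fails closed. Assumptions: gh is logged in, gpg has the
# signing key imported, and the tarball unpacks into a directory of the same
# name that contains lib/CPANSA/DB.pm and lib/CPANSA/DB.pm.gpg.

# Fingerprint of the CPAN::Audit signing key, as gpg printed it in the README.
EXPECTED_FPR="75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041"

# Read gpg --status-fd lines on stdin; succeed only if a VALIDSIG line names
# the expected key and no BADSIG/ERRSIG/NO_PUBKEY line appears. "Good
# signature" alone is not enough: gpg says that for any key in the keyring,
# so the fingerprint is what gets pinned.  $1: expected fingerprint (hex).
check_gpg_status() {
    expected=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # VALIDSIG <sig-key-fpr> <date> <ts> <expiry> <ver> <reserved>
                #          <pk-algo> <hash-algo> <class> <primary-key-fpr>
                set -- $line
                sig_fpr=$3
                for f in "$@"; do primary_fpr=$f; done
                if [ "$sig_fpr" = "$expected" ] || [ "$primary_fpr" = "$expected" ]; then
                    found=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1    # a hard failure wins over any earlier VALIDSIG
                ;;
        esac
    done
    return $found
}

# Verify one release tarball.  $1: tarball path, $2: GitHub owner (default briandfoy)
verify_release() {
    tarball=$1
    owner=${2:-briandfoy}
    for tool in gh gpg tar; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 2; }
    done
    # 1. Provenance: was this exact archive produced by the official repo?
    gh attestation verify "$tarball" --owner "$owner" || return 1
    # 2. Content: is the database file signed by the pinned key?
    dir=$(basename "$tarball" .tar.gz)
    tar xzf "$tarball" || return 1
    gpg --status-fd 1 --verify "$dir/lib/CPANSA/DB.pm.gpg" "$dir/lib/CPANSA/DB.pm" 2>/dev/null \
        | check_gpg_status "$EXPECTED_FPR" || return 1
    echo "verified: $tarball"
}

# Usage: sh verify-cpansa.sh CPANSA-DB-20241111.tar.gz
[ $# -eq 0 ] || verify_release "$@"
```

Run it as `sh verify-cpansa.sh CPANSA-DB-20241111.tar.gz` from the directory holding the download; a non-zero exit means either the attestation or the signature check failed, and nothing is reported as verified until both pass.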
Getting help
Although I'm happy to hear from module users in private email, that's the best way for me to forget to do something.
Besides the issue trackers, you can find help at Perlmonks or Stackoverflow, both of which have many competent Perlers who can answer your question, almost in real time. They might not know the particulars of this module, but they can help you diagnose your problem.
You might like to read brian's Guide to Solving Any Perl Problem.
Copyright and License
You should have received a LICENSE file, but the license is also noted in the module files. About the only thing you can't do is pretend that you wrote code that you didn't.
Good luck!
Enjoy,
brian d foy, briandfoy@pobox.com