List Perl as an environment about advisory-database HOT 8 OPEN

Hi all, thanks for opening this issue! And wow that is a lot of 👍 interest!

We have opened an issue internally to look into this and see what we would need to do to support it.

from advisory-database.

We had a good meeting with @taladrane and part of her team today. I have some homework to pull together various things about how Perl modules work and so on so GitHub can see how that would fit into their workflow. This is progressing satisfactorily, and neither side is making any promises about anything. We're a long way from actual support, but I'm very happy that I even got the meeting and that they had lots of good questions. :)

from advisory-database.

@KateCatlin @taladrane Hi! I'm one of the members of the CPAN Security Group (@CPAN-Security), and I'd like to support the initiative by @briandfoy to add Perl as an environment in your advisory database.

Some of our goals are to help triage vulnerabilities with the Perl and CPAN community, secure the CPAN supply chain and help with the development of security related tooling. You can find more information about our efforts on https://security.metacpan.org/ or contact us on [email protected]

from advisory-database.

This looks like the same request for C/C++ in #2963 and #3266.

from advisory-database.

Fully support this

from advisory-database.

Thanks for offering, Brian! We'd love to have this conversation!

I'm actually going to pass this over to @taladrane who is the leader of our Advisory Database Curation team, the team that would be most involved in taking on a new ecosystem to support. I'll let you two follow up and connect from here!

from advisory-database.

I support this!

from advisory-database.

@KateCatlin - I didn't see another way to get in touch with you, but as one of the people who maintains some of the Perl tools that do security audits for Perl projects, I'd be happy to talk to you about how the Perl community could help the GitHub Advisory Database. I'm happy to help as a volunteer in any way that I can be useful. If you want to take it offline, my email is on https://briandfoy.github.io .

For example, I maintain the CPAN Security Advisory, which is a secondary source of information that collates a bunch of different sources for our tools. Currently I'm adding the GitHub Advisory ID to anything we are tracking. As part of that, I've collected a bunch of information on affected versions, fixed versions, and a few other things for Perl advisories. It's something I've been doing for awhile. There are a lot of people that help, so we have a lot of information that can improve the GitHub reports.

from advisory-database.