Provided by: libcpansa-db-perl_20250521.001-1_all 
NAME
CPANSA::DB - the CPAN Security Advisory data as a Perl data structure, mostly for CPAN::Audit
SYNOPSIS
This module is primarily used by CPAN::Audit.
use CPANSA::DB;
my $db = CPANSA::DB->db;
DESCRIPTION
The "db" subroutine returns the CPAN Security Advisory (CPANSA) reports as a Perl data structure.
However, anything can use this.
Each release also comes with a .gpg file that has the signature for the file. If you cannot confirm that
the module file has the right signature, it might have been corrupted or modified.
This module is available outside of CPAN as a release on GitHub:
<https://github.com/briandfoy/cpan-security-advisory/releases>. Each release on GitHub includes an
attestation.
There is also a JSON file that provides the same datastructure.
Subroutines
There is exactly one subroutine:
• db
Returns the hashref of all the CPANSA reports.
VERIFYING
This distribution now uses GitHub Attestations <https://github.blog/2024-05-02-introducing-artifact-
attestations-now-in-public-beta/>, which allow you to verify that the archive file you have was made from
the official repo.
You need a GitHub account and the gh tool <https://github.com/larsks/ghcli>.
# download the distro file from GitHub, MetaCPAN, or a CPAN mirror
$ gh auth login
...follow instructions...
$ gh attestation verify CPANSA-DB-20241111.tar.gz --owner briandfoy
Additionally, each release codes with GPG signature that allows you to verify that this. The key is the
same one used when the database was distributed with CPAN::Audit:
$ gpg --verify lib/CPANSA/DB.pm.gpg lib/CPANSA/DB.pm
gpg: Signature made Mon Nov 18 11:00:10 2024 EST
gpg: using RSA key 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041
gpg: Good signature from "CPAN::Audit (brian d foy) (https://github.com/briandfoy/cpan-audit) <bdfoy@cpan.org>" [ultimate]
SEE ALSO
Everything is managed in GitHub:
• <https://github.com/briandfoy/cpan-security-advisory/releases>
perl v5.40.1 2025-05-28 CPANSA::DB(3pm)