github / advisory-database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
Creative Commons Attribution 4.0 International

List Perl as an environment #3536

Open briandfoy opened 4 months ago

briandfoy commented 4 months ago

I'd like to improve several reports related to the Perl language and ecosystem, but I cannot submit the form because the improvement form has the ecosystem as a required field, and there is no entry for "Other" or some such.

I suggest some combination of these:

briandfoy commented 4 months ago

This looks like the same request for C/C++ in #2963 and #3266.

delgreco commented 4 months ago

Fully support this

rawleyfowler commented 4 months ago

I support this!

KateCatlin commented 4 months ago

Hi all, thanks for opening this issue! And wow that is a lot of 👍 interest!

We have opened an issue internally to look into this and see what we would need to do to support it.

briandfoy commented 4 months ago

@KateCatlin - I didn't see another way to get in touch with you, but as one of the people who maintains some of the Perl tools that do security audits for Perl projects, I'd be happy to talk to you about how the Perl community could help the GitHub Advisory Database. I'm happy to help as a volunteer in any way that I can be useful. If you want to take it offline, my email is on https://briandfoy.github.io .

For example, I maintain the CPAN Security Advisory, which is a secondary source of information that collates a bunch of different sources for our tools. Currently I'm adding the GitHub Advisory ID to anything we are tracking. As part of that, I've collected a bunch of information on affected versions, fixed versions, and a few other things for Perl advisories. It's something I've been doing for a while. There are a lot of people that help, so we have a lot of information that can improve the GitHub reports.

KateCatlin commented 4 months ago

Thanks for offering, Brian! We'd love to have this conversation!

I'm actually going to pass this over to @taladrane who is the leader of our Advisory Database Curation team, the team that would be most involved in taking on a new ecosystem to support. I'll let you two follow up and connect from here!

stigtsp commented 4 months ago

@KateCatlin @taladrane Hi! I'm one of the members of the CPAN Security Group (@CPAN-Security), and I'd like to support the initiative by @briandfoy to add Perl as an environment in your advisory database.

Some of our goals are to help triage vulnerabilities with the Perl and CPAN community, secure the CPAN supply chain and help with the development of security-related tooling. You can find more information about our efforts on https://security.metacpan.org/ or contact us at cpan-security@perl.org.

briandfoy commented 4 months ago

We had a good meeting with @taladrane and part of her team today. I have some homework to pull together various things about how Perl modules work and so on so GitHub can see how that would fit into their workflow. This is progressing satisfactorily, and neither side is making any promises about anything. We're a long way from actual support, but I'm very happy that I even got the meeting and that they had lots of good questions. :)