Perl::Critic
Perl::Critic checks whether your code complies with the best practices from Damian Conway's “Perl Best Practices”. It also contains a few policies relevant to security.
Typical errors found:
- Use of backtick operators
- Unsafe open / select calls
- Unchecked exceptional return values…
Errors missed:
- Calls to system or exec (those are found by RATS)
- Uncleaned/unverified user input (for detecting this, use Perl's taint mode - -T option)
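The three kinds of finding listed above, shown in one script as an added example (not code from the CERN page): each flagged construct sits next to the form that passes. The policy names in the comments are Perl::Critic core policies; the log path is a constructed sample value.

```perl
#!/usr/bin/env perl
# Added example, not from the CERN page: each construct that Perl::Critic
# reports is shown next to the form that passes. Policy names in comments
# are Perl::Critic core policies; the path is a constructed sample value.
use strict;
use warnings;
use IO::Handle;            # provides ->autoflush, the replacement for 1-arg select
use POSIX qw(strftime);

my $logfile = '/tmp/app.log';   # constructed sample path

# 1. Backtick operator (InputOutput::ProhibitBacktickOperators).
#    Backticks always go through the shell, so Perl::Critic reports them
#    even with a fixed command string.
sub today_flagged { return `date +%Y-%m-%d`; }
# Passing form: no external process at all.
sub today_clean   { return strftime('%Y-%m-%d', localtime); }

# 2. Two-argument open with a bareword handle and no return check
#    (InputOutput::ProhibitTwoArgOpen, InputOutput::ProhibitBarewordFileHandles,
#    InputOutput::RequireCheckedOpen). With two-arg open, a filename that
#    starts with '>' or '|' changes the open mode instead of being a name.
sub read_log_flagged {
    open(LOG, $logfile);
    my @lines = <LOG>;
    close(LOG);            # InputOutput::RequireCheckedClose
    return scalar @lines;
}
# Passing form: three-arg open, lexical handle, every call checked.
sub read_log_clean {
    open(my $fh, '<', $logfile) or die "Cannot open $logfile: $!";
    my @lines = <$fh>;
    close($fh) or die "Cannot close $logfile: $!";
    return scalar @lines;
}

# 3. One-argument select (InputOutput::ProhibitOneArgSelect) silently
#    changes the default output handle for the rest of the program.
sub unbuffer_stderr_flagged { select(STDERR); $| = 1; select(STDOUT); }
# Passing form: set autoflush on the handle itself.
sub unbuffer_stderr_clean   { STDERR->autoflush(1); }

unbuffer_stderr_clean();
print "Today: ", today_clean(), "\n";
print "Lines in $logfile: ", read_log_clean(), "\n" if -e $logfile;
```

Running perlcritic --severity 1 on this file reports the *_flagged subs; compare each finding with the *_clean form beside it.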
Installation
SLC5 (sorry, not available on SLC4)
# RUN AS ROOT
yum install perl-Perl-Critic
Then download the configuration file and put it into your home directory:
# RUN AS REGULAR USER
wget -O $HOME/.perlcriticrc http://cern.ch/security/recommendations/en/codetools/dot_perlcriticrc.txt
Other systems
Perl::Critic is available as a CPAN module, so you can use the usual installation procedure. For instance:
# RUN AS ROOT
perl -MCPAN -e shell
cpan> install Perl::Critic
Then download the configuration file and put it into your home directory:
# RUN AS REGULAR USER
wget -O $HOME/.perlcriticrc http://cern.ch/security/recommendations/en/codetools/dot_perlcriticrc.txt
More information is available on the Perl::Critic CPAN page.
Usage
perlcritic <directory_or_file>
- --severity <1,2,3,4,5> set the severity level (from 5: gentle to 1: brutal)
- --man for a man page
Additional info
For vim users, a perlcritic compiler script for vim is available. Additionally, the perl-support plugin supports Perl::Critic.
For emacs users, EmacsWiki has a script to interface with perlcritic.