@briandfoy
Last active December 22, 2024 00:26
This is a list of Perl::Critic policies that CERT recommends (https://www.securecoding.cert.org/confluence/display/perl/CERT+Perl+Secure+Coding+Standard)
BuiltinFunctions::ProhibitBooleanGrep
BuiltinFunctions::ProhibitStringyEval
BuiltinFunctions::ProhibitStringySplit
BuiltinFunctions::ProhibitUniversalCan
BuiltinFunctions::ProhibitUniversalIsa
ClassHierarchies::ProhibitExplicitISA
ControlStructures::ProhibitMutatingListFunctions
ControlStructures::ProhibitUnreachableCode
ErrorHandling::RequireCarping
InputOutput::ProhibitBarewordFileHandles
InputOutput::RequireCheckedClose
InputOutput::RequireCheckedOpen
InputOutput::RequireCheckedSyscalls
InputOutput::ProhibitInteractiveTest
InputOutput::ProhibitOneArgSelect
InputOutput::ProhibitTwoArgOpen
Miscellanea::ProhibitFormats
Modules::ProhibitEvilModules
Modules::RequireEndWithOne
Objects::ProhibitIndirectSyntax
TestingAndDebugging::RequireUseWarnings
RegularExpressions::ProhibitCaptureWithoutTest
Subroutines::ProhibitBuiltinHomonyms
Subroutines::ProhibitExplicitReturnUndef
Subroutines::ProhibitReturnSort
Subroutines::ProhibitSubroutinePrototypes
Subroutines::ProhibitUnusedPrivateSubroutines
Subroutines::ProtectPrivateSubs
Subroutines::RequireFinalReturn
TestingAndDebugging::ProhibitNoStrict
TestingAndDebugging::ProhibitProlongedStrictureOverride
TestingAndDebugging::RequireUseStrict
TestingAndDebugging::ProhibitNoWarnings
ValuesAndExpressions::ProhibitCommaSeparatedStatements
ValuesAndExpressions::ProhibitLeadingZeros
ValuesAndExpressions::ProhibitMagicNumbers
ValuesAndExpressions::ProhibitMismatchedOperators
ValuesAndExpressions::ProhibitMixedBooleanOperators
Variables::ProhibitPerl4PackageNames
Variables::ProhibitUnusedVariables
Variables::ProtectPrivateVars
Variables::RequireInitializationForLocalVars
Variables::RequireLexicalLoopIterators
Variables::RequireLocalizedPunctuationVars
@kimmel
kimmel commented Jan 14, 2013

Variables::ProhibitUnreachableCode is a mistake from the CERT site. It should be ControlStructures::ProhibitUnreachableCode

Also the following policies are missing:

BuiltinFunctions::ProhibitBooleanGrep
InputOutput::ProhibitTwoArgOpen
InputOutput::RequireCheckedClose
InputOutput::RequireCheckedOpen
InputOutput::RequireCheckedSyscalls

as referenced from:

https://www.securecoding.cert.org/confluence/display/perl/EXP06-PL.+Do+not+use+an+array+in+an+implicit+scalar+context

https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=76775519

https://www.securecoding.cert.org/confluence/display/perl/EXP32-PL.+Do+not+ignore+function+return+values

@briandfoy
Updated

@gdarcy
gdarcy commented Jun 26, 2013

TestingAndDebugging:;ProhibitNoWarnings should be TestingAndDebugging::ProhibitNoWarnings
Policy::TestingAndDebugging::RequireUseStrict and Policy::TestingAndDebugging::RequireUseWarnings are not found; these probably should be TestingAndDebugging::RequireUseStrict (already in the list) and TestingAndDebugging::RequireUseWarnings

@robrwo
robrwo commented Dec 18, 2024

Typo line 34: "TestingAndDebugging:;ProhibitNoWarnings"

@briandfoy
briandfoy commented Dec 18, 2024

Fixed, thanks for pinging this.

It took me a minute to see the difference between the colon and semicolon typo. I think that means I need to clean my monitor.

@sjn
sjn commented Dec 21, 2024

Seems CERT's list has moved since this list was made. They seem to have moved some of this to the Back Matter section on Perl::Critic.

Maybe worth updating the URL and expanding a little? 🙂

(With that said, I'd love to refer to this page from the CPANSec website, if that's ok.)

@briandfoy
If it's public you can link to it. :)
