Add SECURITY.md

Author: Tux

ChangeLog

@@ -5,6 +5,7 @@
     * It's 2024
     * Tested with perl-5.40.0
     * It's 2025
+    * Add SECURITY.md
 
 0.60	- 2023-01-06, H.Merijn Brand
     * It's 2023

MANIFEST

@@ -2,6 +2,7 @@ ChangeLog
 MANIFEST
 Makefile.PL
 CONTRIBUTING.md
+SECURITY.md
 cpanfile
 README
 lib/Bundle/DBD/CSV.pm

SECURITY.md

@@ -0,0 +1,101 @@
+# Security Policy for the DBD::CSV distribution.
+
+Report issues via email at: Jochen Wiedmann.
+
+
+This is the Security Policy for the Perl DBD::CSV distribution.
+
+The latest version of the Security Policy can be found in the
+[git repository for DBD::CSV](https://github.com/perl5-dbi/DBD-CSV).
+
+This text is based on the CPAN Security Group's Guidelines for Adding
+a Security Policy to Perl Distributions (version 1.0.0)
+https://security.metacpan.org/docs/guides/security-policy-for-authors.html
+
+# How to Report a Security Vulnerability
+
+Security vulnerabilities can be reported by e-mail to the current
+project maintainers at Jochen Wiedmann.
+
+Please include as many details as possible, including code samples
+or test cases, so that we can reproduce the issue.  Check that your
+report does not expose any sensitive data, such as passwords,
+tokens, or personal information.
+
+If you would like any help with triaging the issue, or if the issue
+is being actively exploited, please copy the report to the CPAN
+Security Group (CPANSec) at <[email protected]>.
+
+Please *do not* use the public issue reporting system on RT or
+GitHub issues for reporting security vulnerabilities.
+
+Please do not disclose the security vulnerability in public forums
+until past any proposed date for public disclosure, or it has been
+made public by the maintainers or CPANSec.  That includes patches or
+pull requests.
+
+For more information, see
+[Report a Security Issue](https://security.metacpan.org/docs/report.html)
+on the CPANSec website.
+
+## Response to Reports
+
+The maintainer(s) aim to acknowledge your security report as soon as
+possible.  However, this project is maintained by a single person in
+their spare time, and they cannot guarantee a rapid response.  If you
+have not received a response from them within 10 days, then
+please send a reminder to them and copy the report to CPANSec at
+<[email protected]>.
+
+Please note that the initial response to your report will be an
+acknowledgement, with a possible query for more information.  It
+will not necessarily include any fixes for the issue.
+
+The project maintainer(s) may forward this issue to the security
+contacts for other projects where we believe it is relevant.  This
+may include embedded libraries, system libraries, prerequisite
+modules or downstream software that uses this software.
+
+They may also forward this issue to CPANSec.
+
+# Which Software This Policy Applies To
+
+Any security vulnerabilities in DBD::CSV are covered by this policy.
+
+Security vulnerabilities are considered anything that allows users
+to execute unauthorised code, access unauthorised resources, or to
+have an adverse impact on accessibility or performance of a system.
+
+Security vulnerabilities in upstream software (embedded libraries,
+prerequisite modules or system libraries, or in Perl), are not
+covered by this policy unless they affect DBD::CSV, or DBD::CSV can
+be used to exploit vulnerabilities in them.
+
+Security vulnerabilities in downstream software (any software that
+uses DBD::CSV, or plugins to it that are not included with the
+DBD::CSV distribution) are not covered by this policy.
+
+## Supported Versions of DBD::CSV
+
+The maintainer(s) will only commit to releasing security fixes for
+the latest version of DBD::CSV.
+
+Note that the DBD::CSV project only supports major versions of Perl
+released in the past 5 years, even though DBD::CSV will run on
+older versions of Perl.  If a security fix requires us to increase
+the minimum version of Perl that is supported, then we may do so.
+
+# Installation and Usage Issues
+
+The distribution metadata specifies minimum versions of
+prerequisites that are required for DBD::CSV to work.  However, some
+of these prerequisites may have security vulnerabilities, and you
+should ensure that you are using up-to-date versions of these
+prerequisites.
+
+Where security vulnerabilities are known, the metadata may indicate
+newer versions as recommended.
+
+## Usage
+
+Please see the software documentation for further information.

sandbox/genMETA.pl

@@ -3,7 +3,7 @@
 use 5.014001;
 use warnings;
 
-our $VERSION = "1.20 - 20160520";
+our $VERSION = "1.21 - 20250113";
 
 sub usage {
     my $err = shift and select STDERR;
@@ -12,14 +12,14 @@ sub usage {
     } # usage
 
 use Getopt::Long qw(:config bundling nopermute);
-my $opt_v = 0;
 GetOptions (
     "help|?"		=> sub { usage (0); },
     "V|version"		=> sub { say $0 =~ s{.*/}{}r, " [$VERSION]"; exit 0; },
 
-    "c|check!"		=> \my $check,
-    "w|write:s"		=> \my $write,
-    "v|verbose:1"	=>    \$opt_v,
+    "c|check!"		=> \ my $check,
+    "w|write:s"		=> \ my $write,
+    "u|update!"		=> \ my $update,
+    "v|verbose:1"	=> \(my $opt_v = 0),
     ) or usage (1);
 
 use lib "sandbox";
@@ -31,6 +31,7 @@ sub usage {
 
 $meta->quiet (defined $write);
 $meta->from_data (<DATA>);
+$meta->security_md ($update);
 $meta->gen_cpanfile ();
 
 if ($check) {

sandbox/genMETA.pm

@@ -2,26 +2,27 @@
 
 package genMETA;
 
-our $VERSION = "1.16-20240903";
+our $VERSION = "1.18-20250113";
 
 use 5.014001;
 use warnings;
 use Carp;
 
-use List::Util qw( first );
+use CPAN::Meta::Converter;
+use CPAN::Meta::Validator;
+use Data::Peek;
+use Date::Calc qw( Delta_Days );
 use Encode qw( encode decode );
+use File::Find;
+use JSON::PP;
+use List::Util qw( first );
+use Parse::CPAN::Meta;
+use Software::Security::Policy::Individual;
 use Term::ANSIColor qw(:constants);
-use Date::Calc qw( Delta_Days );
 use Test::CPAN::Meta::YAML::Version;
-use CPAN::Meta::Validator;
-use CPAN::Meta::Converter;
 use Test::More ();
-use Parse::CPAN::Meta;
-use File::Find;
-use YAML::Syck;
-use Data::Peek;
 use Text::Diff;
-use JSON::PP;
+use YAML::Syck;
 
 sub new {
     my $package = shift;
@@ -576,7 +577,7 @@ sub gen_cpanfile {
     if (my $of = $jsn->{optional_features}) {
 	foreach my $f (sort keys %$of) {
 	    my $fs = $of->{$f};
-	    say $fh qq/\nfeature "$f", "$fs->{description}" => sub {/;
+	    say $fh qq/\nfeature "$f", "$fs->{description}" => sub {/;#}
 	    say $fh _cpfd ($self, $fs, "", 1) =~ s/^(?=\S)/    /gmr;
 	    }
 	}
@@ -593,4 +594,54 @@ sub gen_cpanfile {
 	}
     } # gen_cpanfile
 
+sub security_md {
+    my ($self, $update) = @_;
+
+    my $sfn = "SECURITY.md";
+    my $policy = Software::Security::Policy::Individual->new ({
+        maintainer         => $self->{h}{author}[0],
+        program            => $self->{name},
+        timeframe          => "10 days",
+        url                => $self->{h}{resources}{repository},
+        perl_support_years => 5,
+        });
+
+    my $smd = $policy->fulltext;
+
+    unless (-s $sfn) {
+	open my $fh, ">:encoding(utf-8)", $sfn or die "$sfn: $! \n";
+	print   $fh $smd;
+	close   $fh;
+
+	if (open $fh, "<", "MANIFEST") {
+	    my @m = <$fh>;
+	    close $fh;
+	    unless (grep m/^$sfn(?:\s|$)/ => @m) {
+		open  $fh, ">>", "MANIFEST" or die "MANIFEST: $!\n";
+		say   $fh "$sfn\t\tGuide for reporting security issues";
+		close $fh;
+		}
+	    }
+	say "$sfn added";
+	}
+
+    open my $fh, "<:encoding(utf-8)", $sfn or die "$sfn: $!\n";
+    my $old = do { local $/; <$fh> };
+    close $fh;
+
+    $old eq $smd and return;
+
+    if ($update) {
+	open my $fh, ">:encoding(utf-8)", $sfn or die "$sfn: $!\n";
+	print   $fh $smd;
+	close   $fh;
+	say "$sfn updated";
+	}
+    else {
+	say "$sfn required updates:";
+	say diff \$old, \$smd;
+	say "to apply, use $0 --check --update";
+	}
+    } # gen_security
+
 1;