Merge pull request #3531 from metacpan/fix-3513

oalders · web-flow · commit 03ec78c21fe3 · 2026-02-24T18:29:00.000-05:00
Make CVEs available in the UI
diff --git a/lib/MetaCPAN/Web/Model/API/CVE.pm b/lib/MetaCPAN/Web/Model/API/CVE.pm
@@ -0,0 +1,14 @@
+package MetaCPAN::Web::Model::API::CVE;
+use Moose;
+extends 'MetaCPAN::Web::Model::API';
+
+sub get {
+    my ( $self, $author, $release ) = @_;
+    $self->request("/cve/release/$author/$release")->then( sub {
+        my $data = shift;
+        Future->done( { cves => $data->{cve} || [] } );
+    } );
+}
+
+__PACKAGE__->meta->make_immutable;
+1;
diff --git a/lib/MetaCPAN/Web/Model/ReleaseInfo.pm b/lib/MetaCPAN/Web/Model/ReleaseInfo.pm
@@ -21,6 +21,7 @@ my %models = (
     _changes      => 'API::Changes',
     _favorite     => 'API::Favorite',
     _permission   => 'API::Permission',
+    _cve          => 'API::CVE',
 );
 
 has [ keys %models ] => ( is => 'ro' );
@@ -69,6 +70,9 @@ sub _fetch {
                 [
                     coverage => $self->_release->coverage( $author, $release )
                 ],
+                [
+                    cves => $self->_cve->get( $author, $release )
+                ],
             );
         },
     )->with_dist(
diff --git a/perlimports.toml b/perlimports.toml
@@ -10,7 +10,7 @@
 # preserve_unused disabled.
 
 cache                           = false # setting this to true is currently discouraged
-ignore_modules                  = ["Catalyst::Runtime","namespace::clean", "Test::More", "Type::Library", "With::Roles"]
+ignore_modules                  = ["Catalyst::Runtime","namespace::clean", "Test::More", "Test2::V0", "Type::Library", "With::Roles"]
 ignore_modules_filename         = ""
 ignore_modules_pattern          = "" # regex like "^(Foo|Foo::Bar)"
 ignore_modules_pattern_filename = ""
diff --git a/root/base/release.tx b/root/base/release.tx
@@ -232,6 +232,7 @@
 %%  }
 %%  override content -> {
 
+  %%  include inc::cve_banner;
   %%  include inc::notification;
 
   %%  block page_content -> { }
diff --git a/root/inc/cve_banner.tx b/root/inc/cve_banner.tx
@@ -0,0 +1,35 @@
+%%  if $cves && $cves.size() {
+<details class="cve-banner">
+    <summary class="cve-summary">
+        <i class="fa fa-shield" aria-hidden="true"></i>
+        <strong>Security Advisories ([% $cves.size() %])</strong>
+    </summary>
+    <div class="cve-body">
+        %%  for $cves -> $cve {
+        <div class="cve-entry">
+            <div class="cve-header">
+                <strong>
+                %%  if $cve.cves.size() {
+                    [% $cve.cves.join(', ') %]
+                %%  }
+                %%  else {
+                    [% $cve.cpansa_id %]
+                %%  }
+                </strong>
+                %%  if $cve.reported {
+                ([% $cve.reported %])
+                %%  }
+            </div>
+            <p>[% $cve.description %]</p>
+            %%  if $cve.references.size() {
+            <ul class="cve-references">
+                %%  for $cve.references -> $ref {
+                <li><a rel="noopener nofollow" href="[% $ref %]">[% $ref %]</a></li>
+                %%  }
+            </ul>
+            %%  }
+        </div>
+        %%  }
+    </div>
+</details>
+%%  }
diff --git a/root/static/less/notification.less b/root/static/less/notification.less
@@ -48,3 +48,36 @@ label.remove-notification {
 .notify-MODULE_DEPRECATED {
     background: #f8d7da;
 }
+
+.cve-banner {
+    border: 1px solid @alert-danger-border;
+    border-radius: 4px;
+    margin-bottom: 15px;
+}
+
+.cve-summary {
+    display: list-item;
+    background: @alert-danger-bg;
+    color: @alert-danger-text;
+    padding: 8px 12px;
+    cursor: pointer;
+}
+
+.cve-body {
+    padding: 10px 12px;
+}
+
+.cve-entry + .cve-entry {
+    border-top: 1px solid #eee;
+    padding-top: 8px;
+    margin-top: 8px;
+}
+
+ul.cve-references {
+    margin-bottom: 0;
+    list-style: disc;
+}
+
+ul.cve-references a {
+    word-break: break-all;
+}
diff --git a/t/model/api/cve.t b/t/model/api/cve.t
@@ -0,0 +1,26 @@
+use strict;
+use warnings;
+use lib 't/lib';
+
+use MetaCPAN::Web ();
+use Test::More;
+
+my $model = MetaCPAN::Web->model('API::CVE');
+
+subtest 'has cves' => sub {
+    my $result = $model->get( 'SRI', 'Mojolicious-9.30' )->get;
+    my $cve    = $result->{cves}[1];
+    ok( $cve->{cpansa_id},   'cpansa_id' );
+    ok( $cve->{cves},        'cves' );
+    ok( $cve->{description}, 'description' );
+    is( $cve->{severity}, undef, 'undef severity' );
+    ok( $cve->{reported},   'reported date' );
+    ok( $cve->{references}, 'references' );
+};
+
+subtest 'no cves' => sub {
+    my $empty = $model->get( 'OALDERS', 'HTML-Restrict-3.0.2' )->get;
+    is_deeply( $empty->{cves}, [], 'cve list is empty' );
+};
+
+done_testing;
