Perl::Critic

Perl Critic checks whether your code complies with best practices based on Damian Conway's “Perl Best Practices”. However, it also contains a few policies relevant to security.

Typical errors found:

  • Use of backtick operators
  • Unsafe open / select calls
  • Unchecked exceptional return values…

Errors missed:

  • Calls to system or exec (those are found by RATS)
  • Uncleaned/unverified user input (for detecting this, use Perl's taint mode - -T option)

Installation

SLC5 (sorry, not available on SLC4)
# RUN AS ROOT
yum install perl-Perl-Critic

Then download the configuration file and put it into your home directory:

# RUN AS REGULAR USER
wget -O $HOME/.perlcriticrc http://cern.ch/security/recommendations/en/codetools/dot_perlcriticrc
Other systems

Perl::Critic is available as a CPAN module, so you can use usual installation procedure. For instance:

# RUN AS ROOT
perl -MCPAN -e shell
 
cpan> install Perl::Critic

Then download the configuration file and put it into your home directory:

# RUN AS REGULAR USER
wget -O $HOME/.perlcriticrc http://cern.ch/security/recommendations/en/codetools/dot_perlcriticrc

More information on the Perl Critic CPAN page.

Usage

perlcritic <directory_or_file>
  • –severity <1,2,3,4,5> set the severity level (from 5: gentle to 1: brutal)
  • –man for a man page

Additional info

For vim users, vim perlcritic compiler script is available. Additionally, perl-support plugin supports Perl::Critic.

For emacs users, emacsWiki has a script to interface perlcritic.