Recently I learned that there is a #PerlCritic policy preventing you from confusing `eq` and `==` 🤯

https://metacpan.org/pod/Perl::Critic::Policy::ValuesAndExpressions::ProhibitMismatchedOperators

I often do have mixed feelings about learnings like this... on the one hand I am really happy that I learned something new and found something incredibly useful, on the other hand I feel seriously bad for not having already known about something this basic...
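As an added illustration of why that policy matters (example code, not from the thread; the role-check functions are constructed):

```perl
use strict;
use warnings;

# Constructed example: an authorization check written with the numeric
# operator. Under `==` Perl coerces both operands to numbers, and
# non-numeric strings such as 'admin', 'guest' and 'anonymous' all
# become 0, so the comparison is true for every caller. With `use
# warnings` you get only an "isn't numeric" warning, not an error.
sub is_admin_buggy {
    my ($role) = @_;
    return $role == 'admin';    # ProhibitMismatchedOperators flags this
}

# Corrected form: a string operand gets the string operator.
sub is_admin {
    my ($role) = @_;
    return $role eq 'admin';
}

for my $role (qw(admin guest anonymous)) {
    printf "%-10s buggy=%d fixed=%d\n",
        $role, is_admin_buggy($role) ? 1 : 0, is_admin($role) ? 1 : 0;
}

# The same defect is caught statically, before it ships, with:
#   perlcritic --single-policy ValuesAndExpressions::ProhibitMismatchedOperators lib/
```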


@Pyrrhlin I like to see the test first when reading from left to right.

Per #perlcritic I reserve postfix controls for program flow control functions like return, last, next, etc. https://metacpan.org/pod/Perl::Critic::Policy::ControlStructures::ProhibitPostfixControls


@tripleo #Perl’s “sharp edges” are mainly early syntax and features that later experience with large and networked #programming found dangerous, but are preserved for backward (and we do mean “backward”) compatibility.

See the details of the `strict` and `warnings` pragmas, and successively missing items in `feature` bundles:

https://perldoc.perl.org/strict
https://perldoc.perl.org/warnings
https://perldoc.perl.org/feature#FEATURE-BUNDLES

And the summary of policies included in #PerlCritic: https://MetaCPAN.org/pod/Perl::Critic::PolicySummary


@aimaz Yes, and many of the #Perl recommendations by #CERT (https://wiki.sei.cmu.edu/confluence/x/wlxMBQ) have corresponding #PerlCritic policies: https://metacpan.org/dist/Perl-Critic/view/lib/Perl/Critic/PolicySummary.pod

Perl app and module #developers can easily incorporate a perlcritic test into their test suite to catch #security and other problems: https://metacpan.org/pod/Test::Perl::Critic

#InfoSec #CyberSecurity #programming #coding #SoftwareEngineering #SoftwareSecurity
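One way to wire this into a test suite, as an added example that is not from the thread or from Test::Perl::Critic's own distribution (the `TEST_AUTHOR` variable and the `t/perlcriticrc` path are assumptions); the profile after `__END__` enables the policies discussed in this thread at severities that fail the test:

```perl
# t/perlcritic.t
use strict;
use warnings;
use Test::More;

# Perl::Critic releases change their policy defaults, so run this only
# for the author and CI, not on every installing user's machine.
# TEST_AUTHOR is a conventional variable name, assumed here.
plan skip_all => 'set TEST_AUTHOR=1 to run Perl::Critic checks'
    unless $ENV{TEST_AUTHOR};

eval { require Test::Perl::Critic; 1 }
    or plan skip_all => 'Test::Perl::Critic required for this test';

# Load a profile kept in the repository so every contributor and the CI
# runner apply exactly the same policies.
Test::Perl::Critic->import(-profile => 't/perlcriticrc');

all_critic_ok();    # criticises every file under blib/ or lib/

__END__
Contents of t/perlcriticrc, the profile loaded above:

severity = 3

[ValuesAndExpressions::ProhibitMismatchedOperators]
severity = 5

[ControlStructures::ProhibitPostfixControls]
# permit postfix conditions only after these flow-control words
flowcontrol = warn die carp croak return last next

[Objects::ProhibitIndirectSyntax]
severity = 5

[Modules::RequireNoMatchVarsWithUseEnglish]
severity = 5
```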


@Perl If you were at last year’s #Perl and Raku Conference in Toronto, you might have heard @davorg's talk on #GitHub Actions. He's recently released a set of reusable workflows for you to try in your projects: https://perlhacks.com/2024/01/github-actions-for-perl-development/

Right now you can run your tests on a variety of operating systems, check test coverage, and run #PerlCritic across your code. He's also working on #CPAN release and #DistZilla testing workflows.

https://fosstodon.org/@davorg/111788713770095915


@nobodyinperson Bliss to write but not to read as tortuous double-negatives pile up with maintenance. The ProhibitUnlessBlocks #PerlCritic policy exists for a reason: https://metacpan.org/pod/Perl::Critic::Policy::ControlStructures::ProhibitUnlessBlocks

This applies to both `unless` and `until`. Congratulations if you've used them in the past: you contributed to #Perl's reputation as a write-only language in the eyes of the person who had to revise your code to deal with more complicated conditions.


@lemorin This also means you can disable the Modules::RequireNoMatchVarsWithUseEnglish #PerlCritic policy (https://metacpan.org/pod/Perl::Critic::Policy::Modules::RequireNoMatchVarsWithUseEnglish) if you can be sure you’re running on #Perl v5.20 or later!

@eliasp @ColinTheMathmo BTW #Perl has two well-known tools to encourage and enforce #programming style and best practices, respectively:
#PerlTidy: https://perltidy.github.io/perltidy
#PerlCritic: http://perlcritic.com

Your project or team can use their reasonable defaults or further configure them to reflect and maintain the consistent application of your preferences. They also integrate with editors/IDEs, source control management, and author #testing.

@dakkar @Perl `use v5.36;` or later will disable #Perl indirect object syntax.

And the https://MetaCPAN.org/pod/Perl::Critic::Policy::Objects::ProhibitIndirectSyntax policy will catch it.

You mandate things by adding #PerlCritic to your tests or pre-commit hooks, not by relying on your team’s individual vigilance.


@ovid and other Perl mongers. What, if anything, do you use for code security?

I know that using taint gets you far, but SAST is mostly what I’m thinking (especially for legacy code without taint). Any tips?

Does Perl::Critic do a decent job, and is there a list of what its security policy and 3rd party plug-ins cover?

Other OS SAST I found are: https://github.com/htrgouvea/zarn and this grep-based one: https://github.com/wireghoul/graudit

Are they OK?

#SAST #Perl #AppSec #CodeSecurity #PerlCritic
