http://www.perlmonks.org?node_id=127201

Acting on the advice from this node, we have begun the planning process for basic code reviews on scripts listed at the Perl Archive. This code review will aid in categorizing scripts based on their security and basic programming practices. I've used this node as a reference when creating the basic points for code review.

Unless otherwise noted, each script will receive 1 point for compliance, -1 point for non-compliance on each of the following:

  1. Uses warnings
  2. Uses strict
  3. Security (up to 4 points).
    • Uses -T
    • Implements valid checks on all user input for potential security breaches or other damage
    • Does not appear to allow arbitrary commands
    • Using $CGI::POST_MAX or otherwise limiting maximum post size (thanks crazyinsomniac)
  4. Html output - uses CGI, HTML::Template, HTML::Mason, or other suitable alternative
  5. Form parsing - uses CGI, CGI::Lite, or other suitable module-derived alternative
  6. Uses modules where applicable (-1 for using cgi-lib.pl)
  7. Style, based on clarity and modularity (up to 2 points)
  8. Documentation / comments (-2 for no comments; +2 for effective use of commenting)
  9. Use HERE docs for lengthy text (-2 points for multiple print statements and "escape syndrome")
  10. Checks return value of specific functions (aside from open, close, flock, can you suggest others to be added to this function list?)
  11. Preserve file integrity by correctly using flock when necessary.
  12. Anything else?

Since there will probably be instances when one or more of the points above will not be applicable to a script, a 0 point value will be used. This will equal N/A and will not affect the total score.
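To make the security-related points concrete, here is a small guestbook-style CGI script written to satisfy them. It is an added example, not a script from the Perl Archive or from this thread; the form fields (name, comment) and the log file path are assumptions for the demo.

```perl
#!/usr/bin/perl -T
# -T: nothing derived from user input may reach the filesystem, a shell or
# exec until it has been untainted by a regex capture (the only way out).
use strict;
use warnings;
use CGI;
use Fcntl qw(:flock);

# Refuse oversized POST bodies (and uploads) before CGI.pm parses them.
$CGI::POST_MAX        = 64 * 1024;
$CGI::DISABLE_UPLOADS = 1;

my $q        = CGI->new;
my $log_file = '/tmp/review_demo_guestbook.log';   # hypothetical path

# Validate with an allow-list and untaint by capturing; refuse anything else
# instead of "cleaning" it into something unexpected.
my ($name) = ( $q->param('name') // '' ) =~ /\A([\w .'-]{1,40})\z/
    or error_page("name must be 1-40 letters, digits, spaces or .'-");
my ($comment) = ( $q->param('comment') // '' ) =~ /\A([^\x00-\x08\x0B\x0C\x0E-\x1F]{1,500})\z/
    or error_page('comment must be 1-500 printable characters');

# Check the return value of every open/flock/print/close: a silent failure
# here means lost or interleaved entries, which is what flock is guarding.
open my $fh, '>>', $log_file        or error_page("cannot open log: $!");
flock $fh, LOCK_EX                  or error_page("cannot lock log: $!");
printf {$fh} "%s\t%s\t%s\n", scalar localtime, $name, $comment
                                    or error_page("cannot write log: $!");
close $fh                           or error_page("cannot close log: $!");

# HTML output: escape every echoed value and use one HERE doc instead of a
# pile of print statements full of \" escapes.
my ($safe_name, $safe_comment) = ( $q->escapeHTML($name), $q->escapeHTML($comment) );
print $q->header, <<"HTML";
<html><head><title>Thanks</title></head>
<body><p>Thanks, $safe_name. You wrote:</p>
<blockquote>$safe_comment</blockquote></body></html>
HTML

# Any validation or I/O failure ends in a 400 page; the message is escaped too.
sub error_page {
    my ($msg) = @_;
    my $safe_msg = CGI::escapeHTML($msg);
    print CGI::header(-status => '400 Bad Request'), <<"HTML";
<html><body><p>Request rejected: $safe_msg</p></body></html>
HTML
    exit;
}
```

Run under a CGI-capable web server, a POST larger than 64 KiB leaves both fields empty (CGI.pm records the overflow in cgi_error), so the name check fails closed with the 400 page rather than processing a truncated request.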

I realize that this does not come anywhere close to a comprehensive code review, but the only way we can realistically implement any sort of code review at all is if we keep it simple (after all, there are ~4k scripts to review). Even if this paltry review process can guilt/embarrass only a few programmers into revamping their scripts, it will be worth the effort.

It's only fair that the program authors should bear the cost for more intensive code reviews on their own programs. If a program's author wishes to have an in-depth, individualized code review, we will refer them to various programmers who have expressed interest in performing this service (some for a fee, some as volunteers). The reviewer will then let me know the point score of the script. Perhaps there may be some rekindled interest in a code review section here?

Once a script has been reviewed, it will have a "detail" page on the site with the results of the review.

Any suggestions, enhancements, or critiques you can offer on this list would be very helpful :)

Jasmine

Update: Tainting/security point updated based on two replies from wog (1, 2) and a /msg from crazyinsomniac.

Update: Changed "excessive commenting" to "effective use of commenting", based on rchiav's suggestion.

Update: By monk magic, I presume, this node has been relocated to Meditations, where I'm able to edit the root node (thanks!). So, the updated list is back here.