feat(julia): enable vulnerability scanning for the Julia language ecosystem (#9800)

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
2025-12-05 20:40:16 -08:00 · 2025-12-05 05:15:16 -05:00
parent 9275e1532b
commit c2f82add3a
17 changed files with 69 additions and 12 deletions
--- a/docs/guide/coverage/language/julia.md
+++ b/docs/guide/coverage/language/julia.md
@@ -7,7 +7,7 @@ The following scanners are supported.

 | Package manager | SBOM | Vulnerability | License |
 |-----------------|:----:|:-------------:|:-------:|
-| Pkg.jl          |  ✓   |       -       |    -    |
+| Pkg.jl          |  ✓   |       ✓       |    -    |

 The following table provides an outline of the features Trivy offers.

--- a/docs/guide/references/configuration/cli/trivy_filesystem.md
+++ b/docs/guide/references/configuration/cli/trivy_filesystem.md
@@ -171,6 +171,7 @@ trivy filesystem [flags] PATH
                                            - chainguard
                                            - bitnami
                                            - govulndb
+                                            - julia
                                            - echo
                                            - minimos
                                            - rootio
--- a/docs/guide/references/configuration/cli/trivy_image.md
+++ b/docs/guide/references/configuration/cli/trivy_image.md
@@ -192,6 +192,7 @@ trivy image [flags] IMAGE_NAME
                                            - chainguard
                                            - bitnami
                                            - govulndb
+                                            - julia
                                            - echo
                                            - minimos
                                            - rootio
--- a/docs/guide/references/configuration/cli/trivy_kubernetes.md
+++ b/docs/guide/references/configuration/cli/trivy_kubernetes.md
@@ -180,6 +180,7 @@ trivy kubernetes [flags] [CONTEXT]
                                            - chainguard
                                            - bitnami
                                            - govulndb
+                                            - julia
                                            - echo
                                            - minimos
                                            - rootio
--- a/docs/guide/references/configuration/cli/trivy_repository.md
+++ b/docs/guide/references/configuration/cli/trivy_repository.md
@@ -170,6 +170,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
                                            - chainguard
                                            - bitnami
                                            - govulndb
+                                            - julia
                                            - echo
                                            - minimos
                                            - rootio
--- a/docs/guide/references/configuration/cli/trivy_rootfs.md
+++ b/docs/guide/references/configuration/cli/trivy_rootfs.md
@@ -172,6 +172,7 @@ trivy rootfs [flags] ROOTDIR
                                            - chainguard
                                            - bitnami
                                            - govulndb
+                                            - julia
                                            - echo
                                            - minimos
                                            - rootio
--- a/docs/guide/references/configuration/cli/trivy_sbom.md
+++ b/docs/guide/references/configuration/cli/trivy_sbom.md
@@ -137,6 +137,7 @@ trivy sbom [flags] SBOM_PATH
                                         - chainguard
                                         - bitnami
                                         - govulndb
+                                         - julia
                                         - echo
                                         - minimos
                                         - rootio
--- a/docs/guide/references/configuration/cli/trivy_vm.md
+++ b/docs/guide/references/configuration/cli/trivy_vm.md
@@ -156,6 +156,7 @@ trivy vm [flags] VM_IMAGE
                                            - chainguard
                                            - bitnami
                                            - govulndb
+                                            - julia
                                            - echo
                                            - minimos
                                            - rootio
--- a/docs/guide/scanner/vulnerability.md
+++ b/docs/guide/scanner/vulnerability.md
@@ -137,6 +137,7 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 | Dart     | [GitHub Advisory Database (Pub)][pub-ghsa]          |       ✅        |     -     |
 | Elixir   | [GitHub Advisory Database (Erlang)][erlang-ghsa]    |       ✅        |     -     |
 | Swift    | [GitHub Advisory Database (Swift)][swift-ghsa]      |       ✅        |     -     |
+| Julia    | [Open Source Vulnerabilities (Julia)][julia-osv]    |       ✅        |     -     |

 [^1]: Intentional delay between vulnerability disclosure and registration in the DB

@@ -426,13 +427,14 @@ Example logic for the following vendor severity levels when scanning an Alpine i

 [python-osv]: https://osv.dev/list?q=&ecosystem=PyPI
 [rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
+[julia-osv]: https://osv.dev/list?q=&ecosystem=Julia

 [nvd]: https://nvd.nist.gov/vuln

 [k8s-cve]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/

 [CVE-2023-32681]: https://nvd.nist.gov/vuln/detail/CVE-2023-32681
-[RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520 
+[RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520
 [ghsa]: https://github.com/advisories
 [requests]: https://pypi.org/project/requests/
 [precision-recall]: https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/aquasecurity/testdocker v0.0.0-20250616060700-ba6845ac6d17
 	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169
-	github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a
+	github.com/aquasecurity/trivy-db v0.0.0-20251205093947-925515d35727
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 	github.com/aquasecurity/trivy-kubernetes v0.9.1
 	github.com/aws/aws-sdk-go-v2 v1.40.0
@@ -475,7 +475,6 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
 	google.golang.org/grpc v1.76.0 // indirect
-	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
--- a/go.sum
+++ b/go.sum
@@ -222,8 +222,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
 github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169 h1:TckzIxUX7lZaU9f2lNxCN0noYYP8fzmSQf6a4JdV83w=
 github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169/go.mod h1:nT69xgRcBD4NlHwTBpWMYirpK5/Zpl8M+XDOgmjMn2k=
-github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a h1:Wmvjq3zQGsZ8Wlqh75zvujh7LZNTXU4YoEf8tyL1LoM=
-github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a/go.mod h1:upAJqDQkN5FdIJbtJMpokncGNhYAPGkpoCbaGciWPt4=
+github.com/aquasecurity/trivy-db v0.0.0-20251205093947-925515d35727 h1:LawBOgOh1qrwcVTPPfZPwZkuRBIfl4IyCitnmdAjwe8=
+github.com/aquasecurity/trivy-db v0.0.0-20251205093947-925515d35727/go.mod h1:KL/C38wFKTREFgKSShT3DEmjNYSNXoYQ96wtQXRbnM8=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.9.1 h1:bSErQcavKXDh7XMwbGX7Vy//jR5+xhe/bOgfn9G+9lQ=
@@ -1520,8 +1520,6 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk=
-gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -99,13 +99,13 @@ nav:
              - Elixir: guide/coverage/language/elixir.md
              - Go: guide/coverage/language/golang.md
              - Java: guide/coverage/language/java.md
+              - Julia: guide/coverage/language/julia.md
              - Node.js: guide/coverage/language/nodejs.md
              - PHP: guide/coverage/language/php.md
              - Python: guide/coverage/language/python.md
              - Ruby: guide/coverage/language/ruby.md
              - Rust: guide/coverage/language/rust.md
              - Swift: guide/coverage/language/swift.md
-              - Julia: guide/coverage/language/julia.md
          - IaC:
              - Overview: guide/coverage/iac/index.md
              - Ansible: guide/coverage/iac/ansible.md
--- a/pkg/detector/library/driver.go
+++ b/pkg/detector/library/driver.go
@@ -83,8 +83,8 @@ func NewDriver(libType ftypes.LangType) (Driver, bool) {
 		eco = ecosystem.Kubernetes
 		comparer = compare.GenericComparer{}
 	case ftypes.Julia:
-		log.Warn("Julia is supported for SBOM, not for vulnerability scanning")
-		return Driver{}, false
+		eco = ecosystem.Julia
+		comparer = compare.GenericComparer{}
 	default:
 		log.Warn("The library type is not supported for vulnerability scanning",
 			log.String("type", string(libType)))
@@ -129,6 +129,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D

 		vuln := types.DetectedVulnerability{
 			VulnerabilityID:  adv.VulnerabilityID,
+			VendorIDs:        adv.VendorIDs, // Any vendors have specific IDs, e.g. GHSA, JLSEC
 			PkgID:            pkgID,
 			PkgName:          pkgName,
 			InstalledVersion: pkgVer,
--- a/pkg/detector/library/driver_test.go
+++ b/pkg/detector/library/driver_test.go
@@ -66,7 +66,10 @@ func TestDriver_Detect(t *testing.T) {
 			},
 			want: []types.DetectedVulnerability{
 				{
-					VulnerabilityID:  "CVE-2022-21235",
+					VulnerabilityID: "CVE-2022-21235",
+					VendorIDs: []string{
+						"GHSA-6635-c626-vj4r",
+					},
 					PkgName:          "github.com/Masterminds/vcs",
 					InstalledVersion: "v1.13.1",
 					FixedVersion:     "v1.13.2",
@@ -78,6 +81,34 @@ func TestDriver_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "julia package",
+			fixtures: []string{
+				"testdata/fixtures/julia.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			libType: ftypes.Julia,
+			args: args{
+				pkgName: "HTTP",
+				pkgVer:  "1.10.16",
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2025-52479",
+					PkgName:          "HTTP",
+					InstalledVersion: "1.10.16",
+					FixedVersion:     "1.10.17",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.Julia,
+						Name: "Julia Ecosystem Security Advisories",
+						URL:  "https://github.com/JuliaLang/SecurityAdvisories.jl",
+					},
+					VendorIDs: []string{
+						"JLSEC-2025-1",
+					},
+				},
+			},
+		},
 		{
 			name:     "non-prefixed buckets",
 			fixtures: []string{"testdata/fixtures/php-without-prefix.yaml"},
--- a/pkg/detector/library/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/library/testdata/fixtures/data-source.yaml
@@ -30,3 +30,8 @@
        ID: "ghsa"
        Name: "GitHub Security Advisory Go"
        URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
+    - key: "julia::Julia Ecosystem Security Advisories"
+      value:
+        ID: "julia"
+        Name: "Julia Ecosystem Security Advisories"
+        URL: "https://github.com/JuliaLang/SecurityAdvisories.jl"
--- a/pkg/detector/library/testdata/fixtures/go.yaml
+++ b/pkg/detector/library/testdata/fixtures/go.yaml
@@ -8,3 +8,5 @@
              - v1.13.2
            VulnerableVersions:
              - "<v1.13.2"
+            VendorIDs:
+              - "GHSA-6635-c626-vj4r"
--- a/pkg/detector/library/testdata/fixtures/julia.yaml
+++ b/pkg/detector/library/testdata/fixtures/julia.yaml
@@ -0,0 +1,12 @@
+- bucket: "julia::Julia Ecosystem Security Advisories"
+  pairs:
+    - bucket: HTTP
+      pairs:
+        - key: CVE-2025-52479
+          value:
+            PatchedVersions:
+              - 1.10.17
+            VulnerableVersions:
+              - "<1.10.17"
+            VendorIDs:
+              - "JLSEC-2025-1"