
Conversation

@mbauman
Contributor

@mbauman mbauman commented Nov 13, 2025

Description

This is the final step in supporting Julia vulnerability scanning (#9071). It requires the related PRs to first be merged.

Before

2025-08-22T17:22:07Z	INFO	[julia] Detecting vulnerabilities...
2025-08-22T17:22:07Z	WARN	Julia is supported for SBOM, not for vulnerability scanning

Report Summary

┌───────────────┬───────┬─────────────────┬─────────┐
│    Target     │ Type  │ Vulnerabilities │ Secrets │
├───────────────┼───────┼─────────────────┼─────────┤
│ Manifest.toml │ julia │        0        │    -    │
└───────────────┴───────┴─────────────────┴─────────┘

After

2025-11-13T17:04:35Z	INFO	[julia] Detecting vulnerabilities...
2025-11-13T17:04:35Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/dev/docs/scanner/vulnerability#severity-selection for details.

Report Summary

┌───────────────┬───────┬─────────────────┬─────────┐
│    Target     │ Type  │ Vulnerabilities │ Secrets │
├───────────────┼───────┼─────────────────┼─────────┤
│ Manifest.toml │ julia │        2        │    -    │
└───────────────┴───────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


Manifest.toml (julia)

Total: 2 (UNKNOWN: 1, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ HTTP        │ CVE-2025-61689 │ UNKNOWN  │ fixed  │ 1.10.17           │ 1.10.19       │ Header injection/Response splitting via header construction. │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-61689                   │
├─────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ MbedTLS_jll │ CVE-2025-27810 │ MEDIUM   │        │ 2.28.6+0          │ 2.28.10+0     │ Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases  │
│             │                │          │        │                   │               │ of...                                                        │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-27810                   │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Related issues

The discussion in #9071 has not been converted into an issue.

Related PRs

This depends upon:

Remove this section if you don't have related PRs.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • (N/A) I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@github-actions github-actions bot added the "apidiff" label (Indicates Go API changes relevant to library consumers; CLI compatibility may be unaffected) Nov 13, 2025
@aqua-bot aqua-bot requested a review from a team November 13, 2025 15:58
@mbauman
Contributor Author

mbauman commented Nov 13, 2025

This is now working 🎉

$ ./trivy fs --cache-dir ./cache --skip-db-update  ~/tmp
2025-11-13T17:04:35Z	INFO	[vuln] Vulnerability scanning is enabled
2025-11-13T17:04:35Z	INFO	[secret] Secret scanning is enabled
2025-11-13T17:04:35Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-11-13T17:04:35Z	INFO	[secret] Please see https://trivy.dev/dev/docs/scanner/secret#recommendation for faster secret detection
2025-11-13T17:04:35Z	INFO	Number of language-specific files	num=1
2025-11-13T17:04:35Z	INFO	[julia] Detecting vulnerabilities...
2025-11-13T17:04:35Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/dev/docs/scanner/vulnerability#severity-selection for details.

Report Summary

┌───────────────┬───────┬─────────────────┬─────────┐
│    Target     │ Type  │ Vulnerabilities │ Secrets │
├───────────────┼───────┼─────────────────┼─────────┤
│ Manifest.toml │ julia │        2        │    -    │
└───────────────┴───────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


Manifest.toml (julia)

Total: 2 (UNKNOWN: 1, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ HTTP        │ CVE-2025-61689 │ UNKNOWN  │ fixed  │ 1.10.17           │ 1.10.19       │ Header injection/Response splitting via header construction. │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-61689                   │
├─────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ MbedTLS_jll │ CVE-2025-27810 │ MEDIUM   │        │ 2.28.6+0          │ 2.28.10+0     │ Mbed TLS before 2.28.10 and 3.x before 3.6.3, in some cases  │
│             │                │          │        │                   │               │ of...                                                        │
│             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-27810                   │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

@mbauman mbauman changed the title from "feat(julia): enable vulnerability scanning" to "feat(julia): enable vulnerability scanning for the Julia language ecosystem" Nov 13, 2025
@DmitriyLewen DmitriyLewen removed the "apidiff" label (Indicates Go API changes relevant to library consumers; CLI compatibility may be unaffected) Nov 17, 2025
@DmitriyLewen DmitriyLewen removed the request for review from a team November 17, 2025 07:31
@aquasecurity aquasecurity deleted a comment from github-actions bot Nov 17, 2025
@github-actions github-actions bot added the "apidiff" label (Indicates Go API changes relevant to library consumers; CLI compatibility may be unaffected) Nov 19, 2025
@aqua-bot aqua-bot requested a review from a team November 19, 2025 16:17
@aquasecurity aquasecurity deleted a comment from github-actions bot Nov 25, 2025
@DmitriyLewen DmitriyLewen removed the request for review from a team November 25, 2025 09:48
Contributor

@DmitriyLewen DmitriyLewen left a comment

@mbauman Thanks for your contribution!

LGTM

@knqyf263 can you take a look?

@stemann

stemann commented Dec 1, 2025

@mbauman Thanks for this - excellent with Julia vuln. support in Trivy!

I gave a build of this PR a spin with just a Manifest.toml and was surprised that the Project.toml is also required?

@mbauman
Contributor Author

mbauman commented Dec 1, 2025

Yeah, Julia itself doesn't really do anything with just a bare Manifest. In fact, when you load such an environment, Julia reports an "empty Project" and you are unable to import any of the packages in the Manifest. You can take an extra step to instantiate such an environment, and it'll work backwards to create the corresponding Project.toml file with all the manifest dependencies recorded as top-level requirements. Only at that point will you be able to import any of the packages.

The moment you have Julia do any work with packages, you'll always have the pair of both files.

log.Warn("Julia is supported for SBOM, not for vulnerability scanning")
return Driver{}, false
eco = ecosystem.Julia
comparer = compare.GenericComparer{}
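Review bot: the line `comparer = compare.GenericComparer{}` deserves a short code comment explaining why Julia is wired to the generic comparer, because the review thread below immediately asks whether Julia versioning follows semver; the answer given (version numbers are semver syntax, and the compat entries in the pkgdocs link are a separate range syntax resolved by Pkg, not by the scanner) belongs next to this line so the next reviewer does not repeat the question, and if the `compare` package offers a semver-specific comparer, the comment should say why it was not chosen. It would also be worth a test case that the chosen comparer orders versions carrying build metadata as they appear in Manifest.toml (the report above compares 2.28.6+0 against 2.28.10+0), since that is exactly the shape a naive string comparison gets wrong.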
Collaborator

@knqyf263 knqyf263 Dec 3, 2025

Similar to other package managers, the Julia package manager respects semantic versioning (semver)

https://pkgdocs.julialang.org/v1/compatibility/

Does the Julia package versioning not follow semver? In the examples, versions such as 1.6 or 0.5 are specified, which are not allowed under semver.

Contributor Author

@mbauman mbauman Dec 3, 2025

Those are compat specifiers. The version numbers themselves are definitively semver syntax, and the package manager applies semver's semantics to its upgrade/resolution behaviors. The compat specifiers are a more complicated version range syntax that allows folks to concisely describe ranges of real semver versions.
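The distinction drawn in this exchange, as an added example that is not part of this PR or of Trivy's own code: Manifest.toml records concrete semver versions (the report above compares 1.10.17 with 1.10.19 and 2.28.6+0 with 2.28.10+0), while a `[compat]` entry such as "1.6" or "0.5" is a range over such versions. The caret expansion rules are taken from the pkgdocs compatibility page linked in the thread; everything else (type and function names, the "+build" handling, the "fixed" check) is this example's own design and assumed, not Trivy's `compare.GenericComparer`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// JuliaVersion is a semver-style version as recorded in Manifest.toml,
// e.g. "1.10.17" or "2.28.6+0". Build metadata after '+' is kept for
// display only; semver says it must not influence ordering.
type JuliaVersion struct {
	Major, Minor, Patch int
	Build               string
}

// ParseJuliaVersion parses "1", "1.2" or "1.2.3" with optional "+build"
// metadata. Omitted components count as zero; the number of components
// actually written is returned too, because CaretRange depends on it.
func ParseJuliaVersion(s string) (JuliaVersion, int, error) {
	core, build := s, ""
	if i := strings.IndexByte(s, '+'); i >= 0 {
		core, build = s[:i], s[i+1:]
	}
	parts := strings.Split(core, ".")
	if len(parts) > 3 {
		return JuliaVersion{}, 0, fmt.Errorf("too many components in %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return JuliaVersion{}, 0, fmt.Errorf("bad component %q in %q", p, s)
		}
		nums[i] = n
	}
	return JuliaVersion{nums[0], nums[1], nums[2], build}, len(parts), nil
}

// Compare orders versions numerically (-1, 0, 1): 2.28.6 sorts before
// 2.28.10, which a plain string comparison would get backwards.
func (v JuliaVersion) Compare(o JuliaVersion) int {
	a, b := [3]int{v.Major, v.Minor, v.Patch}, [3]int{o.Major, o.Minor, o.Patch}
	for i := range a {
		if a[i] < b[i] {
			return -1
		} else if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// IsFixed reports whether the installed version already carries the fix
// (installed >= fixed); anything below the fixed version is still affected.
func IsFixed(installed, fixed string) (bool, error) {
	iv, _, err := ParseJuliaVersion(installed)
	if err != nil {
		return false, err
	}
	fv, _, err := ParseJuliaVersion(fixed)
	if err != nil {
		return false, err
	}
	return iv.Compare(fv) >= 0, nil
}

// CompatRange is the half-open interval [Lower, Upper) a compat entry allows.
type CompatRange struct{ Lower, Upper JuliaVersion }

// Contains reports whether v satisfies the range.
func (r CompatRange) Contains(v JuliaVersion) bool {
	return v.Compare(r.Lower) >= 0 && v.Compare(r.Upper) < 0
}

// CaretRange expands Julia's default (caret) compat specifier, per pkgdocs:
// the upper bound bumps the leftmost non-zero written component and zeroes
// the rest ("1.6" -> [1.6.0, 2.0.0), "0.5" -> [0.5.0, 0.6.0)); if every
// written component is zero, the last written one is bumped ("0" -> [0.0.0, 1.0.0)).
func CaretRange(spec string) (CompatRange, error) {
	lower, n, err := ParseJuliaVersion(strings.TrimPrefix(spec, "^"))
	if err != nil {
		return CompatRange{}, err
	}
	lo := [3]int{lower.Major, lower.Minor, lower.Patch}
	bump := n - 1
	for i := 0; i < n; i++ {
		if lo[i] != 0 {
			bump = i
			break
		}
	}
	var up [3]int
	copy(up[:bump], lo[:bump])
	up[bump] = lo[bump] + 1
	return CompatRange{lower, JuliaVersion{Major: up[0], Minor: up[1], Patch: up[2]}}, nil
}
```

With the two findings from the report, `IsFixed("1.10.17", "1.10.19")` and `IsFixed("2.28.6+0", "2.28.10+0")` both return false, i.e. the installed versions are still affected; the second case is the one where comparing version strings lexically would wrongly report the package as fixed, because "6" sorts after "10" as text. `CaretRange("1.6")` yields [1.6.0, 2.0.0), which does contain 1.10.17, illustrating why a compat entry like "1.6" is a range and not a version a scanner should compare against.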

@stemann

stemann commented Dec 3, 2025

> Yeah, Julia itself doesn't really do anything with just a bare Manifest. In fact, when you load such an environment, Julia reports an "empty Project" and you are unable to import any of the packages in the Manifest. You can take an extra step to instantiate such an environment, and it'll work backwards to create the corresponding Project.toml file with all the manifest dependencies recorded as top-level requirements. Only at that point will you be able to import any of the packages.
>
> The moment you have Julia do any work with packages, you'll always have the pair of both files.

Yeah, I know. Just hit this when I lazily provided only the Manifest.toml for a corresponding custom sysimage.

And wondered whether the Project.toml was required for trivy to operate. Not sure if, e.g., the cargo or conan implementations require more than the lock file?

Edit: But this might also be unrelated to this PR.

Collaborator

@knqyf263 knqyf263 left a comment

LGTM!

@DmitriyLewen DmitriyLewen marked this pull request as ready for review December 5, 2025 09:50
@DmitriyLewen DmitriyLewen added this pull request to the merge queue Dec 5, 2025
Merged via the queue into aquasecurity:main with commit c2f82ad Dec 5, 2025
19 checks passed
@DmitriyLewen
Contributor

Thanks @mbauman for your perfect work!

@mbauman
Contributor Author

mbauman commented Dec 5, 2025

Thank you for getting it in! It's exciting to get this support here.
