feat(julia): Add Julia language analyzer support
Octogonapus committed Nov 22, 2023
1 parent ad977a4 commit 1024114
Showing 26 changed files with 816 additions and 3 deletions.
1 change: 1 addition & 0 deletions .github/workflows/semantic-pr.yaml
Expand Up @@ -75,6 +75,7 @@ jobs:
dart
swift
bitnami
julia
os
lang
1 change: 1 addition & 0 deletions docs/community/contribute/pr.md
Expand Up @@ -142,6 +142,7 @@ language:
- go
- elixir
- dart
- julia

vuln:

1 change: 1 addition & 0 deletions docs/docs/coverage/language/index.md
Expand Up @@ -46,6 +46,7 @@ On the other hand, when the target is a post-build artifact, like a container im
| [Dart](dart.md) | pubspec.lock | - | - |||
| [Swift](swift.md) | Podfile.lock | - | - |||
| | Package.resolved | - | - |||
| [Julia](julia.md) | Manifest.toml |||||

The path of these files does not matter.

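Review bot: the link target of this new row, julia.md (added in the same commit), is titled `# Rust`, a copy-paste slip that should be fixed there so the link lands on a page that matches the row. The row lists only Manifest.toml, which mirrors how Rust lists Cargo.lock without Cargo.toml, but because dev-dependency exclusion and the dependency tree both depend on a sibling Project.toml being present, a short footnote on this row would save readers a trip to the language page.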
22 changes: 22 additions & 0 deletions docs/docs/coverage/language/julia.md
@@ -0,0 +1,22 @@
# Rust

## Features

Trivy supports [Pkg.jl](https://pkgdocs.julialang.org/v1/), which is the Julia package manager.
The following table provides an outline of the features Trivy offers.

| Package manager | File | Transitive dependencies | Dev dependencies | License | Dependency graph | Position |
| --------------- | ------------- | :---------------------: | :--------------- | :-----: | :--------------: | :------: |
| Pkg.jl | Manifest.toml || Excluded[^1] | - |||

### Pkg.jl

Trivy searches for `Manifest.toml` to detect dependencies.

Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
Since this information is not included in `Manifest.toml`, Trivy parses `Project.toml`, which should be located next to `Project.toml`.
If you want to see the dependency tree, please ensure that `Project.toml` is present.

Scanning `Manifest.toml` and `Project.toml` together also removes developer dependencies.

Dependency extensions are currently ignored.
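Review bot: the first line of this new file reads `# Rust`, but the file is docs/docs/coverage/language/julia.md and describes Pkg.jl, so the heading should be `# Julia`. Three more points in the same file: the sentence "Trivy parses `Project.toml`, which should be located next to `Project.toml`" should say next to `Manifest.toml`; the Pkg.jl row marks dev dependencies as `Excluded[^1]` but no `[^1]:` definition follows anywhere in the file, so the reference will render dangling (the note presumably belongs with the sentence about scanning both files together); and "Dependency extensions" is not Pkg.jl's term, so if this refers to the `[weakdeps]`/`[extensions]` sections of Project.toml, "package extensions" would be clearer to Julia users.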
96 changes: 96 additions & 0 deletions docs/docs/scanner/vulnerability/language/index.md
@@ -0,0 +1,96 @@
# Language-specific Packages

`Trivy` automatically detects the following files and scans vulnerabilities in the application dependencies.

## Supported languages

| Language | File | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] | Dev dependencies | Dependency location[^11] |
| -------------------- | ------------------------------------------------------------------------------------------ | :-------: | :--------: | :------------: | :-------------: | ---------------- | :----------------------: |
| Ruby | Gemfile.lock | - | - ||| included | - |
| | gemspec ||| - | - | included | - |
| [Python](python.md) | Pipfile.lock | - | - ||| excluded ||
| | poetry.lock | - | - ||| excluded | - |
| | requirements.txt | - | - ||| included | - |
| | egg package[^1] ||| - | - | excluded | - |
| | wheel package[^2] ||| - | - | excluded | - |
| [PHP](php.md) | composer.lock ||||| excluded ||
| [Node.js](nodejs.md) | package-lock.json | - | - ||| excluded ||
| | yarn.lock | - | - ||| included ||
| | pnpm-lock.yaml | - | - ||| excluded | - |
| | package.json ||| - | - | excluded | - |
| .NET | packages.lock.json ||||| included ||
| | packages.config ||||| excluded | - |
| | .deps.json ||||| excluded ||
| [Java](java.md) | JAR/WAR/PAR/EAR[^3] ||| - | - | included | - |
| | pom.xml[^4] | - | - ||| excluded | - |
| | *gradle.lockfile | - | - ||| excluded | - |
| [Go](golang.md) | Binaries built by Go[^5] ||| - | - | excluded | - |
| | go.mod[^6] | - | - ||| included | - |
| [Rust](rust.md) | Cargo.lock ||||| excluded[^13] ||
| | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) ||| - | - | excluded[^13] | - |
| C/C++ | conan.lock[^12] | - | - ||| excluded[^13] | - |
| Elixir | mix.lock[^12] | - | - ||| excluded ||
| Dart | pubspec.lock ||| - | - | included | - |
| Julia | Manifest.toml ||||| excluded[^14] ||

The path of these files does not matter.

Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Dockerfile)

[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
[^2]: `.dist-info/META-DATA`
[^3]: `*.jar`, `*.war`, `*.par` and `*.ear`
[^4]: It requires Internet access when the POM doesn't exist in your local repository
[^5]: UPX-compressed binaries don't work
[^6]: If smaller than go 1.17, go.sum is also required
[^7]: ✅ means "enabled" and `-` means "disabled" in the image scanning
[^8]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
[^9]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
[^10]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
[^11]: ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in [json](../../../configuration/reporting.md#json) and [sarif](../../../configuration/reporting.md#sarif) formats. SARIF uses `startline == 1 and endline == 1` for unsupported file types
[^12]: To scan a filename other than the default filename use [file-patterns](../../../configuration/others.md#file-patterns)
[^13]: When you scan `Cargo.lock` and `Cargo.toml` together. See about it [here](./rust.md#cargo).
[^14]: When you scan `Project.toml` and `Manifest.toml` together. See about it [here](./julia.md#pkgjl).

## Data Sources

| Language | Source | Commercial Use | Delay[^1] |
| -------- | --------------------------------------------------- | :------------: | :-------: |
| PHP | [PHP Security Advisories Database][php] || - |
| | [GitHub Advisory Database (Composer)][php-ghsa] || - |
| Python | [GitHub Advisory Database (pip)][python-ghsa] || - |
| | [Open Source Vulnerabilities (PyPI)][python-osv] || - |
| Ruby | [Ruby Advisory Database][ruby] || - |
| | [GitHub Advisory Database (RubyGems)][ruby-ghsa] || - |
| Node.js | [Ecosystem Security Working Group][nodejs] || - |
| | [GitHub Advisory Database (npm)][nodejs-ghsa] || - |
| Java | [GitLab Advisories Community][gitlab] || 1 month |
| | [GitHub Advisory Database (Maven)][java-ghsa] || - |
| Go | [GitHub Advisory Database (Go)][go-ghsa] || - |
| | [The Go Vulnerability Database][go] || - |
| Rust | [Open Source Vulnerabilities (crates.io)][rust-osv] || - |
| .NET | [GitHub Advisory Database (NuGet)][dotnet-ghsa] || - |
| C/C++ | [GitLab Advisories Community][gitlab] || 1 month |
| Dart | [GitHub Advisory Database (Pub)][pub-ghsa] || - |
| Elixir | [GitHub Advisory Database (Erlang)][erlang-ghsa] || |

[^1]: Intentional delay between vulnerability disclosure and registration in the DB

[php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
[python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip
[ruby-ghsa]: https://github.com/advisories?query=ecosystem%3Arubygems
[nodejs-ghsa]: https://github.com/advisories?query=ecosystem%3Anpm
[java-ghsa]: https://github.com/advisories?query=ecosystem%3Amaven
[dotnet-ghsa]: https://github.com/advisories?query=ecosystem%3Anuget
[pub-ghsa]: https://github.com/advisories?query=ecosystem%3Apub
[erlang-ghsa]: https://github.com/advisories?query=ecosystem%3Aerlang
[go-ghsa]: https://github.com/advisories?query=ecosystem%3Ago

[php]: https://github.com/FriendsOfPHP/security-advisories
[ruby]: https://github.com/rubysec/ruby-advisory-db
[nodejs]: https://github.com/nodejs/security-wg
[gitlab]: https://gitlab.com/gitlab-org/advisories-community
[go]: https://github.com/golang/vulndb

[python-osv]: https://osv.dev/list?q=&ecosystem=PyPI
[rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
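Review bot: the footnote label `[^1]` is defined twice in this file (`*.egg-info` ... under the first table and "Intentional delay between vulnerability disclosure and registration" under Data Sources), so Markdown footnote renderers will bind one definition to both tables; give the Data Sources note its own label. Also, the Julia row places Manifest.toml in the vulnerability-scanning table with all four scan targets enabled, yet the driver.go hunk in this same commit returns `Driver{}, false` for `ftypes.Julia` with the message "Julia is supported for SBOM, not for vulnerability scanning", and no Julia entry appears under Data Sources; the row should say so (a footnote in the style of `[^14]`) or be left out until a data source exists. Minor: the Elixir row's Delay cell is empty where every other row uses `-`.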
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -14,7 +14,7 @@ require (
github.com/alicebob/miniredis/v2 v2.30.4
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898
github.com/aquasecurity/go-dep-parser v0.0.0-20231120074854-8322cc2242bf
github.com/aquasecurity/go-dep-parser v0.0.0-20231122010617-fc7f2b470d89
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -322,8 +322,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898 h1:gu7XQvv2CswgzOdOFHg/AmtR4vBonG35XvGxHHvcIr4=
github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0=
github.com/aquasecurity/go-dep-parser v0.0.0-20231120074854-8322cc2242bf h1:kweQrNMfarPfjZGI1537GtuujhpzhsuT/MvmW2FwaBE=
github.com/aquasecurity/go-dep-parser v0.0.0-20231120074854-8322cc2242bf/go.mod h1:7+xrs6AWD5+onpmX8f7qIkAhUgkPP0mhUdBjxJBcfas=
github.com/aquasecurity/go-dep-parser v0.0.0-20231122010617-fc7f2b470d89 h1:IssyGUDzAYvTcv28EJMmqYWhQh5sW9HiJwDphEFNSWM=
github.com/aquasecurity/go-dep-parser v0.0.0-20231122010617-fc7f2b470d89/go.mod h1:7+xrs6AWD5+onpmX8f7qIkAhUgkPP0mhUdBjxJBcfas=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
github.com/aquasecurity/go-mock-aws v0.0.0-20230810212901-d6feebd39060 h1:V7nC90NpRDEubNpNEgRDtTfLH3RKQlZeY9/HSqxEze8=
3 changes: 3 additions & 0 deletions pkg/detector/library/driver.go
Expand Up @@ -79,6 +79,9 @@ func NewDriver(libType ftypes.LangType) (Driver, bool) {
case ftypes.K8sUpstream:
ecosystem = vulnerability.Kubernetes
comparer = compare.GenericComparer{}
case ftypes.Julia:
log.Logger.Warn("Julia is supported for SBOM, not for vulnerability scanning")
return Driver{}, false
default:
log.Logger.Warnf("The %q library type is not supported for vulnerability scanning", libType)
return Driver{}, false
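Review bot: `log.Logger.Warn` here fires for every Julia project on every vulnerability scan, which is noisy for a known limitation rather than a misconfiguration; `Info` or `Debug` is probably the better level, or the message could say what the user does get (an SBOM/dependency listing) so it reads as expected behaviour rather than an error. Since the `default` branch two lines below already returns `Driver{}, false` with a generic "not supported for vulnerability scanning" warning, the dedicated `ftypes.Julia` case exists only for its wording, so make sure that wording earns the extra branch.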
1 change: 1 addition & 0 deletions pkg/fanal/analyzer/all/import.go
Expand Up @@ -18,6 +18,7 @@ import (
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/gradle"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/pom"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/pkg"
_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/pnpm"
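Review bot: the blank import registers the analyzer from pkg/fanal/analyzer/language/julia/pkg, but that package is not among the files rendered on this page (only part of the 26 changed files is shown), so whether it registers itself in `init` and has tests for Manifest.toml both with and without a sibling Project.toml cannot be checked from this view; worth confirming against the full file list.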
4 changes: 4 additions & 0 deletions pkg/fanal/analyzer/const.go
Expand Up @@ -90,6 +90,9 @@ const (
// Dart
TypePubSpecLock Type = "pubspec-lock"

// Julia
TypeJulia Type = "julia"

// ============
// Non-packaged
// ============
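Review bot: the new constant `TypeJulia Type = "julia"` is named after the language, while its visible neighbour in this block names the lock file (`TypePubSpecLock Type = "pubspec-lock"`, and `TypeMixLock` in the list further down); if the analyzer keys specifically on Manifest.toml, a name that says so would match that pattern, and if "julia" is deliberate because the analyzer covers both Manifest.toml and Project.toml, a one-line comment saying so would stop the next reader from asking.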
Expand Down Expand Up @@ -184,6 +187,7 @@ var (
TypeSwift,
TypePubSpecLock,
TypeMixLock,
TypeJulia,
}

// TypeLockfiles has all lock file analyzers
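Review bot: `TypeJulia` is appended to this list, but the comment on the next line introduces `TypeLockfiles`, which this hunk does not touch; since the analyzer parses Manifest.toml, Pkg.jl's lock file, and its neighbours here (`TypePubSpecLock`, `TypeMixLock`) are lock-file analyzers, check whether it belongs in `TypeLockfiles` as well, or state why its omission is intended (for example because the Project.toml pairing makes it more than a pure lock-file analyzer).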