feat(julia): enable vulnerability scanning for the Julia language ecosystem (#9800)

mbauman · DmitriyLewen · web-flow · commit c2f82add3a59 · 2025-12-05T10:15:16.000Z
Co-authored-by: DmitriyLewen &lt;dmitriy.lewen@smartforce.io&gt;
diff --git a/docs/guide/coverage/language/julia.md b/docs/guide/coverage/language/julia.md
@@ -7,7 +7,7 @@ The following scanners are supported.
 
 | Package manager | SBOM | Vulnerability | License |
 |-----------------|:----:|:-------------:|:-------:|
-| Pkg.jl          |  ✓   |       -       |    -    |
+| Pkg.jl          |  ✓   |       ✓       |    -    |
 
 The following table provides an outline of the features Trivy offers.
 
diff --git a/docs/guide/references/configuration/cli/trivy_filesystem.md b/docs/guide/references/configuration/cli/trivy_filesystem.md
@@ -171,6 +171,7 @@ trivy filesystem [flags] PATH
                                             - chainguard
                                             - bitnami
                                             - govulndb
+                                            - julia
                                             - echo
                                             - minimos
                                             - rootio
diff --git a/docs/guide/references/configuration/cli/trivy_image.md b/docs/guide/references/configuration/cli/trivy_image.md
@@ -192,6 +192,7 @@ trivy image [flags] IMAGE_NAME
                                             - chainguard
                                             - bitnami
                                             - govulndb
+                                            - julia
                                             - echo
                                             - minimos
                                             - rootio
diff --git a/docs/guide/references/configuration/cli/trivy_kubernetes.md b/docs/guide/references/configuration/cli/trivy_kubernetes.md
@@ -180,6 +180,7 @@ trivy kubernetes [flags] [CONTEXT]
                                             - chainguard
                                             - bitnami
                                             - govulndb
+                                            - julia
                                             - echo
                                             - minimos
                                             - rootio
diff --git a/docs/guide/references/configuration/cli/trivy_repository.md b/docs/guide/references/configuration/cli/trivy_repository.md
@@ -170,6 +170,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
                                             - chainguard
                                             - bitnami
                                             - govulndb
+                                            - julia
                                             - echo
                                             - minimos
                                             - rootio
diff --git a/docs/guide/references/configuration/cli/trivy_rootfs.md b/docs/guide/references/configuration/cli/trivy_rootfs.md
@@ -172,6 +172,7 @@ trivy rootfs [flags] ROOTDIR
                                             - chainguard
                                             - bitnami
                                             - govulndb
+                                            - julia
                                             - echo
                                             - minimos
                                             - rootio
diff --git a/docs/guide/references/configuration/cli/trivy_sbom.md b/docs/guide/references/configuration/cli/trivy_sbom.md
@@ -137,6 +137,7 @@ trivy sbom [flags] SBOM_PATH
                                          - chainguard
                                          - bitnami
                                          - govulndb
+                                         - julia
                                          - echo
                                          - minimos
                                          - rootio
diff --git a/docs/guide/references/configuration/cli/trivy_vm.md b/docs/guide/references/configuration/cli/trivy_vm.md
@@ -156,6 +156,7 @@ trivy vm [flags] VM_IMAGE
                                             - chainguard
                                             - bitnami
                                             - govulndb
+                                            - julia
                                             - echo
                                             - minimos
                                             - rootio
diff --git a/docs/guide/scanner/vulnerability.md b/docs/guide/scanner/vulnerability.md
@@ -137,6 +137,7 @@ See [here](../coverage/language/index.md#supported-languages) for the supported
 | Dart     | [GitHub Advisory Database (Pub)][pub-ghsa]          |       ✅        |     -     |
 | Elixir   | [GitHub Advisory Database (Erlang)][erlang-ghsa]    |       ✅        |     -     |
 | Swift    | [GitHub Advisory Database (Swift)][swift-ghsa]      |       ✅        |     -     |
+| Julia    | [Open Source Vulnerabilities (Julia)][julia-osv]    |       ✅        |     -     |
 
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 
@@ -426,13 +427,14 @@ Example logic for the following vendor severity levels when scanning an Alpine i
 
 [python-osv]: https://osv.dev/list?q=&ecosystem=PyPI
 [rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
+[julia-osv]: https://osv.dev/list?q=&ecosystem=Julia
 
 [nvd]: https://nvd.nist.gov/vuln
 
 [k8s-cve]: https://kubernetes.io/docs/reference/issues-security/official-cve-feed/
 
 [CVE-2023-32681]: https://nvd.nist.gov/vuln/detail/CVE-2023-32681
-[RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520 
+[RHSA-2023:4520]: https://access.redhat.com/errata/RHSA-2023:4520
 [ghsa]: https://github.com/advisories
 [requests]: https://pypi.org/project/requests/
 [precision-recall]: https://developers.google.com/machine-learning/crash-course/classification/precision-and-recall
diff --git a/go.mod b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/aquasecurity/testdocker v0.0.0-20250616060700-ba6845ac6d17
 	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169
-	github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a
+	github.com/aquasecurity/trivy-db v0.0.0-20251205093947-925515d35727
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 	github.com/aquasecurity/trivy-kubernetes v0.9.1
 	github.com/aws/aws-sdk-go-v2 v1.40.0
@@ -475,7 +475,6 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
 	google.golang.org/grpc v1.76.0 // indirect
-	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
diff --git a/go.sum b/go.sum
@@ -222,8 +222,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
 github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169 h1:TckzIxUX7lZaU9f2lNxCN0noYYP8fzmSQf6a4JdV83w=
 github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169/go.mod h1:nT69xgRcBD4NlHwTBpWMYirpK5/Zpl8M+XDOgmjMn2k=
-github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a h1:Wmvjq3zQGsZ8Wlqh75zvujh7LZNTXU4YoEf8tyL1LoM=
-github.com/aquasecurity/trivy-db v0.0.0-20250929072116-eba1ced2340a/go.mod h1:upAJqDQkN5FdIJbtJMpokncGNhYAPGkpoCbaGciWPt4=
+github.com/aquasecurity/trivy-db v0.0.0-20251205093947-925515d35727 h1:LawBOgOh1qrwcVTPPfZPwZkuRBIfl4IyCitnmdAjwe8=
+github.com/aquasecurity/trivy-db v0.0.0-20251205093947-925515d35727/go.mod h1:KL/C38wFKTREFgKSShT3DEmjNYSNXoYQ96wtQXRbnM8=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.9.1 h1:bSErQcavKXDh7XMwbGX7Vy//jR5+xhe/bOgfn9G+9lQ=
@@ -1520,8 +1520,6 @@ gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk=
-gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
 gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -99,13 +99,13 @@ nav:
               - Elixir: guide/coverage/language/elixir.md
               - Go: guide/coverage/language/golang.md
               - Java: guide/coverage/language/java.md
+              - Julia: guide/coverage/language/julia.md
               - Node.js: guide/coverage/language/nodejs.md
               - PHP: guide/coverage/language/php.md
               - Python: guide/coverage/language/python.md
               - Ruby: guide/coverage/language/ruby.md
               - Rust: guide/coverage/language/rust.md
               - Swift: guide/coverage/language/swift.md
-              - Julia: guide/coverage/language/julia.md
           - IaC:
               - Overview: guide/coverage/iac/index.md
               - Ansible: guide/coverage/iac/ansible.md
diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go
@@ -83,8 +83,8 @@ func NewDriver(libType ftypes.LangType) (Driver, bool) {
 		eco = ecosystem.Kubernetes
 		comparer = compare.GenericComparer{}
 	case ftypes.Julia:
-		log.Warn("Julia is supported for SBOM, not for vulnerability scanning")
-		return Driver{}, false
+		eco = ecosystem.Julia
+		comparer = compare.GenericComparer{}
 	default:
 		log.Warn("The library type is not supported for vulnerability scanning",
 			log.String("type", string(libType)))
@@ -129,6 +129,7 @@ func (d *Driver) DetectVulnerabilities(pkgID, pkgName, pkgVer string) ([]types.D
 
 		vuln := types.DetectedVulnerability{
 			VulnerabilityID:  adv.VulnerabilityID,
+			VendorIDs:        adv.VendorIDs, // Any vendors have specific IDs, e.g. GHSA, JLSEC
 			PkgID:            pkgID,
 			PkgName:          pkgName,
 			InstalledVersion: pkgVer,
diff --git a/pkg/detector/library/driver_test.go b/pkg/detector/library/driver_test.go
@@ -66,7 +66,10 @@ func TestDriver_Detect(t *testing.T) {
 			},
 			want: []types.DetectedVulnerability{
 				{
-					VulnerabilityID:  "CVE-2022-21235",
+					VulnerabilityID: "CVE-2022-21235",
+					VendorIDs: []string{
+						"GHSA-6635-c626-vj4r",
+					},
 					PkgName:          "github.com/Masterminds/vcs",
 					InstalledVersion: "v1.13.1",
 					FixedVersion:     "v1.13.2",
@@ -78,6 +81,34 @@ func TestDriver_Detect(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "julia package",
+			fixtures: []string{
+				"testdata/fixtures/julia.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			libType: ftypes.Julia,
+			args: args{
+				pkgName: "HTTP",
+				pkgVer:  "1.10.16",
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2025-52479",
+					PkgName:          "HTTP",
+					InstalledVersion: "1.10.16",
+					FixedVersion:     "1.10.17",
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.Julia,
+						Name: "Julia Ecosystem Security Advisories",
+						URL:  "https://github.com/JuliaLang/SecurityAdvisories.jl",
+					},
+					VendorIDs: []string{
+						"JLSEC-2025-1",
+					},
+				},
+			},
+		},
 		{
 			name:     "non-prefixed buckets",
 			fixtures: []string{"testdata/fixtures/php-without-prefix.yaml"},
diff --git a/pkg/detector/library/testdata/fixtures/data-source.yaml b/pkg/detector/library/testdata/fixtures/data-source.yaml
@@ -30,3 +30,8 @@
         ID: "ghsa"
         Name: "GitHub Security Advisory Go"
         URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
+    - key: "julia::Julia Ecosystem Security Advisories"
+      value:
+        ID: "julia"
+        Name: "Julia Ecosystem Security Advisories"
+        URL: "https://github.com/JuliaLang/SecurityAdvisories.jl"
diff --git a/pkg/detector/library/testdata/fixtures/go.yaml b/pkg/detector/library/testdata/fixtures/go.yaml
@@ -8,3 +8,5 @@
               - v1.13.2
             VulnerableVersions:
               - "<v1.13.2"
+            VendorIDs:
+              - "GHSA-6635-c626-vj4r"
diff --git a/pkg/detector/library/testdata/fixtures/julia.yaml b/pkg/detector/library/testdata/fixtures/julia.yaml
@@ -0,0 +1,12 @@
+- bucket: "julia::Julia Ecosystem Security Advisories"
+  pairs:
+    - bucket: HTTP
+      pairs:
+        - key: CVE-2025-52479
+          value:
+            PatchedVersions:
+              - 1.10.17
+            VulnerableVersions:
+              - "<1.10.17"
+            VendorIDs:
+              - "JLSEC-2025-1"
