feat(julia): Support vulnerability scanning

[Octogonapus]

Description

This is a feature request to support vulnerability scanning for Julia packages. Julia CVEs are published as GitHub Security Advisories. For example: GHSA-3mj7-qxh9-6q4p

Currently, Julia does not have its own CNA, so GHSA does not review these advisories. I hope that is not a deal-breaker.

I am happy to help work on this feature if that is welcomed.

cc @aviks

Target

Filesystem

Scanner

Vulnerability

[knqyf263]

Thanks for your suggestion. How do you collect those advisories?

[Octogonapus]

The Julia community could maintain a database similar to the Ruby Advisory Database. Trivy could scan this database to identify relevant advisories.

If you have an existing format that you feel works well, please let me know. This is a new effort within the Julia community so there is plenty of space to change things around.
In the longer term, we hope GitHub will support Julia as a reviewed ecosystem github/advisory-database#1689

[knqyf263]

Since OSV has recently been used in many ecosystems, including GitHub, it’s generally easier for us to consume advisories in this format. However, Trivy can handle other formats as well, so there’s no problem if you have a reason to use your own custom format.

[Octogonapus]

Great, thanks. I will bring this back to the Julia team.

[mbauman]

The Julia community could maintain a database similar to the Ruby Advisory Database. Trivy could scan this database to identify relevant advisories.

Big update here — we're now doing this! We've launched Julia's official SecurityAdvisories.jl, and we are beginning to populate it with JLSEC advisories. It is publishing valid (well, v1.7.4-prerelease) OSV schema JSONs to the generated/osv branch.

[DmitriyLewen]

That’s very good news!
Recently, we’ve improved our package for processing osv advisories in trivy-db.
So the integration should be as smooth as possible.

[knqyf263]

I hope this guide will help.
#9667

[mbauman]

That's great. We're trying to incorporate into osv.dev, which I think should make this even simpler, no? Once that occurs, we'd just need a line like this (and probably an ecosystem definition), yeah?

https://github.com/aquasecurity/vuln-list-update/blob/3dee684dd519e019265950a0c7d0f992e649cd96/osvdev/osvdev.go#L36-L39

[DmitriyLewen]

yeah, that would be simpler, but it’s not required.
For example, we use a separate package for seal - https://github.com/aquasecurity/vuln-list-update/blob/232a23e2bd7330a53001a0a27ab081aefe268039/seal/seal.go

[knqyf263]

Yes, as you said, it’s easier for us because all we have to do is add the ecosystem.