feat(julia): Add Julia language analyzer support

aquasecurity · Nov 22, 2023 · 1024114 · 1024114
1 parent ad977a4
commit 1024114
Show file tree

Hide file tree

Showing 26 changed files with 816 additions and 3 deletions.
diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml
@@ -75,6 +75,7 @@ jobs:
             dart
             swift
             bitnami
+            julia
 
             os
             lang

diff --git a/docs/community/contribute/pr.md b/docs/community/contribute/pr.md
@@ -142,6 +142,7 @@ language:
 - go
 - elixir
 - dart
+- julia
 
 vuln:
 

diff --git a/docs/docs/coverage/language/index.md b/docs/docs/coverage/language/index.md
@@ -46,6 +46,7 @@ On the other hand, when the target is a post-build artifact, like a container im
 | [Dart](dart.md)      | pubspec.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 | [Swift](swift.md)    | Podfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 |                      | Package.resolved                                                                           |     -     |     -      |       ✅        |       ✅        |
+| [Julia](julia.md)    | Manifest.toml                                                                              |     ✅     |     ✅      |       ✅        |       ✅        |
 
 The path of these files does not matter.
 

diff --git a/docs/docs/coverage/language/julia.md b/docs/docs/coverage/language/julia.md
@@ -0,0 +1,22 @@
+# Rust
+
+## Features
+
+Trivy supports [Pkg.jl](https://pkgdocs.julialang.org/v1/), which is the Julia package manager.
+The following table provides an outline of the features Trivy offers.
+
+| Package manager | File          | Transitive dependencies | Dev dependencies | License | Dependency graph | Position |
+| --------------- | ------------- | :---------------------: | :--------------- | :-----: | :--------------: | :------: |
+| Pkg.jl          | Manifest.toml |            ✅            | Excluded[^1]     |    -    |        ✅         |    ✅     |
+
+### Pkg.jl
+
+Trivy searches for `Manifest.toml` to detect dependencies.
+
+Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
+Since this information is not included in `Manifest.toml`, Trivy parses `Project.toml`, which should be located next to `Project.toml`.
+If you want to see the dependency tree, please ensure that `Project.toml` is present.
+
+Scanning `Manifest.toml` and `Project.toml` together also removes developer dependencies.
+
+Dependency extensions are currently ignored.
diff --git a/docs/docs/scanner/vulnerability/language/index.md b/docs/docs/scanner/vulnerability/language/index.md
@@ -0,0 +1,96 @@
+# Language-specific Packages
+
+`Trivy` automatically detects the following files and scans vulnerabilities in the application dependencies.
+
+## Supported languages
+
+| Language             | File                                                                                       | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] | Dev dependencies | Dependency location[^11] |
+| -------------------- | ------------------------------------------------------------------------------------------ | :-------: | :--------: | :------------: | :-------------: | ---------------- | :----------------------: |
+| Ruby                 | Gemfile.lock                                                                               |     -     |     -      |       ✅        |        ✅        | included         |            -             |
+|                      | gemspec                                                                                    |     ✅     |     ✅      |       -        |        -        | included         |            -             |
+| [Python](python.md)  | Pipfile.lock                                                                               |     -     |     -      |       ✅        |        ✅        | excluded         |            ✅             |
+|                      | poetry.lock                                                                                |     -     |     -      |       ✅        |        ✅        | excluded         |            -             |
+|                      | requirements.txt                                                                           |     -     |     -      |       ✅        |        ✅        | included         |            -             |
+|                      | egg package[^1]                                                                            |     ✅     |     ✅      |       -        |        -        | excluded         |            -             |
+|                      | wheel package[^2]                                                                          |     ✅     |     ✅      |       -        |        -        | excluded         |            -             |
+| [PHP](php.md)        | composer.lock                                                                              |     ✅     |     ✅      |       ✅        |        ✅        | excluded         |            ✅             |
+| [Node.js](nodejs.md) | package-lock.json                                                                          |     -     |     -      |       ✅        |        ✅        | excluded         |            ✅             |
+|                      | yarn.lock                                                                                  |     -     |     -      |       ✅        |        ✅        | included         |            ✅             |
+|                      | pnpm-lock.yaml                                                                             |     -     |     -      |       ✅        |        ✅        | excluded         |            -             |
+|                      | package.json                                                                               |     ✅     |     ✅      |       -        |        -        | excluded         |            -             |
+| .NET                 | packages.lock.json                                                                         |     ✅     |     ✅      |       ✅        |        ✅        | included         |            ✅             |
+|                      | packages.config                                                                            |     ✅     |     ✅      |       ✅        |        ✅        | excluded         |            -             |
+|                      | .deps.json                                                                                 |     ✅     |     ✅      |       ✅        |        ✅        | excluded         |            ✅             |
+| [Java](java.md)      | JAR/WAR/PAR/EAR[^3]                                                                        |     ✅     |     ✅      |       -        |        -        | included         |            -             |
+|                      | pom.xml[^4]                                                                                |     -     |     -      |       ✅        |        ✅        | excluded         |            -             |
+|                      | *gradle.lockfile                                                                           |     -     |     -      |       ✅        |        ✅        | excluded         |            -             |
+| [Go](golang.md)      | Binaries built by Go[^5]                                                                   |     ✅     |     ✅      |       -        |        -        | excluded         |            -             |
+|                      | go.mod[^6]                                                                                 |     -     |     -      |       ✅        |        ✅        | included         |            -             |
+| [Rust](rust.md)      | Cargo.lock                                                                                 |     ✅     |     ✅      |       ✅        |        ✅        | excluded[^13]    |            ✅             |
+|                      | Binaries built with [cargo-auditable](https://github.com/rust-secure-code/cargo-auditable) |     ✅     |     ✅      |       -        |        -        | excluded[^13]    |            -             |
+| C/C++                | conan.lock[^12]                                                                            |     -     |     -      |       ✅        |        ✅        | excluded[^13]    |            -             |
+| Elixir               | mix.lock[^12]                                                                              |     -     |     -      |       ✅        |        ✅        | excluded         |            ✅             |
+| Dart                 | pubspec.lock                                                                               |     ✅     |     ✅      |       -        |        -        | included         |            -             |
+| Julia                | Manifest.toml                                                                              |     ✅     |     ✅      |       ✅        |        ✅        | excluded[^14]    |            ✅             |
+
+The path of these files does not matter.
+
+Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Dockerfile)
+
+[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
+[^2]: `.dist-info/META-DATA`
+[^3]: `*.jar`, `*.war`, `*.par` and `*.ear`
+[^4]: It requires Internet access when the POM doesn't exist in your local repository
+[^5]: UPX-compressed binaries don't work
+[^6]: If smaller than go 1.17, go.sum is also required
+[^7]: ✅ means "enabled" and `-` means "disabled" in the image scanning
+[^8]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
+[^9]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^10]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning
+[^11]: ✅ means that Trivy detects line numbers where each dependency is declared in the scanned file. Only supported in [json](../../../configuration/reporting.md#json) and [sarif](../../../configuration/reporting.md#sarif) formats. SARIF uses `startline == 1 and endline == 1` for unsupported file types
+[^12]: To scan a filename other than the default filename use [file-patterns](../../../configuration/others.md#file-patterns)
+[^13]: When you scan `Cargo.lock` and `Cargo.toml` together. See about it [here](./rust.md#cargo).
+[^14]: When you scan `Project.toml` and `Manifest.toml` together. See about it [here](./julia.md#pkgjl).
+
+## Data Sources
+
+| Language | Source                                              | Commercial Use | Delay[^1] |
+| -------- | --------------------------------------------------- | :------------: | :-------: |
+| PHP      | [PHP Security Advisories Database][php]             |       ✅        |     -     |
+|          | [GitHub Advisory Database (Composer)][php-ghsa]     |       ✅        |     -     |
+| Python   | [GitHub Advisory Database (pip)][python-ghsa]       |       ✅        |     -     |
+|          | [Open Source Vulnerabilities (PyPI)][python-osv]    |       ✅        |     -     |
+| Ruby     | [Ruby Advisory Database][ruby]                      |       ✅        |     -     |
+|          | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    |       ✅        |     -     |
+| Node.js  | [Ecosystem Security Working Group][nodejs]          |       ✅        |     -     |
+|          | [GitHub Advisory Database (npm)][nodejs-ghsa]       |       ✅        |     -     |
+| Java     | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
+|          | [GitHub Advisory Database (Maven)][java-ghsa]       |       ✅        |     -     |
+| Go       | [GitHub Advisory Database (Go)][go-ghsa]            |       ✅        |     -     |
+|          | [The Go Vulnerability Database][go]                 |       ✅        |     -     |
+| Rust     | [Open Source Vulnerabilities (crates.io)][rust-osv] |       ✅        |     -     |
+| .NET     | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     |       ✅        |     -     |
+| C/C++    | [GitLab Advisories Community][gitlab]               |       ✅        |  1 month  |
+| Dart     | [GitHub Advisory Database (Pub)][pub-ghsa]          |       ✅        |     -     |
+| Elixir   | [GitHub Advisory Database (Erlang)][erlang-ghsa]    |       ✅        |           |
+
+[^1]: Intentional delay between vulnerability disclosure and registration in the DB
+
+[php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
+[python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip
+[ruby-ghsa]: https://github.com/advisories?query=ecosystem%3Arubygems
+[nodejs-ghsa]: https://github.com/advisories?query=ecosystem%3Anpm
+[java-ghsa]: https://github.com/advisories?query=ecosystem%3Amaven
+[dotnet-ghsa]: https://github.com/advisories?query=ecosystem%3Anuget
+[pub-ghsa]: https://github.com/advisories?query=ecosystem%3Apub
+[erlang-ghsa]: https://github.com/advisories?query=ecosystem%3Aerlang
+[go-ghsa]: https://github.com/advisories?query=ecosystem%3Ago
+
+[php]: https://github.com/FriendsOfPHP/security-advisories
+[ruby]: https://github.com/rubysec/ruby-advisory-db
+[nodejs]: https://github.com/nodejs/security-wg
+[gitlab]: https://gitlab.com/gitlab-org/advisories-community
+[go]: https://github.com/golang/vulndb
+
+[python-osv]: https://osv.dev/list?q=&ecosystem=PyPI
+[rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
diff --git a/go.mod b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/alicebob/miniredis/v2 v2.30.4
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
 	github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898
-	github.com/aquasecurity/go-dep-parser v0.0.0-20231120074854-8322cc2242bf
+	github.com/aquasecurity/go-dep-parser v0.0.0-20231122010617-fc7f2b470d89
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46

diff --git a/go.sum b/go.sum
@@ -322,8 +322,8 @@ github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
 github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898 h1:gu7XQvv2CswgzOdOFHg/AmtR4vBonG35XvGxHHvcIr4=
 github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0=
-github.com/aquasecurity/go-dep-parser v0.0.0-20231120074854-8322cc2242bf h1:kweQrNMfarPfjZGI1537GtuujhpzhsuT/MvmW2FwaBE=
-github.com/aquasecurity/go-dep-parser v0.0.0-20231120074854-8322cc2242bf/go.mod h1:7+xrs6AWD5+onpmX8f7qIkAhUgkPP0mhUdBjxJBcfas=
+github.com/aquasecurity/go-dep-parser v0.0.0-20231122010617-fc7f2b470d89 h1:IssyGUDzAYvTcv28EJMmqYWhQh5sW9HiJwDphEFNSWM=
+github.com/aquasecurity/go-dep-parser v0.0.0-20231122010617-fc7f2b470d89/go.mod h1:7+xrs6AWD5+onpmX8f7qIkAhUgkPP0mhUdBjxJBcfas=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-mock-aws v0.0.0-20230810212901-d6feebd39060 h1:V7nC90NpRDEubNpNEgRDtTfLH3RKQlZeY9/HSqxEze8=

diff --git a/pkg/detector/library/driver.go b/pkg/detector/library/driver.go
@@ -79,6 +79,9 @@ func NewDriver(libType ftypes.LangType) (Driver, bool) {
 	case ftypes.K8sUpstream:
 		ecosystem = vulnerability.Kubernetes
 		comparer = compare.GenericComparer{}
+	case ftypes.Julia:
+		log.Logger.Warn("Julia is supported for SBOM, not for vulnerability scanning")
+		return Driver{}, false
 	default:
 		log.Logger.Warnf("The %q library type is not supported for vulnerability scanning", libType)
 		return Driver{}, false

diff --git a/pkg/fanal/analyzer/all/import.go b/pkg/fanal/analyzer/all/import.go
@@ -18,6 +18,7 @@ import (
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/gradle"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/pom"
+	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/pkg"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/pnpm"

diff --git a/pkg/fanal/analyzer/const.go b/pkg/fanal/analyzer/const.go
@@ -90,6 +90,9 @@ const (
 	// Dart
 	TypePubSpecLock Type = "pubspec-lock"
 
+	// Julia
+	TypeJulia Type = "julia"
+
 	// ============
 	// Non-packaged
 	// ============
@@ -184,6 +187,7 @@ var (
 		TypeSwift,
 		TypePubSpecLock,
 		TypeMixLock,
+		TypeJulia,
 	}
 
 	// TypeLockfiles has all lock file analyzers
-Original file line number
+Diff line change
@@ Expand Up / @@ -75,6 +75,7 @@ jobs: @@
                 dart
                 swift
                 bitnami
+                julia
                 os
                 lang
@@ Expand Down @@