GeneralMetadata.jl: JLL and Artifact Component analysis
evanjrowley•2mo ago
I am glad Julia is exploring this route.
The Go ecosystem has achieved something amazing here with govulncheck[0] and I would love to see more programming languages introduce such capabilities. For those who are unaware, govulncheck provides a software component analysis (SCA) and dynamic/static application security test (DAST/SAST) capability. It's directly supported by the Go project and so far I have not found this in any other ecosystem at a comparable level of integration.
Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application.
By default, govulncheck makes requests to the Go vulnerability database at https://vuln.go.dev. Requests to the vulnerability database contain only module paths with vulnerabilities already known to the database, not code or other properties of your program. See https://vuln.go.dev/privacy.html for more. Use the -db flag to specify a different database, which must implement the specification at https://go.dev/security/vuln/database.
Unlike Go, Julia is an interpreted language, so their approach to this challenge will be different and worth learning from.
[0] https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
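The matching half of what govulncheck does, taking a resolved build list and checking each module version against the vulnerability database's OSV records, is small enough to show in full. The Go program below is an added example written for this thread, not govulncheck's code or anything from the Julia GeneralMetadata effort. It assumes a reduced OSV subset (id, affected[].package.name, and SEMVER ranges whose introduced/fixed events are listed in ascending order, which is how the Go database emits them), handles only the SEMVER range type, and uses constructed data: the GO-PLACEHOLDER ids, the example.com module paths and the versions are all made up. It also covers the pre-release edge case a naive version comparison gets wrong: v1.4.2-rc1 still predates a fix that landed in 1.4.2 and must be reported. What it does not do is the second half, the symbol-level reachability analysis govulncheck layers on top to drop findings in code the program never calls.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Entry is the subset of an OSV record (the Go vulnerability database format) that a
// matcher needs; encoding/json matches the lower-case JSON keys to these fields itself.
type Entry struct {
	ID       string
	Affected []struct {
		Package struct{ Name string }
		Ranges  []struct{ Type string; Events []struct{ Introduced, Fixed string } } // events assumed in ascending order
	}
}

// semverKey maps "v1.4.2-rc1", "1.4.2" or "0" to a zero-padded key that plain string
// comparison orders correctly, e.g. "000000001.000000004.000000002.true"; the trailing
// false/true flag makes a release sort above its own pre-releases (v1.4.2-rc1 < v1.4.2).
func semverKey(version string) (string, error) {
	v, pre, _ := strings.Cut(strings.TrimPrefix(version, "v"), "-")
	parts := [3]int{}
	for i, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil || i > 2 || n > 999999999 {
			return "", fmt.Errorf("unsupported version %q", version)
		}
		parts[i] = n
	}
	return fmt.Sprintf("%09d.%09d.%09d.%t", parts[0], parts[1], parts[2], pre == ""), nil
}

// affected reports whether module@version lies in one of e's SEMVER ranges. OSV semantics:
// "introduced" is inclusive ("0" = since the first version), "fixed" is exclusive, and the
// last event whose bound is at or below the version decides.
func affected(e Entry, module, version string) (bool, error) {
	v, err := semverKey(version)
	if err != nil {
		return false, err
	}
	for _, a := range e.Affected {
		for _, r := range a.Ranges {
			if a.Package.Name != module || r.Type != "SEMVER" {
				continue
			}
			vulnerable := false
			for _, ev := range r.Events { // exactly one of Introduced/Fixed is set per event
				if b, err := semverKey(ev.Introduced + ev.Fixed); err != nil {
					return false, err
				} else if v >= b {
					vulnerable = ev.Introduced != ""
				}
			}
			if vulnerable {
				return true, nil
			}
		}
	}
	return false, nil
}

// scan matches a resolved build list (module -> version, as in go.mod) against a JSON
// array of entries and returns "ID module@version" findings.
func scan(deps map[string]string, db string) ([]string, error) {
	var entries []Entry
	if err := json.Unmarshal([]byte(db), &entries); err != nil {
		return nil, err
	}
	var out []string
	for m, ver := range deps {
		for _, e := range entries {
			if hit, err := affected(e, m, ver); err != nil {
				return nil, err
			} else if hit {
				out = append(out, fmt.Sprintf("%s %s@%s", e.ID, m, ver))
			}
		}
	}
	return out, nil
}

// Constructed sample database; the ids and module paths are placeholders.
const sampleDB = `[
 {"id":"GO-PLACEHOLDER-0001","affected":[{"package":{"name":"example.com/netlib"},"ranges":[{"type":"SEMVER",
  "events":[{"introduced":"0"},{"fixed":"1.4.2"},{"introduced":"2.0.0"},{"fixed":"2.0.3"}]}]}]},
 {"id":"GO-PLACEHOLDER-0002","affected":[{"package":{"name":"example.com/parser"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.9.0"}]}]}]}
]`

// Constructed build list: netlib sits exactly on its fixed version (not affected), parser is
// inside an open-ended range with no fix yet (affected), unrelated is not in the database.
var sampleDeps = map[string]string{"example.com/netlib": "v1.4.2", "example.com/parser": "v1.1.0", "example.com/unrelated": "v3.0.0"}

func main() { fmt.Println(scan(sampleDeps, sampleDB)) }
```

Running it prints the single finding for example.com/parser. The netlib entry carries two disjoint vulnerable windows, which is why the matcher walks every event of a range instead of stopping at the first introduced/fixed pair, and why a dependency pinned exactly on a fixed version comes back clean while its release candidate does not.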