GeneralMetadata.jl: JLL and Artifact Component analysis
I am glad Julia is exploring this route.
The Go ecosystem has achieved something amazing here with govulncheck[0] and I would love to see more programming languages introduce such capabilties. For those who are unaware, govulncheck provides a software component analysis (SCA) and dynamic/static applilcation security test (DAST/SAST) capability. It's directly supported by the Go project and so far I have not found this in any other ecosystem at a comparable level of integration.
Govulncheck reports known vulnerabilities that affect Go code. It uses static analysis of source code or a binary's symbol table to narrow down reports to only those that could affect the application.
By default, govulncheck makes requests to the Go vulnerability database at https://vuln.go.dev. Requests to the vulnerability database contain only module paths with vulnerabilities already known to the database, not code or other properties of your program. See https://vuln.go.dev/privacy.html for more. Use the -db flag to specify a different database, which must implement the specification at https://go.dev/security/vuln/database.
Unlike Go, Julia is an interpreted language, so their approach to this challenge will be different and worth learning from.
1 comment
[ 3.3 ms ] story [ 370 ms ] threadThe Go ecosystem has achieved something amazing here with govulncheck[0] and I would love to see more programming languages introduce such capabilties. For those who are unaware, govulncheck provides a software component analysis (SCA) and dynamic/static applilcation security test (DAST/SAST) capability. It's directly supported by the Go project and so far I have not found this in any other ecosystem at a comparable level of integration.
Unlike Go, Julia is an interpreted language, so their approach to this challenge will be different and worth learning from.[0] https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck