Julia and devops - security pipeline

Newbie here. I hope this is the right place to ask my question. If not, let me know where I should move this and I will!

My organization uses HP Fortify and OWASP dependency checker to scan all code before pushing to production. However, neither of these support Julia. Does anybody know of any security scanning tools that do support Julia? Or maybe there’s a way to transpile Julia to C or something?

Thanks in advance.

Transpiling to C is probably a no-go, but I’m sure a core dev would know if there’s a way to do that.

Regarding dependency scanning, I’m not aware of any pre-existing tooling (and if there is, I doubt it already supports the new Pkg3 way of doing things). What exactly do you need to know about your dependencies? Are you whitelisting/blacklisting specific deps based on some criteria?

Thanks for the reply.

The purpose of the dependency checker is to find known vulnerabilities in any dependencies (libs, etc) your code uses. If there are too many findings, alarms go off, and your code can’t go into production until you fix the issues.

All of our “dependencies” are just Julia packages.

It’s a similar idea with Fortify, as I understand it. It checks the code you wrote, flags “bad” code, and offers suggestions as to how to improve it. Again, if there are too many findings, you can’t go to production.

These are hurdles my organization has in place to help ensure code quality. It’s basically just a box we need to check before we can get our product to the users.

AFAIK Julia has no list of “known vulnerabilities” (apart from the open issues, some of which I guess could be exploited), so this may be difficult conceptually.

That’s what I thought, but I wanted to come here and ask before I made a hasty conclusion. Due diligence, etc. etc. Thanks for the info!

For what it’s worth - Julia support in these kinds of tools will probably make adoption of Julia easier for teams that have these kinds of processes and policies in place. In my particular situation, if we can’t find a way around this issue, we will have to rewrite our code in something like Python. This would effectively relegate Julia to the role of a prototyping language unsuitable for production (in our use case).

Not trying to be critical here, just offering some constructive feedback. Hopefully as Julia comes into more widespread use, tools like Fortify support it!


I am not sure that static code analysis is much more useful for Python, besides picking up some low-hanging fruit. But I understand that some companies, especially in regulated industries, insist on it. There are similar tools for Julia; the one that seems to be active is

https://github.com/ZacLN/StaticLint.jl

but it appears to be WIP. Perhaps you can convince the company which sells Fortify to support Julia.