Security scanning of Julia code

Hi all,

I was wondering what other people do to keep track of scanning Julia code for security vulnerabilities and if any vulnerabilities get reported to CVE.



I don’t think there are many people that track vulnerabilities in Julia packages, and if they do, they probably do it by manually auditing/fuzz testing packages they use.

1 Like

Thanks. That was kind of my impression too, so I’d also be interested in what kind of fuzz testing others do for Julia.

There is a related discussion:

I don’t think this is something that CVE would track at the moment even if people submitted, see

CVE does not track everything, just what they think is relevant for cybersecurity.

I think the best way to accomplish the same goal of determining which packages have the potential to cause a security incident, is to setup fuzz testing and mutation testing infrastructure for Julia, and apply it regularly to registered packages (maybe per commit or PR as part of CI). I think it’d be really cool to have tools like these, if not for the purposes of security, then for the purposes of reliability from a usage standpoint. The only example I know of (but I haven’t yet used) is: GitHub - vchuravy/ConcolicFuzzer.jl: Prototype of a fuzzer for Julia based on concolic execution

1 Like