Security scanning of Julia code

security
#1

Hi all,

I was wondering what other people do to keep track of scanning Julia code for security vulnerabilities and if any vulnerabilities get reported to CVE.

Thanks,

Philip

#2

I don’t think there are many people that track vulnerabilities in Julia packages, and if they do, they probably do it by manually auditing/fuzz testing packages they use.

#3

Thanks. That was kind of my impression too, so I’d also be interested in what kind of fuzz testing others do for Julia.

#4

There is a related discussion:

#5

I don’t think this is something that CVE would track at the moment even if people submitted, see

https://cve.mitre.org/cve/request_id.html

CVE does not track everything, just what they think is relevant for cybersecurity.

#6

I think the best way to accomplish the same goal of determining which packages have the potential to cause a security incident is to set up fuzz testing and mutation testing infrastructure for Julia, and apply it regularly to registered packages (maybe per commit or PR as part of CI). I think it’d be really cool to have tools like these, if not for the purposes of security, then for the purposes of reliability from a usage standpoint. The only example I know of (but I haven’t yet used) is: https://github.com/vchuravy/ConcolicFuzzer.jl

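For readers wondering what the fuzz testing mentioned in #2, #3 and #6 can look like in practice, here is an added example of a minimal mutation-based fuzz harness in plain Julia. It is not code from this thread, from ConcolicFuzzer.jl or from any registered package: the target `parse_kv`, its bug, the mutators, the seed corpus and the `fuzz` driver are all made up for illustration. The bug it finds is a real Julia pitfall, though: `findfirst` on a `String` returns a byte index, and slicing with `seg[1:i-1]` throws `StringIndexError` when `i-1` falls inside a multibyte character (so `parse_kv("é=1")` throws instead of parsing).

```julia
# Added example (not from the thread or any Julia package): a minimal
# mutation-based fuzz harness. `parse_kv`, its bug, the mutators and the
# seed corpus are all made up for illustration.
using Random

# Hypothetical target: parse "k1=v1;k2=v2" into a Dict. Empty segments are
# skipped; a segment without '=' raises a documented ArgumentError.
# Latent bug: `findfirst` returns a *byte* index, and `seg[1:i-1]` requires
# i-1 to be a character boundary, so a multibyte key such as "é=1" throws
# StringIndexError instead of parsing.
function parse_kv(s::AbstractString)
    d = Dict{String,String}()
    for seg in split(s, ';')
        isempty(seg) && continue
        i = findfirst(==('='), seg)
        i === nothing && throw(ArgumentError("segment without '=': $seg"))
        d[strip(seg[1:i-1])] = seg[i+1:end]
    end
    return d
end

# Tokens worth splicing in: delimiters, a multibyte char, NUL, an invalid
# UTF-8 byte. Mutation works on bytes so malformed UTF-8 is exercised too.
const INTERESTING = [Vector{UInt8}(codeunits(t)) for t in ("=", ";", "é", "\0", "\xff", "==", ";;")]

function mutate(rng::AbstractRNG, bytes::Vector{UInt8})
    b = copy(bytes)
    op = rand(rng, 1:4)
    if op == 1 && !isempty(b)               # flip one bit
        k = rand(rng, eachindex(b))
        b[k] ⊻= UInt8(1) << rand(rng, 0:7)
    elseif op == 2                          # insert a random byte
        insert!(b, rand(rng, 1:length(b)+1), rand(rng, UInt8))
    elseif op == 3 && !isempty(b)           # delete one byte
        deleteat!(b, rand(rng, eachindex(b)))
    else                                    # splice in an interesting token
        pos = rand(rng, 1:length(b)+1)
        b = vcat(b[1:pos-1], rand(rng, INTERESTING), b[pos:end])
    end
    return b
end

# Drive the target with mutated seeds. The only exception the API documents
# is ArgumentError; anything else is a finding. Keeps one representative
# input per exception type so the report stays readable.
function fuzz(target; seeds=("a=1;b=2", "k=v", ""), iters=20_000, rngseed=1)
    rng = MersenneTwister(rngseed)
    corpus = [Vector{UInt8}(codeunits(s)) for s in seeds]
    findings = Dict{String,Vector{UInt8}}()
    for _ in 1:iters
        input = mutate(rng, rand(rng, corpus))
        try
            target(String(copy(input)))   # String(v) takes ownership of v, hence copy
        catch e
            e isa ArgumentError && continue
            get!(findings, string(typeof(e)), input)
        end
    end
    return findings
end

# Hardened version: split at the first '=' instead of slicing by byte offset,
# so no index arithmetic on a String is needed.
function parse_kv_fixed(s::AbstractString)
    d = Dict{String,String}()
    for seg in split(s, ';')
        isempty(seg) && continue
        parts = split(seg, '='; limit=2)
        length(parts) == 2 || throw(ArgumentError("segment without '=': $seg"))
        d[strip(parts[1])] = parts[2]
    end
    return d
end

# Usage: report one input per crash class for the buggy and the fixed target.
for (name, f) in (("parse_kv", parse_kv), ("parse_kv_fixed", parse_kv_fixed))
    findings = fuzz(f)
    println(name, ": ", length(findings), " crash class(es)")
    for (exc, input) in findings
        println("  ", exc, " on ", repr(String(copy(input))))
    end
end
```

Two caveats a practitioner would want spelled out. First, this is black-box fuzzing of inputs with no coverage or constraint feedback, which is what the "mutation" here refers to; mutation *testing* as mentioned in #6 is a different technique that mutates the program under test to check whether its test suite notices. Second, the harness treats any undocumented exception as a bug, which is the right default for a parser exposed to untrusted data: in Julia an uncaught `StringIndexError` or `BoundsError` in a server handler is a denial-of-service finding even though it is memory-safe, and anything under `@inbounds` is where fuzzing with malformed bytes is most worth the CI minutes.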