Security scanning of Julia code

Hi all,

I was wondering what other people do to keep track of scanning Julia code for security vulnerabilities and if any vulnerabilities get reported to CVE.

Thanks,

Philip

I don’t think there are many people that track vulnerabilities in Julia packages, and if they do, they probably do it by manually auditing/fuzz testing packages they use.

1 Like

Thanks. That was kind of my impression too, so I’d also be interested in what kind of fuzz testing others do for Julia.

There is a related discussion:

I don’t think this is something that CVE would track at the moment even if people submitted, see

https://cve.mitre.org/cve/request_id.html

CVE does not track everything, just what they think is relevant for cybersecurity.

I think the best way to accomplish the same goal of determining which packages have the potential to cause a security incident is to set up fuzz testing and mutation testing infrastructure for Julia, and apply it regularly to registered packages (maybe per commit or PR as part of CI). I think it’d be really cool to have tools like these, if not for the purposes of security, then for the purposes of reliability from a usage standpoint. The only example I know of (but I haven’t yet used) is: GitHub - vchuravy/ConcolicFuzzer.jl: Prototype of a fuzzer for Julia based on concolic execution

1 Like
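To make the "set up fuzz testing" suggestion concrete, here is an added example of the smallest useful harness: a random-input fuzzer in plain Julia that separates deliberate input validation (expected exception types) from genuine crashes, keeps one sample per crashing exception type, and greedily shrinks the input before reporting it. This is not code from the thread or from ConcolicFuzzer.jl; the target `parse_kv`, its alphabet and the shrinker are constructed for illustration, and `parse_kv` carries a deliberate bug for the fuzzer to find.

```julia
# Added example (not from the thread): a minimal, coverage-unaware random fuzzer for Julia.
using Random

# Target under test, constructed for this example: parse "key=value" into a Pair.
# Deliberate bug: input without '=' yields a single-element split, so parts[2] raises BoundsError.
function parse_kv(s::AbstractString)
    parts = split(s, '=')
    return String(parts[1]) => String(parts[2])
end

# Alphabet biased toward the delimiter and whitespace, since those drive the parser's branches.
const ALPHABET = vcat('a':'z', '0':'9', ['=', ' ', '\t', '\n', '\0'])

# Generator: a random string of 0..maxlen characters drawn from ALPHABET.
function random_input(rng::AbstractRNG; maxlen = 12)
    n = rand(rng, 0:maxlen)
    return join(rand(rng, ALPHABET, n))
end

# Does `f(s)` still raise an exception of type `errtype`?
function reproduces(f, s::AbstractString, errtype)
    try
        f(s)
        return false
    catch e
        return e isa errtype
    end
end

# Greedy delta-debugging style shrink: drop one character at a time as long as the
# same exception type is still raised, so the report shows a minimal reproducer.
function shrink(f, s::AbstractString, err)
    errtype = typeof(err)
    cs = collect(s)
    i = 1
    while i <= length(cs)
        candidate = join(deleteat!(copy(cs), i))
        if reproduces(f, candidate, errtype)
            deleteat!(cs, i)
        else
            i += 1
        end
    end
    return join(cs)
end

struct Crash
    input::String      # shrunk reproducer
    err::Exception     # the original exception
end

# Run `f` on `iters` inputs from `gen`. Exception types listed in `expected` are treated as
# intentional validation (e.g. ArgumentError from a parser rejecting bad input); anything
# else (BoundsError, MethodError, ...) is an unhandled path and is recorded once per type.
function fuzz(f, gen, rng::AbstractRNG; iters = 10_000, expected = (ArgumentError,))
    crashes = Crash[]
    seen = Set{DataType}()
    for _ in 1:iters
        s = gen(rng)
        try
            f(s)
        catch e
            any(T -> e isa T, expected) && continue
            typeof(e) in seen && continue
            push!(seen, typeof(e))
            push!(crashes, Crash(shrink(f, s, e), e))
        end
    end
    return crashes
end

# Fixed seed so a CI run is reproducible; vary it (or iterate over several) to widen coverage.
rng = MersenneTwister(42)
for c in fuzz(parse_kv, random_input, rng)
    println("crash: input=", repr(c.input), " exception=", typeof(c.err))
end
# With this target the fuzzer reports a single BoundsError and shrinks the input to "".
```

Dropping this script into a package's `test/` directory and having it `exit(1)` when `fuzz` returns a non-empty vector is the per-PR CI gate the post describes. The harness is deliberately dumb: it has no feedback from which branches were executed, which is exactly what a concolic or coverage-guided fuzzer such as the ConcolicFuzzer.jl prototype adds on top.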