feat: Add Julia language analyzer support (#5635)

Author: Octogonapus

.github/workflows/semantic-pr.yaml

@@ -77,6 +77,7 @@ jobs:
             swift
             bitnami
             conda
+            julia
 
             os
             lang

docs/community/contribute/pr.md

@@ -143,6 +143,7 @@ language:
 - go
 - elixir
 - dart
+- julia
 
 vuln:
 

docs/docs/coverage/language/index.md

@@ -47,6 +47,7 @@ On the other hand, when the target is a post-build artifact, like a container im
 | [Dart](dart.md)      | pubspec.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 | [Swift](swift.md)    | Podfile.lock                                                                               |     -     |     -      |       ✅        |       ✅        |
 |                      | Package.resolved                                                                           |     -     |     -      |       ✅        |       ✅        |
+| [Julia](julia.md)    | Manifest.toml                                                                              |     ✅     |     ✅      |       ✅        |       ✅        |
 
 The path of these files does not matter.
 

docs/docs/coverage/language/julia.md

@@ -0,0 +1,24 @@
+# Julia
+
+## Features
+
+Trivy supports [Pkg.jl](https://pkgdocs.julialang.org/v1/), which is the Julia package manager.
+The following table provides an outline of the features Trivy offers.
+
+| Package manager | File          | Transitive dependencies | Dev dependencies | License | Dependency graph | Position |
+| --------------- | ------------- | :---------------------: | :--------------- | :-----: | :--------------: | :------: |
+| Pkg.jl          | Manifest.toml |            ✅            | Excluded[^1]     |    -    |        ✅         |    ✅     |
+
+### Pkg.jl
+
+Trivy searches for `Manifest.toml` to detect dependencies.
+
+Trivy also supports dependency trees; however, to display an accurate tree, it needs to know whether each package is a direct dependency of the project.
+Since this information is not included in `Manifest.toml`, Trivy parses `Project.toml`, which should be located next to `Project.toml`.
+If you want to see the dependency tree, please ensure that `Project.toml` is present.
+
+Scanning `Manifest.toml` and `Project.toml` together also removes developer dependencies.
+
+Dependency extensions are currently ignored.
+
+[^1]: When you scan `Manifest.toml` and `Project.toml` together.

integration/repo_test.go

@@ -397,6 +397,15 @@ func TestRepository(t *testing.T) {
 				want.ArtifactType = artifact.TypeFilesystem
 			},
 		},
+		{
+			name: "julia generating SPDX SBOM",
+			args: args{
+				command: "rootfs",
+				format:  "spdx-json",
+				input:   "testdata/fixtures/repo/julia",
+			},
+			golden: "testdata/julia-spdx.json.golden",
+		},
 	}
 
 	// Set up testing DB

integration/testdata/fixtures/repo/julia/Manifest.toml

@@ -0,0 +1,16 @@
+# This file is machine-generated - editing it directly is not advised
+
+julia_version = "1.9.0"
+manifest_format = "2.0"
+project_hash = "f0a796fb78285c02ad123fec6e14c8bac09a2ccc"
+
+[[deps.A]]
+uuid = "ead4f63c-334e-11e9-00e6-e7f0a5f21b60"
+
+    [deps.A.deps]
+    B = "f41f7b98-334e-11e9-1257-49272045fb24"
+
+[[deps.B]]
+uuid = "f41f7b98-334e-11e9-1257-49272045fb24"
+[[deps.B]]
+uuid = "edca9bc6-334e-11e9-3554-9595dbb4349c"

integration/testdata/fixtures/repo/julia/Project.toml

@@ -0,0 +1,7 @@
+name = "packageName"
+uuid = "1c653b0a-0b5a-4cff-b25a-92f0db012773"
+version = "0.1.0"
+
+[deps]
+A = "ead4f63c-334e-11e9-00e6-e7f0a5f21b60"
+B = "edca9bc6-334e-11e9-3554-9595dbb4349c"

integration/testdata/julia-spdx.json.golden

@@ -0,0 +1,138 @@
+{
+  "spdxVersion": "SPDX-2.3",
+  "dataLicense": "CC0-1.0",
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "testdata/fixtures/repo/julia",
+  "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/julia-3ff14136-e09f-4df9-80ea-000000000006",
+  "creationInfo": {
+    "creators": [
+      "Organization: aquasecurity",
+      "Tool: trivy-dev"
+    ],
+    "created": "2021-08-25T12:20:30Z"
+  },
+  "packages": [
+    {
+      "name": "Manifest.toml",
+      "SPDXID": "SPDXRef-Application-18fc3597717a3e56",
+      "downloadLocation": "NONE",
+      "filesAnalyzed": false,
+      "attributionTexts": [
+        "Class: lang-pkgs",
+        "Type: julia"
+      ],
+      "primaryPackagePurpose": "APPLICATION"
+    },
+    {
+      "name": "A",
+      "SPDXID": "SPDXRef-Package-2a46714189f3b9de",
+      "versionInfo": "1.9.0",
+      "supplier": "NOASSERTION",
+      "downloadLocation": "NONE",
+      "filesAnalyzed": false,
+      "sourceInfo": "package found in: Manifest.toml",
+      "licenseConcluded": "NONE",
+      "licenseDeclared": "NONE",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:julia/[email protected]?uuid=ead4f63c-334e-11e9-00e6-e7f0a5f21b60"
+        }
+      ],
+      "attributionTexts": [
+        "PkgID: ead4f63c-334e-11e9-00e6-e7f0a5f21b60",
+        "PkgType: julia"
+      ],
+      "primaryPackagePurpose": "LIBRARY"
+    },
+    {
+      "name": "B",
+      "SPDXID": "SPDXRef-Package-4a8e351c4c9b7318",
+      "versionInfo": "1.9.0",
+      "supplier": "NOASSERTION",
+      "downloadLocation": "NONE",
+      "filesAnalyzed": false,
+      "sourceInfo": "package found in: Manifest.toml",
+      "licenseConcluded": "NONE",
+      "licenseDeclared": "NONE",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:julia/[email protected]?uuid=edca9bc6-334e-11e9-3554-9595dbb4349c"
+        }
+      ],
+      "attributionTexts": [
+        "PkgID: edca9bc6-334e-11e9-3554-9595dbb4349c",
+        "PkgType: julia"
+      ],
+      "primaryPackagePurpose": "LIBRARY"
+    },
+    {
+      "name": "B",
+      "SPDXID": "SPDXRef-Package-d10d5e4a30a43fff",
+      "versionInfo": "1.9.0",
+      "supplier": "NOASSERTION",
+      "downloadLocation": "NONE",
+      "filesAnalyzed": false,
+      "sourceInfo": "package found in: Manifest.toml",
+      "licenseConcluded": "NONE",
+      "licenseDeclared": "NONE",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:julia/[email protected]?uuid=f41f7b98-334e-11e9-1257-49272045fb24"
+        }
+      ],
+      "attributionTexts": [
+        "PkgID: f41f7b98-334e-11e9-1257-49272045fb24",
+        "PkgType: julia"
+      ],
+      "primaryPackagePurpose": "LIBRARY"
+    },
+    {
+      "name": "testdata/fixtures/repo/julia",
+      "SPDXID": "SPDXRef-Filesystem-1be792dd0077c431",
+      "downloadLocation": "NONE",
+      "filesAnalyzed": false,
+      "attributionTexts": [
+        "SchemaVersion: 2"
+      ],
+      "primaryPackagePurpose": "SOURCE"
+    }
+  ],
+  "relationships": [
+    {
+      "spdxElementId": "SPDXRef-Application-18fc3597717a3e56",
+      "relatedSpdxElement": "SPDXRef-Package-2a46714189f3b9de",
+      "relationshipType": "CONTAINS"
+    },
+    {
+      "spdxElementId": "SPDXRef-Application-18fc3597717a3e56",
+      "relatedSpdxElement": "SPDXRef-Package-4a8e351c4c9b7318",
+      "relationshipType": "CONTAINS"
+    },
+    {
+      "spdxElementId": "SPDXRef-Application-18fc3597717a3e56",
+      "relatedSpdxElement": "SPDXRef-Package-d10d5e4a30a43fff",
+      "relationshipType": "CONTAINS"
+    },
+    {
+      "spdxElementId": "SPDXRef-DOCUMENT",
+      "relatedSpdxElement": "SPDXRef-Filesystem-1be792dd0077c431",
+      "relationshipType": "DESCRIBES"
+    },
+    {
+      "spdxElementId": "SPDXRef-Filesystem-1be792dd0077c431",
+      "relatedSpdxElement": "SPDXRef-Application-18fc3597717a3e56",
+      "relationshipType": "CONTAINS"
+    },
+    {
+      "spdxElementId": "SPDXRef-Package-2a46714189f3b9de",
+      "relatedSpdxElement": "SPDXRef-Package-d10d5e4a30a43fff",
+      "relationshipType": "DEPENDS_ON"
+    }
+  ]
+}

mkdocs.yml

@@ -102,6 +102,7 @@ nav:
               - Ruby: docs/coverage/language/ruby.md
               - Rust: docs/coverage/language/rust.md
               - Swift: docs/coverage/language/swift.md
+              - Julia: docs/coverage/language/julia.md
           - IaC:
               - Overview: docs/coverage/iac/index.md
               - Azure ARM Template: docs/coverage/iac/azure-arm.md

pkg/dependency/parser/julia/manifest/parse.go

@@ -36,8 +36,9 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 	var primMan primitiveManifest
 	var manMetadata toml.MetaData
 	decoder := toml.NewDecoder(r)
-	// Try to read the old Manifest format. If that fails, try the new format.
-	if _, err := decoder.Decode(&oldDeps); err != nil {
+	// Try to read the old Manifest format. This can also read the v1.0 Manifest format, which we parse out later.
+	var err error
+	if manMetadata, err = decoder.Decode(&oldDeps); err != nil {
 		if _, err = r.Seek(0, io.SeekStart); err != nil {
 			return nil, nil, xerrors.Errorf("seek error: %w", err)
 		}

pkg/dependency/parser/julia/manifest/parse_test.go

@@ -54,6 +54,12 @@ func TestParse(t *testing.T) {
 			want:     juliaV1_9ShadowedDepPkgs,
 			wantDeps: juliaV1_9ShadowedDepDeps,
 		},
+		{
+			name:     "julia v1.0 format",
+			file:     "testdata/julia_v1.0_format/Manifest.toml",
+			want:     juliaV10FormatPkgs,
+			wantDeps: juliaV10FormatDeps,
+		},
 	}
 
 	for _, tt := range tests {

pkg/dependency/parser/julia/manifest/parse_testcase.go

@@ -74,4 +74,19 @@ var (
 	juliaV1_9ShadowedDepDeps = []ftypes.Dependency{
 		{ID: "ead4f63c-334e-11e9-00e6-e7f0a5f21b60", DependsOn: []string{"f41f7b98-334e-11e9-1257-49272045fb24"}},
 	}
+
+	juliaV10FormatPkgs = []ftypes.Package{
+		{ID: "767738be-2f1f-45a9-b806-0234f3164144", Name: "Foo", Version: "unknown", Locations: []ftypes.Location{{StartLine: 1, EndLine: 5}}},
+		{ID: "6f418443-bd2e-4783-b551-cdbac608adf2", Name: "Foo", Version: "unknown", Locations: []ftypes.Location{{StartLine: 7, EndLine: 10}}},
+		{ID: "2a550a13-6bab-4a91-a4ee-dff34d6b99d0", Name: "Bar", Version: "unknown", Locations: []ftypes.Location{{StartLine: 12, EndLine: 14}}},
+		{ID: "6801f525-dc68-44e8-a4e8-cabd286279e7", Name: "Baz", Version: "unknown", Locations: []ftypes.Location{{StartLine: 19, EndLine: 21}}},
+		{ID: "b5ec9b9c-e354-47fd-b367-a348bdc8f909", Name: "Qux", Version: "unknown", Locations: []ftypes.Location{{StartLine: 26, EndLine: 28}}},
+	}
+
+	juliaV10FormatDeps = []ftypes.Dependency{
+		{ID: "767738be-2f1f-45a9-b806-0234f3164144", DependsOn: []string{"2a550a13-6bab-4a91-a4ee-dff34d6b99d0", "6801f525-dc68-44e8-a4e8-cabd286279e7", "b5ec9b9c-e354-47fd-b367-a348bdc8f909"}},
+		{ID: "6f418443-bd2e-4783-b551-cdbac608adf2", DependsOn: []string{"b5ec9b9c-e354-47fd-b367-a348bdc8f909"}},
+		{ID: "2a550a13-6bab-4a91-a4ee-dff34d6b99d0", DependsOn: []string{"6801f525-dc68-44e8-a4e8-cabd286279e7", "6f418443-bd2e-4783-b551-cdbac608adf2"}},
+		{ID: "6801f525-dc68-44e8-a4e8-cabd286279e7", DependsOn: []string{"6f418443-bd2e-4783-b551-cdbac608adf2", "b5ec9b9c-e354-47fd-b367-a348bdc8f909"}},
+	}
 )

pkg/dependency/parser/julia/manifest/testdata/julia_v1.0_format/Manifest.toml

@@ -0,0 +1,28 @@
+[[Foo]]
+deps = ["Bar", "Baz", "Qux"]
+uuid = "767738be-2f1f-45a9-b806-0234f3164144"
+git-tree-sha1 = "7c626031568a5e432112a74009c3763f9b851e3e"
+path = "deps/Foo1"
+
+[[Foo]]
+deps = ["Qux"]
+uuid = "6f418443-bd2e-4783-b551-cdbac608adf2"
+path = "deps/Foo2.jl"
+
+[[Bar]]
+uuid = "2a550a13-6bab-4a91-a4ee-dff34d6b99d0"
+path = "deps/Bar"
+[Bar.deps]
+Baz = "6801f525-dc68-44e8-a4e8-cabd286279e7"
+Foo = "6f418443-bd2e-4783-b551-cdbac608adf2"
+
+[[Baz]]
+uuid = "6801f525-dc68-44e8-a4e8-cabd286279e7"
+git-tree-sha1 = "efc7e24c53d6a328011975294a2c75fed2f9800a"
+[Baz.deps]
+Foo = "6f418443-bd2e-4783-b551-cdbac608adf2"
+Qux = "b5ec9b9c-e354-47fd-b367-a348bdc8f909"
+
+[[Qux]]
+uuid = "b5ec9b9c-e354-47fd-b367-a348bdc8f909"
+path = "deps/Qux.jl"

pkg/dependency/parser/julia/manifest/testdata/julia_v1.0_format/Project.toml

@@ -0,0 +1,6 @@
+name = "TestProject"
+uuid = "84c38c17-0c6f-4d12-a694-d20b69c16777"
+
+[deps]
+Foo = "767738be-2f1f-45a9-b806-0234f3164144"
+Bar = "2a550a13-6bab-4a91-a4ee-dff34d6b99d0"

pkg/detector/library/driver.go

@@ -81,6 +81,9 @@ func NewDriver(libType ftypes.LangType) (Driver, bool) {
 	case ftypes.K8sUpstream:
 		ecosystem = vulnerability.Kubernetes
 		comparer = compare.GenericComparer{}
+	case ftypes.Julia:
+		log.Warn("Julia is supported for SBOM, not for vulnerability scanning")
+		return Driver{}, false
 	default:
 		log.Warn("The library type is not supported for vulnerability scanning",
 			log.String("type", string(libType)))

pkg/fanal/analyzer/all/import.go

@@ -20,6 +20,7 @@ import (
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/gradle"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/jar"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/java/pom"
+	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/julia/pkg"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/npm"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/pkg"
 	_ "github.com/aquasecurity/trivy/pkg/fanal/analyzer/language/nodejs/pnpm"

pkg/fanal/analyzer/const.go

@@ -94,6 +94,9 @@ const (
 	// Dart
 	TypePubSpecLock Type = "pubspec-lock"
 
+	// Julia
+	TypeJulia Type = "julia"
+
 	// ============
 	// Non-packaged
 	// ============
@@ -191,6 +194,7 @@ var (
 		TypeSwift,
 		TypePubSpecLock,
 		TypeMixLock,
+		TypeJulia,
 	}
 
 	// TypeLockfiles has all lock file analyzers