Vulnerability Analysis in JuliaHub
Vulnerability analysis in JuliaHub allows you to automatically detect known security issues in your projects, dependencies, and execution environments. This process helps identify publicly disclosed vulnerabilities, including CVEs, in Julia packages and system libraries.
Using Trivy as the scanning engine, JuliaHub provides standardized, actionable insights that enable developers to prioritize and remediate security risks early in the development lifecycle.
What is Vulnerability Analysis?
It is the process of identifying, evaluating, and prioritizing security weaknesses in a software system, application, or codebase. The goal is to detect potential flaws that could be exploited by attackers or lead to system failures. Vulnerability analysis emphasizes security risks and their potential impact.
Benefits
Enhanced Security and Risk Management: Identifies critical weaknesses early, allowing teams to prioritize and address the most impactful vulnerabilities before they can be exploited.
Cost Efficiency and Compliance: Reduces costs by preventing expensive post-deployment fixes and helps meet regulatory standards.
Integrating vulnerability analysis into development workflows ensures that security is not an afterthought but a core aspect of software quality and maintenance.
Trivy in JuliaHub
Trivy is a vulnerability scanner integrated into JuliaHub to help developers detect security issues in Julia projects. It scans project dependencies, including both direct and transitive packages, for known vulnerabilities listed in public databases and Julia‑specific security advisories.
How Trivy is Used in JuliaHub
Trivy is integrated into JuliaHub in two key ways to provide comprehensive analysis:
On-demand for Projects: As a developer, you can initiate a vulnerability scan on your project code whenever you need to check its quality and security.
Periodically for Packages: Trivy automatically runs on packages served on JuliaHub, ensuring continuous monitoring and maintenance of code quality for the broader Julia ecosystem.
Issue Severity Levels
Trivy reports issues at different levels of severity to help you prioritize your attention:
High: Indicates a serious problem, requiring immediate attention.
Medium: Signals a notable problem, suggesting an area for improvement.
Low: Points out a minor problem or an opportunity to enhance your code.
Comprehensive Ruleset
Trivy refers to a robust set of security advisories for its vulnerability analysis, designed to cover a broad spectrum of potential issues. It also supports the Julia Security (JLSEC) advisory database to identify Julia-specific vulnerabilities in packages and dependencies.
You can explore the published advisories by visiting: https://github.com/JuliaLang/SecurityAdvisories.jl/tree/main/advisories/published/2025
Tutorial
Vulnerability Analysis of Projects
Let's start by creating a simple project.
Go to Projects.
Click on Create Project -> Generic Project -> "Hello Scan" -> Next -> Create.
Launch the project in the VSCode IDE.
In the REPL, press ] to enter package mode, then run activate . followed by instantiate.

This activates the local project environment so you can add dependencies. We will first add HTTP.jl v1.9.0, which is known to have vulnerabilities. To do that, in package mode run add HTTP@1.9.0.
After the package has been added, you will see in the file explorer that Project.toml and Manifest.toml files have been created. These are synced automatically, so you can go to the Project page in JuliaHub and view them there.

In the project page, click on the Vulnerability tab and then click on the Start Scan button to initiate and queue the scan.

After the scan is finished, you should be able to see the scan results. As the report shows, there are several issues; specifically, two Low severity CVEs were found in HTTP v1.9.0, which were fixed in v1.10.17 and v1.10.19 respectively.

We also scan the dependencies of your dependencies, so if a package you use depends on something with reported vulnerabilities, those findings appear in the report as well (in our case, MbedTLS_jll).
Note: Only users with the Owner or Editor role on a project can run a scan.
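The chain just described is what makes a transitive finding such as MbedTLS_jll show up for a project that only added HTTP. The following is an added example, not JuliaHub's or Trivy's code: it walks a Manifest.toml (the lock file Pkg writes next to Project.toml) with Julia's TOML standard library and lists every package reachable from the project's direct dependencies, which is the set a dependency scanner has to cover. The embedded manifest is constructed for this example: the HTTP 1.9.0 pin comes from the tutorial, while the HTTP -> MbedTLS -> MbedTLS_jll chain, the UUIDs and the other versions are illustrative placeholders, not registry values.

```julia
# Added example (not JuliaHub's or Trivy's code): enumerate the direct and
# transitive packages recorded in a Manifest.toml, i.e. what a scanner sees.
using TOML

# Constructed sample manifest in the manifest_format 2.0 layout. The HTTP 1.9.0
# pin is from the tutorial; the UUIDs and the remaining versions are placeholders.
const SAMPLE_MANIFEST = """
julia_version = "1.10.0"
manifest_format = "2.0"

[[deps.HTTP]]
deps = ["MbedTLS"]
uuid = "00000000-0000-0000-0000-000000000001"
version = "1.9.0"

[[deps.MbedTLS]]
deps = ["MbedTLS_jll"]
uuid = "00000000-0000-0000-0000-000000000002"
version = "1.1.0"

[[deps.MbedTLS_jll]]
uuid = "00000000-0000-0000-0000-000000000003"
version = "2.28.0+0"
"""

# Flatten a parsed manifest into name => (version, direct deps). Handles the
# v2 layout (packages nested under "deps") and the older v1 layout (top level).
function manifest_entries(manifest::AbstractDict)
    table = get(manifest, "deps", manifest)
    entries = Dict{String,Tuple{String,Vector{String}}}()
    for (name, records) in table
        records isa AbstractVector || continue       # skip julia_version etc.
        for rec in records
            version = string(get(rec, "version", "stdlib"))  # stdlibs carry no version
            raw = get(rec, "deps", String[])
            # deps is a list of names, or a name => uuid table when names clash
            deps = raw isa AbstractDict ? collect(keys(raw)) : collect(raw)
            entries[name] = (version, String.(deps))
        end
    end
    return entries
end

# Breadth-first walk from the direct dependencies (the [deps] of Project.toml),
# recording the depth at which each package is first reached.
function reachable(entries::AbstractDict, roots::Vector{String})
    depth = Dict{String,Int}()
    queue = [(r, 0) for r in roots]
    while !isempty(queue)
        name, d = popfirst!(queue)
        haskey(depth, name) && continue
        depth[name] = d
        haskey(entries, name) || continue   # e.g. a stdlib absent from the manifest
        for child in entries[name][2]
            push!(queue, (child, d + 1))
        end
    end
    return depth
end

# Print one line per reachable package, direct dependencies first, and return
# the depth map so the result can be inspected programmatically.
function report(manifest_toml::AbstractString, direct::Vector{String})
    entries = manifest_entries(TOML.parse(manifest_toml))
    depth = reachable(entries, direct)
    for name in sort!(collect(keys(depth)); by = n -> (depth[n], n))
        version, _ = get(entries, name, ("stdlib", String[]))
        kind = depth[name] == 0 ? "direct" : "transitive (depth $(depth[name]))"
        println(rpad(name, 14), rpad(version, 12), kind)
    end
    return depth
end

# The tutorial project only added HTTP, yet MbedTLS_jll is reached at depth 2.
report(SAMPLE_MANIFEST, ["HTTP"])
```

To run this against a real project, replace SAMPLE_MANIFEST with read(joinpath(pwd(), "Manifest.toml"), String) and pass the names listed under [deps] in Project.toml as the roots; every package the walk reaches is one whose version is in scope for a vulnerability report, whether or not you added it yourself.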
Vulnerability Analysis of Packages
The scan for packages happens automatically during the sync process.
If you go into the Package details page, you will see a new tab named Vulnerabilities with a badge indicating the count.

Inside the tab, you will see a list of all vulnerabilities which were found for the respective Package.

Each entry in the list provides an overview by displaying the advisory ID, a short summary, whether the currently selected version is affected, and the last modified date of the vulnerability.
Clicking on an entry opens a detailed view with further information, such as the published date, introduced and fixed versions, aliases, and a detailed description.
