feat: add Julia package ecosystem (JLSEC-*) and linting support #434

Merged
another-rex merged 12 commits into ossf:main from JuliaComputing:jlsec
Oct 12, 2025

mbauman (Contributor, Author) commented Oct 8, 2025

Note that we should be able to revert 98e42e3 once a new version of Semantic that includes Julia support (google/osv-scalibr#1426) is published.

mbauman changed the title from "feat: add Julia package ecosystem and linting support" to "feat: add Julia package ecosystem (JLSEC-*) and linting support" on Oct 8, 2025

G-Rath (Contributor) left a comment

The OSV libs use each other with pseudo versions, so you don't need to wait for a new release; you can just update to point at the latest commit. That should let you start specifying Julia and then, I believe, switch to using our `versionsExistInGeneric` function, as I'm not seeing any other reason that shouldn't work?

Also, can you please add some tests for the linter changes? 🙂

mbauman (Contributor, Author) commented Oct 8, 2025

I've added tests and bumped semantic. The versions.json file that we're using there isn't a straight array of versions; it's a key-value with information about the registration and "yank" (read: invalidation) dates, so we can't directly use the generic parser. We do have control over that file's schema and nobody else is using it yet — it's new.

G-Rath (Contributor) commented Oct 8, 2025

> so we can't directly use the generic parser.

The generic parser extracts an array of versions using a gjson selector which you can customize - in this case `@keys` should be what you want; for reference, hackage has a similar structure.

https://gjson.dev/
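
As an added illustration of the exchange above (not code from this pull request or from the OSV libraries): for a key-value versions file, gjson's `@keys` modifier returns the object's keys, which are the version strings. The Go example below produces the same key set with `encoding/json` instead of gjson; the sample file and its `registered`/`yanked` field names are constructed assumptions, and `versionKeys` and `missingVersions` are hypothetical helpers.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample: keys are version strings; the "registered" and
// "yanked" field names are assumptions, not the real file's schema.
const sampleVersionsJSON = `{
  "1.0.0": {"registered": "2023-01-10"},
  "1.0.1": {"registered": "2023-02-01", "yanked": "2023-02-03"},
  "1.1.0": {"registered": "2023-06-15"}
}`

// versionKeys returns the top-level keys, the same set gjson's "@keys"
// selects; sorted here because Go map iteration order is random.
func versionKeys(data []byte) ([]string, error) {
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(data, &obj); err != nil {
		return nil, fmt.Errorf("versions file is not a JSON object: %w", err)
	}
	keys := make([]string, 0, len(obj))
	for k := range obj {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys, nil
}

// missingVersions lists advisory versions that are not known keys.
func missingVersions(advisory, known []string) []string {
	set := make(map[string]struct{}, len(known))
	for _, v := range known {
		set[v] = struct{}{}
	}
	var missing []string
	for _, v := range advisory {
		if _, ok := set[v]; !ok {
			missing = append(missing, v)
		}
	}
	return missing
}

func main() {
	known, err := versionKeys([]byte(sampleVersionsJSON))
	fmt.Println(known, missingVersions([]string{"1.0.1", "2.0.0"}, known), err)
}
```

In this sample the yanked `1.0.1` is still a key, so it counts as an existing version, while a plain array input is rejected because it is not a key-value object.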

another-rex (Collaborator) left a comment

LGTM, thanks!

another-rex (Collaborator) commented

Can you have a look at the DCO check? Thanks

mbauman force-pushed the jlsec branch 2 times, most recently from d953884 to 3139def on October 9, 2025 01:10
mbauman added 11 commits October 8, 2025 21:11
Signed-off-by: Matt Bauman <mbauman@juliahub.com>
Signed-off-by: Matt Bauman <mbauman@juliahub.com>
Signed-off-by: Matt Bauman <mbauman@juliahub.com>
Signed-off-by: Matt Bauman <mbauman@juliahub.com>
Signed-off-by: Matt Bauman <mbauman@juliahub.com>
Signed-off-by: Matt Bauman <mbauman@juliahub.com>
Signed-off-by: Matt Bauman <mbauman@juliahub.com>
This reverts commit 98e42e3.

Signed-off-by: Matt Bauman <mbauman@juliahub.com>
Signed-off-by: Matt Bauman <mbauman@juliahub.com>
…c10963e8ce9cdc8b6

Signed-off-by: Matt Bauman <mbauman@juliahub.com>
Signed-off-by: Matt Bauman <mbauman@juliahub.com>
Co-authored-by: Gareth Jones <3151613+G-Rath@users.noreply.github.com>
Signed-off-by: Matt Bauman <mbauman@juliahub.com>
another-rex merged commit 434020c into ossf:main on Oct 12, 2025
7 checks passed
another-rex pushed a commit that referenced this pull request Nov 21, 2025
Follow-up to #434

Signed-off-by: Matt Bauman <mbauman@juliahub.com>
progval added a commit to progval/osv that referenced this pull request Dec 19, 2025
Includes:

* 1.7.0:
  * ossf/osv-schema#312 (`upstream` field)
  * ossf/osv-schema#319
  * ossf/osv-schema#337 (`Ubuntu` as `severity` score)
* 1.7.1: nothing
* 1.7.2:
  * ossf/osv-schema#351
  * ossf/osv-schema#347
  * ossf/osv-schema#358
* 1.7.3:
  * ossf/osv-schema#394
* 1.7.4: ossf/osv-schema#434
  * ossf/osv-schema#357
tiegz pushed a commit to tiegz/osv-schema that referenced this pull request Jan 28, 2026
…#434)

This is for https://github.com/JuliaLang/SecurityAdvisories.jl

---------

Signed-off-by: Matt Bauman <mbauman@juliahub.com>
Co-authored-by: Gareth Jones <3151613+G-Rath@users.noreply.github.com>
tiegz pushed a commit to tiegz/osv-schema that referenced this pull request Jan 28, 2026
Follow-up to ossf#434

Signed-off-by: Matt Bauman <mbauman@juliahub.com>