julia package analyzer #50582
I'm not familiar with any similar tool to oysteR for R, nor is the Julia package ecosystem covered by the OSS Index, nor any similar that I know of.

You can see dependencies of Julia packages in the Project.toml file, and you can see those direct, plus indirect dependencies of packages for individual packages at juliahub.com. Julia packages most often do not rely on unsafe languages like C (as Python does) and C++ (many R packages rely on), since Julia is as fast as C and C++. You can still call those and other languages to reuse code, and that would be done usually with JLL packages, so keep that in mind if you see them in the package dependency tree, or your Manifest.toml file. Julia checks by default for out-of-bounds checks, unlike C and C++ (it may though do in some cases), however it's often overridden locally, for speed by

You could ask about such a tool, or about the need for, and security best practises in general at discourse.julialang.org. Most discussions are to be had there (and some other official places, and reddit and stackoverflow). It seems at least out of scope here. I (or others) could expand on it more there. You could link to this answer so that people will not repeat.
Hello!
I would like to know if there are analyzers similar to oysteR for R that can check dependencies and vulnerabilities of packages in Julia?
Thank you in advance for your help!