New datasource: Julia package ecosystem advisories

[mbauman]

• Prepare your data - refer to the OSV Schema documentation for information on how to properly format the data so it can be accepted.

• Create a PR to reserve an ID prefix and define a new ecosystem (example). We review the records you start publishing for OSV Schema correctness and quality as part of reviewing and merging this PR.

  • feat: add Julia package ecosystem (JLSEC-*) and linting support ossf/osv-schema#434

• Prepare and publish your records via a Git repository (example). If this method isn’t ideal, we also support publishing records from REST API endpoints or through a GCS bucket(example).

  • Data are being published to the generated/osv branch: https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv

• To support API querying, please create a PR to extend purl_helpers.py and create a new ecosystem in _ecosystems.py. You can refer to existing examples showing how to implement support for Semver and non-Semver ecosystems.

  • I do not believe we need to extend purl_helpers.py; we are generating our OSV records with purls attached, and the proposed purl spec requires the package UUID. It would be possible to look that up in purl_helpers.py through an HTTP GET to a JSON file, but that would represent a new thing that no other ecosystem does. Edit: Purl parsing support added in PR 4135 below
  • feat: add Julia as a Semver ecosystem #4135

• Create a PR to start importing the records you are publishing into our test instance of OSV.dev and validate everything is working as intended there.

  • feat: Add Julia ecosystem to source_test #4282

• After successful import, review the OSV-linter results by querying http://api.test.osv.dev/v1experimental/importfindings/julia to identify and address any important record linting issues (allow up to a 1-day delay).

  • Checked importfindings two days after merging feat: Add Julia ecosystem to source_test #4282, still showing {}. We pass osv-lint as part of our own source CI tests and the records look as I'd expect, including participating well with records marked as upstream.

• Create a PR to start importing the records you are publishing into our production environment

  • feat: import Julia advisories to prod #4316

[jess-lowe]

Hey @mbauman, just thought I'd bump this and see how we're going with this? Happy to help if you have any questions!

[mbauman]

Thanks for the bump! I just opened the source_test PR: #4282.

[mbauman]

And we're live! Exciting to have Julia be a part of this project; thanks everyone for your guidance and assistance in getting this in. Now to tackle our backlog of upstream issues :)