Package Governance Tools on JuliaHub: Private Registries, Analytics and Policies

The Julia language was designed from the ground-up to take the best parts of other languages; their development best practices and concepts and improve upon those capabilities. Many of the ecosystem tools that are growing as part of the Julia language are meant to accelerate the methodology of languages created decades ago. Consequently, our package ecosystem, package management methods, private registries, security, policies, and analytics were all designed with this in mind.

The Julia package ecosystem and all open source packages can be found here: https://juliahub.com/ui/Search

Julia Package Manager

The start of this Julia story is the built-in package manager. The package manager helps manage package registries, package dependencies and versions. 

The package manager keeps synchronized copies of the registries available in your JuiaHub instance for each of your projects. When you add a package to a project, the package manager performs a graph search to resolve the package versions your project has access to. Then it attempts to download the packages and all their dependencies from your JuliaHub instance.

JuliaHub double-checks that you are a member of the project and that your project has access to each of the requested packages. If these checks succeed, the package manager downloads those packages from JuliaHub. You can let the package manager know if you need to install different versions of the packages than the ones it chooses by default in your current environment.

Julia Packages

Each Julia package consists of:

src/package_name.jl
license.txt
Project.toml
Manifest.oml

There are a few things that make the Julia package manager special. The first is the Package.toml file and the Manifest.toml file that accompanies each Julia package. Let’s take a look at what those files do.

Manifest.toml

Each julia package automatically generates a Manifest.toml file and includes entries such as dependencies. An entry might look like this:

julia_version = "1.8.2"
manifest_format = "2.0"
project_hash = "4d9d5b552a1236d3c1171abf88d59da3aaac328a"

The manifest’s full entries may include:

• uuid

  : the UUID for the dependency, for example

  uuid = "7876af07-990d-54b4-ab0e-23690620f79a".

• version

  : a version number, for example version

  = "1.2.6"

  .

• path

  : a file path to the source code, for example path

  = /home/user/Example

  .

• repo-url

  : a URL to the repository where the source code was found, for example

  repo-url = "https://github.com/JuliaLang/Example.jl.git"

  .

• repo-rev:

  a git revision, for example a branch repo-rev = "master" or a commit

  repo-rev = "66607a62a83cb07ab18c0b35c038fcd62987c9b1"

• git-tree-sha1:

  a content hash of the source tree, for example

  git-tree-sha1 = "ca3820cc4e66f473467d912c4b2b3ae5dc968444".

Software Bill of Materials

The information in the manifest file naturally lends itself to becoming a software bill of materials since it provides the user full traceability of all package dependencies and versions.

Project.toml

Additionally, Julia packages also have a project.toml file that lists the project’s dependencies and compatibility constraints. 

An example:

name = "HelloWorld"
uuid = "b4cd1eb8-1e24-11e8-3319-93036a3eb9f3"
version = "0.1.0"
authors = ["Some One <someone@email.com>"]
[deps]

You can learn more about Julia packages on the documentation here and if you want to learn how to build and register your own Julia package by watching this tutorial.

Using Private Package Registries on JuliaHub

If your team develops Julia functionality and wants to keep that code private, JuliaHub provides the package authors the ability to register and store that code in a private registry. All enterprise-level subscriptions include this feature and admins can create as many private registries as they wish. Then, users can register packages to this private registry using any git-based source. These registries have their own access controls so that your organization can limit who has access to which private registry. This comes in handy should your organization only want certain team members to access certain proprietary code.

Admins can set the registry owner of a private registry to any user. Users can click the “My Registries” button on the Packages page to see their permissions on all of the registries they have access to.

Registry owners can go to the sharing tab to give other users access to their registries or remove that access.

Package Usage Analytics

JuliaHub also provides admins with enterprise-level accounts an analytics screen that provides data around packages used from each private registry. The analytics focus on the top packages used and which users are accessing those packages. You can find out information such as: How many packages are being used overall? Which users are using which packages ? Which packages (and versions) are the top 5 most used?

Here is what it looks like for the General Registry:

Complete Package information can be found from the analytics screen to the traceability dashboard and has:

• Date of use
• Status (installed or not)
• Package UUID
• Usage count
• The registry from which the package was served
• User name 
• Package name 

Julia Package Compliance Features

Package Policies

One compliance-related feature that we have recently built is the ability to create “rules' ' that govern the usage of Julia packages in your JuliaHub projects. This rules engine can be used to assign key:value pairs that if true create a list of packages that are allowed or disallowed. For example, if you’d like to guide your organization to only allow packages that meet certain open source license requirements, you can create a rule that allows only those licenses and allows packages that do not meet that license requirement. 

You can use this feature to create a curated list of compliant packages for your organization. JuliaHub allows you to maintain a set of policies for different types or levels of compliance that different projects can reuse.

Static Code Analysis

JuliaHub also includes tools to make sure that your Julia packages are following best practices. We’ve partnered with Semgrep to build 100 rules that can be used to scan your Julia code and let you know if your code might be exposing itself to common weaknesses (CWEs) as well as other security-related issues. Learn more about our semgrep tools here.

Conclusion

JuliaHub takes the beauty of the Julia language and its package management capabilities and makes these tools available in the context of the enterprise. It helps organizations with an unlimited number of team members keep proprietary code safe using private registries, let certain users access certain packages using registry access controls, allows admins to administer rules to guide the usage of packages that meet certain criteria, and has static code analysis tools to keep your organization’s software secure. The following features are all available to enterprise organizations:

• Julia Package Manager
• Private Registries for Julia Packages
• Package Analytics
• Package Policies
• Static Code Analysis

In addition to the information about Julia package governance tools in this blog, check out the comparison of dependency management in Julia vs other languages in the Scientific Coder blog.

To try JuliaHub for free sign in here and Contact Sales to learn more about our advanced package registry, security, and analytics features.