-
Notifications
You must be signed in to change notification settings - Fork 2.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(license): add license handling to JUnit template #7409
fix(license): add license handling to JUnit template #7409
Conversation
Preliminaries
I've created a Java project to produce a suitable SBOM specimen (see psibre/java-app-vuln-license-sbom-mwe@df7dc92), which I'll attach here for convenience: Vulnerability scannerTable format
JUnit XML format
<?xml version="1.0" ?>
<testsuites name="trivy">
<testsuite tests="14" failures="14" name="Java" errors="0" skipped="0" time="">
<properties>
<property name="type" value="jar"></property>
</properties>
<testcase classname="com.google.protobuf:protobuf-java-3.11.4" name="[HIGH] CVE-2021-22569" time="">
<failure message="protobuf-java: potential DoS in the parsing procedure for binary data" type="description">An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.</failure>
</testcase>
<testcase classname="com.google.protobuf:protobuf-java-3.11.4" name="[HIGH] CVE-2021-22570" time="">
<failure message="protobuf: Incorrect parsing of nullchar in the proto symbol leads to Nullptr dereference" type="description">Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.</failure>
</testcase>
<testcase classname="com.google.protobuf:protobuf-java-3.11.4" name="[HIGH] CVE-2022-3509" time="">
<failure message="protobuf-java: Textformat parsing issue leads to DoS" type="description">A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.</failure>
</testcase>
<testcase classname="com.google.protobuf:protobuf-java-3.11.4" name="[HIGH] CVE-2022-3510" time="">
<failure message="protobuf-java: Message-Type Extensions parsing issue leads to DoS" type="description">A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

</failure>
</testcase>
<testcase classname="com.google.protobuf:protobuf-java-3.11.4" name="[MEDIUM] CVE-2022-3171" time="">
<failure message="protobuf-java: timeout in parser leads to DoS" type="description">A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.</failure>
</testcase>
<testcase classname="edu.stanford.nlp:stanford-corenlp-4.3.2" name="[CRITICAL] CVE-2021-44550" time="">
<failure message="Access Control vulnerability within CoreNLP" type="description">An Incorrect Access Control vulnerability exists in CoreNLP 4.3.2 via the classifier in NERServlet.java (lines 158 and 159).</failure>
</testcase>
<testcase classname="edu.stanford.nlp:stanford-corenlp-4.3.2" name="[CRITICAL] CVE-2022-0239" time="">
<failure message="corenlp is vulnerable to Improper Restriction of XML External Entity Reference" type="description">corenlp is vulnerable to Improper Restriction of XML External Entity Reference</failure>
</testcase>
<testcase classname="edu.stanford.nlp:stanford-corenlp-4.3.2" name="[MEDIUM] CVE-2022-0198" time="">
<failure message="XML External Entity Reference in edu.stanford.nlp:stanford-corenlp" type="description">corenlp is vulnerable to Improper Restriction of XML External Entity Reference</failure>
</testcase>
<testcase classname="xalan:xalan-2.7.2" name="[HIGH] CVE-2022-34169" time="">
<failure message="OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)" type="description">The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.</failure>
</testcase>
<testcase classname="xerces:xercesImpl-2.8.0" name="[HIGH] CVE-2012-0881" time="">
<failure message="xml: xerces-j2 hash table collisions CPU usage DoS (oCERT-2011-003)" type="description">Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.</failure>
</testcase>
<testcase classname="xerces:xercesImpl-2.8.0" name="[HIGH] CVE-2013-4002" time="">
<failure message="OpenJDK: XML parsing Denial of Service (JAXP, 8017298)" type="description">XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.</failure>
</testcase>
<testcase classname="xerces:xercesImpl-2.8.0" name="[MEDIUM] CVE-2009-2625" time="">
<failure message="JDK: XML parsing Denial-Of-Service (6845701)" type="description">XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.</failure>
</testcase>
<testcase classname="xerces:xercesImpl-2.8.0" name="[MEDIUM] CVE-2020-14338" time="">
<failure message="wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl" type="description">A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.</failure>
</testcase>
<testcase classname="xerces:xercesImpl-2.8.0" name="[MEDIUM] CVE-2022-23437" time="">
<failure message="xerces-j2: infinite loop when handling specially crafted XML document payloads" type="description">There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.</failure>
</testcase>
</testsuite>
<testsuite tests="0" failures="0" name="Java" errors="0" skipped="0" time="">
<properties>
<property name="type" value="jar"></property>
</properties>
</testsuite>
</testsuites> License scannerTable format
JUnit XML format (before)
<?xml version="1.0" ?>
<testsuites name="trivy">
<testsuite tests="0" failures="0" name="OS Packages" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="OS Packages" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="Java" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="Java" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="Loose File License(s)" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="Loose File License(s)" errors="0" skipped="0" time="">
</testsuite>
</testsuites> JUnit XML format (after)
<?xml version="1.0" ?>
<testsuites name="trivy">
<testsuite tests="0" failures="0" name="OS Packages" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="OS Packages" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="Java" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="30" failures="30" name="Java" time="0">
<testcase classname="com.apple:AppleJavaExtensions" name="[UNKNOWN] Apple License">
<failure/>
</testcase>
<testcase classname="com.google.code.findbugs:jsr305" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="com.google.protobuf:protobuf-java" name="[LOW] BSD-3-Clause">
<failure/>
</testcase>
<testcase classname="com.sun.xml.bind:jaxb-core" name="[MEDIUM] CDDL-1.1">
<failure/>
</testcase>
<testcase classname="com.sun.xml.bind:jaxb-impl" name="[MEDIUM] CDDL-1.1">
<failure/>
</testcase>
<testcase classname="de.jollyday:jollyday" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="edu.stanford.nlp:stanford-corenlp" name="[UNKNOWN] GNU General Public License Version 3">
<failure/>
</testcase>
<testcase classname="javax.xml.bind:jaxb-api" name="[MEDIUM] CDDL-1.1">
<failure/>
</testcase>
<testcase classname="javax.xml.bind:jaxb-api" name="[HIGH] GPL-2.0-with-classpath-exception">
<failure/>
</testcase>
<testcase classname="joda-time:joda-time" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.apache.commons:commons-lang3" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.apache.lucene:lucene-analyzers-common" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.apache.lucene:lucene-core" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.apache.lucene:lucene-queries" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.apache.lucene:lucene-queryparser" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.apache.lucene:lucene-sandbox" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-cdense" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-core" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-ddense" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-dsparse" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-fdense" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-fsparse" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-simple" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.ejml:ejml-zdense" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="org.slf4j:slf4j-api" name="[LOW] MIT">
<failure/>
</testcase>
<testcase classname="xalan:serializer" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="xalan:xalan" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="xerces:xercesImpl" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="xml-apis:xml-apis" name="[LOW] Apache-2.0">
<failure/>
</testcase>
<testcase classname="xom:xom" name="[UNKNOWN] The GNU Lesser General Public License, Version 2.1">
<failure/>
</testcase>
</testsuite>
<testsuite tests="0" failures="0" name="Java" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="Loose File License(s)" errors="0" skipped="0" time="">
</testsuite>
<testsuite tests="0" failures="0" name="Loose File License(s)" errors="0" skipped="0" time="">
</testsuite>
</testsuites> |
Perhaps it would be even more useful to add the |
@afdesk Can you please take a look? |
@psibre thanks a lot for your contribution! it's really nice. Should |
I based this pattern on the one already present in the Vulnerabilities portion of the template. Specifically, in junit.tpl#L12, there is
Since that name attribute is typically part of the summary (e.g., in a GitLab test report), I think it's consistent with expected behavior of Trivy-generated JUnit XML reports to maintain that pattern for the licenses. |
i understand it. thanks! |
Description
Related issues
Checklist