
Conversation

@nvtkaszpir nvtkaszpir commented Oct 28, 2025

Sometimes CVE descriptions contain characters that end up causing an error in the XML parser, for example < and >.
Adding the description in a CDATA block prevents processing of such content, and thus there are no more errors.

ref https://en.wikipedia.org/wiki/CDATA

```text
<![CDATA[
{{ html .Vulnerability.Description }}
{{ .Artifact.CPEs }}
```
Contributor


Does it make sense to loop over the CPEs and put a newline? Right now it looks like this:

```xml
        </testcase>
        <testcase classname="libcrypto3-3.5.0-r0 (apk)" name="[Medium] CVE-2025-4575">
            <failure message="libcrypto3: CVE-2025-4575" type="description">
<![CDATA[


[cpe:2.3:a:libcrypto3:libcrypto3:3.5.0-r0:*:*:*:*:*:*:* cpe:2.3:a:libcrypto3:libcrypto:3.5.0-r0:*:*:*:*:*:*:* cpe:2.3:a:libcrypto:libcrypto3:3.5.0-r0:*:*:*:*:*:*:* cpe:2.3:a:libcrypto:libcrypto:3.5.0-r0:*:*:*:*:*:*:*]

https://security.alpinelinux.org/vuln/CVE-2025-4575

]]></failure>
        </testcase>
```

which makes the CPEs a little hard to read.

Contributor Author

@nvtkaszpir nvtkaszpir Oct 30, 2025


Oh right, good catch, fixed in the next commit. If it looks good, then please resolve the conversation.
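The failure mode described in the PR description and the one-CPE-per-line point from the review, as an added Go example that is not grype's own template or code: it renders a constructed "before" and "after" template over a made-up match and then strict-parses the result with `encoding/xml`, which is what a CI consumer of the JUnit report effectively does. The names `match`, `rawTmpl`, `cdataTmpl`, `cdataSafe`, `renderAndParse` and the sample description and CPE are assumptions; the `]]>` guard goes one step beyond the merged change, since that is the only byte sequence a CDATA section itself cannot contain.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"strings"
	"text/template"
)

// Constructed stand-in for the data grype feeds its JUnit template (not grype's own types).
type match struct {
	Description string
	CPEs        []string
}

// Before: the description lands straight in the element body, so a bare '<' breaks the XML.
const rawTmpl = `<testcase name="t"><failure type="description">{{ .Description }}</failure></testcase>`
// After: CDATA-wrapped body with one CPE per line, in the spirit of the merged change;
// cdataSafe is an added helper (assumption) for the one sequence a CDATA section cannot hold.
const cdataTmpl = `<testcase name="t"><failure type="description"><![CDATA[
{{ cdataSafe .Description }}

CPEs:
{{ range .CPEs }}{{ cdataSafe . }}
{{ end }}]]></failure></testcase>`

// cdataSafe splits any "]]>" in s across two CDATA sections, so the parser still yields "]]>".
func cdataSafe(s string) string { return strings.ReplaceAll(s, "]]>", "]]]]><![CDATA[>") }

// renderAndParse executes tmpl over m, then strict-parses the output with encoding/xml and
// returns the text of <failure>; an error here is what a CI consumer would hit on the report.
func renderAndParse(tmpl string, m match) (string, error) {
	t, err := template.New("junit").Funcs(template.FuncMap{"cdataSafe": cdataSafe}).Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, m); err != nil {
		return "", err
	}
	var tc struct{ Failure string `xml:"failure"` }
	if err := xml.Unmarshal(buf.Bytes(), &tc); err != nil {
		return "", fmt.Errorf("report is not well-formed XML: %w", err)
	}
	return tc.Failure, nil
}

func main() {
	m := match{Description: "reads offsets < 0; literal ]]> inside", CPEs: []string{"cpe:2.3:a:v:p:1.0:*:*:*:*:*:*:*"}}
	_, err := renderAndParse(rawTmpl, m)
	fmt.Println("raw template:", err) // a parse error, as the PR describes
	text, err := renderAndParse(cdataTmpl, m)
	fmt.Printf("cdata template: err=%v\n%s", err, text) // err=<nil>, then the readable body
}
```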

@willmurphyscode willmurphyscode self-assigned this Oct 29, 2025
Example output:
```text
There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.

This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

CPEs:
cpe:2.3:a:python_software_foundation:python:3.11.13:*:*:*:*:*:*:*
cpe:2.3:a:python:python:3.11.13:*:*:*:*:*:*:*

DataSource:
https://nvd.nist.gov/vuln/detail/CVE-2025-8194
```

Signed-off-by: Michał Sochoń <[email protected]>
@willmurphyscode willmurphyscode enabled auto-merge (squash) November 14, 2025 13:44
@willmurphyscode willmurphyscode merged commit ab2159d into anchore:main Nov 14, 2025
12 checks passed
@github-project-automation github-project-automation bot moved this to Done in OSS Nov 14, 2025
spiffcs added a commit to joonas/grype that referenced this pull request Nov 20, 2025
* main:
  chore(deps): update tools to latest versions (anchore#3051)
  chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 (anchore#3059)
  chore(deps): bump anchore/sbom-action from 0.20.9 to 0.20.10 (anchore#3060)
  chore(deps): bump github/codeql-action from 4.31.2 to 4.31.4 (anchore#3061)
  chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 (anchore#3063)
  chore(deps): bump actions/setup-go in /.github/actions/bootstrap (anchore#3064)
  chore(deps): update anchore dependencies (anchore#3055)
  test: update quality gate db to latest version (anchore#3053)
  fix: normalize java runtime qualifiers in maven version comparisons (anchore#3034)
  chore(deps): update tools to latest versions (anchore#3045)
  fix: junit template use CDATA block to prevent XML parse errors (anchore#3019)
  feat: add basic VEX support for SBOM and other sources
  chore(deps): bump golang.org/x/tools from 0.38.0 to 0.39.0 (anchore#3046)
  chore(deps): bump github.com/opencontainers/selinux (anchore#3044)
  chore(deps): bump github.com/olekukonko/tablewriter from 1.1.0 to 1.1.1 (anchore#3039)
  keep nested loggers labeled (anchore#3040)