fix: junit template use CDATA block to prevent XML parse errors #3019
Merged
willmurphyscode merged 2 commits into anchore:main, Nov 14, 2025
Signed-off-by: Michał Sochoń <michal.sochon@ingenix.ai>
| <![CDATA[ | ||
| {{ html .Vulnerability.Description }} | ||
|
|
||
| {{ .Artifact.CPEs }} |
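Review bot: `{{ html .Vulnerability.Description }}` inside the `<![CDATA[` section double-encodes the text. Content of a CDATA section is not parsed, so a description containing `<` now reaches the JUnit consumer as the literal characters `&lt;` instead of `<`; the `html` pipeline is only needed for attribute values and should be dropped here. Separately, CDATA does not protect against every input: a description containing the sequence `]]>` ends the section early and the parse fails again, so the template should split that sequence (for example by replacing `]]>` with `]]]]><![CDATA[>`) before emitting it. Finally, `{{ .Artifact.CPEs }}` prints the slice with Go's default `[a b c]` formatting; ranging over it and emitting one CPE per line is easier to read.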
Contributor
Does it make sense to loop over the CPEs and put a newline? Right now it looks like this:

```xml
</testcase>
<testcase classname="libcrypto3-3.5.0-r0 (apk)" name="[Medium] CVE-2025-4575">
<failure message="libcrypto3: CVE-2025-4575" type="description">
<![CDATA[
[cpe:2.3:a:libcrypto3:libcrypto3:3.5.0-r0:*:*:*:*:*:*:* cpe:2.3:a:libcrypto3:libcrypto:3.5.0-r0:*:*:*:*:*:*:* cpe:2.3:a:libcrypto:libcrypto3:3.5.0-r0:*:*:*:*:*:*:* cpe:2.3:a:libcrypto:libcrypto:3.5.0-r0:*:*:*:*:*:*:*]
https://security.alpinelinux.org/vuln/CVE-2025-4575
]]></failure>
</testcase>
```

which makes the CPEs a little hard to read.
Contributor (Author)
Oh right, good catch, fixed in the next commit. If it looks good, then please resolve the conversation.
Example output:

```text
There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1
CPEs:
cpe:2.3:a:python_software_foundation:python:3.11.13:*:*:*:*:*:*:*
cpe:2.3:a:python:python:3.11.13:*:*:*:*:*:*:*
DataSource: https://nvd.nist.gov/vuln/detail/CVE-2025-8194
```

Signed-off-by: Michał Sochoń <michal.sochon@ingenix.ai>
willmurphyscode approved these changes, Nov 14, 2025
spiffcs added a commit to joonas/grype that referenced this pull request, Nov 20, 2025:

* main:
  chore(deps): update tools to latest versions (anchore#3051)
  chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 (anchore#3059)
  chore(deps): bump anchore/sbom-action from 0.20.9 to 0.20.10 (anchore#3060)
  chore(deps): bump github/codeql-action from 4.31.2 to 4.31.4 (anchore#3061)
  chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 (anchore#3063)
  chore(deps): bump actions/setup-go in /.github/actions/bootstrap (anchore#3064)
  chore(deps): update anchore dependencies (anchore#3055)
  test: update quality gate db to latest version (anchore#3053)
  fix: normalize java runtime qualifiers in maven version comparisons (anchore#3034)
  chore(deps): update tools to latest versions (anchore#3045)
  fix: junit template use CDATA block to prevent XML parse errors (anchore#3019)
  feat: add basic VEX support for SBOM and other sources
  chore(deps): bump golang.org/x/tools from 0.38.0 to 0.39.0 (anchore#3046)
  chore(deps): bump github.com/opencontainers/selinux (anchore#3044)
  chore(deps): bump github.com/olekukonko/tablewriter from 1.1.0 to 1.1.1 (anchore#3039)
  keep nested loggers labeled (anchore#3040)
Sometimes CVE descriptions contain chars that end up being an error in the XML parser, for example `<` and `>`. Adding the description in a CDATA block prevents processing of such content and thus no more errors.
ref https://en.wikipedia.org/wiki/CDATA
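The failure mode described above, and the CDATA fix, reproduced as an added example. This is not grype's code and not the template merged in this PR: it renders the same kind of JUnit `<failure>` body with Go's `text/template`, first with the description as raw element content and then inside a CDATA section, and parses both with `encoding/xml`. It goes slightly beyond the merged template in two places a practitioner would want: a hypothetical `cdataSafe` helper that splits the one sequence CDATA cannot carry (`]]>`), and the `text/template` builtin `html` on attribute values, which CDATA does not cover. The `Match`, `Artifact` and `Vulnerability` types are stand-ins with the field names the template references, and the sample input is constructed with placeholder IDs and descriptions rather than real advisory text.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"strings"
	"text/template"
)

// Stand-in types (assumed shapes, not grype's real types) carrying the field
// names the JUnit template references.
type Vulnerability struct{ ID, Description, DataSource string }
type Artifact struct {
	Name string
	CPEs []string
}
type Match struct {
	Vulnerability Vulnerability
	Artifact      Artifact
}

// unsafeTemplate interpolates the description as raw element content, the
// pre-fix behaviour: any '<' or bare '&' in it breaks the XML document.
const unsafeTemplate = `<testsuite name="grype">
{{- range .}}
<testcase classname="{{html .Artifact.Name}}" name="{{html .Vulnerability.ID}}">
<failure message="{{html .Artifact.Name}}: {{html .Vulnerability.ID}}" type="description">
{{.Vulnerability.Description}}
CPEs:
{{- range .Artifact.CPEs}}
{{.}}
{{- end}}
DataSource: {{.Vulnerability.DataSource}}
</failure>
</testcase>
{{- end}}
</testsuite>
`

// cdataTemplate wraps the failure body in a CDATA section so the parser treats
// it as character data. Attribute values still go through the text/template
// builtin "html", because CDATA only covers element content.
const cdataTemplate = `<testsuite name="grype">
{{- range .}}
<testcase classname="{{html .Artifact.Name}}" name="{{html .Vulnerability.ID}}">
<failure message="{{html .Artifact.Name}}: {{html .Vulnerability.ID}}" type="description"><![CDATA[
{{cdataSafe .Vulnerability.Description}}
CPEs:
{{- range .Artifact.CPEs}}
{{.}}
{{- end}}
DataSource: {{.Vulnerability.DataSource}}
]]></failure>
</testcase>
{{- end}}
</testsuite>
`

// cdataSafe (hypothetical helper) closes and reopens the CDATA section around
// every "]]>" in the input, the one sequence a CDATA section cannot contain.
func cdataSafe(s string) string {
	return strings.ReplaceAll(s, "]]>", "]]]]><![CDATA[>")
}

func render(tmplText string, matches []Match) (string, error) {
	t, err := template.New("junit").Funcs(template.FuncMap{"cdataSafe": cdataSafe}).Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, matches); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Minimal JUnit shape for the round trip; ",chardata" accumulates plain text
// and CDATA sections alike, so the description comes back unchanged.
type junitFailure struct {
	Message string `xml:"message,attr"`
	Body    string `xml:",chardata"`
}
type junitCase struct {
	Name    string       `xml:"name,attr"`
	Failure junitFailure `xml:"failure"`
}
type junitSuite struct {
	XMLName   xml.Name    `xml:"testsuite"`
	TestCases []junitCase `xml:"testcase"`
}

func parseJUnit(doc string) (*junitSuite, error) {
	var s junitSuite
	if err := xml.Unmarshal([]byte(doc), &s); err != nil {
		return nil, err
	}
	return &s, nil
}

// sampleMatches is constructed input with placeholder IDs and made-up text:
// the first description carries '<' and '&', the second carries "]]>".
func sampleMatches() []Match {
	return []Match{
		{Vulnerability{"TEST-0001", `A crafted <Host> header & query string triggers the bug`, "https://example.invalid/TEST-0001"},
			Artifact{"libexample-1.0.0-r0 (apk)", []string{"cpe:2.3:a:libexample:libexample:1.0.0-r0:*:*:*:*:*:*:*"}}},
		{Vulnerability{"TEST-0002", `Archive parsing loops forever; a literal "]]>" in an entry name is mishandled`, "https://example.invalid/TEST-0002"},
			Artifact{"example-tool 2.1 (python)", []string{"cpe:2.3:a:example:tool:2.1:*:*:*:*:*:*:*", "cpe:2.3:a:example_project:tool:2.1:*:*:*:*:*:*:*"}}},
	}
}

func main() {
	out, err := render(cdataTemplate, sampleMatches())
	if err != nil {
		panic(err)
	}
	if _, err := parseJUnit(out); err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Running it prints the CDATA-wrapped report, which `encoding/xml` parses back with both descriptions intact; rendering `unsafeTemplate` on the same input produces a document the parser rejects at the `<Host>` and `&` in the first description.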