
action fails to generate report from xml generated by OWASP scanner that contains vulnerabilities #31

Closed
turing85 opened this issue Feb 25, 2023 · 2 comments · Fixed by #32

Comments

turing85 commented Feb 25, 2023

The action fails to generate a report from an XML file, generated by the OWASP dependency check plugin for Gradle, that contains a security vulnerability.

Logs of the failed step (debug logging was enabled):

Run phoenix-actions/test-reporting@v10
  with:
    fail-on-error: true
    list-suites: all
    list-tests: all
    name: OWASP Report
    only-summary: false
    path: **/build/reports/owasp/*-junit.xml
    reporter: java-junit
    token: ***
    path-replace-backslashes: false
    max-annotations: 10
    output-to: checks
  env:
    JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.6-10/x64
    JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.6-10/x64
Action was triggered by pull_request: using SHA from head of source branch
Check runs will be created with SHA=f4f66bc9b4c2f44316fe2af2a7b3caba29dcfb5f
::group::Listing all files tracked by git
Listing all files tracked by git
Found 116 files tracked by GitHub
Using test report parser 'java-junit'
::group::Creating test report OWASP Report
Creating test report OWASP Report
  Processing test results from build/reports/owasp/dependency-check-junit.xml
  Creating check run OWASP Report
  Creating report summary
  Generating check run summary
  ::endgroup::
Error: Cannot read properties of undefined (reading 'split')

The artifact containing the XML report that was processed is attached.

owasp-report.zip

turing85 commented Feb 25, 2023

It is definitely related to this part in the report:

<testsuite failures="1" errors="0" time="0" id="22" name="/home/runner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.14.2/f804090e6399ce0cf78242db086017512dd71fcc/jackson-core-2.14.2.jar" package="jackson-core-2.14.2.jar" skipped="0" tests="1" timestamp="2023-02-25T11:42:13.009952518">
    <testcase classname="CVE-2022-45688" name="pkg:maven/com.fasterxml.jackson.core/[email protected]">
        <failure message="cvssV3: HIGH, score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)"/>
        <system-out>A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.</system-out>
        <system-err>location: /home/runner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.14.2/f804090e6399ce0cf78242db086017512dd71fcc/jackson-core-2.14.2.jar, project-references: [ chameleon:compileClasspath, chameleon:runtimeClasspath, chameleon:productionRuntimeClasspath ]</system-err>
    </testcase>
</testsuite>

I think it is related to the fact that the failure does not have a text. The text is extracted as details here and then passed along to the method exceptionThrowSource(...). If details is undefined, then it might cause the error observed by calling split(...) here.
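The failure mode described in the comment above, reproduced as an added example (this is not code from phoenix-actions/test-reporting; the function names, the tiny regex-based `parseFailure` standing in for the action's XML layer, and the two sample test cases are constructed for this illustration). Dependency-check writes `<failure message="..."/>` with no element body, so the parsed `details` is `undefined`; a consumer that assumes a stack-trace string and calls `.split()` on it throws the exact `TypeError` seen in the log, while a guard that treats the body as optional just reports "source unknown".

```javascript
// Added example (not code from phoenix-actions/test-reporting): a minimal
// JUnit <failure> reader that reproduces the crash from the issue and the
// guard that fixes it. parseFailure() stands in for the action's XML layer;
// the function names and the sample XML below are constructed for this example.

// Constructed input 1: mirrors the dependency-check output quoted in the
// issue. <failure> is self-closing, so it has a message but no text body.
const SELF_CLOSING_FAILURE = `<testcase classname="CVE-2022-45688" name="pkg:maven/com.fasterxml.jackson.core/[email protected]">
    <failure message="cvssV3: HIGH, score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)"/>
</testcase>`;

// Constructed input 2: the shape a real test runner emits, with a stack trace
// in the element body.
const FAILURE_WITH_TRACE = `<testcase classname="FooTest" name="testBar">
    <failure message="expected 1 but was 2">java.lang.AssertionError: expected 1 but was 2
    at FooTest.testBar(FooTest.java:42)
</failure>
</testcase>`;

function unescapeXml(s) {
  return s
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&apos;/g, "'")
    .replace(/&amp;/g, '&');
}

// Returns { message, details } for the first <failure> in a <testcase>, or
// undefined when the test case has no failure. `details` is undefined when the
// element is self-closing, which is exactly what the issue's report produces.
function parseFailure(testcaseXml) {
  const m = testcaseXml.match(/<failure\b([^>]*?)(\/>|>([\s\S]*?)<\/failure>)/);
  if (m === null) return undefined;
  const msg = m[1].match(/\bmessage="([^"]*)"/);
  return {
    message: msg ? unescapeXml(msg[1]) : undefined,
    details: m[3] === undefined ? undefined : unescapeXml(m[3]).trim(),
  };
}

// Scans Java-style frames ("at pkg.Class.method(File.java:42)") and returns
// the first file:line pair, which a reporter uses to place an annotation.
function firstThrowSource(lines) {
  const frame = /^\s*at (.+)\((.+):(\d+)\)\s*$/;
  for (const line of lines) {
    const m = line.match(frame);
    if (m !== null) return { path: m[2], line: Number(m[3]) };
  }
  return undefined;
}

// Behaviour before the fix: the stack trace is assumed to be a string.
// With details === undefined this throws
// "TypeError: Cannot read properties of undefined (reading 'split')".
function exceptionThrowSourceUnguarded(details) {
  return firstThrowSource(details.split(/\r?\n/));
}

// Behaviour after the fix: failure text is optional. No body means there is
// no stack frame to point at, so the source location is simply unknown.
function exceptionThrowSource(details) {
  if (typeof details !== 'string' || details.length === 0) return undefined;
  return firstThrowSource(details.split(/\r?\n/));
}

// What a report generator needs per test case: message, optional details,
// optional source location. Never throws on attribute-only failures.
function summarizeTestcase(testcaseXml) {
  const failure = parseFailure(testcaseXml);
  if (failure === undefined) return { status: 'success' };
  return {
    status: 'failed',
    message: failure.message,
    details: failure.details,
    source: exceptionThrowSource(failure.details),
  };
}

// Shows the crash and the fix side by side for both constructed inputs.
function demo() {
  const results = {};
  const inputs = { selfClosing: SELF_CLOSING_FAILURE, withTrace: FAILURE_WITH_TRACE };
  for (const [label, xml] of Object.entries(inputs)) {
    const { details } = parseFailure(xml);
    let unguarded;
    try {
      unguarded = exceptionThrowSourceUnguarded(details);
    } catch (e) {
      unguarded = `threw ${e.constructor.name}: ${e.message}`;
    }
    results[label] = { unguarded, guarded: exceptionThrowSource(details) };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The check to take away for any JUnit consumer: the JUnit format is produced by far more than test runners (here a dependency scanner), and `message`-only, self-closing `<failure>` and `<error>` elements are legal, so the element body must be treated as optional before anything is split, trimmed or searched for stack frames.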

turing85 added a commit to turing85/test-reporting that referenced this issue Feb 28, 2023
- Made failure text optional
- removed unnecessary variable, inlined return
- Updated packages (npm audit fix)
turing85 added a commit to turing85/publish-report that referenced this issue Feb 28, 2023
turing85 added a commit to turing85/publish-report that referenced this issue Feb 28, 2023
Also fixed if-condition of "Update PR status comment on failure"
turing85 added a commit to turing85/publish-report that referenced this issue Feb 28, 2023
Also fixed if-condition of "Update PR status comment on failure"
turing85 added a commit to turing85/publish-report that referenced this issue Feb 28, 2023
- Temporary fix for #13 until phoenix-actions/test-reporting#31 is merged
- Fixed if-condition of "Update PR status comment on failure" (#14)
- Fixed variable name in Cancel Workflow (#15)
- Fixed default for comment-message-failure (#16)
turing85 added a commit to turing85/publish-report that referenced this issue Feb 28, 2023
Also fixed if-condition of "Update PR status comment on failure"
turing85 added a commit to turing85/publish-report that referenced this issue Feb 28, 2023
- Temporary fix for #13 until phoenix-actions/test-reporting#31 is merged
- Fixed if-condition of "Update PR status comment on failure" (#14)
- Fixed variable name in Cancel Workflow (#15)
- Fixed default for comment-message-failure (#16)
IanMoroney pushed a commit that referenced this issue Apr 4, 2023
- Made failure text optional
- removed unnecessary variable, inlined return
- Updated packages (npm audit fix)