
Junit xml format output #130

Merged
merged 4 commits into from
Jan 23, 2020

Conversation

DarthHater
Member

@DarthHater DarthHater commented Jan 23, 2020

Quick lil ditty to output things in a JUnit xml format.

Format stolen from: https://stackoverflow.com/questions/4922867/what-is-the-junit-xml-format-specification-that-hudson-supports

Introduces an xmlbuilder library.

Output looks like so when run against auditjs:

<?xml version="1.0"?>
<testsuite tests="142" timestamp="2020-01-23T16:05:01.503Z" failures="1">
  <testcase classname="pkg:npm/%40cyclonedx/bom@1.0.4" name="pkg:npm/%40cyclonedx/bom@1.0.4"/>
  <testcase classname="pkg:npm/parse-packagejson-name@1.0.1" name="pkg:npm/parse-packagejson-name@1.0.1"/>
  <testcase classname="pkg:npm/prettify-xml@1.2.0" name="pkg:npm/prettify-xml@1.2.0"/>
  <testcase classname="pkg:npm/read-installed@4.0.3" name="pkg:npm/read-installed@4.0.3"/>
  <testcase classname="pkg:npm/debuglog@1.0.1" name="pkg:npm/debuglog@1.0.1"/>
  <testcase classname="pkg:npm/read-package-json@2.1.1" name="pkg:npm/read-package-json@2.1.1"/>
  <testcase classname="pkg:npm/glob@7.1.3" name="pkg:npm/glob@7.1.3"/>
  <testcase classname="pkg:npm/fs.realpath@1.0.0" name="pkg:npm/fs.realpath@1.0.0"/>
  <testcase classname="pkg:npm/inflight@1.0.6" name="pkg:npm/inflight@1.0.6"/>
  <testcase classname="pkg:npm/once@1.4.0" name="pkg:npm/once@1.4.0"/>
  <testcase classname="pkg:npm/wrappy@1.0.2" name="pkg:npm/wrappy@1.0.2"/>
  <testcase classname="pkg:npm/inherits@2.0.4" name="pkg:npm/inherits@2.0.4"/>
  <testcase classname="pkg:npm/minimatch@3.0.4" name="pkg:npm/minimatch@3.0.4"/>
  <testcase classname="pkg:npm/brace-expansion@1.1.11" name="pkg:npm/brace-expansion@1.1.11"/>
  <testcase classname="pkg:npm/balanced-match@1.0.0" name="pkg:npm/balanced-match@1.0.0"/>
  <testcase classname="pkg:npm/concat-map@0.0.1" name="pkg:npm/concat-map@0.0.1"/>
  <testcase classname="pkg:npm/path-is-absolute@1.0.1" name="pkg:npm/path-is-absolute@1.0.1"/>
  <testcase classname="pkg:npm/json-parse-better-errors@1.0.2" name="pkg:npm/json-parse-better-errors@1.0.2"/>
  <testcase classname="pkg:npm/normalize-package-data@2.5.0" name="pkg:npm/normalize-package-data@2.5.0"/>
  <testcase classname="pkg:npm/hosted-git-info@2.8.5" name="pkg:npm/hosted-git-info@2.8.5"/>
  <testcase classname="pkg:npm/resolve@1.14.1" name="pkg:npm/resolve@1.14.1"/>
  <testcase classname="pkg:npm/path-parse@1.0.6" name="pkg:npm/path-parse@1.0.6"/>
  <testcase classname="pkg:npm/semver@5.7.1" name="pkg:npm/semver@5.7.1"/>
  <testcase classname="pkg:npm/validate-npm-package-license@3.0.4" name="pkg:npm/validate-npm-package-license@3.0.4"/>
  <testcase classname="pkg:npm/spdx-correct@3.1.0" name="pkg:npm/spdx-correct@3.1.0"/>
  <testcase classname="pkg:npm/spdx-expression-parse@3.0.0" name="pkg:npm/spdx-expression-parse@3.0.0"/>
  <testcase classname="pkg:npm/spdx-exceptions@2.2.0" name="pkg:npm/spdx-exceptions@2.2.0"/>
  <testcase classname="pkg:npm/spdx-license-ids@3.0.5" name="pkg:npm/spdx-license-ids@3.0.5"/>
  <testcase classname="pkg:npm/npm-normalize-package-bin@1.0.1" name="pkg:npm/npm-normalize-package-bin@1.0.1"/>
  <testcase classname="pkg:npm/readdir-scoped-modules@1.1.0" name="pkg:npm/readdir-scoped-modules@1.1.0"/>
  <testcase classname="pkg:npm/dezalgo@1.0.3" name="pkg:npm/dezalgo@1.0.3"/>
  <testcase classname="pkg:npm/asap@2.0.6" name="pkg:npm/asap@2.0.6"/>
  <testcase classname="pkg:npm/graceful-fs@4.2.3" name="pkg:npm/graceful-fs@4.2.3"/>
  <testcase classname="pkg:npm/slide@1.1.6" name="pkg:npm/slide@1.1.6"/>
  <testcase classname="pkg:npm/util-extend@1.0.3" name="pkg:npm/util-extend@1.0.3"/>
  <testcase classname="pkg:npm/ssri@6.0.1" name="pkg:npm/ssri@6.0.1"/>
  <testcase classname="pkg:npm/figgy-pudding@3.5.1" name="pkg:npm/figgy-pudding@3.5.1"/>
  <testcase classname="pkg:npm/uuid@3.3.3" name="pkg:npm/uuid@3.3.3"/>
  <testcase classname="pkg:npm/%40types/figlet@1.2.0" name="pkg:npm/%40types/figlet@1.2.0"/>
  <testcase classname="pkg:npm/%40types/js-yaml@3.12.1" name="pkg:npm/%40types/js-yaml@3.12.1"/>
  <testcase classname="pkg:npm/%40types/node@12.12.17" name="pkg:npm/%40types/node@12.12.17"/>
  <testcase classname="pkg:npm/%40types/node-fetch@2.5.4" name="pkg:npm/%40types/node-fetch@2.5.4"/>
  <testcase classname="pkg:npm/%40types/node-persist@3.0.0" name="pkg:npm/%40types/node-persist@3.0.0"/>
  <testcase classname="pkg:npm/%40types/yargs@13.0.3" name="pkg:npm/%40types/yargs@13.0.3"/>
  <testcase classname="pkg:npm/%40types/yargs-parser@13.1.0" name="pkg:npm/%40types/yargs-parser@13.1.0"/>
  <testcase classname="pkg:npm/%40types/yarnpkg__lockfile@1.1.3" name="pkg:npm/%40types/yarnpkg__lockfile@1.1.3"/>
  <testcase classname="pkg:npm/%40yarnpkg/lockfile@1.1.0" name="pkg:npm/%40yarnpkg/lockfile@1.1.0"/>
  <testcase classname="pkg:npm/chalk@3.0.0" name="pkg:npm/chalk@3.0.0"/>
  <testcase classname="pkg:npm/ansi-styles@4.2.0" name="pkg:npm/ansi-styles@4.2.0"/>
  <testcase classname="pkg:npm/%40types/color-name@1.1.1" name="pkg:npm/%40types/color-name@1.1.1"/>
  <testcase classname="pkg:npm/color-convert@2.0.1" name="pkg:npm/color-convert@2.0.1"/>
  <testcase classname="pkg:npm/color-name@1.1.4" name="pkg:npm/color-name@1.1.4"/>
  <testcase classname="pkg:npm/supports-color@7.1.0" name="pkg:npm/supports-color@7.1.0"/>
  <testcase classname="pkg:npm/has-flag@4.0.0" name="pkg:npm/has-flag@4.0.0"/>
  <testcase classname="pkg:npm/colors@1.4.0" name="pkg:npm/colors@1.4.0"/>
  <testcase classname="pkg:npm/figlet@1.2.4" name="pkg:npm/figlet@1.2.4"/>
  <testcase classname="pkg:npm/js-yaml@3.13.1" name="pkg:npm/js-yaml@3.13.1"/>
  <testcase classname="pkg:npm/argparse@1.0.10" name="pkg:npm/argparse@1.0.10"/>
  <testcase classname="pkg:npm/sprintf-js@1.0.3" name="pkg:npm/sprintf-js@1.0.3"/>
  <testcase classname="pkg:npm/esprima@4.0.1" name="pkg:npm/esprima@4.0.1"/>
  <testcase classname="pkg:npm/lodash@4.17.5" name="pkg:npm/lodash@4.17.5">
    <failure type="CWE-506: Embedded Malicious Code">Vulnerability Title: CWE-506: Embedded Malicious Code
ID: a86c2790-8c02-4fee-8d77-3366312f926b
Description: The application contains code that appears to be malicious in nature.
CVSS Score: 9.6
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/a86c2790-8c02-4fee-8d77-3366312f926b
</failure>
    <failure type="[NPMJS]Prototype Pollution">Vulnerability Title: [NPMJS]Prototype Pollution
ID: 78a61524-80c5-4371-b6d1-6b32af349043
Description: The component 'Lodash' is vulnerable.

null

[For all versions before 4.17.11.]
CVSS Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE: undefined
Reference: https://ossindex.sonatype.org/vuln/78a61524-80c5-4371-b6d1-6b32af349043
</failure>
  </testcase>
  <testcase classname="pkg:npm/node-fetch@2.6.0" name="pkg:npm/node-fetch@2.6.0"/>
  <testcase classname="pkg:npm/node-persist@3.0.5" name="pkg:npm/node-persist@3.0.5"/>
  <testcase classname="pkg:npm/mkdirp@0.5.1" name="pkg:npm/mkdirp@0.5.1"/>
  <testcase classname="pkg:npm/minimist@0.0.8" name="pkg:npm/minimist@0.0.8"/>
  <testcase classname="pkg:npm/ora@4.0.3" name="pkg:npm/ora@4.0.3"/>
  <testcase classname="pkg:npm/cli-cursor@3.1.0" name="pkg:npm/cli-cursor@3.1.0"/>
  <testcase classname="pkg:npm/restore-cursor@3.1.0" name="pkg:npm/restore-cursor@3.1.0"/>
  <testcase classname="pkg:npm/onetime@5.1.0" name="pkg:npm/onetime@5.1.0"/>
  <testcase classname="pkg:npm/mimic-fn@2.1.0" name="pkg:npm/mimic-fn@2.1.0"/>
  <testcase classname="pkg:npm/signal-exit@3.0.2" name="pkg:npm/signal-exit@3.0.2"/>
  <testcase classname="pkg:npm/cli-spinners@2.2.0" name="pkg:npm/cli-spinners@2.2.0"/>
  <testcase classname="pkg:npm/is-interactive@1.0.0" name="pkg:npm/is-interactive@1.0.0"/>
  <testcase classname="pkg:npm/log-symbols@3.0.0" name="pkg:npm/log-symbols@3.0.0"/>
  <testcase classname="pkg:npm/chalk@2.4.2" name="pkg:npm/chalk@2.4.2"/>
  <testcase classname="pkg:npm/ansi-styles@3.2.1" name="pkg:npm/ansi-styles@3.2.1"/>
  <testcase classname="pkg:npm/color-convert@1.9.3" name="pkg:npm/color-convert@1.9.3"/>
  <testcase classname="pkg:npm/color-name@1.1.3" name="pkg:npm/color-name@1.1.3"/>
  <testcase classname="pkg:npm/escape-string-regexp@1.0.5" name="pkg:npm/escape-string-regexp@1.0.5"/>
  <testcase classname="pkg:npm/supports-color@5.5.0" name="pkg:npm/supports-color@5.5.0"/>
  <testcase classname="pkg:npm/has-flag@3.0.0" name="pkg:npm/has-flag@3.0.0"/>
  <testcase classname="pkg:npm/mute-stream@0.0.8" name="pkg:npm/mute-stream@0.0.8"/>
  <testcase classname="pkg:npm/strip-ansi@6.0.0" name="pkg:npm/strip-ansi@6.0.0"/>
  <testcase classname="pkg:npm/ansi-regex@5.0.0" name="pkg:npm/ansi-regex@5.0.0"/>
  <testcase classname="pkg:npm/wcwidth@1.0.1" name="pkg:npm/wcwidth@1.0.1"/>
  <testcase classname="pkg:npm/defaults@1.0.3" name="pkg:npm/defaults@1.0.3"/>
  <testcase classname="pkg:npm/clone@1.0.4" name="pkg:npm/clone@1.0.4"/>
  <testcase classname="pkg:npm/winston@3.2.1" name="pkg:npm/winston@3.2.1"/>
  <testcase classname="pkg:npm/async@2.6.3" name="pkg:npm/async@2.6.3"/>
  <testcase classname="pkg:npm/lodash@4.17.15" name="pkg:npm/lodash@4.17.15"/>
  <testcase classname="pkg:npm/diagnostics@1.1.1" name="pkg:npm/diagnostics@1.1.1"/>
  <testcase classname="pkg:npm/colorspace@1.1.2" name="pkg:npm/colorspace@1.1.2"/>
  <testcase classname="pkg:npm/color@3.0.0" name="pkg:npm/color@3.0.0"/>
  <testcase classname="pkg:npm/color-string@1.5.3" name="pkg:npm/color-string@1.5.3"/>
  <testcase classname="pkg:npm/simple-swizzle@0.2.2" name="pkg:npm/simple-swizzle@0.2.2"/>
  <testcase classname="pkg:npm/is-arrayish@0.3.2" name="pkg:npm/is-arrayish@0.3.2"/>
  <testcase classname="pkg:npm/text-hex@1.0.0" name="pkg:npm/text-hex@1.0.0"/>
  <testcase classname="pkg:npm/enabled@1.0.2" name="pkg:npm/enabled@1.0.2"/>
  <testcase classname="pkg:npm/env-variable@0.0.5" name="pkg:npm/env-variable@0.0.5"/>
  <testcase classname="pkg:npm/kuler@1.0.1" name="pkg:npm/kuler@1.0.1"/>
  <testcase classname="pkg:npm/colornames@1.1.1" name="pkg:npm/colornames@1.1.1"/>
  <testcase classname="pkg:npm/is-stream@1.1.0" name="pkg:npm/is-stream@1.1.0"/>
  <testcase classname="pkg:npm/logform@2.1.2" name="pkg:npm/logform@2.1.2"/>
  <testcase classname="pkg:npm/fast-safe-stringify@2.0.7" name="pkg:npm/fast-safe-stringify@2.0.7"/>
  <testcase classname="pkg:npm/fecha@2.3.3" name="pkg:npm/fecha@2.3.3"/>
  <testcase classname="pkg:npm/ms@2.1.2" name="pkg:npm/ms@2.1.2"/>
  <testcase classname="pkg:npm/triple-beam@1.3.0" name="pkg:npm/triple-beam@1.3.0"/>
  <testcase classname="pkg:npm/one-time@0.0.4" name="pkg:npm/one-time@0.0.4"/>
  <testcase classname="pkg:npm/readable-stream@3.4.0" name="pkg:npm/readable-stream@3.4.0"/>
  <testcase classname="pkg:npm/string_decoder@1.3.0" name="pkg:npm/string_decoder@1.3.0"/>
  <testcase classname="pkg:npm/safe-buffer@5.2.0" name="pkg:npm/safe-buffer@5.2.0"/>
  <testcase classname="pkg:npm/util-deprecate@1.0.2" name="pkg:npm/util-deprecate@1.0.2"/>
  <testcase classname="pkg:npm/stack-trace@0.0.10" name="pkg:npm/stack-trace@0.0.10"/>
  <testcase classname="pkg:npm/winston-transport@4.3.0" name="pkg:npm/winston-transport@4.3.0"/>
  <testcase classname="pkg:npm/readable-stream@2.3.6" name="pkg:npm/readable-stream@2.3.6"/>
  <testcase classname="pkg:npm/core-util-is@1.0.2" name="pkg:npm/core-util-is@1.0.2"/>
  <testcase classname="pkg:npm/isarray@1.0.0" name="pkg:npm/isarray@1.0.0"/>
  <testcase classname="pkg:npm/process-nextick-args@2.0.1" name="pkg:npm/process-nextick-args@2.0.1"/>
  <testcase classname="pkg:npm/safe-buffer@5.1.2" name="pkg:npm/safe-buffer@5.1.2"/>
  <testcase classname="pkg:npm/string_decoder@1.1.1" name="pkg:npm/string_decoder@1.1.1"/>
  <testcase classname="pkg:npm/xmlbuilder@13.0.2" name="pkg:npm/xmlbuilder@13.0.2"/>
  <testcase classname="pkg:npm/yargs@15.0.2" name="pkg:npm/yargs@15.0.2"/>
  <testcase classname="pkg:npm/cliui@6.0.0" name="pkg:npm/cliui@6.0.0"/>
  <testcase classname="pkg:npm/string-width@4.2.0" name="pkg:npm/string-width@4.2.0"/>
  <testcase classname="pkg:npm/emoji-regex@8.0.0" name="pkg:npm/emoji-regex@8.0.0"/>
  <testcase classname="pkg:npm/is-fullwidth-code-point@3.0.0" name="pkg:npm/is-fullwidth-code-point@3.0.0"/>
  <testcase classname="pkg:npm/wrap-ansi@6.2.0" name="pkg:npm/wrap-ansi@6.2.0"/>
  <testcase classname="pkg:npm/decamelize@1.2.0" name="pkg:npm/decamelize@1.2.0"/>
  <testcase classname="pkg:npm/find-up@4.1.0" name="pkg:npm/find-up@4.1.0"/>
  <testcase classname="pkg:npm/locate-path@5.0.0" name="pkg:npm/locate-path@5.0.0"/>
  <testcase classname="pkg:npm/p-locate@4.1.0" name="pkg:npm/p-locate@4.1.0"/>
  <testcase classname="pkg:npm/p-limit@2.2.1" name="pkg:npm/p-limit@2.2.1"/>
  <testcase classname="pkg:npm/p-try@2.2.0" name="pkg:npm/p-try@2.2.0"/>
  <testcase classname="pkg:npm/path-exists@4.0.0" name="pkg:npm/path-exists@4.0.0"/>
  <testcase classname="pkg:npm/get-caller-file@2.0.5" name="pkg:npm/get-caller-file@2.0.5"/>
  <testcase classname="pkg:npm/require-directory@2.1.1" name="pkg:npm/require-directory@2.1.1"/>
  <testcase classname="pkg:npm/require-main-filename@2.0.0" name="pkg:npm/require-main-filename@2.0.0"/>
  <testcase classname="pkg:npm/set-blocking@2.0.0" name="pkg:npm/set-blocking@2.0.0"/>
  <testcase classname="pkg:npm/which-module@2.0.0" name="pkg:npm/which-module@2.0.0"/>
  <testcase classname="pkg:npm/y18n@4.0.0" name="pkg:npm/y18n@4.0.0"/>
  <testcase classname="pkg:npm/yargs-parser@16.1.0" name="pkg:npm/yargs-parser@16.1.0"/>
  <testcase classname="pkg:npm/camelcase@5.3.1" name="pkg:npm/camelcase@5.3.1"/>
</testsuite>

Right now I've created a testcase for every dependency, and version via the purl, and then added failures with the results of what failed (title and description for now). This will show as a lot of testcases (dependent on your project), and show vulnerable deps as failed test cases.

To test: auditjs ossi --xml > file.xml and that file.xml could be saved as testresults in Jenkins

auditjs output to XML worked slightly differently, I think I dig this way more? Would love to hear others' feedback.

Fixes #115

CC @ajurgenson55 @allenhsieh @ken-duck
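The mapping described in the PR (one testcase per dependency purl, one failure per vulnerability, failures counted per vulnerable dependency as in the sample output), as an added example that is not the auditjs project's own code and does not use its xmlbuilder dependency: it builds the document by hand with explicit escaping, so advisory titles or package names containing XML metacharacters cannot break or inject into the report that Jenkins parses. The field names on the result objects, the function names and the sample input are assumptions modelled on the text in the sample output above.

```javascript
// Added example, not code from the auditjs project or this PR: generate a
// JUnit-style XML report from audit results, following the layout shown in
// the PR description (one <testcase> per dependency purl, one <failure> per
// vulnerability). Field names on the result objects are assumptions modelled
// on the text in the sample output; the sample input below is constructed.

function escapeXml(value) {
  // Escape the five XML special characters so advisory text or a crafted
  // package name cannot inject elements into the report that CI will parse.
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

function failureBody(vuln) {
  return [
    `Vulnerability Title: ${vuln.title}`,
    `ID: ${vuln.id}`,
    `Description: ${vuln.description}`,
    `CVSS Score: ${vuln.cvssScore}`,
    `CVSS Vector: ${vuln.cvssVector}`,
    `CVE: ${vuln.cve}`,
    `Reference: ${vuln.reference}`,
  ].join('\n');
}

function toJUnitXml(results, timestamp = new Date().toISOString()) {
  // As in the PR output, "failures" counts vulnerable dependencies, not
  // individual advisories: a dependency with two <failure> children still
  // contributes one to the failures attribute.
  const vulnerable = results.filter((r) => (r.vulnerabilities || []).length > 0);
  const lines = ['<?xml version="1.0"?>'];
  lines.push(
    `<testsuite tests="${results.length}" timestamp="${escapeXml(timestamp)}" failures="${vulnerable.length}">`
  );
  for (const result of results) {
    const purl = escapeXml(result.purl);
    const vulns = result.vulnerabilities || [];
    if (vulns.length === 0) {
      lines.push(`  <testcase classname="${purl}" name="${purl}"/>`);
      continue;
    }
    lines.push(`  <testcase classname="${purl}" name="${purl}">`);
    for (const vuln of vulns) {
      lines.push(
        `    <failure type="${escapeXml(vuln.title)}">${escapeXml(failureBody(vuln))}</failure>`
      );
    }
    lines.push('  </testcase>');
  }
  lines.push('</testsuite>');
  return lines.join('\n') + '\n';
}

function countElements(xml, name) {
  // Count opening tags of `name` (self-closing or not); closing tags
  // start with "</" and therefore do not match.
  const re = new RegExp(`<${name}[\\s/>]`, 'g');
  return (xml.match(re) || []).length;
}

// Constructed sample input: two clean dependencies and one with two
// advisories, the first of which has XML metacharacters in its title.
const SAMPLE_RESULTS = [
  { purl: 'pkg:npm/glob@7.1.3', vulnerabilities: [] },
  { purl: 'pkg:npm/once@1.4.0', vulnerabilities: [] },
  {
    purl: 'pkg:npm/example-lib@1.0.0',
    vulnerabilities: [
      {
        title: 'Prototype Pollution <demo> & "quotes"',
        id: 'EXAMPLE-ID-0001',
        description: 'Constructed advisory text for the example.',
        cvssScore: 8.8,
        cvssVector: 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H',
        cve: undefined,
        reference: 'https://example.invalid/vuln/EXAMPLE-ID-0001',
      },
      {
        title: 'Denial of Service (constructed)',
        id: 'EXAMPLE-ID-0002',
        description: 'Second constructed advisory.',
        cvssScore: 7.5,
        cvssVector: 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H',
        cve: 'CVE-PLACEHOLDER',
        reference: 'https://example.invalid/vuln/EXAMPLE-ID-0002',
      },
    ],
  },
];

if (typeof require !== 'undefined' && require.main === module) {
  // Equivalent of `auditjs ossi --xml > file.xml`: write only the report to stdout.
  process.stdout.write(toJUnitXml(SAMPLE_RESULTS));
}
```

Because the report is written to stdout, anything else the process prints (the "noise" from `npm run start` mentioned later in the thread) ends up inside the file and makes it unparseable; keeping the XML as the only stdout output, or writing it to a file directly, is what makes the Jenkins JUnit step reliable.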

@allenhsieh
Contributor

LGTM!

@allenhsieh
Contributor

allenhsieh commented Jan 23, 2020

LGTM! Piping correctly too -- discussed lines 2 and 3 on Slack (should not show up when run normally, i.e. without npm run ossi -- --xml):

@allenhsieh allenhsieh requested a review from ButterB0wl January 23, 2020 16:20
@DarthHater
Member Author

One note, this will not work properly if you run the application using npm run start, since it adds all its own noise etc...

I am coming around to writing a file (still don't want to do it, but I can't control totally how auditjs is executed), any input?

@DarthHater
Member Author

@ajurgenson55 gave this a quick once over in Jenkins and it appears to work. Merging and then I'll handle any issues that come up in the future.

@DarthHater DarthHater merged commit 2a10a77 into alpha Jan 23, 2020
@DarthHater DarthHater deleted the JunitXMLFormat branch January 23, 2020 18:43
DarthHater added a commit that referenced this pull request Jan 23, 2020
DarthHater pushed a commit that referenced this pull request Jan 23, 2020
## [4.0.1-beta.11](v4.0.1-beta.10...v4.0.1-beta.11) (2020-01-23)

### Bug Fixes

* Junit xml format output ([#130](#130)) ([7e26c6c](7e26c6c))
DarthHater pushed a commit that referenced this pull request Jan 23, 2020
## [4.0.1-alpha.15](v4.0.1-alpha.14...v4.0.1-alpha.15) (2020-01-23)

### Bug Fixes

* add logging ([50654b7](50654b7))
* got out of whack, fixing releaserc ([58b5945](58b5945))
* Junit xml format output ([#130](#130)) ([2a10a77](2a10a77))
* muncher validation ([#133](#133)) ([0686b61](0686b61))
* note node version supported ([0f13acc](0f13acc))
* straight to alpha, address running without commands ([e1a9fc5](e1a9fc5))
* uppercase fix ([4c65ebd](4c65ebd))
@DarthHater
Member Author

🎉 This PR is included in version 4.0.1-alpha.15 🎉

The release is available on:

Your semantic-release bot 📦🚀
