trivy config junit output missing location information

[internetstaff]

Description

We're trying to migrate from tfsec to trivy. We're on Gitlab, and have it parsing tfsec's junit output as test failures to fail pipelines.

This works great: we get a description of the problem and a source location (filename + line number).

Using trivy config with the junit output, we get the failures and a description, but the failure element is missing any location information - it just has a description of the problem instead.

Example with tfsec:

<failure message="IAM policy document uses sensitive action &#39;ec2:CancelSpotInstanceRequests&#39; on wildcarded resource &#39;*&#39;" type="">path/path/iam.tf:160&#xA;&#xA;    resources = [&#34;*&#34;]&#xA;&#xA;&#xA;See https://aquasecurity.github.io/tfsec/v1.28.1/checks/aws/iam/no-policy-wildcards/</failure>

Example with trivy:

<failure message="IAM Pass Role Filtering" type="description">Ensures any IAM pass role attched to roles are flagged and warned.</failure>

We're currently working around this by adding the gitlab-codequality template, which does include specific locations that are parsed by Gitlab. We have to rely on the junit output to fail the pipeline, and the codequality output to provide useful output. :)

Desired Behavior

Junit failures contain specific location information parseable by Gitlab

Actual Behavior

Junit failures only have a description.

Reproduction Steps

1.trivy config . --format template  --template "@/usr/local/share/trivy/templates/junit.tpl" --output "trivy-junit.xml"
2.
3.
...

Target

Filesystem

Scanner

Misconfiguration

Output Format

Template

Mode

Standalone

Debug Output

This is massive, and I suspect not helpful. I can isolate a case if needed.

Operating System

Fedora Linux

Version

Version: 0.61.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-24 12:18:07.65173366 +0000 UTC
  NextUpdate: 2024-10-25 12:18:07.651733519 +0000 UTC
  DownloadedAt: 2024-10-24 14:06:22.591494706 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-10-03 02:32:34.633277595 +0000 UTC
  NextUpdate: 2024-10-06 02:32:34.633277484 +0000 UTC
  DownloadedAt: 0001-01-01 00:00:00 +0000 UTC
Check Bundle:
  Digest: sha256:40facaecbac0958cc77e7081820f92b9a2d8c0ce2d0310a120f3275aae046863
  DownloadedAt: 2025-04-23 21:24:51.259648429 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[nikpivkin]

Hi @internetstaff !

I'll take a look.

[nikpivkin]

@aquasecurity/trivy Do you know which JUnit standard our template is based on? I tried to find the schema in the official documentation in hopes of finding attribute support for specifying the location of the issue, but was unsuccessful. I found several issues in the junit repository with schema definition requests junit-team/junit5#2625 junit-team/junit5#373. Should we just add the location information to the message as was done in tfsec, and users can write an output plugin to support some standard?

[knqyf263]

I wasn’t aware that there isn’t an official specification—instead, various tools have defined multiple de facto standards. When we added the JUnit template, I referred to CircleCI’s format, and it appears that CircleCI uses the Apache Ant JUnit XML format.

What is JUnit XML? … it outputs its results in the Apache Ant JUnit XML format.

https://circleci.com/blog/how-to-output-junit-tests-through-circleci-2-0-for-expanded-insights/

However, since we were not explicitly developing to adhere to the Apache Ant JUnit format, the current output may not conform to any of the standards.

[simar7]

Should we just add the location information to the message as was done in tfsec

We can start with this at first - given we don't conform to any standards today to me that's a separate discussion if we should or not.

[nikpivkin]

Track #8790