action fails to generate report from xml generated by OWASP scanner that contains vulnerabilities

[turing85]

The action fails to generate a report of an XML file, generated by the owasp dependecy check plugin for gradle, that contains a security vulnerability.

Logs of failed step (debug logging was enabled):

Run phoenix-actions/test-reporting@v10
  with:
    fail-on-error: true
    list-suites: all
    list-tests: all
    name: OWASP Report
    only-summary: false
    path: **/build/reports/owasp/*-junit.xml
    reporter: java-junit
    token: ***
    path-replace-backslashes: false
    max-annotations: 10
    output-to: checks
  env:
    JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.6-10/x64
    JAVA_HOME_17_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.6-10/x64
Action was triggered by pull_request: using SHA from head of source branch
Check runs will be created with SHA=f4f66bc9b4c2f44316fe2af2a7b3caba29dcfb5f
::group::Listing all files tracked by git
Listing all files tracked by git
Found 116 files tracked by GitHub
Using test report parser 'java-junit'
::group::Creating test report OWASP Report
Creating test report OWASP Report
  Processing test results from build/reports/owasp/dependency-check-junit.xml
  Creating check run OWASP Report
  Creating report summary
  Generating check run summary
  ::endgroup::
Error: Cannot read properties of undefined (reading 'split')

The artifact containing the XML report that was processed is attached.

owasp-report.zip

[turing85]

It is definitively related to this part in the report:

<testsuite failures="1" errors="0" time="0" id="22" name="/home/runner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.14.2/f804090e6399ce0cf78242db086017512dd71fcc/jackson-core-2.14.2.jar" package="jackson-core-2.14.2.jar" skipped="0" tests="1" timestamp="2023-02-25T11:42:13.009952518">
    <testcase classname="CVE-2022-45688" name="pkg:maven/com.fasterxml.jackson.core/jackson-core@2.14.2">
        <failure message="cvssV3: HIGH, score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)"/>
        <system-out>A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.</system-out>
        <system-err>location: /home/runner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.14.2/f804090e6399ce0cf78242db086017512dd71fcc/jackson-core-2.14.2.jar, project-references: [ chameleon:compileClasspath, chameleon:runtimeClasspath, chameleon:productionRuntimeClasspath ]</system-err>
    </testcase>
</testsuite>

I think it is related to the fact that the failure does not have a text. The text is extracted as details here and then passed along to method exceptionThrowSource(...). If details is undefined, then it might cause the error observed by calling split(....) here.

[IanMoroney]

Fixed in https://github.com/phoenix-actions/test-reporting/releases/tag/v11