mondoohq · czunker · Dec 17, 2024 · Dec 17, 2024
diff --git a/cli/reporter/junit.go b/cli/reporter/junit.go
@@ -8,11 +8,9 @@ import (
 	"fmt"
 	"strconv"
 
-	mapstructure "github.com/go-viper/mapstructure/v2"
 	"github.com/jstemmer/go-junit-report/v2/junit"
 	"go.mondoo.com/cnquery/v11/explorer"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/inventory"
-	"go.mondoo.com/cnquery/v11/providers-sdk/v1/upstream/mvd"
 	"go.mondoo.com/cnquery/v11/utils/iox"
 	"go.mondoo.com/cnspec/v11/policy"
 )
@@ -164,17 +162,11 @@ func assetPolicyTests(r *policy.ReportCollection, assetMrn string, assetObj *inv
 // assetPolicyTests converts asset vulnerability results to Junit test cases
 func assetMvdTests(r *policy.ReportCollection, assetMrn string, assetObj *inventory.Asset) *junit.Testsuite {
 	// check if we have a vulnerability report
-	results, ok := r.Reports[assetMrn]
+	vulnReport, ok := r.VulnReports[assetMrn]
 	if !ok {
 		return nil
 	}
 
-	rawResults := results.RawResults()
-	value, _ := getVulnReport(rawResults)
-	if value == nil || value.Data == nil {
-		return nil
-	}
-
 	ts := &junit.Testsuite{
 		Name:      "Vulnerability Report for " + assetObj.Name,
 		Tests:     0,
@@ -183,36 +175,6 @@ func assetMvdTests(r *policy.ReportCollection, assetMrn string, assetObj *invent
 		Testcases: []junit.Testcase{},
 	}
 
-	if value.Data.Error != nil {
-		ts.Errors++
-		ts.Testcases = append(ts.Testcases, junit.Testcase{
-			Failure: &junit.Result{
-				Message: "could not load the vulnerability report: " + value.Data.Error.Error(),
-				Type:    "fail",
-			},
-		})
-		return ts
-	}
-
-	// parse the vulnerability report
-	rawData := value.Data.Value
-	var vulnReport mvd.VulnReport
-	cfg := &mapstructure.DecoderConfig{
-		Metadata: nil,
-		Result:   &vulnReport,
-		TagName:  "json",
-	}
-	decoder, _ := mapstructure.NewDecoder(cfg)
-	if err := decoder.Decode(rawData); err != nil {
-		ts.Errors++
-		ts.Testcases = append(ts.Testcases, junit.Testcase{
-			Failure: &junit.Result{
-				Message: "could not decode advisory report",
-				Type:    "fail",
-			},
-		})
-	}
-
 	// packages advisories
 	if vulnReport.Stats != nil && vulnReport.Stats.Packages != nil && vulnReport.Stats.Packages.Affected > 0 {
 		ts.Tests = len(vulnReport.Packages)
@@ -252,7 +214,7 @@ func assetMvdTests(r *policy.ReportCollection, assetMrn string, assetObj *invent
 				ts.Failures++
 
 				var content string
-				content += pkg.Name + "with version" + pkg.Version + " has known vulnerabilities"
+				content += pkg.Name + " with version" + pkg.Version + " has known vulnerabilities"
 				if pkg.Score > 0 {
 					content += " (score " + fmt.Sprintf("%v", float32(pkg.Score)/10) + ")"
 				}

diff --git a/cli/reporter/junit_test.go b/cli/reporter/junit_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.mondoo.com/cnquery/v11/explorer"
 	"go.mondoo.com/cnquery/v11/providers-sdk/v1/inventory"
+	"go.mondoo.com/cnquery/v11/providers-sdk/v1/upstream/mvd"
 	"go.mondoo.com/cnquery/v11/utils/iox"
 	"go.mondoo.com/cnspec/v11/policy"
 )
@@ -73,11 +74,11 @@ func sampleReportCollection() *policy.ReportCollection {
 				},
 				// add passed, failed and skipped test
 				Scores: map[string]*policy.Score{
-					"+u6doYoYG5E=": &policy.Score{
+					"+u6doYoYG5E=": {
 						Type:  2, // result
 						Value: 100,
 					},
-					"057itYF8s30=": &policy.Score{
+					"057itYF8s30=": {
 						Type:  4, // error
 						Value: 0,
 					},
@@ -88,6 +89,26 @@ func sampleReportCollection() *policy.ReportCollection {
 				},
 			},
 		},
+		VulnReports: map[string]*mvd.VulnReport{
+			"//assets.api.mondoo.app/spaces/dazzling-golick-767384/assets/2DRZ1cCWFyTYCArycAXHwvn1oU2": {
+				Packages: []*mvd.Package{
+					{
+						Name:      "libssl1.1",
+						Version:   "1.1.1f-3ubuntu2.19",
+						Affected:  true,
+						Score:     100,
+						Available: "1.1.1f-3ubuntu2.20",
+					},
+				},
+				Stats: &mvd.ReportStats{
+					Packages: &mvd.ReportStatsPackages{
+						Total:    1,
+						Critical: 1,
+						Affected: 1,
+					},
+				},
+			},
+		},
 	}
 }
 
@@ -103,6 +124,11 @@ func TestJunitConverter(t *testing.T) {
 	assert.Contains(t, junitReport, "<testcase name=\"Ensure SNMP server is stopped and not enabled\" classname=\"score\"></testcase>")
 	assert.Contains(t, junitReport, "<testcase name=\"Configure kubelet to capture all event creation\" classname=\"score\">\n\t\t\t<failure message=\"\" type=\"error\"></failure>\n\t\t</testcase>")
 	assert.Contains(t, junitReport, "<testcase name=\"Set secure file permissions on the scheduler.conf file\" classname=\"score\">\n\t\t\t<skipped message=\"skipped\"></skipped>\n\t\t</testcase>")
+	assert.Contains(t, junitReport, "<testsuite name=\"Vulnerability Report for")
+	assert.Contains(t, junitReport, "<property name=\"report.packages.total\" value=\"1\"></property>")
+	assert.Contains(t, junitReport, "<property name=\"report.packages.critical\" value=\"1\"></property>")
+	assert.Contains(t, junitReport, "<testcase name=\"libssl1.1\" classname=\"vulnerability\">")
+	assert.Contains(t, junitReport, "<failure message=\"Update libssl1.1 to 1.1.1f-3ubuntu2.20\"><![CDATA[libssl1.1 with version1.1.1f-3ubuntu2.19 has known vulnerabilities (score 10)]]></failure>")
 }
 
 func TestJunitNilReport(t *testing.T) {