Add JUnit report support for license scanning

[psibre]

Description

Similar to #7264 and #7374, the JUnit template only processes vulnerabilities and misconfigurations, but should also handle licenses.

Desired Behavior

Running Trivy with the JUnit template on an SBOM file that contains license information should produce an XML report with testcases and failures (that can be processed to handle license policy violations, e.g., in GitLab CI/CD).

The report info should be consistent with the existing, default table report, e.g.,

$ trivy sbom --scanners license sbom.json 
2024-08-27T18:16:12+02:00       INFO    [license] License scanning is enabled
2024-08-27T18:16:12+02:00       INFO    Detected SBOM format    format="cyclonedx-json"
2024-08-27T18:16:12+02:00       WARN    Third-party SBOM may lead to inaccurate vulnerability detection
2024-08-27T18:16:12+02:00       WARN    Recommend using Trivy to generate SBOMs

Python (license)

Total: 16 (UNKNOWN: 10, LOW: 6, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌──────────────┬────────────────────────────────────────────────────┬────────────────┬──────────┐
│   Package    │                      License                       │ Classification │ Severity │
├──────────────┼────────────────────────────────────────────────────┼────────────────┼──────────┤
│ Jinja2       │ BSD-3-Clause                                       │ Notice         │ LOW      │
│              ├────────────────────────────────────────────────────┼────────────────┼──────────┤
│              │ License :: OSI Approved :: BSD License             │ Non Standard   │ UNKNOWN  │
├──────────────┼────────────────────────────────────────────────────┼────────────────┼──────────┤
│ MarkupSafe   │ BSD-3-Clause                                       │ Notice         │ LOW      │
│              ├────────────────────────────────────────────────────┼────────────────┼──────────┤
│              │ License :: OSI Approved :: BSD License             │ Non Standard   │ UNKNOWN  │
├──────────────┼────────────────────────────────────────────────────┼────────────────┼──────────┤
│ PyYAML       │ MIT                                                │ Notice         │ LOW      │
├──────────────┼────────────────────────────────────────────────────┼────────────────┼──────────┤
│ ansible-core │ GPL-3.0-or-later                                   │ Non Standard   │ UNKNOWN  │
│              ├────────────────────────────────────────────────────┤                │          │
│              │ declared license of 'ansible-core'                 │                │          │
├──────────────┼────────────────────────────────────────────────────┼────────────────┼──────────┤
│ cffi         │ MIT                                                │ Notice         │ LOW      │
├──────────────┼────────────────────────────────────────────────────┼────────────────┼──────────┤
│ cryptography │ Apache-2.0 OR BSD-3-Clause                         │ Non Standard   │ UNKNOWN  │
├──────────────┼────────────────────────────────────────────────────┤                │          │
│ packaging    │ License :: OSI Approved :: Apache Software License │                │          │
│              ├────────────────────────────────────────────────────┤                │          │
│              │ License :: OSI Approved :: BSD License             │                │          │
├──────────────┼────────────────────────────────────────────────────┼────────────────┼──────────┤
│ pip          │ MIT                                                │ Notice         │ LOW      │
├──────────────┼────────────────────────────────────────────────────┼────────────────┼──────────┤
│ pycparser    │ License :: OSI Approved :: BSD License             │ Non Standard   │ UNKNOWN  │
│              ├────────────────────────────────────────────────────┤                │          │
│              │ declared license of 'pycparser'                    │                │          │
├──────────────┼────────────────────────────────────────────────────┼────────────────┼──────────┤
│ resolvelib   │ ISC                                                │ Notice         │ LOW      │
│              ├────────────────────────────────────────────────────┼────────────────┼──────────┤
│              │ declared license of 'resolvelib'                   │ Non Standard   │ UNKNOWN  │
└──────────────┴────────────────────────────────────────────────────┴────────────────┴──────────┘

Actual Behavior

Licenses in the SBOM are ignored; the license scanner with the JUnit template produces a report that contains no license testcases.

I've attached a toy SBOM generated from a Python environment via CycloneDX Python SBOM Generation Tool:

• sbom.json

Reproduction Steps

1. Create an SBOM file that contains license information
2. Run `trivy sbom --scanners license --format template --template @${PATH_TO_JUNIT_TPL} ${SBOM_FILE}`
3. Observe JUnit XML report with no license information.

Target

SBOM

Scanner

License

Output Format

Template

Mode

Standalone

Debug Output

$ trivy sbom --debug --scanners license --format template --template @/usr/local/share/trivy/templates/junit.tpl sbom.json
2024-08-27T18:04:52+02:00       DEBUG   Cache dir       dir="/home/bob/.cache/trivy"
2024-08-27T18:04:52+02:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-08-27T18:04:52+02:00       DEBUG   Ignore statuses statuses=[]
2024-08-27T18:04:52+02:00       INFO    [license] License scanning is enabled
2024-08-27T18:04:52+02:00       DEBUG   Enabling misconfiguration scanners      scanners=[]
2024-08-27T18:04:52+02:00       DEBUG   Initializing scan cache...      type="memory"
2024-08-27T18:04:52+02:00       INFO    Detected SBOM format    format="cyclonedx-json"
2024-08-27T18:04:52+02:00       DEBUG   Unmarshalling CycloneDX JSON...
2024-08-27T18:04:52+02:00       WARN    Third-party SBOM may lead to inaccurate vulnerability detection
2024-08-27T18:04:52+02:00       WARN    Recommend using Trivy to generate SBOMs
2024-08-27T18:04:52+02:00       DEBUG   [sbom] Skipping a component with an unsupported type    file_path="sbom.json" name="awesome-python-app" version="0.1.0.dev0" type=""
2024-08-27T18:04:52+02:00       DEBUG   OS is not detected.
2024-08-27T18:04:52+02:00       DEBUG   [vex] VEX filtering is disabled
<?xml version="1.0" ?>
<testsuites name="trivy">
    <testsuite tests="0" failures="0" name="OS Packages" errors="0" skipped="0" time="">
    </testsuite>
    <testsuite tests="0" failures="0" name="OS Packages" errors="0" skipped="0" time="">
    </testsuite>
    <testsuite tests="0" failures="0" name="Python" errors="0" skipped="0" time="">
    </testsuite>
    <testsuite tests="0" failures="0" name="Python" errors="0" skipped="0" time="">
    </testsuite>
    <testsuite tests="0" failures="0" name="Loose File License(s)" errors="0" skipped="0" time="">
    </testsuite>
    <testsuite tests="0" failures="0" name="Loose File License(s)" errors="0" skipped="0" time="">
    </testsuite>
</testsuites>

Operating System

Ubuntu 22.04

Version

$ trivy --version
Version: 0.54.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @psibre
Thanks for your report!

Can you share examples of license usage in JUnit reports?

Regards, Dmitriy

[psibre]

There's nothing special about licenses in JUnit reports, just like there's nothing special about vulnerabilities. It's just a bunch of testcases (and failures as appropriate). I've added a description in #7409 (comment) that should illustrate the benefit.

But the nice thing about having licenses in a JUnit XML report in this way is that it's possible to, e.g., show those in a Merge Request in GitLab... especially when combined with severity filtering, custom exit codes, and allowed failures. So some GitLab CI/CD pipeline logic along the lines of...

scan:
  stage: test
  image:
    name: ghcr.io/aquasecurity/trivy:0.54.1
    entrypoint: [ '' ]
  variables:
    TRIVY_SCANNERS: license
    TRIVY_FORMAT: template
    TRIVY_TEMPLATE: "@/contrib/junit.tpl"
    TRIVY_OUTPUT: trivy.xml
  parallel:
    matrix:
    - TRIVY_SEVERITY: MEDIUM,LOW
    - TRIVY_SEVERITY: CRITICAL,HIGH,UNKNOWN
      TRIVY_EXIT_CODE: 2
  script: trivy sbom sbom.json
  artifacts:
    reports:
      junit:
      - $TRIVY_OUTPUT
  allow_failure:
    exit_codes: 2

...can result in:

Obviously there are many other workflows that can turn a JUnit XML report with testcases (and failures) based on license scans into useful insights.

With some extra effort (improving the "unknown" license classification -- if need be by manually adding them to the Trivy config), this can become very useful for automated license policy checks as part of the software development lifecycle.

[DmitriyLewen]

v0.55.0 contains fix for that - #7440