feat(os-pkg): add data sources (#1636)

2025-12-22 07:10:41 -08:00 · 2022-01-29 00:41:40 +06:00
parent d2827cba06
commit 420f8ab13e
57 changed files with 1611 additions and 1111 deletions
--- a/integration/testdata/almalinux-8.json.golden
+++ b/integration/testdata/almalinux-8.json.golden
@@ -61,6 +61,10 @@
          },
          "SeveritySource": "alma",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3712",
+          "DataSource": {
+            "Name": "AlmaLinux Product Errata",
+            "URL": "https://errata.almalinux.org/"
+          },
          "Title": "openssl: Read buffer overruns processing ASN.1 strings",
          "Description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).",
          "Severity": "MEDIUM",
--- a/integration/testdata/alpine-310-registry.json.golden
+++ b/integration/testdata/alpine-310-registry.json.golden
@@ -70,6 +70,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: information disclosure in fork()",
          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
          "Severity": "MEDIUM",
@@ -123,6 +127,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
          "Severity": "MEDIUM",
@@ -186,6 +194,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: information disclosure in fork()",
          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
          "Severity": "MEDIUM",
@@ -239,6 +251,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
          "Severity": "MEDIUM",
--- a/integration/testdata/alpine-310.json.golden
+++ b/integration/testdata/alpine-310.json.golden
@@ -63,6 +63,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: information disclosure in fork()",
          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
          "Severity": "MEDIUM",
@@ -115,6 +119,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
          "Severity": "MEDIUM",
@@ -177,6 +185,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: information disclosure in fork()",
          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
          "Severity": "MEDIUM",
@@ -229,6 +241,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
          "Severity": "MEDIUM",
--- a/integration/testdata/alpine-39-high-critical.json.golden
+++ b/integration/testdata/alpine-39-high-critical.json.golden
@@ -63,6 +63,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
          "Severity": "CRITICAL",
          "CweIDs": [
@@ -94,6 +98,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
          "Severity": "CRITICAL",
          "CweIDs": [
--- a/integration/testdata/alpine-39-ignore-cveids.json.golden
+++ b/integration/testdata/alpine-39-ignore-cveids.json.golden
@@ -63,6 +63,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
          "Severity": "MEDIUM",
@@ -125,6 +129,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
          "Severity": "MEDIUM",
--- a/integration/testdata/alpine-39.json.golden
+++ b/integration/testdata/alpine-39.json.golden
@@ -63,6 +63,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: information disclosure in fork()",
          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
          "Severity": "MEDIUM",
@@ -115,6 +119,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
          "Severity": "MEDIUM",
@@ -177,6 +185,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: information disclosure in fork()",
          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
          "Severity": "MEDIUM",
@@ -229,6 +241,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
          "Severity": "MEDIUM",
@@ -291,6 +307,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
          "Severity": "CRITICAL",
          "CweIDs": [
@@ -322,6 +342,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
+          "DataSource": {
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
          "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
          "Severity": "CRITICAL",
          "CweIDs": [
--- a/integration/testdata/amazon-1.json.golden
+++ b/integration/testdata/amazon-1.json.golden
@@ -62,6 +62,10 @@
          },
          "SeveritySource": "amazon",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
+          "DataSource": {
+            "Name": "Amazon Linux Security Center",
+            "URL": "https://alas.aws.amazon.com/"
+          },
          "Title": "curl: double free due to subsequent call of realloc()",
          "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
          "Severity": "MEDIUM",
--- a/integration/testdata/amazon-2.json.golden
+++ b/integration/testdata/amazon-2.json.golden
@@ -62,6 +62,10 @@
          },
          "SeveritySource": "amazon",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
+          "DataSource": {
+            "Name": "Amazon Linux Security Center",
+            "URL": "https://alas.aws.amazon.com/"
+          },
          "Title": "curl: double free due to subsequent call of realloc()",
          "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
          "Severity": "MEDIUM",
@@ -112,6 +116,10 @@
          },
          "SeveritySource": "amazon",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5436",
+          "DataSource": {
+            "Name": "Amazon Linux Security Center",
+            "URL": "https://alas.aws.amazon.com/"
+          },
          "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function",
          "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.",
          "Severity": "LOW",
--- a/integration/testdata/busybox-with-lockfile.json.golden
+++ b/integration/testdata/busybox-with-lockfile.json.golden
@@ -62,6 +62,10 @@
            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
          },
          "PrimaryURL": "https://osv.dev/vulnerability/RUSTSEC-2019-0001",
+          "DataSource": {
+            "Name": "RustSec Advisory Database",
+            "URL": "https://github.com/RustSec/advisory-db"
+          },
          "Title": "Uncontrolled recursion leads to abort in HTML serialization",
          "Description": "Affected versions of this crate did use recursion for serialization of HTML\nDOM trees.\n\nThis allows an attacker to cause abort due to stack overflow by providing\na pathologically nested input.\n\nThe flaw was corrected by serializing the DOM tree iteratively instead.",
          "Severity": "UNKNOWN",
@@ -78,6 +82,10 @@
            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
          },
          "PrimaryURL": "https://osv.dev/vulnerability/RUSTSEC-2021-0074",
+          "DataSource": {
+            "Name": "RustSec Advisory Database",
+            "URL": "https://github.com/RustSec/advisory-db"
+          },
          "Title": "Incorrect handling of embedded SVG and MathML leads to mutation XSS",
          "Description": "Affected versions of this crate did not account for namespace-related parsing\ndifferences between HTML, SVG, and MathML. Even if the `svg` and `math` elements\nare not allowed, the underlying HTML parser still treats them differently.\nRunning cleanup without accounting for these differing namespaces resulted in an \"impossible\"\nDOM, which appeared \"safe\" when examining the DOM tree, but when serialized and deserialized,\ncould be exploited to inject abitrary markup.\n\nTo exploit this, the application using this library must allow a tag that is parsed as raw text in HTML.\nThese [elements] are:\n\n* title\n* textarea\n* xmp\n* iframe\n* noembed\n* noframes\n* plaintext\n* noscript\n* style\n* script\n\nApplications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.\n\n[elements]: https://github.com/servo/html5ever/blob/57eb334c0ffccc6f88d563419f0fbeef6ff5741c/html5ever/src/tree_builder/rules.rs",
          "Severity": "UNKNOWN",
--- a/integration/testdata/debian-buster-ignore-unfixed.json.golden
+++ b/integration/testdata/debian-buster-ignore-unfixed.json.golden
@@ -65,6 +65,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
          "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
          "Severity": "CRITICAL",
--- a/integration/testdata/debian-buster.json.golden
+++ b/integration/testdata/debian-buster.json.golden
@@ -61,6 +61,10 @@
          },
          "SeveritySource": "debian",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
          "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
          "Severity": "LOW",
@@ -107,6 +111,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
          "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
          "Severity": "CRITICAL",
--- a/integration/testdata/debian-stretch.json.golden
+++ b/integration/testdata/debian-stretch.json.golden
@@ -61,6 +61,10 @@
          },
          "SeveritySource": "debian",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
          "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
          "Severity": "LOW",
@@ -107,6 +111,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
          "Severity": "MEDIUM",
@@ -158,6 +166,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
          "Severity": "MEDIUM",
@@ -209,6 +221,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
          "Severity": "MEDIUM",
@@ -260,6 +276,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
          "Severity": "MEDIUM",
--- a/integration/testdata/distroless-base.json.golden
+++ b/integration/testdata/distroless-base.json.golden
@@ -59,6 +59,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
          "Severity": "MEDIUM",
@@ -124,6 +128,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
          "Severity": "LOW",
@@ -193,6 +201,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
          "Severity": "MEDIUM",
@@ -258,6 +270,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
          "Severity": "LOW",
--- a/integration/testdata/distroless-python27.json.golden
+++ b/integration/testdata/distroless-python27.json.golden
@@ -76,6 +76,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
          "Severity": "MEDIUM",
@@ -141,6 +145,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
          "Severity": "LOW",
@@ -210,6 +218,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
          "Severity": "MEDIUM",
@@ -275,6 +287,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
          "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
          "Severity": "LOW",
--- a/integration/testdata/fixtures/db/data-source.yaml
+++ b/integration/testdata/fixtures/db/data-source.yaml
@@ -0,0 +1,382 @@
+- bucket: data-source
+  pairs:
+    - key: GitHub Security Advisory Composer
+      value:
+        Name: "GitHub Security Advisory Composer"
+        URL: "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Acomposer"
+    - key: GitHub Security Advisory Maven
+      value:
+        Name: "GitHub Security Advisory Maven"
+        URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
+    - key: GitHub Security Advisory Npm
+      value:
+        Name: "GitHub Security Advisory Npm"
+        URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
+    - key: GitHub Security Advisory Nuget
+      value:
+        Name: "GitHub Security Advisory Nuget"
+        URL: "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Anuget"
+    - key: GitHub Security Advisory Pip
+      value:
+        Name: "GitHub Security Advisory Pip"
+        URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
+    - key: GitHub Security Advisory RubyGems
+      value:
+        Name: "GitHub Security Advisory RubyGems"
+        URL: "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Arubygems"
+    - key: Oracle Linux 5
+      value:
+        Name: "Oracle Linux OVAL definitions"
+        URL: "https://linux.oracle.com/security/oval/"
+    - key: Oracle Linux 6
+      value:
+        Name: "Oracle Linux OVAL definitions"
+        URL: "https://linux.oracle.com/security/oval/"
+    - key: Oracle Linux 7
+      value:
+        Name: "Oracle Linux OVAL definitions"
+        URL: "https://linux.oracle.com/security/oval/"
+    - key: Oracle Linux 8
+      value:
+        Name: "Oracle Linux OVAL definitions"
+        URL: "https://linux.oracle.com/security/oval/"
+    - key: Photon OS 1.0
+      value:
+        Name: "Photon OS CVE metadata"
+        URL: "https://packages.vmware.com/photon/photon_cve_metadata/"
+    - key: Photon OS 2.0
+      value:
+        Name: "Photon OS CVE metadata"
+        URL: "https://packages.vmware.com/photon/photon_cve_metadata/"
+    - key: Photon OS 3.0
+      value:
+        Name: "Photon OS CVE metadata"
+        URL: "https://packages.vmware.com/photon/photon_cve_metadata/"
+    - key: Photon OS 4.0
+      value:
+        Name: "Photon OS CVE metadata"
+        URL: "https://packages.vmware.com/photon/photon_cve_metadata/"
+    - key: SUSE Linux Enterprise 11
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 11-PUBCLOUD
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 11.1
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 11.2
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 11.3
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 11.4
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 12
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 12.1
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 12.2
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 12.3
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 12.4
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 12.5
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 15
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 15-ESPOS
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 15.1
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 15.2
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 15.3
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 15.4
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 5.0
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 5.1
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: alma 8
+      value:
+        Name: "AlmaLinux Product Errata"
+        URL:  "https://errata.almalinux.org/"
+    - key: alpine 3.10
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
+    - key: alpine 3.11
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
+    - key: alpine 3.12
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
+    - key: alpine 3.13
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
+    - key: alpine 3.14
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
+    - key: alpine 3.15
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
+    - key: alpine 3.2
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
+    - key: alpine 3.3
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
+    - key: alpine 3.4
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
+    - key: alpine 3.5
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
+    - key: alpine 3.6
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
+    - key: alpine 3.7
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
+    - key: alpine 3.8
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
+    - key: alpine 3.9
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
+    - key: amazon linux 1
+      value:
+        Name: "Amazon Linux Security Center"
+        URL: "https://alas.aws.amazon.com/"
+    - key: amazon linux 2
+      value:
+        Name: "Amazon Linux Security Center"
+        URL: "https://alas.aws.amazon.com/"
+    - key: archlinux
+      value:
+        Name: "Arch Linux Vulnerable issues"
+        URL: "https://security.archlinux.org/"
+    - key: cargo::Open Source Vulnerability
+      value:
+        Name: "RustSec Advisory Database"
+        URL:  "https://github.com/RustSec/advisory-db"
+    - key: debian 10
+      value:
+        Name: "Debian Security Tracker"
+        URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
+    - key: debian 11
+      value:
+        Name: "Debian Security Tracker"
+        URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
+    - key: debian 12
+      value:
+        Name: "Debian Security Tracker"
+        URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
+    - key: debian 7
+      value:
+        Name: "Debian Security Tracker"
+        URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
+    - key: debian 8
+      value:
+        Name: "Debian Security Tracker"
+        URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
+    - key: debian 9
+      value:
+        Name: "Debian Security Tracker"
+        URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
+    - key: go::GitLab Advisory Database Community
+      value:
+        Name: "GitLab Advisory Database Community"
+        URL:  "https://gitlab.com/gitlab-org/advisories-community"
+    - key: go::The Go Vulnerability Database
+      value:
+        Name: "The Go Vulnerability Database"
+        URL:  "https://github.com/golang/vulndb"
+    - key: maven::GitLab Advisory Database Community
+      value:
+        Name: "GitLab Advisory Database Community"
+        URL:  "https://gitlab.com/gitlab-org/advisories-community"
+    - key: nodejs-security-wg
+      value:
+        Name: "Node.js Ecosystem Security Working Group"
+        URL:  "https://github.com/nodejs/security-wg"
+    - key: openSUSE Leap 15.0
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: openSUSE Leap 15.1
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: openSUSE Leap 15.2
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: openSUSE Leap 15.3
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: openSUSE Leap 15.4
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: openSUSE Leap 42.1
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: openSUSE Leap 42.2
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: openSUSE Leap 42.3
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: php-security-advisories
+      value:
+        Name: "PHP Security Advisories Database"
+        URL: "https://github.com/FriendsOfPHP/security-advisories"
+    - key: pip::Open Source Vulnerability
+      value:
+        Name: "Python Packaging Advisory Database"
+        URL: "https://github.com/pypa/advisory-db"
+    - key: rocky 8
+      value:
+        Name: "Rocky Linux updateinfo"
+        URL: "https://download.rockylinux.org/pub/rocky/"
+    - key: ruby-advisory-db
+      value:
+        Name: "Ruby Advisory Database"
+        URL:  "https://github.com/rubysec/ruby-advisory-db"
+    - key: ubuntu 12.04
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 12.10
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 13.04
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 13.10
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 14.04
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 14.10
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 15.04
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 15.10
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 16.04
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 16.10
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 17.04
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 17.10
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 18.04
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 18.10
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 19.04
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 19.10
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 20.04
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 20.10
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 21.04
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 21.10
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
--- a/integration/testdata/fluentd-gems.json.golden
+++ b/integration/testdata/fluentd-gems.json.golden
@@ -118,6 +118,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
+          "DataSource": {
+            "Name": "Debian Security Tracker",
+            "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
+          },
          "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
          "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
          "Severity": "CRITICAL",
@@ -172,6 +176,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8165",
+          "DataSource": {
+            "Name": "GitHub Security Advisory RubyGems",
+            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Arubygems"
+          },
          "Title": "rubygem-activesupport: potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore",
          "Description": "A deserialization of untrusted data vulnernerability exists in rails \u003c 5.2.4.3, rails \u003c 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.",
          "Severity": "CRITICAL",
--- a/integration/testdata/nodejs.json.golden
+++ b/integration/testdata/nodejs.json.golden
@@ -28,6 +28,10 @@
          "Layer": {},
          "SeveritySource": "nodejs-security-wg",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-11358",
+          "DataSource": {
+            "Name": "GitHub Security Advisory Npm",
+            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
+          },
          "Title": "jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection",
          "Description": "jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.",
          "Severity": "MEDIUM",
@@ -137,6 +141,10 @@
          "Layer": {},
          "SeveritySource": "ghsa-npm",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-10744",
+          "DataSource": {
+            "Name": "GitHub Security Advisory Npm",
+            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
+          },
          "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
          "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.",
          "Severity": "CRITICAL",
--- a/integration/testdata/opensuse-leap-151.json.golden
+++ b/integration/testdata/opensuse-leap-151.json.golden
@@ -68,6 +68,10 @@
          "Layer": {
            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
          },
+          "DataSource": {
+            "Name": "SUSE CVRF",
+            "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
+          },
          "Title": "Security update for openssl-1_1",
          "Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).                             \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
          "Severity": "MEDIUM",
@@ -84,6 +88,10 @@
          "Layer": {
            "DiffID": "sha256:f7f9ae80878a1c56d8f9ca977a5d844168f7afc0c1429feef9366e713eac06ff"
          },
+          "DataSource": {
+            "Name": "SUSE CVRF",
+            "URL": "https://ftp.suse.com/pub/projects/security/cvrf/"
+          },
          "Title": "Security update for openssl-1_1",
          "Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).                             \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
          "Severity": "MEDIUM",
--- a/integration/testdata/oraclelinux-8-slim.json.golden
+++ b/integration/testdata/oraclelinux-8-slim.json.golden
@@ -71,6 +71,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-3823",
+          "DataSource": {
+            "Name": "Oracle Linux OVAL definitions",
+            "URL": "https://linux.oracle.com/security/oval/"
+          },
          "Title": "curl: SMTP end-of-response out-of-bounds read",
          "Description": "libcurl versions from 7.34.0 to before 7.64.0 are vulnerable to a heap out-of-bounds read in the code handling the end-of-response for SMTP. If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains no character ending the parsed number, and `len` is set to 5, then the `strtol()` call reads beyond the allocated buffer. The read contents will not be returned to the caller.",
          "Severity": "HIGH",
@@ -120,6 +124,10 @@
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5436",
+          "DataSource": {
+            "Name": "Oracle Linux OVAL definitions",
+            "URL": "https://linux.oracle.com/security/oval/"
+          },
          "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function",
          "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.",
          "Severity": "HIGH",
--- a/integration/testdata/photon-30.json.golden
+++ b/integration/testdata/photon-30.json.golden
@@ -72,6 +72,10 @@
          },
          "SeveritySource": "photon",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
+          "DataSource": {
+            "Name": "Photon OS CVE metadata",
+            "URL": "https://packages.vmware.com/photon/photon_cve_metadata/"
+          },
          "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
          "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
          "Severity": "HIGH",
@@ -115,6 +119,10 @@
          },
          "SeveritySource": "photon",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
+          "DataSource": {
+            "Name": "Photon OS CVE metadata",
+            "URL": "https://packages.vmware.com/photon/photon_cve_metadata/"
+          },
          "Title": "curl: double free due to subsequent call of realloc()",
          "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
          "Severity": "CRITICAL",
@@ -165,6 +173,10 @@
          },
          "SeveritySource": "photon",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
+          "DataSource": {
+            "Name": "Photon OS CVE metadata",
+            "URL": "https://packages.vmware.com/photon/photon_cve_metadata/"
+          },
          "Title": "curl: double free due to subsequent call of realloc()",
          "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
          "Severity": "CRITICAL",
--- a/integration/testdata/pip.json.golden
+++ b/integration/testdata/pip.json.golden
@@ -28,6 +28,10 @@
          "Layer": {},
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14806",
+          "DataSource": {
+            "Name": "GitHub Security Advisory Pip",
+            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
+          },
          "Title": "python-werkzeug: insufficient debugger PIN randomness vulnerability",
          "Description": "Pallets Werkzeug before 0.15.3, when used with Docker, has insufficient debugger PIN randomness because Docker containers share the same machine id.",
          "Severity": "HIGH",
@@ -68,6 +72,10 @@
          "Layer": {},
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-28724",
+          "DataSource": {
+            "Name": "GitHub Security Advisory Pip",
+            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
+          },
          "Title": "python-werkzeug: open redirect via double slash in the URL",
          "Description": "Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.",
          "Severity": "MEDIUM",
--- a/integration/testdata/rockylinux-8.json.golden
+++ b/integration/testdata/rockylinux-8.json.golden
@@ -61,6 +61,10 @@
          },
          "SeveritySource": "rocky",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3712",
+          "DataSource": {
+            "Name": "Rocky Linux updateinfo",
+            "URL": "https://download.rockylinux.org/pub/rocky/"
+          },
          "Title": "openssl: Read buffer overruns processing ASN.1 strings",
          "Description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).",
          "Severity": "MEDIUM",
--- a/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden
+++ b/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden
@@ -80,6 +80,10 @@
          },
          "SeveritySource": "ubuntu",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
+          "DataSource": {
+            "Name": "Ubuntu CVE Tracker",
+            "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
+          },
          "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
          "Severity": "MEDIUM",
@@ -128,6 +132,10 @@
          },
          "SeveritySource": "ubuntu",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
+          "DataSource": {
+            "Name": "Ubuntu CVE Tracker",
+            "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
+          },
          "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
          "Severity": "MEDIUM",
@@ -176,6 +184,10 @@
          },
          "SeveritySource": "ubuntu",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
+          "DataSource": {
+            "Name": "Ubuntu CVE Tracker",
+            "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
+          },
          "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
          "Severity": "MEDIUM",
@@ -224,6 +236,10 @@
          },
          "SeveritySource": "ubuntu",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
+          "DataSource": {
+            "Name": "Ubuntu CVE Tracker",
+            "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
+          },
          "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
          "Severity": "MEDIUM",
--- a/integration/testdata/ubuntu-1804.json.golden
+++ b/integration/testdata/ubuntu-1804.json.golden
@@ -79,6 +79,10 @@
          },
          "SeveritySource": "ubuntu",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
+          "DataSource": {
+            "Name": "Ubuntu CVE Tracker",
+            "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
+          },
          "Title": "bash: when effective UID is not equal to its real UID the saved UID is not dropped",
          "Description": "An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support \"saved UID\" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use \"enable -f\" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected.",
          "Severity": "LOW",
@@ -122,6 +126,10 @@
          },
          "SeveritySource": "ubuntu",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
+          "DataSource": {
+            "Name": "Ubuntu CVE Tracker",
+            "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
+          },
          "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
          "Severity": "MEDIUM",
@@ -170,6 +178,10 @@
          },
          "SeveritySource": "ubuntu",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
+          "DataSource": {
+            "Name": "Ubuntu CVE Tracker",
+            "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
+          },
          "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
          "Severity": "MEDIUM",
@@ -218,6 +230,10 @@
          },
          "SeveritySource": "ubuntu",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
+          "DataSource": {
+            "Name": "Ubuntu CVE Tracker",
+            "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
+          },
          "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
          "Severity": "MEDIUM",
@@ -266,6 +282,10 @@
          },
          "SeveritySource": "ubuntu",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5094",
+          "DataSource": {
+            "Name": "Ubuntu CVE Tracker",
+            "URL": "https://git.launchpad.net/ubuntu-cve-tracker"
+          },
          "Title": "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write",
          "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
          "Severity": "MEDIUM",
--- a/pkg/detector/ospkg/alma/alma.go
+++ b/pkg/detector/ospkg/alma/alma.go
@@ -90,6 +90,7 @@ func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedV
 					InstalledVersion: installed,
 					FixedVersion:     fixedVersion.String(),
 					Layer:            pkg.Layer,
+					DataSource:       adv.DataSource,
 				}
 				vulns = append(vulns, vuln)
 			}
--- a/pkg/detector/ospkg/alma/alma_test.go
+++ b/pkg/detector/ospkg/alma/alma_test.go
@@ -1,6 +1,7 @@
 package alma_test

 import (
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"testing"
 	"time"

@@ -28,8 +29,11 @@ func TestScanner_Detect(t *testing.T) {
 		wantErr  string
 	}{
 		{
-			name:     "happy path",
-			fixtures: []string{"testdata/fixtures/alma.yaml"},
+			name: "happy path",
+			fixtures: []string{
+				"testdata/fixtures/alma.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
 			args: args{
 				osVer: "8.4",
 				pkgs: []ftypes.Package{
@@ -56,12 +60,16 @@ func TestScanner_Detect(t *testing.T) {
 					InstalledVersion: "3.6.8-36.el8.alma",
 					FixedVersion:     "3.6.8-37.el8.alma",
 					Layer:            ftypes.Layer{},
+					DataSource: &dbTypes.DataSource{
+						Name: "AlmaLinux Product Errata",
+						URL:  "https://errata.almalinux.org/",
+					},
 				},
 			},
 		},
 		{
 			name:     "skip modular package",
-			fixtures: []string{"testdata/fixtures/modular.yaml"},
+			fixtures: []string{"testdata/fixtures/modular.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "8.4",
 				pkgs: []ftypes.Package{
@@ -85,7 +93,7 @@ func TestScanner_Detect(t *testing.T) {
 		},
 		{
 			name:     "Get returns an error",
-			fixtures: []string{"testdata/fixtures/invalid.yaml"},
+			fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "8.4",
 				pkgs: []ftypes.Package{
--- a/pkg/detector/ospkg/alma/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/alma/testdata/fixtures/data-source.yaml
@@ -0,0 +1,6 @@
+- bucket: data-source
+  pairs:
+    - key: alma 8
+      value:
+        Name: "AlmaLinux Product Errata"
+        URL:  "https://errata.almalinux.org/"
--- a/pkg/detector/ospkg/alpine/alpine.go
+++ b/pkg/detector/ospkg/alpine/alpine.go
@@ -112,6 +112,7 @@ func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedV
 				FixedVersion:     adv.FixedVersion,
 				Layer:            pkg.Layer,
 				Custom:           adv.Custom,
+				DataSource:       adv.DataSource,
 			})
 		}
 	}
--- a/pkg/detector/ospkg/alpine/alpine_test.go
+++ b/pkg/detector/ospkg/alpine/alpine_test.go
@@ -1,6 +1,7 @@
 package alpine_test

 import (
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"sort"
 	"testing"
 	"time"
@@ -30,7 +31,7 @@ func TestScanner_Detect(t *testing.T) {
 	}{
 		{
 			name:     "happy path",
-			fixtures: []string{"testdata/fixtures/alpine.yaml"},
+			fixtures: []string{"testdata/fixtures/alpine.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "3.10.2",
 				pkgs: []ftypes.Package{
@@ -60,6 +61,10 @@ func TestScanner_Detect(t *testing.T) {
 					Layer: ftypes.Layer{
 						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},
+					DataSource: &dbTypes.DataSource{
+						Name: "Alpine Secdb",
+						URL:  "https://secdb.alpinelinux.org/",
+					},
 				},
 				{
 					PkgName:          "ansible",
@@ -69,12 +74,16 @@ func TestScanner_Detect(t *testing.T) {
 					Layer: ftypes.Layer{
 						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},
+					DataSource: &dbTypes.DataSource{
+						Name: "Alpine Secdb",
+						URL:  "https://secdb.alpinelinux.org/",
+					},
 				},
 			},
 		},
 		{
 			name:     "contain rc",
-			fixtures: []string{"testdata/fixtures/alpine.yaml"},
+			fixtures: []string{"testdata/fixtures/alpine.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "3.10",
 				pkgs: []ftypes.Package{
@@ -92,12 +101,16 @@ func TestScanner_Detect(t *testing.T) {
 					VulnerabilityID:  "CVE-2020-1234",
 					InstalledVersion: "1.6-r0",
 					FixedVersion:     "1.6-r1",
+					DataSource: &dbTypes.DataSource{
+						Name: "Alpine Secdb",
+						URL:  "https://secdb.alpinelinux.org/",
+					},
 				},
 			},
 		},
 		{
 			name:     "contain pre",
-			fixtures: []string{"testdata/fixtures/alpine.yaml"},
+			fixtures: []string{"testdata/fixtures/alpine.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "3.10",
 				pkgs: []ftypes.Package{
@@ -121,12 +134,16 @@ func TestScanner_Detect(t *testing.T) {
 					Layer: ftypes.Layer{
 						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},
+					DataSource: &dbTypes.DataSource{
+						Name: "Alpine Secdb",
+						URL:  "https://secdb.alpinelinux.org/",
+					},
 				},
 			},
 		},
 		{
 			name:     "Get returns an error",
-			fixtures: []string{"testdata/fixtures/invalid.yaml"},
+			fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "3.10.2",
 				pkgs: []ftypes.Package{
--- a/pkg/detector/ospkg/alpine/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/alpine/testdata/fixtures/data-source.yaml
@@ -0,0 +1,6 @@
+- bucket: data-source
+  pairs:
+    - key: alpine 3.10
+      value:
+        Name: "Alpine Secdb"
+        URL: "https://secdb.alpinelinux.org/"
--- a/pkg/detector/ospkg/amazon/amazon.go
+++ b/pkg/detector/ospkg/amazon/amazon.go
@@ -104,6 +104,7 @@ func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedV
 					FixedVersion:     adv.FixedVersion,
 					Layer:            pkg.Layer,
 					Custom:           adv.Custom,
+					DataSource:       adv.DataSource,
 				}
 				vulns = append(vulns, vuln)
 			}
--- a/pkg/detector/ospkg/amazon/amazon_test.go
+++ b/pkg/detector/ospkg/amazon/amazon_test.go
@@ -1,6 +1,7 @@
 package amazon_test

 import (
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"testing"
 	"time"

@@ -29,7 +30,7 @@ func TestScanner_Detect(t *testing.T) {
 	}{
 		{
 			name:     "amazon linux 1",
-			fixtures: []string{"testdata/fixtures/amazon.yaml"},
+			fixtures: []string{"testdata/fixtures/amazon.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "1.2",
 				pkgs: []ftypes.Package{
@@ -53,12 +54,16 @@ func TestScanner_Detect(t *testing.T) {
 					Layer: ftypes.Layer{
 						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},
+					DataSource: &dbTypes.DataSource{
+						Name: "Amazon Linux Security Center",
+						URL:  "https://alas.aws.amazon.com/",
+					},
 				},
 			},
 		},
 		{
 			name:     "amazon linux 2",
-			fixtures: []string{"testdata/fixtures/amazon.yaml"},
+			fixtures: []string{"testdata/fixtures/amazon.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "2",
 				pkgs: []ftypes.Package{
@@ -80,12 +85,16 @@ func TestScanner_Detect(t *testing.T) {
 					Layer: ftypes.Layer{
 						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},
+					DataSource: &dbTypes.DataSource{
+						Name: "Amazon Linux Security Center",
+						URL:  "https://alas.aws.amazon.com/",
+					},
 				},
 			},
 		},
 		{
 			name:     "empty version",
-			fixtures: []string{"testdata/fixtures/amazon.yaml"},
+			fixtures: []string{"testdata/fixtures/amazon.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "2",
 				pkgs: []ftypes.Package{
@@ -97,7 +106,7 @@ func TestScanner_Detect(t *testing.T) {
 		},
 		{
 			name:     "Get returns an error",
-			fixtures: []string{"testdata/fixtures/invalid.yaml"},
+			fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "1",
 				pkgs: []ftypes.Package{
--- a/pkg/detector/ospkg/amazon/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/amazon/testdata/fixtures/data-source.yaml
@@ -0,0 +1,10 @@
+- bucket: data-source
+  pairs:
+    - key: amazon linux 1
+      value:
+        Name: "Amazon Linux Security Center"
+        URL: "https://alas.aws.amazon.com/"
+    - key: amazon linux 2
+      value:
+        Name: "Amazon Linux Security Center"
+        URL: "https://alas.aws.amazon.com/"
--- a/pkg/detector/ospkg/debian/debian.go
+++ b/pkg/detector/ospkg/debian/debian.go
@@ -106,6 +106,7 @@ func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedV
 				FixedVersion:     adv.FixedVersion,
 				Layer:            pkg.Layer,
 				Custom:           adv.Custom,
+				DataSource:       adv.DataSource,
 			}

 			if adv.Severity != dbTypes.SeverityUnknown {
--- a/pkg/detector/ospkg/debian/debian_test.go
+++ b/pkg/detector/ospkg/debian/debian_test.go
@@ -32,7 +32,7 @@ func TestScanner_Detect(t *testing.T) {
 	}{
 		{
 			name:     "happy path",
-			fixtures: []string{"testdata/fixtures/debian.yaml"},
+			fixtures: []string{"testdata/fixtures/debian.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "9.1",
 				pkgs: []ftypes.Package{
@@ -57,6 +57,10 @@ func TestScanner_Detect(t *testing.T) {
 					Layer: ftypes.Layer{
 						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},
+					DataSource: &dbTypes.DataSource{
+						Name: "Debian Security Tracker",
+						URL:  "https://salsa.debian.org/security-tracker-team/security-tracker",
+					},
 				},
 				{
 					PkgName:          "htpasswd",
@@ -69,12 +73,16 @@ func TestScanner_Detect(t *testing.T) {
 					Layer: ftypes.Layer{
 						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},
+					DataSource: &dbTypes.DataSource{
+						Name: "Debian Security Tracker",
+						URL:  "https://salsa.debian.org/security-tracker-team/security-tracker",
+					},
 				},
 			},
 		},
 		{
 			name:     "invalid bucket",
-			fixtures: []string{"testdata/fixtures/invalid.yaml"},
+			fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "9.1",
 				pkgs: []ftypes.Package{
--- a/pkg/detector/ospkg/debian/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/debian/testdata/fixtures/data-source.yaml
@@ -0,0 +1,6 @@
+- bucket: data-source
+  pairs:
+    - key: debian 9
+      value:
+        Name: "Debian Security Tracker"
+        URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
--- a/pkg/detector/ospkg/oracle/oracle.go
+++ b/pkg/detector/ospkg/oracle/oracle.go
@@ -88,6 +88,7 @@ func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedV
 				InstalledVersion: installed,
 				Layer:            pkg.Layer,
 				Custom:           adv.Custom,
+				DataSource:       adv.DataSource,
 			}
 			if installedVersion.LessThan(fixedVersion) {
 				vuln.FixedVersion = adv.FixedVersion
--- a/pkg/detector/ospkg/oracle/oracle_test.go
+++ b/pkg/detector/ospkg/oracle/oracle_test.go
@@ -1,6 +1,7 @@
 package oracle

 import (
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"testing"
 	"time"

@@ -108,7 +109,7 @@ func TestScanner_Detect(t *testing.T) {
 	}{
 		{
 			name:     "detected",
-			fixtures: []string{"testdata/fixtures/oracle7.yaml"},
+			fixtures: []string{"testdata/fixtures/oracle7.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "7",
 				pkgs: []ftypes.Package{
@@ -129,12 +130,16 @@ func TestScanner_Detect(t *testing.T) {
 					PkgName:          "curl",
 					InstalledVersion: "7.29.0-59.0.1.el7",
 					FixedVersion:     "7.29.0-59.0.1.el7_9.1",
+					DataSource: &dbTypes.DataSource{
+						Name: "Oracle Linux OVAL definitions",
+						URL:  "https://linux.oracle.com/security/oval/",
+					},
 				},
 			},
 		},
 		{
 			name:     "without ksplice",
-			fixtures: []string{"testdata/fixtures/oracle7.yaml"},
+			fixtures: []string{"testdata/fixtures/oracle7.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "7",
 				pkgs: []ftypes.Package{
@@ -153,7 +158,7 @@ func TestScanner_Detect(t *testing.T) {
 		},
 		{
 			name:     "the installed version has ksplice2",
-			fixtures: []string{"testdata/fixtures/oracle7.yaml"},
+			fixtures: []string{"testdata/fixtures/oracle7.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "7",
 				pkgs: []ftypes.Package{
@@ -174,7 +179,7 @@ func TestScanner_Detect(t *testing.T) {
 		},
 		{
 			name:     "with ksplice",
-			fixtures: []string{"testdata/fixtures/oracle7.yaml"},
+			fixtures: []string{"testdata/fixtures/oracle7.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "7",
 				pkgs: []ftypes.Package{
@@ -197,12 +202,16 @@ func TestScanner_Detect(t *testing.T) {
 					PkgName:          "glibc",
 					InstalledVersion: "2:2.17-156.ksplice1.el7",
 					FixedVersion:     "2:2.17-157.ksplice1.el7_3.4",
+					DataSource: &dbTypes.DataSource{
+						Name: "Oracle Linux OVAL definitions",
+						URL:  "https://linux.oracle.com/security/oval/",
+					},
 				},
 			},
 		},
 		{
 			name:     "malformed",
-			fixtures: []string{"testdata/fixtures/invalid-type.yaml"},
+			fixtures: []string{"testdata/fixtures/invalid-type.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "7",
 				pkgs: []ftypes.Package{
--- a/pkg/detector/ospkg/oracle/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/oracle/testdata/fixtures/data-source.yaml
@@ -0,0 +1,6 @@
+- bucket: data-source
+  pairs:
+    - key: Oracle Linux 7
+      value:
+        Name: "Oracle Linux OVAL definitions"
+        URL: "https://linux.oracle.com/security/oval/"
--- a/pkg/detector/ospkg/photon/photon.go
+++ b/pkg/detector/ospkg/photon/photon.go
@@ -81,6 +81,7 @@ func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedV
 				InstalledVersion: installed,
 				Layer:            pkg.Layer,
 				Custom:           adv.Custom,
+				DataSource:       adv.DataSource,
 			}
 			if installedVersion.LessThan(fixedVersion) {
 				vuln.FixedVersion = adv.FixedVersion
--- a/pkg/detector/ospkg/photon/photon_test.go
+++ b/pkg/detector/ospkg/photon/photon_test.go
@@ -1,6 +1,7 @@
 package photon_test

 import (
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"testing"
 	"time"

@@ -29,7 +30,7 @@ func TestScanner_Detect(t *testing.T) {
 	}{
 		{
 			name:     "happy path",
-			fixtures: []string{"testdata/fixtures/photon.yaml"},
+			fixtures: []string{"testdata/fixtures/photon.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "1.0",
 				pkgs: []ftypes.Package{
@@ -55,12 +56,16 @@ func TestScanner_Detect(t *testing.T) {
 					Layer: ftypes.Layer{
 						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},
+					DataSource: &dbTypes.DataSource{
+						Name: "Photon OS CVE metadata",
+						URL:  "https://packages.vmware.com/photon/photon_cve_metadata/",
+					},
 				},
 			},
 		},
 		{
 			name:     "invalid bucket",
-			fixtures: []string{"testdata/fixtures/invalid.yaml"},
+			fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "1.0",
 				pkgs: []ftypes.Package{
--- a/pkg/detector/ospkg/photon/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/photon/testdata/fixtures/data-source.yaml
@@ -0,0 +1,6 @@
+- bucket: data-source
+  pairs:
+    - key: Photon OS 1.0
+      value:
+        Name: "Photon OS CVE metadata"
+        URL: "https://packages.vmware.com/photon/photon_cve_metadata/"
--- a/pkg/detector/ospkg/rocky/rocky.go
+++ b/pkg/detector/ospkg/rocky/rocky.go
@@ -90,6 +90,7 @@ func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedV
 					InstalledVersion: installed,
 					FixedVersion:     fixedVersion.String(),
 					Layer:            pkg.Layer,
+					DataSource:       adv.DataSource,
 				}
 				vulns = append(vulns, vuln)
 			}
--- a/pkg/detector/ospkg/rocky/rocky_test.go
+++ b/pkg/detector/ospkg/rocky/rocky_test.go
@@ -1,6 +1,7 @@
 package rocky_test

 import (
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"testing"
 	"time"

@@ -29,7 +30,7 @@ func TestScanner_Detect(t *testing.T) {
 	}{
 		{
 			name:     "happy path",
-			fixtures: []string{"testdata/fixtures/rocky.yaml"},
+			fixtures: []string{"testdata/fixtures/rocky.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "8.5",
 				pkgs: []ftypes.Package{
@@ -56,12 +57,16 @@ func TestScanner_Detect(t *testing.T) {
 					InstalledVersion: "4.18.0-348.el8.0.3",
 					FixedVersion:     "4.18.0-348.2.1.el8_5",
 					Layer:            ftypes.Layer{},
+					DataSource: &dbTypes.DataSource{
+						Name: "Rocky Linux updateinfo",
+						URL:  "https://download.rockylinux.org/pub/rocky/",
+					},
 				},
 			},
 		},
 		{
 			name:     "skip modular package",
-			fixtures: []string{"testdata/fixtures/modular.yaml"},
+			fixtures: []string{"testdata/fixtures/modular.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "8.5",
 				pkgs: []ftypes.Package{
@@ -85,7 +90,7 @@ func TestScanner_Detect(t *testing.T) {
 		},
 		{
 			name:     "Get returns an error",
-			fixtures: []string{"testdata/fixtures/invalid.yaml"},
+			fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "8.5",
 				pkgs: []ftypes.Package{
--- a/pkg/detector/ospkg/rocky/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/rocky/testdata/fixtures/data-source.yaml
@@ -0,0 +1,6 @@
+- bucket: data-source
+  pairs:
+    - key: rocky 8
+      value:
+        Name: "Rocky Linux updateinfo"
+        URL: "https://download.rockylinux.org/pub/rocky/"
--- a/pkg/detector/ospkg/suse/suse.go
+++ b/pkg/detector/ospkg/suse/suse.go
@@ -132,6 +132,7 @@ func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedV
 				InstalledVersion: installed,
 				Layer:            pkg.Layer,
 				Custom:           adv.Custom,
+				DataSource:       adv.DataSource,
 			}
 			if installedVersion.LessThan(fixedVersion) {
 				vuln.FixedVersion = adv.FixedVersion
--- a/pkg/detector/ospkg/suse/suse_test.go
+++ b/pkg/detector/ospkg/suse/suse_test.go
@@ -1,6 +1,7 @@
 package suse_test

 import (
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"testing"
 	"time"

@@ -30,7 +31,7 @@ func TestScanner_Detect(t *testing.T) {
 	}{
 		{
 			name:         "happy path",
-			fixtures:     []string{"testdata/fixtures/suse.yaml"},
+			fixtures:     []string{"testdata/fixtures/suse.yaml", "testdata/fixtures/data-source.yaml"},
 			distribution: suse.OpenSUSE,
 			args: args{
 				osVer: "15.3",
@@ -57,12 +58,16 @@ func TestScanner_Detect(t *testing.T) {
 					Layer: ftypes.Layer{
 						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},
+					DataSource: &dbTypes.DataSource{
+						Name: "SUSE CVRF",
+						URL:  "https://ftp.suse.com/pub/projects/security/cvrf/",
+					},
 				},
 			},
 		},
 		{
 			name:         "broken bucket",
-			fixtures:     []string{"testdata/fixtures/invalid.yaml"},
+			fixtures:     []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
 			distribution: suse.SUSEEnterpriseLinux,
 			args: args{
 				osVer: "15.3",
--- a/pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/suse/testdata/fixtures/data-source.yaml
@@ -0,0 +1,10 @@
+- bucket: data-source
+  pairs:
+    - key: openSUSE Leap 15.3
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
+    - key: SUSE Linux Enterprise 15.3
+      value:
+        Name: "SUSE CVRF"
+        URL: "https://ftp.suse.com/pub/projects/security/cvrf/"
--- a/pkg/detector/ospkg/ubuntu/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/ubuntu/testdata/fixtures/data-source.yaml
@@ -0,0 +1,10 @@
+- bucket: data-source
+  pairs:
+    - key: ubuntu 20.04
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
+    - key: ubuntu 21.04
+      value:
+        Name: "Ubuntu CVE Tracker"
+        URL: "https://git.launchpad.net/ubuntu-cve-tracker"
--- a/pkg/detector/ospkg/ubuntu/ubuntu.go
+++ b/pkg/detector/ospkg/ubuntu/ubuntu.go
@@ -115,6 +115,7 @@ func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedV
 				FixedVersion:     adv.FixedVersion,
 				Layer:            pkg.Layer,
 				Custom:           adv.Custom,
+				DataSource:       adv.DataSource,
 			}

 			if adv.FixedVersion == "" {
--- a/pkg/detector/ospkg/ubuntu/ubuntu_test.go
+++ b/pkg/detector/ospkg/ubuntu/ubuntu_test.go
@@ -1,6 +1,7 @@
 package ubuntu_test

 import (
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"sort"
 	"testing"
 	"time"
@@ -30,7 +31,7 @@ func TestScanner_Detect(t *testing.T) {
 	}{
 		{
 			name:     "happy path",
-			fixtures: []string{"testdata/fixtures/ubuntu.yaml"},
+			fixtures: []string{"testdata/fixtures/ubuntu.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "20.04",
 				pkgs: []ftypes.Package{
@@ -54,6 +55,10 @@ func TestScanner_Detect(t *testing.T) {
 					Layer: ftypes.Layer{
 						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},
+					DataSource: &dbTypes.DataSource{
+						Name: "Ubuntu CVE Tracker",
+						URL:  "https://git.launchpad.net/ubuntu-cve-tracker",
+					},
 				},
 				{
 					PkgName:          "wpa",
@@ -63,12 +68,16 @@ func TestScanner_Detect(t *testing.T) {
 					Layer: ftypes.Layer{
 						DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 					},
+					DataSource: &dbTypes.DataSource{
+						Name: "Ubuntu CVE Tracker",
+						URL:  "https://git.launchpad.net/ubuntu-cve-tracker",
+					},
 				},
 			},
 		},
 		{
 			name:     "broken bucket",
-			fixtures: []string{"testdata/fixtures/invalid.yaml"},
+			fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "21.04",
 				pkgs: []ftypes.Package{
--- a/pkg/rpc/convert.go
+++ b/pkg/rpc/convert.go
@@ -140,6 +140,7 @@ func ConvertToRPCVulns(vulns []types.DetectedVulnerability) []*common.Vulnerabil
 			PublishedDate:      publishedDate,
 			CustomAdvisoryData: customAdvisoryData,
 			CustomVulnData:     customVulnData,
+			DataSource:         ConvertToRPCDataSource(vuln.DataSource),
 		})
 	}
 	return rpcVulns
@@ -180,6 +181,17 @@ func ConvertToRPCLayer(layer ftypes.Layer) *common.Layer {
 	}
 }

+// ConvertToRPCDataSource returns common.DataSource
+func ConvertToRPCDataSource(ds *dbTypes.DataSource) *common.DataSource {
+	if ds == nil {
+		return nil
+	}
+	return &common.DataSource{
+		Name: ds.Name,
+		Url:  ds.URL,
+	}
+}
+
 // ConvertFromRPCResults converts scanner.Result to report.Result
 func ConvertFromRPCResults(rpcResults []*scanner.Result) []report.Result {
 	var results []report.Result
@@ -242,6 +254,7 @@ func ConvertFromRPCVulns(rpcVulns []*common.Vulnerability) []types.DetectedVulne
 			SeveritySource: vuln.SeveritySource,
 			PrimaryURL:     vuln.PrimaryUrl,
 			Custom:         vuln.CustomAdvisoryData.AsInterface(),
+			DataSource:     ConvertFromRPCDataSource(vuln.DataSource),
 		})
 	}
 	return vulns
@@ -292,6 +305,17 @@ func ConvertFromRPCOS(rpcOS *common.OS) *ftypes.OS {
 	}
 }

+// ConvertFromRPCDataSource converts *common.DataSource to *dbTypes.DataSource
+func ConvertFromRPCDataSource(ds *common.DataSource) *dbTypes.DataSource {
+	if ds == nil {
+		return nil
+	}
+	return &dbTypes.DataSource{
+		Name: ds.Name,
+		URL:  ds.Url,
+	}
+}
+
 // ConvertFromRPCPackageInfos converts common.PackageInfo to fanal.PackageInfo
 func ConvertFromRPCPackageInfos(rpcPkgInfos []*common.PackageInfo) []ftypes.PackageInfo {
 	var pkgInfos []ftypes.PackageInfo
--- a/pkg/rpc/convert_test.go
+++ b/pkg/rpc/convert_test.go
@@ -238,6 +238,10 @@ func TestConvertToRpcVulns(t *testing.T) {
 							DiffID: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 						},
 						PrimaryURL: "https://avd.aquasec.com/nvd/CVE-2019-0001",
+						DataSource: &dbTypes.DataSource{
+							Name: "GitHub Security Advisory Maven",
+							URL:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
+						},
 					},
 				},
 			},
@@ -266,6 +270,10 @@ func TestConvertToRpcVulns(t *testing.T) {
 					PrimaryUrl:       "https://avd.aquasec.com/nvd/CVE-2019-0001",
 					PublishedDate:    timestamppb.New(fixedPublishedDate),
 					LastModifiedDate: timestamppb.New(fixedLastModifiedDate),
+					DataSource: &common.DataSource{
+						Name: "GitHub Security Advisory Maven",
+						Url:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
+					},
 				},
 			},
 		},
@@ -288,6 +296,10 @@ func TestConvertToRpcVulns(t *testing.T) {
 							Digest: "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
 							DiffID: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 						},
+						DataSource: &dbTypes.DataSource{
+							Name: "GitHub Security Advisory Maven",
+							URL:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
+						},
 					},
 				},
 			},
@@ -306,6 +318,10 @@ func TestConvertToRpcVulns(t *testing.T) {
 						Digest: "sha256:154ad0735c360b212b167f424d33a62305770a1fcfb6363882f5c436cfbd9812",
 						DiffId: "sha256:b2a1a2d80bf0c747a4f6b0ca6af5eef23f043fcdb1ed4f3a3e750aef2dc68079",
 					},
+					DataSource: &common.DataSource{
+						Name: "GitHub Security Advisory Maven",
+						Url:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
+					},
 				},
 			},
 		},
@@ -363,6 +379,10 @@ func TestConvertFromRPCResults(t *testing.T) {
 							PrimaryUrl:       "https://avd.aquasec.com/nvd/CVE-2019-0001",
 							PublishedDate:    timestamppb.New(fixedPublishedDate),
 							LastModifiedDate: timestamppb.New(fixedLastModifiedDate),
+							DataSource: &common.DataSource{
+								Name: "GitHub Security Advisory Maven",
+								Url:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
+							},
 						},
 					},
 				}},
@@ -401,6 +421,10 @@ func TestConvertFromRPCResults(t *testing.T) {
 								PublishedDate:    &fixedPublishedDate,
 								LastModifiedDate: &fixedLastModifiedDate,
 							},
+							DataSource: &dbTypes.DataSource{
+								Name: "GitHub Security Advisory Maven",
+								URL:  "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven",
+							},
 						},
 					},
 				},
--- a/pkg/rpc/server/server_test.go
+++ b/pkg/rpc/server/server_test.go
@@ -47,7 +47,7 @@ func TestScanServer_Scan(t *testing.T) {
 	}{
 		{
 			name:     "happy path",
-			fixtures: []string{"testdata/fixtures/vulnerability.yaml"},
+			fixtures: []string{"testdata/fixtures/vulnerability.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				in: &rpcScanner.ScanRequest{
 					Target:     "alpine:3.11",
@@ -76,6 +76,10 @@ func TestScanServer_Scan(t *testing.T) {
 										LastModifiedDate: utils.MustTimeParse("2020-01-01T01:01:00Z"),
 										PublishedDate:    utils.MustTimeParse("2001-01-01T01:01:00Z"),
 									},
+									DataSource: &dbTypes.DataSource{
+										Name: "DOS vulnerabilities",
+										URL:  "https://vuld-db-example.com/",
+									},
 								},
 							},
 							Type: "alpine",
@@ -117,6 +121,10 @@ func TestScanServer_Scan(t *testing.T) {
 								PublishedDate: &timestamp.Timestamp{
 									Seconds: 978310860,
 								},
+								DataSource: &common.DataSource{
+									Name: "DOS vulnerabilities",
+									Url:  "https://vuld-db-example.com/",
+								},
 							},
 						},
 						Type: "alpine",
--- a/pkg/rpc/server/testdata/fixtures/data-source.yaml
+++ b/pkg/rpc/server/testdata/fixtures/data-source.yaml
@@ -0,0 +1,6 @@
+- bucket: data-source
+  pairs:
+    - key: vulnerability
+      value:
+        Name: "DOS vulnerabilities"
+        URL:  "https://vuld-db-example.com/"
--- a/rpc/common/service.pb.go
+++ b/rpc/common/service.pb.go
--- a/rpc/common/service.proto
+++ b/rpc/common/service.proto
@@ -100,6 +100,12 @@ message Vulnerability {
  google.protobuf.Value     custom_advisory_data = 17;
  google.protobuf.Value     custom_vuln_data     = 18;
  repeated string           vendor_ids           = 19;
+  DataSource                data_source          = 20;
+}
+
+message DataSource {
+  string name = 1;
+  string url  = 2;
 }

 message Layer {