feat(lang-pkg): add data sources (#1625)

2025-12-22 07:10:41 -08:00 · 2022-01-27 14:22:06 +02:00
parent a31ddbe971
commit 50bb938a21
26 changed files with 176 additions and 99 deletions
--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/trivy-db v0.0.0-20220119092408-3e43e9ac6def
+	github.com/aquasecurity/trivy-db v0.0.0-20220125230746-e5eec5a98bf1
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3
--- a/go.sum
+++ b/go.sum
@@ -241,10 +241,8 @@ github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbp
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516/go.mod h1:gTd97VdQ0rg8Mkiic3rPgNOQdprZ7feTAhiD5mGQjgM=
 github.com/aquasecurity/tfsec v0.63.1 h1:KH63HTcUoab7d3PKtqFO6T8K5AY7bzLw7Kiu+EY9U64=
 github.com/aquasecurity/tfsec v0.63.1/go.mod h1:g5ZWmsfqW1FsCaPb9ux8Pzjcyss/WUB2XuRd5slqvnc=
-github.com/aquasecurity/trivy-db v0.0.0-20220116182821-1a83ba8d44cf h1:STzhFjoXPmE+HQzjydti5w5KNvQpUYwaH4y878jq+II=
-github.com/aquasecurity/trivy-db v0.0.0-20220116182821-1a83ba8d44cf/go.mod h1:rnojVJTK+RySsfLW7xMqmQRSjQpm5fEjS+/N4kf3fcc=
-github.com/aquasecurity/trivy-db v0.0.0-20220119092408-3e43e9ac6def h1:2E1Fj1ouevZG/2ii+XgZitDf3h5fyvNeUKduHbpDZr0=
-github.com/aquasecurity/trivy-db v0.0.0-20220119092408-3e43e9ac6def/go.mod h1:rnojVJTK+RySsfLW7xMqmQRSjQpm5fEjS+/N4kf3fcc=
+github.com/aquasecurity/trivy-db v0.0.0-20220125230746-e5eec5a98bf1 h1:mOaPyX+hVglWFk8TbLA7q01GnqVcf6yPusaQaWnDNjE=
+github.com/aquasecurity/trivy-db v0.0.0-20220125230746-e5eec5a98bf1/go.mod h1:rnojVJTK+RySsfLW7xMqmQRSjQpm5fEjS+/N4kf3fcc=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
--- a/integration/testdata/fixtures/db/ruby.yaml
+++ b/integration/testdata/fixtures/db/ruby.yaml
@@ -1,4 +1,4 @@
- bucket: GitHub Security Advisory Rubygems
+- bucket: GitHub Security Advisory RubyGems
  pairs:
    - bucket: activesupport
      pairs:
--- a/pkg/commands/option/report.go
+++ b/pkg/commands/option/report.go
@@ -94,6 +94,10 @@ func (c *ReportOption) Init(logger *zap.SugaredLogger) error {
 }

 func (c *ReportOption) populateVulnTypes() error {
+	if c.vulnType == "" {
+		return nil
+	}
+
 	for _, v := range strings.Split(c.vulnType, ",") {
 		if types.NewVulnType(v) == types.VulnTypeUnknown {
 			return xerrors.Errorf("unknown vulnerability type (%s)", v)
@@ -104,6 +108,10 @@ func (c *ReportOption) populateVulnTypes() error {
 }

 func (c *ReportOption) populateSecurityChecks() error {
+	if c.securityChecks == "" {
+		return nil
+	}
+
 	for _, v := range strings.Split(c.securityChecks, ",") {
 		if types.NewSecurityCheck(v) == types.SecurityCheckUnknown {
 			return xerrors.Errorf("unknown security check (%s)", v)
--- a/pkg/detector/library/advisory.go
+++ b/pkg/detector/library/advisory.go
@@ -49,6 +49,7 @@ func (s *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.Detect
 			PkgName:          pkgName,
 			InstalledVersion: pkgVer,
 			FixedVersion:     s.createFixedVersions(advisory),
+			DataSource:       advisory.DataSource,
 		}
 		vulns = append(vulns, vuln)
 	}
--- a/pkg/detector/library/bundler/advisory.go
+++ b/pkg/detector/library/bundler/advisory.go
@@ -5,20 +5,14 @@ import (

 	"golang.org/x/xerrors"

-	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	bundlerSrc "github.com/aquasecurity/trivy-db/pkg/vulnsrc/bundler"
 	"github.com/aquasecurity/trivy/pkg/types"
 )

-// VulnSrc defines the operation on bundler vulnerability
-type VulnSrc interface {
-	Get(pkgName string) ([]bundlerSrc.Advisory, error)
-}
-
 // Advisory implements the bundler VulnSrc
 type Advisory struct {
 	comparer RubyGemsComparer
-	vs       VulnSrc
+	vs       bundlerSrc.VulnSrc
 }

 // NewAdvisory is the factory method to return bundler.Advisory
@@ -38,11 +32,7 @@ func (a *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.Detect

 	var vulns []types.DetectedVulnerability
 	for _, advisory := range advisories {
-		adv := dbTypes.Advisory{
-			UnaffectedVersions: advisory.UnaffectedVersions,
-			PatchedVersions:    advisory.PatchedVersions,
-		}
-		if !a.comparer.IsVulnerable(pkgVer, adv) {
+		if !a.comparer.IsVulnerable(pkgVer, advisory) {
 			continue
 		}

@@ -51,6 +41,7 @@ func (a *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.Detect
 			PkgName:          strings.TrimSpace(pkgName),
 			InstalledVersion: pkgVer,
 			FixedVersion:     strings.Join(advisory.PatchedVersions, ", "),
+			DataSource:       advisory.DataSource,
 		}
 		vulns = append(vulns, vuln)
 	}
--- a/pkg/detector/library/bundler/advisory_test.go
+++ b/pkg/detector/library/bundler/advisory_test.go
@@ -3,12 +3,13 @@ package bundler_test
 import (
 	"testing"

-	"github.com/aquasecurity/trivy/pkg/detector/library/bundler"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/aquasecurity/trivy-db/pkg/db"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/dbtest"
+	"github.com/aquasecurity/trivy/pkg/detector/library/bundler"
 	"github.com/aquasecurity/trivy/pkg/types"
 )

@@ -30,13 +31,20 @@ func TestAdvisory_DetectVulnerabilities(t *testing.T) {
 				pkgName: "activesupport",
 				pkgVer:  "4.1.1",
 			},
-			fixtures: []string{"testdata/fixtures/gem.yaml"},
+			fixtures: []string{
+				"testdata/fixtures/gem.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
 			want: []types.DetectedVulnerability{
 				{
 					PkgName:          "activesupport",
 					InstalledVersion: "4.1.1",
 					VulnerabilityID:  "CVE-2015-3226",
 					FixedVersion:     ">= 4.2.2, ~> 4.1.11",
+					DataSource: &dbTypes.DataSource{
+						Name: "Ruby Advisory Database",
+						URL:  "https://github.com/rubysec/ruby-advisory-db",
+					},
 				},
 			},
 		},
@@ -72,10 +80,9 @@ func TestAdvisory_DetectVulnerabilities(t *testing.T) {
 				require.NotNil(t, err)
 				assert.Contains(t, err.Error(), tt.wantErr)
 				return
-			} else {
-				assert.NoError(t, err)
 			}

+			assert.NoError(t, err)
 			assert.Equal(t, tt.want, got)
 		})
 	}
--- a/pkg/detector/library/bundler/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/library/bundler/testdata/fixtures/data-source.yaml
@@ -0,0 +1,6 @@
+- bucket: data-source
+  pairs:
+    - key: ruby-advisory-db
+      value:
+        Name: "Ruby Advisory Database"
+        URL:  "https://github.com/rubysec/ruby-advisory-db"
--- a/pkg/detector/library/composer/advisory.go
+++ b/pkg/detector/library/composer/advisory.go
@@ -6,7 +6,6 @@ import (

 	"golang.org/x/xerrors"

-	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	composerSrc "github.com/aquasecurity/trivy-db/pkg/vulnsrc/composer"
 	"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
 	"github.com/aquasecurity/trivy/pkg/types"
@@ -36,19 +35,18 @@ func (s *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.Detect

 	var vulns []types.DetectedVulnerability
 	for _, advisory := range advisories {
-		var affectedVersions []string
 		var patchedVersions []string
-		for _, branch := range advisory.Branches {
-			for _, version := range branch.Versions {
-				if !strings.HasPrefix(version, "<=") && strings.HasPrefix(version, "<") {
-					patchedVersions = append(patchedVersions, strings.Trim(version, "<"))
+		for _, vulnerableRange := range advisory.VulnerableVersions {
+			// e.g. ">=5, <5.3.1"
+			for _, v := range strings.Split(vulnerableRange, ", ") {
+				// e.g. "<5.3.1"
+				if !strings.HasPrefix(v, "<=") && strings.HasPrefix(v, "<") {
+					patchedVersions = append(patchedVersions, strings.Trim(v, "<"))
 				}
 			}
-			affectedVersions = append(affectedVersions, strings.Join(branch.Versions, ", "))
 		}

-		adv := dbTypes.Advisory{VulnerableVersions: affectedVersions}
-		if !s.comparer.IsVulnerable(pkgVer, adv) {
+		if !s.comparer.IsVulnerable(pkgVer, advisory) {
 			continue
 		}

@@ -57,6 +55,7 @@ func (s *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.Detect
 			PkgName:          pkgName,
 			InstalledVersion: pkgVer,
 			FixedVersion:     strings.Join(patchedVersions, ", "),
+			DataSource:       advisory.DataSource,
 		}
 		vulns = append(vulns, vuln)
 	}
--- a/pkg/detector/library/composer/advisory_test.go
+++ b/pkg/detector/library/composer/advisory_test.go
@@ -7,6 +7,7 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/aquasecurity/trivy-db/pkg/db"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/dbtest"
 	"github.com/aquasecurity/trivy/pkg/detector/library/composer"
 	"github.com/aquasecurity/trivy/pkg/types"
@@ -30,13 +31,20 @@ func TestAdvisory_DetectVulnerabilities(t *testing.T) {
 				pkgName: "aws/aws-sdk-php",
 				pkgVer:  "3.2.0",
 			},
-			fixtures: []string{"testdata/fixtures/composer.yaml"},
+			fixtures: []string{
+				"testdata/fixtures/composer.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
 			want: []types.DetectedVulnerability{
 				{
 					PkgName:          "aws/aws-sdk-php",
 					InstalledVersion: "3.2.0",
 					VulnerabilityID:  "CVE-2015-5723",
 					FixedVersion:     "3.2.1",
+					DataSource: &dbTypes.DataSource{
+						Name: "PHP Security Advisories Database",
+						URL:  "https://github.com/FriendsOfPHP/security-advisories",
+					},
 				},
 			},
 		},
--- a/pkg/detector/library/composer/testdata/fixtures/composer.yaml
+++ b/pkg/detector/library/composer/testdata/fixtures/composer.yaml
@@ -4,25 +4,13 @@
      pairs:
        - key: CVE-2015-5723
          value:
-            Branches:
-              3.x:
-                Versions:
-                  - ">=3.0.0"
-                  - "<3.2.1"
+            VulnerableVersions:
+              - ">=3.0.0, <3.2.1"
    - bucket: "composer://guzzlehttp/guzzle"
      pairs:
        - key: CVE-2016-5385
          value:
-            Branches:
-              4.x:
-                Versions:
-                  - ">=4.0.0rc2"
-                  - "<4.2.4"
-              5.3:
-                Versions:
-                  - ">=5"
-                  - "<5.3.1"
-              master:
-                Versions:
-                  - ">=6"
-                  - "<6.2.1"
+            VulnerableVersions:
+              - ">=4.0.0rc2, <4.2.4"
+              - ">=5, <5.3.1"
+              - ">=6, <6.2.1"
--- a/pkg/detector/library/composer/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/library/composer/testdata/fixtures/data-source.yaml
@@ -0,0 +1,6 @@
+- bucket: data-source
+  pairs:
+    - key: php-security-advisories
+      value:
+        Name: "PHP Security Advisories Database"
+        URL: "https://github.com/FriendsOfPHP/security-advisories"
--- a/pkg/detector/library/composer/testdata/fixtures/invalid-type.yaml
+++ b/pkg/detector/library/composer/testdata/fixtures/invalid-type.yaml
@@ -4,4 +4,4 @@
      pairs:
        - key: CVE-2015-5723
          value:
-            Branches: invalid
+            VulnerableVersions: invalid
--- a/pkg/detector/library/driver.go
+++ b/pkg/detector/library/driver.go
@@ -87,7 +87,7 @@ func (d *Driver) Type() string {

 func newRubyGemsDriver() Driver {
 	c := bundler.RubyGemsComparer{}
-	return Aggregate(vulnerability.RubyGems, NewAdvisory(vulnerability.RubyGems, c), bundler.NewAdvisory(), ghsa.NewAdvisory(ecosystem.Rubygems, c))
+	return Aggregate(vulnerability.RubyGems, NewAdvisory(vulnerability.RubyGems, c), bundler.NewAdvisory(), ghsa.NewAdvisory(ecosystem.RubyGems, c))
 }

 func newComposerDriver() Driver {
--- a/pkg/detector/library/driver_test.go
+++ b/pkg/detector/library/driver_test.go
@@ -8,6 +8,7 @@ import (

 	ftypes "github.com/aquasecurity/fanal/types"
 	"github.com/aquasecurity/trivy-db/pkg/db"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/dbtest"
 	"github.com/aquasecurity/trivy/pkg/detector/library"
 	"github.com/aquasecurity/trivy/pkg/types"
@@ -27,9 +28,12 @@ func TestDriver_Detect(t *testing.T) {
 		wantErr  string
 	}{
 		{
-			name:     "happy path",
-			fixtures: []string{"testdata/fixtures/php.yaml"},
-			libType:  ftypes.Composer,
+			name: "happy path",
+			fixtures: []string{
+				"testdata/fixtures/php.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			libType: ftypes.Composer,
 			args: args{
 				pkgName: "symfony/symfony",
 				pkgVer:  "4.2.6",
@@ -40,6 +44,10 @@ func TestDriver_Detect(t *testing.T) {
 					PkgName:          "symfony/symfony",
 					InstalledVersion: "4.2.6",
 					FixedVersion:     "4.2.7",
+					DataSource: &dbTypes.DataSource{
+						Name: "GitLab Advisory Database Community",
+						URL:  "https://gitlab.com/gitlab-org/advisories-community",
+					},
 				},
 			},
 		},
@@ -61,9 +69,12 @@ func TestDriver_Detect(t *testing.T) {
 			},
 		},
 		{
-			name:     "no patched versions in the advisory",
-			fixtures: []string{"testdata/fixtures/php.yaml"},
-			libType:  ftypes.Composer,
+			name: "no patched versions in the advisory",
+			fixtures: []string{
+				"testdata/fixtures/php.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			libType: ftypes.Composer,
 			args: args{
 				pkgName: "symfony/symfony",
 				pkgVer:  "4.4.6",
@@ -74,13 +85,20 @@ func TestDriver_Detect(t *testing.T) {
 					PkgName:          "symfony/symfony",
 					InstalledVersion: "4.4.6",
 					FixedVersion:     "4.4.7",
+					DataSource: &dbTypes.DataSource{
+						Name: "PHP Security Advisories Database",
+						URL:  "https://github.com/FriendsOfPHP/security-advisories",
+					},
 				},
 			},
 		},
 		{
-			name:     "no vulnerable versions in the advisory",
-			fixtures: []string{"testdata/fixtures/ruby.yaml"},
-			libType:  ftypes.Bundler,
+			name: "no vulnerable versions in the advisory",
+			fixtures: []string{
+				"testdata/fixtures/ruby.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
+			libType: ftypes.Bundler,
 			args: args{
 				pkgName: "activesupport",
 				pkgVer:  "4.1.1",
@@ -91,6 +109,10 @@ func TestDriver_Detect(t *testing.T) {
 					PkgName:          "activesupport",
 					InstalledVersion: "4.1.1",
 					FixedVersion:     ">= 4.2.2, ~> 4.1.11",
+					DataSource: &dbTypes.DataSource{
+						Name: "Ruby Advisory Database",
+						URL:  "https://github.com/rubysec/ruby-advisory-db",
+					},
 				},
 			},
 		},
--- a/pkg/detector/library/ghsa/advisory.go
+++ b/pkg/detector/library/ghsa/advisory.go
@@ -5,20 +5,14 @@ import (

 	"golang.org/x/xerrors"

-	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/ghsa"
 	"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
 	"github.com/aquasecurity/trivy/pkg/types"
 )

-// VulnSrc defines the operations on vulnerability source
-type VulnSrc interface {
-	Get(pkgName string) ([]ghsa.Advisory, error)
-}
-
 // Advisory implements VulnSrc
 type Advisory struct {
-	vs       VulnSrc
+	vs       ghsa.VulnSrc
 	comparer comparer.Comparer
 }

@@ -39,8 +33,7 @@ func (s *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.Detect

 	var vulns []types.DetectedVulnerability
 	for _, advisory := range advisories {
-		adv := dbTypes.Advisory{VulnerableVersions: advisory.VulnerableVersions}
-		if !s.comparer.IsVulnerable(pkgVer, adv) {
+		if !s.comparer.IsVulnerable(pkgVer, advisory) {
 			continue
 		}

@@ -49,6 +42,7 @@ func (s *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.Detect
 			PkgName:          pkgName,
 			InstalledVersion: pkgVer,
 			FixedVersion:     strings.Join(advisory.PatchedVersions, ", "),
+			DataSource:       advisory.DataSource,
 		}
 		vulns = append(vulns, vuln)
 	}
--- a/pkg/detector/library/ghsa/advisory_test.go
+++ b/pkg/detector/library/ghsa/advisory_test.go
@@ -7,6 +7,7 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/aquasecurity/trivy-db/pkg/db"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	ghsaSrc "github.com/aquasecurity/trivy-db/pkg/vulnsrc/ghsa"
 	"github.com/aquasecurity/trivy/pkg/dbtest"
 	"github.com/aquasecurity/trivy/pkg/detector/library/comparer"
@@ -41,13 +42,20 @@ func TestAdvisory_DetectVulnerabilities(t *testing.T) {
 				pkgName: "symfony/symfony",
 				pkgVer:  "5.1.5-alpha",
 			},
-			fixtures: []string{"testdata/fixtures/ghsa.yaml"},
+			fixtures: []string{
+				"testdata/fixtures/ghsa.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
 			want: []types.DetectedVulnerability{
 				{
 					PkgName:          "symfony/symfony",
 					InstalledVersion: "5.1.5-alpha",
 					VulnerabilityID:  "CVE-2020-15094",
 					FixedVersion:     "5.1.5, 4.4.13",
+					DataSource: &dbTypes.DataSource{
+						Name: "GitHub Security Advisory Composer",
+						URL:  "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Acomposer",
+					},
 				},
 			},
 		},
@@ -61,13 +69,20 @@ func TestAdvisory_DetectVulnerabilities(t *testing.T) {
 				pkgName: "AWSSDK.Core",
 				pkgVer:  "3.5.1.30",
 			},
-			fixtures: []string{"testdata/fixtures/ghsa.yaml"},
+			fixtures: []string{
+				"testdata/fixtures/ghsa.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
 			want: []types.DetectedVulnerability{
 				{
 					PkgName:          "AWSSDK.Core",
 					InstalledVersion: "3.5.1.30",
 					VulnerabilityID:  "CVE-2020-99999",
 					FixedVersion:     "3.5.1.31",
+					DataSource: &dbTypes.DataSource{
+						Name: "GitHub Security Advisory Nuget",
+						URL:  "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Anuget",
+					},
 				},
 			},
 		},
--- a/pkg/detector/library/ghsa/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/library/ghsa/testdata/fixtures/data-source.yaml
@@ -0,0 +1,10 @@
+- bucket: data-source
+  pairs:
+    - key: GitHub Security Advisory Composer
+      value:
+        Name: "GitHub Security Advisory Composer"
+        URL: "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Acomposer"
+    - key: GitHub Security Advisory Nuget
+      value:
+        Name: "GitHub Security Advisory Nuget"
+        URL: "https://github.com/advisories?query=type%%3Areviewed+ecosystem%%3Anuget"
--- a/pkg/detector/library/npm/advisory.go
+++ b/pkg/detector/library/npm/advisory.go
@@ -5,7 +5,6 @@ import (

 	"golang.org/x/xerrors"

-	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/node"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
@@ -33,8 +32,7 @@ func (a *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.Detect

 	var vulns []types.DetectedVulnerability
 	for _, advisory := range advisories {
-		adv := convertToGenericAdvisory(advisory)
-		if !a.comparer.IsVulnerable(pkgVer, adv) {
+		if !a.comparer.IsVulnerable(pkgVer, advisory) {
 			continue
 		}

@@ -43,30 +41,16 @@ func (a *Advisory) DetectVulnerabilities(pkgName, pkgVer string) ([]types.Detect
 			PkgName:          pkgName,
 			InstalledVersion: pkgVer,
 			FixedVersion:     createFixedVersions(advisory.PatchedVersions),
+			DataSource:       advisory.DataSource,
 		}
 		vulns = append(vulns, vuln)
 	}
 	return vulns, nil
 }

-func convertToGenericAdvisory(advisory node.Advisory) dbTypes.Advisory {
-	var vulnerable, patched []string
-	if advisory.VulnerableVersions != "" {
-		vulnerable = strings.Split(advisory.VulnerableVersions, "||")
-	}
-	if advisory.PatchedVersions != "" {
-		patched = strings.Split(advisory.PatchedVersions, "||")
-	}
-
-	return dbTypes.Advisory{
-		VulnerableVersions: vulnerable,
-		PatchedVersions:    patched,
-	}
-}
-
-func createFixedVersions(patchedVersions string) string {
+func createFixedVersions(patchedVersions []string) string {
 	var fixedVersions []string
-	for _, s := range strings.Split(patchedVersions, "||") {
+	for _, s := range patchedVersions {
 		fixedVersions = append(fixedVersions, strings.TrimSpace(s))
 	}
 	return strings.Join(fixedVersions, ", ")
--- a/pkg/detector/library/npm/advisory_test.go
+++ b/pkg/detector/library/npm/advisory_test.go
@@ -7,6 +7,7 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/aquasecurity/trivy-db/pkg/db"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/dbtest"
 	"github.com/aquasecurity/trivy/pkg/detector/library/npm"
 	"github.com/aquasecurity/trivy/pkg/types"
@@ -30,13 +31,20 @@ func TestAdvisory_DetectVulnerabilities(t *testing.T) {
 				pkgName: "electron",
 				pkgVer:  "2.0.17",
 			},
-			fixtures: []string{"testdata/fixtures/npm.yaml"},
+			fixtures: []string{
+				"testdata/fixtures/npm.yaml",
+				"testdata/fixtures/data-source.yaml",
+			},
 			want: []types.DetectedVulnerability{
 				{
 					PkgName:          "electron",
 					InstalledVersion: "2.0.17",
 					VulnerabilityID:  "CVE-2019-5786",
 					FixedVersion:     "^2.0.18, ^3.0.16, ^3.1.6, ^4.0.8, ^5.0.0-beta.5",
+					DataSource: &dbTypes.DataSource{
+						Name: "Node.js Ecosystem Security Working Group",
+						URL:  "https://github.com/nodejs/security-wg",
+					},
 				},
 			},
 		},
@@ -79,10 +87,9 @@ func TestAdvisory_DetectVulnerabilities(t *testing.T) {
 				require.NotNil(t, err)
 				assert.Contains(t, err.Error(), tt.wantErr)
 				return
-			} else {
-				assert.NoError(t, err)
 			}

+			assert.NoError(t, err)
 			assert.Equal(t, tt.want, got)
 		})
 	}
--- a/pkg/detector/library/npm/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/library/npm/testdata/fixtures/data-source.yaml
@@ -0,0 +1,6 @@
+- bucket: data-source
+  pairs:
+    - key: nodejs-security-wg
+      value:
+        Name: "Node.js Ecosystem Security Working Group"
+        URL:  "https://github.com/nodejs/security-wg"
--- a/pkg/detector/library/npm/testdata/fixtures/npm.yaml
+++ b/pkg/detector/library/npm/testdata/fixtures/npm.yaml
@@ -4,5 +4,15 @@
      pairs:
        - key: CVE-2019-5786
          value:
-            PatchedVersions: "^2.0.18 || ^3.0.16 || ^3.1.6 || ^4.0.8 || ^5.0.0-beta.5"
-            VulnerableVersions: "<2.0.18 || <3.0.16 || <3.1.6 || <4.0.8 || <5.0.0-beta.5"
+            PatchedVersions:
+              - "^2.0.18"
+              - "^3.0.16"
+              - "^3.1.6"
+              - "^4.0.8"
+              - "^5.0.0-beta.5"
+            VulnerableVersions:
+              - "<2.0.18"
+              - "<3.0.16"
+              - "<3.1.6"
+              - "<4.0.8"
+              - "<5.0.0-beta.5"
--- a/pkg/detector/library/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/library/testdata/fixtures/data-source.yaml
@@ -0,0 +1,14 @@
+- bucket: data-source
+  pairs:
+    - key: composer::GitLab Advisory Database Community
+      value:
+        Name: "GitLab Advisory Database Community"
+        URL:  "https://gitlab.com/gitlab-org/advisories-community"
+    - key: composer::php-security-advisories
+      value:
+        Name: "PHP Security Advisories Database"
+        URL:  "https://github.com/FriendsOfPHP/security-advisories"
+    - key: rubygems::ruby-advisory-db
+      value:
+        Name: "Ruby Advisory Database"
+        URL:  "https://github.com/rubysec/ruby-advisory-db"
--- a/pkg/detector/library/testdata/fixtures/php.yaml
+++ b/pkg/detector/library/testdata/fixtures/php.yaml
@@ -1,4 +1,4 @@
- bucket: "composer::GitHub Security Advisory Composer"
+- bucket: "composer::GitLab Advisory Database Community"
  pairs:
    - bucket: symfony/symfony
      pairs:
--- a/pkg/scanner/local/testdata/fixtures/happy.yaml
+++ b/pkg/scanner/local/testdata/fixtures/happy.yaml
@@ -1,4 +1,4 @@
- bucket: "GitHub Security Advisory Rubygems"
+- bucket: "GitHub Security Advisory RubyGems"
  pairs:
    - bucket: rails
      pairs:
--- a/pkg/types/vulnerability.go
+++ b/pkg/types/vulnerability.go
@@ -17,6 +17,9 @@ type DetectedVulnerability struct {
 	SeveritySource   string       `json:",omitempty"`
 	PrimaryURL       string       `json:",omitempty"`

+	// DataSource holds where the advisory comes from
+	DataSource *types.DataSource `json:",omitempty"`
+
 	// Custom is for extensibility and not supposed to be used in OSS
 	Custom interface{} `json:",omitempty"`