feat(mariner): add support for CBL-Mariner (#1640)

Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-21 23:00:42 -08:00 · 2022-01-30 05:53:07 +09:00
parent 9e903a1d88
commit 84dd33f7e9
44 changed files with 581 additions and 51 deletions
--- a/README.md
+++ b/README.md
@@ -165,7 +165,7 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 # Features
 - Comprehensive vulnerability detection
-  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
  - **Language-specific packages** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
 - Misconfiguration detection (IaC scanning) 
  - A wide variety of built-in policies are provided **out of the box**
--- a/docs/getting-started/overview.md
+++ b/docs/getting-started/overview.md
@@ -22,7 +22,7 @@ See [Integrations][integrations] for details.
 ## Features
 - Comprehensive vulnerability detection
-    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
    - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
 - Detect IaC misconfigurations
    - A wide variety of [built-in policies][builtin] are provided **out of the box**:
@@ -77,4 +77,4 @@ Please see [LICENSE][license] for Trivy licensing information.
 [podman]: ../advanced/container/podman.md
 [oci]: https://github.com/opencontainers/image-spec
-[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
--- a/docs/vulnerability/detection/data-source.md
+++ b/docs/vulnerability/detection/data-source.md
@@ -14,6 +14,7 @@
 | AlmaLinux      | [AlmaLinux Product Errata][alma]         |
 | Rocky Linux    | [Rocky Linux UpdateInfo][rocky]          |
 | Oracle Linux   | [OVAL][oracle]                           |
 | CBL-Mariner    | [OVAL][mariner]                          |
 | OpenSUSE/SLES	 | [CVRF][suse]                             |
 | Photon OS      | [Photon Security Advisory][photon]       |
@@ -58,6 +59,7 @@
 [oracle]: https://linux.oracle.com/security/oval/
 [suse]: http://ftp.suse.com/pub/projects/security/cvrf/
 [photon]: https://packages.vmware.com/photon/photon_cve_metadata/
 [mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
 [php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
 [python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip
--- a/docs/vulnerability/detection/os.md
+++ b/docs/vulnerability/detection/os.md
@@ -11,6 +11,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 | AlmaLinux                        | 8                                        | Installed by yum/rpm          |                  NO                  |
 | Rocky Linux                      | 8                                        | Installed by yum/rpm          |                  NO                  |
 | Oracle Linux                     | 5, 6, 7, 8                               | Installed by yum/rpm          |                  NO                  |
 | CBL-Mariner                      | 1.0, 2.0                                 | Installed by yum/rpm          |                 YES                  |
 | Amazon Linux                     | 1, 2                                     | Installed by yum/rpm          |                  NO                  |
 | openSUSE Leap                    | 42, 15                                   | Installed by zypper/rpm       |                  NO                  |
 | SUSE Enterprise Linux            | 11, 12, 15                               | Installed by zypper/rpm       |                  NO                  |
--- a/go.mod
+++ b/go.mod
@@ -7,13 +7,13 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20220128133114-3519fe6e6c21
+	github.com/aquasecurity/fanal v0.0.0-20220129174924-b9e05fcccc57
 	github.com/aquasecurity/go-dep-parser v0.0.0-20211224170007-df43bca6b6ff
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/trivy-db v0.0.0-20220128150422-5c53ef8a797d
+	github.com/aquasecurity/trivy-db v0.0.0-20220129175002-a5adda5ac069
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3
--- a/go.sum
+++ b/go.sum
@@ -243,8 +243,8 @@ github.com/aquasecurity/cfsec v0.2.2 h1:hq6MZlg7XFZsrerCv297N4HRlnJM7K6LLd/l/xCz
 github.com/aquasecurity/cfsec v0.2.2/go.mod h1:sUELRJqIPXTOZiHUx7TzyyFFzuk0W22IG6IWAoV8T6U=
 github.com/aquasecurity/defsec v0.0.37 h1:zdZndlKrW257b8VLK1UwfmXiyPuDrNA+wzBilHRk1LA=
 github.com/aquasecurity/defsec v0.0.37/go.mod h1:csaBEcJ3AKy44expnW0dCANEZcS/c1vcJjwBCbnKWBM=
-github.com/aquasecurity/fanal v0.0.0-20220128133114-3519fe6e6c21 h1:7nx6j3boy7oawbPvkp2Vma9OvovZWIGvzJw80w1e71E=
+github.com/aquasecurity/fanal v0.0.0-20220129174924-b9e05fcccc57 h1:/xe+XRO1uQXebv6y1XIM9424XQXVnVZ1dr+V4clegHA=
-github.com/aquasecurity/fanal v0.0.0-20220128133114-3519fe6e6c21/go.mod h1:aU+dKT2D+DLsTEmy/axt19XEIXayz0V9giXCwiypCgQ=
+github.com/aquasecurity/fanal v0.0.0-20220129174924-b9e05fcccc57/go.mod h1:aU+dKT2D+DLsTEmy/axt19XEIXayz0V9giXCwiypCgQ=
 github.com/aquasecurity/go-dep-parser v0.0.0-20211224170007-df43bca6b6ff h1:JCKEV3TgUNh9fn+8hXyIdsF9yErA0rUbCkgt2flRKt4=
 github.com/aquasecurity/go-dep-parser v0.0.0-20211224170007-df43bca6b6ff/go.mod h1:8fJ//Ob6/03lxbn4xa1F+G/giVtiVLxnZNpBp5xOxNk=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
@@ -260,8 +260,8 @@ github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516 h1:moQmzbp
 github.com/aquasecurity/testdocker v0.0.0-20210911155206-e1e85f5a1516/go.mod h1:gTd97VdQ0rg8Mkiic3rPgNOQdprZ7feTAhiD5mGQjgM=
 github.com/aquasecurity/tfsec v0.63.1 h1:KH63HTcUoab7d3PKtqFO6T8K5AY7bzLw7Kiu+EY9U64=
 github.com/aquasecurity/tfsec v0.63.1/go.mod h1:g5ZWmsfqW1FsCaPb9ux8Pzjcyss/WUB2XuRd5slqvnc=
-github.com/aquasecurity/trivy-db v0.0.0-20220128150422-5c53ef8a797d h1:vwK774PmorLkSsL/K4WUa9Y9Tn/5Ksmolv8UGHh0Wjc=
+github.com/aquasecurity/trivy-db v0.0.0-20220129175002-a5adda5ac069 h1:TYG76ClrtBiunB43Hme+ahszJfm0E+og+JQsEEMrHbk=
-github.com/aquasecurity/trivy-db v0.0.0-20220128150422-5c53ef8a797d/go.mod h1:BOulYmf+l2bd+Bjo3tTsdnbWCsh5UsJn1MqdiZzmm/Q=
+github.com/aquasecurity/trivy-db v0.0.0-20220129175002-a5adda5ac069/go.mod h1:BOulYmf+l2bd+Bjo3tTsdnbWCsh5UsJn1MqdiZzmm/Q=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
--- a/integration/client_server_test.go
+++ b/integration/client_server_test.go
@@ -203,6 +203,13 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/photon-30.json.golden",
 		},
 		{
 			name: "CBL-Mariner 1.0",
 			args: csArgs{
 				Input: "testdata/fixtures/images/mariner-1.0.tar.gz",
 			},
 			golden: "testdata/mariner-1.0.json.golden",
 		},
 		{
 			name: "buxybox with Cargo.lock",
 			args: csArgs{
--- a/integration/docker_engine_test.go
+++ b/integration/docker_engine_test.go
@@ -176,6 +176,12 @@ func TestDockerEngine(t *testing.T) {
 			input:    "testdata/fixtures/images/photon-30.tar.gz",
 			golden:   "testdata/photon-30.json.golden",
 		},
 		{
 			name:     "CBL-Mariner 1.0",
 			imageTag: "cblmariner.azurecr.io/base/core:1.0",
 			input:    "testdata/fixtures/images/mariner-1.0.tar.gz",
 			golden:   "testdata/mariner-1.0.json.golden",
 		},
 		{
 			name:     "busybox with Cargo.lock",
 			imageTag: "busy-cargo:latest",
--- a/integration/standalone_tar_test.go
+++ b/integration/standalone_tar_test.go
@@ -216,13 +216,21 @@ func TestTar(t *testing.T) {
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
 		{
-			name: "photon 3.0 integration",
+			name: "photon 3.0",
 			testArgs: args{
 				Format: "json",
 				Input:  "testdata/fixtures/images/photon-30.tar.gz",
 			},
 			golden: "testdata/photon-30.json.golden",
 		},
 		{
 			name: "CBL-Mariner 1.0",
 			testArgs: args{
 				Format: "json",
 				Input:  "testdata/fixtures/images/mariner-1.0.tar.gz",
 			},
 			golden: "testdata/mariner-1.0.json.golden",
 		},
 		{
 			name: "buxybox with Cargo.lock integration",
 			testArgs: args{
--- a/integration/testdata/almalinux-8.json.golden
+++ b/integration/testdata/almalinux-8.json.golden
@@ -85,16 +85,21 @@
          },
          "References": [
            "http://www.openwall.com/lists/oss-security/2021/08/26/2",
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json",
            "https://access.redhat.com/security/cve/CVE-2021-3712",
            "https://crates.io/crates/openssl-src",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12",
            "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366",
            "https://linux.oracle.com/cve/CVE-2021-3712.html",
-            "https://linux.oracle.com/errata/ELSA-2021-9632.html",
+            "https://linux.oracle.com/errata/ELSA-2022-9023.html",
            "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E",
            "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E",
            "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html",
            "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-3712",
            "https://rustsec.org/advisories/RUSTSEC-2021-0098.html",
            "https://security.netapp.com/advisory/ntap-20210827-0010/",
            "https://ubuntu.com/security/notices/USN-5051-1",
            "https://ubuntu.com/security/notices/USN-5051-2",
@@ -105,8 +110,7 @@
            "https://www.openssl.org/news/secadv/20210824.txt",
            "https://www.oracle.com/security-alerts/cpuoct2021.html",
            "https://www.tenable.com/security/tns-2021-16",
-            "https://www.tenable.com/security/tns-2022-02",
+            "https://www.tenable.com/security/tns-2022-02"
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json"
          ],
          "PublishedDate": "2021-08-24T15:15:00Z",
          "LastModifiedDate": "2022-01-06T09:15:00Z"
--- a/integration/testdata/alpine-310-registry.json.golden
+++ b/integration/testdata/alpine-310-registry.json.golden
@@ -93,6 +93,7 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-1549",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
            "https://linux.oracle.com/cve/CVE-2019-1549.html",
@@ -152,6 +153,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1551",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -217,6 +219,7 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-1549",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
            "https://linux.oracle.com/cve/CVE-2019-1549.html",
@@ -276,6 +279,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1551",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
--- a/integration/testdata/alpine-310.gitlab.golden
+++ b/integration/testdata/alpine-310.gitlab.golden
@@ -33,6 +33,8 @@
        }
      ],
      "links": [{
          "url": "https://access.redhat.com/security/cve/CVE-2019-1549"
        },{
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549"
        },{
          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be"
@@ -108,6 +110,8 @@
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
        },{
          "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
        },{
          "url": "https://access.redhat.com/security/cve/CVE-2019-1551"
        },{
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
        },{
@@ -197,6 +201,8 @@
        }
      ],
      "links": [{
          "url": "https://access.redhat.com/security/cve/CVE-2019-1549"
        },{
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549"
        },{
          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be"
@@ -272,6 +278,8 @@
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
        },{
          "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
        },{
          "url": "https://access.redhat.com/security/cve/CVE-2019-1551"
        },{
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
        },{
--- a/integration/testdata/alpine-310.html.golden
+++ b/integration/testdata/alpine-310.html.golden
@@ -99,6 +99,7 @@
        <td class="pkg-version">1.1.1c-r0</td>
        <td>1.1.1d-r0</td>
        <td class="links" data-more-links="off">
          <a href="https://access.redhat.com/security/cve/CVE-2019-1549">https://access.redhat.com/security/cve/CVE-2019-1549</a>
          <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549</a>
          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be</a>
          <a href="https://linux.oracle.com/cve/CVE-2019-1549.html">https://linux.oracle.com/cve/CVE-2019-1549.html</a>
@@ -129,6 +130,7 @@
        <td class="links" data-more-links="off">
          <a href="http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html">http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html</a>
          <a href="http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html</a>
          <a href="https://access.redhat.com/security/cve/CVE-2019-1551">https://access.redhat.com/security/cve/CVE-2019-1551</a>
          <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551</a>
          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f</a>
          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98</a>
@@ -165,6 +167,7 @@
        <td class="pkg-version">1.1.1c-r0</td>
        <td>1.1.1d-r0</td>
        <td class="links" data-more-links="off">
          <a href="https://access.redhat.com/security/cve/CVE-2019-1549">https://access.redhat.com/security/cve/CVE-2019-1549</a>
          <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549</a>
          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be</a>
          <a href="https://linux.oracle.com/cve/CVE-2019-1549.html">https://linux.oracle.com/cve/CVE-2019-1549.html</a>
@@ -195,6 +198,7 @@
        <td class="links" data-more-links="off">
          <a href="http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html">http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html</a>
          <a href="http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html</a>
          <a href="https://access.redhat.com/security/cve/CVE-2019-1551">https://access.redhat.com/security/cve/CVE-2019-1551</a>
          <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551</a>
          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f</a>
          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98</a>
--- a/integration/testdata/alpine-310.json.golden
+++ b/integration/testdata/alpine-310.json.golden
@@ -86,6 +86,7 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-1549",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
            "https://linux.oracle.com/cve/CVE-2019-1549.html",
@@ -144,6 +145,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1551",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -208,6 +210,7 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-1549",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
            "https://linux.oracle.com/cve/CVE-2019-1549.html",
@@ -266,6 +269,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1551",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
--- a/integration/testdata/alpine-39-ignore-cveids.json.golden
+++ b/integration/testdata/alpine-39-ignore-cveids.json.golden
@@ -88,6 +88,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1551",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -154,6 +155,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1551",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
--- a/integration/testdata/alpine-39.json.golden
+++ b/integration/testdata/alpine-39.json.golden
@@ -86,6 +86,7 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-1549",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
            "https://linux.oracle.com/cve/CVE-2019-1549.html",
@@ -144,6 +145,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1551",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -208,6 +210,7 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-1549",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
            "https://linux.oracle.com/cve/CVE-2019-1549.html",
@@ -266,6 +269,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1551",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
--- a/integration/testdata/amazon-1.json.golden
+++ b/integration/testdata/amazon-1.json.golden
@@ -87,6 +87,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
            "https://access.redhat.com/security/cve/CVE-2019-5481",
            "https://curl.haxx.se/docs/CVE-2019-5481.html",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
            "https://linux.oracle.com/cve/CVE-2019-5481.html",
--- a/integration/testdata/amazon-2.json.golden
+++ b/integration/testdata/amazon-2.json.golden
@@ -87,6 +87,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
            "https://access.redhat.com/security/cve/CVE-2019-5481",
            "https://curl.haxx.se/docs/CVE-2019-5481.html",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
            "https://linux.oracle.com/cve/CVE-2019-5481.html",
@@ -142,6 +143,7 @@
            "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html",
            "http://www.openwall.com/lists/oss-security/2019/09/11/6",
            "https://access.redhat.com/security/cve/CVE-2019-5436",
            "https://curl.haxx.se/docs/CVE-2019-5436.html",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436",
            "https://linux.oracle.com/cve/CVE-2019-5436.html",
--- a/integration/testdata/busybox-with-lockfile.json.golden
+++ b/integration/testdata/busybox-with-lockfile.json.golden
@@ -61,17 +61,11 @@
          "Layer": {
            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
          },
          "PrimaryURL": "https://osv.dev/vulnerability/RUSTSEC-2019-0001",
          "DataSource": {
            "Name": "RustSec Advisory Database",
            "URL": "https://github.com/RustSec/advisory-db"
          },
-          "Title": "Uncontrolled recursion leads to abort in HTML serialization",
+          "Severity": "UNKNOWN"
          "Description": "Affected versions of this crate did use recursion for serialization of HTML\nDOM trees.\n\nThis allows an attacker to cause abort due to stack overflow by providing\na pathologically nested input.\n\nThe flaw was corrected by serializing the DOM tree iteratively instead.",
          "Severity": "UNKNOWN",
          "References": [
            "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
          ]
        },
        {
          "VulnerabilityID": "RUSTSEC-2021-0074",
@@ -81,17 +75,11 @@
          "Layer": {
            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
          },
          "PrimaryURL": "https://osv.dev/vulnerability/RUSTSEC-2021-0074",
          "DataSource": {
            "Name": "RustSec Advisory Database",
            "URL": "https://github.com/RustSec/advisory-db"
          },
-          "Title": "Incorrect handling of embedded SVG and MathML leads to mutation XSS",
+          "Severity": "UNKNOWN"
          "Description": "Affected versions of this crate did not account for namespace-related parsing\ndifferences between HTML, SVG, and MathML. Even if the `svg` and `math` elements\nare not allowed, the underlying HTML parser still treats them differently.\nRunning cleanup without accounting for these differing namespaces resulted in an \"impossible\"\nDOM, which appeared \"safe\" when examining the DOM tree, but when serialized and deserialized,\ncould be exploited to inject abitrary markup.\n\nTo exploit this, the application using this library must allow a tag that is parsed as raw text in HTML.\nThese [elements] are:\n\n* title\n* textarea\n* xmp\n* iframe\n* noembed\n* noframes\n* plaintext\n* noscript\n* style\n* script\n\nApplications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.\n\n[elements]: https://github.com/servo/html5ever/blob/57eb334c0ffccc6f88d563419f0fbeef6ff5741c/html5ever/src/tree_builder/rules.rs",
          "Severity": "UNKNOWN",
          "References": [
            "https://github.com/rust-ammonia/ammonia/pull/142"
          ]
        }
      ]
    }
--- a/integration/testdata/centos-7-ignore-unfixed.json.golden
+++ b/integration/testdata/centos-7-ignore-unfixed.json.golden
@@ -194,6 +194,7 @@
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/",
            "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
            "https://nvd.nist.gov/vuln/detail/CVE-2018-0734",
            "https://security.netapp.com/advisory/ntap-20181105-0002/",
            "https://security.netapp.com/advisory/ntap-20190118-0002/",
            "https://security.netapp.com/advisory/ntap-20190423-0002/",
--- a/integration/testdata/centos-7.json.golden
+++ b/integration/testdata/centos-7.json.golden
@@ -99,6 +99,7 @@
            "https://linux.oracle.com/cve/CVE-2019-18276.html",
            "https://linux.oracle.com/errata/ELSA-2021-1679.html",
            "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-18276",
            "https://security.gentoo.org/glsa/202105-34",
            "https://security.netapp.com/advisory/ntap-20200430-0003/",
            "https://www.youtube.com/watch?v=-wGtxJ8opa8"
@@ -236,6 +237,7 @@
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/",
            "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
            "https://nvd.nist.gov/vuln/detail/CVE-2018-0734",
            "https://security.netapp.com/advisory/ntap-20181105-0002/",
            "https://security.netapp.com/advisory/ntap-20190118-0002/",
            "https://security.netapp.com/advisory/ntap-20190423-0002/",
--- a/integration/testdata/debian-buster-ignore-unfixed.json.golden
+++ b/integration/testdata/debian-buster-ignore-unfixed.json.golden
@@ -90,6 +90,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html",
            "https://access.redhat.com/security/cve/CVE-2019-18224",
            "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
            "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",
--- a/integration/testdata/debian-buster.json.golden
+++ b/integration/testdata/debian-buster.json.golden
@@ -91,6 +91,7 @@
            "https://linux.oracle.com/cve/CVE-2019-18276.html",
            "https://linux.oracle.com/errata/ELSA-2021-1679.html",
            "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-18276",
            "https://security.gentoo.org/glsa/202105-34",
            "https://security.netapp.com/advisory/ntap-20200430-0003/",
            "https://www.youtube.com/watch?v=-wGtxJ8opa8"
@@ -136,6 +137,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html",
            "https://access.redhat.com/security/cve/CVE-2019-18224",
            "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
            "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",
--- a/integration/testdata/debian-stretch.json.golden
+++ b/integration/testdata/debian-stretch.json.golden
@@ -91,6 +91,7 @@
            "https://linux.oracle.com/cve/CVE-2019-18276.html",
            "https://linux.oracle.com/errata/ELSA-2021-1679.html",
            "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-18276",
            "https://security.gentoo.org/glsa/202105-34",
            "https://security.netapp.com/advisory/ntap-20200430-0003/",
            "https://www.youtube.com/watch?v=-wGtxJ8opa8"
@@ -134,12 +135,14 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-5094",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
            "https://linux.oracle.com/cve/CVE-2019-5094.html",
            "https://linux.oracle.com/errata/ELSA-2020-4011.html",
            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
            "https://seclists.org/bugtraq/2019/Sep/58",
            "https://security.gentoo.org/glsa/202003-05",
            "https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -189,12 +192,14 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-5094",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
            "https://linux.oracle.com/cve/CVE-2019-5094.html",
            "https://linux.oracle.com/errata/ELSA-2020-4011.html",
            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
            "https://seclists.org/bugtraq/2019/Sep/58",
            "https://security.gentoo.org/glsa/202003-05",
            "https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -244,12 +249,14 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-5094",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
            "https://linux.oracle.com/cve/CVE-2019-5094.html",
            "https://linux.oracle.com/errata/ELSA-2020-4011.html",
            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
            "https://seclists.org/bugtraq/2019/Sep/58",
            "https://security.gentoo.org/glsa/202003-05",
            "https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -299,12 +306,14 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-5094",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
            "https://linux.oracle.com/cve/CVE-2019-5094.html",
            "https://linux.oracle.com/errata/ELSA-2020-4011.html",
            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
            "https://seclists.org/bugtraq/2019/Sep/58",
            "https://security.gentoo.org/glsa/202003-05",
            "https://security.netapp.com/advisory/ntap-20200115-0002/",
--- a/integration/testdata/distroless-base.json.golden
+++ b/integration/testdata/distroless-base.json.golden
@@ -84,6 +84,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1551",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -157,6 +158,7 @@
            "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html",
            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1563",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
@@ -226,6 +228,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1551",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -299,6 +302,7 @@
            "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html",
            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1563",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
--- a/integration/testdata/distroless-python27.json.golden
+++ b/integration/testdata/distroless-python27.json.golden
@@ -101,6 +101,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1551",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -174,6 +175,7 @@
            "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html",
            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1563",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
@@ -243,6 +245,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1551",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
@@ -316,6 +319,7 @@
            "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html",
            "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
            "https://access.redhat.com/security/cve/CVE-2019-1563",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
--- a/integration/testdata/fixtures/db/mariner.yaml
+++ b/integration/testdata/fixtures/db/mariner.yaml
@@ -0,0 +1,8 @@
 - bucket: CBL-Mariner 1.0
  pairs:
    - bucket: vim
      pairs:
        - key: CVE-2022-0158 
          value:
            FixedVersion: 0:8.2.4082-1.cm1
        - key: CVE-2022-0261
--- a/integration/testdata/fixtures/db/vulnerability.yaml
+++ b/integration/testdata/fixtures/db/vulnerability.yaml
@@ -24,6 +24,7 @@
      - http://www.openwall.com/lists/oss-security/2016/11/17/9
      - http://www.securityfocus.com/bid/94398
      - https://access.redhat.com/errata/RHSA-2017:1931
      - https://access.redhat.com/security/cve/CVE-2016-9401
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9401
      - https://linux.oracle.com/cve/CVE-2016-9401.html
      - https://linux.oracle.com/errata/ELSA-2017-1931.html
@@ -75,6 +76,7 @@
      - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
      - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
      - https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
      - https://nvd.nist.gov/vuln/detail/CVE-2018-0734
      - https://security.netapp.com/advisory/ntap-20181105-0002/
      - https://security.netapp.com/advisory/ntap-20190118-0002/
      - https://security.netapp.com/advisory/ntap-20190423-0002/
@@ -95,6 +97,7 @@
      VendorSeverity:
        amazon: 2.0
        arch-linux: 1.0
        cbl-mariner: 2.0
        nvd: 2.0
        oracle-oval: 1.0
        photon: 2.0
@@ -116,6 +119,7 @@
      PublishedDate: 2019-07-26T00:15:00Z
      References:
      - https://access.redhat.com/errata/RHSA-2019:3024
      - https://access.redhat.com/security/cve/CVE-2019-10744
      - https://github.com/advisories/GHSA-jf85-cpcp-j695
      - https://github.com/lodash/lodash/pull/4336
      - https://nvd.nist.gov/vuln/detail/CVE-2019-10744
@@ -163,6 +167,7 @@
      - https://access.redhat.com/errata/RHSA-2019:2587
      - https://access.redhat.com/errata/RHSA-2019:3023
      - https://access.redhat.com/errata/RHSA-2019:3024
      - https://access.redhat.com/security/cve/CVE-2019-11358
      - https://backdropcms.org/security/backdrop-sa-core-2019-009
      - https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
@@ -278,6 +283,7 @@
      References:
      - http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html
      - http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html
      - https://access.redhat.com/security/cve/CVE-2019-14806
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14806
      - https://github.com/advisories/GHSA-gq9m-qvpx-68hc
      - "https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168"
@@ -309,6 +315,7 @@
      LastModifiedDate: 2020-10-20T22:15:00Z
      PublishedDate: 2019-09-10T17:15:00Z
      References:
      - https://access.redhat.com/security/cve/CVE-2019-1549
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549
      - https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be
      - https://linux.oracle.com/cve/CVE-2019-1549.html
@@ -356,6 +363,7 @@
      References:
      - http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html
      - http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html
      - https://access.redhat.com/security/cve/CVE-2019-1551
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551
      - https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f
      - https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98
@@ -484,6 +492,7 @@
      - http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
      - http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
      - http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
      - https://access.redhat.com/security/cve/CVE-2019-1563
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563
      - https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64
      - https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97
@@ -543,6 +552,7 @@
      References:
      - http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html
      - http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html
      - https://access.redhat.com/security/cve/CVE-2019-18224
      - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224
      - https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c
@@ -585,12 +595,14 @@
      - https://linux.oracle.com/cve/CVE-2019-18276.html
      - https://linux.oracle.com/errata/ELSA-2021-1679.html
      - https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E
      - https://nvd.nist.gov/vuln/detail/CVE-2019-18276
      - https://security.gentoo.org/glsa/202105-34
      - https://security.netapp.com/advisory/ntap-20200430-0003/
      - https://www.youtube.com/watch?v=-wGtxJ8opa8
      Severity: HIGH
      Title: "bash: when effective UID is not equal to its real UID the saved UID is not dropped"
      VendorSeverity:
        cbl-mariner: 3.0
        nvd: 3.0
        oracle-oval: 1.0
        photon: 3.0
@@ -615,6 +627,7 @@
      References:
      - http://www.securityfocus.com/bid/106950
      - https://access.redhat.com/errata/RHSA-2019:3701
      - https://access.redhat.com/security/cve/CVE-2019-3823
      - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3823
      - https://cert-portal.siemens.com/productcert/pdf/ssa-936080.pdf
      - https://curl.haxx.se/docs/CVE-2019-3823.html
@@ -656,12 +669,14 @@
      LastModifiedDate: 2021-01-11T19:21:00Z
      PublishedDate: 2019-09-24T22:15:00Z
      References:
      - https://access.redhat.com/security/cve/CVE-2019-5094
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094
      - https://linux.oracle.com/cve/CVE-2019-5094.html
      - https://linux.oracle.com/errata/ELSA-2020-4011.html
      - https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html
      - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/
      - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/
      - https://nvd.nist.gov/vuln/detail/CVE-2019-5094
      - https://seclists.org/bugtraq/2019/Sep/58
      - https://security.gentoo.org/glsa/202003-05
      - https://security.netapp.com/advisory/ntap-20200115-0002/
@@ -675,6 +690,7 @@
      Title: "e2fsprogs: Crafted ext4 partition leads to out-of-bounds write"
      VendorSeverity:
        amazon: 2.0
        cbl-mariner: 2.0
        nvd: 2.0
        oracle-oval: 2.0
        photon: 2.0
@@ -700,6 +716,7 @@
      - http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html
      - http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html
      - http://www.openwall.com/lists/oss-security/2019/09/11/6
      - https://access.redhat.com/security/cve/CVE-2019-5436
      - https://curl.haxx.se/docs/CVE-2019-5436.html
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436
      - https://linux.oracle.com/cve/CVE-2019-5436.html
@@ -745,6 +762,7 @@
      References:
      - http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html
      - http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html
      - https://access.redhat.com/security/cve/CVE-2019-5481
      - https://curl.haxx.se/docs/CVE-2019-5481.html
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481
      - https://linux.oracle.com/cve/CVE-2019-5481.html
@@ -787,6 +805,7 @@
      LastModifiedDate: 2020-12-01T16:05:00Z
      PublishedDate: 2020-11-18T15:15:00Z
      References:
      - https://access.redhat.com/security/cve/CVE-2020-28724
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28724
      - https://github.com/advisories/GHSA-3p3h-qghp-hvh2
      - https://github.com/pallets/flask/issues/1639
@@ -828,6 +847,7 @@
      Severity: HIGH
      Title: "glibc: stack-based buffer overflow if the input to any of the printf family of functions is an 80-bit long double with a non-canonical bit pattern"
      VendorSeverity:
        amazon: 2.0
        arch-linux: 2.0
        nvd: 3.0
        oracle-oval: 2.0
@@ -852,6 +872,7 @@
      References:
      - http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html
      - http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html
      - https://access.redhat.com/security/cve/CVE-2020-8165
      - https://github.com/advisories/GHSA-2p68-f74v-9wc6
      - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml
      - "https://groups.google.com/forum/#!msg/rubyonrails-security/bv6fW4S0Y1c/KnkEqM7AAQAJ"
@@ -887,16 +908,21 @@
      PublishedDate: 2021-08-24T15:15:00Z
      References:
      - http://www.openwall.com/lists/oss-security/2021/08/26/2
      - https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json
      - https://access.redhat.com/security/cve/CVE-2021-3712
      - https://crates.io/crates/openssl-src
      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712
      - https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11
      - https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12
      - https://kc.mcafee.com/corporate/index?page=content&id=SB10366
      - https://linux.oracle.com/cve/CVE-2021-3712.html
-      - https://linux.oracle.com/errata/ELSA-2021-9632.html
+      - https://linux.oracle.com/errata/ELSA-2022-9023.html
      - https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E
      - https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E
      - https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html
      - https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html
      - https://nvd.nist.gov/vuln/detail/CVE-2021-3712
      - https://rustsec.org/advisories/RUSTSEC-2021-0098.html
      - https://security.netapp.com/advisory/ntap-20210827-0010/
      - https://ubuntu.com/security/notices/USN-5051-1
      - https://ubuntu.com/security/notices/USN-5051-2
@@ -908,40 +934,64 @@
      - https://www.oracle.com/security-alerts/cpuoct2021.html
      - https://www.tenable.com/security/tns-2021-16
      - https://www.tenable.com/security/tns-2022-02
      - https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json
      Severity: HIGH
      Title: "openssl: Read buffer overruns processing ASN.1 strings"
      VendorSeverity:
        alma: 2.0
        amazon: 2.0
        arch-linux: 3.0
        cbl-mariner: 3.0
        nvd: 3.0
        oracle-oval: 2.0
        photon: 3.0
        redhat: 2.0
        rocky: 2.0
        ubuntu: 2.0
-  - key: RUSTSEC-2019-0001
+  - key: CVE-2022-0158
    value:
-      Description: |-
+      CVSS:
-        Affected versions of this crate did use recursion for serialization of HTML
+        nvd:
-        DOM trees.
+          V2Score: 4.3
-        
+          V2Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
-        This allows an attacker to cause abort due to stack overflow by providing
+          V3Score: 3.3
-        a pathologically nested input.
+          V3Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
-        
+        redhat:
-        The flaw was corrected by serializing the DOM tree iteratively instead.
+          V3Score: 3.3
          V3Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
      CweIDs:
      - CWE-122
      Description: vim is vulnerable to Heap-based Buffer Overflow
      LastModifiedDate: 2022-01-15T16:15:00Z
      PublishedDate: 2022-01-10T16:15:00Z
      References:
-      - "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
+      - http://www.openwall.com/lists/oss-security/2022/01/15/1
-      Severity: UNKNOWN
+      - https://access.redhat.com/security/cve/CVE-2022-0158
-      Title: Uncontrolled recursion leads to abort in HTML serialization
+      - https://github.com/vim/vim/commit/5f25c3855071bd7e26255c68bf458b1b5cf92f39
-  - key: RUSTSEC-2021-0074
+      - https://huntr.dev/bounties/ac5d7005-07c6-4a0a-b251-ba9cdbf6738b
      - https://huntr.dev/bounties/ac5d7005-07c6-4a0a-b251-ba9cdbf6738b/
      - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HD5S2FC2HF22A7XQXK2XXIR46EARVWIM/
      - https://nvd.nist.gov/vuln/detail/CVE-2022-0158
      Severity: LOW
      Title: "vim: heap-based read buffer overflow in compile_get_env()"
      VendorSeverity:
        cbl-mariner: 1.0
        nvd: 1.0
        redhat: 1.0
  - key: CVE-2022-0261
    value:
-      Description: "Affected versions of this crate did not account for namespace-related parsing\ndifferences between HTML, SVG, and MathML. Even if the `svg` and `math` elements\nare not allowed, the underlying HTML parser still treats them differently.\nRunning cleanup without accounting for these differing namespaces resulted in an \"impossible\"\nDOM, which appeared \"safe\" when examining the DOM tree, but when serialized and deserialized,\ncould be exploited to inject abitrary markup.\n\nTo exploit this, the application using this library must allow a tag that is parsed as raw text in HTML.\nThese [elements] are:\n\n* title\n* textarea\n* xmp\n* iframe\n* noembed\n* noframes\n* plaintext\n* noscript\n* style\n* script\n\nApplications that do not explicitly allow any of these tags should not be affected, since none are allowed by default.\n\n[elements]: https://github.com/servo/html5ever/blob/57eb334c0ffccc6f88d563419f0fbeef6ff5741c/html5ever/src/tree_builder/rules.rs"
+      CweIDs:
      - CWE-122
      Description: Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
      LastModifiedDate: 2022-01-18T16:15:00Z
      PublishedDate: 2022-01-18T16:15:00Z
      References:
-      - https://github.com/rust-ammonia/ammonia/pull/142
+      - https://github.com/vim/vim/commit/9f8c304c8a390ade133bac29963dc8e56ab14cbc
-      Severity: UNKNOWN
+      - https://huntr.dev/bounties/fa795954-8775-4f23-98c6-d4d4d3fe8a82
-      Title: Incorrect handling of embedded SVG and MathML leads to mutation XSS
+      - https://nvd.nist.gov/vuln/detail/CVE-2022-0261
      Severity: HIGH
      Title: CVE-2022-0261 affecting package vim 8.2.4081
      VendorSeverity:
        cbl-mariner: 3.0
  - key: openSUSE-SU-2020:0062-1
    value:
      Description: "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809).                             \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project."
--- a/integration/testdata/fluentd-gems.json.golden
+++ b/integration/testdata/fluentd-gems.json.golden
@@ -143,6 +143,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00008.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00009.html",
            "https://access.redhat.com/security/cve/CVE-2019-18224",
            "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
            "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",
@@ -201,6 +202,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00031.html",
            "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00034.html",
            "https://access.redhat.com/security/cve/CVE-2020-8165",
            "https://github.com/advisories/GHSA-2p68-f74v-9wc6",
            "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2020-8165.yml",
            "https://groups.google.com/forum/#!msg/rubyonrails-security/bv6fW4S0Y1c/KnkEqM7AAQAJ",
--- a/integration/testdata/mariner-1.0.json.golden
+++ b/integration/testdata/mariner-1.0.json.golden
@@ -0,0 +1,105 @@
 {
  "SchemaVersion": 2,
  "ArtifactName": "testdata/fixtures/images/mariner-1.0.tar.gz",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "cbl-mariner",
      "Name": "1.0.20220122"
    },
    "ImageID": "sha256:8cdcbf18341ed8afa5322e7b0077f8ef3f46896882c921df5f97c51b369f6767",
    "DiffIDs": [
      "sha256:4266328c97a194b2ca52ec83bc05496596303f5e9b244ffa99cf84763a487804"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "created": "2022-01-27T01:19:38.526301656Z",
      "docker_version": "20.10.12",
      "history": [
        {
          "created": "2022-01-27T01:19:38.526301656Z",
          "comment": "Imported from -"
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:4266328c97a194b2ca52ec83bc05496596303f5e9b244ffa99cf84763a487804"
        ]
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "testdata/fixtures/images/mariner-1.0.tar.gz (cbl-mariner 1.0.20220122)",
      "Class": "os-pkgs",
      "Type": "cbl-mariner",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2022-0261",
          "PkgName": "vim",
          "InstalledVersion": "8.2.4081-1.cm1",
          "Layer": {
            "DiffID": "sha256:4266328c97a194b2ca52ec83bc05496596303f5e9b244ffa99cf84763a487804"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0261",
          "Title": "CVE-2022-0261 affecting package vim 8.2.4081",
          "Description": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-122"
          ],
          "References": [
            "https://github.com/vim/vim/commit/9f8c304c8a390ade133bac29963dc8e56ab14cbc",
            "https://huntr.dev/bounties/fa795954-8775-4f23-98c6-d4d4d3fe8a82",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-0261"
          ],
          "PublishedDate": "2022-01-18T16:15:00Z",
          "LastModifiedDate": "2022-01-18T16:15:00Z"
        },
        {
          "VulnerabilityID": "CVE-2022-0158",
          "PkgName": "vim",
          "InstalledVersion": "8.2.4081-1.cm1",
          "FixedVersion": "8.2.4082-1.cm1",
          "Layer": {
            "DiffID": "sha256:4266328c97a194b2ca52ec83bc05496596303f5e9b244ffa99cf84763a487804"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-0158",
          "Title": "vim: heap-based read buffer overflow in compile_get_env()",
          "Description": "vim is vulnerable to Heap-based Buffer Overflow",
          "Severity": "LOW",
          "CweIDs": [
            "CWE-122"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
              "V2Score": 4.3,
              "V3Score": 3.3
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
              "V3Score": 3.3
            }
          },
          "References": [
            "http://www.openwall.com/lists/oss-security/2022/01/15/1",
            "https://access.redhat.com/security/cve/CVE-2022-0158",
            "https://github.com/vim/vim/commit/5f25c3855071bd7e26255c68bf458b1b5cf92f39",
            "https://huntr.dev/bounties/ac5d7005-07c6-4a0a-b251-ba9cdbf6738b",
            "https://huntr.dev/bounties/ac5d7005-07c6-4a0a-b251-ba9cdbf6738b/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HD5S2FC2HF22A7XQXK2XXIR46EARVWIM/",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-0158"
          ],
          "PublishedDate": "2022-01-10T16:15:00Z",
          "LastModifiedDate": "2022-01-15T16:15:00Z"
        }
      ]
    }
  ]
 }
--- a/integration/testdata/nodejs.json.golden
+++ b/integration/testdata/nodejs.json.golden
@@ -66,6 +66,7 @@
            "https://access.redhat.com/errata/RHSA-2019:2587",
            "https://access.redhat.com/errata/RHSA-2019:3023",
            "https://access.redhat.com/errata/RHSA-2019:3024",
            "https://access.redhat.com/security/cve/CVE-2019-11358",
            "https://backdropcms.org/security/backdrop-sa-core-2019-009",
            "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358",
@@ -162,6 +163,7 @@
          },
          "References": [
            "https://access.redhat.com/errata/RHSA-2019:3024",
            "https://access.redhat.com/security/cve/CVE-2019-10744",
            "https://github.com/advisories/GHSA-jf85-cpcp-j695",
            "https://github.com/lodash/lodash/pull/4336",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-10744",
--- a/integration/testdata/oraclelinux-8-slim.json.golden
+++ b/integration/testdata/oraclelinux-8-slim.json.golden
@@ -96,6 +96,7 @@
          "References": [
            "http://www.securityfocus.com/bid/106950",
            "https://access.redhat.com/errata/RHSA-2019:3701",
            "https://access.redhat.com/security/cve/CVE-2019-3823",
            "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3823",
            "https://cert-portal.siemens.com/productcert/pdf/ssa-936080.pdf",
            "https://curl.haxx.se/docs/CVE-2019-3823.html",
@@ -150,6 +151,7 @@
            "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html",
            "http://www.openwall.com/lists/oss-security/2019/09/11/6",
            "https://access.redhat.com/security/cve/CVE-2019-5436",
            "https://curl.haxx.se/docs/CVE-2019-5436.html",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436",
            "https://linux.oracle.com/cve/CVE-2019-5436.html",
--- a/integration/testdata/photon-30.json.golden
+++ b/integration/testdata/photon-30.json.golden
@@ -102,6 +102,7 @@
            "https://linux.oracle.com/cve/CVE-2019-18276.html",
            "https://linux.oracle.com/errata/ELSA-2021-1679.html",
            "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-18276",
            "https://security.gentoo.org/glsa/202105-34",
            "https://security.netapp.com/advisory/ntap-20200430-0003/",
            "https://www.youtube.com/watch?v=-wGtxJ8opa8"
@@ -144,6 +145,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
            "https://access.redhat.com/security/cve/CVE-2019-5481",
            "https://curl.haxx.se/docs/CVE-2019-5481.html",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
            "https://linux.oracle.com/cve/CVE-2019-5481.html",
@@ -198,6 +200,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
            "https://access.redhat.com/security/cve/CVE-2019-5481",
            "https://curl.haxx.se/docs/CVE-2019-5481.html",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
            "https://linux.oracle.com/cve/CVE-2019-5481.html",
--- a/integration/testdata/pip.json.golden
+++ b/integration/testdata/pip.json.golden
@@ -53,6 +53,7 @@
          "References": [
            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00034.html",
            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00047.html",
            "https://access.redhat.com/security/cve/CVE-2019-14806",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14806",
            "https://github.com/advisories/GHSA-gq9m-qvpx-68hc",
            "https://github.com/pallets/werkzeug/blob/7fef41b120327d3912fbe12fb64f1951496fcf3e/src/werkzeug/debug/__init__.py#L168",
@@ -95,6 +96,7 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2020-28724",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28724",
            "https://github.com/advisories/GHSA-3p3h-qghp-hvh2",
            "https://github.com/pallets/flask/issues/1639",
--- a/integration/testdata/rockylinux-8.json.golden
+++ b/integration/testdata/rockylinux-8.json.golden
@@ -18,11 +18,11 @@
      "docker_version": "20.10.7",
      "history": [
        {
-          "created": "2021-12-15T20:22:36Z",
+          "created": "2021-12-15T20:22:36.373826081Z",
          "created_by": "/bin/sh -c #(nop) ADD file:790b4c6a174560d4701baf59e884e7d07f50f0e193e545d6d5ed1d7390979d1a in / "
        },
        {
-          "created": "2021-12-15T20:22:37Z",
+          "created": "2021-12-15T20:22:37.180885096Z",
          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
          "empty_layer": true
        }
@@ -85,16 +85,21 @@
          },
          "References": [
            "http://www.openwall.com/lists/oss-security/2021/08/26/2",
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json",
            "https://access.redhat.com/security/cve/CVE-2021-3712",
            "https://crates.io/crates/openssl-src",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11",
            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12",
            "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366",
            "https://linux.oracle.com/cve/CVE-2021-3712.html",
-            "https://linux.oracle.com/errata/ELSA-2021-9632.html",
+            "https://linux.oracle.com/errata/ELSA-2022-9023.html",
            "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E",
            "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E",
            "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html",
            "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-3712",
            "https://rustsec.org/advisories/RUSTSEC-2021-0098.html",
            "https://security.netapp.com/advisory/ntap-20210827-0010/",
            "https://ubuntu.com/security/notices/USN-5051-1",
            "https://ubuntu.com/security/notices/USN-5051-2",
@@ -105,8 +110,7 @@
            "https://www.openssl.org/news/secadv/20210824.txt",
            "https://www.oracle.com/security-alerts/cpuoct2021.html",
            "https://www.tenable.com/security/tns-2021-16",
-            "https://www.tenable.com/security/tns-2022-02",
+            "https://www.tenable.com/security/tns-2022-02"
            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json"
          ],
          "PublishedDate": "2021-08-24T15:15:00Z",
          "LastModifiedDate": "2022-01-06T09:15:00Z"
--- a/integration/testdata/ubi-7.json.golden
+++ b/integration/testdata/ubi-7.json.golden
@@ -110,6 +110,7 @@
            "https://linux.oracle.com/cve/CVE-2019-18276.html",
            "https://linux.oracle.com/errata/ELSA-2021-1679.html",
            "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-18276",
            "https://security.gentoo.org/glsa/202105-34",
            "https://security.netapp.com/advisory/ntap-20200430-0003/",
            "https://www.youtube.com/watch?v=-wGtxJ8opa8"
--- a/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden
+++ b/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden
@@ -103,12 +103,14 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-5094",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
            "https://linux.oracle.com/cve/CVE-2019-5094.html",
            "https://linux.oracle.com/errata/ELSA-2020-4011.html",
            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
            "https://seclists.org/bugtraq/2019/Sep/58",
            "https://security.gentoo.org/glsa/202003-05",
            "https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -155,12 +157,14 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-5094",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
            "https://linux.oracle.com/cve/CVE-2019-5094.html",
            "https://linux.oracle.com/errata/ELSA-2020-4011.html",
            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
            "https://seclists.org/bugtraq/2019/Sep/58",
            "https://security.gentoo.org/glsa/202003-05",
            "https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -207,12 +211,14 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-5094",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
            "https://linux.oracle.com/cve/CVE-2019-5094.html",
            "https://linux.oracle.com/errata/ELSA-2020-4011.html",
            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
            "https://seclists.org/bugtraq/2019/Sep/58",
            "https://security.gentoo.org/glsa/202003-05",
            "https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -259,12 +265,14 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-5094",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
            "https://linux.oracle.com/cve/CVE-2019-5094.html",
            "https://linux.oracle.com/errata/ELSA-2020-4011.html",
            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
            "https://seclists.org/bugtraq/2019/Sep/58",
            "https://security.gentoo.org/glsa/202003-05",
            "https://security.netapp.com/advisory/ntap-20200115-0002/",
--- a/integration/testdata/ubuntu-1804.json.golden
+++ b/integration/testdata/ubuntu-1804.json.golden
@@ -109,6 +109,7 @@
            "https://linux.oracle.com/cve/CVE-2019-18276.html",
            "https://linux.oracle.com/errata/ELSA-2021-1679.html",
            "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-18276",
            "https://security.gentoo.org/glsa/202105-34",
            "https://security.netapp.com/advisory/ntap-20200430-0003/",
            "https://www.youtube.com/watch?v=-wGtxJ8opa8"
@@ -149,12 +150,14 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-5094",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
            "https://linux.oracle.com/cve/CVE-2019-5094.html",
            "https://linux.oracle.com/errata/ELSA-2020-4011.html",
            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
            "https://seclists.org/bugtraq/2019/Sep/58",
            "https://security.gentoo.org/glsa/202003-05",
            "https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -201,12 +204,14 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-5094",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
            "https://linux.oracle.com/cve/CVE-2019-5094.html",
            "https://linux.oracle.com/errata/ELSA-2020-4011.html",
            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
            "https://seclists.org/bugtraq/2019/Sep/58",
            "https://security.gentoo.org/glsa/202003-05",
            "https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -253,12 +258,14 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-5094",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
            "https://linux.oracle.com/cve/CVE-2019-5094.html",
            "https://linux.oracle.com/errata/ELSA-2020-4011.html",
            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
            "https://seclists.org/bugtraq/2019/Sep/58",
            "https://security.gentoo.org/glsa/202003-05",
            "https://security.netapp.com/advisory/ntap-20200115-0002/",
@@ -305,12 +312,14 @@
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2019-5094",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
            "https://linux.oracle.com/cve/CVE-2019-5094.html",
            "https://linux.oracle.com/errata/ELSA-2020-4011.html",
            "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AKETJ6BREDUHRWQTV35SPGG5C6H7KSI/",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6DOBCYQKCTTWXBLMUPJ5TX3FY7JNCOKY/",
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5094",
            "https://seclists.org/bugtraq/2019/Sep/58",
            "https://security.gentoo.org/glsa/202003-05",
            "https://security.netapp.com/advisory/ntap-20200115-0002/",
--- a/pkg/detector/ospkg/detect.go
+++ b/pkg/detector/ospkg/detect.go
@@ -12,6 +12,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/alpine"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/amazon"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/debian"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/oracle"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/photon"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat"
@@ -36,6 +37,7 @@ var (
 		fos.Alpine:       alpine.NewScanner(),
 		fos.Alma:         alma.NewScanner(),
 		fos.Amazon:       amazon.NewScanner(),
 		fos.CBLMariner:   mariner.NewScanner(),
 		fos.Debian:       debian.NewScanner(),
 		fos.Ubuntu:       ubuntu.NewScanner(),
 		fos.RedHat:       redhat.NewScanner(),
--- a/pkg/detector/ospkg/mariner/mariner.go
+++ b/pkg/detector/ospkg/mariner/mariner.go
@@ -0,0 +1,82 @@
 package mariner
 import (
 	"strings"
 	version "github.com/knqyf263/go-rpm-version"
 	"golang.org/x/xerrors"
 	ftypes "github.com/aquasecurity/fanal/types"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/mariner"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/scanner/utils"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 // Scanner implements the CBL-Mariner scanner
 type Scanner struct {
 	vs mariner.VulnSrc
 }
 // NewScanner is the factory method for Scanner
 func NewScanner() *Scanner {
 	return &Scanner{
 		vs: mariner.NewVulnSrc(),
 	}
 }
 // Detect vulnerabilities in package using CBL-Mariner scanner
 func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting CBL-Mariner vulnerabilities...")
 	// e.g. 1.0.20210127
 	if strings.Count(osVer, ".") > 1 {
 		osVer = osVer[:strings.LastIndex(osVer, ".")]
 	}
 	log.Logger.Debugf("CBL-Mariner: os version: %s", osVer)
 	log.Logger.Debugf("CBL-Mariner: the number of packages: %d", len(pkgs))
 	var vulns []types.DetectedVulnerability
 	for _, pkg := range pkgs {
 		// CBL Mariner OVAL contains source package names only.
 		advisories, err := s.vs.Get(osVer, pkg.SrcName)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to get CBL-Mariner advisories: %w", err)
 		}
 		installed := utils.FormatSrcVersion(pkg)
 		installedVersion := version.NewVersion(installed)
 		for _, adv := range advisories {
 			vuln := types.DetectedVulnerability{
 				VulnerabilityID:  adv.VulnerabilityID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
 				Layer:            pkg.Layer,
 				DataSource:       adv.DataSource,
 			}
 			// Unpatched vulnerabilities
 			if adv.FixedVersion == "" {
 				vulns = append(vulns, vuln)
 				continue
 			}
 			// Patched vulnerabilities
 			fixedVersion := version.NewVersion(adv.FixedVersion)
 			if installedVersion.LessThan(fixedVersion) {
 				vuln.FixedVersion = fixedVersion.String()
 				vulns = append(vulns, vuln)
 			}
 		}
 	}
 	return vulns, nil
 }
 // IsSupportedVersion checks the OS version can be scanned using CBL-Mariner scanner
 func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
 	// EOL is not in public at the moment.
 	return true
 }
--- a/pkg/detector/ospkg/mariner/mariner_test.go
+++ b/pkg/detector/ospkg/mariner/mariner_test.go
@@ -0,0 +1,145 @@
 package mariner_test
 import (
 	"testing"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	ftypes "github.com/aquasecurity/fanal/types"
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	"github.com/aquasecurity/trivy/pkg/dbtest"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/mariner"
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 func TestScanner_Detect(t *testing.T) {
 	type args struct {
 		osVer string
 		pkgs  []ftypes.Package
 	}
 	tests := []struct {
 		name     string
 		args     args
 		fixtures []string
 		want     []types.DetectedVulnerability
 		wantErr  string
 	}{
 		{
 			name: "happy path 1.0 SrcName and Name are different",
 			fixtures: []string{
 				"testdata/fixtures/mariner.yaml",
 				"testdata/fixtures/data-source.yaml",
 			},
 			args: args{
 				osVer: "1.0",
 				pkgs: []ftypes.Package{
 					{
 						Name:       "bind-utils",
 						Epoch:      0,
 						Version:    "9.16.14",
 						Release:    "1.cm1",
 						Arch:       "aarch64",
 						SrcName:    "bind",
 						SrcEpoch:   0,
 						SrcVersion: "9.16.14",
 						SrcRelease: "1.cm1",
 						License:    "ISC",
 						Layer:      ftypes.Layer{},
 					},
 				},
 			},
 			want: []types.DetectedVulnerability{
 				{
 					PkgName:          "bind-utils",
 					VulnerabilityID:  "CVE-2019-6470",
 					InstalledVersion: "9.16.14-1.cm1",
 					FixedVersion:     "9.16.15-1.cm1",
 					Layer:            ftypes.Layer{},
 					DataSource: &dbTypes.DataSource{
 						Name: "CBL-Mariner Vulnerability Data",
 						URL:  "https://github.com/microsoft/CBL-MarinerVulnerabilityData",
 					},
 				},
 			},
 		},
 		{
 			name: "happy path 2.0",
 			fixtures: []string{
 				"testdata/fixtures/mariner.yaml",
 				"testdata/fixtures/data-source.yaml",
 			},
 			args: args{
 				osVer: "2.0",
 				pkgs: []ftypes.Package{
 					{
 						Name:       "vim",
 						Epoch:      0,
 						Version:    "8.2.4081",
 						Release:    "1.cm1",
 						Arch:       "aarch64",
 						SrcName:    "vim",
 						SrcEpoch:   0,
 						SrcVersion: "8.2.4081",
 						SrcRelease: "1.cm1",
 						License:    "Vim",
 						Layer:      ftypes.Layer{},
 					},
 				},
 			},
 			want: []types.DetectedVulnerability{
 				{
 					PkgName:          "vim",
 					VulnerabilityID:  "CVE-2022-0261",
 					InstalledVersion: "8.2.4081-1.cm1",
 					Layer:            ftypes.Layer{},
 					DataSource: &dbTypes.DataSource{
 						Name: "CBL-Mariner Vulnerability Data",
 						URL:  "https://github.com/microsoft/CBL-MarinerVulnerabilityData",
 					},
 				},
 			},
 		},
 		{
 			name:     "broken advisory",
 			fixtures: []string{"testdata/fixtures/invalid.yaml", "testdata/fixtures/data-source.yaml"},
 			args: args{
 				osVer: "1.0",
 				pkgs: []ftypes.Package{
 					{
 						Name:       "bind-utils",
 						Epoch:      0,
 						Version:    "9.16.14",
 						Release:    "1.cm1",
 						Arch:       "aarch64",
 						SrcName:    "bind",
 						SrcEpoch:   0,
 						SrcVersion: "9.16.14",
 						SrcRelease: "1.cm1",
 						License:    "ISC",
 						Layer:      ftypes.Layer{},
 					},
 				},
 			},
 			wantErr: "failed to get CBL-Mariner advisories",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			_ = dbtest.InitDB(t, tt.fixtures)
 			defer db.Close()
 			s := mariner.NewScanner()
 			got, err := s.Detect(tt.args.osVer, tt.args.pkgs)
 			if tt.wantErr != "" {
 				require.Error(t, err)
 				assert.Contains(t, err.Error(), tt.wantErr)
 				return
 			}
 			assert.NoError(t, err)
 			assert.Equal(t, tt.want, got)
 		})
 	}
 }
--- a/pkg/detector/ospkg/mariner/testdata/fixtures/data-source.yaml
+++ b/pkg/detector/ospkg/mariner/testdata/fixtures/data-source.yaml
@@ -0,0 +1,12 @@
 - bucket: data-source
  pairs:
    - key: CBL-Mariner 1.0
      value:
        Name: "CBL-Mariner Vulnerability Data"
        URL:  "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
 - bucket: data-source
  pairs:
    - key: CBL-Mariner 2.0
      value:
        Name: "CBL-Mariner Vulnerability Data"
        URL:  "https://github.com/microsoft/CBL-MarinerVulnerabilityData"
--- a/pkg/detector/ospkg/mariner/testdata/fixtures/invalid.yaml
+++ b/pkg/detector/ospkg/mariner/testdata/fixtures/invalid.yaml
@@ -0,0 +1,9 @@
 - bucket: CBL-Mariner 1.0
  pairs:
    - bucket: bind
      pairs:
        - key: CVE-2021-25219
          value:
            FixedVersion:
              - foo
              - bar
--- a/pkg/detector/ospkg/mariner/testdata/fixtures/mariner.yaml
+++ b/pkg/detector/ospkg/mariner/testdata/fixtures/mariner.yaml
@@ -0,0 +1,16 @@
 - bucket: CBL-Mariner 1.0
  pairs:
    - bucket: bind
      pairs:
        - key: CVE-2020-8618
          value:
            FixedVersion: 0:9.16.3-2.cm1
        - key: CVE-2019-6470
          value:
            FixedVersion: 0:9.16.15-1.cm1
 - bucket: CBL-Mariner 2.0
  pairs:
    - bucket: vim
      pairs:
        - key: CVE-2022-0261