ci: add depguard (#6963)

Signed-off-by: knqyf263 <knqyf263@gmail.com>
2025-12-22 23:26:39 -08:00 · 2024-06-20 06:48:08 +04:00
parent dfe757e37a
commit 983ac15f22
73 changed files with 154 additions and 119 deletions
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,4 +1,14 @@
 linters-settings:
+  depguard:
+    rules:
+      main:
+        list-mode: lax
+        deny:
+          # Cannot use gomodguard, which examines go.mod, as "golang.org/x/exp/slices" is not a module and doesn't appear in go.mod.
+          - pkg: "golang.org/x/exp/slices"
+            desc: "Use 'slices' instead"
+          - pkg: "golang.org/x/exp/maps"
+            desc: "Use 'maps' or 'github.com/samber/lo' instead"
  dupl:
    threshold: 100
  errcheck:
@@ -81,6 +91,7 @@ linters:
  disable-all: true
  enable:
    - bodyclose
+    - depguard
    - gci
    - goconst
    - gocritic
--- a/go.mod
+++ b/go.mod
@@ -119,7 +119,7 @@ require (
 	github.com/zclconf/go-cty-yaml v1.0.3
 	go.etcd.io/bbolt v1.3.10
 	golang.org/x/crypto v0.24.0
-	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa
+	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
 	golang.org/x/mod v0.17.0
 	golang.org/x/net v0.26.0
 	golang.org/x/sync v0.7.0
--- a/pkg/cloud/aws/commands/run.go
+++ b/pkg/cloud/aws/commands/run.go
@@ -3,11 +3,11 @@ package commands
 import (
 	"context"
 	"errors"
+	"slices"
 	"sort"
 	"strings"

 	"github.com/aws/aws-sdk-go-v2/service/sts"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy-aws/pkg/errs"
--- a/pkg/commands/artifact/run.go
+++ b/pkg/commands/artifact/run.go
@@ -4,11 +4,11 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"slices"

 	"github.com/hashicorp/go-multierror"
 	"github.com/samber/lo"
 	"github.com/spf13/viper"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/go-version/pkg/semver"
--- a/pkg/compliance/spec/compliance.go
+++ b/pkg/compliance/spec/compliance.go
@@ -5,7 +5,7 @@ import (
 	"os"
 	"strings"

-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 	"gopkg.in/yaml.v3"

@@ -39,7 +39,7 @@ func (cs *ComplianceSpec) Scanners() (types.Scanners, error) {
 			scannerTypes[scannerType] = struct{}{}
 		}
 	}
-	return maps.Keys(scannerTypes), nil
+	return lo.Keys(scannerTypes), nil
 }

 // CheckIDs return list of compliance check IDs
--- a/pkg/compliance/spec/mapper.go
+++ b/pkg/compliance/spec/mapper.go
@@ -1,7 +1,7 @@
 package spec

 import (
-	"golang.org/x/exp/slices"
+	"slices"

 	"github.com/aquasecurity/trivy/pkg/types"
 )
--- a/pkg/dependency/parser/c/conan/parse.go
+++ b/pkg/dependency/parser/c/conan/parse.go
@@ -2,11 +2,11 @@ package conan

 import (
 	"io"
+	"slices"
 	"strings"

 	"github.com/liamg/jfather"
 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/dependency"
--- a/pkg/dependency/parser/golang/mod/parse.go
+++ b/pkg/dependency/parser/golang/mod/parse.go
@@ -7,7 +7,6 @@ import (
 	"strings"

 	"github.com/samber/lo"
-	"golang.org/x/exp/maps"
 	"golang.org/x/mod/modfile"
 	"golang.org/x/xerrors"

@@ -148,7 +147,7 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 		}
 	}

-	return maps.Values(pkgs), nil, nil
+	return lo.Values(pkgs), nil, nil
 }

 // Check if the Go version is less than 1.17
--- a/pkg/dependency/parser/java/pom/artifact.go
+++ b/pkg/dependency/parser/java/pom/artifact.go
@@ -4,10 +4,10 @@ import (
 	"fmt"
 	"os"
 	"regexp"
+	"slices"
 	"strings"

 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"

 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"
--- a/pkg/dependency/parser/java/pom/parse.go
+++ b/pkg/dependency/parser/java/pom/parse.go
@@ -9,12 +9,12 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"slices"
 	"sort"
 	"strings"

 	multierror "github.com/hashicorp/go-multierror"
 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/net/html/charset"
 	"golang.org/x/xerrors"

--- a/pkg/dependency/parser/julia/manifest/parse.go
+++ b/pkg/dependency/parser/julia/manifest/parse.go
@@ -5,7 +5,7 @@ import (
 	"sort"

 	"github.com/BurntSushi/toml"
-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"

 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
@@ -156,7 +156,7 @@ func decodeDependency(man *primitiveManifest, dep primitiveDependency, metadata
 	var possibleDepsMap map[string]string
 	err = metadata.PrimitiveDecode(dep.Dependencies, &possibleDepsMap)
 	if err == nil {
-		possibleUuids := maps.Values(possibleDepsMap)
+		possibleUuids := lo.Values(possibleDepsMap)
 		sort.Strings(possibleUuids)
 		dep.DependsOn = possibleUuids
 		return dep, nil
--- a/pkg/dependency/parser/nodejs/npm/parse.go
+++ b/pkg/dependency/parser/nodejs/npm/parse.go
@@ -3,6 +3,7 @@ package npm
 import (
 	"fmt"
 	"io"
+	"maps"
 	"path"
 	"slices"
 	"sort"
@@ -10,7 +11,6 @@ import (

 	"github.com/liamg/jfather"
 	"github.com/samber/lo"
-	"golang.org/x/exp/maps"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/dependency"
@@ -186,7 +186,7 @@ func (p *Parser) parseV2(packages map[string]Package) ([]ftypes.Package, []ftype

 	}

-	return maps.Values(pkgs), deps
+	return lo.Values(pkgs), deps
 }

 // for local package npm uses links. e.g.:
--- a/pkg/dependency/parser/nodejs/pnpm/parse.go
+++ b/pkg/dependency/parser/nodejs/pnpm/parse.go
@@ -7,7 +7,6 @@ import (
 	"strings"

 	"github.com/samber/lo"
-	"golang.org/x/exp/maps"
 	"golang.org/x/xerrors"
 	"gopkg.in/yaml.v3"

@@ -216,7 +215,7 @@ func (p *Parser) parseV9(lockFile LockFile) ([]ftypes.Package, []ftypes.Dependen
 		}
 	}

-	return maps.Values(resolvedPkgs), maps.Values(resolvedDeps)
+	return lo.Values(resolvedPkgs), lo.Values(resolvedDeps)
 }

 // markRootPkgs sets `Dev` to false for non dev dependency.
--- a/pkg/dependency/parser/php/composer/parse.go
+++ b/pkg/dependency/parser/php/composer/parse.go
@@ -6,7 +6,7 @@ import (
 	"strings"

 	"github.com/liamg/jfather"
-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/dependency"
@@ -98,7 +98,7 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 		})
 	}

-	pkgSlice := maps.Values(pkgs)
+	pkgSlice := lo.Values(pkgs)
 	sort.Sort(ftypes.Packages(pkgSlice))
 	sort.Sort(deps)

--- a/pkg/dependency/parser/ruby/bundler/parse.go
+++ b/pkg/dependency/parser/ruby/bundler/parse.go
@@ -5,7 +5,7 @@ import (
 	"sort"
 	"strings"

-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/dependency"
@@ -103,7 +103,7 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 		return nil, nil, xerrors.Errorf("scan error: %w", err)
 	}

-	pkgSlice := maps.Values(pkgs)
+	pkgSlice := lo.Values(pkgs)
 	sort.Sort(ftypes.Packages(pkgSlice))
 	return pkgSlice, deps, nil
 }
--- a/pkg/dependency/parser/swift/cocoapods/parse.go
+++ b/pkg/dependency/parser/swift/cocoapods/parse.go
@@ -4,7 +4,7 @@ import (
 	"sort"
 	"strings"

-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 	"gopkg.in/yaml.v3"

@@ -86,7 +86,7 @@ func (p *Parser) Parse(r xio.ReadSeekerAt) ([]ftypes.Package, []ftypes.Dependenc
 	}

 	sort.Sort(deps)
-	return utils.UniquePackages(maps.Values(parsedDeps)), deps, nil
+	return utils.UniquePackages(lo.Values(parsedDeps)), deps, nil
 }

 func parseDep(dep string) (ftypes.Package, error) {
--- a/pkg/dependency/parser/utils/utils.go
+++ b/pkg/dependency/parser/utils/utils.go
@@ -2,9 +2,10 @@ package utils

 import (
 	"fmt"
+	"maps"
 	"sort"

-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"

 	ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
 )
@@ -48,7 +49,7 @@ func UniquePackages(pkgs []ftypes.Package) []ftypes.Package {
 			}
 		}
 	}
-	pkgSlice := maps.Values(unique)
+	pkgSlice := lo.Values(unique)
 	sort.Sort(ftypes.Packages(pkgSlice))

 	return pkgSlice
--- a/pkg/detector/ospkg/redhat/redhat.go
+++ b/pkg/detector/ospkg/redhat/redhat.go
@@ -3,13 +3,13 @@ package redhat
 import (
 	"context"
 	"fmt"
+	"slices"
 	"sort"
 	"strings"
 	"time"

 	version "github.com/knqyf263/go-rpm-version"
-	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"

 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
@@ -176,7 +176,7 @@ func (s *Scanner) detect(osVer string, pkg ftypes.Package) ([]types.DetectedVuln
 		}
 	}

-	vulns := maps.Values(uniqVulns)
+	vulns := lo.Values(uniqVulns)
 	sort.Slice(vulns, func(i, j int) bool {
 		return vulns[i].VulnerabilityID < vulns[j].VulnerabilityID
 	})
--- a/pkg/downloader/download.go
+++ b/pkg/downloader/download.go
@@ -2,10 +2,10 @@ package downloader

 import (
 	"context"
+	"maps"
 	"os"

 	getter "github.com/hashicorp/go-getter"
-	"golang.org/x/exp/maps"
 	"golang.org/x/xerrors"
 )

--- a/pkg/fanal/analyzer/analyzer.go
+++ b/pkg/fanal/analyzer/analyzer.go
@@ -6,12 +6,12 @@ import (
 	"io/fs"
 	"os"
 	"regexp"
+	"slices"
 	"sort"
 	"strings"
 	"sync"

 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/sync/semaphore"
 	"golang.org/x/xerrors"

--- a/pkg/fanal/analyzer/config_analyzer.go
+++ b/pkg/fanal/analyzer/config_analyzer.go
@@ -2,9 +2,9 @@ package analyzer

 import (
 	"context"
+	"slices"

 	v1 "github.com/google/go-containerregistry/pkg/v1"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/fanal/types"
--- a/pkg/fanal/analyzer/imgconf/apk/apk.go
+++ b/pkg/fanal/analyzer/imgconf/apk/apk.go
@@ -13,7 +13,7 @@ import (
 	"time"

 	v1 "github.com/google/go-containerregistry/pkg/v1"
-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
@@ -138,7 +138,7 @@ func (a alpineCmdAnalyzer) parseConfig(apkIndexArchive *apkIndex, config *v1.Con
 		}
 	}

-	return maps.Values(uniqPkgs)
+	return lo.Values(uniqPkgs)
 }

 func (a alpineCmdAnalyzer) parseCommand(command string, envs map[string]string) (pkgs []string) {
--- a/pkg/fanal/analyzer/language/dart/pub/pubspec.go
+++ b/pkg/fanal/analyzer/language/dart/pub/pubspec.go
@@ -10,7 +10,6 @@ import (
 	"sort"

 	"github.com/samber/lo"
-	"golang.org/x/exp/maps"
 	"golang.org/x/xerrors"
 	"gopkg.in/yaml.v3"

@@ -166,7 +165,7 @@ func parsePubSpecYaml(r io.Reader) (string, []string, error) {

 	// pubspec.yaml uses version ranges
 	// save only dependencies names
-	dependsOn := maps.Keys(spec.Dependencies)
+	dependsOn := lo.Keys(spec.Dependencies)

 	return dependency.ID(types.Pub, spec.Name, spec.Version), dependsOn, nil
 }
--- a/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go
+++ b/pkg/fanal/analyzer/language/dotnet/nuget/nuget.go
@@ -7,9 +7,9 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"slices"
 	"sort"

-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/dependency/parser/nuget/config"
--- a/pkg/fanal/analyzer/language/golang/mod/mod.go
+++ b/pkg/fanal/analyzer/language/golang/mod/mod.go
@@ -10,11 +10,10 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"slices"
 	"unicode"

 	"github.com/samber/lo"
-	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/dependency/parser/golang/mod"
@@ -262,7 +261,7 @@ func mergeGoSum(gomod, gosum *types.Application) {
 		uniq[lib.Name] = lib
 	}

-	gomod.Packages = maps.Values(uniq)
+	gomod.Packages = lo.Values(uniq)
 }

 func findLicense(dir string, classifierConfidenceLevel float64) ([]string, error) {
--- a/pkg/fanal/analyzer/language/julia/pkg/pkg.go
+++ b/pkg/fanal/analyzer/language/julia/pkg/pkg.go
@@ -7,12 +7,11 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"slices"
 	"sort"

 	"github.com/BurntSushi/toml"
 	"github.com/samber/lo"
-	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	julia "github.com/aquasecurity/trivy/pkg/dependency/parser/julia/manifest"
@@ -167,7 +166,7 @@ func walkDependencies(directDeps map[string]string, allPackages types.Packages,
 		walkIndirectDependencies(pkg, pkgsByID, visited)
 	}

-	return maps.Values(visited)
+	return lo.Values(visited)
 }

 // Marks all indirect dependencies as indirect. Starts from `rootPkg`. Visited deps are added to `visited`.
--- a/pkg/fanal/analyzer/language/nodejs/yarn/yarn.go
+++ b/pkg/fanal/analyzer/language/nodejs/yarn/yarn.go
@@ -15,7 +15,6 @@ import (

 	"github.com/hashicorp/go-multierror"
 	"github.com/samber/lo"
-	"golang.org/x/exp/maps"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/dependency/parser/nodejs/packagejson"
@@ -186,7 +185,7 @@ func (a yarnAnalyzer) analyzeDependencies(fsys fs.FS, dir string, app *types.App
 	// If the same package is found in both prod and dev dependencies, use the one in prod.
 	pkgs = lo.Assign(devPkgs, pkgs)

-	pkgSlice := maps.Values(pkgs)
+	pkgSlice := lo.Values(pkgs)
 	sort.Sort(types.Packages(pkgSlice))

 	// Save packages
--- a/pkg/fanal/analyzer/language/php/composer/composer.go
+++ b/pkg/fanal/analyzer/language/php/composer/composer.go
@@ -8,10 +8,10 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"slices"
 	"sort"
 	"strings"

-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/dependency/parser/php/composer"
--- a/pkg/fanal/analyzer/language/rust/cargo/cargo.go
+++ b/pkg/fanal/analyzer/language/rust/cargo/cargo.go
@@ -6,15 +6,15 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"maps"
 	"os"
 	"path"
 	"path/filepath"
+	"slices"
 	"sort"

 	"github.com/BurntSushi/toml"
 	"github.com/samber/lo"
-	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/go-version/pkg/semver"
@@ -148,7 +148,7 @@ func (a cargoAnalyzer) removeDevDependencies(fsys fs.FS, dir string, app *types.
 		a.walkIndirectDependencies(pkg, pkgIDs, pkgs)
 	}

-	pkgSlice := maps.Values(pkgs)
+	pkgSlice := lo.Values(pkgs)
 	sort.Sort(types.Packages(pkgSlice))

 	// Save only prod packages
--- a/pkg/fanal/analyzer/licensing/license.go
+++ b/pkg/fanal/analyzer/licensing/license.go
@@ -6,9 +6,9 @@ import (
 	"math"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"

-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
--- a/pkg/fanal/analyzer/os/alpine/alpine.go
+++ b/pkg/fanal/analyzer/os/alpine/alpine.go
@@ -4,8 +4,8 @@ import (
 	"bufio"
 	"context"
 	"os"
+	"slices"

-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
--- a/pkg/fanal/analyzer/os/release/release.go
+++ b/pkg/fanal/analyzer/os/release/release.go
@@ -4,10 +4,9 @@ import (
 	"bufio"
 	"context"
 	"os"
+	"slices"
 	"strings"

-	"golang.org/x/exp/slices"
-
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/types"
 )
--- a/pkg/fanal/analyzer/os/ubuntu/esm.go
+++ b/pkg/fanal/analyzer/os/ubuntu/esm.go
@@ -4,8 +4,8 @@ import (
 	"context"
 	"encoding/json"
 	"os"
+	"slices"

-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
--- a/pkg/fanal/analyzer/os/ubuntu/ubuntu.go
+++ b/pkg/fanal/analyzer/os/ubuntu/ubuntu.go
@@ -4,9 +4,9 @@ import (
 	"bufio"
 	"context"
 	"os"
+	"slices"
 	"strings"

-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
--- a/pkg/fanal/analyzer/pkg/apk/apk.go
+++ b/pkg/fanal/analyzer/pkg/apk/apk.go
@@ -8,12 +8,12 @@ import (
 	"fmt"
 	"os"
 	"path"
+	"slices"
 	"sort"
 	"strings"

 	apkVersion "github.com/knqyf263/go-apk-version"
 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"

 	"github.com/aquasecurity/trivy/pkg/digest"
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
--- a/pkg/fanal/analyzer/pkg/dpkg/copyright.go
+++ b/pkg/fanal/analyzer/pkg/dpkg/copyright.go
@@ -7,10 +7,10 @@ import (
 	"os"
 	"path"
 	"regexp"
+	"slices"
 	"strings"

 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
--- a/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
+++ b/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
@@ -11,12 +11,12 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"slices"
 	"sort"
 	"strings"

 	debVersion "github.com/knqyf263/go-deb-version"
 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/digest"
--- a/pkg/fanal/analyzer/pkg/rpm/rpm.go
+++ b/pkg/fanal/analyzer/pkg/rpm/rpm.go
@@ -6,12 +6,12 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"slices"
 	"sort"
 	"strings"

 	rpmdb "github.com/knqyf263/go-rpmdb/pkg"
 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/digest"
--- a/pkg/fanal/analyzer/pkg/rpm/rpmqa.go
+++ b/pkg/fanal/analyzer/pkg/rpm/rpmqa.go
@@ -4,9 +4,9 @@ import (
 	"bufio"
 	"context"
 	"os"
+	"slices"
 	"strings"

-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
--- a/pkg/fanal/analyzer/repo/apk/apk.go
+++ b/pkg/fanal/analyzer/repo/apk/apk.go
@@ -5,8 +5,8 @@ import (
 	"context"
 	"os"
 	"regexp"
+	"slices"

-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	ver "github.com/aquasecurity/go-version/pkg/version"
--- a/pkg/fanal/analyzer/secret/secret.go
+++ b/pkg/fanal/analyzer/secret/secret.go
@@ -7,10 +7,10 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"

 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
@@ -34,10 +34,26 @@ var (
 		"Pipfile.lock",
 		"Gemfile.lock",
 	}
-	skipDirs = []string{".git", "node_modules"}
+	skipDirs = []string{
+		".git",
+		"node_modules",
+	}
 	skipExts = []string{
-		".jpg", ".png", ".gif", ".doc", ".pdf", ".bin", ".svg", ".socket", ".deb", ".rpm",
-		".zip", ".gz", ".gzip", ".tar", ".pyc",
+		".jpg",
+		".png",
+		".gif",
+		".doc",
+		".pdf",
+		".bin",
+		".svg",
+		".socket",
+		".deb",
+		".rpm",
+		".zip",
+		".gz",
+		".gzip",
+		".tar",
+		".pyc",
 	}
 )

--- a/pkg/fanal/artifact/image/image.go
+++ b/pkg/fanal/artifact/image/image.go
@@ -6,12 +6,12 @@ import (
 	"io"
 	"os"
 	"reflect"
+	"slices"
 	"strings"
 	"sync"

 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
--- a/pkg/fanal/artifact/image/remote_sbom.go
+++ b/pkg/fanal/artifact/image/remote_sbom.go
@@ -6,11 +6,11 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"

 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	sbomatt "github.com/aquasecurity/trivy/pkg/attestation/sbom"
--- a/pkg/fanal/handler/handler.go
+++ b/pkg/fanal/handler/handler.go
@@ -2,9 +2,9 @@ package handler

 import (
 	"context"
+	"slices"
 	"sort"

-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
--- a/pkg/fanal/handler/sysfile/filter.go
+++ b/pkg/fanal/handler/sysfile/filter.go
@@ -2,10 +2,9 @@ package nodejs

 import (
 	"context"
+	"slices"
 	"strings"

-	"golang.org/x/exp/slices"
-
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/artifact"
 	"github.com/aquasecurity/trivy/pkg/fanal/handler"
--- a/pkg/fanal/handler/unpackaged/unpackaged.go
+++ b/pkg/fanal/handler/unpackaged/unpackaged.go
@@ -4,8 +4,8 @@ import (
 	"bytes"
 	"context"
 	"errors"
+	"slices"

-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	sbomatt "github.com/aquasecurity/trivy/pkg/attestation/sbom"
--- a/pkg/fanal/secret/scanner.go
+++ b/pkg/fanal/secret/scanner.go
@@ -5,12 +5,12 @@ import (
 	"errors"
 	"os"
 	"regexp"
+	"slices"
 	"sort"
 	"strings"
 	"sync"

 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 	"gopkg.in/yaml.v3"

--- a/pkg/fanal/walker/fs_test.go
+++ b/pkg/fanal/walker/fs_test.go
@@ -6,12 +6,12 @@ import (
 	"os"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"strings"
 	"testing"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"golang.org/x/exp/slices"

 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/walker"
--- a/pkg/fanal/walker/vm.go
+++ b/pkg/fanal/walker/vm.go
@@ -5,13 +5,13 @@ import (
 	"io"
 	"io/fs"
 	"path/filepath"
+	"slices"
 	"strings"

 	"github.com/masahiro331/go-disk"
 	"github.com/masahiro331/go-disk/gpt"
 	"github.com/masahiro331/go-disk/mbr"
 	"github.com/masahiro331/go-disk/types"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/fanal/vm/filesystem"
--- a/pkg/flag/options.go
+++ b/pkg/flag/options.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"slices"
 	"strings"
 	"sync"
 	"time"
@@ -14,7 +15,6 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
--- a/pkg/flag/report_flags.go
+++ b/pkg/flag/report_flags.go
@@ -1,11 +1,11 @@
 package flag

 import (
+	"slices"
 	"strings"

 	"github.com/mattn/go-shellwords"
 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
--- a/pkg/iac/adapters/cloudformation/aws/ec2/security_group.go
+++ b/pkg/iac/adapters/cloudformation/aws/ec2/security_group.go
@@ -1,7 +1,7 @@
 package ec2

 import (
-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"

 	"github.com/aquasecurity/trivy/pkg/iac/providers/aws/ec2"
 	"github.com/aquasecurity/trivy/pkg/iac/scanners/cloudformation/parser"
@@ -43,7 +43,7 @@ func getSecurityGroups(ctx parser.FileContext) []ec2.SecurityGroup {
 	}

 	if len(mGroups) > 0 {
-		return maps.Values(mGroups)
+		return lo.Values(mGroups)
 	}
 	return nil
 }
--- a/pkg/iac/adapters/terraform/google/iam/adapt.go
+++ b/pkg/iac/adapters/terraform/google/iam/adapt.go
@@ -1,7 +1,7 @@
 package iam

 import (
-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"

 	"github.com/aquasecurity/trivy/pkg/iac/providers/google/iam"
 	"github.com/aquasecurity/trivy/pkg/iac/terraform"
@@ -36,9 +36,9 @@ func (a *adapter) Adapt() iam.IAM {

 func (a *adapter) buildIAMOutput() iam.IAM {
 	return iam.IAM{
-		Organizations:                 fromPtrSlice(maps.Values(a.orgs)),
-		Folders:                       fromPtrSlice(maps.Values(a.folders)),
-		Projects:                      fromPtrSlice(maps.Values(a.projects)),
+		Organizations:                 fromPtrSlice(lo.Values(a.orgs)),
+		Folders:                       fromPtrSlice(lo.Values(a.folders)),
+		Projects:                      fromPtrSlice(lo.Values(a.projects)),
 		WorkloadIdentityPoolProviders: a.workloadIdentityPoolProviders,
 	}
 }
--- a/pkg/iac/scanners/azure/value.go
+++ b/pkg/iac/scanners/azure/value.go
@@ -1,11 +1,10 @@
 package azure

 import (
+	"slices"
 	"strings"
 	"time"

-	"golang.org/x/exp/slices"
-
 	armjson2 "github.com/aquasecurity/trivy/pkg/iac/scanners/azure/arm/parser/armjson"
 	"github.com/aquasecurity/trivy/pkg/iac/types"
 )
@@ -249,7 +248,13 @@ func (v Value) AsBoolValue(defaultValue bool, metadata types.Metadata) types.Boo
 	v.Resolve()
 	if v.Kind == KindString {
 		possibleValue := strings.ToLower(v.rLit.(string))
-		if slices.Contains([]string{"true", "1", "yes", "on", "enabled"}, possibleValue) {
+		if slices.Contains([]string{
+			"true",
+			"1",
+			"yes",
+			"on",
+			"enabled",
+		}, possibleValue) {
 			return types.Bool(true, metadata)
 		}
 	}
--- a/pkg/iac/scanners/terraform/parser/evaluator.go
+++ b/pkg/iac/scanners/terraform/parser/evaluator.go
@@ -5,13 +5,13 @@ import (
 	"errors"
 	"io/fs"
 	"reflect"
+	"slices"

 	"github.com/hashicorp/hcl/v2"
 	"github.com/hashicorp/hcl/v2/ext/typeexpr"
 	"github.com/samber/lo"
 	"github.com/zclconf/go-cty/cty"
 	"github.com/zclconf/go-cty/cty/convert"
-	"golang.org/x/exp/slices"

 	"github.com/aquasecurity/trivy/pkg/iac/debug"
 	"github.com/aquasecurity/trivy/pkg/iac/ignore"
@@ -273,7 +273,12 @@ func (e *evaluator) expandDynamicBlock(b *terraform.Block) {
 }

 func isBlockSupportsForEachMetaArgument(block *terraform.Block) bool {
-	return slices.Contains([]string{"module", "resource", "data", "dynamic"}, block.Type())
+	return slices.Contains([]string{
+		"module",
+		"resource",
+		"data",
+		"dynamic",
+	}, block.Type())
 }

 func (e *evaluator) expandBlockForEaches(blocks terraform.Blocks, isDynamic bool) terraform.Blocks {
@@ -357,7 +362,11 @@ func (e *evaluator) expandBlockForEaches(blocks terraform.Blocks, isDynamic bool
 }

 func isBlockSupportsCountMetaArgument(block *terraform.Block) bool {
-	return slices.Contains([]string{"module", "resource", "data"}, block.Type())
+	return slices.Contains([]string{
+		"module",
+		"resource",
+		"data",
+	}, block.Type())
 }

 func (e *evaluator) expandBlockCounts(blocks terraform.Blocks) terraform.Blocks {
--- a/pkg/iac/scanners/terraform/parser/modules_test.go
+++ b/pkg/iac/scanners/terraform/parser/modules_test.go
@@ -8,7 +8,6 @@ import (
 	"github.com/samber/lo"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"golang.org/x/exp/maps"

 	"github.com/aquasecurity/trivy/internal/testutil"
 )
@@ -43,7 +42,10 @@ module "this" {
  source = "../modules/s3"
 }`,
 			},
-			expected: []string{"code", "code/example"},
+			expected: []string{
+				"code",
+				"code/example",
+			},
 		},
 		{
 			name: "without module block",
@@ -51,7 +53,10 @@ module "this" {
 				"code/infra1/main.tf": `resource "test" "this" {}`,
 				"code/infra2/main.tf": `resource "test" "this" {}`,
 			},
-			expected: []string{"code/infra1", "code/infra2"},
+			expected: []string{
+				"code/infra1",
+				"code/infra2",
+			},
 		},
 	}

@@ -60,7 +65,7 @@ module "this" {
 			fsys := testutil.CreateFS(t, tt.files)
 			parser := New(fsys, "", OptionStopOnHCLError(true))

-			modules := lo.Map(maps.Keys(tt.files), func(p string, _ int) string {
+			modules := lo.Map(lo.Keys(tt.files), func(p string, _ int) string {
 				return path.Dir(p)
 			})

--- a/pkg/k8s/report/report.go
+++ b/pkg/k8s/report/report.go
@@ -4,10 +4,10 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"slices"
 	"strings"

-	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"
+	"github.com/samber/lo"

 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy-kubernetes/pkg/artifacts"
@@ -114,7 +114,7 @@ func (r Report) consolidate() ConsolidatedReport {
 		index[key] = v
 	}

-	consolidated.Findings = maps.Values(index)
+	consolidated.Findings = lo.Values(index)

 	return consolidated
 }
--- a/pkg/k8s/report/summary.go
+++ b/pkg/k8s/report/summary.go
@@ -3,11 +3,11 @@ package report
 import (
 	"fmt"
 	"io"
+	"slices"
 	"sort"
 	"strconv"
 	"strings"

-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/table"
--- a/pkg/k8s/scanner/scanner_test.go
+++ b/pkg/k8s/scanner/scanner_test.go
@@ -6,9 +6,9 @@ import (
 	"testing"

 	"github.com/package-url/packageurl-go"
+	"github.com/samber/lo"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"golang.org/x/exp/maps"

 	"github.com/aquasecurity/trivy-kubernetes/pkg/artifacts"
 	cmd "github.com/aquasecurity/trivy/pkg/commands/artifact"
@@ -284,7 +284,7 @@ func TestScanner_Scan(t *testing.T) {
 			got, err := scanner.Scan(ctx, tt.artifacts)
 			require.NoError(t, err)

-			gotComponents := maps.Values(got.BOM.Components())
+			gotComponents := lo.Values(got.BOM.Components())
 			require.Equal(t, len(tt.wantComponents), len(gotComponents))

 			sort.Slice(gotComponents, func(i, j int) bool {
--- a/pkg/licensing/expression/types.go
+++ b/pkg/licensing/expression/types.go
@@ -2,8 +2,7 @@ package expression

 import (
 	"fmt"
-
-	"golang.org/x/exp/slices"
+	"slices"

 	"github.com/aquasecurity/trivy/pkg/licensing"
 )
--- a/pkg/licensing/scanner.go
+++ b/pkg/licensing/scanner.go
@@ -1,7 +1,7 @@
 package licensing

 import (
-	"golang.org/x/exp/slices"
+	"slices"

 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/fanal/types"
--- a/pkg/mapfs/fs.go
+++ b/pkg/mapfs/fs.go
@@ -6,10 +6,10 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"slices"
 	"strings"
 	"time"

-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	xsync "github.com/aquasecurity/trivy/pkg/x/sync"
--- a/pkg/module/module.go
+++ b/pkg/module/module.go
@@ -8,13 +8,13 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"slices"
 	"sync"

 	"github.com/samber/lo"
 	"github.com/tetratelabs/wazero"
 	"github.com/tetratelabs/wazero/api"
 	wasi "github.com/tetratelabs/wazero/imports/wasi_snapshot_preview1"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
--- a/pkg/rekor/client.go
+++ b/pkg/rekor/client.go
@@ -3,6 +3,7 @@ package rekor
 import (
 	"context"
 	"net/url"
+	"slices"

 	httptransport "github.com/go-openapi/runtime/client"
 	"github.com/go-openapi/strfmt"
@@ -10,7 +11,6 @@ import (
 	eclient "github.com/sigstore/rekor/pkg/generated/client/entries"
 	"github.com/sigstore/rekor/pkg/generated/client/index"
 	"github.com/sigstore/rekor/pkg/generated/models"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/log"
--- a/pkg/report/table/table.go
+++ b/pkg/report/table/table.go
@@ -6,10 +6,10 @@ import (
 	"io"
 	"os"
 	"runtime"
+	"slices"
 	"strings"

 	"github.com/fatih/color"
-	"golang.org/x/exp/slices"

 	"github.com/aquasecurity/table"
 	"github.com/aquasecurity/tml"
--- a/pkg/report/table/vulnerability.go
+++ b/pkg/report/table/vulnerability.go
@@ -4,14 +4,13 @@ import (
 	"bytes"
 	"fmt"
 	"path/filepath"
+	"slices"
 	"sort"
 	"strings"
 	"sync"

 	"github.com/samber/lo"
 	"github.com/xlab/treeprint"
-	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"

 	"github.com/aquasecurity/table"
 	"github.com/aquasecurity/tml"
@@ -288,7 +287,7 @@ func addParents(topItem treeprint.Tree, pkg ftypes.Package, parentMap map[string
 	}

 	// Omitted
-	rootIDs := lo.Filter(maps.Keys(roots), func(pkgID string, _ int) bool {
+	rootIDs := lo.Filter(lo.Keys(roots), func(pkgID string, _ int) bool {
 		_, ok := seen[pkgID]
 		return !ok
 	})
@@ -338,7 +337,7 @@ func findAncestor(pkgID string, parentMap map[string]ftypes.Packages, seen map[s
 			}
 		}
 	}
-	return maps.Keys(ancestors)
+	return lo.Keys(ancestors)
 }

 var jarExtensions = []string{
--- a/pkg/result/filter.go
+++ b/pkg/result/filter.go
@@ -5,12 +5,11 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 	"sort"

 	"github.com/open-policy-agent/opa/rego"
 	"github.com/samber/lo"
-	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
@@ -135,7 +134,7 @@ func filterVulnerabilities(result *types.Result, severities []string, ignoreStat
 	}

 	// Override the detected vulnerabilities
-	result.Vulnerabilities = maps.Values(uniqVulns)
+	result.Vulnerabilities = lo.Values(uniqVulns)
 	if len(result.Vulnerabilities) == 0 {
 		result.Vulnerabilities = nil
 	}
--- a/pkg/sbom/io/decode.go
+++ b/pkg/sbom/io/decode.go
@@ -10,7 +10,7 @@ import (
 	debver "github.com/knqyf263/go-deb-version"
 	rpmver "github.com/knqyf263/go-rpm-version"
 	"github.com/package-url/packageurl-go"
-	"golang.org/x/exp/maps"
+	"github.com/samber/lo"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/dependency"
@@ -363,7 +363,7 @@ func (m *Decoder) addOrphanPkgs(sbom *types.SBOM) error {
 	}

 	if len(osPkgMap) > 1 {
-		return xerrors.Errorf("multiple types of OS packages in SBOM are not supported (%q)", maps.Keys(osPkgMap))
+		return xerrors.Errorf("multiple types of OS packages in SBOM are not supported (%q)", lo.Keys(osPkgMap))
 	}

 	// Add OS packages only when OS is detected.
--- a/pkg/sbom/spdx/marshal.go
+++ b/pkg/sbom/spdx/marshal.go
@@ -3,6 +3,7 @@ package spdx
 import (
 	"context"
 	"fmt"
+	"slices"
 	"sort"
 	"strings"
 	"time"
@@ -13,7 +14,6 @@ import (
 	"github.com/spdx/tools-golang/spdx"
 	"github.com/spdx/tools-golang/spdx/v2/common"
 	spdxutils "github.com/spdx/tools-golang/utils"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/clock"
--- a/pkg/scanner/local/scan.go
+++ b/pkg/scanner/local/scan.go
@@ -4,13 +4,13 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"slices"
 	"sort"
 	"strings"
 	"sync"

 	"github.com/google/wire"
 	"github.com/samber/lo"
-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
--- a/pkg/types/target.go
+++ b/pkg/types/target.go
@@ -1,7 +1,7 @@
 package types

 import (
-	"golang.org/x/exp/slices"
+	"slices"
 )

 // VulnType represents vulnerability type
--- a/pkg/utils/fsutils/fs.go
+++ b/pkg/utils/fsutils/fs.go
@@ -7,8 +7,8 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
+	"slices"

-	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"

 	"github.com/aquasecurity/trivy/pkg/log"
--- a/pkg/x/path/path.go
+++ b/pkg/x/path/path.go
@@ -1,9 +1,8 @@
 package path

 import (
+	"slices"
 	"strings"
-
-	"golang.org/x/exp/slices"
 )

 // Contains reports whether the path contains the subpath.