Support Photon OS (#340)

* Add photon

* test(vulnerability): use generated structs and mock

* test(photon): add integration tests

* test(photon): comment in

* test(integration): add vulnerability details to trivy.db

* chore(mod): update dependencies

* chore(README): add Photon OS

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>

README.md

@@ -77,7 +77,7 @@ See [here](#continuous-integration-ci) for details.
 # Features
 
 - Detect comprehensive vulnerabilities
-  - OS packages (Alpine, **Red Hat Universal Base Image**, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux and Distroless)
+  - OS packages (Alpine, **Red Hat Universal Base Image**, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
   - **Application dependencies** (Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo)
 - Simple
   - Specify only an image name
@@ -1316,11 +1316,12 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 | Amazon Linux                 | 1, 2                                     | Installed by yum/rpm          |                  NO                  |
 | openSUSE Leap                | 42, 15                                   | Installed by zypper/rpm       |                  NO                  |
 | SUSE Enterprise Linux        | 11, 12, 15                               | Installed by zypper/rpm       |                  NO                  |
+| Photon OS                    | 1.0, 2.0, 3.0                            | Installed by tdnf/yum/rpm     |                  NO                  |
 | Debian GNU/Linux             | wheezy, jessie, stretch, buster          | Installed by apt/apt-get/dpkg |                 YES                  |
 | Ubuntu                       | 12.04, 14.04, 16.04, 18.04, 18.10, 19.04 | Installed by apt/apt-get/dpkg |                 YES                  |
 | Distroless                   | Any                                      | Installed by apt/apt-get/dpkg |                 YES                  |
 
-RHEL, CentOS, Oracle Linux, SUSE and Amazon Linux package information is stored in a binary format, and Trivy uses the `rpm` executable to parse this information when scanning an image based on RHEL or CentOS. The Trivy container image includes `rpm`, and the installers include it as a dependency. If you installed the `trivy` binary using `wget` or `curl`, or if you build it from source, you will also need to ensure that `rpm` is available.
+RHEL, CentOS, Oracle Linux, SUSE, Amazon Linux and Photon OS package information is stored in a binary format, and Trivy uses the `rpm` executable to parse this information when scanning an image based on RHEL or CentOS. The Trivy container image includes `rpm`, and the installers include it as a dependency. If you installed the `trivy` binary using `wget` or `curl`, or if you build it from source, you will also need to ensure that `rpm` is available.
 
 Distroless: https://github.com/GoogleContainerTools/distroless
 

go.mod

@@ -5,7 +5,7 @@ go 1.13
 require (
 	github.com/aquasecurity/fanal v0.0.0-20191225115707-0939236aadb8
 	github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
-	github.com/aquasecurity/trivy-db v0.0.0-20191223151440-3e45ca45a297
+	github.com/aquasecurity/trivy-db v0.0.0-20191226181755-d6cabf5bc5d1
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cheggaaa/pb/v3 v3.0.3
 	github.com/docker/docker v0.0.0-20180924202107-a9c061deec0f

go.sum

@@ -34,8 +34,8 @@ github.com/aquasecurity/fanal v0.0.0-20191225115707-0939236aadb8/go.mod h1:I+y3t
 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ulc/gvfWm4ylhVaR7MxOwujRjA6et7KhmUbSgUFf4=
 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ=
 github.com/aquasecurity/trivy v0.1.6/go.mod h1:5hobyhxLzDtxruHzPxpND2PUKOssvGUdE9BocpJUwo4=
-github.com/aquasecurity/trivy-db v0.0.0-20191223151440-3e45ca45a297 h1:XyGsaTMGASjxlXW2w+Dn6vwRje8MHASymxj1QEE+xwI=
+github.com/aquasecurity/trivy-db v0.0.0-20191226181755-d6cabf5bc5d1 h1:IVXoVH8ejJuBdxgH/+er2WjBxc0tqIGuBCqI5aWW3A0=
-github.com/aquasecurity/trivy-db v0.0.0-20191223151440-3e45ca45a297/go.mod h1:Uf9bXd50zTHtWTP7+7u5+OFCPtUVrmsS4v0RXd7E5lw=
+github.com/aquasecurity/trivy-db v0.0.0-20191226181755-d6cabf5bc5d1/go.mod h1:Uf9bXd50zTHtWTP7+7u5+OFCPtUVrmsS4v0RXd7E5lw=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83 h1:ukTLOeMC0aVxbJWVg6hOsVJ0VPIo8w++PbNsze/pqF8=

integration/client_server_test.go

@@ -277,6 +277,30 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/opensuse-leap-423.json.golden",
 		},
+		{
+			name: "photon 1.0 integration",
+			testArgs: args{
+				Version: "dev",
+				Input:   "testdata/fixtures/photon-10.tar.gz",
+			},
+			golden: "testdata/photon-10.json.golden",
+		},
+		{
+			name: "photon 2.0 integration",
+			testArgs: args{
+				Version: "dev",
+				Input:   "testdata/fixtures/photon-20.tar.gz",
+			},
+			golden: "testdata/photon-20.json.golden",
+		},
+		{
+			name: "photon 3.0 integration",
+			testArgs: args{
+				Version: "dev",
+				Input:   "testdata/fixtures/photon-30.tar.gz",
+			},
+			golden: "testdata/photon-30.json.golden",
+		},
 		{
 			name: "invalid token",
 			testArgs: args{

integration/standalone_test.go

@@ -311,6 +311,36 @@ func TestRun_WithTar(t *testing.T) {
 			},
 			golden: "testdata/opensuse-leap-423.json.golden",
 		},
+		{
+			name: "photon 1.0 integration",
+			testArgs: args{
+				Version:    "dev",
+				SkipUpdate: true,
+				Format:     "json",
+				Input:      "testdata/fixtures/photon-10.tar.gz",
+			},
+			golden: "testdata/photon-10.json.golden",
+		},
+		{
+			name: "photon 2.0 integration",
+			testArgs: args{
+				Version:    "dev",
+				SkipUpdate: true,
+				Format:     "json",
+				Input:      "testdata/fixtures/photon-20.tar.gz",
+			},
+			golden: "testdata/photon-20.json.golden",
+		},
+		{
+			name: "photon 3.0 integration",
+			testArgs: args{
+				Version:    "dev",
+				SkipUpdate: true,
+				Format:     "json",
+				Input:      "testdata/fixtures/photon-30.tar.gz",
+			},
+			golden: "testdata/photon-30.json.golden",
+		},
 	}
 
 	for _, c := range cases {

integration/testdata/opensuse-leap-151.json.golden

@@ -100,4 +100,4 @@
       }
     ]
   }
-]
+]

integration/testdata/opensuse-leap-423.json.golden

@@ -3,4 +3,4 @@
     "Target": "testdata/fixtures/opensuse-leap-423.tar.gz (opensuse.leap 42.3)",
     "Vulnerabilities": null
   }
-]
+]

integration/testdata/oraclelinux-6-slim.json.golden

@@ -162,5 +162,4 @@
       }
     ]
   }
-]
+]
-

integration/testdata/oraclelinux-7-slim.json.golden

@@ -855,5 +855,4 @@
       }
     ]
   }
-]
+]
-

integration/testdata/oraclelinux-8-slim.json.golden

@@ -3,4 +3,4 @@
     "Target": "testdata/fixtures/oraclelinux-8-slim.tar.gz (oracle 8.0)",
     "Vulnerabilities": null
   }
-]
+]

integration/testdata/photon-10.json.golden

@@ -0,0 +1,61 @@
+[
+  {
+    "Target": "testdata/fixtures/photon-10.tar.gz (photon 1.0)",
+    "Vulnerabilities": [
+      {
+        "VulnerabilityID": "CVE-2012-6711",
+        "PkgName": "bash",
+        "InstalledVersion": "4.3.48-3.ph1",
+        "FixedVersion": "4.3.48-4.ph1",
+        "Title": "bash: heap-based buffer overflow during echo of unsupported characters",
+        "Description": "A heap-based buffer overflow exists in GNU Bash before 4.3 when wide characters, not supported by the current locale set in the LC_CTYPE environment variable, are printed through the echo built-in function. A local attacker, who can provide data to print through the \"echo -e\" built-in function, may use this flaw to crash a script or execute code with the privileges of the bash process. This occurs because ansicstr() in lib/sh/strtrans.c mishandles u32cconv().",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel\u0026id=863d31ae775d56b785dc5b0105b6d251515d81d5",
+          "http://www.securityfocus.com/bid/108824",
+          "https://bugzilla.redhat.com/show_bug.cgi?id=1721071",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6711"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1563",
+        "PkgName": "openssl",
+        "InstalledVersion": "1.0.2s-1.ph1",
+        "FixedVersion": "1.0.2t-1.ph1",
+        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1547",
+        "PkgName": "openssl",
+        "InstalledVersion": "1.0.2s-1.ph1",
+        "FixedVersion": "1.0.2t-1.ph1",
+        "Title": "openssl: side-channel weak encryption vulnerability",
+        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "LOW",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://arxiv.org/abs/1909.01785",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      }
+    ]
+  }
+]

integration/testdata/photon-20.json.golden

@@ -0,0 +1,227 @@
+[
+  {
+    "Target": "testdata/fixtures/photon-20.tar.gz (photon 2.0)",
+    "Vulnerabilities": [
+      {
+        "VulnerabilityID": "CVE-2019-5481",
+        "PkgName": "curl",
+        "InstalledVersion": "7.59.0-7.ph2",
+        "FixedVersion": "7.59.0-9.ph2",
+        "Title": "curl: double free due to subsequent call of realloc()",
+        "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
+        "Severity": "HIGH",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
+          "https://curl.haxx.se/docs/CVE-2019-5481.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5482",
+        "PkgName": "curl",
+        "InstalledVersion": "7.59.0-7.ph2",
+        "FixedVersion": "7.59.0-9.ph2",
+        "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
+        "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
+        "Severity": "HIGH",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
+          "https://curl.haxx.se/docs/CVE-2019-5482.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-16890",
+        "PkgName": "curl",
+        "InstalledVersion": "7.59.0-7.ph2",
+        "FixedVersion": "7.59.0-8.ph2",
+        "Title": "curl: NTLM type-2 heap out-of-bounds buffer read",
+        "Description": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://www.securityfocus.com/bid/106947",
+          "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890",
+          "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf",
+          "https://curl.haxx.se/docs/CVE-2018-16890.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890",
+          "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E",
+          "https://security.netapp.com/advisory/ntap-20190315-0001/",
+          "https://usn.ubuntu.com/3882-1/",
+          "https://www.debian.org/security/2019/dsa-4386",
+          "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
+          "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5481",
+        "PkgName": "curl-libs",
+        "InstalledVersion": "7.59.0-7.ph2",
+        "FixedVersion": "7.59.0-9.ph2",
+        "Title": "curl: double free due to subsequent call of realloc()",
+        "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
+        "Severity": "HIGH",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
+          "https://curl.haxx.se/docs/CVE-2019-5481.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5482",
+        "PkgName": "curl-libs",
+        "InstalledVersion": "7.59.0-7.ph2",
+        "FixedVersion": "7.59.0-9.ph2",
+        "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
+        "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
+        "Severity": "HIGH",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
+          "https://curl.haxx.se/docs/CVE-2019-5482.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-16890",
+        "PkgName": "curl-libs",
+        "InstalledVersion": "7.59.0-7.ph2",
+        "FixedVersion": "7.59.0-8.ph2",
+        "Title": "curl: NTLM type-2 heap out-of-bounds buffer read",
+        "Description": "libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a heap buffer out-of-bounds read. The function handling incoming NTLM type-2 messages (`lib/vauth/ntlm.c:ntlm_decode_type2_target`) does not validate incoming data correctly and is subject to an integer overflow vulnerability. Using that overflow, a malicious or broken NTLM server could trick libcurl to accept a bad length + offset combination that would lead to a buffer read out-of-bounds.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://www.securityfocus.com/bid/106947",
+          "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16890",
+          "https://cert-portal.siemens.com/productcert/pdf/ssa-436177.pdf",
+          "https://curl.haxx.se/docs/CVE-2018-16890.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890",
+          "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E",
+          "https://security.netapp.com/advisory/ntap-20190315-0001/",
+          "https://usn.ubuntu.com/3882-1/",
+          "https://www.debian.org/security/2019/dsa-4386",
+          "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
+          "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5094",
+        "PkgName": "e2fsprogs-libs",
+        "InstalledVersion": "1.43.4-2.ph2",
+        "FixedVersion": "1.43.4-3.ph2",
+        "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
+          "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
+          "https://seclists.org/bugtraq/2019/Sep/58",
+          "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
+          "https://usn.ubuntu.com/4142-2/",
+          "https://www.debian.org/security/2019/dsa-4535"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-20843",
+        "PkgName": "expat-libs",
+        "InstalledVersion": "2.2.4-1.ph2",
+        "FixedVersion": "2.2.4-2.ph2",
+        "Title": "expat: large number of colons in input makes parser consume high amount of resources, leading to DoS",
+        "Description": "In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).",
+        "Severity": "HIGH",
+        "References": [
+          "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226",
+          "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843",
+          "https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes",
+          "https://github.com/libexpat/libexpat/issues/186",
+          "https://github.com/libexpat/libexpat/pull/262",
+          "https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6",
+          "https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html",
+          "https://seclists.org/bugtraq/2019/Jun/39",
+          "https://security.netapp.com/advisory/ntap-20190703-0001/",
+          "https://usn.ubuntu.com/4040-1/",
+          "https://usn.ubuntu.com/4040-2/",
+          "https://www.debian.org/security/2019/dsa-4472"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-13115",
+        "PkgName": "libssh2",
+        "InstalledVersion": "1.8.2-1.ph2",
+        "FixedVersion": "1.9.0-1.ph2",
+        "Title": "libssh2: integer overflow in kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c leads to out-of-bounds write",
+        "Description": "In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://blog.semmle.com/libssh2-integer-overflow/",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13115",
+          "https://github.com/libssh2/libssh2/compare/02ecf17...42d37aa",
+          "https://github.com/libssh2/libssh2/pull/350",
+          "https://libssh2.org/changes.html",
+          "https://lists.debian.org/debian-lts-announce/2019/07/msg00024.html"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1563",
+        "PkgName": "openssl",
+        "InstalledVersion": "1.0.2s-1.ph2",
+        "FixedVersion": "1.0.2t-1.ph2",
+        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1547",
+        "PkgName": "openssl",
+        "InstalledVersion": "1.0.2s-1.ph2",
+        "FixedVersion": "1.0.2t-1.ph2",
+        "Title": "openssl: side-channel weak encryption vulnerability",
+        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "LOW",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://arxiv.org/abs/1909.01785",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-16168",
+        "PkgName": "sqlite-libs",
+        "InstalledVersion": "3.27.2-3.ph2",
+        "FixedVersion": "3.27.2-5.ph2",
+        "Description": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://security.netapp.com/advisory/ntap-20190926-0003/",
+          "https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html",
+          "https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62",
+          "https://www.sqlite.org/src/timeline?c=98357d8c1263920b"
+        ]
+      }
+    ]
+  }
+]

integration/testdata/photon-30.json.golden

@@ -0,0 +1,142 @@
+[
+  {
+    "Target": "testdata/fixtures/photon-30.tar.gz (photon 3.0)",
+    "Vulnerabilities": [
+      {
+        "VulnerabilityID": "CVE-2019-5481",
+        "PkgName": "curl",
+        "InstalledVersion": "7.61.1-4.ph3",
+        "FixedVersion": "7.61.1-5.ph3",
+        "Title": "curl: double free due to subsequent call of realloc()",
+        "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
+        "Severity": "HIGH",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
+          "https://curl.haxx.se/docs/CVE-2019-5481.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5482",
+        "PkgName": "curl",
+        "InstalledVersion": "7.61.1-4.ph3",
+        "FixedVersion": "7.61.1-5.ph3",
+        "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
+        "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
+        "Severity": "HIGH",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
+          "https://curl.haxx.se/docs/CVE-2019-5482.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5481",
+        "PkgName": "curl-libs",
+        "InstalledVersion": "7.61.1-4.ph3",
+        "FixedVersion": "7.61.1-5.ph3",
+        "Title": "curl: double free due to subsequent call of realloc()",
+        "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
+        "Severity": "HIGH",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
+          "https://curl.haxx.se/docs/CVE-2019-5481.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5482",
+        "PkgName": "curl-libs",
+        "InstalledVersion": "7.61.1-4.ph3",
+        "FixedVersion": "7.61.1-5.ph3",
+        "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
+        "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
+        "Severity": "HIGH",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
+          "https://curl.haxx.se/docs/CVE-2019-5482.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5094",
+        "PkgName": "e2fsprogs-libs",
+        "InstalledVersion": "1.44.3-2.ph3",
+        "FixedVersion": "1.44.3-3.ph3",
+        "Description": "An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094",
+          "https://lists.debian.org/debian-lts-announce/2019/09/msg00029.html",
+          "https://seclists.org/bugtraq/2019/Sep/58",
+          "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887",
+          "https://usn.ubuntu.com/4142-2/",
+          "https://www.debian.org/security/2019/dsa-4535"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1563",
+        "PkgName": "openssl",
+        "InstalledVersion": "1.0.2s-1.ph3",
+        "FixedVersion": "1.0.2t-1.ph3",
+        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1547",
+        "PkgName": "openssl",
+        "InstalledVersion": "1.0.2s-1.ph3",
+        "FixedVersion": "1.0.2t-1.ph3",
+        "Title": "openssl: side-channel weak encryption vulnerability",
+        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "LOW",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://arxiv.org/abs/1909.01785",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-16168",
+        "PkgName": "sqlite-libs",
+        "InstalledVersion": "3.27.2-3.ph3",
+        "FixedVersion": "3.27.2-5.ph3",
+        "Description": "In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a \"severe division by zero in the query planner.\"",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://security.netapp.com/advisory/ntap-20190926-0003/",
+          "https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html",
+          "https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62",
+          "https://www.sqlite.org/src/timeline?c=98357d8c1263920b"
+        ]
+      }
+    ]
+  }
+]

pkg/detector/ospkg/detect.go

@@ -5,6 +5,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/amazon"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/debian"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/oracle"
+	"github.com/aquasecurity/trivy/pkg/detector/ospkg/photon"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/redhat"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/suse"
 	"github.com/aquasecurity/trivy/pkg/detector/ospkg/ubuntu"
@@ -73,6 +74,8 @@ func newDriver(osFamily, osName string) Driver {
 		d = suse.NewScanner(suse.OpenSUSE)
 	case fos.SLES:
 		d = suse.NewScanner(suse.SUSEEnterpriseLinux)
+	case fos.Photon:
+		d = photon.NewScanner()
 	default:
 		log.Logger.Warnf("unsupported os : %s", osFamily)
 		return nil

pkg/detector/ospkg/photon/photon.go

@@ -0,0 +1,68 @@
+package photon
+
+import (
+	"time"
+
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/photon"
+	version "github.com/knqyf263/go-rpm-version"
+
+	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/fanal/analyzer"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/scanner/utils"
+	"github.com/aquasecurity/trivy/pkg/types"
+
+	"k8s.io/utils/clock"
+)
+
+var (
+	eolDates = map[string]time.Time{}
+)
+
+type Scanner struct {
+	vs    dbTypes.VulnSrc
+	clock clock.Clock
+}
+
+func NewScanner() *Scanner {
+	return &Scanner{
+		vs:    photon.NewVulnSrc(),
+		clock: clock.RealClock{},
+	}
+}
+
+func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]types.DetectedVulnerability, error) {
+	log.Logger.Info("Detecting Photon Linux vulnerabilities...")
+	log.Logger.Debugf("Photon Linux: os version: %s", osVer)
+	log.Logger.Debugf("Photon Linux: the number of packages: %d", len(pkgs))
+
+	var vulns []types.DetectedVulnerability
+	for _, pkg := range pkgs {
+		advisories, err := s.vs.Get(osVer, pkg.SrcName)
+		if err != nil {
+			return nil, xerrors.Errorf("failed to get Photon Linux advisory: %w", err)
+		}
+
+		installed := utils.FormatVersion(pkg)
+		installedVersion := version.NewVersion(installed)
+		for _, adv := range advisories {
+			fixedVersion := version.NewVersion(adv.FixedVersion)
+			vuln := types.DetectedVulnerability{
+				VulnerabilityID:  adv.VulnerabilityID,
+				PkgName:          pkg.Name,
+				InstalledVersion: installed,
+			}
+			if installedVersion.LessThan(fixedVersion) {
+				vuln.FixedVersion = adv.FixedVersion
+				vulns = append(vulns, vuln)
+			}
+		}
+	}
+	return vulns, nil
+}
+
+func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
+	return true
+}

pkg/scanner/ospkg/scan.go

@@ -8,6 +8,7 @@ import (
 	_ "github.com/aquasecurity/fanal/analyzer/os/alpine"
 	_ "github.com/aquasecurity/fanal/analyzer/os/amazonlinux"
 	_ "github.com/aquasecurity/fanal/analyzer/os/debianbase"
+	_ "github.com/aquasecurity/fanal/analyzer/os/photon"
 	_ "github.com/aquasecurity/fanal/analyzer/os/redhatbase"
 	_ "github.com/aquasecurity/fanal/analyzer/os/suse"
 	_ "github.com/aquasecurity/fanal/analyzer/pkg/apk"

pkg/vulnerability/vulnerability.go

@@ -33,7 +33,7 @@ type Operation interface {
 }
 
 type Client struct {
-	dbc db.Operations
+	dbc db.Operation
 }
 
 func NewClient(dbc db.Config) Client {

pkg/vulnerability/vulnerability_test.go

@@ -26,41 +26,26 @@ func TestMain(m *testing.M) {
 }
 
 func TestClient_FillInfo(t *testing.T) {
-	type getSeverityOutput struct {
-		severity dbTypes.Severity
-		err      error
-	}
-	type getSeverity struct {
-		input  string
-		output getSeverityOutput
-	}
-	type getVulnerabilityOutput struct {
-		vulnerability dbTypes.Vulnerability
-		err           error
-	}
-	type getVulnerability struct {
-		input  string
-		output getVulnerabilityOutput
-	}
-
 	type args struct {
 		vulns []types.DetectedVulnerability
 		light bool
 	}
 	tests := []struct {
 		name             string
-		getSeverity      []getSeverity
+		getSeverity      []db.GetSeverityExpectation
-		getVulnerability []getVulnerability
+		getVulnerability []db.GetVulnerabilityExpectation
 		args             args
 		expected         []types.DetectedVulnerability
 	}{
 		{
 			name: "happy path",
-			getVulnerability: []getVulnerability{
+			getVulnerability: []db.GetVulnerabilityExpectation{
 				{
-					input: "CVE-2019-0001",
+					Args: db.GetVulnerabilityArgs{
-					output: getVulnerabilityOutput{
+						VulnerabilityID: "CVE-2019-0001",
-						vulnerability: dbTypes.Vulnerability{
+					},
+					Returns: db.GetVulnerabilityReturns{
+						Vulnerability: dbTypes.Vulnerability{
 							Title:       "dos",
 							Description: "dos vulnerability",
 							Severity:    dbTypes.SeverityMedium.String(),
@@ -89,17 +74,21 @@ func TestClient_FillInfo(t *testing.T) {
 		},
 		{
 			name: "happy path with light option",
-			getSeverity: []getSeverity{
+			getSeverity: []db.GetSeverityExpectation{
 				{
-					input: "CVE-2019-0001",
+					Args: db.GetSeverityArgs{
-					output: getSeverityOutput{
+						VulnerabilityID: "CVE-2019-0001",
-						severity: dbTypes.SeverityCritical,
+					},
+					Returns: db.GetSeverityReturns{
+						Severity: dbTypes.SeverityCritical,
 					},
 				},
 				{
-					input: "CVE-2019-0002",
+					Args: db.GetSeverityArgs{
-					output: getSeverityOutput{
+						VulnerabilityID: "CVE-2019-0002",
-						severity: dbTypes.SeverityHigh,
+					},
+					Returns: db.GetSeverityReturns{
+						Severity: dbTypes.SeverityHigh,
 					},
 				},
 			},
@@ -127,11 +116,13 @@ func TestClient_FillInfo(t *testing.T) {
 		},
 		{
 			name: "GetVulnerability returns an error",
-			getVulnerability: []getVulnerability{
+			getVulnerability: []db.GetVulnerabilityExpectation{
 				{
-					input: "CVE-2019-0004",
+					Args: db.GetVulnerabilityArgs{
-					output: getVulnerabilityOutput{
+						VulnerabilityID: "CVE-2019-0004",
-						err: xerrors.New("failed"),
+					},
+					Returns: db.GetVulnerabilityReturns{
+						Err: xerrors.New("failed"),
 					},
 				},
 			},
@@ -147,11 +138,13 @@ func TestClient_FillInfo(t *testing.T) {
 		},
 		{
 			name: "GetSeverity returns an error",
-			getSeverity: []getSeverity{
+			getSeverity: []db.GetSeverityExpectation{
 				{
-					input: "CVE-2019-0003",
+					Args: db.GetSeverityArgs{
-					output: getSeverityOutput{
+						VulnerabilityID: "CVE-2019-0003",
-						err: xerrors.New("failed"),
+					},
+					Returns: db.GetSeverityReturns{
+						Err: xerrors.New("failed"),
 					},
 				},
 			},
@@ -174,18 +167,13 @@ func TestClient_FillInfo(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			mockDBConfig := new(db.MockDBConfig)
+			mockDBConfig := new(db.MockOperation)
+			mockDBConfig.ApplyGetSeverityExpectations(tt.getSeverity)
+			mockDBConfig.ApplyGetVulnerabilityExpectations(tt.getVulnerability)
+
 			c := Client{
 				dbc: mockDBConfig,
 			}
-			for _, gs := range tt.getSeverity {
-				mockDBConfig.On("GetSeverity", gs.input).Return(
-					gs.output.severity, gs.output.err)
-			}
-			for _, gv := range tt.getVulnerability {
-				mockDBConfig.On("GetVulnerability", gv.input).Return(
-					gv.output.vulnerability, gv.output.err)
-			}
 
 			c.FillInfo(tt.args.vulns, tt.args.light)
 			assert.Equal(t, tt.expected, tt.args.vulns, tt.name)