Support Amazon Linux (#182)

* Support Amazon Linux

* amazon: Add tests for Scanner Detect functionality

* amazon: Add more test cases for unhappy paths.

This commit also asserts the logged output via observer.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* amazon: Add a test case for invalid fixed pkg version

Signed-off-by: Simarpreet Singh <simar@linux.com>

* mod: go mod tidy

Signed-off-by: Simarpreet Singh <simar@linux.com>

* amazon: Inject dependency seams for exposed db interface and logger.

This commit also exposes an interface for doing db operations.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* amazon: Use injected logger for scanner.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* amazon_test: Add a sample testdata dir

Signed-off-by: Simarpreet Singh <simar@linux.com>

* amazon: Add tests for for Get() for amazon vulns.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* vulnsrc_test: Fix invocation call to SetVersion()

Signed-off-by: Simarpreet Singh <simar@linux.com>

* amazon_test: Add a test for severirtyFromPriority

Signed-off-by: Simarpreet Singh <simar@linux.com>

* amazon_test: Add tests for constructVersion()

Signed-off-by: Simarpreet Singh <simar@linux.com>

* amazon: Refactor walkFunc outside for testability purposes

Signed-off-by: Simarpreet Singh <simar@linux.com>

* amazon: Refactor walkFn and add tests for it.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* amazon: Refactor commitFunc closure and add tests

This commit also introduces an interface for the
vulnerability package to be used as a seam.

Signed-off-by: Simarpreet Singh <simar@linux.com>

* Revert "amazon: Use injected logger for scanner."

This reverts commit 5a81e4d824a95f4de4aae2e2b903eedd0f7e241f.

* test(amazon): fix failed tests

* fix(vulnerability): trim references

* test(amazon): add integration test

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/BurntSushi/toml v0.3.1
 	github.com/aquasecurity/fanal v0.0.0-20191015084852-e80236018d26
 	github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
+	github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2
 	github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/emirpasic/gods v1.12.0 // indirect
@@ -16,11 +17,10 @@ require (
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
 	github.com/knqyf263/go-version v1.1.1
-	github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348
+	github.com/kylelemons/godebug v1.1.0
-	github.com/mattn/go-colorable v0.1.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a
-	github.com/stretchr/testify v1.3.0
+	github.com/stretchr/testify v1.4.0
 	github.com/urfave/cli v1.20.0
 	github.com/xanzy/ssh-agent v0.2.1 // indirect
 	go.etcd.io/bbolt v1.3.2 // indirect
@@ -28,12 +28,14 @@ require (
 	go.uber.org/multierr v1.1.0 // indirect
 	go.uber.org/zap v1.9.1
 	golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5
-	golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7
+	golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582 // indirect
+	golang.org/x/sys v0.0.0-20191020152052-9984515f0562 // indirect
+	golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898
 	gopkg.in/cheggaaa/pb.v1 v1.0.28
 	gopkg.in/src-d/go-billy.v4 v4.3.0 // indirect
 	gopkg.in/src-d/go-git-fixtures.v3 v3.4.0 // indirect
 	gopkg.in/src-d/go-git.v4 v4.10.0
-	gopkg.in/yaml.v2 v2.2.2
+	gopkg.in/yaml.v2 v2.2.4
 )
 
 replace github.com/genuinetools/reg => github.com/tomoyamachi/reg v0.16.1-0.20190706172545-2a2250fd7c00

go.sum

@@ -22,12 +22,14 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
-github.com/aquasecurity/fanal v0.0.0-20190930214148-1d3b788f4003 h1:jKLG8daiXJ/QcAJ3cq4cGkrvPpafzEzlbiKQPkkhaa4=
-github.com/aquasecurity/fanal v0.0.0-20190930214148-1d3b788f4003/go.mod h1:dD1Ny21eY5FSDyERfUIMwdgYhg6Lnw611VOwDHmTSoQ=
 github.com/aquasecurity/fanal v0.0.0-20191015084852-e80236018d26 h1:HvyiDHbYDm094Oo59MWIWtZ3Lt2Uu6nQ06IsG2jvIrg=
 github.com/aquasecurity/fanal v0.0.0-20191015084852-e80236018d26/go.mod h1:dD1Ny21eY5FSDyERfUIMwdgYhg6Lnw611VOwDHmTSoQ=
 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ulc/gvfWm4ylhVaR7MxOwujRjA6et7KhmUbSgUFf4=
 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ=
+github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA=
+github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
+github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83 h1:ukTLOeMC0aVxbJWVg6hOsVJ0VPIo8w++PbNsze/pqF8=
+github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83/go.mod h1:SLqhdZcd+dF3TEVL2RMoob5bBP5R1P1qkox+HtCBgGI=
 github.com/aws/aws-sdk-go v1.19.11 h1:tqaTGER6Byw3QvsjGW0p018U2UOqaJPeJuzoaF7jjoQ=
 github.com/aws/aws-sdk-go v1.19.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 h1:xJ4a3vCFaGF/jqvzLMYoU8P317H5OQ+Via4RmuPwCS0=
@@ -70,6 +72,10 @@ github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNE
 github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
 github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
+github.com/elazarl/goproxy v0.0.0-20190421051319-9d40249d3c2f h1:8GDPb0tCY8LQ+OJ3dbHb5sA6YZWXFORQYZx5sdsTlMs=
+github.com/elazarl/goproxy v0.0.0-20190421051319-9d40249d3c2f/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
+github.com/elazarl/goproxy/ext v0.0.0-20190421051319-9d40249d3c2f h1:AUj1VoZUfhPhOPHULCQQDnGhRelpFWHMLhQVWDsS0v4=
+github.com/elazarl/goproxy/ext v0.0.0-20190421051319-9d40249d3c2f/go.mod h1:gNh8nYJoAm43RfaxurUnxr+N1PwuFV3ZMl/efxlIlY8=
 github.com/emirpasic/gods v1.9.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
 github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
@@ -110,12 +116,16 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/mux v1.6.2 h1:Pgr17XVTNXAk3q/r4CpKzC5xBM/qW1uVLV+IhRZpIIk=
 github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.7.1 h1:Dw4jY2nghMMRsh1ol8dv1axHkDwMQK2DHerMNJsIpJU=
 github.com/gorilla/mux v1.7.1/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/hashicorp/go-version v1.2.0 h1:3vNe/fWF5CBgRIguda1meWhsZHy3m8gCJ5wx+dIzX/E=
+github.com/hashicorp/go-version v1.2.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
@@ -124,6 +134,8 @@ github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJS
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
+github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e h1:RgQk53JHp/Cjunrr1WlsXSZpqXn+uREuHvUVcK82CV8=
 github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
@@ -151,10 +163,14 @@ github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 h1:MtvEpTB6LX3vkb4ax0b5D2DHbNAUsen0Gx5wZoq3lV4=
 github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/mattn/go-colorable v0.1.1 h1:G1f5SKeVxmagw/IyvzvtZE4Gybcc4Tr1tf7I8z0XgOg=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-isatty v0.0.5 h1:tHXDdz1cpzGaovsTB+TVB8q90WEokoVmfMqoVcrLUgw=
 github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-jsonpointer v0.0.0-20180225143300-37667080efed h1:fCWISZq4YN4ulCJx7x0KB15rqxLEe3mtNJL8cSOGKZU=
+github.com/mattn/go-jsonpointer v0.0.0-20180225143300-37667080efed/go.mod h1:SDJ4hurDYyQ9/7nc+eCYtXqdufgK4Cq9TJlwPklqEYA=
 github.com/mattn/go-runewidth v0.0.4 h1:2BvfKmzob6Bmd4YsL0zygOqfdFnK7GR4QL06Do4/p7Y=
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
@@ -178,6 +194,8 @@ github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zM
 github.com/opencontainers/runc v0.1.1 h1:GlxAyO6x8rfZYN9Tt0Kti5a/cP41iuiO2yYT0IJGY8Y=
 github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
+github.com/parnurzeal/gorequest v0.2.16 h1:T/5x+/4BT+nj+3eSknXmCTnEVGSzFzPGdpqmUVVZXHQ=
+github.com/parnurzeal/gorequest v0.2.16/go.mod h1:3Kh2QUMJoqw3icWAecsyzkpY7UzRfDhbRdTjtNwNiUE=
 github.com/pelletier/go-buffruneio v0.2.0 h1:U4t4R6YkofJ5xHm3dJzuRpPZ0mr5MMCoAWooScCR7aA=
 github.com/pelletier/go-buffruneio v0.2.0/go.mod h1:JkE26KsDizTr40EUHkXVtNPvgGtbSNq5BcowyYOWdKo=
 github.com/peterhellberg/link v1.0.0 h1:mUWkiegowUXEcmlb+ybF75Q/8D2Y0BjZtR8cxoKhaQo=
@@ -210,21 +228,30 @@ github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084 h1:sofwID9zm4tzr
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
+github.com/rogpeppe/go-charset v0.0.0-20180617210344-2471d30d28b4/go.mod h1:qgYeAmZ5ZIpBWTGllZSQnw97Dj+woV0toclVaRGI8pc=
 github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/shurcooL/httpfs v0.0.0-20181222201310-74dc9339e414/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg=
+github.com/simplereach/timeutils v1.2.0/go.mod h1:VVbQDfN/FHRZa1LSqcwo4kNZ62OOyqLLGQKYB3pB0Q8=
 github.com/sirupsen/logrus v1.2.0 h1:juTguoYk5qI21pwyTXY3B3Y5cOTH3ZUyZCg1v/mihuo=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
+github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a h1:pa8hGb/2YqsZKovtsgrwcDH1RZhVbTKCjLp47XpqCDs=
+github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/src-d/gcfg v1.4.0 h1:xXbNR5AlLSA315x2UO+fTSSAXCDf+Ar38/6oyGbDKQ4=
 github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/tomoyamachi/reg v0.16.1-0.20190706172545-2a2250fd7c00 h1:0e4vRd9YqnQBIAIAE39jLKDWffRfJWxloyWwcaMAQho=
 github.com/tomoyamachi/reg v0.16.1-0.20190706172545-2a2250fd7c00/go.mod h1:RQE7h2jyIxekQZ24/wad0c9RGP+KSq4XzHh7h83ALi8=
 github.com/urfave/cli v1.20.0 h1:fDqGv3UG/4jbVl/QkFwEdddtEDjh/5Ov6X+0B/3bPaw=
@@ -261,6 +288,8 @@ golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c h1:uOCk1iQW6Vc18bnC13MfzScl+wdKBmM9Y9kU7Z83/lw=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582 h1:p9xBe/w/OzkeYVKm234g55gMdD1nSIooTir5kV11kfA=
+golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421 h1:Wo7BWFiOk0QRFMLYMqJGFMd9CgUAcGx7V+qEg/h5IBI=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -280,8 +309,11 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190506115046-ca7f33d4116e h1:bq5BY1tGuaK8HxuwN6pT6kWgTVLeJ5KwuyBpsl1CZL4=
 golang.org/x/sys v0.0.0-20190506115046-ca7f33d4116e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191020152052-9984515f0562 h1:wOweSabW7qssfcg63CEDHHA4zyoqRlGU6eYV7IUMCq0=
+golang.org/x/sys v0.0.0-20191020152052-9984515f0562/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2 h1:z99zHgr7hKfrUcX/KsoJk5FJfjTceCKIp96+biqP4To=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -298,11 +330,14 @@ golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190503185657-3b6f9c0030f7/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373 h1:PPwnA7z1Pjf7XYaBP9GL1VAMZmcIWyFz7QCMSIIa3Bg=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898 h1:/atklqdjdhuosWIl6AIbOeHJjicWYPqR9bpxqxYG2pA=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
@@ -325,6 +360,7 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk=
 gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA=
 gopkg.in/src-d/go-billy.v4 v4.2.1/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk=
 gopkg.in/src-d/go-billy.v4 v4.3.0 h1:KtlZ4c1OWbIs4jCv5ZXrTqG8EQocr0g/d4DjNg70aek=
 gopkg.in/src-d/go-billy.v4 v4.3.0/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk=
@@ -339,8 +375,12 @@ gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRN
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+moul.io/http2curl v1.0.0 h1:6XwpyZOYsgZJrU8exnG87ncVkU1FVCcTRpwzOkTDUi8=
+moul.io/http2curl v1.0.0/go.mod h1:f6cULg+e4Md/oW1cYmwW4IWQOVl2lGbmCNGOHvzX2kE=

integration/tar_input_test.go

@@ -279,6 +279,26 @@ func TestRun_WithTar(t *testing.T) {
 			},
 			golden: "testdata/distroless-python27.json.golden",
 		},
+		{
+			name: "amazon 1 integration",
+			testArgs: args{
+				Version:    "dev",
+				SkipUpdate: true,
+				Format:     "json",
+				Input:      "testdata/fixtures/amazon-1.tar.gz",
+			},
+			golden: "testdata/amazon-1.json.golden",
+		},
+		{
+			name: "amazon 2 integration",
+			testArgs: args{
+				Version:    "dev",
+				SkipUpdate: true,
+				Format:     "json",
+				Input:      "testdata/fixtures/amazon-2.tar.gz",
+			},
+			golden: "testdata/amazon-2.json.golden",
+		},
 	}
 
 	for _, c := range cases {

integration/testdata/amazon-1.json.golden

@@ -0,0 +1,130 @@
+[
+  {
+    "Target": "testdata/fixtures/amazon-1.tar.gz (amazon AMI release 2018.03)",
+    "Vulnerabilities": [
+      {
+        "VulnerabilityID": "CVE-2019-5481",
+        "PkgName": "curl",
+        "InstalledVersion": "7.61.1-11.91.amzn1",
+        "FixedVersion": "7.61.1-12.93.amzn1",
+        "Title": "curl: double free due to subsequent call of realloc()",
+        "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
+        "Severity": "HIGH",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
+          "https://curl.haxx.se/docs/CVE-2019-5481.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5482",
+        "PkgName": "curl",
+        "InstalledVersion": "7.61.1-11.91.amzn1",
+        "FixedVersion": "7.61.1-12.93.amzn1",
+        "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
+        "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
+        "Severity": "HIGH",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
+          "https://curl.haxx.se/docs/CVE-2019-5482.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5481",
+        "PkgName": "libcurl",
+        "InstalledVersion": "7.61.1-11.91.amzn1",
+        "FixedVersion": "7.61.1-12.93.amzn1",
+        "Title": "curl: double free due to subsequent call of realloc()",
+        "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
+        "Severity": "HIGH",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
+          "https://curl.haxx.se/docs/CVE-2019-5481.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5482",
+        "PkgName": "libcurl",
+        "InstalledVersion": "7.61.1-11.91.amzn1",
+        "FixedVersion": "7.61.1-12.93.amzn1",
+        "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
+        "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
+        "Severity": "HIGH",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
+          "https://curl.haxx.se/docs/CVE-2019-5482.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-9511",
+        "PkgName": "libnghttp2",
+        "InstalledVersion": "1.21.1-1.4.amzn1",
+        "FixedVersion": "1.31.1-2.5.amzn1",
+        "Title": "HTTP/2: large amount of data requests leads to denial of service",
+        "Description": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.",
+        "Severity": "HIGH",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511",
+          "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
+          "https://kb.cert.org/vuls/id/605641/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/",
+          "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
+          "https://seclists.org/bugtraq/2019/Aug/40",
+          "https://security.netapp.com/advisory/ntap-20190823-0002/",
+          "https://security.netapp.com/advisory/ntap-20190823-0005/",
+          "https://support.f5.com/csp/article/K02591030",
+          "https://usn.ubuntu.com/4099-1/",
+          "https://www.debian.org/security/2019/dsa-4505",
+          "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/",
+          "https://www.synology.com/security/advisory/Synology_SA_19_33"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-9513",
+        "PkgName": "libnghttp2",
+        "InstalledVersion": "1.21.1-1.4.amzn1",
+        "FixedVersion": "1.31.1-2.5.amzn1",
+        "Title": "HTTP/2: flood using PRIORITY frames results in excessive resource consumption",
+        "Description": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.",
+        "Severity": "HIGH",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513",
+          "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
+          "https://kb.cert.org/vuls/id/605641/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/",
+          "https://nghttp2.org/blog/2019/08/19/nghttp2-v1-39-2/",
+          "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
+          "https://seclists.org/bugtraq/2019/Aug/40",
+          "https://security.netapp.com/advisory/ntap-20190823-0002/",
+          "https://security.netapp.com/advisory/ntap-20190823-0005/",
+          "https://support.f5.com/csp/article/K02591030",
+          "https://usn.ubuntu.com/4099-1/",
+          "https://www.debian.org/security/2019/dsa-4505",
+          "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/",
+          "https://www.synology.com/security/advisory/Synology_SA_19_33"
+        ]
+      }
+    ]
+  }
+]

integration/testdata/amazon-2.json.golden

@@ -0,0 +1,952 @@
+[
+  {
+    "Target": "testdata/fixtures/amazon-2.tar.gz (amazon 2 (Karoo))",
+    "Vulnerabilities": [
+      {
+        "VulnerabilityID": "CVE-2019-5435",
+        "PkgName": "curl",
+        "InstalledVersion": "7.61.1-9.amzn2.0.1",
+        "FixedVersion": "7.61.1-11.amzn2.0.2",
+        "Title": "curl: Integer overflows in curl_url_set() function",
+        "Description": "An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://curl.haxx.se/docs/CVE-2019-5435.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/",
+          "https://security.netapp.com/advisory/ntap-20190606-0004/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5436",
+        "PkgName": "curl",
+        "InstalledVersion": "7.61.1-9.amzn2.0.1",
+        "FixedVersion": "7.61.1-11.amzn2.0.2",
+        "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function",
+        "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html",
+          "https://curl.haxx.se/docs/CVE-2019-5436.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/",
+          "https://security.netapp.com/advisory/ntap-20190606-0004/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-12450",
+        "PkgName": "glib2",
+        "InstalledVersion": "2.54.2-2.amzn2",
+        "FixedVersion": "2.56.1-4.amzn2",
+        "Title": "glib2: file_copy_fallback in gio/gfile.c in GNOME GLib does not properly restrict file permissions while a copy operation is in progress",
+        "Description": "file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used.",
+        "Severity": "HIGH",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12450",
+          "https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174",
+          "https://lists.debian.org/debian-lts-announce/2019/06/msg00013.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2W4WIOAGO3M743M5KZLVQZM3NGHQDYLI/",
+          "https://security.netapp.com/advisory/ntap-20190606-0003/",
+          "https://usn.ubuntu.com/4014-1/",
+          "https://usn.ubuntu.com/4014-2/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5435",
+        "PkgName": "libcurl",
+        "InstalledVersion": "7.61.1-9.amzn2.0.1",
+        "FixedVersion": "7.61.1-11.amzn2.0.2",
+        "Title": "curl: Integer overflows in curl_url_set() function",
+        "Description": "An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://curl.haxx.se/docs/CVE-2019-5435.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/",
+          "https://security.netapp.com/advisory/ntap-20190606-0004/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5436",
+        "PkgName": "libcurl",
+        "InstalledVersion": "7.61.1-9.amzn2.0.1",
+        "FixedVersion": "7.61.1-11.amzn2.0.2",
+        "Title": "curl: TFTP receive heap buffer overflow in tftp_receive_packet() function",
+        "Description": "A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00008.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00017.html",
+          "https://curl.haxx.se/docs/CVE-2019-5436.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SMG3V4VTX2SE3EW3HQTN3DDLQBTORQC2/",
+          "https://security.netapp.com/advisory/ntap-20190606-0004/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-9511",
+        "PkgName": "libnghttp2",
+        "InstalledVersion": "1.31.1-1.amzn2.0.2",
+        "FixedVersion": "1.39.2-1.amzn2",
+        "Title": "HTTP/2: large amount of data requests leads to denial of service",
+        "Description": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.",
+        "Severity": "HIGH",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511",
+          "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
+          "https://kb.cert.org/vuls/id/605641/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/",
+          "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
+          "https://seclists.org/bugtraq/2019/Aug/40",
+          "https://security.netapp.com/advisory/ntap-20190823-0002/",
+          "https://security.netapp.com/advisory/ntap-20190823-0005/",
+          "https://support.f5.com/csp/article/K02591030",
+          "https://usn.ubuntu.com/4099-1/",
+          "https://www.debian.org/security/2019/dsa-4505",
+          "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/",
+          "https://www.synology.com/security/advisory/Synology_SA_19_33"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-9513",
+        "PkgName": "libnghttp2",
+        "InstalledVersion": "1.31.1-1.amzn2.0.2",
+        "FixedVersion": "1.39.2-1.amzn2",
+        "Title": "HTTP/2: flood using PRIORITY frames results in excessive resource consumption",
+        "Description": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.",
+        "Severity": "HIGH",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513",
+          "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
+          "https://kb.cert.org/vuls/id/605641/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/",
+          "https://nghttp2.org/blog/2019/08/19/nghttp2-v1-39-2/",
+          "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
+          "https://seclists.org/bugtraq/2019/Aug/40",
+          "https://security.netapp.com/advisory/ntap-20190823-0002/",
+          "https://security.netapp.com/advisory/ntap-20190823-0005/",
+          "https://support.f5.com/csp/article/K02591030",
+          "https://usn.ubuntu.com/4099-1/",
+          "https://www.debian.org/security/2019/dsa-4505",
+          "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/",
+          "https://www.synology.com/security/advisory/Synology_SA_19_33"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-3858",
+        "PkgName": "libssh2",
+        "InstalledVersion": "1.4.3-12.amzn2.2",
+        "FixedVersion": "1.4.3-12.amzn2.2.1",
+        "Title": "libssh2: Zero-byte allocation with a specially crafted SFTP packed leading to an out-of-bounds read",
+        "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
+          "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",
+          "http://www.openwall.com/lists/oss-security/2019/03/18/3",
+          "http://www.securityfocus.com/bid/107485",
+          "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3858",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3858",
+          "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/",
+          "https://seclists.org/bugtraq/2019/Apr/25",
+          "https://seclists.org/bugtraq/2019/Mar/25",
+          "https://security.netapp.com/advisory/ntap-20190327-0005/",
+          "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767",
+          "https://www.debian.org/security/2019/dsa-4431",
+          "https://www.libssh2.org/CVE-2019-3858.html"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-3861",
+        "PkgName": "libssh2",
+        "InstalledVersion": "1.4.3-12.amzn2.2",
+        "FixedVersion": "1.4.3-12.amzn2.2.1",
+        "Title": "libssh2: Out-of-bounds reads with specially crafted SSH packets",
+        "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
+          "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3861",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3861",
+          "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
+          "https://seclists.org/bugtraq/2019/Apr/25",
+          "https://security.netapp.com/advisory/ntap-20190327-0005/",
+          "https://www.debian.org/security/2019/dsa-4431",
+          "https://www.libssh2.org/CVE-2019-3861.html"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-3862",
+        "PkgName": "libssh2",
+        "InstalledVersion": "1.4.3-12.amzn2.2",
+        "FixedVersion": "1.4.3-12.amzn2.2.2",
+        "Title": "libssh2: Out-of-bounds memory comparison with specially crafted message channel request",
+        "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
+          "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",
+          "http://www.openwall.com/lists/oss-security/2019/03/18/3",
+          "http://www.securityfocus.com/bid/107485",
+          "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3862",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3862",
+          "https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/",
+          "https://seclists.org/bugtraq/2019/Apr/25",
+          "https://seclists.org/bugtraq/2019/Mar/25",
+          "https://security.netapp.com/advisory/ntap-20190327-0005/",
+          "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-767",
+          "https://www.debian.org/security/2019/dsa-4431",
+          "https://www.libssh2.org/CVE-2019-3862.html"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2016-4658",
+        "PkgName": "libxml2",
+        "InstalledVersion": "2.9.1-6.amzn2.3.2",
+        "FixedVersion": "2.9.1-6.amzn2.3.3",
+        "Title": "libxml2: Use after free via namespace node in XPointer ranges",
+        "Description": "xpointer.c in libxml2 before 2.9.5 (as used in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3, and other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.",
+        "Severity": "CRITICAL",
+        "References": [
+          "http://lists.apple.com/archives/security-announce/2016/Sep/msg00006.html",
+          "http://lists.apple.com/archives/security-announce/2016/Sep/msg00008.html",
+          "http://lists.apple.com/archives/security-announce/2016/Sep/msg00010.html",
+          "http://lists.apple.com/archives/security-announce/2016/Sep/msg00011.html",
+          "http://www.securityfocus.com/bid/93054",
+          "http://www.securitytracker.com/id/1036858",
+          "http://www.securitytracker.com/id/1038623",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658",
+          "https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b",
+          "https://security.gentoo.org/glsa/201701-37",
+          "https://support.apple.com/HT207141",
+          "https://support.apple.com/HT207142",
+          "https://support.apple.com/HT207143",
+          "https://support.apple.com/HT207170"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2017-16931",
+        "PkgName": "libxml2",
+        "InstalledVersion": "2.9.1-6.amzn2.3.2",
+        "FixedVersion": "2.9.1-6.amzn2.3.3",
+        "Title": "libxml2: Mishandling parameter-entity references",
+        "Description": "parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.",
+        "Severity": "HIGH",
+        "References": [
+          "http://xmlsoft.org/news.html",
+          "https://bugzilla.gnome.org/show_bug.cgi?id=766956",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16931",
+          "https://github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3",
+          "https://lists.debian.org/debian-lts-announce/2017/11/msg00041.html"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2017-10684",
+        "PkgName": "ncurses",
+        "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
+        "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c",
+        "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
+        "Severity": "HIGH",
+        "References": [
+          "https://bugzilla.redhat.com/show_bug.cgi?id=1464687",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684",
+          "https://security.gentoo.org/glsa/201804-13"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2017-10685",
+        "PkgName": "ncurses",
+        "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
+        "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function",
+        "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
+        "Severity": "HIGH",
+        "References": [
+          "https://bugzilla.redhat.com/show_bug.cgi?id=1464692",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685",
+          "https://security.gentoo.org/glsa/201804-13"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2017-11112",
+        "PkgName": "ncurses",
+        "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
+        "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "Title": "ncurses: Illegal address access in append_acs function",
+        "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://bugzilla.redhat.com/show_bug.cgi?id=1464686",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112",
+          "https://security.gentoo.org/glsa/201804-13"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2017-11113",
+        "PkgName": "ncurses",
+        "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
+        "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function",
+        "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://bugzilla.redhat.com/show_bug.cgi?id=1464691",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113",
+          "https://security.gentoo.org/glsa/201804-13"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2017-10684",
+        "PkgName": "ncurses-base",
+        "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
+        "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c",
+        "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
+        "Severity": "HIGH",
+        "References": [
+          "https://bugzilla.redhat.com/show_bug.cgi?id=1464687",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684",
+          "https://security.gentoo.org/glsa/201804-13"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2017-10685",
+        "PkgName": "ncurses-base",
+        "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
+        "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function",
+        "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
+        "Severity": "HIGH",
+        "References": [
+          "https://bugzilla.redhat.com/show_bug.cgi?id=1464692",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685",
+          "https://security.gentoo.org/glsa/201804-13"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2017-11112",
+        "PkgName": "ncurses-base",
+        "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
+        "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "Title": "ncurses: Illegal address access in append_acs function",
+        "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://bugzilla.redhat.com/show_bug.cgi?id=1464686",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112",
+          "https://security.gentoo.org/glsa/201804-13"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2017-11113",
+        "PkgName": "ncurses-base",
+        "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
+        "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function",
+        "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://bugzilla.redhat.com/show_bug.cgi?id=1464691",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113",
+          "https://security.gentoo.org/glsa/201804-13"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2017-10684",
+        "PkgName": "ncurses-libs",
+        "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
+        "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "Title": "ncurses: Stack-based buffer overflow in fmt_entry function in dump_entry.c",
+        "Description": "In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
+        "Severity": "HIGH",
+        "References": [
+          "https://bugzilla.redhat.com/show_bug.cgi?id=1464687",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10684",
+          "https://security.gentoo.org/glsa/201804-13"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2017-10685",
+        "PkgName": "ncurses-libs",
+        "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
+        "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "Title": "ncurses: Stack-based buffer overflow caused by format string vulnerability in fmt_entry function",
+        "Description": "In ncurses 6.0, there is a format string vulnerability in the fmt_entry function. A crafted input will lead to a remote arbitrary code execution attack.",
+        "Severity": "HIGH",
+        "References": [
+          "https://bugzilla.redhat.com/show_bug.cgi?id=1464692",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10685",
+          "https://security.gentoo.org/glsa/201804-13"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2017-11112",
+        "PkgName": "ncurses-libs",
+        "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
+        "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "Title": "ncurses: Illegal address access in append_acs function",
+        "Description": "In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the append_acs function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://bugzilla.redhat.com/show_bug.cgi?id=1464686",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11112",
+          "https://security.gentoo.org/glsa/201804-13"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2017-11113",
+        "PkgName": "ncurses-libs",
+        "InstalledVersion": "6.0-8.20170212.amzn2.1.2",
+        "FixedVersion": "6.0-8.20170212.amzn2.1.3",
+        "Title": "ncurses: Null pointer dereference vulnerability in _nc_parse_entry function",
+        "Description": "In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_entry function of tinfo/parse_entry.c. It could lead to a remote denial of service attack if the terminfo library code is used to process untrusted terminfo data.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://bugzilla.redhat.com/show_bug.cgi?id=1464691",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11113",
+          "https://security.gentoo.org/glsa/201804-13"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-12404",
+        "PkgName": "nss",
+        "InstalledVersion": "3.36.0-7.amzn2",
+        "FixedVersion": "3.44.0-4.amzn2.0.2",
+        "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
+        "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html",
+          "http://www.securityfocus.com/bid/107260",
+          "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-0495",
+        "PkgName": "nss",
+        "InstalledVersion": "3.36.0-7.amzn2",
+        "FixedVersion": "3.44.0-4.amzn2.0.2",
+        "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
+        "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
+        "Severity": "LOW",
+        "References": [
+          "http://www.securitytracker.com/id/1041144",
+          "http://www.securitytracker.com/id/1041147",
+          "https://access.redhat.com/errata/RHSA-2018:3221",
+          "https://access.redhat.com/errata/RHSA-2018:3505",
+          "https://access.redhat.com/errata/RHSA-2019:1296",
+          "https://access.redhat.com/errata/RHSA-2019:1297",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495",
+          "https://dev.gnupg.org/T4011",
+          "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965",
+          "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html",
+          "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html",
+          "https://usn.ubuntu.com/3689-1/",
+          "https://usn.ubuntu.com/3689-2/",
+          "https://usn.ubuntu.com/3692-1/",
+          "https://usn.ubuntu.com/3692-2/",
+          "https://usn.ubuntu.com/3850-1/",
+          "https://usn.ubuntu.com/3850-2/",
+          "https://www.debian.org/security/2018/dsa-4231",
+          "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/",
+          "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-12404",
+        "PkgName": "nss-sysinit",
+        "InstalledVersion": "3.36.0-7.amzn2",
+        "FixedVersion": "3.44.0-4.amzn2.0.2",
+        "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
+        "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html",
+          "http://www.securityfocus.com/bid/107260",
+          "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-0495",
+        "PkgName": "nss-sysinit",
+        "InstalledVersion": "3.36.0-7.amzn2",
+        "FixedVersion": "3.44.0-4.amzn2.0.2",
+        "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
+        "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
+        "Severity": "LOW",
+        "References": [
+          "http://www.securitytracker.com/id/1041144",
+          "http://www.securitytracker.com/id/1041147",
+          "https://access.redhat.com/errata/RHSA-2018:3221",
+          "https://access.redhat.com/errata/RHSA-2018:3505",
+          "https://access.redhat.com/errata/RHSA-2019:1296",
+          "https://access.redhat.com/errata/RHSA-2019:1297",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495",
+          "https://dev.gnupg.org/T4011",
+          "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965",
+          "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html",
+          "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html",
+          "https://usn.ubuntu.com/3689-1/",
+          "https://usn.ubuntu.com/3689-2/",
+          "https://usn.ubuntu.com/3692-1/",
+          "https://usn.ubuntu.com/3692-2/",
+          "https://usn.ubuntu.com/3850-1/",
+          "https://usn.ubuntu.com/3850-2/",
+          "https://www.debian.org/security/2018/dsa-4231",
+          "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/",
+          "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-12404",
+        "PkgName": "nss-tools",
+        "InstalledVersion": "3.36.0-7.amzn2",
+        "FixedVersion": "3.44.0-4.amzn2.0.2",
+        "Title": "nss: Cache side-channel variant of the Bleichenbacher attack",
+        "Description": "A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This is a variant of the Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) and affects all NSS versions prior to NSS 3.41.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00021.html",
+          "http://www.securityfocus.com/bid/107260",
+          "https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2018-12404",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12404"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-0495",
+        "PkgName": "nss-tools",
+        "InstalledVersion": "3.36.0-7.amzn2",
+        "FixedVersion": "3.44.0-4.amzn2.0.2",
+        "Title": "ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries",
+        "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
+        "Severity": "LOW",
+        "References": [
+          "http://www.securitytracker.com/id/1041144",
+          "http://www.securitytracker.com/id/1041147",
+          "https://access.redhat.com/errata/RHSA-2018:3221",
+          "https://access.redhat.com/errata/RHSA-2018:3505",
+          "https://access.redhat.com/errata/RHSA-2019:1296",
+          "https://access.redhat.com/errata/RHSA-2019:1297",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0495",
+          "https://dev.gnupg.org/T4011",
+          "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965",
+          "https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html",
+          "https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html",
+          "https://usn.ubuntu.com/3689-1/",
+          "https://usn.ubuntu.com/3689-2/",
+          "https://usn.ubuntu.com/3692-1/",
+          "https://usn.ubuntu.com/3692-2/",
+          "https://usn.ubuntu.com/3850-1/",
+          "https://usn.ubuntu.com/3850-2/",
+          "https://www.debian.org/security/2018/dsa-4231",
+          "https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/",
+          "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5010",
+        "PkgName": "python",
+        "InstalledVersion": "2.7.14-58.amzn2.0.4",
+        "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
+        "Description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided.\n    \nA null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
+        "Severity": "HIGH",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010",
+          "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-1060",
+        "PkgName": "python",
+        "InstalledVersion": "2.7.14-58.amzn2.0.4",
+        "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "Title": "python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib",
+        "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method.  An attacker could use this flaw to cause denial of service.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://www.securitytracker.com/id/1042001",
+          "https://access.redhat.com/errata/RHBA-2019:0327",
+          "https://access.redhat.com/errata/RHSA-2018:3041",
+          "https://access.redhat.com/errata/RHSA-2018:3505",
+          "https://access.redhat.com/errata/RHSA-2019:1260",
+          "https://bugs.python.org/issue32981",
+          "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1060",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060",
+          "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1",
+          "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final",
+          "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1",
+          "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html",
+          "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/",
+          "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03951en_us",
+          "https://usn.ubuntu.com/3817-1/",
+          "https://usn.ubuntu.com/3817-2/",
+          "https://www.debian.org/security/2018/dsa-4306",
+          "https://www.debian.org/security/2018/dsa-4307"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-1061",
+        "PkgName": "python",
+        "InstalledVersion": "2.7.14-58.amzn2.0.4",
+        "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "Title": "python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib",
+        "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method.  An attacker could use this flaw to cause denial of service.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://www.securitytracker.com/id/1042001",
+          "https://access.redhat.com/errata/RHBA-2019:0327",
+          "https://access.redhat.com/errata/RHSA-2018:3041",
+          "https://access.redhat.com/errata/RHSA-2018:3505",
+          "https://access.redhat.com/errata/RHSA-2019:1260",
+          "https://bugs.python.org/issue32981",
+          "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1061",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061",
+          "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1",
+          "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final",
+          "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1",
+          "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html",
+          "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/",
+          "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03951en_us",
+          "https://usn.ubuntu.com/3817-1/",
+          "https://usn.ubuntu.com/3817-2/",
+          "https://www.debian.org/security/2018/dsa-4306",
+          "https://www.debian.org/security/2018/dsa-4307"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-20406",
+        "PkgName": "python",
+        "InstalledVersion": "2.7.14-58.amzn2.0.4",
+        "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "Title": "python: Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data",
+        "Description": "Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://bugs.python.org/issue34656",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20406",
+          "https://github.com/python/cpython/commit/a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd",
+          "https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/",
+          "https://python-security.readthedocs.io/vuln/pickle-load-dos.html",
+          "https://security.netapp.com/advisory/ntap-20190416-0010/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-10160",
+        "PkgName": "python",
+        "InstalledVersion": "2.7.14-58.amzn2.0.4",
+        "FixedVersion": "2.7.16-2.amzn2.0.1",
+        "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc",
+        "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://access.redhat.com/errata/RHSA-2019:1587",
+          "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160",
+          "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09",
+          "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e",
+          "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de",
+          "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468",
+          "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html",
+          "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html",
+          "https://security.netapp.com/advisory/ntap-20190617-0003/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-9636",
+        "PkgName": "python",
+        "InstalledVersion": "2.7.14-58.amzn2.0.4",
+        "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization",
+        "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html",
+          "http://www.securityfocus.com/bid/107400",
+          "https://access.redhat.com/errata/RHBA-2019:0959",
+          "https://access.redhat.com/errata/RHSA-2019:0710",
+          "https://access.redhat.com/errata/RHSA-2019:0765",
+          "https://access.redhat.com/errata/RHSA-2019:0806",
+          "https://access.redhat.com/errata/RHSA-2019:0902",
+          "https://access.redhat.com/errata/RHSA-2019:0981",
+          "https://access.redhat.com/errata/RHSA-2019:0997",
+          "https://access.redhat.com/errata/RHSA-2019:1467",
+          "https://bugs.python.org/issue36216",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636",
+          "https://github.com/python/cpython/pull/12201",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFBAAGM27H73OLYBUA2IAZFSUN6KGLME/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFAXBEY2TGOBDRKTR556JBXBVFSAKD6I/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/",
+          "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html",
+          "https://security.netapp.com/advisory/ntap-20190517-0001/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-9948",
+        "PkgName": "python",
+        "InstalledVersion": "2.7.14-58.amzn2.0.4",
+        "FixedVersion": "2.7.16-3.amzn2.0.1",
+        "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms",
+        "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html",
+          "http://www.securityfocus.com/bid/107549",
+          "https://bugs.python.org/issue35907",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948",
+          "https://github.com/python/cpython/pull/11842",
+          "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html",
+          "https://security.netapp.com/advisory/ntap-20190404-0004/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-5010",
+        "PkgName": "python-libs",
+        "InstalledVersion": "2.7.14-58.amzn2.0.4",
+        "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "Title": "python: NULL pointer dereference using a specially crafted X509 certificate",
+        "Description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided.\n    \nA null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
+        "Severity": "HIGH",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010",
+          "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-1060",
+        "PkgName": "python-libs",
+        "InstalledVersion": "2.7.14-58.amzn2.0.4",
+        "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "Title": "python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib",
+        "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method.  An attacker could use this flaw to cause denial of service.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://www.securitytracker.com/id/1042001",
+          "https://access.redhat.com/errata/RHBA-2019:0327",
+          "https://access.redhat.com/errata/RHSA-2018:3041",
+          "https://access.redhat.com/errata/RHSA-2018:3505",
+          "https://access.redhat.com/errata/RHSA-2019:1260",
+          "https://bugs.python.org/issue32981",
+          "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1060",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060",
+          "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1",
+          "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final",
+          "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1",
+          "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html",
+          "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/",
+          "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03951en_us",
+          "https://usn.ubuntu.com/3817-1/",
+          "https://usn.ubuntu.com/3817-2/",
+          "https://www.debian.org/security/2018/dsa-4306",
+          "https://www.debian.org/security/2018/dsa-4307"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-1061",
+        "PkgName": "python-libs",
+        "InstalledVersion": "2.7.14-58.amzn2.0.4",
+        "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "Title": "python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib",
+        "Description": "python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method.  An attacker could use this flaw to cause denial of service.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://www.securitytracker.com/id/1042001",
+          "https://access.redhat.com/errata/RHBA-2019:0327",
+          "https://access.redhat.com/errata/RHSA-2018:3041",
+          "https://access.redhat.com/errata/RHSA-2018:3505",
+          "https://access.redhat.com/errata/RHSA-2019:1260",
+          "https://bugs.python.org/issue32981",
+          "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1061",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061",
+          "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1",
+          "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-final",
+          "https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1",
+          "https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html",
+          "https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/",
+          "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbst03951en_us",
+          "https://usn.ubuntu.com/3817-1/",
+          "https://usn.ubuntu.com/3817-2/",
+          "https://www.debian.org/security/2018/dsa-4306",
+          "https://www.debian.org/security/2018/dsa-4307"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-20406",
+        "PkgName": "python-libs",
+        "InstalledVersion": "2.7.14-58.amzn2.0.4",
+        "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "Title": "python: Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data",
+        "Description": "Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a \"resize to twice the size\" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://bugs.python.org/issue34656",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20406",
+          "https://github.com/python/cpython/commit/a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd",
+          "https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/",
+          "https://python-security.readthedocs.io/vuln/pickle-load-dos.html",
+          "https://security.netapp.com/advisory/ntap-20190416-0010/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-10160",
+        "PkgName": "python-libs",
+        "InstalledVersion": "2.7.14-58.amzn2.0.4",
+        "FixedVersion": "2.7.16-2.amzn2.0.1",
+        "Title": "python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc",
+        "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://access.redhat.com/errata/RHSA-2019:1587",
+          "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160",
+          "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09",
+          "https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e",
+          "https://github.com/python/cpython/commit/f61599b050c621386a3fc6bc480359e2d3bb93de",
+          "https://github.com/python/cpython/commit/fd1771dbdd28709716bd531580c40ae5ed814468",
+          "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html",
+          "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html",
+          "https://security.netapp.com/advisory/ntap-20190617-0003/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-9636",
+        "PkgName": "python-libs",
+        "InstalledVersion": "2.7.14-58.amzn2.0.4",
+        "FixedVersion": "2.7.16-1.amzn2.0.1",
+        "Title": "python: Information Disclosure due to urlsplit improper NFKC normalization",
+        "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html",
+          "http://www.securityfocus.com/bid/107400",
+          "https://access.redhat.com/errata/RHBA-2019:0959",
+          "https://access.redhat.com/errata/RHSA-2019:0710",
+          "https://access.redhat.com/errata/RHSA-2019:0765",
+          "https://access.redhat.com/errata/RHSA-2019:0806",
+          "https://access.redhat.com/errata/RHSA-2019:0902",
+          "https://access.redhat.com/errata/RHSA-2019:0981",
+          "https://access.redhat.com/errata/RHSA-2019:0997",
+          "https://access.redhat.com/errata/RHSA-2019:1467",
+          "https://bugs.python.org/issue36216",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9636",
+          "https://github.com/python/cpython/pull/12201",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CFBAAGM27H73OLYBUA2IAZFSUN6KGLME/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D3LXPABKVLFYUHRYJPM3CSS5MS6FXKS7/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ICBEGRHIPHWPG2VGYS6R4EVKVUUF4AQW/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFAXBEY2TGOBDRKTR556JBXBVFSAKD6I/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMWSKTNOHSUOT3L25QFJAVCFYZX46FYK/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXASHCDD4PQFKTMKQN4YOP5ZH366ABN4/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L25RTMKCF62DLC2XVSNXGX7C7HXISLVM/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TR6GCO3WTV4D5L23WTCBF275VE6BVNI3/",
+          "https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html",
+          "https://security.netapp.com/advisory/ntap-20190517-0001/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-9948",
+        "PkgName": "python-libs",
+        "InstalledVersion": "2.7.14-58.amzn2.0.4",
+        "FixedVersion": "2.7.16-3.amzn2.0.1",
+        "Title": "python: Undocumented local_file protocol allows remote attackers to bypass protection mechanisms",
+        "Description": "urllib in Python 2.x through 2.7.16 supports the local_file: scheme, which makes it easier for remote attackers to bypass protection mechanisms that blacklist file: URIs, as demonstrated by triggering a urllib.urlopen('local_file:///etc/passwd') call.",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00050.html",
+          "http://www.securityfocus.com/bid/107549",
+          "https://bugs.python.org/issue35907",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9948",
+          "https://github.com/python/cpython/pull/11842",
+          "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html",
+          "https://security.netapp.com/advisory/ntap-20190404-0004/"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-12735",
+        "PkgName": "vim-minimal",
+        "InstalledVersion": "2:7.4.160-4.amzn2.0.16",
+        "FixedVersion": "2:8.1.1602-1.amzn2",
+        "Title": "vim/neovim: ':source!' command allows arbitrary command execution via modelines",
+        "Description": "getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.",
+        "Severity": "CRITICAL",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00031.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00036.html",
+          "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00037.html",
+          "http://www.securityfocus.com/bid/108724",
+          "https://bugs.debian.org/930020",
+          "https://bugs.debian.org/930024",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735",
+          "https://github.com/neovim/neovim/pull/10082",
+          "https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md",
+          "https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2BMDSHTF754TITC6AQJPCS5IRIDMMIM7/",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TRIRBC2YRGKPAWVRMZS4SZTGGCVRVZPR/",
+          "https://usn.ubuntu.com/4016-1/",
+          "https://usn.ubuntu.com/4016-2/",
+          "https://www.debian.org/security/2019/dsa-4467"
+        ]
+      }
+    ]
+  }
+]

integration/testdata/centos-7-critical.json.golden

@@ -11,7 +11,6 @@
         "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
         "Severity": "CRITICAL",
         "References": [
-          "\nhttps://curl.haxx.se/docs/CVE-2018-14618.html\n    ",
           "http://www.securitytracker.com/id/1041605",
           "https://access.redhat.com/errata/RHSA-2018:3558",
           "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618",
@@ -34,7 +33,6 @@
         "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
         "Severity": "CRITICAL",
         "References": [
-          "\nhttps://curl.haxx.se/docs/CVE-2018-14618.html\n    ",
           "http://www.securitytracker.com/id/1041605",
           "https://access.redhat.com/errata/RHSA-2018:3558",
           "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618",
@@ -57,7 +55,6 @@
         "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
         "Severity": "CRITICAL",
         "References": [
-          "\nhttps://www.libssh2.org/CVE-2019-3855.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
           "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",

integration/testdata/centos-7-ignore-unfixed.json.golden

@@ -11,8 +11,8 @@
         "Description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided.\n    \nA flaw was found in the way bind implemented tunable which limited simultaneous TCP client connections. A remote attacker could use this flaw to exhaust the pool of file descriptors available to named, potentially affecting network connections and the management of files such as log files or zone journal files. In cases where the named process is not limited by OS-enforced per-process limits, this could additionally potentially lead to exhaustion of all available free file descriptors on that system.",
         "Severity": "HIGH",
         "References": [
-          "\nhttps://kb.isc.org/docs/cve-2018-5743\n    ",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743"
+          "https://kb.isc.org/docs/cve-2018-5743"
         ]
       },
       {
@@ -24,7 +24,6 @@
         "Description": "To provide fine-grained controls over the ability to use Dynamic DNS (DDNS) to update records in a zone, BIND 9 provides a feature called update-policy. Various rules can be configured to limit the types of updates that can be performed by a client, depending on the key used when sending the update request. Unfortunately, some rule types were not initially documented, and when documentation for them was added to the Administrator Reference Manual (ARM) in change #3112, the language that was added to the ARM at that time incorrectly described the behavior of two rule types, krb5-subdomain and ms-subdomain. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. This affects BIND versions prior to BIND 9.11.5 and BIND 9.12.3.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://kb.isc.org/docs/cve-2018-5741\n    ",
           "http://www.securityfocus.com/bid/105379",
           "http://www.securitytracker.com/id/1041674",
           "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5741",
@@ -90,7 +89,6 @@
         "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
         "Severity": "CRITICAL",
         "References": [
-          "\nhttps://curl.haxx.se/docs/CVE-2018-14618.html\n    ",
           "http://www.securitytracker.com/id/1041605",
           "https://access.redhat.com/errata/RHSA-2018:3558",
           "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618",
@@ -113,7 +111,6 @@
         "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://curl.haxx.se/docs/CVE-2018-16842.html\n    ",
           "http://www.securitytracker.com/id/1042014",
           "https://access.redhat.com/errata/RHSA-2019:2181",
           "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842",
@@ -647,7 +644,6 @@
         "Description": "curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)",
         "Severity": "CRITICAL",
         "References": [
-          "\nhttps://curl.haxx.se/docs/CVE-2018-14618.html\n    ",
           "http://www.securitytracker.com/id/1041605",
           "https://access.redhat.com/errata/RHSA-2018:3558",
           "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14618",
@@ -670,7 +666,6 @@
         "Description": "Curl versions 7.14.1 through 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://curl.haxx.se/docs/CVE-2018-16842.html\n    ",
           "http://www.securitytracker.com/id/1042014",
           "https://access.redhat.com/errata/RHSA-2019:2181",
           "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16842",
@@ -693,7 +688,6 @@
         "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
         "Severity": "CRITICAL",
         "References": [
-          "\nhttps://www.libssh2.org/CVE-2019-3855.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
           "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",
@@ -723,7 +717,6 @@
         "Description": "An integer overflow flaw, which could lead to an out of bounds write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt requests are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://www.libssh2.org/CVE-2019-3856.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
           "https://access.redhat.com/errata/RHSA-2019:0679",
@@ -747,7 +740,6 @@
         "Description": "An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit signal are parsed. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://www.libssh2.org/CVE-2019-3857.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
           "https://access.redhat.com/errata/RHSA-2019:0679",
@@ -771,7 +763,6 @@
         "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 when a specially crafted SFTP packet is received from the server. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://www.libssh2.org/CVE-2019-3858.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
           "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",
@@ -799,7 +790,6 @@
         "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH packets with a padding length value greater than the packet length are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://www.libssh2.org/CVE-2019-3861.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
           "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3861",
@@ -821,7 +811,6 @@
         "Description": "An out of bounds read flaw was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST packets with an exit status message and no payload are parsed. A remote attacker who compromises a SSH server may be able to cause a Denial of Service or read data in the client memory.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://www.libssh2.org/CVE-2019-3862.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
           "http://packetstormsecurity.com/files/152136/Slackware-Security-Advisory-libssh2-Updates.html",
@@ -849,7 +838,6 @@
         "Description": "A flaw was found in libssh2 before 1.8.1. A server could send a multiple keyboard interactive response messages whose total length are greater than unsigned char max characters. This value is used as an index to copy memory causing in an out of bounds memory write error.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://www.libssh2.org/CVE-2019-3863.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html",
           "https://access.redhat.com/errata/RHSA-2019:0679",
@@ -888,7 +876,6 @@
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
         "References": [
-          "\nhttps://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/\n    ",
           "http://www.securitytracker.com/id/1041144",
           "http://www.securitytracker.com/id/1041147",
           "https://access.redhat.com/errata/RHSA-2018:3221",
@@ -935,7 +922,6 @@
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
         "References": [
-          "\nhttps://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/\n    ",
           "http://www.securitytracker.com/id/1041144",
           "http://www.securitytracker.com/id/1041147",
           "https://access.redhat.com/errata/RHSA-2018:3221",
@@ -982,7 +968,6 @@
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
         "References": [
-          "\nhttps://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/\n    ",
           "http://www.securitytracker.com/id/1041144",
           "http://www.securitytracker.com/id/1041147",
           "https://access.redhat.com/errata/RHSA-2018:3221",
@@ -1043,7 +1028,6 @@
         "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://www.openssl.org/news/secadv/20190226.txt\nhttps://github.com/RUB-NDS/TLS-Padding-Oracles\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html",
@@ -1052,6 +1036,7 @@
           "http://www.securityfocus.com/bid/107174",
           "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559",
           "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
+          "https://github.com/RUB-NDS/TLS-Padding-Oracles",
           "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282",
           "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html",
           "https://security.gentoo.org/glsa/201903-10",
@@ -1076,7 +1061,6 @@
         "Description": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.",
         "Severity": "LOW",
         "References": [
-          "\nhttps://github.com/bbbrumley/portsmash\nhttps://www.openssl.org/news/secadv/20181112.txt\n    ",
           "http://www.securityfocus.com/bid/105897",
           "https://access.redhat.com/errata/RHSA-2019:0483",
           "https://access.redhat.com/errata/RHSA-2019:0651",
@@ -1092,6 +1076,7 @@
           "https://www.debian.org/security/2018/dsa-4348",
           "https://www.debian.org/security/2018/dsa-4355",
           "https://www.exploit-db.com/exploits/45785/",
+          "https://www.openssl.org/news/secadv/20181112.txt",
           "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
           "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
           "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
@@ -1108,7 +1093,6 @@
         "Description": "procps-ng before version 3.3.15 is vulnerable to a local privilege escalation in top. If a user runs top with HOME unset in an attacker-controlled directory, the attacker could achieve privilege escalation by exploiting one of several vulnerabilities in the config_file() function.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt\n    ",
           "http://seclists.org/oss-sec/2018/q2/122",
           "http://www.securityfocus.com/bid/104214",
           "https://access.redhat.com/errata/RHSA-2019:2189",
@@ -1132,8 +1116,8 @@
         "Description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided.\n    \nA null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
         "References": [
-          "\nhttps://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html\n    ",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010"
+          "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html"
         ]
       },
       {
@@ -1145,7 +1129,6 @@
         "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://bugs.python.org/issue34623\n    ",
           "http://www.securityfocus.com/bid/105396",
           "http://www.securitytracker.com/id/1041740",
           "https://access.redhat.com/errata/RHSA-2019:1260",
@@ -1171,7 +1154,6 @@
         "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html\n    ",
           "https://access.redhat.com/errata/RHSA-2019:1587",
           "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160",
           "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09",
@@ -1192,7 +1174,6 @@
         "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html",
@@ -1286,8 +1267,8 @@
         "Description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided.\n    \nA null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
         "References": [
-          "\nhttps://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html\n    ",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010"
+          "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html"
         ]
       },
       {
@@ -1299,7 +1280,6 @@
         "Description": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. Python 3.8, 3.7, 3.6, 3.5, 3.4, 2.7 are believed to be vulnerable.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://bugs.python.org/issue34623\n    ",
           "http://www.securityfocus.com/bid/105396",
           "http://www.securitytracker.com/id/1041740",
           "https://access.redhat.com/errata/RHSA-2019:1260",
@@ -1325,7 +1305,6 @@
         "Description": "A security regression of CVE-2019-9636 was discovered in python since commit d537ab0ff9767ef024f26246899728f0116b1ec3 affecting versions 2.7, 3.5, 3.6, 3.7 and from v3.8.0a4 through v3.8.0b1, which still allows an attacker to exploit CVE-2019-9636 by abusing the user and password parts of a URL. When an application parses user-supplied URLs to store cookies, authentication credentials, or other kind of information, it is possible for an attacker to provide specially crafted URLs to make the application locate host-related information (e.g. cookies, authentication data) and send them to a different host than where it should, unlike if the URLs had been correctly parsed. The result of an attack may vary based on the application.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization2.html\n    ",
           "https://access.redhat.com/errata/RHSA-2019:1587",
           "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10160",
           "https://github.com/python/cpython/commit/250b62acc59921d399f0db47db3b462cd6037e09",
@@ -1346,7 +1325,6 @@
         "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html",
@@ -1459,7 +1437,6 @@
         "Description": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.",
         "Severity": "LOW",
         "References": [
-          "\nhttps://www.qualys.com/2019/01/09/system-down/system-down.txt\n    ",
           "http://packetstormsecurity.com/files/152841/System-Down-A-systemd-journald-Exploit.html",
           "http://seclists.org/fulldisclosure/2019/May/21",
           "http://www.openwall.com/lists/oss-security/2019/05/10/4",
@@ -1518,7 +1495,6 @@
         "Description": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.",
         "Severity": "LOW",
         "References": [
-          "\nhttps://www.qualys.com/2019/01/09/system-down/system-down.txt\n    ",
           "http://packetstormsecurity.com/files/152841/System-Down-A-systemd-journald-Exploit.html",
           "http://seclists.org/fulldisclosure/2019/May/21",
           "http://www.openwall.com/lists/oss-security/2019/05/10/4",

integration/testdata/centos-7-low-high.json.golden

@@ -11,8 +11,8 @@
         "Description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided.\n    \nA flaw was found in the way bind implemented tunable which limited simultaneous TCP client connections. A remote attacker could use this flaw to exhaust the pool of file descriptors available to named, potentially affecting network connections and the management of files such as log files or zone journal files. In cases where the named process is not limited by OS-enforced per-process limits, this could additionally potentially lead to exhaustion of all available free file descriptors on that system.",
         "Severity": "HIGH",
         "References": [
-          "\nhttps://kb.isc.org/docs/cve-2018-5743\n    ",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5743"
+          "https://kb.isc.org/docs/cve-2018-5743"
         ]
       },
       {
@@ -66,7 +66,6 @@
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
         "References": [
-          "\nhttps://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/\n    ",
           "http://www.securitytracker.com/id/1041144",
           "http://www.securitytracker.com/id/1041147",
           "https://access.redhat.com/errata/RHSA-2018:3221",
@@ -98,7 +97,6 @@
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
         "References": [
-          "\nhttps://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/\n    ",
           "http://www.securitytracker.com/id/1041144",
           "http://www.securitytracker.com/id/1041147",
           "https://access.redhat.com/errata/RHSA-2018:3221",
@@ -130,7 +128,6 @@
         "Description": "Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.",
         "Severity": "LOW",
         "References": [
-          "\nhttps://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/\n    ",
           "http://www.securitytracker.com/id/1041144",
           "http://www.securitytracker.com/id/1041147",
           "https://access.redhat.com/errata/RHSA-2018:3221",
@@ -162,7 +159,6 @@
         "Description": "Simultaneous Multi-threading (SMT) in processors can enable local users to exploit software vulnerable to timing attacks via a side-channel timing attack on 'port contention'.",
         "Severity": "LOW",
         "References": [
-          "\nhttps://github.com/bbbrumley/portsmash\nhttps://www.openssl.org/news/secadv/20181112.txt\n    ",
           "http://www.securityfocus.com/bid/105897",
           "https://access.redhat.com/errata/RHSA-2019:0483",
           "https://access.redhat.com/errata/RHSA-2019:0651",
@@ -178,6 +174,7 @@
           "https://www.debian.org/security/2018/dsa-4348",
           "https://www.debian.org/security/2018/dsa-4355",
           "https://www.exploit-db.com/exploits/45785/",
+          "https://www.openssl.org/news/secadv/20181112.txt",
           "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
           "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
           "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
@@ -194,8 +191,8 @@
         "Description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided.\n    \nA null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
         "References": [
-          "\nhttps://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html\n    ",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010"
+          "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html"
         ]
       },
       {
@@ -207,8 +204,8 @@
         "Description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided.\n    \nA null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
         "References": [
-          "\nhttps://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html\n    ",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010"
+          "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html"
         ]
       },
       {
@@ -220,7 +217,6 @@
         "Description": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.",
         "Severity": "LOW",
         "References": [
-          "\nhttps://www.qualys.com/2019/01/09/system-down/system-down.txt\n    ",
           "http://packetstormsecurity.com/files/152841/System-Down-A-systemd-journald-Exploit.html",
           "http://seclists.org/fulldisclosure/2019/May/21",
           "http://www.openwall.com/lists/oss-security/2019/05/10/4",
@@ -260,7 +256,6 @@
         "Description": "An out of bounds read was discovered in systemd-journald in the way it parses log messages that terminate with a colon ':'. A local attacker can use this flaw to disclose process memory data. Versions from v221 to v239 are vulnerable.",
         "Severity": "LOW",
         "References": [
-          "\nhttps://www.qualys.com/2019/01/09/system-down/system-down.txt\n    ",
           "http://packetstormsecurity.com/files/152841/System-Down-A-systemd-journald-Exploit.html",
           "http://seclists.org/fulldisclosure/2019/May/21",
           "http://www.openwall.com/lists/oss-security/2019/05/10/4",

integration/testdata/debian-buster.json.golden

@@ -481,11 +481,11 @@
         "Description": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12904.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00049.html",
           "https://dev.gnupg.org/T4541",
           "https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020",
-          "https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762"
+          "https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762",
+          "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12904.html"
         ]
       },
       {
@@ -626,7 +626,6 @@
         "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/\n    ",
           "http://www.securityfocus.com/bid/97067",
           "https://access.redhat.com/errata/RHSA-2018:2486",
           "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/",
@@ -642,7 +641,6 @@
         "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/\n    ",
           "http://www.securityfocus.com/bid/97067",
           "https://access.redhat.com/errata/RHSA-2018:2486",
           "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/",

integration/testdata/debian-stretch.json.golden

@@ -1069,11 +1069,11 @@
         "Description": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12904.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00049.html",
           "https://dev.gnupg.org/T4541",
           "https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020",
-          "https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762"
+          "https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762",
+          "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12904.html"
         ]
       },
       {
@@ -1158,7 +1158,6 @@
         "Description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
         "Severity": "LOW",
         "References": [
-          "\nhttp://cat.eyalro.net/\n    ",
           "http://cat.eyalro.net/",
           "http://www.securityfocus.com/bid/106092",
           "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16869",
@@ -1187,7 +1186,6 @@
         "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/\n    ",
           "http://www.securityfocus.com/bid/97067",
           "https://access.redhat.com/errata/RHSA-2018:2486",
           "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/",
@@ -1203,7 +1201,6 @@
         "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/\n    ",
           "http://www.securityfocus.com/bid/97067",
           "https://access.redhat.com/errata/RHSA-2018:2486",
           "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/",

integration/testdata/distroless-python27.json.golden

@@ -765,8 +765,8 @@
         "Description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided.\n    \nA null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
         "References": [
-          "\nhttps://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html\n    ",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010"
+          "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html"
         ]
       },
       {
@@ -864,7 +864,6 @@
         "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html",
@@ -1004,7 +1003,6 @@
         "Description": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries that occur after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases), aka Magellan.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://access.redhat.com/articles/3758321\nhttps://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html\nhttps://blade.tencent.com/magellan/index_en.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00040.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00070.html",
           "http://www.securityfocus.com/bid/106323",
@@ -1040,7 +1038,6 @@
         "Description": "SQLite 3.25.2, when queries are run on a table with a malformed PRIMARY KEY, allows remote attackers to cause a denial of service (application crash) by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases).",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://access.redhat.com/articles/3758321\nhttps://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html\nhttps://blade.tencent.com/magellan/index_en.html\n    ",
           "http://seclists.org/fulldisclosure/2019/Jan/62",
           "http://seclists.org/fulldisclosure/2019/Jan/64",
           "http://seclists.org/fulldisclosure/2019/Jan/66",
@@ -1048,6 +1045,9 @@
           "http://seclists.org/fulldisclosure/2019/Jan/68",
           "http://seclists.org/fulldisclosure/2019/Jan/69",
           "http://www.securityfocus.com/bid/106698",
+          "https://access.redhat.com/articles/3758321",
+          "https://blade.tencent.com/magellan/index_en.html",
+          "https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html",
           "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20505",
           "https://seclists.org/bugtraq/2019/Jan/28",
           "https://seclists.org/bugtraq/2019/Jan/29",
@@ -1075,7 +1075,6 @@
         "Description": "SQLite before 3.25.3, when the FTS3 extension is enabled, encounters an integer overflow (and resultant buffer overflow) for FTS3 queries in a \"merge\" operation that occurs after crafted changes to FTS3 shadow tables, allowing remote attackers to execute arbitrary code by leveraging the ability to run arbitrary SQL statements (such as in certain WebSQL use cases). This is a different vulnerability than CVE-2018-20346.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://access.redhat.com/articles/3758321\nhttps://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html\nhttps://blade.tencent.com/magellan/index_en.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00070.html",
           "http://seclists.org/fulldisclosure/2019/Jan/62",
           "http://seclists.org/fulldisclosure/2019/Jan/64",
@@ -1084,6 +1083,9 @@
           "http://seclists.org/fulldisclosure/2019/Jan/68",
           "http://seclists.org/fulldisclosure/2019/Jan/69",
           "http://www.securityfocus.com/bid/106698",
+          "https://access.redhat.com/articles/3758321",
+          "https://blade.tencent.com/magellan/index_en.html",
+          "https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html",
           "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20506",
           "https://seclists.org/bugtraq/2019/Jan/28",
           "https://seclists.org/bugtraq/2019/Jan/29",
@@ -1146,7 +1148,6 @@
         "Description": "Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://chromereleases.googleblog.com/2019/04/stable-channel-update-for-desktop_30.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00085.html",
           "https://chromereleases.googleblog.com/2019/04/stable-channel-update-for-desktop_30.html",
           "https://crbug.com/952406",
@@ -1362,8 +1363,8 @@
         "Description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided.\n    \nA null pointer dereference vulnerability was found in the certificate parsing code in Python. This causes a denial of service to applications when parsing specially crafted certificates. This vulnerability is unlikely to be triggered if application enables SSL/TLS certificate validation and accepts certificates only from trusted root certificate authorities.",
         "Severity": "HIGH",
         "References": [
-          "\nhttps://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html\n    ",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5010"
+          "https://python-security.readthedocs.io/vuln/ssl-crl-dps-dos.html"
         ]
       },
       {
@@ -1461,7 +1462,6 @@
         "Description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00092.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00097.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00024.html",

integration/testdata/ubuntu-1604.json.golden

@@ -106,7 +106,7 @@
         "Description": "Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f\nhttps://access.redhat.com/articles/4264021\n    ",
+          "https://access.redhat.com/articles/4264021",
           "https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f",
           "https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html",
           "https://twitter.com/lambdafu/status/1147162583969009664"
@@ -121,7 +121,7 @@
         "Description": "Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f\nhttps://access.redhat.com/articles/4264021\n    ",
+          "https://access.redhat.com/articles/4264021",
           "https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f",
           "https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html",
           "https://twitter.com/lambdafu/status/1147162583969009664"
@@ -719,13 +719,13 @@
         "Description": "The Debian initrd script for the cryptsetup package 2:1.7.3-2 and earlier allows physically proximate attackers to gain shell access via many log in attempts with an invalid password.",
         "Severity": "HIGH",
         "References": [
-          "\nhttps://access.redhat.com/articles/2786581\nhttp://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html\n    ",
           "http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html",
           "http://www.openwall.com/lists/oss-security/2016/11/14/13",
           "http://www.openwall.com/lists/oss-security/2016/11/15/1",
           "http://www.openwall.com/lists/oss-security/2016/11/15/4",
           "http://www.openwall.com/lists/oss-security/2016/11/16/6",
           "http://www.securityfocus.com/bid/94315",
+          "https://access.redhat.com/articles/2786581",
           "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4484",
           "https://gitlab.com/cryptsetup/cryptsetup/commit/ef8a7d82d8d3716ae9b58179590f7908981fa0cb"
         ]
@@ -1217,7 +1217,6 @@
         "Description": "The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (invalid memory read) via a crafted file.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/\n    ",
           "http://www.securityfocus.com/bid/97067",
           "https://access.redhat.com/errata/RHSA-2018:2486",
           "https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/",
@@ -1234,7 +1233,6 @@
         "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/\n    ",
           "http://www.securityfocus.com/bid/97067",
           "https://access.redhat.com/errata/RHSA-2018:2486",
           "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/",
@@ -1250,7 +1248,6 @@
         "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/\n    ",
           "http://www.securityfocus.com/bid/97067",
           "https://access.redhat.com/errata/RHSA-2018:2486",
           "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/",
@@ -2416,7 +2413,6 @@
         "Description": "inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
         "Severity": "HIGH",
         "References": [
-          "\nhttps://wiki.mozilla.org/images/0/09/Zlib-report.pdf\nhttps://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7\n    ",
           "http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html",
           "http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html",
           "http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html",
@@ -2436,6 +2432,7 @@
           "https://access.redhat.com/errata/RHSA-2017:3453",
           "https://bugzilla.redhat.com/show_bug.cgi?id=1402346",
           "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9841",
+          "https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7",
           "https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb",
           "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html",
           "https://security.gentoo.org/glsa/201701-56",
@@ -2457,7 +2454,6 @@
         "Description": "The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.",
         "Severity": "HIGH",
         "References": [
-          "\nhttps://wiki.mozilla.org/images/0/09/Zlib-report.pdf\nhttps://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7\n    ",
           "http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html",
           "http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html",
           "http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html",
@@ -2477,6 +2473,7 @@
           "https://access.redhat.com/errata/RHSA-2017:3453",
           "https://bugzilla.redhat.com/show_bug.cgi?id=1402351",
           "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843",
+          "https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7",
           "https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811",
           "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html",
           "https://security.gentoo.org/glsa/201701-56",
@@ -2498,7 +2495,6 @@
         "Description": "inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://wiki.mozilla.org/images/0/09/Zlib-report.pdf\nhttps://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7\n    ",
           "http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html",
           "http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html",
           "http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html",
@@ -2516,6 +2512,7 @@
           "https://access.redhat.com/errata/RHSA-2017:3453",
           "https://bugzilla.redhat.com/show_bug.cgi?id=1402345",
           "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9840",
+          "https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7",
           "https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0",
           "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html",
           "https://security.gentoo.org/glsa/201701-56",
@@ -2536,7 +2533,6 @@
         "Description": "The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://wiki.mozilla.org/images/0/09/Zlib-report.pdf\nhttps://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7\n    ",
           "http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html",
           "http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html",
           "http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html",
@@ -2554,6 +2550,7 @@
           "https://access.redhat.com/errata/RHSA-2017:3453",
           "https://bugzilla.redhat.com/show_bug.cgi?id=1402348",
           "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9842",
+          "https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit#heading=h.t13tvnx4loq7",
           "https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958",
           "https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html",
           "https://security.gentoo.org/glsa/201701-56",

integration/testdata/ubuntu-1804.json.golden

@@ -89,7 +89,7 @@
         "Description": "Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f\nhttps://access.redhat.com/articles/4264021\n    ",
+          "https://access.redhat.com/articles/4264021",
           "https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f",
           "https://lists.gnupg.org/pipermail/gnupg-announce/2019q3/000439.html",
           "https://twitter.com/lambdafu/status/1147162583969009664"
@@ -554,11 +554,11 @@
         "Description": "In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.)",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12904.html\n    ",
           "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00049.html",
           "https://dev.gnupg.org/T4541",
           "https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020",
-          "https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762"
+          "https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762",
+          "https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12904.html"
         ]
       },
       {
@@ -587,7 +587,6 @@
         "Description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way gnutls handles verification of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run process on the same physical core as the victim process, could use this to extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
         "Severity": "LOW",
         "References": [
-          "\nhttp://cat.eyalro.net/\n    ",
           "http://cat.eyalro.net/",
           "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00017.html",
           "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00068.html",
@@ -605,7 +604,6 @@
         "Description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
         "Severity": "LOW",
         "References": [
-          "\nhttp://cat.eyalro.net/\n    ",
           "http://cat.eyalro.net/",
           "http://www.securityfocus.com/bid/106092",
           "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16869",
@@ -638,7 +636,6 @@
         "Description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
         "Severity": "LOW",
         "References": [
-          "\nhttp://cat.eyalro.net/\n    ",
           "http://cat.eyalro.net/",
           "http://www.securityfocus.com/bid/106092",
           "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16869",
@@ -667,7 +664,6 @@
         "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/\n    ",
           "http://www.securityfocus.com/bid/97067",
           "https://access.redhat.com/errata/RHSA-2018:2486",
           "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/",
@@ -683,7 +679,6 @@
         "Description": "Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file.",
         "Severity": "MEDIUM",
         "References": [
-          "\nhttps://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/\n    ",
           "http://www.securityfocus.com/bid/97067",
           "https://access.redhat.com/errata/RHSA-2018:2486",
           "https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/",

pkg/db/db.go

@@ -19,6 +19,17 @@ var (
 	dbDir string
 )
 
+type Operations interface {
+	SetVersion(string) error
+	Update(string, string, string, interface{}) error
+	BatchUpdate(func(*bolt.Tx) error) error
+	PutNestedBucket(*bolt.Tx, string, string, string, interface{}) error
+	ForEach(string, string) (map[string][]byte, error)
+}
+
+type Config struct {
+}
+
 func Init() (err error) {
 	dbDir = filepath.Join(utils.CacheDir(), "db")
 	if err = os.MkdirAll(dbDir, 0700); err != nil {
@@ -68,17 +79,17 @@ func GetVersion() string {
 	return version
 }
 
-func SetVersion(version string) error {
+func (dbc Config) SetVersion(version string) error {
-	err := Update("trivy", "metadata", "version", version)
+	err := dbc.Update("trivy", "metadata", "version", version)
 	if err != nil {
 		return xerrors.Errorf("failed to save DB version: %w", err)
 	}
 	return nil
 }
 
-func Update(rootBucket, nestedBucket, key string, value interface{}) error {
+func (dbc Config) Update(rootBucket, nestedBucket, key string, value interface{}) error {
 	err := db.Update(func(tx *bolt.Tx) error {
-		return PutNestedBucket(tx, rootBucket, nestedBucket, key, value)
+		return dbc.PutNestedBucket(tx, rootBucket, nestedBucket, key, value)
 	})
 	if err != nil {
 		return xerrors.Errorf("error in db update: %w", err)
@@ -86,13 +97,14 @@ func Update(rootBucket, nestedBucket, key string, value interface{}) error {
 	return err
 }
 
-func PutNestedBucket(tx *bolt.Tx, rootBucket, nestedBucket, key string, value interface{}) error {
+func (dbc Config) PutNestedBucket(tx *bolt.Tx, rootBucket, nestedBucket, key string, value interface{}) error {
 	root, err := tx.CreateBucketIfNotExists([]byte(rootBucket))
 	if err != nil {
 		return xerrors.Errorf("failed to create a bucket: %w", err)
 	}
 	return Put(root, nestedBucket, key, value)
 }
+
 func Put(root *bolt.Bucket, nestedBucket, key string, value interface{}) error {
 	nested, err := root.CreateBucketIfNotExists([]byte(nestedBucket))
 	if err != nil {
@@ -104,7 +116,8 @@ func Put(root *bolt.Bucket, nestedBucket, key string, value interface{}) error {
 	}
 	return nested.Put([]byte(key), v)
 }
-func BatchUpdate(fn func(tx *bolt.Tx) error) error {
+
+func (dbc Config) BatchUpdate(fn func(tx *bolt.Tx) error) error {
 	err := db.Batch(fn)
 	if err != nil {
 		return xerrors.Errorf("error in batch update: %w", err)
@@ -131,7 +144,7 @@ func Get(rootBucket, nestedBucket, key string) (value []byte, err error) {
 	return value, nil
 }
 
-func ForEach(rootBucket, nestedBucket string) (value map[string][]byte, err error) {
+func (dbc Config) ForEach(rootBucket, nestedBucket string) (value map[string][]byte, err error) {
 	value = map[string][]byte{}
 	err = db.View(func(tx *bolt.Tx) error {
 		root := tx.Bucket([]byte(rootBucket))

pkg/db/db_mock.go

@@ -0,0 +1,43 @@
+package db
+
+import (
+	bolt "github.com/etcd-io/bbolt"
+	"github.com/stretchr/testify/mock"
+)
+
+type MockDBConfig struct {
+	mock.Mock
+}
+
+func (_m *MockDBConfig) SetVersion(version string) error {
+	ret := _m.Called(version)
+	return ret.Error(0)
+}
+
+func (_m *MockDBConfig) Update(a, b, c string, d interface{}) error {
+	ret := _m.Called(a, b, c, d)
+	return ret.Error(0)
+}
+
+func (_m *MockDBConfig) BatchUpdate(f func(*bolt.Tx) error) error {
+	ret := _m.Called(f)
+	return ret.Error(0)
+}
+
+func (_m *MockDBConfig) PutNestedBucket(a *bolt.Tx, b, c, d string, e interface{}) error {
+	ret := _m.Called(a, b, c, d, e)
+	return ret.Error(0)
+}
+
+func (_m *MockDBConfig) ForEach(a string, b string) (map[string][]byte, error) {
+	ret := _m.Called(a, b)
+	ret0 := ret.Get(0)
+	if ret0 == nil {
+		return nil, ret.Error(1)
+	}
+	r, ok := ret0.(map[string][]byte)
+	if !ok {
+		return nil, ret.Error(1)
+	}
+	return r, ret.Error(1)
+}

pkg/run.go

@@ -113,7 +113,8 @@ func Run(c *cli.Context) (err error) {
 		}
 	}
 
-	if err = db.SetVersion(cliVersion); err != nil {
+	dbc := db.Config{}
+	if err = dbc.SetVersion(cliVersion); err != nil {
 		return xerrors.Errorf("unexpected error: %w", err)
 	}
 

pkg/scanner/library/bundler/advisory.go

@@ -121,7 +121,8 @@ func (s *Scanner) walk() (AdvisoryDB, error) {
 }
 
 func (s *Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
-	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+	vdb := vulnerability.DB{}
+	return vdb.BatchUpdate(func(b *bbolt.Bucket) error {
 		for _, vuln := range vulns {
 			if err := db.Put(b, vuln.ID, vulnerability.RubySec, vuln); err != nil {
 				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)

pkg/scanner/library/cargo/advisory.go

@@ -104,7 +104,8 @@ func (s *Scanner) walk() (AdvisoryDB, error) {
 }
 
 func (s *Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
-	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+	vdb := vulnerability.DB{}
+	return vdb.BatchUpdate(func(b *bbolt.Bucket) error {
 		for _, vuln := range vulns {
 			if err := db.Put(b, vuln.ID, vulnerability.RustSec, vuln); err != nil {
 				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)

pkg/scanner/library/composer/advisory.go

@@ -101,7 +101,8 @@ func (s *Scanner) walk() (AdvisoryDB, error) {
 }
 
 func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
-	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+	vdb := vulnerability.DB{}
+	return vdb.BatchUpdate(func(b *bbolt.Bucket) error {
 		for _, vuln := range vulns {
 			if err := db.Put(b, vuln.ID, vulnerability.PhpSecurityAdvisories, vuln); err != nil {
 				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)

pkg/scanner/library/node/advisory.go

@@ -115,7 +115,8 @@ func (s *Scanner) walk() (AdvisoryDB, error) {
 }
 
 func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
-	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+	vdb := vulnerability.DB{}
+	return vdb.BatchUpdate(func(b *bbolt.Bucket) error {
 		for _, vuln := range vulns {
 			if err := db.Put(b, vuln.ID, vulnerability.NodejsSecurityWg, vuln); err != nil {
 				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)

pkg/scanner/library/python/advisory.go

@@ -82,7 +82,8 @@ func (s *Scanner) parse() (AdvisoryDB, error) {
 }
 
 func (s Scanner) saveVulnerabilities(vulns []vulnerability.Vulnerability) error {
-	return vulnerability.BatchUpdate(func(b *bbolt.Bucket) error {
+	vdb := vulnerability.DB{}
+	return vdb.BatchUpdate(func(b *bbolt.Bucket) error {
 		for _, vuln := range vulns {
 			if err := db.Put(b, vuln.ID, vulnerability.PythonSafetyDB, vuln); err != nil {
 				return xerrors.Errorf("failed to save %s vulnerability: %w", s.Type(), err)

pkg/scanner/ospkg/amazon/amazon.go

@@ -0,0 +1,81 @@
+package amazon
+
+import (
+	"strings"
+
+	"go.uber.org/zap"
+
+	"github.com/aquasecurity/fanal/analyzer"
+	"github.com/aquasecurity/trivy/pkg/vulnsrc/amazon"
+	version "github.com/knqyf263/go-deb-version"
+	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/scanner/utils"
+	"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
+)
+
+type Scanner struct {
+	l  *zap.SugaredLogger
+	ac amazon.Operations
+}
+
+func NewScanner() *Scanner {
+	return &Scanner{
+		l:  log.Logger,
+		ac: amazon.NewVulnSrc(),
+	}
+}
+
+func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability.DetectedVulnerability, error) {
+	log.Logger.Info("Detecting Amazon Linux vulnerabilities...")
+
+	osVer = strings.Fields(osVer)[0]
+	if osVer != "2" {
+		osVer = "1"
+	}
+	log.Logger.Debugf("amazon: os version: %s", osVer)
+	log.Logger.Debugf("amazon: the number of packages: %d", len(pkgs))
+
+	var vulns []vulnerability.DetectedVulnerability
+	for _, pkg := range pkgs {
+		advisories, err := s.ac.Get(osVer, pkg.Name)
+		if err != nil {
+			return nil, xerrors.Errorf("failed to get amazon advisories: %w", err)
+		}
+
+		installed := utils.FormatVersion(pkg)
+		if installed == "" {
+			continue
+		}
+
+		installedVersion, err := version.NewVersion(installed)
+		if err != nil {
+			log.Logger.Debugf("failed to parse Amazon Linux installed package version: %s", err)
+			continue
+		}
+
+		for _, adv := range advisories {
+			fixedVersion, err := version.NewVersion(adv.FixedVersion)
+			if err != nil {
+				log.Logger.Debugf("failed to parse Amazon Linux package version: %s", err)
+				continue
+			}
+
+			if installedVersion.LessThan(fixedVersion) {
+				vuln := vulnerability.DetectedVulnerability{
+					VulnerabilityID:  adv.VulnerabilityID,
+					PkgName:          pkg.Name,
+					InstalledVersion: installed,
+					FixedVersion:     adv.FixedVersion,
+				}
+				vulns = append(vulns, vuln)
+			}
+		}
+	}
+	return vulns, nil
+}
+
+func (s *Scanner) IsSupportedVersion(osFamily, osVer string) bool {
+	return true
+}

pkg/scanner/ospkg/amazon/amazon_test.go

@@ -0,0 +1,168 @@
+package amazon
+
+import (
+	"errors"
+	"testing"
+
+	"go.uber.org/zap"
+
+	"go.uber.org/zap/zapcore"
+	"go.uber.org/zap/zaptest/observer"
+
+	"github.com/aquasecurity/fanal/analyzer"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
+	"github.com/stretchr/testify/assert"
+)
+
+type MockAmazonConfig struct {
+	update func(string, map[string]struct{}) error
+	get    func(string, string) ([]vulnerability.Advisory, error)
+}
+
+func (mac MockAmazonConfig) Update(a string, b map[string]struct{}) error {
+	if mac.update != nil {
+		return mac.update(a, b)
+	}
+	return nil
+}
+
+func (mac MockAmazonConfig) Get(a string, b string) ([]vulnerability.Advisory, error) {
+	if mac.get != nil {
+		return mac.get(a, b)
+	}
+	return []vulnerability.Advisory{}, nil
+}
+
+func TestScanner_Detect(t *testing.T) {
+	t.Run("happy path", func(t *testing.T) {
+		zc, recorder := observer.New(zapcore.DebugLevel)
+		log.Logger = zap.New(zc).Sugar()
+		s := &Scanner{
+			l: log.Logger,
+			ac: MockAmazonConfig{
+				get: func(s string, s2 string) (advisories []vulnerability.Advisory, e error) {
+					return []vulnerability.Advisory{
+						{
+							VulnerabilityID: "123",
+							FixedVersion:    "3.0.0",
+						},
+					}, nil
+				},
+			},
+		}
+
+		vuls, err := s.Detect("3.1.0", []analyzer.Package{
+			{
+				Name:       "testpkg",
+				Version:    "2.1.0",
+				Release:    "hotfix",
+				SrcRelease: "test-hotfix",
+				SrcVersion: "2.1.0",
+			},
+			{
+				Name: "foopkg",
+			},
+		})
+		assert.NoError(t, err)
+		assert.Equal(t, []vulnerability.DetectedVulnerability{
+			{
+				VulnerabilityID:  "123",
+				PkgName:          "testpkg",
+				InstalledVersion: "2.1.0-hotfix",
+				FixedVersion:     "3.0.0",
+			},
+		}, vuls)
+
+		loggedMessages := getAllLoggedLogs(recorder)
+		assert.Contains(t, loggedMessages, "amazon: os version: 1")
+		assert.Contains(t, loggedMessages, "amazon: the number of packages: 2")
+	})
+
+	t.Run("get vulnerabilities fails to fetch", func(t *testing.T) {
+		_ = log.InitLogger(true, false)
+		s := &Scanner{
+			l: log.Logger,
+			ac: MockAmazonConfig{
+				get: func(s string, s2 string) (advisories []vulnerability.Advisory, e error) {
+					return nil, errors.New("failed to fetch advisories")
+				},
+			},
+		}
+		vuls, err := s.Detect("foo", []analyzer.Package{
+			{
+				Name: "testpkg",
+			},
+		})
+		assert.Equal(t, "failed to get amazon advisories: failed to fetch advisories", err.Error())
+		assert.Empty(t, vuls)
+	})
+
+	t.Run("invalid installed package version", func(t *testing.T) {
+		zc, recorder := observer.New(zapcore.DebugLevel)
+		log.Logger = zap.New(zc).Sugar()
+		s := &Scanner{
+			l: log.Logger,
+			ac: MockAmazonConfig{
+				get: func(s string, s2 string) (advisories []vulnerability.Advisory, e error) {
+					return []vulnerability.Advisory{
+						{
+							VulnerabilityID: "123",
+							FixedVersion:    "3.0.0",
+						},
+					}, nil
+				},
+			},
+		}
+
+		vuls, err := s.Detect("3.1.0", []analyzer.Package{
+			{
+				Name:    "testpkg",
+				Version: "badsourceversion",
+			},
+		})
+		assert.NoError(t, err)
+		assert.Equal(t, []vulnerability.DetectedVulnerability(nil), vuls)
+		loggedMessages := getAllLoggedLogs(recorder)
+		assert.Contains(t, loggedMessages, "failed to parse Amazon Linux installed package version: upstream_version must start with digit")
+	})
+
+	t.Run("invalid fixed package version", func(t *testing.T) {
+		zc, recorder := observer.New(zapcore.DebugLevel)
+		log.Logger = zap.New(zc).Sugar()
+		s := &Scanner{
+			l: log.Logger,
+			ac: MockAmazonConfig{
+				get: func(s string, s2 string) (advisories []vulnerability.Advisory, e error) {
+					return []vulnerability.Advisory{
+						{
+							VulnerabilityID: "123",
+							FixedVersion:    "thisisbadversioning",
+						},
+					}, nil
+				},
+			},
+		}
+
+		vuls, err := s.Detect("3.1.0", []analyzer.Package{
+			{
+				Name:    "testpkg",
+				Version: "3.1.0",
+			},
+		})
+		assert.NoError(t, err)
+		assert.Equal(t, []vulnerability.DetectedVulnerability(nil), vuls)
+		loggedMessages := getAllLoggedLogs(recorder)
+		assert.Contains(t, loggedMessages, "failed to parse Amazon Linux package version: upstream_version must start with digit")
+	})
+
+}
+
+func getAllLoggedLogs(recorder *observer.ObservedLogs) []string {
+	allLogs := recorder.AllUntimed()
+	var loggedMessages []string
+	for _, l := range allLogs {
+		loggedMessages = append(loggedMessages, l.Message)
+	}
+	return loggedMessages
+}

pkg/scanner/ospkg/scan.go

@@ -15,6 +15,7 @@ import (
 	"github.com/aquasecurity/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/scanner/ospkg/alpine"
+	"github.com/aquasecurity/trivy/pkg/scanner/ospkg/amazon"
 	"github.com/aquasecurity/trivy/pkg/scanner/ospkg/debian"
 	"github.com/aquasecurity/trivy/pkg/scanner/ospkg/redhat"
 	"github.com/aquasecurity/trivy/pkg/scanner/ospkg/ubuntu"
@@ -44,6 +45,8 @@ func Scan(files extractor.FileMap) (string, string, []vulnerability.DetectedVuln
 		s = ubuntu.NewScanner()
 	case fos.RedHat, fos.CentOS:
 		s = redhat.NewScanner()
+	case fos.Amazon:
+		s = amazon.NewScanner()
 	default:
 		log.Logger.Warnf("unsupported os : %s", os.Family)
 		return "", "", nil, nil

pkg/utils/progress.go

@@ -37,6 +37,7 @@ func (s *Spinner) Stop() {
 	s.client.Stop()
 }
 
+// TODO: Expose an interface for progressbar
 type ProgressBar struct {
 	client *pb.ProgressBar
 }

pkg/vulnsrc/alpine/alpine.go

@@ -63,7 +63,8 @@ func Update(dir string, updatedFiles map[string]struct{}) error {
 func save(cves []AlpineCVE) error {
 	log.Logger.Debug("Saving Alpine DB")
 
-	err := db.BatchUpdate(func(tx *bolt.Tx) error {
+	dbc := db.Config{}
+	err := dbc.BatchUpdate(func(tx *bolt.Tx) error {
 		for _, cve := range cves {
 			platformName := fmt.Sprintf(platformFormat, cve.Release)
 			pkgName := cve.Package
@@ -72,7 +73,7 @@ func save(cves []AlpineCVE) error {
 				FixedVersion:    cve.FixedVersion,
 				Repository:      cve.Repository,
 			}
-			if err := db.PutNestedBucket(tx, platformName, pkgName, cve.VulnerabilityID, advisory); err != nil {
+			if err := dbc.PutNestedBucket(tx, platformName, pkgName, cve.VulnerabilityID, advisory); err != nil {
 				return xerrors.Errorf("failed to save alpine advisory: %w", err)
 			}
 
@@ -80,7 +81,8 @@ func save(cves []AlpineCVE) error {
 				Title:       cve.Subject,
 				Description: cve.Description,
 			}
-			if err := vulnerability.Put(tx, cve.VulnerabilityID, vulnerability.Alpine, vuln); err != nil {
+			vdb := vulnerability.DB{}
+			if err := vdb.Put(tx, cve.VulnerabilityID, vulnerability.Alpine, vuln); err != nil {
 				return xerrors.Errorf("failed to save alpine vulnerability: %w", err)
 			}
 		}
@@ -94,7 +96,7 @@ func save(cves []AlpineCVE) error {
 
 func Get(release string, pkgName string) ([]Advisory, error) {
 	bucket := fmt.Sprintf(platformFormat, release)
-	advisories, err := db.ForEach(bucket, pkgName)
+	advisories, err := db.Config{}.ForEach(bucket, pkgName)
 	if err != nil {
 		return nil, xerrors.Errorf("error in Alpine foreach: %w", err)
 	}

pkg/vulnsrc/amazon/amazon.go

@@ -0,0 +1,199 @@
+package amazon
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"path/filepath"
+	"strings"
+
+	"github.com/aquasecurity/trivy/pkg/db"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/utils"
+	"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
+	"github.com/aquasecurity/vuln-list-update/amazon"
+	bolt "github.com/etcd-io/bbolt"
+	"golang.org/x/xerrors"
+)
+
+const (
+	amazonDir      = "amazon"
+	platformFormat = "amazon linux %s"
+)
+
+var (
+	targetVersions = []string{"1", "2"}
+	fileWalker     = utils.FileWalk // TODO: Remove once utils.go exposes an interface
+)
+
+type Operations interface {
+	Update(string, map[string]struct{}) error
+	Get(string, string) ([]vulnerability.Advisory, error)
+}
+
+type VulnSrc struct {
+	dbc      db.Operations
+	vdb      vulnerability.Operations
+	bar      *utils.ProgressBar
+	alasList []alas
+}
+
+type alas struct {
+	Version string
+	amazon.ALAS
+}
+
+func NewVulnSrc() VulnSrc {
+	return VulnSrc{
+		dbc: db.Config{},
+		vdb: vulnerability.DB{},
+	}
+}
+
+func (vs VulnSrc) Update(dir string, updatedFiles map[string]struct{}) error {
+	rootDir := filepath.Join(dir, amazonDir)
+	targets, err := utils.FilterTargets(amazonDir, updatedFiles) //TODO: Untested
+	if err != nil {
+		return xerrors.Errorf("failed to filter target files: %w", err)
+	} else if len(targets) == 0 {
+		log.Logger.Debug("amazon: no updated file")
+		return nil
+	}
+	log.Logger.Debugf("Amazon Linux AMI Security Advisory updated files: %d", len(targets))
+
+	vs.bar = utils.PbStartNew(len(targets))
+	defer vs.bar.Finish()
+
+	err = fileWalker(rootDir, targets, vs.walkFunc)
+	if err != nil {
+		return xerrors.Errorf("error in amazon walk: %w", err)
+	}
+
+	if err = vs.save(); err != nil {
+		return xerrors.Errorf("error in amazon save: %w", err)
+	}
+
+	return nil
+}
+
+func (vs *VulnSrc) walkFunc(r io.Reader, path string) error {
+	paths := strings.Split(path, string(filepath.Separator))
+	if len(paths) < 2 {
+		return nil
+	}
+	version := paths[len(paths)-2]
+	if !utils.StringInSlice(version, targetVersions) {
+		log.Logger.Debugf("unsupported amazon version: %s", version)
+		return nil
+	}
+
+	var vuln amazon.ALAS
+	if err := json.NewDecoder(r).Decode(&vuln); err != nil {
+		return xerrors.Errorf("failed to decode amazon JSON: %w", err)
+	}
+
+	vs.alasList = append(vs.alasList, alas{
+		Version: version,
+		ALAS:    vuln,
+	})
+	vs.bar.Increment()
+	return nil
+}
+
+func (vs VulnSrc) save() error {
+	log.Logger.Debug("Saving amazon DB")
+	err := vs.dbc.BatchUpdate(vs.commit())
+	if err != nil {
+		return xerrors.Errorf("error in batch update: %w", err)
+	}
+	return nil
+}
+
+// TODO: Cleanup the double layer of nested closures
+func (vs VulnSrc) commit() func(tx *bolt.Tx) error {
+	return vs.commitFunc
+}
+
+func (vs VulnSrc) commitFunc(tx *bolt.Tx) error {
+	for _, alas := range vs.alasList {
+		for _, cveID := range alas.CveIDs {
+			for _, pkg := range alas.Packages {
+				platformName := fmt.Sprintf(platformFormat, alas.Version)
+				advisory := vulnerability.Advisory{
+					VulnerabilityID: cveID,
+					FixedVersion:    constructVersion(pkg.Epoch, pkg.Version, pkg.Release),
+				}
+				if err := vs.dbc.PutNestedBucket(tx, platformName, pkg.Name, cveID, advisory); err != nil {
+					return xerrors.Errorf("failed to save amazon advisory: %w", err)
+				}
+
+				var references []string
+				for _, ref := range alas.References {
+					references = append(references, ref.Href)
+				}
+
+				vuln := vulnerability.Vulnerability{
+					Severity:    severityFromPriority(alas.Severity),
+					References:  references,
+					Description: alas.Description,
+					Title:       "",
+				}
+				if err := vs.vdb.Put(tx, cveID, vulnerability.Amazon, vuln); err != nil {
+					return xerrors.Errorf("failed to save amazon vulnerability: %w", err)
+				}
+			}
+		}
+	}
+	return nil
+}
+
+// Get returns a security advisory
+func (vs VulnSrc) Get(version string, pkgName string) ([]vulnerability.Advisory, error) {
+	bucket := fmt.Sprintf(platformFormat, version)
+	advisories, err := vs.dbc.ForEach(bucket, pkgName)
+	if err != nil {
+		return nil, xerrors.Errorf("error in amazon foreach: %w", err)
+	}
+	if len(advisories) == 0 {
+		return nil, nil
+	}
+
+	var results []vulnerability.Advisory
+	for _, v := range advisories {
+		var advisory vulnerability.Advisory
+		if err = json.Unmarshal(v, &advisory); err != nil {
+			return nil, xerrors.Errorf("failed to unmarshal amazon JSON: %w", err)
+		}
+		results = append(results, advisory)
+	}
+	return results, nil
+}
+
+func severityFromPriority(priority string) vulnerability.Severity {
+	switch priority {
+	case "low":
+		return vulnerability.SeverityLow
+	case "medium":
+		return vulnerability.SeverityMedium
+	case "important":
+		return vulnerability.SeverityHigh
+	case "critical":
+		return vulnerability.SeverityCritical
+	default:
+		return vulnerability.SeverityUnknown
+	}
+}
+
+func constructVersion(epoch, version, release string) string {
+	verStr := ""
+	if epoch != "0" && epoch != "" {
+		verStr += fmt.Sprintf("%s:", epoch)
+	}
+	verStr += version
+
+	if release != "" {
+		verStr += fmt.Sprintf("-%s", release)
+
+	}
+	return verStr
+}

pkg/vulnsrc/amazon/amazon_test.go

@@ -0,0 +1,397 @@
+package amazon
+
+import (
+	"errors"
+	"io"
+	"os"
+	"strings"
+	"testing"
+
+	bolt "github.com/etcd-io/bbolt"
+	"github.com/stretchr/testify/mock"
+
+	"github.com/aquasecurity/trivy/pkg/db"
+
+	"github.com/aquasecurity/vuln-list-update/amazon"
+
+	"github.com/aquasecurity/trivy/pkg/utils"
+
+	"github.com/aquasecurity/trivy/pkg/vulnsrc/vulnerability"
+
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMain(m *testing.M) {
+	err := log.InitLogger(false, true)
+	if err != nil {
+		log.Fatal(err)
+	}
+	utils.Quiet = true
+	os.Exit(m.Run())
+}
+
+func TestVulnSrc_Update(t *testing.T) {
+	testCases := []struct {
+		name           string
+		cacheDir       string
+		batchUpdateErr error
+		expectedError  error
+		expectedVulns  []vulnerability.Advisory
+	}{
+		{
+			name:          "happy path",
+			cacheDir:      "testdata",
+			expectedError: nil,
+		},
+		{
+			name:          "cache dir doesnt exist",
+			cacheDir:      "badpathdoesnotexist",
+			expectedError: errors.New("error in amazon walk: error in file walk: lstat badpathdoesnotexist/amazon: no such file or directory"),
+		},
+		{
+			name:           "unable to save amazon defintions",
+			cacheDir:       "testdata",
+			batchUpdateErr: errors.New("unable to batch update"),
+			expectedError:  errors.New("error in amazon save: error in batch update: unable to batch update"),
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			mockDBConfig := new(db.MockDBConfig)
+			mockDBConfig.On("BatchUpdate", mock.Anything).Return(tc.batchUpdateErr)
+			ac := VulnSrc{dbc: mockDBConfig}
+
+			err := ac.Update(tc.cacheDir, map[string]struct{}{"amazon": {}})
+			switch {
+			case tc.expectedError != nil:
+				assert.EqualError(t, err, tc.expectedError.Error(), tc.name)
+			default:
+				assert.NoError(t, err, tc.name)
+			}
+		})
+	}
+}
+
+func TestVulnSrc_Get(t *testing.T) {
+	type forEachReturn struct {
+		b   map[string][]byte
+		err error
+	}
+	testCases := []struct {
+		name          string
+		forEachFunc   forEachReturn
+		expectedError error
+		expectedVulns []vulnerability.Advisory
+	}{
+		{
+			name: "happy path",
+			forEachFunc: forEachReturn{
+				b: map[string][]byte{
+					"advisory1": []byte(`{"VulnerabilityID":"123","FixedVersion":"2.0.0"}`),
+				},
+				err: nil,
+			},
+			expectedError: nil,
+			expectedVulns: []vulnerability.Advisory{{VulnerabilityID: "123", FixedVersion: "2.0.0"}},
+		},
+		{
+			name:          "no advisories are returned",
+			forEachFunc:   forEachReturn{b: nil, err: nil},
+			expectedError: nil,
+			expectedVulns: []vulnerability.Advisory(nil),
+		},
+		{
+			name:          "amazon forEach return an error",
+			forEachFunc:   forEachReturn{b: nil, err: errors.New("foreach func returned an error")},
+			expectedError: errors.New("error in amazon foreach: foreach func returned an error"),
+			expectedVulns: nil,
+		},
+		{
+			name:          "failed to unmarshal amazon json",
+			forEachFunc:   forEachReturn{b: map[string][]byte{"foo": []byte(`badbar`)}, err: nil},
+			expectedError: errors.New("failed to unmarshal amazon JSON: invalid character 'b' looking for beginning of value"),
+			expectedVulns: nil,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			mockDBConfig := new(db.MockDBConfig)
+			mockDBConfig.On("ForEach", mock.Anything, mock.Anything).Return(
+				tc.forEachFunc.b, tc.forEachFunc.err,
+			)
+			ac := VulnSrc{dbc: mockDBConfig}
+
+			vuls, err := ac.Get("1.1.0", "testpkg")
+			switch {
+			case tc.expectedError != nil:
+				assert.EqualError(t, err, tc.expectedError.Error(), tc.name)
+			default:
+				assert.NoError(t, err, tc.name)
+			}
+
+			assert.Equal(t, tc.expectedVulns, vuls, tc.name)
+		})
+	}
+}
+
+func TestSeverityFromPriority(t *testing.T) {
+	testCases := map[string]vulnerability.Severity{
+		"low":       vulnerability.SeverityLow,
+		"medium":    vulnerability.SeverityMedium,
+		"important": vulnerability.SeverityHigh,
+		"critical":  vulnerability.SeverityCritical,
+		"unknown":   vulnerability.SeverityUnknown,
+	}
+	for k, v := range testCases {
+		assert.Equal(t, v, severityFromPriority(k))
+	}
+}
+
+func TestConstructVersion(t *testing.T) {
+	type inputCombination struct {
+		epoch   string
+		version string
+		release string
+	}
+
+	testCases := []struct {
+		name            string
+		inc             inputCombination
+		expectedVersion string
+	}{
+		{
+			name: "happy path",
+			inc: inputCombination{
+				epoch:   "2",
+				version: "3",
+				release: "master",
+			},
+			expectedVersion: "2:3-master",
+		},
+		{
+			name: "no epoch",
+			inc: inputCombination{
+				version: "2",
+				release: "master",
+			},
+			expectedVersion: "2-master",
+		},
+		{
+			name: "no release",
+			inc: inputCombination{
+				epoch:   "",
+				version: "2",
+			},
+			expectedVersion: "2",
+		},
+		{
+			name: "no epoch and release",
+			inc: inputCombination{
+				version: "2",
+			},
+			expectedVersion: "2",
+		},
+		{
+			name:            "no epoch release or version",
+			inc:             inputCombination{},
+			expectedVersion: "",
+		},
+	}
+
+	for _, tc := range testCases {
+		assert.Equal(t, tc.expectedVersion, constructVersion(tc.inc.epoch, tc.inc.version, tc.inc.release), tc.name)
+	}
+}
+
+func TestVulnSrc_WalkFunc(t *testing.T) {
+	testCases := []struct {
+		name             string
+		ioReader         io.Reader
+		inputPath        string
+		expectedALASList []alas
+		expectedError    error
+		expectedLogs     []string
+	}{
+		{
+			name: "happy path",
+			ioReader: strings.NewReader(`{
+"id":"123",
+"severity":"high"
+}`),
+			inputPath: "1/2/1",
+			expectedALASList: []alas{
+				{
+					Version: "2",
+					ALAS: amazon.ALAS{
+						ID:       "123",
+						Severity: "high",
+					},
+				},
+			},
+			expectedError: nil,
+		},
+		{
+			name:             "amazon returns invalid json",
+			ioReader:         strings.NewReader(`invalidjson`),
+			inputPath:        "1/2/1",
+			expectedALASList: []alas(nil),
+			expectedError:    errors.New("failed to decode amazon JSON: invalid character 'i' looking for beginning of value"),
+		},
+		{
+			name:          "unsupported amazon version",
+			inputPath:     "foo/bar/baz",
+			expectedError: nil,
+			expectedLogs:  []string{"unsupported amazon version: bar"},
+		},
+		{
+			name:          "empty path",
+			inputPath:     "",
+			expectedError: nil,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ac := VulnSrc{
+				bar: utils.PbStartNew(1),
+			}
+
+			err := ac.walkFunc(tc.ioReader, tc.inputPath)
+			switch {
+			case tc.expectedError != nil:
+				assert.EqualError(t, err, tc.expectedError.Error(), tc.name)
+			default:
+				assert.NoError(t, err, tc.name)
+			}
+
+			assert.Equal(t, tc.expectedALASList, ac.alasList, tc.name)
+		})
+	}
+}
+
+func TestVulnSrc_CommitFunc(t *testing.T) {
+	testCases := []struct {
+		name               string
+		alasList           []alas
+		putNestedBucketErr error
+		putErr             error
+		expectedError      error
+	}{
+		{
+			name: "happy path",
+			alasList: []alas{
+				{
+					Version: "123",
+					ALAS: amazon.ALAS{
+						ID:       "123",
+						Severity: "high",
+						CveIDs:   []string{"CVE-2020-0001"},
+						References: []amazon.Reference{
+							{
+								ID:    "fooref",
+								Href:  "http://foo.bar/baz",
+								Title: "bartitle",
+							},
+						},
+						Packages: []amazon.Package{
+							{
+								Name:    "testpkg",
+								Epoch:   "123",
+								Version: "456",
+								Release: "testing",
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "failed to save Amazon advisory, PutNestedBucket() return an error",
+			alasList: []alas{
+				{
+					Version: "123",
+					ALAS: amazon.ALAS{
+						ID:       "123",
+						Severity: "high",
+						CveIDs:   []string{"CVE-2020-0001"},
+						References: []amazon.Reference{
+							{
+								ID:    "fooref",
+								Href:  "http://foo.bar/baz",
+								Title: "bartitle",
+							},
+						},
+						Packages: []amazon.Package{
+							{
+								Name:    "testpkg",
+								Epoch:   "123",
+								Version: "456",
+								Release: "testing",
+							},
+						},
+					},
+				},
+			},
+			putNestedBucketErr: errors.New("putnestedbucket failed to save"),
+			expectedError:      errors.New("failed to save amazon advisory: putnestedbucket failed to save"),
+		},
+		{
+			name: "failed to save Amazon advisory, Put() return an error",
+			alasList: []alas{
+				{
+					Version: "123",
+					ALAS: amazon.ALAS{
+						ID:       "123",
+						Severity: "high",
+						CveIDs:   []string{"CVE-2020-0001"},
+						References: []amazon.Reference{
+							{
+								ID:    "fooref",
+								Href:  "http://foo.bar/baz",
+								Title: "bartitle",
+							},
+						},
+						Packages: []amazon.Package{
+							{
+								Name:    "testpkg",
+								Epoch:   "123",
+								Version: "456",
+								Release: "testing",
+							},
+						},
+					},
+				},
+			},
+			putErr:        errors.New("failed to commit to db"),
+			expectedError: errors.New("failed to save amazon vulnerability: failed to commit to db"),
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			mockDBConfig := new(db.MockDBConfig)
+			mockDBConfig.On("PutNestedBucket",
+				mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(
+				tc.putNestedBucketErr,
+			)
+			mockVulnDB := new(vulnerability.MockVulnDB)
+			mockVulnDB.On(
+				"Put", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(
+				tc.putErr,
+			)
+
+			vs := VulnSrc{dbc: mockDBConfig, vdb: mockVulnDB, alasList: tc.alasList}
+
+			err := vs.commitFunc(&bolt.Tx{WriteFlag: 0})
+			switch {
+			case tc.expectedError != nil:
+				assert.EqualError(t, err, tc.expectedError.Error(), tc.name)
+			default:
+				assert.NoError(t, err, tc.name)
+			}
+		})
+	}
+}

pkg/vulnsrc/debian-oval/debian-oval.go

@@ -98,8 +98,9 @@ func walkDebian(cri Criteria, pkgs []Package) []Package {
 }
 
 func save(cves []DebianOVAL) error {
+	dbc := db.Config{}
 	log.Logger.Debug("Saving Debian OVAL")
-	err := db.BatchUpdate(func(tx *bolt.Tx) error {
+	err := dbc.BatchUpdate(func(tx *bolt.Tx) error {
 		for _, cve := range cves {
 			affectedPkgs := walkDebian(cve.Criteria, []Package{})
 			for _, affectedPkg := range affectedPkgs {
@@ -114,7 +115,7 @@ func save(cves []DebianOVAL) error {
 					VulnerabilityID: cveID,
 					FixedVersion:    affectedPkg.FixedVersion,
 				}
-				if err := db.PutNestedBucket(tx, platformName, affectedPkg.Name, cveID, advisory); err != nil {
+				if err := dbc.PutNestedBucket(tx, platformName, affectedPkg.Name, cveID, advisory); err != nil {
 					return xerrors.Errorf("failed to save Debian OVAL advisory: %w", err)
 				}
 
@@ -128,7 +129,8 @@ func save(cves []DebianOVAL) error {
 					References:  references,
 				}
 
-				if err := vulnerability.Put(tx, cveID, vulnerability.DebianOVAL, vuln); err != nil {
+				vdb := vulnerability.DB{}
+				if err := vdb.Put(tx, cveID, vulnerability.DebianOVAL, vuln); err != nil {
 					return xerrors.Errorf("failed to save Debian OVAL vulnerability: %w", err)
 				}
 			}
@@ -144,7 +146,7 @@ func save(cves []DebianOVAL) error {
 
 func Get(release string, pkgName string) ([]vulnerability.Advisory, error) {
 	bucket := fmt.Sprintf(platformFormat, release)
-	advisories, err := db.ForEach(bucket, pkgName)
+	advisories, err := db.Config{}.ForEach(bucket, pkgName)
 	if err != nil {
 		return nil, xerrors.Errorf("error in Debian OVAL foreach: %w", err)
 	}

pkg/vulnsrc/debian/debian.go

@@ -73,8 +73,9 @@ func Update(dir string, updatedFiles map[string]struct{}) error {
 }
 
 func save(cves []DebianCVE) error {
+	dbc := db.Config{}
 	log.Logger.Debug("Saving Debian DB")
-	err := db.BatchUpdate(func(tx *bolt.Tx) error {
+	err := dbc.BatchUpdate(func(tx *bolt.Tx) error {
 		for _, cve := range cves {
 			for _, release := range cve.Releases {
 				for releaseStr := range release.Repositories {
@@ -90,7 +91,7 @@ func save(cves []DebianCVE) error {
 						VulnerabilityID: cve.VulnerabilityID,
 						//Severity:        severityFromUrgency(release.Urgency),
 					}
-					if err := db.PutNestedBucket(tx, platformName, cve.Package, cve.VulnerabilityID, advisory); err != nil {
+					if err := dbc.PutNestedBucket(tx, platformName, cve.Package, cve.VulnerabilityID, advisory); err != nil {
 						return xerrors.Errorf("failed to save Debian advisory: %w", err)
 					}
 
@@ -98,8 +99,8 @@ func save(cves []DebianCVE) error {
 						Severity:    severityFromUrgency(release.Urgency),
 						Description: cve.Description,
 					}
-
+					vdb := vulnerability.DB{}
-					if err := vulnerability.Put(tx, cve.VulnerabilityID, vulnerability.Debian, vuln); err != nil {
+					if err := vdb.Put(tx, cve.VulnerabilityID, vulnerability.Debian, vuln); err != nil {
 						return xerrors.Errorf("failed to save Debian vulnerability: %w", err)
 					}
 				}
@@ -116,7 +117,7 @@ func save(cves []DebianCVE) error {
 
 func Get(release string, pkgName string) ([]vulnerability.Advisory, error) {
 	bucket := fmt.Sprintf(platformFormat, release)
-	advisories, err := db.ForEach(bucket, pkgName)
+	advisories, err := db.Config{}.ForEach(bucket, pkgName)
 	if err != nil {
 		return nil, xerrors.Errorf("error in Debian foreach: %w", err)
 	}

pkg/vulnsrc/nvd/nvd.go

@@ -64,7 +64,8 @@ func Update(dir string, updatedFiles map[string]struct{}) error {
 
 func save(items []Item) error {
 	log.Logger.Debug("NVD batch update")
-	err := vulnerability.BatchUpdate(func(b *bolt.Bucket) error {
+	vdb := vulnerability.DB{}
+	err := vdb.BatchUpdate(func(b *bolt.Bucket) error {
 		for _, item := range items {
 			cveID := item.Cve.Meta.ID
 			severity, _ := vulnerability.NewSeverity(item.Impact.BaseMetricV2.Severity)

pkg/vulnsrc/redhat/redhat.go

@@ -113,8 +113,9 @@ type pkg map[string]advisory
 type advisory map[string]interface{}
 
 func save(cves []RedhatCVE) error {
+	dbc := db.Config{}
 	log.Logger.Debug("Saving RedHat DB")
-	err := db.BatchUpdate(func(tx *bolt.Tx) error {
+	err := dbc.BatchUpdate(func(tx *bolt.Tx) error {
 		for _, cve := range cves {
 			for _, affected := range cve.AffectedRelease {
 				if affected.Package == "" {
@@ -131,7 +132,7 @@ func save(cves []RedhatCVE) error {
 					VulnerabilityID: cve.Name,
 					FixedVersion:    version,
 				}
-				if err := db.PutNestedBucket(tx, platformName, pkgName, cve.Name, advisory); err != nil {
+				if err := dbc.PutNestedBucket(tx, platformName, pkgName, cve.Name, advisory); err != nil {
 					return xerrors.Errorf("failed to save Red Hat advisory: %w", err)
 				}
 
@@ -156,7 +157,7 @@ func save(cves []RedhatCVE) error {
 					FixedVersion:    "",
 					VulnerabilityID: cve.Name,
 				}
-				if err := db.PutNestedBucket(tx, platformName, pkgName, cve.Name, advisory); err != nil {
+				if err := dbc.PutNestedBucket(tx, platformName, pkgName, cve.Name, advisory); err != nil {
 					return xerrors.Errorf("failed to save Red Hat advisory: %w", err)
 				}
 
@@ -175,7 +176,8 @@ func save(cves []RedhatCVE) error {
 				Title:       strings.TrimSpace(title),
 				Description: strings.TrimSpace(strings.Join(cve.Details, "")),
 			}
-			if err := vulnerability.Put(tx, cve.Name, vulnerability.RedHat, vuln); err != nil {
+			vdb := vulnerability.DB{}
+			if err := vdb.Put(tx, cve.Name, vulnerability.RedHat, vuln); err != nil {
 				return xerrors.Errorf("failed to save Red Hat vulnerability: %w", err)
 			}
 		}
@@ -190,7 +192,7 @@ func save(cves []RedhatCVE) error {
 
 func Get(majorVersion string, pkgName string) ([]vulnerability.Advisory, error) {
 	bucket := fmt.Sprintf(platformFormat, majorVersion)
-	advisories, err := db.ForEach(bucket, pkgName)
+	advisories, err := db.Config{}.ForEach(bucket, pkgName)
 	if err != nil {
 		return nil, xerrors.Errorf("error in Red Hat foreach: %w", err)
 	}

pkg/vulnsrc/ubuntu/ubuntu.go

@@ -80,8 +80,9 @@ func Update(dir string, updatedFiles map[string]struct{}) error {
 }
 
 func save(cves []UbuntuCVE) error {
+	dbc := db.Config{}
 	log.Logger.Debug("Saving Ubuntu DB")
-	err := db.BatchUpdate(func(tx *bolt.Tx) error {
+	err := dbc.BatchUpdate(func(tx *bolt.Tx) error {
 		for _, cve := range cves {
 			for packageName, patch := range cve.Patches {
 				pkgName := string(packageName)
@@ -100,7 +101,7 @@ func save(cves []UbuntuCVE) error {
 					if status.Status == "released" {
 						advisory.FixedVersion = status.Note
 					}
-					if err := db.PutNestedBucket(tx, platformName, pkgName, cve.Candidate, advisory); err != nil {
+					if err := dbc.PutNestedBucket(tx, platformName, pkgName, cve.Candidate, advisory); err != nil {
 						return xerrors.Errorf("failed to save Ubuntu advisory: %w", err)
 					}
 
@@ -111,7 +112,8 @@ func save(cves []UbuntuCVE) error {
 						// TODO
 						Title: "",
 					}
-					if err := vulnerability.Put(tx, cve.Candidate, vulnerability.Ubuntu, vuln); err != nil {
+					vdb := vulnerability.DB{}
+					if err := vdb.Put(tx, cve.Candidate, vulnerability.Ubuntu, vuln); err != nil {
 						return xerrors.Errorf("failed to save Ubuntu vulnerability: %w", err)
 					}
 				}
@@ -127,7 +129,7 @@ func save(cves []UbuntuCVE) error {
 
 func Get(release string, pkgName string) ([]vulnerability.Advisory, error) {
 	bucket := fmt.Sprintf(platformFormat, release)
-	advisories, err := db.ForEach(bucket, pkgName)
+	advisories, err := db.Config{}.ForEach(bucket, pkgName)
 	if err != nil {
 		return nil, xerrors.Errorf("error in Ubuntu foreach: %w", err)
 	}

pkg/vulnsrc/vulnerability/db.go

@@ -12,7 +12,17 @@ const (
 	rootBucket = "vulnerability"
 )
 
-func Put(tx *bolt.Tx, cveID, source string, vuln Vulnerability) error {
+type Operations interface {
+	Put(*bolt.Tx, string, string, Vulnerability) error
+	Update(string, string, Vulnerability) error
+	BatchUpdate(func(bucket *bolt.Bucket) error) error
+	Get(string) (map[string]Vulnerability, error)
+}
+
+type DB struct {
+}
+
+func (d DB) Put(tx *bolt.Tx, cveID, source string, vuln Vulnerability) error {
 	root, err := tx.CreateBucketIfNotExists([]byte(rootBucket))
 	if err != nil {
 		return err
@@ -20,12 +30,12 @@ func Put(tx *bolt.Tx, cveID, source string, vuln Vulnerability) error {
 	return db.Put(root, cveID, source, vuln)
 }
 
-func Update(cveID, source string, vuln Vulnerability) error {
+func (d DB) Update(cveID, source string, vuln Vulnerability) error {
-	return db.Update(rootBucket, cveID, source, vuln)
+	return db.Config{}.Update(rootBucket, cveID, source, vuln)
 }
 
-func BatchUpdate(fn func(b *bolt.Bucket) error) error {
+func (d DB) BatchUpdate(fn func(b *bolt.Bucket) error) error {
-	return db.BatchUpdate(func(tx *bolt.Tx) error {
+	return db.Config{}.BatchUpdate(func(tx *bolt.Tx) error {
 		root, err := tx.CreateBucketIfNotExists([]byte(rootBucket))
 		if err != nil {
 			return err
@@ -34,8 +44,8 @@ func BatchUpdate(fn func(b *bolt.Bucket) error) error {
 	})
 }
 
-func Get(cveID string) (map[string]Vulnerability, error) {
+func (d DB) Get(cveID string) (map[string]Vulnerability, error) {
-	values, err := db.ForEach(rootBucket, cveID)
+	values, err := db.Config{}.ForEach(rootBucket, cveID)
 	if err != nil {
 		return nil, xerrors.Errorf("error in NVD get: %w", err)
 	}

pkg/vulnsrc/vulnerability/db_mock.go

@@ -0,0 +1,38 @@
+package vulnerability
+
+import (
+	bolt "github.com/etcd-io/bbolt"
+	"github.com/stretchr/testify/mock"
+)
+
+type MockVulnDB struct {
+	mock.Mock
+}
+
+func (_m *MockVulnDB) Update(a, b string, c Vulnerability) error {
+	ret := _m.Called(a, b, c)
+	return ret.Error(0)
+}
+
+func (_m *MockVulnDB) BatchUpdate(f func(bucket *bolt.Bucket) error) error {
+	ret := _m.Called(f)
+	return ret.Error(0)
+}
+
+func (_m *MockVulnDB) Get(a string) (map[string]Vulnerability, error) {
+	ret := _m.Called(a)
+	ret0 := ret.Get(0)
+	if ret0 == nil {
+		return nil, ret.Error(1)
+	}
+	r, ok := ret0.(map[string]Vulnerability)
+	if !ok {
+		return nil, ret.Error(1)
+	}
+	return r, ret.Error(1)
+}
+
+func (_m *MockVulnDB) Put(tx *bolt.Tx, cveID, source string, vuln Vulnerability) error {
+	ret := _m.Called(tx, cveID, source, vuln)
+	return ret.Error(0)
+}

pkg/vulnsrc/vulnerability/vulnerability.go

@@ -18,7 +18,7 @@ const (
 )
 
 var (
-	sources = []string{Nvd, RedHat, Debian, DebianOVAL, Alpine,
+	sources = []string{Nvd, RedHat, Debian, DebianOVAL, Alpine, Amazon,
 		RubySec, RustSec, PhpSecurityAdvisories, NodejsSecurityWg, PythonSafetyDB}
 	getDetailFunc = getDetail
 )
@@ -84,7 +84,7 @@ func getIgnoredIDs(ignoreFile string) []string {
 }
 
 func getDetail(vulnID string) (Severity, string, string, []string) {
-	details, err := Get(vulnID)
+	details, err := DB{}.Get(vulnID)
 	if err != nil {
 		log.Logger.Debug(err)
 		return SeverityUnknown, "", "", nil
@@ -141,12 +141,20 @@ func getDescription(details map[string]Vulnerability) string {
 func getReferences(details map[string]Vulnerability) []string {
 	references := map[string]struct{}{}
 	for _, source := range sources {
+		// Amazon contains unrelated references
+		if source == Amazon {
+			continue
+		}
 		d, ok := details[source]
 		if !ok {
 			continue
 		}
 		for _, ref := range d.References {
-			references[ref] = struct{}{}
+			// e.g. "\nhttps://curl.haxx.se/docs/CVE-2019-5481.html\n    "
+			ref = strings.TrimSpace(ref)
+			for _, r := range strings.Split(ref, "\n") {
+				references[r] = struct{}{}
+			}
 		}
 	}
 	var refs []string

pkg/vulnsrc/vulnsrc.go

@@ -7,6 +7,7 @@ import (
 	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/utils"
 	"github.com/aquasecurity/trivy/pkg/vulnsrc/alpine"
+	"github.com/aquasecurity/trivy/pkg/vulnsrc/amazon"
 	"github.com/aquasecurity/trivy/pkg/vulnsrc/debian"
 	debianoval "github.com/aquasecurity/trivy/pkg/vulnsrc/debian-oval"
 	"github.com/aquasecurity/trivy/pkg/vulnsrc/nvd"
@@ -32,6 +33,7 @@ var (
 		vulnerability.Debian:     debian.Update,
 		vulnerability.DebianOVAL: debianoval.Update,
 		vulnerability.Ubuntu:     ubuntu.Update,
+		vulnerability.Amazon:     amazon.NewVulnSrc().Update,
 	}
 )
 

pkg/vulnsrc/vulnsrc_test.go

@@ -26,8 +26,9 @@ func BenchmarkUpdate(b *testing.B) {
 	b.ResetTimer()
 
 	b.Run("NVD", func(b *testing.B) {
+		dbc := db.Config{}
 		for i := 0; i < b.N; i++ {
-			if err := db.SetVersion(""); err != nil {
+			if err := dbc.SetVersion(""); err != nil {
 				b.Fatal(err)
 			}
 			if err := Update([]string{vulnerability.Nvd}); err != nil {