Embed trivy version in Docker (#88)

* test: add update nvd benchmark

* feat: used json.Unmarshal to reduce memory usage

.dockerignore

@@ -1 +1,2 @@
+.circleci
 imgs

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,45 @@
+<!--
+
+---------------------------------------------------
+FEATURE REQUEST
+---------------------------------------------------
+
+If this is a FEATURE REQUEST, request format does not matter  
+ 
+
+---------------------------------------------------
+BUG REPORT INFORMATION
+---------------------------------------------------
+
+You do NOT have to include this information if this is a FEATURE REQUEST
+    
+If this is a BUG REPORT, provide key information from your environment:
+
+-->
+
+**Description**
+
+<!--
+Briefly describe the problem you are having in a few paragraphs.
+-->
+
+**What did you expect to happen?**
+
+
+**What happened instead?**
+
+
+**Output of run with `-debug`:**
+
+```
+(paste your output here)
+```
+
+**Output of `trivy -v`:**
+
+```
+(paste your output here)
+```
+
+**Additional details (base image name, container registry info...):**
+

Dockerfile

@@ -4,7 +4,7 @@ WORKDIR /app/
 RUN apk --no-cache add git
 RUN go mod download
 ADD . /app/
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o /trivy cmd/trivy/main.go
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-X main.version=$(git describe --tags --abbrev=0)" -a -o /trivy cmd/trivy/main.go
 
 FROM alpine:3.9
 RUN apk --no-cache add ca-certificates git

README.md

@@ -39,6 +39,7 @@ See [Comparison with other scanners](#comparison-with-other-scanners) for detail
   - [Scan an image file](#scan-an-image-file)
   - [Save the results as JSON](#save-the-results-as-json)
   - [Filter the vulnerabilities by severities](#filter-the-vulnerabilities-by-severities)
+  - [Filter the vulnerabilities by type](#filter-the-vulnerabilities-by-type)
   - [Skip an update of vulnerability DB](#skip-an-update-of-vulnerability-db)
   - [Ignore unfixed vulnerabilities](#ignore-unfixed-vulnerabilities)
   - [Specify exit code](#specify-exit-code)
@@ -48,6 +49,7 @@ See [Comparison with other scanners](#comparison-with-other-scanners) for detail
 - [Continuous Integration (CI)](#continuous-integration-ci)
   - [Travis CI](#travis-ci)
   - [Circle CI](#circle-ci)
+  - [Authorization for Private Docker Registry](#authorization-for-private-docker-registry)
 - [Vulnerability Detection](#vulnerability-detection)
   - [OS Packages](#os-packages)
   - [Application Dependencies](#application-dependencies)
@@ -55,9 +57,9 @@ See [Comparison with other scanners](#comparison-with-other-scanners) for detail
 - [Comparison with other scanners](#comparison-with-other-scanners)
   - [Overview](#overview)
   - [Accuracy](#accuracy)
-  - [vs Clair, Quay](#vs-clair)
+  - [vs Clair](#vs-clair)
   - [vs Anchore Engine](#vs-anchore-engine)
-  - [vs Docker Hub, GCR](#vs-quay-docker-hub-gcr)
+  - [vs Quay, Docker Hub, GCR](#vs-quay-docker-hub-gcr)
 - [Q&A](#qa)
   - [Homebrew](#homebrew)
   - [Others](#others)
@@ -75,7 +77,7 @@ See [here](#continuous-integration-ci) for details.
 
 - Detect comprehensive vulnerabilities
   - OS packages (Alpine, **Red Hat Universal Base Image**, Red Hat Enterprise Linux, CentOS, Debian and Ubuntu)
-  - **Application dependencies** (Bundler, Composer, Pipenv, npm, yarn and Cargo)
+  - **Application dependencies** (Bundler, Composer, Pipenv, Poetry, npm, yarn and Cargo)
 - Simple
   - Specify only an image name
   - See [Quick Start](#quick-start) and [Examples](#examples)
@@ -109,7 +111,7 @@ $ sudo yum -y install trivy
 or
 
 ```
-$ rpm -ivh https://github.com/knqyf263/trivy/releases/download/v0.0.13/trivy_0.0.13_Linux-64bit.rpm
+$ rpm -ivh https://github.com/knqyf263/trivy/releases/download/v0.0.15/trivy_0.0.15_Linux-64bit.rpm
 ```
 
 ## Debian/Ubuntu
@@ -130,29 +132,33 @@ or
 
 ```
 $ sudo apt-get install rpm
-$ wget https://github.com/knqyf263/trivy/releases/download/v0.0.13/trivy_0.0.13_Linux-64bit.deb
-$ sudo dpkg -i trivy_0.0.13_Linux-64bit.deb
+$ wget https://github.com/knqyf263/trivy/releases/download/v0.0.15/trivy_0.0.15_Linux-64bit.deb
+$ sudo dpkg -i trivy_0.0.15_Linux-64bit.deb
 ```
 
 ## Mac OS X / Homebrew
 
-You can use homebrew on OS X.
+You can use homebrew on Mac OS.
 
 ```
-$ brew tap knqyf263/trivy
 $ brew install knqyf263/trivy/trivy
 ```
 
 ## Binary (Including Windows)
 
-Go to [the releases page](https://github.com/knqyf263/trivy/releases), find the version you want, and download the zip file. Unpack the zip file, and put the binary to somewhere you want (on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on.
+Get the latest version from [this page](https://github.com/knqyf263/trivy/releases/latest), and download the archive file for your operating system/architecture. Unpack the archive, and put the binary somewhere in your `$PATH` (on UNIX-y systems, /usr/local/bin or the like). Make sure it has execution bits turned on.
 
 You need to install `rpm` command for scanning RHEL/CentOS.
 
 ## From source
 
 ```sh
-$ go get -u github.com/knqyf263/trivy
+$ mkdir -p $GOPATH/src/github.com/knqyf263
+$ cd $GOPATH/src/github.com/knqyf263
+$ git clone https://github.com/knqyf263/trivy
+$ cd trivy/cmd/trivy/
+$ export GO111MODULE=on
+$ go install
 ```
 
 # Quick Start
@@ -197,21 +203,24 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
 Replace [YOUR_CACHE_DIR] with the cache directory on your machine.
 
 ```
-$ docker run -v [YOUR_CACHE_DIR]:/root/.cache/ knqyf263/trivy [YOUR_IMAGE_NAME]
+$ docker run --rm -v [YOUR_CACHE_DIR]:/root/.cache/ knqyf263/trivy [YOUR_IMAGE_NAME]
 ```
 
 Example for macOS:
 
 ```
-$ docker run -v $HOME/Library/Caches:/root/.cache/ knqyf263/trivy python:3.4-alpine
+$ docker run --rm -v $HOME/Library/Caches:/root/.cache/ knqyf263/trivy python:3.4-alpine
 ```
 
 If you would like to scan the image on your host machine, you need to mount `docker.sock`.
 
 ```
-$ docker run -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ knqyf263/trivy python:3.4-alpine
+$ docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
+    -v $HOME/Library/Caches:/root/.cache/ knqyf263/trivy python:3.4-alpine
 ```
 
+Please re-pull latest `knqyf263/trivy` if an error occured.
+
 <details>
 <summary>Result</summary>
 
@@ -516,6 +525,115 @@ $ trivy -f json -o results.json golang:1.12-alpine
 
 </details>
 
+<details>
+<summary>JSON</summary>
+
+```
+[
+  {
+    "Target": "php-app/composer.lock",
+    "Vulnerabilities": null
+  },
+  {
+    "Target": "node-app/package-lock.json",
+    "Vulnerabilities": [
+      {
+        "VulnerabilityID": "CVE-2018-16487",
+        "PkgName": "lodash",
+        "InstalledVersion": "4.17.4",
+        "FixedVersion": "\u003e=4.17.11",
+        "Title": "lodash: Prototype pollution in utilities function",
+        "Description": "A prototype pollution vulnerability was found in lodash \u003c4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.",
+        "Severity": "HIGH",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16487",
+        ]
+      }
+    ]
+  },
+  {
+    "Target": "trivy-ci-test (alpine 3.7.1)",
+    "Vulnerabilities": [
+      {
+        "VulnerabilityID": "CVE-2018-16840",
+        "PkgName": "curl",
+        "InstalledVersion": "7.61.0-r0",
+        "FixedVersion": "7.61.1-r1",
+        "Title": "curl: Use-after-free when closing \"easy\" handle in Curl_close()",
+        "Description": "A heap use-after-free flaw was found in curl versions from 7.59.0 through 7.61.1 in the code related to closing an easy handle. ",
+        "Severity": "HIGH",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16840",
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-3822",
+        "PkgName": "curl",
+        "InstalledVersion": "7.61.0-r0",
+        "FixedVersion": "7.61.1-r2",
+        "Title": "curl: NTLMv2 type-3 header stack buffer overflow",
+        "Description": "libcurl versions from 7.36.0 to before 7.64.0 are vulnerable to a stack-based buffer overflow. ",
+        "Severity": "HIGH",
+        "References": [
+          "https://curl.haxx.se/docs/CVE-2019-3822.html",
+          "https://lists.apache.org/thread.html/8338a0f605bdbb3a6098bb76f666a95fc2b2f53f37fa1ecc89f1146f@%3Cdevnull.infra.apache.org%3E"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-16839",
+        "PkgName": "curl",
+        "InstalledVersion": "7.61.0-r0",
+        "FixedVersion": "7.61.1-r1",
+        "Title": "curl: Integer overflow leading to heap-based buffer overflow in Curl_sasl_create_plain_message()",
+        "Description": "Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service.",
+        "Severity": "HIGH",
+        "References": [
+          "https://github.com/curl/curl/commit/f3a24d7916b9173c69a3e0ee790102993833d6c5",
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-19486",
+        "PkgName": "git",
+        "InstalledVersion": "2.15.2-r0",
+        "FixedVersion": "2.15.3-r0",
+        "Title": "git: Improper handling of PATH allows for commands to be executed from the current directory",
+        "Description": "Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.",
+        "Severity": "HIGH",
+        "References": [
+          "https://usn.ubuntu.com/3829-1/",
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2018-17456",
+        "PkgName": "git",
+        "InstalledVersion": "2.15.2-r0",
+        "FixedVersion": "2.15.3-r0",
+        "Title": "git: arbitrary code execution via .gitmodules",
+        "Description": "Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive \"git clone\" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.",
+        "Severity": "HIGH",
+        "References": [
+          "http://www.securitytracker.com/id/1041811",
+        ]
+      }
+    ]
+  },
+  {
+    "Target": "python-app/Pipfile.lock",
+    "Vulnerabilities": null
+  },
+  {
+    "Target": "ruby-app/Gemfile.lock",
+    "Vulnerabilities": null
+  },
+  {
+    "Target": "rust-app/Cargo.lock",
+    "Vulnerabilities": null
+  }
+]
+```
+
+</details>
+
 ### Filter the vulnerabilities by severities
 
 ```
@@ -579,6 +697,143 @@ Total: 1785 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1680, CRITICAL: 105)
 
 </details>
 
+
+### Filter the vulnerabilities by type
+
+```
+$ trivy --vuln-type os ruby:2.3.0
+```
+
+Available values:
+  - library
+  - os
+
+<details>
+<summary>Result</summary>
+
+```
+2019-05-22T19:36:50.530+0200	INFO	Updating vulnerability database...
+2019-05-22T19:36:51.681+0200	INFO	Detecting Alpine vulnerabilities...
+2019-05-22T19:36:51.685+0200	INFO	Updating npm Security DB...
+2019-05-22T19:36:52.389+0200	INFO	Detecting npm vulnerabilities...
+2019-05-22T19:36:52.390+0200	INFO	Updating pipenv Security DB...
+2019-05-22T19:36:53.406+0200	INFO	Detecting pipenv vulnerabilities...
+
+ruby:2.3.0 (debian 8.4)
+Total: 4751 (UNKNOWN: 1, LOW: 150, MEDIUM: 3504, HIGH: 1013, CRITICAL: 83)
+
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |              TITLE               |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| curl    | CVE-2018-14618   | CRITICAL | 7.61.0-r0         | 7.61.1-r0     | curl: NTLM password overflow     |
+|         |                  |          |                   |               | via integer overflow             |
++         +------------------+----------+                   +---------------+----------------------------------+
+|         | CVE-2018-16839   | HIGH     |                   | 7.61.1-r1     | curl: Integer overflow leading   |
+|         |                  |          |                   |               | to heap-based buffer overflow in |
+|         |                  |          |                   |               | Curl_sasl_create_plain_message() |
++         +------------------+          +                   +---------------+----------------------------------+
+|         | CVE-2019-3822    |          |                   | 7.61.1-r2     | curl: NTLMv2 type-3 header       |
+|         |                  |          |                   |               | stack buffer overflow            |
++         +------------------+          +                   +---------------+----------------------------------+
+|         | CVE-2018-16840   |          |                   | 7.61.1-r1     | curl: Use-after-free when        |
+|         |                  |          |                   |               | closing "easy" handle in         |
+|         |                  |          |                   |               | Curl_close()                     |
++         +------------------+----------+                   +---------------+----------------------------------+
+|         | CVE-2019-3823    | MEDIUM   |                   | 7.61.1-r2     | curl: SMTP end-of-response       |
+|         |                  |          |                   |               | out-of-bounds read               |
++         +------------------+          +                   +               +----------------------------------+
+|         | CVE-2018-16890   |          |                   |               | curl: NTLM type-2 heap           |
+|         |                  |          |                   |               | out-of-bounds buffer read        |
++         +------------------+          +                   +---------------+----------------------------------+
+|         | CVE-2018-16842   |          |                   | 7.61.1-r1     | curl: Heap-based buffer          |
+|         |                  |          |                   |               | over-read in the curl tool       |
+|         |                  |          |                   |               | warning formatting               |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| git     | CVE-2018-17456   | HIGH     | 2.15.2-r0         | 2.15.3-r0     | git: arbitrary code execution    |
+|         |                  |          |                   |               | via .gitmodules                  |
++         +------------------+          +                   +               +----------------------------------+
+|         | CVE-2018-19486   |          |                   |               | git: Improper handling of        |
+|         |                  |          |                   |               | PATH allows for commands to be   |
+|         |                  |          |                   |               | executed from...                 |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| libssh2 | CVE-2019-3855    | CRITICAL | 1.8.0-r2          | 1.8.1-r0      | libssh2: Integer overflow in     |
+|         |                  |          |                   |               | transport read resulting in      |
+|         |                  |          |                   |               | out of bounds write...           |
++         +------------------+----------+                   +               +----------------------------------+
+|         | CVE-2019-3861    | MEDIUM   |                   |               | libssh2: Out-of-bounds reads     |
+|         |                  |          |                   |               | with specially crafted SSH       |
+|         |                  |          |                   |               | packets                          |
++         +------------------+          +                   +               +----------------------------------+
+|         | CVE-2019-3857    |          |                   |               | libssh2: Integer overflow in     |
+|         |                  |          |                   |               | SSH packet processing channel    |
+|         |                  |          |                   |               | resulting in out of...           |
++         +------------------+          +                   +               +----------------------------------+
+|         | CVE-2019-3856    |          |                   |               | libssh2: Integer overflow in     |
+|         |                  |          |                   |               | keyboard interactive handling    |
+|         |                  |          |                   |               | resulting in out of bounds...    |
++         +------------------+          +                   +               +----------------------------------+
+|         | CVE-2019-3863    |          |                   |               | libssh2: Integer overflow        |
+|         |                  |          |                   |               | in user authenticate             |
+|         |                  |          |                   |               | keyboard interactive allows      |
+|         |                  |          |                   |               | out-of-bounds writes             |
++         +------------------+          +                   +               +----------------------------------+
+|         | CVE-2019-3862    |          |                   |               | libssh2: Out-of-bounds memory    |
+|         |                  |          |                   |               | comparison with specially        |
+|         |                  |          |                   |               | crafted message channel          |
+|         |                  |          |                   |               | request                          |
++         +------------------+          +                   +               +----------------------------------+
+|         | CVE-2019-3860    |          |                   |               | libssh2: Out-of-bounds reads     |
+|         |                  |          |                   |               | with specially crafted SFTP      |
+|         |                  |          |                   |               | packets                          |
++         +------------------+          +                   +               +----------------------------------+
+|         | CVE-2019-3858    |          |                   |               | libssh2: Zero-byte allocation    |
+|         |                  |          |                   |               | with a specially crafted SFTP    |
+|         |                  |          |                   |               | packed leading to an...          |
++         +------------------+          +                   +               +----------------------------------+
+|         | CVE-2019-3859    |          |                   |               | libssh2: Unchecked use of        |
+|         |                  |          |                   |               | _libssh2_packet_require and      |
+|         |                  |          |                   |               | _libssh2_packet_requirev         |
+|         |                  |          |                   |               | resulting in out-of-bounds       |
+|         |                  |          |                   |               | read                             |
++---------+------------------+          +-------------------+---------------+----------------------------------+
+| libxml2 | CVE-2018-14404   |          | 2.9.7-r0          | 2.9.8-r1      | libxml2: NULL pointer            |
+|         |                  |          |                   |               | dereference in                   |
+|         |                  |          |                   |               | xpath.c:xmlXPathCompOpEval()     |
+|         |                  |          |                   |               | can allow attackers to cause     |
+|         |                  |          |                   |               | a...                             |
++         +------------------+          +                   +               +----------------------------------+
+|         | CVE-2018-14567   |          |                   |               | libxml2: Infinite loop when      |
+|         |                  |          |                   |               | --with-lzma is used allows for   |
+|         |                  |          |                   |               | denial of service...             |
++         +------------------+----------+                   +               +----------------------------------+
+|         | CVE-2018-9251    | LOW      |                   |               | libxml2: infinite loop in        |
+|         |                  |          |                   |               | xz_decomp function in xzlib.c    |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| openssh | CVE-2019-6109    | MEDIUM   | 7.5_p1-r9         | 7.5_p1-r10    | openssh: Missing character       |
+|         |                  |          |                   |               | encoding in progress display     |
+|         |                  |          |                   |               | allows for spoofing of scp...    |
++         +------------------+          +                   +               +----------------------------------+
+|         | CVE-2019-6111    |          |                   |               | openssh: Improper validation     |
+|         |                  |          |                   |               | of object names allows           |
+|         |                  |          |                   |               | malicious server to overwrite    |
+|         |                  |          |                   |               | files...                         |
++         +------------------+----------+                   +               +----------------------------------+
+|         | CVE-2018-20685   | LOW      |                   |               | openssh: scp client improper     |
+|         |                  |          |                   |               | directory name validation        |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| sqlite  | CVE-2018-20346   | MEDIUM   | 3.21.0-r1         | 3.25.3-r0     | CVE-2018-20505 CVE-2018-20506    |
+|         |                  |          |                   |               | sqlite: Multiple flaws in        |
+|         |                  |          |                   |               | sqlite which can be triggered    |
+|         |                  |          |                   |               | via...                           |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+| tar     | CVE-2018-20482   | LOW      | 1.29-r1           | 1.31-r0       | tar: Infinite read loop in       |
+|         |                  |          |                   |               | sparse_dump_region function in   |
+|         |                  |          |                   |               | sparse.c                         |
++---------+------------------+----------+-------------------+---------------+----------------------------------+
+```
+
+</details>
+
 ### Skip an update of vulnerability DB
 
 `Trivy` always updates vulnerability database when it starts operating. This is usually fast as it is a difference update. But if you want to skip even that, use the `--skip-update` option.
@@ -607,6 +862,37 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
 
 </details>
 
+### Update only you are specified distributions
+
+By default, `Trivy` always updates vulnerability database of all distribution. Use the `--only-update` option if you want to update only specified distributions.
+
+```
+$ trivy --only-update alpine,debian python:3.4-alpine3.9
+$ trivy --only-update alpine python:3.4-alpine3.9
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2019-05-21T19:37:06.301+0900    INFO    Updating vulnerability database...
+2019-05-21T19:37:07.793+0900    INFO    Updating alpine data...
+2019-05-21T19:37:08.127+0900    INFO    Detecting Alpine vulnerabilities...
+
+python:3.4-alpine3.9 (alpine 3.9.2)
+===================================
+Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
+
++---------+------------------+----------+-------------------+---------------+--------------------------------+
+| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
++---------+------------------+----------+-------------------+---------------+--------------------------------+
+| openssl | CVE-2019-1543    | MEDIUM   | 1.1.1a-r1         | 1.1.1b-r1     | openssl: ChaCha20-Poly1305     |
+|         |                  |          |                   |               | with long nonces               |
++---------+------------------+----------+-------------------+---------------+--------------------------------+
+```
+
+</details>
+
 ### Ignore unfixed vulnerabilities
 
 By default, `Trivy` also detects unpatched/unfixed vulnerabilities. This means you can't fix these vulnerabilities even if you update all packages.
@@ -790,8 +1076,9 @@ env:
 
 before_install:
   - docker build -t trivy-ci-test:${COMMIT} .
-  - wget https://github.com/knqyf263/trivy/releases/download/v0.0.13/trivy_0.0.13_Linux-64bit.tar.gz
-  - tar zxvf trivy_0.0.13_Linux-64bit.tar.gz
+  - export VERSION=$(curl --silent "https://api.github.com/repos/knqyf263/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
+  - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
+  - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
 script:
   - ./trivy --exit-code 0 --severity HIGH --quiet --auto-refresh trivy-ci-test:${COMMIT}
   - ./trivy --exit-code 1 --severity CRITICAL --quiet --auto-refresh trivy-ci-test:${COMMIT}
@@ -806,6 +1093,7 @@ Repository: https://github.com/knqyf263/trivy-ci-test
 ## CircleCI
 
 ```
+$ cat .circleci/config.yml
 jobs:
   build:
     docker:
@@ -821,8 +1109,15 @@ jobs:
       - run:
           name: Install trivy
           command: |
-            wget https://github.com/knqyf263/trivy/releases/download/v0.0.13/trivy_0.0.13_Linux-64bit.tar.gz
-            tar zxvf trivy_0.0.13_Linux-64bit.tar.gz
+            apk add --update curl
+            VERSION=$(
+                curl --silent "https://api.github.com/repos/knqyf263/trivy/releases/latest" | \
+                grep '"tag_name":' | \
+                sed -E 's/.*"v([^"]+)".*/\1/'
+            )
+
+            wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
+            tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
             mv trivy /usr/local/bin
       - run:
           name: Scan the local image with trivy
@@ -841,6 +1136,52 @@ workflows:
 Example: https://circleci.com/gh/knqyf263/trivy-ci-test  
 Repository: https://github.com/knqyf263/trivy-ci-test
 
+## Authorization for Private Docker Registry
+
+Trivy can download images from private registry, without installing `Docker` and any 3rd party tools.
+That's because it's easy to run in a CI process.
+
+All you have to do is install `Trivy` and set ENV vars.
+But, I can't recommend using ENV vars in your local machine to you.
+
+### Docker Hub
+
+Docker Hub needs `TRIVY_AUTH_URL`, `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
+You don't need to set ENV vars when download from public repository.
+
+```bash
+export TRIVY_AUTH_URL=https://registry.hub.docker.com
+export TRIVY_USERNAME={DOCKERHUB_USERNAME}
+export TRIVY_PASSWORD={DOCKERHUB_PASSWORD}
+```
+
+### Amazon ECR (Elastic Container Registry)
+
+Trivy uses AWS SDK. You don't need to install `aws` CLI tool.
+You can use [AWS CLI's ENV Vars](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html).
+
+### GCR (Google Container Registry)
+
+Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
+
+If you want to use target project's repository, you can settle via `GOOGLE_APPLICATION_CREDENTIAL`.
+```bash
+# must set TRIVY_USERNAME empty char
+export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
+```
+
+### Self Hosted Registry (BasicAuth)
+
+BasicAuth server needs `TRIVY_USERNAME` and `TRIVY_PASSWORD`.
+
+```bash
+export TRIVY_USERNAME={USERNAME}
+export TRIVY_PASSWORD={PASSWORD}
+
+# if you want to use 80 port, use NonSSL
+export TRIVY_NON_SSL=true
+```
+
 # Vulnerability Detection
 
 ## OS Packages
@@ -862,6 +1203,7 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 
 - Gemfile.lock
 - Pipfile.lock
+- poetry.lock
 - composer.lock
 - package-lock.json
 - yarn.lock
@@ -879,7 +1221,7 @@ NAME:
 USAGE:
   main [options] image_name
 VERSION:
-  0.0.13
+  0.0.15
 OPTIONS:
   --format value, -f value    format (table, json) (default: "table")
   --input value, -i value     input file path instead of image name
@@ -894,6 +1236,7 @@ OPTIONS:
   --refresh                   refresh DB (usually used after version update of trivy)
   --auto-refresh              refresh DB automatically when updating version of trivy
   --debug, -d                 debug mode
+  --vuln-type value           comma-separated list of vulnerability types (os,library)
   --help, -h                  show help
   --version, -v               print the version
 ```
@@ -933,7 +1276,7 @@ The results of [composer:1.7.2](https://hub.docker.com/_/composer?tab=tags) usin
 
 <img src="imgs/alpine.png" width="500">
 
-`Trivy` has high accuracy and high precision, while GCR did not detect any vulnerability. Althogh Docker Hub has many True Positive, it also has many False Positive.
+`Trivy` has high accuracy and high precision, while GCR did not detect any vulnerability. Although Docker Hub has many True Positive, it also has many False Positive.
 
 ### RHEL/CentOS
 
@@ -959,8 +1302,8 @@ In the case of other OS, the result is similar to other container scanners.
 However, the purpose of this database is to make it possible to know what packages has backported fixes.
 As README says, it is not a complete database of all security issues in Alpine.
 
-`Trivy` collects vulnerability information in Alpine Linux from [Alpine LInux Redmine](https://bugs.alpinelinux.org/projects/alpine/issues).
-Then, those vulnerabilities will be saved on [vuln-list](https://github.com/knqyf263/vuln-list/tree/master/alpine)
+`Trivy` collects vulnerability information in Alpine Linux from [Alpine Linux Redmine](https://bugs.alpinelinux.org/projects/alpine/issues).
+Then, those vulnerabilities will be saved on [vuln-list](https://github.com/knqyf263/vuln-list/tree/master/alpine).
 
 `alpine-secdb` has 6959 vulnerabilities (as of 2019/05/12).
 `vuln-list` has 11101 vulnerabilities related with Alpine Linux (as of 2019/05/12).
@@ -968,7 +1311,7 @@ There is a difference in detection accuracy because the number of vulnerabilitie
 
 In addition, `Trivy` analyzes the middle layer as well and find out which version of the library was used for static linking.
 
-`Clair` can not handle the following cases because it analyzes the image after applying the all layers.
+`Clair` can not handle the following cases because it analyzes the image after applying all layers.
 
 ```
 RUN apk add --no-cache sqlite-dev \
@@ -992,7 +1335,7 @@ Also, `Anchore Engine` needs some steps to start scanning.
 
 ## vs Quay, Docker Hub, GCR
 
-As `Quay` seems to use `Clair` internally, it has the same accuracy with `Clair`. `Docker Hub` can scan only official images. `GCR` hardly detects vulnerability on Alpine Linux. Also, it is locked to a specific registry.
+As `Quay` seems to use `Clair` internally, it has the same accuracy than `Clair`. `Docker Hub` can scan only official images. `GCR` hardly detects vulnerabilities on Alpine Linux. Also, it is locked to a specific registry.
 
 `Trivy` can be used regardless of the registry. In addition, it is easy to be integrated with CI/CD services.
 

cmd/trivy/main.go

@@ -69,6 +69,10 @@ OPTIONS:
 			Name:  "skip-update",
 			Usage: "skip db update",
 		},
+		cli.StringFlag{
+			Name:  "only-update",
+			Usage: "update db only specified distribution (comma separated)",
+		},
 		cli.BoolFlag{
 			Name:  "reset",
 			Usage: "remove all caches and database",
@@ -101,11 +105,14 @@ OPTIONS:
 			Name:  "cache-dir",
 			Usage: "cache directory",
 		},
+		cli.StringFlag{
+			Name:  "vuln-type",
+			Value: "os,library",
+			Usage: "comma-separated list of vulnerability types (os,library)",
+		},
 	}
 
-	app.Action = func(c *cli.Context) error {
-		return pkg.Run(c)
-	}
+	app.Action = pkg.Run
 
 	err := app.Run(os.Args)
 	if err != nil {

go.mod

@@ -5,22 +5,20 @@ go 1.12
 require (
 	github.com/BurntSushi/toml v0.3.1
 	github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91
+	github.com/caarlos0/env/v6 v6.0.0
 	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/etcd-io/bbolt v1.3.2
 	github.com/fatih/color v1.7.0
 	github.com/genuinetools/reg v0.16.0
 	github.com/gliderlabs/ssh v0.1.3 // indirect
-	github.com/golang/protobuf v1.3.1 // indirect
-	github.com/knqyf263/fanal v0.0.0-20190517090627-af48380166ef
+	github.com/knqyf263/fanal v0.0.0-20190706175150-0e953d070757
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
-	github.com/knqyf263/go-dep-parser v0.0.0-20190515172517-b8305876c9c2
+	github.com/knqyf263/go-dep-parser v0.0.0-20190521150559-1ef8521d17a0
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
 	github.com/knqyf263/go-version v1.1.1
 	github.com/mattn/go-colorable v0.1.1 // indirect
-	github.com/mattn/go-runewidth v0.0.4 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/olekukonko/tablewriter v0.0.1
-	github.com/stretchr/testify v1.3.0 // indirect
+	github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a
 	github.com/urfave/cli v1.20.0
 	github.com/xanzy/ssh-agent v0.2.1 // indirect
 	go.etcd.io/bbolt v1.3.2 // indirect
@@ -28,8 +26,6 @@ require (
 	go.uber.org/multierr v1.1.0 // indirect
 	go.uber.org/zap v1.9.1
 	golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5
-	golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 // indirect
-	golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67 // indirect
 	golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373
 	gopkg.in/cheggaaa/pb.v1 v1.0.28
 	gopkg.in/src-d/go-billy.v4 v4.3.0 // indirect
@@ -38,6 +34,4 @@ require (
 	gopkg.in/yaml.v2 v2.2.2
 )
 
-replace github.com/genuinetools/reg => github.com/tomoyamachi/reg v0.16.2-0.20190418055600-c6010b917a55
-
-replace github.com/olekukonko/tablewriter => github.com/knqyf263/tablewriter v0.0.2
+replace github.com/genuinetools/reg => github.com/tomoyamachi/reg v0.16.1-0.20190706172545-2a2250fd7c00

go.sum

@@ -8,10 +8,11 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0 h1:wykTgKwhVr2t2qs+xI020s6W5dt614QqCHV+7W9dg64=
 github.com/GoogleCloudPlatform/docker-credential-gcr v1.5.0/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
-github.com/Microsoft/go-winio v0.4.11 h1:zoIOcVf0xPN1tnMVbTtEdI+P8OofVk3NObnwOQ6nK2Q=
-github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
+github.com/Microsoft/go-winio v0.4.12 h1:xAfWHN1IrQ0NJ9TBC0KBZoqLjzDTr1ML+4MywiUOryc=
+github.com/Microsoft/go-winio v0.4.12/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
+github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
 github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
 github.com/alcortesm/tgz v0.0.0-20161220082320-9c5fe88206d7 h1:uSoVVbwJiQipAclBbw+8quDsfcvFjOpI5iCf4p/cqCs=
@@ -25,35 +26,39 @@ github.com/aws/aws-sdk-go v1.19.11 h1:tqaTGER6Byw3QvsjGW0p018U2UOqaJPeJuzoaF7jjo
 github.com/aws/aws-sdk-go v1.19.11/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973 h1:xJ4a3vCFaGF/jqvzLMYoU8P317H5OQ+Via4RmuPwCS0=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0 h1:HWo1m869IqiPhD389kmkxeTalrjNbbJTC8LXupb+sl0=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91 h1:GMmnK0dvr0Sf0gx3DvTbln0c8DE07B7sPVD9dgHOqo4=
 github.com/briandowns/spinner v0.0.0-20190319032542-ac46072a5a91/go.mod h1:hw/JEQBIE+c/BLI4aKM8UU8v+ZqrD3h7HC27kKt8JQU=
+github.com/caarlos0/env/v6 v6.0.0 h1:NZt6FAoB8ieKO5lEwRdwCzYxWFx7ZYF2R7UcoyaWtyc=
+github.com/caarlos0/env/v6 v6.0.0/go.mod h1:+wdyOmtjoZIW2GJOc2OYa5NoOFuWD/bIpWqm30NgtRk=
+github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/containerd/continuity v0.0.0-20180921161001-7f53d412b9eb h1:qSMRxG547z/BgQmyVyADxaMADQXVAD9uleP2sQeClbo=
-github.com/containerd/continuity v0.0.0-20180921161001-7f53d412b9eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
-github.com/coreos/clair v0.0.0-20180919182544-44ae4bc9590a h1:glxUtT0RlaVJU86kg78ygzfhwW6D+uj5H+aOK01QDgI=
-github.com/coreos/clair v0.0.0-20180919182544-44ae4bc9590a/go.mod h1:uXhHPWAoRqw0jJc2f8RrPCwRhIo9otQ8OEWUFtpCiwA=
+github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc h1:TP+534wVlf61smEIq1nwLLAjQVEK2EADoW3CX9AuT+8=
+github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/deckarep/golang-set v1.7.1 h1:SCQV0S6gTtp6itiFrTqI+pfmJ4LN85S1YzhDf9rTHJQ=
 github.com/deckarep/golang-set v1.7.1/go.mod h1:93vsz/8Wt4joVM7c2AVqh+YRMiUSc14yDtF28KmMOgQ=
+github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/docker/cli v0.0.0-20180920165730-54c19e67f69c h1:QlAVcyoF7QQVN7zV+xYBjgwtRVlRU3WCTCpb2mcqQrM=
 github.com/docker/cli v0.0.0-20180920165730-54c19e67f69c/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/distribution v0.0.0-20180920194744-16128bbac47f h1:hYf+mPizfvpH6VgIxdntnOmQHd1F1mQUc1oG+j3Ol2g=
-github.com/docker/distribution v0.0.0-20180920194744-16128bbac47f/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/distribution v2.7.1+incompatible h1:a5mlkVzth6W5A4fOsS3D2EO5BUmsJpcB+cRlLU7cSug=
+github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v0.0.0-20180924202107-a9c061deec0f h1:W4fbqg0JUwy6lLesoJaV/rE0fwAmtdtinMa64X1CEh0=
 github.com/docker/docker v0.0.0-20180924202107-a9c061deec0f/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-ce v0.0.0-20180924210327-f53bd8bb8e43 h1:gZ4lWixV821UVbYtr+oz1ZPCHkbtE+ivfmHyZRgyl2Y=
 github.com/docker/docker-ce v0.0.0-20180924210327-f53bd8bb8e43/go.mod h1:l1FUGRYBvbjnZ8MS6A2xOji4aZFlY/Qmgz7p4oXH7ac=
-github.com/docker/docker-credential-helpers v0.6.1 h1:Dq4iIfcM7cNtddhLVWe9h4QDjsi4OER3Z8voPu/I52g=
-github.com/docker/docker-credential-helpers v0.6.1/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
+github.com/docker/docker-credential-helpers v0.6.2 h1:CrW9H1VMf3a4GrtyAi7IUJjkJVpwBBpX0+mvkvYJaus=
+github.com/docker/docker-credential-helpers v0.6.2/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
 github.com/docker/go-connections v0.0.0-20180821093606-97c2040d34df/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
-github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916 h1:yWHOI+vFjEsAakUTSrtqc/SAHrhSkmn48pqjidZX3QA=
-github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
-github.com/docker/go-units v0.3.3 h1:Xk8S3Xj5sLGlG5g67hJmYMmUgXv5N4PhkjJHHqrwnTk=
-github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82 h1:X0fj836zx99zFu83v/M79DuBn84IL/Syx1SY6Y5ZEMA=
+github.com/docker/go-metrics v0.0.0-20181218153428-b84716841b82/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
+github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
+github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
@@ -66,23 +71,24 @@ github.com/etcd-io/bbolt v1.3.2 h1:RLRQ0TKLX7DlBRXAJHvbmXL17Q3KNnTBtZ9B6Qo+/Y0=
 github.com/etcd-io/bbolt v1.3.2/go.mod h1:ZF2nL25h33cCyBtcyWeZ2/I3HQOfTP+0PIEvHjkjCrw=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fernet/fernet-go v0.0.0-20180830025343-9eac43b88a5e/go.mod h1:2H9hjfbpSMHwY503FclkV/lZTBh2YlOmLLSda12uL8c=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/genuinetools/pkg v0.0.0-20180910213200-1c141f661797/go.mod h1:XTcrCYlXPxnxL2UpnwuRn7tcaTn9HAhxFoFJucootk8=
+github.com/genuinetools/pkg v0.0.0-20181022210355-2fcf164d37cb/go.mod h1:XTcrCYlXPxnxL2UpnwuRn7tcaTn9HAhxFoFJucootk8=
 github.com/gliderlabs/ssh v0.1.1/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/gliderlabs/ssh v0.1.3 h1:cBU46h1lYQk5f2Z+jZbewFKy+1zzE2aUX/ilcPDAm9M=
 github.com/gliderlabs/ssh v0.1.3/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.0 h1:xU6/SpYbvkNYiptHJYEDRseDLvYE7wSqhYYNy0QSUzI=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
+github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.2.0 h1:28o5sBqPkBsMGnC6b4MvE2TzSr5/AT4c/1fLqVGIwlk=
 github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
@@ -93,6 +99,8 @@ github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8l
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0 h1:+dTQ8DZQJz0Mb/HjFlkptS1FeQ4cWSnN941F8aEG4SQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
@@ -100,7 +108,8 @@ github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/mux v1.6.2 h1:Pgr17XVTNXAk3q/r4CpKzC5xBM/qW1uVLV+IhRZpIIk=
 github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
-github.com/grpc-ecosystem/grpc-gateway v1.5.0/go.mod h1:RSKVYQBd5MCa4OVpNdGskqpgL2+G+NZTnrVHpWWfpdw=
+github.com/gorilla/mux v1.7.1 h1:Dw4jY2nghMMRsh1ol8dv1axHkDwMQK2DHerMNJsIpJU=
+github.com/gorilla/mux v1.7.1/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
@@ -112,14 +121,15 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e h1:RgQk53JHp/Cjunrr1WlsXSZpqXn+uREuHvUVcK82CV8=
 github.com/kevinburke/ssh_config v0.0.0-20180830205328-81db2a75821e/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
+github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/knqyf263/berkeleydb v0.0.0-20190501065933-fafe01fb9662/go.mod h1:bu1CcN4tUtoRcI/B/RFHhxMNKFHVq/c3SV+UTyduoXg=
-github.com/knqyf263/fanal v0.0.0-20190517090627-af48380166ef h1:mxKy5exy/vKIhV86Ar7E1AzNS/NCjfyrcRKcoblgZd8=
-github.com/knqyf263/fanal v0.0.0-20190517090627-af48380166ef/go.mod h1:bycEQTZsPG1IOBXWwTNxruhtNN0KYDgux0CMgu9UGoQ=
+github.com/knqyf263/fanal v0.0.0-20190706175150-0e953d070757 h1:+GxAt32Vfj1v2KPUvA44zcTRwZrJbUu5BVvtiU7Y1vo=
+github.com/knqyf263/fanal v0.0.0-20190706175150-0e953d070757/go.mod h1:kdmitQCmUcpPs1JZA3/kBuxu0AeN9OnVLl7SRkPUoGU=
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d h1:X4cedH4Kn3JPupAwwWuo4AzYp16P0OyLO9d7OnMZc/c=
 github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao=
-github.com/knqyf263/go-dep-parser v0.0.0-20190515172517-b8305876c9c2 h1:bQGj8WH6X4czC2FlkgUKKFq2xPnJovzf61T4Yl9sVZs=
-github.com/knqyf263/go-dep-parser v0.0.0-20190515172517-b8305876c9c2/go.mod h1:gSiqSkOFPstUZu/qZ4wnNJS69PtQQnPl397vxKHJ5mQ=
+github.com/knqyf263/go-dep-parser v0.0.0-20190521150559-1ef8521d17a0 h1:DOQ2UbTciy48dV9vpZ25BOiShrWIWZwBdMOy7SD1Wow=
+github.com/knqyf263/go-dep-parser v0.0.0-20190521150559-1ef8521d17a0/go.mod h1:gSiqSkOFPstUZu/qZ4wnNJS69PtQQnPl397vxKHJ5mQ=
 github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936 h1:HDjRqotkViMNcGMGicb7cgxklx8OwnjtCBmyWEqrRvM=
 github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0=
 github.com/knqyf263/go-rpmdb v0.0.0-20190501070121-10a1c42a10dc/go.mod h1:MrSSvdMpTSymaQWk1yFr9sxFSyQmKMj6jkbvGrchBV8=
@@ -127,10 +137,10 @@ github.com/knqyf263/go-version v1.1.1 h1:+MpcBC9b7rk5ihag8Y/FLG8get1H2GjniwKQ+9D
 github.com/knqyf263/go-version v1.1.1/go.mod h1:0tBvHvOBSf5TqGNcY+/ih9o8qo3R16iZCpB9rP0D3VM=
 github.com/knqyf263/nested v0.0.1 h1:Sv26CegUMhjt19zqbBKntjwESdxe5hxVPSk0+AKjdUc=
 github.com/knqyf263/nested v0.0.1/go.mod h1:zwhsIhMkBg90DTOJQvxPkKIypEHPYkgWHs4gybdlUmk=
-github.com/knqyf263/tablewriter v0.0.2 h1:lGaBruL/oJt8FAlMVy9KU0oQ/6NXAJjvK7wBgZyc+Og=
-github.com/knqyf263/tablewriter v0.0.2/go.mod h1:NDOJQAZxabBL3e13jQVktkvbr6bxXXPon8Lyh7fRPPc=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@@ -152,9 +162,12 @@ github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/olekukonko/tablewriter v0.0.1/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
+github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a h1:0LD5FJGQpEyD78OdhX97W75RjYmMjfLPp1ePrk5URxs=
+github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a/go.mod h1:rSAaSIOAGT9odnlyGlUfAJaoc5w2fSBUmeGDbRWPxyQ=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.7.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2 h1:QhPf3A2AZW3tTGvHPg0TA+CR3oHbVLlXUhlghqISp1I=
 github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
@@ -173,27 +186,36 @@ github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v0.0.0-20180924113449-f69c853d21c1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829 h1:D+CiwcpGTW6pL6bv6KI3KbyEyCKyS+1JWS2h8PNDnGA=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
+github.com/prometheus/client_golang v0.9.3 h1:9iH4JKXLzFbOAdtqv/a+j8aewx2Y8lAjAydhbaScPF8=
+github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f h1:BVwpUVJDADN2ufcGik7W992pyps0wZ888b/y9GXcLTU=
 github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
-github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90 h1:S/YWwWx/RA8rT8tKFRuGUZhuA90OyIBpPCXkcbwU8DE=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.2.0 h1:kUZDBDTdBVBYBj5Tmh2NZLlF60mfjA27rM34b+cVwNU=
 github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
-github.com/prometheus/procfs v0.0.0-20180920065004-418d78d0b9a7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/common v0.4.0 h1:7etb9YClo3a6HjLzfl6rIQaU+FDfi0VSX39io3aQ+DM=
+github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1 h1:/K3IL0Z1quvmJ7X0A1AwNEK7CRkVK3YwfOU/QAL4WGg=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084 h1:sofwID9zm4tzrgykg80hfFph1mryUeLRsUfoocVVmRY=
+github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
-github.com/shurcooL/httpfs v0.0.0-20171119174359-809beceb2371/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg=
-github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
+github.com/shurcooL/httpfs v0.0.0-20181222201310-74dc9339e414/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg=
 github.com/sirupsen/logrus v1.2.0 h1:juTguoYk5qI21pwyTXY3B3Y5cOTH3ZUyZCg1v/mihuo=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/sirupsen/logrus v1.4.1 h1:GL2rEmy6nsikmW0r8opw9JIRScdMF5hA8cOYLH7In1k=
+github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/src-d/gcfg v1.4.0 h1:xXbNR5AlLSA315x2UO+fTSSAXCDf+Ar38/6oyGbDKQ4=
 github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -201,8 +223,8 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/tomoyamachi/reg v0.16.2-0.20190418055600-c6010b917a55 h1:O7Xl4zpk6zjYnwxUd7lubrx7xdzQ+PqfTgaxLE9nF+o=
-github.com/tomoyamachi/reg v0.16.2-0.20190418055600-c6010b917a55/go.mod h1:12Fe9EIvK3dG/qWhNk5e9O96I8SGmCKLsJ8GsXUbk+Y=
+github.com/tomoyamachi/reg v0.16.1-0.20190706172545-2a2250fd7c00 h1:0e4vRd9YqnQBIAIAE39jLKDWffRfJWxloyWwcaMAQho=
+github.com/tomoyamachi/reg v0.16.1-0.20190706172545-2a2250fd7c00/go.mod h1:RQE7h2jyIxekQZ24/wad0c9RGP+KSq4XzHh7h83ALi8=
 github.com/urfave/cli v1.20.0 h1:fDqGv3UG/4jbVl/QkFwEdddtEDjh/5Ov6X+0B/3bPaw=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/xanzy/ssh-agent v0.2.0/go.mod h1:0NyE30eGUDliuLEHJgYte/zncp2zdTStcOnWhgSqHD8=
@@ -218,27 +240,25 @@ go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/
 go.uber.org/zap v1.9.1 h1:XCJQEf3W6eZaVwhRBof6ImoYGJSITeKWsyeh3HFu/5o=
 go.uber.org/zap v1.9.1/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20180910181607-0e37d006457b/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5 h1:bselrhR0Or1vomJZC8ZIjWtbDmn9OYFLX5Ik9alpJpE=
 golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/lint v0.0.0-20180702182130-06c8688daad7/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180925072008-f04abc6bdfa7/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3 h1:0GoQqolDA55aaLxZyTzK/Y2ePZzZTUrRacwib7cNsYQ=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c h1:uOCk1iQW6Vc18bnC13MfzScl+wdKBmM9Y9kU7Z83/lw=
+golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421 h1:Wo7BWFiOk0QRFMLYMqJGFMd9CgUAcGx7V+qEg/h5IBI=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -246,29 +266,37 @@ golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180903190138-2b024373dcd9/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180925112736-b09afc3d579e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181122145206-62eef0e2fa9b/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190221075227-b4e8571b14e0/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67 h1:1Fzlr8kkDLQwqMP8GxrhptBLqZG/EDpiATneiZHY998=
-golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190506115046-ca7f33d4116e h1:bq5BY1tGuaK8HxuwN6pT6kWgTVLeJ5KwuyBpsl1CZL4=
+golang.org/x/sys v0.0.0-20190506115046-ca7f33d4116e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2 h1:z99zHgr7hKfrUcX/KsoJk5FJfjTceCKIp96+biqP4To=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c h1:fqgJT0MGcGpPgpWU7VRdRjuArfcOvC4AoJmILihzhDg=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190503185657-3b6f9c0030f7/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373 h1:PPwnA7z1Pjf7XYaBP9GL1VAMZmcIWyFz7QCMSIIa3Bg=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=
@@ -276,15 +304,16 @@ google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9Ywl
 google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20180924164928-221a8d4f7494/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107 h1:xtNn7qFlagY2mQNFHMSRPjT2RkOV4OXM7P5TVy9xATo=
 google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/grpc v1.15.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio=
+google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873 h1:nfPFGzJkUDX6uBmpN/pSw7MbOAWegH5QDQuoXFHedLg=
+google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0 h1:cfg4PD8YEdSFnm7qLV4++93WcmhH2nIUhMjhdCvl3j8=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
+google.golang.org/grpc v1.20.1 h1:Hz2g2wirWK7H0qIIhGIqRGTuMwTE8HEKFnDZZ7lm9NU=
+google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
@@ -292,7 +321,6 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/cheggaaa/pb.v1 v1.0.28 h1:n1tBJnnK2r7g9OW2btFH91V92STTUevLXYFb8gy9EMk=
 gopkg.in/cheggaaa/pb.v1 v1.0.28/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
 gopkg.in/src-d/go-billy.v4 v4.2.1/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk=
 gopkg.in/src-d/go-billy.v4 v4.3.0 h1:KtlZ4c1OWbIs4jCv5ZXrTqG8EQocr0g/d4DjNg70aek=
 gopkg.in/src-d/go-billy.v4 v4.3.0/go.mod h1:tm33zBoOwxjYHZIE+OV8bxTWFMJLrconzFMd38aARFk=
@@ -307,8 +335,8 @@ gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRN
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gotest.tools v2.1.0+incompatible h1:5USw7CrJBYKqjg9R7QlA6jzqZKEAtvW82aNmsxxGPxw=
-gotest.tools v2.1.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
+gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

pkg/db/db.go

@@ -105,9 +105,7 @@ func Put(root *bolt.Bucket, nestedBucket, key string, value interface{}) error {
 	return nested.Put([]byte(key), v)
 }
 func BatchUpdate(fn func(tx *bolt.Tx) error) error {
-	err := db.Batch(func(tx *bolt.Tx) error {
-		return fn(tx)
-	})
+	err := db.Batch(fn)
 	if err != nil {
 		return xerrors.Errorf("error in batch update: %w", err)
 	}

pkg/git/git.go

@@ -92,7 +92,7 @@ func clone(url, repoPath string) error {
 }
 
 func cloneByOSCommand(url, repoPath string) error {
-	commandAndArgs := []string{"clone", url, repoPath}
+	commandAndArgs := []string{"clone", "--depth=1", url, repoPath}
 	_, err := utils.Exec("git", commandAndArgs)
 	if err != nil {
 		return xerrors.Errorf("error in git clone: %w", err)

pkg/report/writer.go

@@ -17,8 +17,8 @@ import (
 type Results []Result
 
 type Result struct {
-	FileName        string `json:"file"`
-	Vulnerabilities []vulnerability.DetectedVulnerability
+	FileName        string                                `json:"Target"`
+	Vulnerabilities []vulnerability.DetectedVulnerability `json:"Vulnerabilities"`
 }
 
 type Writer interface {
@@ -84,11 +84,7 @@ type JsonWriter struct {
 }
 
 func (jw JsonWriter) Write(results Results) error {
-	out := map[string][]vulnerability.DetectedVulnerability{}
-	for _, result := range results {
-		out[result.FileName] = result.Vulnerabilities
-	}
-	output, err := json.MarshalIndent(out, "", "  ")
+	output, err := json.MarshalIndent(results, "", "  ")
 	if err != nil {
 		return xerrors.Errorf("failed to marshal json: %w", err)
 	}

pkg/run.go

@@ -7,25 +7,22 @@ import (
 
 	"github.com/genuinetools/reg/registry"
 	"github.com/knqyf263/fanal/cache"
-
-	"github.com/knqyf263/trivy/pkg/utils"
-
-	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
-
-	"github.com/knqyf263/trivy/pkg/report"
-	"github.com/knqyf263/trivy/pkg/scanner"
-	"github.com/knqyf263/trivy/pkg/vulnsrc"
-
-	"github.com/urfave/cli"
-	"golang.org/x/xerrors"
-
 	"github.com/knqyf263/trivy/pkg/db"
 	"github.com/knqyf263/trivy/pkg/log"
+	"github.com/knqyf263/trivy/pkg/report"
+	"github.com/knqyf263/trivy/pkg/scanner"
+	"github.com/knqyf263/trivy/pkg/types"
+	"github.com/knqyf263/trivy/pkg/utils"
+	"github.com/knqyf263/trivy/pkg/vulnsrc"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
+	"github.com/urfave/cli"
+	"golang.org/x/xerrors"
 )
 
 func Run(c *cli.Context) (err error) {
 	cliVersion := c.App.Version
 
+	utils.Quiet = c.Bool("quiet")
 	debug := c.Bool("debug")
 	if err = log.InitLogger(debug); err != nil {
 		l.Fatal(err)
@@ -72,8 +69,17 @@ func Run(c *cli.Context) (err error) {
 
 	autoRefresh := c.Bool("auto-refresh")
 	skipUpdate := c.Bool("skip-update")
-	if (refresh || autoRefresh) && skipUpdate {
-		return xerrors.New("The --skip-update option can not be specified with the --refresh or --auto-refresh option")
+	onlyUpdate := c.String("only-update")
+	if refresh || autoRefresh {
+		if skipUpdate {
+			return xerrors.New("The --skip-update option can not be specified with the --refresh or --auto-refresh option")
+		}
+		if onlyUpdate != "" {
+			return xerrors.New("The --only-update option can not be specified with the --refresh or --auto-refresh option")
+		}
+	}
+	if skipUpdate && onlyUpdate != "" {
+		return xerrors.New("The --skip-update and --only-update option can not be specified both")
 	}
 
 	if err = db.Init(); err != nil {
@@ -83,7 +89,7 @@ func Run(c *cli.Context) (err error) {
 	needRefresh := false
 	dbVersion := db.GetVersion()
 	if dbVersion != "" && dbVersion != cliVersion {
-		if !autoRefresh {
+		if !refresh && !autoRefresh {
 			return xerrors.New("Detected version update of trivy. Please try again with --refresh or --auto-refresh option")
 		}
 		needRefresh = true
@@ -96,19 +102,27 @@ func Run(c *cli.Context) (err error) {
 		}
 	}
 
+	updateTargets := vulnsrc.UpdateList
+	if onlyUpdate != "" {
+		log.Logger.Warn("The --only-update option may cause the vulnerability details such as severity and title not to be displayed")
+		updateTargets = strings.Split(onlyUpdate, ",")
+	}
+
 	if !skipUpdate {
-		if err = vulnsrc.Update(); err != nil {
+		if err = vulnsrc.Update(updateTargets); err != nil {
 			return xerrors.Errorf("error in vulnerability DB update: %w", err)
 		}
 	}
 
+	if err = db.SetVersion(cliVersion); err != nil {
+		return xerrors.Errorf("unexpected error: %w", err)
+	}
+
 	// When specifying no image name and file name
 	if noTarget {
 		return nil
 	}
 
-	utils.Quiet = c.Bool("quiet")
-
 	o := c.String("output")
 	output := os.Stdout
 	if o != "" {
@@ -143,7 +157,11 @@ func Run(c *cli.Context) (err error) {
 		}
 	}
 
-	vulns, err := scanner.ScanImage(imageName, filePath)
+	scanOptions := types.ScanOptions{VulnType: strings.Split(c.String("vuln-type"), ",")}
+
+	log.Logger.Debugf("Vulnerability type:  %s", scanOptions.VulnType)
+
+	vulns, err := scanner.ScanImage(imageName, filePath, scanOptions)
 	if err != nil {
 		return xerrors.Errorf("error in image scan: %w", err)
 	}
@@ -158,23 +176,19 @@ func Run(c *cli.Context) (err error) {
 	}
 
 	var writer report.Writer
-	switch c.String("format") {
+	switch format := c.String("format"); format {
 	case "table":
 		writer = &report.TableWriter{Output: output}
 	case "json":
 		writer = &report.JsonWriter{Output: output}
 	default:
-		xerrors.New("unknown format")
+		return xerrors.Errorf("unknown format: %v", format)
 	}
 
 	if err = writer.Write(results); err != nil {
 		return xerrors.Errorf("failed to write results: %w", err)
 	}
 
-	if err = db.SetVersion(cliVersion); err != nil {
-		return xerrors.Errorf("unexpected error: %w", err)
-	}
-
 	exitCode := c.Int("exit-code")
 	if exitCode != 0 {
 		for _, result := range results {

pkg/scanner/library/bundler/advisory.go

@@ -32,6 +32,7 @@ type Advisory struct {
 	Gem                string
 	Cve                string
 	Osvdb              string
+	Ghsa               string
 	Title              string
 	Url                string
 	Description        string
@@ -88,7 +89,12 @@ func (s *Scanner) walk() (AdvisoryDB, error) {
 			vulnerabilityID = fmt.Sprintf("CVE-%s", advisory.Cve)
 		} else if advisory.Osvdb != "" {
 			vulnerabilityID = fmt.Sprintf("OSVDB-%s", advisory.Osvdb)
+		} else if advisory.Ghsa != "" {
+			vulnerabilityID = fmt.Sprintf("GHSA-%s", advisory.Ghsa)
+		} else {
+			return nil
 		}
+
 		vulns = append(vulns, vulnerability.Vulnerability{
 			ID:          vulnerabilityID,
 			CvssScore:   advisory.CvssV2,

pkg/scanner/library/composer/advisory.go

@@ -7,7 +7,6 @@ import (
 	"strings"
 
 	"github.com/etcd-io/bbolt"
-
 	"github.com/knqyf263/trivy/pkg/db"
 	"golang.org/x/xerrors"
 
@@ -73,9 +72,15 @@ func (s *Scanner) walk() (AdvisoryDB, error) {
 		}
 		advisoryDB[advisory.Reference] = append(advisories, advisory)
 
+		vulnerabilityID := advisory.Cve
+		if vulnerabilityID == "" {
+			// e.g. CVE-2019-12139.yaml => CVE-2019-12139
+			vulnerabilityID = strings.TrimSuffix(info.Name(), ".yaml")
+		}
+
 		// for displaying vulnerability detail
 		vulns = append(vulns, vulnerability.Vulnerability{
-			ID:         advisory.Cve,
+			ID:         vulnerabilityID,
 			References: []string{advisory.Link},
 			Title:      advisory.Title,
 		})

pkg/scanner/library/python/advisory.go

@@ -1,4 +1,4 @@
-package pipenv
+package python
 
 import (
 	"encoding/json"

pkg/scanner/library/python/scan.go

@@ -1,4 +1,4 @@
-package pipenv
+package python
 
 import (
 	"os"
@@ -9,21 +9,24 @@ import (
 	"golang.org/x/xerrors"
 
 	"github.com/knqyf263/go-dep-parser/pkg/pipenv"
+	"github.com/knqyf263/go-dep-parser/pkg/poetry"
 	ptypes "github.com/knqyf263/go-dep-parser/pkg/types"
 	"github.com/knqyf263/go-version"
 	"github.com/knqyf263/trivy/pkg/scanner/utils"
 )
 
 const (
-	scannerType = "pipenv"
+	ScannerTypePipenv = "pipenv"
+	ScannerTypePoetry = "poetry"
 )
 
 type Scanner struct {
-	db AdvisoryDB
+	db          AdvisoryDB
+	scannerType string
 }
 
-func NewScanner() *Scanner {
-	return &Scanner{}
+func NewScanner(scannerType string) *Scanner {
+	return &Scanner{scannerType: scannerType}
 }
 
 func (s *Scanner) Detect(pkgName string, pkgVer *version.Version) ([]vulnerability.DetectedVulnerability, error) {
@@ -63,12 +66,28 @@ func createFixedVersions(specs []string) string {
 }
 
 func (s *Scanner) ParseLockfile(f *os.File) ([]ptypes.Library, error) {
+	if s.Type() == ScannerTypePipenv {
+		return s.parsePipenv(f)
+	}
+	return s.parsePoetry(f)
+}
+
+func (s *Scanner) parsePipenv(f *os.File) ([]ptypes.Library, error) {
 	libs, err := pipenv.Parse(f)
 	if err != nil {
 		return nil, xerrors.Errorf("invalid Pipfile.lock format: %w", err)
 	}
 	return libs, nil
 }
-func (s *Scanner) Type() string {
-	return scannerType
+
+func (s *Scanner) parsePoetry(f *os.File) ([]ptypes.Library, error) {
+	libs, err := poetry.Parse(f)
+	if err != nil {
+		return nil, xerrors.Errorf("invalid poetry.lock format: %w", err)
+	}
+	return libs, nil
+}
+
+func (s *Scanner) Type() string {
+	return s.scannerType
 }

pkg/scanner/library/scan.go

@@ -12,6 +12,7 @@ import (
 	_ "github.com/knqyf263/fanal/analyzer/library/composer"
 	_ "github.com/knqyf263/fanal/analyzer/library/npm"
 	_ "github.com/knqyf263/fanal/analyzer/library/pipenv"
+	_ "github.com/knqyf263/fanal/analyzer/library/poetry"
 	_ "github.com/knqyf263/fanal/analyzer/library/yarn"
 	"github.com/knqyf263/fanal/extractor"
 	ptypes "github.com/knqyf263/go-dep-parser/pkg/types"
@@ -21,7 +22,8 @@ import (
 	"github.com/knqyf263/trivy/pkg/scanner/library/cargo"
 	"github.com/knqyf263/trivy/pkg/scanner/library/composer"
 	"github.com/knqyf263/trivy/pkg/scanner/library/node"
-	"github.com/knqyf263/trivy/pkg/scanner/library/pipenv"
+	"github.com/knqyf263/trivy/pkg/scanner/library/python"
+	"github.com/knqyf263/trivy/pkg/types"
 	"golang.org/x/xerrors"
 )
 
@@ -46,14 +48,16 @@ func NewScanner(filename string) Scanner {
 	case "yarn.lock":
 		scanner = node.NewScanner(node.ScannerTypeYarn)
 	case "Pipfile.lock":
-		scanner = pipenv.NewScanner()
+		scanner = python.NewScanner(python.ScannerTypePipenv)
+	case "poetry.lock":
+		scanner = python.NewScanner(python.ScannerTypePoetry)
 	default:
 		return nil
 	}
 	return scanner
 }
 
-func Scan(files extractor.FileMap) (map[string][]vulnerability.DetectedVulnerability, error) {
+func Scan(files extractor.FileMap, scanOptions types.ScanOptions) (map[string][]vulnerability.DetectedVulnerability, error) {
 	results, err := analyzer.GetLibraries(files)
 	if err != nil {
 		return nil, xerrors.Errorf("failed to analyze libraries: %w", err)
@@ -72,9 +76,7 @@ func Scan(files extractor.FileMap) (map[string][]vulnerability.DetectedVulnerabi
 			return nil, xerrors.Errorf("failed to scan %s vulnerabilities: %w", scanner.Type(), err)
 		}
 
-		if len(vulns) != 0 {
-			vulnerabilities[string(path)] = vulns
-		}
+		vulnerabilities[string(path)] = vulns
 	}
 	return vulnerabilities, nil
 }

pkg/scanner/ospkg/alpine/alpine.go

@@ -3,17 +3,13 @@ package alpine
 import (
 	"strings"
 
-	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
-
-	"golang.org/x/xerrors"
-
-	version "github.com/knqyf263/go-rpm-version"
-	"github.com/knqyf263/trivy/pkg/scanner/utils"
-
-	"github.com/knqyf263/trivy/pkg/vulnsrc/alpine"
-
 	"github.com/knqyf263/fanal/analyzer"
+	version "github.com/knqyf263/go-rpm-version"
 	"github.com/knqyf263/trivy/pkg/log"
+	"github.com/knqyf263/trivy/pkg/scanner/utils"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/alpine"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
+	"golang.org/x/xerrors"
 )
 
 type Scanner struct{}

pkg/scanner/ospkg/debian/debian.go

@@ -30,7 +30,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 		osVer = osVer[:strings.Index(osVer, ".")]
 	}
 	log.Logger.Debugf("debian: os version: %s", osVer)
-	log.Logger.Debugf("debian: the number of packages: %s", len(pkgs))
+	log.Logger.Debugf("debian: the number of packages: %d", len(pkgs))
 
 	var vulns []vulnerability.DetectedVulnerability
 	for _, pkg := range pkgs {

pkg/scanner/ospkg/redhat/redhat.go

@@ -24,7 +24,7 @@ func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability
 		osVer = osVer[:strings.Index(osVer, ".")]
 	}
 	log.Logger.Debugf("redhat: os version: %s", osVer)
-	log.Logger.Debugf("redhat: the number of packages: %s", len(pkgs))
+	log.Logger.Debugf("redhat: the number of packages: %d", len(pkgs))
 
 	var vulns []vulnerability.DetectedVulnerability
 	for _, pkg := range pkgs {

pkg/scanner/ospkg/scan.go

@@ -5,7 +5,9 @@ import (
 	_ "github.com/knqyf263/fanal/analyzer/command/apk"
 	fos "github.com/knqyf263/fanal/analyzer/os"
 	_ "github.com/knqyf263/fanal/analyzer/os/alpine"
+	_ "github.com/knqyf263/fanal/analyzer/os/amazonlinux"
 	_ "github.com/knqyf263/fanal/analyzer/os/debianbase"
+	_ "github.com/knqyf263/fanal/analyzer/os/opensuse"
 	_ "github.com/knqyf263/fanal/analyzer/os/redhatbase"
 	_ "github.com/knqyf263/fanal/analyzer/pkg/apk"
 	_ "github.com/knqyf263/fanal/analyzer/pkg/dpkg"
@@ -41,7 +43,8 @@ func Scan(files extractor.FileMap) (string, string, []vulnerability.DetectedVuln
 	case fos.RedHat, fos.CentOS:
 		s = redhat.NewScanner()
 	default:
-		return "", "", nil, xerrors.Errorf("unsupported os : %s", os.Family)
+		log.Logger.Warnf("unsupported os : %s", os.Family)
+		return "", "", nil, nil
 	}
 	pkgs, err := analyzer.GetPackages(files)
 	if err != nil {

pkg/scanner/ospkg/ubuntu/ubuntu.go

@@ -20,7 +20,7 @@ func NewScanner() *Scanner {
 func (s *Scanner) Detect(osVer string, pkgs []analyzer.Package) ([]vulnerability.DetectedVulnerability, error) {
 	log.Logger.Info("Detecting Ubuntu vulnerabilities...")
 	log.Logger.Debugf("ubuntu: os version: %s", osVer)
-	log.Logger.Debugf("ubuntu: the number of packages: %s", len(pkgs))
+	log.Logger.Debugf("ubuntu: the number of packages: %d", len(pkgs))
 
 	var vulns []vulnerability.DetectedVulnerability
 	for _, pkg := range pkgs {

pkg/scanner/scan.go

@@ -10,13 +10,14 @@ import (
 	"github.com/knqyf263/fanal/extractor"
 	"github.com/knqyf263/trivy/pkg/scanner/library"
 	"github.com/knqyf263/trivy/pkg/scanner/ospkg"
+	"github.com/knqyf263/trivy/pkg/types"
+	"github.com/knqyf263/trivy/pkg/utils"
 	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 	"golang.org/x/crypto/ssh/terminal"
 	"golang.org/x/xerrors"
 )
 
-func ScanImage(imageName, filePath string) (map[string][]vulnerability.DetectedVulnerability, error) {
-	var err error
+func ScanImage(imageName, filePath string, scanOptions types.ScanOptions) (map[string][]vulnerability.DetectedVulnerability, error) {
 	results := map[string][]vulnerability.DetectedVulnerability{}
 	ctx := context.Background()
 
@@ -24,7 +25,11 @@ func ScanImage(imageName, filePath string) (map[string][]vulnerability.DetectedV
 	var files extractor.FileMap
 	if imageName != "" {
 		target = imageName
-		files, err = analyzer.Analyze(ctx, imageName)
+		dockerOption, err := types.GetDockerOption()
+		if err != nil {
+			return nil, xerrors.Errorf("failed to get docker option: %w", err)
+		}
+		files, err = analyzer.Analyze(ctx, imageName, dockerOption)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to analyze image: %w", err)
 		}
@@ -43,20 +48,25 @@ func ScanImage(imageName, filePath string) (map[string][]vulnerability.DetectedV
 		return nil, xerrors.New("image name or image file must be specified")
 	}
 
-	osFamily, osVersion, osVulns, err := ospkg.Scan(files)
-	if err != nil {
-		return nil, xerrors.Errorf("failed to scan image: %w", err)
-
+	if utils.StringInSlice("os", scanOptions.VulnType) {
+		osFamily, osVersion, osVulns, err := ospkg.Scan(files)
+		if err != nil {
+			return nil, xerrors.Errorf("failed to scan image: %w", err)
+		}
+		if osFamily != "" {
+			imageDetail := fmt.Sprintf("%s (%s %s)", target, osFamily, osVersion)
+			results[imageDetail] = osVulns
+		}
 	}
-	imageDetail := fmt.Sprintf("%s (%s %s)", target, osFamily, osVersion)
-	results[imageDetail] = osVulns
 
-	libVulns, err := library.Scan(files)
-	if err != nil {
-		return nil, xerrors.Errorf("failed to scan libraries: %w", err)
-	}
-	for path, vulns := range libVulns {
-		results[path] = vulns
+	if utils.StringInSlice("library", scanOptions.VulnType) {
+		libVulns, err := library.Scan(files, scanOptions)
+		if err != nil {
+			return nil, xerrors.Errorf("failed to scan libraries: %w", err)
+		}
+		for path, vulns := range libVulns {
+			results[path] = vulns
+		}
 	}
 
 	return results, nil

pkg/types/dockerConf.go

@@ -0,0 +1,32 @@
+package types
+
+import (
+	"time"
+
+	"github.com/caarlos0/env/v6"
+	"github.com/knqyf263/fanal/types"
+)
+
+type DockerConfig struct {
+	AuthURL  string        `env:"TRIVY_AUTH_URL"`
+	UserName string        `env:"TRIVY_USERNAME"`
+	Password string        `env:"TRIVY_PASSWORD"`
+	Timeout  time.Duration `env:"TRIVY_TIMEOUT_SEC" envDefault:"60s"`
+	Insecure bool          `env:"TRIVY_INSECURE" envDefault:"true"`
+	NonSSL   bool          `env:"TRIVY_NON_SSL" envDefault:"false"`
+}
+
+func GetDockerOption() (types.DockerOption, error) {
+	cfg := DockerConfig{}
+	if err := env.Parse(&cfg); err != nil {
+		return types.DockerOption{}, err
+	}
+	return types.DockerOption{
+		AuthURL:  cfg.AuthURL,
+		UserName: cfg.UserName,
+		Password: cfg.Password,
+		Timeout:  cfg.Timeout,
+		Insecure: cfg.Insecure,
+		NonSSL:   cfg.NonSSL,
+	}, nil
+}

pkg/types/library.go

@@ -1,6 +1,6 @@
 package types
 
-type Library struct{
-	Name string
+type Library struct {
+	Name    string
 	Version string
 }

pkg/types/scanoptions.go

@@ -0,0 +1,5 @@
+package types
+
+type ScanOptions struct {
+	VulnType []string
+}

pkg/vulnsrc/nvd/nvd.go

@@ -1,6 +1,7 @@
 package nvd
 
 import (
+	"bytes"
 	"encoding/json"
 	"io"
 	"path/filepath"
@@ -14,6 +15,7 @@ import (
 	"github.com/knqyf263/trivy/pkg/utils"
 
 	bolt "github.com/etcd-io/bbolt"
+
 	"github.com/knqyf263/trivy/pkg/db"
 )
 
@@ -35,11 +37,16 @@ func Update(dir string, updatedFiles map[string]struct{}) error {
 	bar := utils.PbStartNew(len(targets))
 	defer bar.Finish()
 	var items []Item
+	buffer := &bytes.Buffer{}
 	err = utils.FileWalk(rootDir, targets, func(r io.Reader, _ string) error {
 		item := Item{}
-		if err := json.NewDecoder(r).Decode(&item); err != nil {
+		if _, err := buffer.ReadFrom(r); err != nil {
+			return xerrors.Errorf("failed to read file: %w", err)
+		}
+		if err := json.Unmarshal(buffer.Bytes(), &item); err != nil {
 			return xerrors.Errorf("failed to decode NVD JSON: %w", err)
 		}
+		buffer.Reset()
 		items = append(items, item)
 		bar.Increment()
 		return nil

pkg/vulnsrc/redhat/types.go

@@ -18,8 +18,8 @@ type RedhatCVE struct {
 	Name                 string `json:"name"`
 	DocumentDistribution string `json:"document_distribution"`
 
-	Details    []string `json:"details" gorm:"-"`
-	References []string `json:"references" gorm:"-"`
+	Details    []string `json:"details"`
+	References []string `json:"references"`
 }
 
 type RedhatCVEAffectedReleaseArray struct {

pkg/vulnsrc/vulnerability/vulnerability.go

@@ -89,17 +89,16 @@ func getDetail(vulnID string) (Severity, string, string, []string) {
 
 func getSeverity(details map[string]Vulnerability) Severity {
 	for _, source := range sources {
-		d, ok := details[source]
-		if !ok {
+		switch d, ok := details[source]; {
+		case !ok:
 			continue
-		}
-		if d.CvssScore > 0 {
+		case d.CvssScore > 0:
 			return scoreToSeverity(d.CvssScore)
-		} else if d.CvssScoreV3 > 0 {
+		case d.CvssScoreV3 > 0:
 			return scoreToSeverity(d.CvssScoreV3)
-		} else if d.Severity != 0 {
+		case d.Severity != 0:
 			return d.Severity
-		} else if d.SeverityV3 != 0 {
+		case d.SeverityV3 != 0:
 			return d.SeverityV3
 		}
 	}
@@ -151,14 +150,16 @@ func getReferences(details map[string]Vulnerability) []string {
 }
 
 func scoreToSeverity(score float64) Severity {
-	if score >= 9.0 {
+	switch {
+	case score >= 9.0:
 		return SeverityCritical
-	} else if score >= 7.0 {
+	case score >= 7.0:
 		return SeverityHigh
-	} else if score >= 4.0 {
+	case score >= 4.0:
 		return SeverityMedium
-	} else if score > 0.0 {
+	case score > 0.0:
 		return SeverityLow
+	default:
+		return SeverityUnknown
 	}
-	return SeverityUnknown
 }

pkg/vulnsrc/vulnsrc.go

@@ -12,6 +12,7 @@ import (
 	"github.com/knqyf263/trivy/pkg/vulnsrc/nvd"
 	"github.com/knqyf263/trivy/pkg/vulnsrc/redhat"
 	"github.com/knqyf263/trivy/pkg/vulnsrc/ubuntu"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
 	"golang.org/x/xerrors"
 )
 
@@ -19,7 +20,29 @@ const (
 	repoURL = "https://github.com/knqyf263/vuln-list.git"
 )
 
-func Update() (err error) {
+type updateFunc func(dir string, updatedFiles map[string]struct{}) error
+
+var (
+	// UpdateList has list of update distributions
+	UpdateList []string
+	updateMap  = map[string]updateFunc{
+		vulnerability.Nvd:        nvd.Update,
+		vulnerability.Alpine:     alpine.Update,
+		vulnerability.RedHat:     redhat.Update,
+		vulnerability.Debian:     debian.Update,
+		vulnerability.DebianOVAL: debianoval.Update,
+		vulnerability.Ubuntu:     ubuntu.Update,
+	}
+)
+
+func init() {
+	UpdateList = make([]string, 0, len(updateMap))
+	for distribution := range updateMap {
+		UpdateList = append(UpdateList, distribution)
+	}
+}
+
+func Update(names []string) error {
 	log.Logger.Info("Updating vulnerability database...")
 
 	// Clone vuln-list repository
@@ -35,41 +58,15 @@ func Update() (err error) {
 		return nil
 	}
 
-	// Update NVD
-	log.Logger.Info("Updating NVD data...")
-	if err = nvd.Update(dir, updatedFiles); err != nil {
-		return xerrors.Errorf("error in NVD update: %w", err)
+	for _, distribution := range names {
+		updateFunc, ok := updateMap[distribution]
+		if !ok {
+			return xerrors.Errorf("%s does not supported yet", distribution)
+		}
+		log.Logger.Infof("Updating %s data...", distribution)
+		if err := updateFunc(dir, updatedFiles); err != nil {
+			return xerrors.Errorf("error in %s update: %w", distribution, err)
+		}
 	}
-
-	// Update Alpine OVAL
-	log.Logger.Info("Updating Alpine data...")
-	if err = alpine.Update(dir, updatedFiles); err != nil {
-		return xerrors.Errorf("error in Alpine OVAL update: %w", err)
-	}
-
-	//Update RedHat
-	log.Logger.Info("Updating RedHat data...")
-	if err = redhat.Update(dir, updatedFiles); err != nil {
-		return xerrors.Errorf("error in RedHat update: %w", err)
-	}
-
-	// Update Debian
-	log.Logger.Info("Updating Debian data...")
-	if err = debian.Update(dir, updatedFiles); err != nil {
-		return xerrors.Errorf("error in Debian update: %w", err)
-	}
-
-	// Update Debian OVAL
-	log.Logger.Info("Updating Debian OVAL data...")
-	if err = debianoval.Update(dir, updatedFiles); err != nil {
-		return xerrors.Errorf("error in Debian OVAL update: %w", err)
-	}
-
-	//Update Ubuntu
-	log.Logger.Info("Updating Ubuntu data...")
-	if err = ubuntu.Update(dir, updatedFiles); err != nil {
-		return xerrors.Errorf("error in Ubuntu update: %w", err)
-	}
-
 	return nil
 }

pkg/vulnsrc/vulnsrc_test.go

@@ -0,0 +1,38 @@
+package vulnsrc
+
+import (
+	"path/filepath"
+	"testing"
+
+	"go.uber.org/zap"
+
+	"github.com/knqyf263/trivy/pkg/db"
+	"github.com/knqyf263/trivy/pkg/git"
+	"github.com/knqyf263/trivy/pkg/log"
+	"github.com/knqyf263/trivy/pkg/utils"
+	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
+)
+
+func BenchmarkUpdate(b *testing.B) {
+	log.Logger = zap.NewNop().Sugar()
+	utils.Quiet = true
+	if err := db.Init(); err != nil {
+		b.Fatal(err)
+	}
+	dir := filepath.Join(utils.CacheDir(), "vuln-list")
+	if _, err := git.CloneOrPull(repoURL, dir); err != nil {
+		b.Fatal(err)
+	}
+	b.ResetTimer()
+
+	b.Run("NVD", func(b *testing.B) {
+		for i := 0; i < b.N; i++ {
+			if err := db.SetVersion(""); err != nil {
+				b.Fatal(err)
+			}
+			if err := Update([]string{vulnerability.Nvd}); err != nil {
+				b.Fatal(err)
+			}
+		}
+	})
+}