Add --refresh option

.dockerignore

@@ -0,0 +1 @@
+imgs

Dockerfile

@@ -0,0 +1,14 @@
+FROM golang:1.12-alpine AS builder
+ADD go.mod go.sum /app/
+WORKDIR /app/
+RUN apk --no-cache add git
+RUN go mod download
+ADD . /app/
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o /trivy cmd/trivy/main.go
+
+FROM alpine:3.9
+RUN apk --no-cache add ca-certificates git
+COPY --from=builder /trivy /usr/local/bin/trivy
+RUN chmod +x /usr/local/bin/trivy
+
+CMD ["trivy"]

README.md

@@ -29,6 +29,12 @@ $ sudo yum -y update
 $ sudo yum -y install trivy
 ```
 
+or
+
+```
+$ rpm -ivh https://github.com/knqyf263/trivy/releases/download/v0.0.3/trivy_0.0.3_Linux-64bit.rpm
+```
+
 ## Debian/Ubuntu
 
 Replace `[CODE_NAME]` with your code name
@@ -43,6 +49,14 @@ $ sudo apt-get update
 $ sudo apt-get install trivy
 ```
 
+or
+
+```
+$ sudo apt-get install rpm
+$ wget https://github.com/knqyf263/trivy/releases/download/v0.0.3/trivy_0.0.3_Linux-64bit.deb
+$ sudo dpkg -i trivy_0.0.3_Linux-64bit.deb
+```
+
 ## Mac OS X / Homebrew
 You can use homebrew on OS X.
 ```
@@ -60,6 +74,69 @@ $ go get -u github.com/knqyf263/trivy
 ```
 
 # Examples
+## Continuous Integration (CI)
+Scan your image built in Travis CI/CircleCI. The test will fail if a vulnerability is found. When you don't want to fail the test, specify `--exit-code 0` .
+
+**Note**: The first time take a while (faster by cache after the second time)
+### Travis CI
+
+```
+$ cat .travis.yml
+services:
+  - docker
+
+before_install:
+  - docker build -t trivy-ci-test:latest .
+  - wget https://github.com/knqyf263/trivy/releases/download/v0.0.3/trivy_0.0.3_Linux-64bit.tar.gz
+  - tar zxvf trivy_0.0.3_Linux-64bit.tar.gz
+script:
+  - ./trivy --exit-code 1 --quiet trivy-ci-test:latest
+cache:
+  directories:
+    - $HOME/.cache/trivy
+```
+
+example: https://travis-ci.org/knqyf263/trivy-ci-test  
+repository: https://github.com/knqyf263/trivy-ci-test
+
+### Circle CI
+
+```
+$ cat .circleci/config.yml
+jobs:
+  build:
+    docker:
+      - image: docker:18.09-git
+    steps:
+      - checkout
+      - setup_remote_docker
+      - restore_cache:
+          key: vulnerability-db
+      - run:
+          name: Build image
+          command: docker build -t trivy-ci-test:latest .
+      - run:
+          name: Install trivy
+          command: |
+            wget https://github.com/knqyf263/trivy/releases/download/v0.0.4/trivy_0.0.4_Linux-64bit.tar.gz
+            tar zxvf trivy_0.0.4_Linux-64bit.tar.gz
+            mv trivy /usr/local/bin
+      - run:
+          name: Scan the local image with trivy
+          command: trivy --exit-code 1 --quiet trivy-ci-test:latest
+      - save_cache:
+          key: vulnerability-db
+          paths:
+            - $HOME/.cache/trivy
+workflows:
+  version: 2
+  release:
+    jobs:
+      - build
+```
+
+example: https://circleci.com/gh/knqyf263/trivy-ci-test  
+repository: https://github.com/knqyf263/trivy-ci-test
 
 # Usage
 
@@ -70,17 +147,20 @@ NAME:
 USAGE:
   main [options] image_name
 VERSION:
-  0.0.1
+  0.0.3
 OPTIONS:
   --format value, -f value    format (table, json) (default: "table")
   --input value, -i value     input file path instead of image name
-  --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN")
+  --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL")
   --output value, -o value    output file name
+  --exit-code value           Exit code when vulnerabilities were found (default: 0)
   --skip-update               skip db update
   --clean, -c                 clean all cache
+  --quiet, -q                 suppress progress bar
   --debug, -d                 debug mode
   --help, -h                  show help
   --version, -v               print the version
+
 ```
 
 # Q&A

cmd/trivy/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	l "log"
 	"os"
 	"strings"
 
@@ -59,6 +60,11 @@ OPTIONS:
 			Name:  "output, o",
 			Usage: "output file name",
 		},
+		cli.IntFlag{
+			Name:  "exit-code",
+			Usage: "Exit code when vulnerabilities were found",
+			Value: 0,
+		},
 		cli.BoolFlag{
 			Name:  "skip-update",
 			Usage: "skip db update",
@@ -67,6 +73,18 @@ OPTIONS:
 			Name:  "clean, c",
 			Usage: "clean all cache",
 		},
+		cli.BoolFlag{
+			Name:  "quiet, q",
+			Usage: "suppress progress bar",
+		},
+		cli.BoolFlag{
+			Name:  "ignore-unfixed",
+			Usage: "display only fixed vulnerabilities",
+		},
+		cli.BoolFlag{
+			Name:  "refresh",
+			Usage: "refresh DB (usually used after version update of trivy)",
+		},
 		cli.BoolFlag{
 			Name:  "debug, d",
 			Usage: "debug mode",
@@ -79,6 +97,9 @@ OPTIONS:
 
 	err := app.Run(os.Args)
 	if err != nil {
-		log.Logger.Fatal(err)
+		if log.Logger != nil {
+			log.Logger.Fatal(err)
+		}
+		l.Fatal(err)
 	}
 }

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/fatih/color v1.7.0
 	github.com/gliderlabs/ssh v0.1.3 // indirect
 	github.com/golang/protobuf v1.3.1 // indirect
-	github.com/knqyf263/fanal v0.0.0-20190506110705-2b5cb3000ff6
+	github.com/knqyf263/fanal v0.0.0-20190507123206-ceab60083e70
 	github.com/knqyf263/go-deb-version v0.0.0-20170509080151-9865fe14d09b
 	github.com/knqyf263/go-dep-parser v0.0.0-20190429154931-c377a5391790
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936

go.sum

@@ -117,6 +117,8 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
 github.com/knqyf263/berkeleydb v0.0.0-20190501065933-fafe01fb9662/go.mod h1:bu1CcN4tUtoRcI/B/RFHhxMNKFHVq/c3SV+UTyduoXg=
 github.com/knqyf263/fanal v0.0.0-20190506110705-2b5cb3000ff6 h1:iSztZNfwEPMN2CvUX1SxNEclRZn+rwRMdsnAegxRJk4=
 github.com/knqyf263/fanal v0.0.0-20190506110705-2b5cb3000ff6/go.mod h1:OiuWIClssf5WzbMcR8lfspdBVaP+vRQndY4kHeFgrDw=
+github.com/knqyf263/fanal v0.0.0-20190507123206-ceab60083e70 h1:L27WBZxk7N70WilG91kgvs0EnV+JVCoOTsNQa8tMBJs=
+github.com/knqyf263/fanal v0.0.0-20190507123206-ceab60083e70/go.mod h1:OiuWIClssf5WzbMcR8lfspdBVaP+vRQndY4kHeFgrDw=
 github.com/knqyf263/go-deb-version v0.0.0-20170509080151-9865fe14d09b h1:DiDMmSwuY27PJxA2Gs0+uI/bQ/ehKARaGXRdlp+wFis=
 github.com/knqyf263/go-deb-version v0.0.0-20170509080151-9865fe14d09b/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao=
 github.com/knqyf263/go-dep-parser v0.0.0-20190429154931-c377a5391790 h1:c02gG0yRNr25lcLOH+678SuuxxMUq36i48PQnmAweWk=

pkg/db/db.go

@@ -2,10 +2,11 @@ package db
 
 import (
 	"encoding/json"
-	"github.com/knqyf263/trivy/pkg/log"
 	"os"
 	"path/filepath"
 
+	"github.com/knqyf263/trivy/pkg/log"
+
 	"golang.org/x/xerrors"
 
 	"github.com/knqyf263/trivy/pkg/utils"
@@ -14,11 +15,11 @@ import (
 )
 
 var (
-	db *bolt.DB
+	db    *bolt.DB
+	dbDir = filepath.Join(utils.CacheDir(), "db")
 )
 
 func Init() (err error) {
-	dbDir := filepath.Join(utils.CacheDir(), "db")
 	if err = os.MkdirAll(dbDir, 0700); err != nil {
 		return xerrors.Errorf("failed to mkdir: %w", err)
 	}
@@ -32,6 +33,33 @@ func Init() (err error) {
 	return nil
 }
 
+func Reset() error {
+	if err := os.RemoveAll(dbDir); err != nil {
+		return xerrors.Errorf("failed to reset DB: %w", err)
+	}
+	return nil
+}
+
+func GetVersion() string {
+	var version string
+	value, err := Get("trivy", "metadata", "version")
+	if err != nil {
+		return ""
+	}
+	if err = json.Unmarshal(value, &version); err != nil {
+		return ""
+	}
+	return version
+}
+
+func SetVersion(version string) error {
+	err := Update("trivy", "metadata", "version", version)
+	if err != nil {
+		return xerrors.Errorf("failed to save DB version: %w", err)
+	}
+	return nil
+}
+
 func Update(rootBucket, nestedBucket, key string, value interface{}) error {
 	err := db.Update(func(tx *bolt.Tx) error {
 		return PutNestedBucket(tx, rootBucket, nestedBucket, key, value)

pkg/git/git.go

@@ -4,9 +4,9 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
-	"time"
 
-	"github.com/briandowns/spinner"
+	"github.com/knqyf263/trivy/pkg/db"
+
 	"github.com/knqyf263/trivy/pkg/log"
 	"github.com/knqyf263/trivy/pkg/utils"
 	"golang.org/x/xerrors"
@@ -33,10 +33,13 @@ func CloneOrPull(url, repoPath string) (map[string]struct{}, error) {
 			updatedFiles[strings.TrimSpace(filename)] = struct{}{}
 		}
 	} else {
+		if !utils.IsCommandAvailable("git") {
+			log.Logger.Warn("Recommend installing git (if not, DB update is very slow)")
+		}
 		log.Logger.Debug("remove an existed directory")
 
-		s := spinner.New(spinner.CharSets[36], 100*time.Millisecond)
-		s.Suffix = " The first time will take a while..."
+		suffix := " The first time will take a while..."
+		s := utils.NewSpinner(suffix)
 		s.Start()
 		defer s.Stop()
 
@@ -51,6 +54,10 @@ func CloneOrPull(url, repoPath string) (map[string]struct{}, error) {
 			return nil, xerrors.Errorf("failed to clone repository: %w", err)
 		}
 
+	}
+
+	// Need to refresh all vulnerabilities
+	if db.GetVersion() == "" {
 		err = filepath.Walk(repoPath, func(path string, info os.FileInfo, err error) error {
 			if info.IsDir() {
 				return nil
@@ -74,7 +81,6 @@ func clone(url, repoPath string) error {
 	if utils.IsCommandAvailable("git") {
 		return cloneByOSCommand(url, repoPath)
 	}
-	log.Logger.Warn("Recommend installing git (if not, DB update is very slow)")
 
 	_, err := git.PlainClone(repoPath, false, &git.CloneOptions{
 		URL: url,

pkg/report/writer.go

@@ -42,8 +42,17 @@ func (tw TableWriter) write(result Result) {
 	severityCount := map[string]int{}
 	for _, v := range result.Vulnerabilities {
 		severityCount[v.Severity]++
+
+		title := v.Title
+		if title == "" {
+			title = v.Description
+		}
+		splittedTitle := strings.Split(title, " ")
+		if len(splittedTitle) >= 12 {
+			title = strings.Join(splittedTitle[:12], " ") + "..."
+		}
 		table.Append([]string{v.PkgName, v.VulnerabilityID, vulnerability.ColorizeSeverity(v.Severity),
-			v.InstalledVersion, v.FixedVersion, v.Title})
+			v.InstalledVersion, v.FixedVersion, title})
 	}
 
 	var results []string

pkg/run.go

@@ -5,6 +5,8 @@ import (
 	"os"
 	"strings"
 
+	"github.com/knqyf263/fanal/cache"
+
 	"github.com/knqyf263/trivy/pkg/utils"
 
 	"github.com/knqyf263/trivy/pkg/vulnsrc/vulnerability"
@@ -21,12 +23,26 @@ import (
 )
 
 func Run(c *cli.Context) (err error) {
+	cliVersion := c.App.Version
+
 	debug := c.Bool("debug")
 	if err = log.InitLogger(debug); err != nil {
 		l.Fatal(err)
 	}
 	log.Logger.Debugf("cache dir:  %s", utils.CacheDir())
 
+	clean := c.Bool("clean")
+	if clean {
+		log.Logger.Info("Cleaning caches...")
+		if err = cache.Clear(); err != nil {
+			return xerrors.New("failed to remove image layer cache")
+		}
+		if err = os.RemoveAll(utils.CacheDir()); err != nil {
+			return xerrors.New("failed to remove cache")
+		}
+		return nil
+	}
+
 	args := c.Args()
 	filePath := c.String("input")
 	if filePath == "" && len(args) == 0 {
@@ -34,13 +50,8 @@ func Run(c *cli.Context) (err error) {
 		cli.ShowAppHelpAndExit(c, 1)
 	}
 
-	clean := c.Bool("clean")
-	if clean {
-		log.Logger.Info("Cleaning caches...")
-		if err = os.RemoveAll(utils.CacheDir()); err != nil {
-			return xerrors.New("failed to remove cache")
-		}
-	}
+	utils.Quiet = c.Bool("quiet")
+
 	o := c.String("output")
 	output := os.Stdout
 	if o != "" {
@@ -53,26 +64,41 @@ func Run(c *cli.Context) (err error) {
 	for _, s := range strings.Split(c.String("severity"), ",") {
 		severity, err := vulnerability.NewSeverity(s)
 		if err != nil {
-			return xerrors.Errorf("error in severity option: %w", err)
+			log.Logger.Infof("error in severity option: %s", err)
+			cli.ShowAppHelpAndExit(c, 1)
 		}
 		severities = append(severities, severity)
 	}
 
+	if c.Bool("refresh") {
+		log.Logger.Info("Resetting DB...")
+		if err = db.Reset(); err != nil {
+			return xerrors.Errorf("error in refresh DB: %w", err)
+		}
+	}
+
 	if err = db.Init(); err != nil {
 		return xerrors.Errorf("error in vulnerability DB initialize: %w", err)
 	}
 
+	dbVersion := db.GetVersion()
+	if dbVersion != "" && dbVersion != cliVersion {
+		log.Logger.Fatal("Detected version update of trivy. Please try again with --refresh option")
+	}
+
 	if !c.Bool("skip-update") {
 		if err = vulnsrc.Update(); err != nil {
 			return xerrors.Errorf("error in vulnerability DB update: %w", err)
 		}
 	}
 
+	ignoreUnfixed := c.Bool("ignore-unfixed")
+
 	var imageName string
 	if filePath == "" {
 		imageName = args[0]
 	}
-	results, err := scanner.ScanImage(imageName, filePath, severities)
+	results, err := scanner.ScanImage(imageName, filePath, severities, ignoreUnfixed)
 	if err != nil {
 		return xerrors.Errorf("error in image scan: %w", err)
 	}
@@ -88,7 +114,20 @@ func Run(c *cli.Context) (err error) {
 	}
 
 	if err = writer.Write(results); err != nil {
-		return err
+		return xerrors.Errorf("failed to write results: %w", err)
+	}
+
+	if err = db.SetVersion(cliVersion); err != nil {
+		return xerrors.Errorf("unexpected error: %w", err)
+	}
+
+	exitCode := c.Int("exit-code")
+	if exitCode != 0 {
+		for _, result := range results {
+			if len(result.Vulnerabilities) > 0 {
+				os.Exit(exitCode)
+			}
+		}
 	}
 
 	return nil

pkg/scanner/scan.go

@@ -5,6 +5,9 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"sort"
+
+	"github.com/genuinetools/reg/registry"
 
 	"github.com/knqyf263/trivy/pkg/log"
 
@@ -31,11 +34,19 @@ var (
 		vulnerability.NodejsSecurityWg, vulnerability.PythonSafetyDB}
 )
 
-func ScanImage(imageName, filePath string, severities []vulnerability.Severity) (report.Results, error) {
+func ScanImage(imageName, filePath string, severities []vulnerability.Severity, ignoreUnfixed bool) (report.Results, error) {
 	var results report.Results
 	var err error
 	ctx := context.Background()
 
+	image, err := registry.ParseImage(imageName)
+	if err != nil {
+		return nil, xerrors.Errorf("invalid image: %w", err)
+	}
+	if image.Tag == "latest" {
+		log.Logger.Warn("You should avoid using the :latest tag as it is cached. You need to specify '--clean' option when :latest image is changed")
+	}
+
 	var target string
 	var files extractor.FileMap
 	if imageName != "" {
@@ -67,7 +78,7 @@ func ScanImage(imageName, filePath string, severities []vulnerability.Severity)
 
 	results = append(results, report.Result{
 		FileName:        fmt.Sprintf("%s (%s %s)", target, osFamily, osVersion),
-		Vulnerabilities: processVulnerabilties(osVulns, severities),
+		Vulnerabilities: processVulnerabilties(osVulns, severities, ignoreUnfixed),
 	})
 
 	libVulns, err := library.Scan(files)
@@ -77,7 +88,7 @@ func ScanImage(imageName, filePath string, severities []vulnerability.Severity)
 	for path, vulns := range libVulns {
 		results = append(results, report.Result{
 			FileName:        path,
-			Vulnerabilities: processVulnerabilties(vulns, severities),
+			Vulnerabilities: processVulnerabilties(vulns, severities, ignoreUnfixed),
 		})
 	}
 
@@ -91,26 +102,39 @@ func ScanFile(f *os.File, severities []vulnerability.Severity) (report.Result, e
 	}
 	result := report.Result{
 		FileName:        f.Name(),
-		Vulnerabilities: processVulnerabilties(vulns, severities),
+		Vulnerabilities: processVulnerabilties(vulns, severities, false),
 	}
 	return result, nil
 }
 
-func processVulnerabilties(vulns []types.Vulnerability, severities []vulnerability.Severity) []types.Vulnerability {
+func processVulnerabilties(vulns []types.Vulnerability, severities []vulnerability.Severity, ignoreUnfixed bool) []types.Vulnerability {
 	var vulnerabilities []types.Vulnerability
 	for _, vuln := range vulns {
-		sev, title := getDetail(vuln.VulnerabilityID)
+		sev, title, description, references := getDetail(vuln.VulnerabilityID)
 
 		// Filter vulnerabilities by severity
 		for _, s := range severities {
 			if s == sev {
 				vuln.Severity = fmt.Sprint(sev)
 				vuln.Title = title
+				vuln.Description = description
+				vuln.References = references
+
+				// Ignore unfixed vulnerabilities
+				if ignoreUnfixed && vuln.FixedVersion == "" {
+					continue
+				}
 				vulnerabilities = append(vulnerabilities, vuln)
 				break
 			}
 		}
 	}
+	sort.Slice(vulnerabilities, func(i, j int) bool {
+		if vulnerabilities[i].PkgName != vulnerabilities[j].PkgName {
+			return vulnerabilities[i].PkgName < vulnerabilities[j].PkgName
+		}
+		return vulnerability.CompareSeverityString(vulnerabilities[j].Severity, vulnerabilities[i].Severity)
+	})
 	return vulnerabilities
 }
 
@@ -126,17 +150,15 @@ func openStream(path string) (*os.File, error) {
 	return os.Open(path)
 }
 
-func getDetail(vulnID string) (vulnerability.Severity, string) {
+func getDetail(vulnID string) (vulnerability.Severity, string, string, []string) {
 	details, err := vulnerability.Get(vulnID)
 	if err != nil {
 		log.Logger.Debug(err)
-		return vulnerability.SeverityUnknown, ""
+		return vulnerability.SeverityUnknown, "", "", nil
 	} else if len(details) == 0 {
-		return vulnerability.SeverityUnknown, ""
+		return vulnerability.SeverityUnknown, "", "", nil
 	}
-	severity := getSeverity(details)
-	title := getTitle(details)
-	return severity, title
+	return getSeverity(details), getTitle(details), getDescription(details), getReferences(details)
 }
 
 func getSeverity(details map[string]vulnerability.Vulnerability) vulnerability.Severity {
@@ -171,6 +193,37 @@ func getTitle(details map[string]vulnerability.Vulnerability) string {
 	return ""
 }
 
+func getDescription(details map[string]vulnerability.Vulnerability) string {
+	for _, source := range sources {
+		d, ok := details[source]
+		if !ok {
+			continue
+		}
+		if d.Description != "" {
+			return d.Description
+		}
+	}
+	return ""
+}
+
+func getReferences(details map[string]vulnerability.Vulnerability) []string {
+	references := map[string]struct{}{}
+	for _, source := range sources {
+		d, ok := details[source]
+		if !ok {
+			continue
+		}
+		for _, ref := range d.References {
+			references[ref] = struct{}{}
+		}
+	}
+	var refs []string
+	for ref := range references {
+		refs = append(refs, ref)
+	}
+	return refs
+}
+
 func scoreToSeverity(score float64) vulnerability.Severity {
 	if score >= 9.0 {
 		return vulnerability.SeverityCritical

pkg/types/vulnerability.go

@@ -6,6 +6,8 @@ type Vulnerability struct {
 	InstalledVersion string
 	FixedVersion     string
 
-	Title    string
-	Severity string
+	Title       string
+	Description string
+	Severity    string
+	References  []string
 }

pkg/utils/progress.go

@@ -0,0 +1,63 @@
+package utils
+
+import (
+	"time"
+
+	"github.com/briandowns/spinner"
+	pb "gopkg.in/cheggaaa/pb.v1"
+)
+
+var (
+	Quiet = false
+)
+
+type Spinner struct {
+	client *spinner.Spinner
+}
+
+func NewSpinner(suffix string) *Spinner {
+	if Quiet {
+		return &Spinner{}
+	}
+	s := spinner.New(spinner.CharSets[36], 100*time.Millisecond)
+	s.Suffix = suffix
+	return &Spinner{client: s}
+}
+
+func (s *Spinner) Start() {
+	if s.client == nil {
+		return
+	}
+	s.client.Start()
+}
+func (s *Spinner) Stop() {
+	if s.client == nil {
+		return
+	}
+	s.client.Stop()
+}
+
+type ProgressBar struct {
+	client *pb.ProgressBar
+}
+
+func PbStartNew(total int) *ProgressBar {
+	if Quiet {
+		return &ProgressBar{}
+	}
+	bar := pb.StartNew(total)
+	return &ProgressBar{client: bar}
+}
+
+func (p *ProgressBar) Increment() {
+	if p.client == nil {
+		return
+	}
+	p.client.Increment()
+}
+func (p *ProgressBar) Finish() {
+	if p.client == nil {
+		return
+	}
+	p.client.Finish()
+}

pkg/vulnsrc/alpine/alpine.go

@@ -3,7 +3,6 @@ package alpine
 import (
 	"encoding/json"
 	"fmt"
-	"gopkg.in/cheggaaa/pb.v1"
 	"io"
 	"path/filepath"
 
@@ -37,7 +36,7 @@ func Update(dir string, updatedFiles map[string]struct{}) error {
 	}
 	log.Logger.Debugf("Alpine updated files: %d", len(targets))
 
-	bar := pb.StartNew(len(targets))
+	bar := utils.PbStartNew(len(targets))
 	defer bar.Finish()
 
 	var cves []AlpineCVE

pkg/vulnsrc/debian-oval/debian-oval.go

@@ -3,7 +3,6 @@ package debianoval
 import (
 	"encoding/json"
 	"fmt"
-	"gopkg.in/cheggaaa/pb.v1"
 	"io"
 	"os"
 	"path/filepath"
@@ -39,7 +38,7 @@ func Update(dir string, updatedFiles map[string]struct{}) error {
 	}
 	log.Logger.Debugf("Debian OVAL updated files: %d", len(targets))
 
-	bar := pb.StartNew(len(targets))
+	bar := utils.PbStartNew(len(targets))
 	defer bar.Finish()
 
 	var cves []DebianOVAL

pkg/vulnsrc/debian/debian.go

@@ -3,7 +3,6 @@ package debian
 import (
 	"encoding/json"
 	"fmt"
-	"gopkg.in/cheggaaa/pb.v1"
 	"io"
 	"path/filepath"
 	"strings"
@@ -45,7 +44,7 @@ func Update(dir string, updatedFiles map[string]struct{}) error {
 	}
 	log.Logger.Debugf("Debian updated files: %d", len(targets))
 
-	bar := pb.StartNew(len(targets))
+	bar := utils.PbStartNew(len(targets))
 	defer bar.Finish()
 
 	var cves []DebianCVE

pkg/vulnsrc/nvd/nvd.go

@@ -2,7 +2,6 @@ package nvd
 
 import (
 	"encoding/json"
-	"gopkg.in/cheggaaa/pb.v1"
 	"io"
 	"path/filepath"
 
@@ -19,9 +18,7 @@ import (
 )
 
 const (
-	nvdDir       = "nvd"
-	rootBucket   = "NVD"
-	nestedBucket = "dummy"
+	nvdDir = "nvd"
 )
 
 func Update(dir string, updatedFiles map[string]struct{}) error {
@@ -35,11 +32,11 @@ func Update(dir string, updatedFiles map[string]struct{}) error {
 	}
 	log.Logger.Debugf("NVD updated files: %d", len(targets))
 
-	bar := pb.StartNew(len(targets))
+	bar := utils.PbStartNew(len(targets))
 	defer bar.Finish()
-	var items []vulnerability.Item
+	var items []Item
 	err = utils.FileWalk(rootDir, targets, func(r io.Reader, _ string) error {
-		item := vulnerability.Item{}
+		item := Item{}
 		if err := json.NewDecoder(r).Decode(&item); err != nil {
 			return xerrors.Errorf("failed to decode NVD JSON: %w", err)
 		}
@@ -58,20 +55,33 @@ func Update(dir string, updatedFiles map[string]struct{}) error {
 	return nil
 }
 
-func save(items []vulnerability.Item) error {
+func save(items []Item) error {
 	log.Logger.Debug("NVD batch update")
 	err := vulnerability.BatchUpdate(func(b *bolt.Bucket) error {
 		for _, item := range items {
 			cveID := item.Cve.Meta.ID
 			severity, _ := vulnerability.NewSeverity(item.Impact.BaseMetricV2.Severity)
 			severityV3, _ := vulnerability.NewSeverity(item.Impact.BaseMetricV3.CvssV3.BaseSeverity)
+
+			var references []string
+			for _, ref := range item.Cve.References.ReferenceDataList {
+				references = append(references, ref.URL)
+			}
+
+			var description string
+			for _, d := range item.Cve.Description.DescriptionDataList {
+				if d.Value != "" {
+					description = d.Value
+					break
+				}
+			}
+
 			vuln := vulnerability.Vulnerability{
-				Severity:   severity,
-				SeverityV3: severityV3,
-				// TODO
-				References:  []string{},
+				Severity:    severity,
+				SeverityV3:  severityV3,
+				References:  references,
 				Title:       "",
-				Description: "",
+				Description: description,
 			}
 
 			if err := db.Put(b, cveID, vulnerability.Nvd, vuln); err != nil {

pkg/vulnsrc/nvd/types.go

@@ -0,0 +1,55 @@
+package nvd
+
+type NVD struct {
+	CVEItems []Item `json:"CVE_Items"`
+}
+
+type Item struct {
+	Cve    Cve
+	Impact Impact
+}
+
+type Cve struct {
+	Meta        Meta `json:"CVE_data_meta"`
+	References  References
+	Description Description
+}
+
+type Meta struct {
+	ID string
+}
+
+type Impact struct {
+	BaseMetricV2 BaseMetricV2
+	BaseMetricV3 BaseMetricV3
+}
+
+type BaseMetricV2 struct {
+	Severity string
+}
+
+type BaseMetricV3 struct {
+	CvssV3 CvssV3
+}
+
+type CvssV3 struct {
+	BaseSeverity string
+}
+
+type References struct {
+	ReferenceDataList []ReferenceData `json:"reference_data"`
+}
+type ReferenceData struct {
+	Name      string
+	Refsource string
+	URL       string
+}
+
+type Description struct {
+	DescriptionDataList []DescriptionData `json:"description_data"`
+}
+
+type DescriptionData struct {
+	Lang  string
+	Value string
+}

pkg/vulnsrc/redhat/redhat.go

@@ -3,7 +3,6 @@ package redhat
 import (
 	"encoding/json"
 	"fmt"
-	"gopkg.in/cheggaaa/pb.v1"
 	"io"
 	"io/ioutil"
 	"path/filepath"
@@ -41,7 +40,7 @@ func Update(dir string, updatedFiles map[string]struct{}) error {
 	}
 	log.Logger.Debugf("Red Hat updated files: %d", len(targets))
 
-	bar := pb.StartNew(len(targets))
+	bar := utils.PbStartNew(len(targets))
 	defer bar.Finish()
 
 	var cves []RedhatCVE

pkg/vulnsrc/ubuntu/ubuntu.go

@@ -3,7 +3,6 @@ package ubuntu
 import (
 	"encoding/json"
 	"fmt"
-	"gopkg.in/cheggaaa/pb.v1"
 	"io"
 	"path/filepath"
 
@@ -56,7 +55,7 @@ func Update(dir string, updatedFiles map[string]struct{}) error {
 	}
 	log.Logger.Debugf("Ubuntu OVAL updated files: %d", len(targets))
 
-	bar := pb.StartNew(len(targets))
+	bar := utils.PbStartNew(len(targets))
 	defer bar.Finish()
 
 	var cves []UbuntuCVE

pkg/vulnsrc/vulnerability/types.go

@@ -43,6 +43,12 @@ func NewSeverity(severity string) (Severity, error) {
 	return SeverityUnknown, fmt.Errorf("unknown severity: %s", severity)
 }
 
+func CompareSeverityString(sev1, sev2 string) bool {
+	s1, _ := NewSeverity(sev1)
+	s2, _ := NewSeverity(sev2)
+	return s1 < s2
+}
+
 func ColorizeSeverity(severity string) string {
 	for i, name := range SeverityNames {
 		if severity == name {
@@ -59,37 +65,3 @@ func (s Severity) String() string {
 type LastUpdated struct {
 	Date time.Time
 }
-
-type NVD struct {
-	CVEItems []Item `json:"CVE_Items"`
-}
-
-type Item struct {
-	Cve    Cve
-	Impact Impact
-}
-
-type Cve struct {
-	Meta Meta `json:"CVE_data_meta"`
-}
-
-type Meta struct {
-	ID string
-}
-
-type Impact struct {
-	BaseMetricV2 BaseMetricV2
-	BaseMetricV3 BaseMetricV3
-}
-
-type BaseMetricV2 struct {
-	Severity string
-}
-
-type BaseMetricV3 struct {
-	CvssV3 CvssV3
-}
-
-type CvssV3 struct {
-	BaseSeverity string
-}

pkg/vulnsrc/vulnsrc.go

@@ -1,6 +1,8 @@
 package vulnsrc
 
 import (
+	"path/filepath"
+
 	"github.com/knqyf263/trivy/pkg/git"
 	"github.com/knqyf263/trivy/pkg/log"
 	"github.com/knqyf263/trivy/pkg/utils"
@@ -11,7 +13,6 @@ import (
 	"github.com/knqyf263/trivy/pkg/vulnsrc/redhat"
 	"github.com/knqyf263/trivy/pkg/vulnsrc/ubuntu"
 	"golang.org/x/xerrors"
-	"path/filepath"
 )
 
 const (