feat(library): support a custom data source (#613)

* chore(mod): update trivy-db

* refactor(detector/library): use programming language instead of package
manager

* feat(library): add general advisory

* test(utils): add a util function initializing DB

* test(advisory): add tests

* chore: use aquasecurity/bolt-fixtures

* refactor: add comments

* chore(mod): revert fanal version

* chore(mod): update trivy-db

* refactor: update the comment

.circleci/codecov.yml

@@ -1,8 +0,0 @@
-coverage:
-  status:
-    project:
-      default:
-        informational: true
-    patch:
-      default:
-        informational: true

README.md

@@ -46,6 +46,7 @@ A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifa
     + [Filter the vulnerabilities by severities](#filter-the-vulnerabilities-by-severities)
     + [Filter the vulnerabilities by type](#filter-the-vulnerabilities-by-type)
     + [Filter the vulnerabilities by Open Policy Agent](#filter-the-vulnerabilities-by-open-policy-agent-policy)
+    + [Skip traversal in the specific directory](#skip-traversal-in-the-specific-directory)
     + [Skip update of vulnerability DB](#skip-update-of-vulnerability-db)
     + [Only download vulnerability database](#only-download-vulnerability-database)
     + [Ignore unfixed vulnerabilities](#ignore-unfixed-vulnerabilities)
@@ -66,6 +67,7 @@ A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifa
   * [CircleCI](#circleci)
   * [GitLab CI](#gitlab-ci)
   * [AWS CodePipeline](#aws-codepipeline)
+  * [AWS Security Hub](#aws-security-hub)
   * [Authorization for Private Docker Registry](#authorization-for-private-docker-registry)
 - [Vulnerability Detection](#vulnerability-detection)
   * [OS Packages](#os-packages)
@@ -899,7 +901,9 @@ In the following example using the template `sarif.tpl` [Sarif](https://docs.git
 ```
 $ trivy image --format template --template "@contrib/sarif.tpl" -o report.sarif  golang:1.12-alpine
 ```
+This SARIF format can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action](https://github.com/aquasecurity/trivy-action) for automating this process.
 
+Trivy also supports an [ASFF template for reporting findings to AWS Security Hub](docs/integration/security-hub.md)
 ### Filter the vulnerabilities by severities
 
 ```
@@ -1134,6 +1138,13 @@ Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 
 </details>
 
+### Skip traversal in the specific directory
+Trivy traversals directories and look for all lock files by default. If your image contains lock files which are not maintained by you, you can skip traversal in the specific directory.
+
+```
+$ trivy image --skip-dirs "/usr/lib/ruby/gems,/etc" fluent/fluentd:edge
+```
+
 
 ### Skip update of vulnerability DB
 
@@ -1555,6 +1566,10 @@ trivy:
 
 See [this blog post](https://aws.amazon.com/blogs/containers/scanning-images-with-trivy-in-an-aws-codepipeline/) for an example of using Trivy within AWS CodePipeline.
 
+## AWS Security Hub
+
+See [here](docs/integration/security-hub.md)
+
 ## Authorization for Private Docker Registry
 
 Trivy can download images from a private registry, without installing `Docker` or any other 3rd party tools.
@@ -1733,6 +1748,7 @@ OPTIONS:
    --timeout value     docker timeout (default: 2m0s) [$TRIVY_TIMEOUT]
    --light             light mode: it's faster, but vulnerability descriptions and references are not displayed (default: false) [$TRIVY_LIGHT]
    --list-all-pkgs     enabling the option will output all packages regardless of vulnerability [$TRIVY_LIST_ALL_PKGS]
+   --skip-dirs value   specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --help, -h          show help (default: false)
 ```
 

codecov.yml

@@ -0,0 +1,12 @@
+coverage:
+  status:
+    project:
+      default:
+        informational: true
+        target: auto
+        threshold: 100%
+    patch:
+      default:
+        informational: true
+        target: auto
+        threshold: 100%

contrib/asff.tpl

@@ -0,0 +1,78 @@
+[
+{{- $t_first := true -}}
+{{- range . -}}
+{{- $target := .Target -}}
+{{- range .Vulnerabilities -}}
+{{- if $t_first -}}
+  {{- $t_first = false -}}
+{{- else -}}
+  ,
+{{- end -}}
+{{- $trivyProductSev := 0 -}}
+{{- $trivyNormalizedSev := 0 -}}
+{{- if eq .Severity "LOW" -}}
+    {{- $trivyProductSev = 1 -}}
+    {{- $trivyNormalizedSev = 10 -}}
+  {{- else if eq .Severity "MEDIUM" -}}
+    {{- $trivyProductSev = 4 -}}
+    {{- $trivyNormalizedSev = 40 -}}
+  {{- else if eq .Severity "HIGH" -}}
+    {{- $trivyProductSev = 7 -}}
+    {{- $trivyNormalizedSev = 70 -}}
+  {{- else if eq .Severity "CRITICAL" -}}
+    {{- $trivyProductSev = 9 -}}
+    {{- $trivyNormalizedSev = 90 -}}
+{{- end }}
+{{- $description := .Description -}}
+{{- if gt (len $description ) 1021 -}}
+    {{- $description = (slice $description 0 1021) | printf "%v .." -}}
+{{- end}}
+    {
+        "SchemaVersion": "2018-10-08",
+        "Id": "{{ $target }}/{{ .VulnerabilityID }}",
+        "ProductArn": "arn:aws:securityhub:{{ getEnv "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+        "GeneratorId": "Trivy",
+        "AwsAccountId": "{{ getEnv "AWS_ACCOUNT_ID" }}",
+        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+        "CreatedAt": "{{ getCurrentTime }}",
+        "UpdatedAt": "{{ getCurrentTime }}",
+        "Severity": {
+            "Product": {{ $trivyProductSev }},
+            "Normalized": {{ $trivyNormalizedSev }}
+        },
+        "Title": "Trivy found a vulnerability to {{ .VulnerabilityID }} in container {{ $target }}",
+        "Description": {{ escapeString $description | printf "%q" }},
+        "Remediation": {
+            "Recommendation": {
+                "Text": "More information on this vulnerability is provided in the hyperlink",
+                "Url": "{{ index .References 0 }}"
+            }
+        },
+        "ProductFields": { "Product Name": "Trivy" },
+        "Resources": [
+            {
+                "Type": "Container",
+                "Id": "{{ $target }}",
+                "Partition": "aws",
+                "Region": "{{ getEnv "AWS_REGION" }}",
+                "Details": {
+                    "Container": { "ImageName": "{{ $target }}" },
+                    "Other": {
+                        "CVE ID": "{{ .VulnerabilityID }}",
+                        "CVE Title": {{ .Title | printf "%q" }},
+                        "PkgName": "{{ .PkgName }}",
+                        "Installed Package": "{{ .InstalledVersion }}",
+                        "Patched Package": "{{ .FixedVersion }}",
+                        "NvdCvssScoreV3": "{{ (index .CVSS "nvd").V3Score }}",
+                        "NvdCvssVectorV3": "{{ (index .CVSS "nvd").V3Vector }}",
+                        "NvdCvssScoreV2": "{{ (index .CVSS "nvd").V2Score }}",
+                        "NvdCvssVectorV2": "{{ (index .CVSS "nvd").V2Vector }}"
+                    }
+                }
+            }
+        ],
+        "RecordState": "ACTIVE"
+    }
+   {{- end -}}
+  {{- end }}
+]

contrib/sarif.tpl

@@ -20,20 +20,20 @@
               "id": "[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}",
               "name": "dockerfile_scan",
               "shortDescription": {
-                "text": "{{ .VulnerabilityID }} Package: {{ .PkgName }}"
+                "text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | printf "%q" }}
               },
               "fullDescription": {
-                "text": "{{ endWithPeriod (escapeString .Title) }}"
+                "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
               },
               "help": {
-                "text": "Vulnerability {{ .VulnerabilityID }}\nSeverity: {{ .Vulnerability.Severity }}\nPackage: {{ .PkgName }}\nInstalled Version: {{ .InstalledVersion }}\nFixed Version: {{ .FixedVersion }}\nLink: [{{ .VulnerabilityID }}](https://nvd.nist.gov/vuln/detail/{{ .VulnerabilityID | toLower }})",
-                "markdown": "**Vulnerability {{ .VulnerabilityID }}**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|{{ .Vulnerability.Severity }}|{{ .PkgName }}|{{ .InstalledVersion }}|{{ .FixedVersion }}|[{{ .VulnerabilityID }}](https://nvd.nist.gov/vuln/detail/{{ .VulnerabilityID | toLower }})|\n"
+                "text": {{ printf "Vulnerability %v\nSeverity: %v\nPackage: %v\nInstalled Version: %v\nFixed Version: %v\nLink: [%v](https://nvd.nist.gov/vuln/detail/%v)" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID (.VulnerabilityID | toLower) | printf "%q"}},
+                "markdown": {{ printf "**Vulnerability %v**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|%v|%v|%v|%v|[%v](https://nvd.nist.gov/vuln/detail/%v)|\n" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID (.VulnerabilityID | toLower) | printf "%q"}}
               },
               "properties": {
                 "tags": [
                   "vulnerability",
                   "{{ .Vulnerability.Severity }}",
-                  "{{ .PkgName }}"
+                  {{ .PkgName | printf "%q" }}
                 ],
                 "precision": "very-high"
               }

docs/integration/security-hub.md

@@ -0,0 +1,29 @@
+# AWS Security Hub
+
+## Upload findings to Security Hub
+
+In the following example using the template `asff.tpl`, [ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) file can be generated.
+
+```
+$ AWS_REGION=us-west-1 AWS_ACCOUNT_ID=123456789012 trivy image --format template --template "@contrib/asff.tpl" -o report.asff golang:1.12-alpine
+```
+
+ASFF template needs AWS_REGION and AWS_ACCOUNT_ID from environment variables.
+
+Then, you can upload it with AWS CLI.
+
+```
+$ aws securityhub batch-import-findings --findings file://report.asff
+```
+
+## Customize
+You can customize [asff.tpl](../../contrib/asff.tpl).
+
+```
+$ export AWS_REGION=us-west-1
+$ export AWS_ACCOUNT_ID=123456789012
+$ trivy image --format template --template "@your-asff.tpl" -o report.asff golang:1.12-alpine
+```
+
+## Reference
+https://aws.amazon.com/blogs/security/how-to-build-ci-cd-pipeline-container-vulnerability-scanning-trivy-and-aws-security-hub/

go.mod

@@ -4,9 +4,10 @@ go 1.13
 
 require (
 	github.com/Masterminds/semver/v3 v3.1.0
-	github.com/aquasecurity/fanal v0.0.0-20200528202907-79693bf4a058
+	github.com/aquasecurity/bolt-fixtures v0.0.0-20200825112230-c0f517aea2ed
+	github.com/aquasecurity/fanal v0.0.0-20200820074632-6de62ef86882
 	github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
-	github.com/aquasecurity/trivy-db v0.0.0-20200715174849-fa5a3ca24b16
+	github.com/aquasecurity/trivy-db v0.0.0-20200826140828-6da6467703aa
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3
@@ -20,7 +21,6 @@ require (
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
 	github.com/kylelemons/godebug v1.1.0
-	github.com/mattn/go-colorable v0.1.4 // indirect
 	github.com/olekukonko/tablewriter v0.0.2-0.20190607075207-195002e6e56a
 	github.com/open-policy-agent/opa v0.21.1
 	github.com/spf13/afero v1.2.2
@@ -32,6 +32,6 @@ require (
 	go.uber.org/multierr v1.4.0 // indirect
 	go.uber.org/zap v1.13.0
 	golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45
-	golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
 	k8s.io/utils v0.0.0-20191114184206-e782cd3c129f
 )

go.sum

@@ -50,14 +50,16 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
-github.com/aquasecurity/fanal v0.0.0-20200528202907-79693bf4a058 h1:vNAuJrimb3eqXSFMhZJNf0PVHfzHFnCRMDuhVi7z2Ok=
-github.com/aquasecurity/fanal v0.0.0-20200528202907-79693bf4a058/go.mod h1:omM/xBVqAPNzdV/MegrjayEkKEZzI+eUpyjCXpbTMG0=
+github.com/aquasecurity/bolt-fixtures v0.0.0-20200825112230-c0f517aea2ed h1:o6vSjobtDn634//l4yBCGCC2RWoRc4K5AUH8W8DZZds=
+github.com/aquasecurity/bolt-fixtures v0.0.0-20200825112230-c0f517aea2ed/go.mod h1:eViGpgc5g/JGRHWUfVaNLFJQwXQOVWDDQ40c7uViyZU=
+github.com/aquasecurity/fanal v0.0.0-20200820074632-6de62ef86882 h1:65VcAKqhkKwMpLr9Wz+wNnsk+U+lv+v/qfOK04uXT3E=
+github.com/aquasecurity/fanal v0.0.0-20200820074632-6de62ef86882/go.mod h1:VP1+n6hMi6krpA0umEl0CkJp4hbg0R21kXWg0mjrekc=
 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ulc/gvfWm4ylhVaR7MxOwujRjA6et7KhmUbSgUFf4=
 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ=
 github.com/aquasecurity/testdocker v0.0.0-20200426142840-5f05bce6f12a h1:hsw7PpiymXP64evn/K7gsj3hWzMqLrdoeE6JkqDocVg=
 github.com/aquasecurity/testdocker v0.0.0-20200426142840-5f05bce6f12a/go.mod h1:psfu0MVaiTDLpNxCoNsTeILSKY2EICBwv345f3M+Ffs=
-github.com/aquasecurity/trivy-db v0.0.0-20200715174849-fa5a3ca24b16 h1:Hh9MOUaJGI+PS9ZULxYqYQmsFfvtktt8jD7gMt43BA8=
-github.com/aquasecurity/trivy-db v0.0.0-20200715174849-fa5a3ca24b16/go.mod h1:EiFA908RL0ACrbYo/9HfT7f9QcdC2bZoIO5XAAcvz9A=
+github.com/aquasecurity/trivy-db v0.0.0-20200826140828-6da6467703aa h1:v+ghkIw3D3qUP++M3e9XGkkoq59iZdCOT4uxj4l2pXs=
+github.com/aquasecurity/trivy-db v0.0.0-20200826140828-6da6467703aa/go.mod h1:/uvzkPkLMA6ZM1M2uIODx5J7b1wYb/goJ34Nidcukaw=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83/go.mod h1:SLqhdZcd+dF3TEVL2RMoob5bBP5R1P1qkox+HtCBgGI=
@@ -146,6 +148,8 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7
 github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s=
+github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
@@ -181,7 +185,11 @@ github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dp
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM=
+github.com/go-playground/locales v0.13.0 h1:HyWk6mgj5qFqCT5fjGBuRArbVDfE4hi8+e8ceBS/t7Q=
+github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
 github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY=
+github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD876Lmtgy7VtROAbHHXk8no=
+github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
 github.com/go-redis/redis v6.15.7+incompatible h1:3skhDh95XQMpnqeqNftPkQD9jL9e5e36z/1SUm6dy1U=
 github.com/go-redis/redis v6.15.7+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
 github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
@@ -189,6 +197,8 @@ github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LB
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
+github.com/goccy/go-yaml v1.8.0 h1:WCe9sBiI0oZb6EC6f3kq3dv0+aEiNdstT7b4xxq4MJQ=
+github.com/goccy/go-yaml v1.8.0/go.mod h1:wS4gNoLalDSJxo/SpngzPQ2BN4uuZVLCmbM4S3vd4+Y=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
@@ -306,6 +316,8 @@ github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LE
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw=
+github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y=
+github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
@@ -316,12 +328,17 @@ github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcncea
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.7 h1:bQGKb3vps/j0E9GfJQ03JyhRuxsvdAanXlT9BTw3mdw=
+github.com/mattn/go-colorable v0.1.7/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
 github.com/mattn/go-isatty v0.0.5/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
 github.com/mattn/go-isatty v0.0.10 h1:qxFzApOv4WsAL965uUPIsXzAKCZxN2p9UqdhFS4ZW10=
 github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
+github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
+github.com/mattn/go-isatty v0.0.12 h1:wuysRhFDzyxgEmMf5xjvJ2M9dZoWAXNNr5LSBS7uHXY=
+github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-jsonpointer v0.0.0-20180225143300-37667080efed/go.mod h1:SDJ4hurDYyQ9/7nc+eCYtXqdufgK4Cq9TJlwPklqEYA=
 github.com/mattn/go-runewidth v0.0.0-20181025052659-b20a3daf6a39/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
 github.com/mattn/go-runewidth v0.0.2/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
@@ -444,6 +461,8 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0 h1:Hbg2NidpLE8veEBkEZTL3CvlkUIVzuU9jDplZO54c48=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
+github.com/stretchr/objx v0.3.0 h1:NGXK3lHquSN08v5vWalVI/L8XU9hdzE/G6xsrze47As=
+github.com/stretchr/objx v0.3.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
@@ -473,8 +492,8 @@ github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:
 github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b h1:vVRagRXf67ESqAb72hG2C/ZwI8NtJF2u2V76EsuOHGY=
 github.com/yashtewari/glob-intersection v0.0.0-20180916065949-5c77d914dd0b/go.mod h1:HptNXiXVDcJjXe9SqMd0v2FsL9f8dz4GnXgltU6q/co=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
-go.etcd.io/bbolt v1.3.4 h1:hi1bXHMVrlQh6WwxAy+qZCV/SYIlqo+Ushwdpa4tAKg=
-go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
+go.etcd.io/bbolt v1.3.5 h1:XAzx9gjCb0Rxj7EoqcClPD1d5ZBxZJk0jbuoPHenBt0=
+go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
 go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -502,6 +521,9 @@ golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073 h1:xMPOj6Pz6UipU1wXLkrtqpHbR0AVFnyPEQq/wRWz9lM=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de h1:ikNHVSjEfnvz6sxdSPCaPt572qowuyMDMJLLm3Db3ig=
+golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -535,9 +557,10 @@ golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20190813141303-74dc4d7220e7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a h1:GuSPYbZzB5/dcLNCwLQLsg3obCJtX9IJhpXkvY7kzk0=
 golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344 h1:vGXIOMxbNfDTk/aXCmfdLgkrSV+Z2tcbze+pEc3v5W4=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
@@ -549,6 +572,8 @@ golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 h1:qwRHBd0NqMbJxfbotnDhm2ByMI1Shq4Y6oRJo21SGJA=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20170830134202-bb24a47a89ea/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -571,11 +596,17 @@ golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191010194322-b09406accb47/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191128015809-6d18c012aee9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200327173247-9dae0f8f5775 h1:TC0v2RSO1u2kn1ZugjrFXkRZAEaqMN/RW+OTZkBzmLE=
 golang.org/x/sys v0.0.0-20200327173247-9dae0f8f5775/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200824131525-c12d262b63d8 h1:AvbQYmiaaaza3cW3QXRyPo5kYgpFIzOAfeAAN7m3qQ4=
+golang.org/x/sys v0.0.0-20200824131525-c12d262b63d8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -614,8 +645,9 @@ golang.org/x/tools v0.0.0-20200210192313-1ace956b0e17/go.mod h1:TB2adYChydJhpapK
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0=
 gonum.org/v1/netlib v0.0.0-20190313105609-8cb42192e0e0/go.mod h1:wa6Ws7BG/ESfp6dHfk7C6KdzKA7wR7u/rKwOGE66zvw=
 gonum.org/v1/netlib v0.0.0-20190331212654-76723241ea4e/go.mod h1:kS+toOQn6AQKjmKJ7gzohV1XkqsFehRA2FbsbkopSuQ=
@@ -654,8 +686,11 @@ gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
+gopkg.in/go-playground/assert.v1 v1.2.1 h1:xoYuJVE7KT85PYWrN730RguIQO0ePzVRfFMXadIrXTM=
 gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE=
 gopkg.in/go-playground/validator.v9 v9.29.1/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
+gopkg.in/go-playground/validator.v9 v9.30.0 h1:Wk0Z37oBmKj9/n+tPyBHZmeL19LaCoK3Qq48VwYENss=
+gopkg.in/go-playground/validator.v9 v9.30.0/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
@@ -670,10 +705,12 @@ gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bl
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
+gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v0.0.0-20181223230014-1083505acf35/go.mod h1:R//lfYlUuTOTfblYI3lGoAAAebUdzjvbmQsuB7Ykd90=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=

integration/client_server_test.go

@@ -17,6 +17,7 @@ import (
 	"github.com/urfave/cli/v2"
 
 	"github.com/aquasecurity/trivy/internal"
+	"github.com/aquasecurity/trivy/pkg/report"
 )
 
 type args struct {
@@ -309,12 +310,27 @@ func TestClientServer(t *testing.T) {
 			},
 			golden: "testdata/busybox-with-lockfile.json.golden",
 		},
+		{
+			name: "alpine 3.10 integration with ASFF template",
+			testArgs: args{
+				Format:       "template",
+				TemplatePath: "@../contrib/asff.tpl",
+				Version:      "dev",
+				Input:        "testdata/fixtures/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.asff.golden",
+		},
 	}
 
 	app, addr, cacheDir := setup(t, "", "")
 
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
+			report.Now = func() time.Time {
+				return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
+			}
+			os.Setenv("AWS_REGION", "test-region")
+			os.Setenv("AWS_ACCOUNT_ID", "123456789012")
 			osArgs, outputFile, cleanup := setupClient(t, c.testArgs, addr, cacheDir, c.golden)
 			defer cleanup()
 

integration/registry_test.go

@@ -188,7 +188,7 @@ func TestRegistry(t *testing.T) {
 			require.NoError(t, err)
 
 			// 2. Scan it
-			resultFile, err := scan(imageRef, baseDir, tc.option)
+			resultFile, cleanup, err := scan(imageRef, baseDir, tc.golden, tc.option)
 
 			if tc.wantErr != "" {
 				require.NotNil(t, err)
@@ -197,7 +197,7 @@ func TestRegistry(t *testing.T) {
 			} else {
 				require.NoError(t, err)
 			}
-			defer os.Remove(resultFile)
+			defer cleanup()
 
 			// 3. Compare want and got
 			golden, err := os.Open(tc.golden)
@@ -220,29 +220,36 @@ func TestRegistry(t *testing.T) {
 	}
 }
 
-func scan(imageRef name.Reference, baseDir string, opt registryOption) (string, error) {
+func scan(imageRef name.Reference, baseDir, goldenFile string, opt registryOption) (string, func(), error) {
+	cleanup := func() {}
+
 	// Copy DB file
 	cacheDir, err := gunzipDB()
 	if err != nil {
-		return "", err
+		return "", cleanup, err
 	}
 	defer os.RemoveAll(cacheDir)
 
 	// Setup the output file
 	var outputFile string
-	output, err := ioutil.TempFile("", "integration")
-	if err != nil {
-		return "", err
-	}
-	if err = output.Close(); err != nil {
-		return "", err
-	}
+	if *update && goldenFile != "" {
+		outputFile = goldenFile
+	} else {
+		output, err := ioutil.TempFile("", "integration")
+		if err != nil {
+			return "", cleanup, err
+		}
+		defer output.Close()
 
-	outputFile = output.Name()
+		outputFile = output.Name()
+		cleanup = func() {
+			os.Remove(outputFile)
+		}
+	}
 
 	// Setup env
 	if err = setupEnv(imageRef, baseDir, opt); err != nil {
-		return "", err
+		return "", cleanup, err
 	}
 	defer unsetEnv()
 
@@ -254,9 +261,9 @@ func scan(imageRef name.Reference, baseDir string, opt registryOption) (string,
 
 	// Run Trivy
 	if err = app.Run(osArgs); err != nil {
-		return "", err
+		return "", cleanup, err
 	}
-	return outputFile, nil
+	return outputFile, cleanup, nil
 }
 
 func setupEnv(imageRef name.Reference, baseDir string, opt registryOption) error {

integration/testdata/alpine-310-ignore-cveids.json.golden

@@ -5,7 +5,7 @@
     "Vulnerabilities": [
       {
         "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r2",
         "Layer": {
@@ -32,7 +32,58 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: side-channel weak encryption vulnerability",
+        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "LOW",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://arxiv.org/abs/1909.01785",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1551",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r2",
+        "Layer": {
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+          "https://github.com/openssl/openssl/pull/10575",
+          "https://seclists.org/bugtraq/2019/Dec/39",
+          "https://seclists.org/bugtraq/2019/Dec/46",
+          "https://security.netapp.com/advisory/ntap-20191210-0001/",
+          "https://www.debian.org/security/2019/dsa-4594",
+          "https://www.openssl.org/news/secadv/20191206.txt",
+          "https://www.tenable.com/security/tns-2019-09"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1547",
+        "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {

integration/testdata/alpine-310-ignore-unfixed.json.golden

@@ -5,7 +5,7 @@
     "Vulnerabilities": [
       {
         "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {
@@ -26,7 +26,7 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r2",
         "Layer": {
@@ -53,7 +53,7 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {
@@ -76,7 +76,102 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: side-channel weak encryption vulnerability",
+        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "LOW",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://arxiv.org/abs/1909.01785",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1549",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: information disclosure in fork()",
+        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://support.f5.com/csp/article/K44070243",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1551",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r2",
+        "Layer": {
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+          "https://github.com/openssl/openssl/pull/10575",
+          "https://seclists.org/bugtraq/2019/Dec/39",
+          "https://seclists.org/bugtraq/2019/Dec/46",
+          "https://security.netapp.com/advisory/ntap-20191210-0001/",
+          "https://www.debian.org/security/2019/dsa-4594",
+          "https://www.openssl.org/news/secadv/20191206.txt",
+          "https://www.tenable.com/security/tns-2019-09"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1563",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1547",
+        "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {

integration/testdata/alpine-310-medium-high.json.golden

@@ -5,7 +5,7 @@
     "Vulnerabilities": [
       {
         "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {
@@ -26,7 +26,7 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r2",
         "Layer": {
@@ -53,7 +53,78 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1549",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: information disclosure in fork()",
+        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://support.f5.com/csp/article/K44070243",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1551",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r2",
+        "Layer": {
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+          "https://github.com/openssl/openssl/pull/10575",
+          "https://seclists.org/bugtraq/2019/Dec/39",
+          "https://seclists.org/bugtraq/2019/Dec/46",
+          "https://security.netapp.com/advisory/ntap-20191210-0001/",
+          "https://www.debian.org/security/2019/dsa-4594",
+          "https://www.openssl.org/news/secadv/20191206.txt",
+          "https://www.tenable.com/security/tns-2019-09"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1563",
+        "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {

integration/testdata/alpine-310-registry.json.golden

@@ -1,16 +1,16 @@
 [
   {
-    "Target": "localhost:5000/alpine:3.10 (alpine 3.10.2)",
+    "Target": "localhost:32787/alpine:3.10 (alpine 3.10.2)",
     "Type": "alpine",
     "Vulnerabilities": [
       {
         "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609"
+          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
         },
         "SeveritySource": "nvd",
         "Title": "openssl: information disclosure in fork()",
@@ -27,12 +27,12 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r2",
         "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609"
+          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
         },
         "SeveritySource": "nvd",
         "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
@@ -55,12 +55,12 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609"
+          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
         },
         "SeveritySource": "nvd",
         "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
@@ -79,12 +79,111 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0",
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609"
+          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: side-channel weak encryption vulnerability",
+        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "LOW",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://arxiv.org/abs/1909.01785",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1549",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: information disclosure in fork()",
+        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://support.f5.com/csp/article/K44070243",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1551",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r2",
+        "Layer": {
+          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+          "https://github.com/openssl/openssl/pull/10575",
+          "https://seclists.org/bugtraq/2019/Dec/39",
+          "https://seclists.org/bugtraq/2019/Dec/46",
+          "https://security.netapp.com/advisory/ntap-20191210-0001/",
+          "https://www.debian.org/security/2019/dsa-4594",
+          "https://www.openssl.org/news/secadv/20191206.txt",
+          "https://www.tenable.com/security/tns-2019-09"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1563",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1547",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
         },
         "SeveritySource": "nvd",
         "Title": "openssl: side-channel weak encryption vulnerability",

integration/testdata/alpine-310.asff.golden

@@ -0,0 +1,370 @@
+[
+    {
+        "SchemaVersion": "2018-10-08",
+        "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1549",
+        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
+        "GeneratorId": "Trivy",
+        "AwsAccountId": "123456789012",
+        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
+        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
+        "Severity": {
+            "Product": 4,
+            "Normalized": 40
+        },
+        "Title": "Trivy found a vulnerability to CVE-2019-1549 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+        "Remediation": {
+            "Recommendation": {
+                "Text": "More information on this vulnerability is provided in the hyperlink",
+                "Url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549"
+            }
+        },
+        "ProductFields": { "Product Name": "Trivy" },
+        "Resources": [
+            {
+                "Type": "Container",
+                "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+                "Partition": "aws",
+                "Region": "test-region",
+                "Details": {
+                    "Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
+                    "Other": {
+                        "CVE ID": "CVE-2019-1549",
+                        "CVE Title": "openssl: information disclosure in fork()",
+                        "PkgName": "libcrypto1.1",
+                        "Installed Package": "1.1.1c-r0",
+                        "Patched Package": "1.1.1d-r0",
+                        "NvdCvssScoreV3": "0",
+                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV2": "0",
+                        "NvdCvssVectorV2": ""
+                    }
+                }
+            }
+        ],
+        "RecordState": "ACTIVE"
+    },
+    {
+        "SchemaVersion": "2018-10-08",
+        "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1551",
+        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
+        "GeneratorId": "Trivy",
+        "AwsAccountId": "123456789012",
+        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
+        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
+        "Severity": {
+            "Product": 4,
+            "Normalized": 40
+        },
+        "Title": "Trivy found a vulnerability to CVE-2019-1551 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+        "Remediation": {
+            "Recommendation": {
+                "Text": "More information on this vulnerability is provided in the hyperlink",
+                "Url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
+            }
+        },
+        "ProductFields": { "Product Name": "Trivy" },
+        "Resources": [
+            {
+                "Type": "Container",
+                "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+                "Partition": "aws",
+                "Region": "test-region",
+                "Details": {
+                    "Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
+                    "Other": {
+                        "CVE ID": "CVE-2019-1551",
+                        "CVE Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+                        "PkgName": "libcrypto1.1",
+                        "Installed Package": "1.1.1c-r0",
+                        "Patched Package": "1.1.1d-r2",
+                        "NvdCvssScoreV3": "0",
+                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV2": "0",
+                        "NvdCvssVectorV2": ""
+                    }
+                }
+            }
+        ],
+        "RecordState": "ACTIVE"
+    },
+    {
+        "SchemaVersion": "2018-10-08",
+        "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1563",
+        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
+        "GeneratorId": "Trivy",
+        "AwsAccountId": "123456789012",
+        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
+        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
+        "Severity": {
+            "Product": 4,
+            "Normalized": 40
+        },
+        "Title": "Trivy found a vulnerability to CVE-2019-1563 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Remediation": {
+            "Recommendation": {
+                "Text": "More information on this vulnerability is provided in the hyperlink",
+                "Url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
+            }
+        },
+        "ProductFields": { "Product Name": "Trivy" },
+        "Resources": [
+            {
+                "Type": "Container",
+                "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+                "Partition": "aws",
+                "Region": "test-region",
+                "Details": {
+                    "Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
+                    "Other": {
+                        "CVE ID": "CVE-2019-1563",
+                        "CVE Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+                        "PkgName": "libcrypto1.1",
+                        "Installed Package": "1.1.1c-r0",
+                        "Patched Package": "1.1.1d-r0",
+                        "NvdCvssScoreV3": "0",
+                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV2": "0",
+                        "NvdCvssVectorV2": ""
+                    }
+                }
+            }
+        ],
+        "RecordState": "ACTIVE"
+    },
+    {
+        "SchemaVersion": "2018-10-08",
+        "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1547",
+        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
+        "GeneratorId": "Trivy",
+        "AwsAccountId": "123456789012",
+        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
+        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
+        "Severity": {
+            "Product": 1,
+            "Normalized": 10
+        },
+        "Title": "Trivy found a vulnerability to CVE-2019-1547 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Remediation": {
+            "Recommendation": {
+                "Text": "More information on this vulnerability is provided in the hyperlink",
+                "Url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
+            }
+        },
+        "ProductFields": { "Product Name": "Trivy" },
+        "Resources": [
+            {
+                "Type": "Container",
+                "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+                "Partition": "aws",
+                "Region": "test-region",
+                "Details": {
+                    "Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
+                    "Other": {
+                        "CVE ID": "CVE-2019-1547",
+                        "CVE Title": "openssl: side-channel weak encryption vulnerability",
+                        "PkgName": "libcrypto1.1",
+                        "Installed Package": "1.1.1c-r0",
+                        "Patched Package": "1.1.1d-r0",
+                        "NvdCvssScoreV3": "0",
+                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV2": "0",
+                        "NvdCvssVectorV2": ""
+                    }
+                }
+            }
+        ],
+        "RecordState": "ACTIVE"
+    },
+    {
+        "SchemaVersion": "2018-10-08",
+        "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1549",
+        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
+        "GeneratorId": "Trivy",
+        "AwsAccountId": "123456789012",
+        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
+        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
+        "Severity": {
+            "Product": 4,
+            "Normalized": 40
+        },
+        "Title": "Trivy found a vulnerability to CVE-2019-1549 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+        "Remediation": {
+            "Recommendation": {
+                "Text": "More information on this vulnerability is provided in the hyperlink",
+                "Url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549"
+            }
+        },
+        "ProductFields": { "Product Name": "Trivy" },
+        "Resources": [
+            {
+                "Type": "Container",
+                "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+                "Partition": "aws",
+                "Region": "test-region",
+                "Details": {
+                    "Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
+                    "Other": {
+                        "CVE ID": "CVE-2019-1549",
+                        "CVE Title": "openssl: information disclosure in fork()",
+                        "PkgName": "libssl1.1",
+                        "Installed Package": "1.1.1c-r0",
+                        "Patched Package": "1.1.1d-r0",
+                        "NvdCvssScoreV3": "0",
+                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV2": "0",
+                        "NvdCvssVectorV2": ""
+                    }
+                }
+            }
+        ],
+        "RecordState": "ACTIVE"
+    },
+    {
+        "SchemaVersion": "2018-10-08",
+        "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1551",
+        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
+        "GeneratorId": "Trivy",
+        "AwsAccountId": "123456789012",
+        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
+        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
+        "Severity": {
+            "Product": 4,
+            "Normalized": 40
+        },
+        "Title": "Trivy found a vulnerability to CVE-2019-1551 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+        "Remediation": {
+            "Recommendation": {
+                "Text": "More information on this vulnerability is provided in the hyperlink",
+                "Url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
+            }
+        },
+        "ProductFields": { "Product Name": "Trivy" },
+        "Resources": [
+            {
+                "Type": "Container",
+                "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+                "Partition": "aws",
+                "Region": "test-region",
+                "Details": {
+                    "Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
+                    "Other": {
+                        "CVE ID": "CVE-2019-1551",
+                        "CVE Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+                        "PkgName": "libssl1.1",
+                        "Installed Package": "1.1.1c-r0",
+                        "Patched Package": "1.1.1d-r2",
+                        "NvdCvssScoreV3": "0",
+                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV2": "0",
+                        "NvdCvssVectorV2": ""
+                    }
+                }
+            }
+        ],
+        "RecordState": "ACTIVE"
+    },
+    {
+        "SchemaVersion": "2018-10-08",
+        "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1563",
+        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
+        "GeneratorId": "Trivy",
+        "AwsAccountId": "123456789012",
+        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
+        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
+        "Severity": {
+            "Product": 4,
+            "Normalized": 40
+        },
+        "Title": "Trivy found a vulnerability to CVE-2019-1563 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Remediation": {
+            "Recommendation": {
+                "Text": "More information on this vulnerability is provided in the hyperlink",
+                "Url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
+            }
+        },
+        "ProductFields": { "Product Name": "Trivy" },
+        "Resources": [
+            {
+                "Type": "Container",
+                "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+                "Partition": "aws",
+                "Region": "test-region",
+                "Details": {
+                    "Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
+                    "Other": {
+                        "CVE ID": "CVE-2019-1563",
+                        "CVE Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+                        "PkgName": "libssl1.1",
+                        "Installed Package": "1.1.1c-r0",
+                        "Patched Package": "1.1.1d-r0",
+                        "NvdCvssScoreV3": "0",
+                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV2": "0",
+                        "NvdCvssVectorV2": ""
+                    }
+                }
+            }
+        ],
+        "RecordState": "ACTIVE"
+    },
+    {
+        "SchemaVersion": "2018-10-08",
+        "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1547",
+        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
+        "GeneratorId": "Trivy",
+        "AwsAccountId": "123456789012",
+        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
+        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
+        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
+        "Severity": {
+            "Product": 1,
+            "Normalized": 10
+        },
+        "Title": "Trivy found a vulnerability to CVE-2019-1547 in container testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Remediation": {
+            "Recommendation": {
+                "Text": "More information on this vulnerability is provided in the hyperlink",
+                "Url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
+            }
+        },
+        "ProductFields": { "Product Name": "Trivy" },
+        "Resources": [
+            {
+                "Type": "Container",
+                "Id": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)",
+                "Partition": "aws",
+                "Region": "test-region",
+                "Details": {
+                    "Container": { "ImageName": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)" },
+                    "Other": {
+                        "CVE ID": "CVE-2019-1547",
+                        "CVE Title": "openssl: side-channel weak encryption vulnerability",
+                        "PkgName": "libssl1.1",
+                        "Installed Package": "1.1.1c-r0",
+                        "Patched Package": "1.1.1d-r0",
+                        "NvdCvssScoreV3": "0",
+                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV2": "0",
+                        "NvdCvssVectorV2": ""
+                    }
+                }
+            }
+        ],
+        "RecordState": "ACTIVE"
+    }
+]

integration/testdata/alpine-310.gitlab.golden

@@ -9,7 +9,7 @@
       "cve": "CVE-2019-1549",
       "severity": "Medium",
       "confidence": "Unknown",
-      "solution": "Upgrade openssl to 1.1.1d-r0",
+      "solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
       "scanner": {
         "id": "trivy",
         "name": "trivy"
@@ -17,7 +17,7 @@
       "location": {
         "dependency": {
           "package": {
-            "name": "openssl"
+            "name": "libcrypto1.1"
           },
           "version": "1.1.1c-r0"
         },
@@ -55,7 +55,7 @@
       "cve": "CVE-2019-1551",
       "severity": "Medium",
       "confidence": "Unknown",
-      "solution": "Upgrade openssl to 1.1.1d-r2",
+      "solution": "Upgrade libcrypto1.1 to 1.1.1d-r2",
       "scanner": {
         "id": "trivy",
         "name": "trivy"
@@ -63,7 +63,7 @@
       "location": {
         "dependency": {
           "package": {
-            "name": "openssl"
+            "name": "libcrypto1.1"
           },
           "version": "1.1.1c-r0"
         },
@@ -113,7 +113,7 @@
       "cve": "CVE-2019-1563",
       "severity": "Medium",
       "confidence": "Unknown",
-      "solution": "Upgrade openssl to 1.1.1d-r0",
+      "solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
       "scanner": {
         "id": "trivy",
         "name": "trivy"
@@ -121,7 +121,7 @@
       "location": {
         "dependency": {
           "package": {
-            "name": "openssl"
+            "name": "libcrypto1.1"
           },
           "version": "1.1.1c-r0"
         },
@@ -163,7 +163,7 @@
       "cve": "CVE-2019-1547",
       "severity": "Low",
       "confidence": "Unknown",
-      "solution": "Upgrade openssl to 1.1.1d-r0",
+      "solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
       "scanner": {
         "id": "trivy",
         "name": "trivy"
@@ -171,7 +171,213 @@
       "location": {
         "dependency": {
           "package": {
-            "name": "openssl"
+            "name": "libcrypto1.1"
+          },
+          "version": "1.1.1c-r0"
+        },
+        "operating_system": "Unknown",
+        "image": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)"
+      },
+      "identifiers": [
+        {
+          "type": "cve",
+          "name": "CVE-2019-1547",
+          "value": "CVE-2019-1547",
+          "url": ""
+        }
+      ],
+      "links": [{
+          "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
+        },{
+          "url": "https://arxiv.org/abs/1909.01785"
+        },{
+          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547"
+        },{
+          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46"
+        },{
+          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8"
+        },{
+          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"
+        },{
+          "url": "https://seclists.org/bugtraq/2019/Sep/25"
+        },{
+          "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
+        },{
+          "url": "https://www.openssl.org/news/secadv/20190910.txt"
+        }
+      ]
+    },
+    {
+      "id": "CVE-2019-1549",
+      "category": "container_scanning",
+      "message": "openssl: information disclosure in fork()",
+      "description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+      "cve": "CVE-2019-1549",
+      "severity": "Medium",
+      "confidence": "Unknown",
+      "solution": "Upgrade libssl1.1 to 1.1.1d-r0",
+      "scanner": {
+        "id": "trivy",
+        "name": "trivy"
+      },
+      "location": {
+        "dependency": {
+          "package": {
+            "name": "libssl1.1"
+          },
+          "version": "1.1.1c-r0"
+        },
+        "operating_system": "Unknown",
+        "image": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)"
+      },
+      "identifiers": [
+        {
+          "type": "cve",
+          "name": "CVE-2019-1549",
+          "value": "CVE-2019-1549",
+          "url": ""
+        }
+      ],
+      "links": [{
+          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549"
+        },{
+          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"
+        },{
+          "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
+        },{
+          "url": "https://support.f5.com/csp/article/K44070243"
+        },{
+          "url": "https://www.openssl.org/news/secadv/20190910.txt"
+        }
+      ]
+    },
+    {
+      "id": "CVE-2019-1551",
+      "category": "container_scanning",
+      "message": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+      "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+      "cve": "CVE-2019-1551",
+      "severity": "Medium",
+      "confidence": "Unknown",
+      "solution": "Upgrade libssl1.1 to 1.1.1d-r2",
+      "scanner": {
+        "id": "trivy",
+        "name": "trivy"
+      },
+      "location": {
+        "dependency": {
+          "package": {
+            "name": "libssl1.1"
+          },
+          "version": "1.1.1c-r0"
+        },
+        "operating_system": "Unknown",
+        "image": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)"
+      },
+      "identifiers": [
+        {
+          "type": "cve",
+          "name": "CVE-2019-1551",
+          "value": "CVE-2019-1551",
+          "url": ""
+        }
+      ],
+      "links": [{
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
+        },{
+          "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
+        },{
+          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
+        },{
+          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f"
+        },{
+          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98"
+        },{
+          "url": "https://github.com/openssl/openssl/pull/10575"
+        },{
+          "url": "https://seclists.org/bugtraq/2019/Dec/39"
+        },{
+          "url": "https://seclists.org/bugtraq/2019/Dec/46"
+        },{
+          "url": "https://security.netapp.com/advisory/ntap-20191210-0001/"
+        },{
+          "url": "https://www.debian.org/security/2019/dsa-4594"
+        },{
+          "url": "https://www.openssl.org/news/secadv/20191206.txt"
+        },{
+          "url": "https://www.tenable.com/security/tns-2019-09"
+        }
+      ]
+    },
+    {
+      "id": "CVE-2019-1563",
+      "category": "container_scanning",
+      "message": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+      "description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+      "cve": "CVE-2019-1563",
+      "severity": "Medium",
+      "confidence": "Unknown",
+      "solution": "Upgrade libssl1.1 to 1.1.1d-r0",
+      "scanner": {
+        "id": "trivy",
+        "name": "trivy"
+      },
+      "location": {
+        "dependency": {
+          "package": {
+            "name": "libssl1.1"
+          },
+          "version": "1.1.1c-r0"
+        },
+        "operating_system": "Unknown",
+        "image": "testdata/fixtures/alpine-310.tar.gz (alpine 3.10.2)"
+      },
+      "identifiers": [
+        {
+          "type": "cve",
+          "name": "CVE-2019-1563",
+          "value": "CVE-2019-1563",
+          "url": ""
+        }
+      ],
+      "links": [{
+          "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
+        },{
+          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563"
+        },{
+          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64"
+        },{
+          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97"
+        },{
+          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f"
+        },{
+          "url": "https://seclists.org/bugtraq/2019/Sep/25"
+        },{
+          "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
+        },{
+          "url": "https://www.openssl.org/news/secadv/20190910.txt"
+        }
+      ]
+    },
+    {
+      "id": "CVE-2019-1547",
+      "category": "container_scanning",
+      "message": "openssl: side-channel weak encryption vulnerability",
+      "description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+      "cve": "CVE-2019-1547",
+      "severity": "Low",
+      "confidence": "Unknown",
+      "solution": "Upgrade libssl1.1 to 1.1.1d-r0",
+      "scanner": {
+        "id": "trivy",
+        "name": "trivy"
+      },
+      "location": {
+        "dependency": {
+          "package": {
+            "name": "libssl1.1"
           },
           "version": "1.1.1c-r0"
         },

integration/testdata/alpine-310.json.golden

@@ -5,7 +5,7 @@
     "Vulnerabilities": [
       {
         "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {
@@ -26,7 +26,7 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r2",
         "Layer": {
@@ -53,7 +53,7 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {
@@ -76,7 +76,102 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: side-channel weak encryption vulnerability",
+        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "LOW",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://arxiv.org/abs/1909.01785",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1549",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: information disclosure in fork()",
+        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://support.f5.com/csp/article/K44070243",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1551",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r2",
+        "Layer": {
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+          "https://github.com/openssl/openssl/pull/10575",
+          "https://seclists.org/bugtraq/2019/Dec/39",
+          "https://seclists.org/bugtraq/2019/Dec/46",
+          "https://security.netapp.com/advisory/ntap-20191210-0001/",
+          "https://www.debian.org/security/2019/dsa-4594",
+          "https://www.openssl.org/news/secadv/20191206.txt",
+          "https://www.tenable.com/security/tns-2019-09"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1563",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1c-r0",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1547",
+        "PkgName": "libssl1.1",
         "InstalledVersion": "1.1.1c-r0",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {

integration/testdata/alpine-310.sarif.golden

@@ -12,20 +12,20 @@
               "id": "[MEDIUM] CVE-2019-1549",
               "name": "dockerfile_scan",
               "shortDescription": {
-                "text": "CVE-2019-1549 Package: openssl"
+                "text": "CVE-2019-1549 Package: libcrypto1.1"
               },
               "fullDescription": {
                 "text": "openssl: information disclosure in fork()."
               },
               "help": {
-                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: openssl\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://nvd.nist.gov/vuln/detail/cve-2019-1549)",
-                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|openssl|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://nvd.nist.gov/vuln/detail/cve-2019-1549)|\n"
+                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://nvd.nist.gov/vuln/detail/cve-2019-1549)",
+                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://nvd.nist.gov/vuln/detail/cve-2019-1549)|\n"
               },
               "properties": {
                 "tags": [
                   "vulnerability",
                   "MEDIUM",
-                  "openssl"
+                  "libcrypto1.1"
                 ],
                 "precision": "very-high"
               }
@@ -34,20 +34,20 @@
               "id": "[MEDIUM] CVE-2019-1551",
               "name": "dockerfile_scan",
               "shortDescription": {
-                "text": "CVE-2019-1551 Package: openssl"
+                "text": "CVE-2019-1551 Package: libcrypto1.1"
               },
               "fullDescription": {
                 "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
               },
               "help": {
-                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: openssl\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://nvd.nist.gov/vuln/detail/cve-2019-1551)",
-                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|openssl|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://nvd.nist.gov/vuln/detail/cve-2019-1551)|\n"
+                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://nvd.nist.gov/vuln/detail/cve-2019-1551)",
+                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://nvd.nist.gov/vuln/detail/cve-2019-1551)|\n"
               },
               "properties": {
                 "tags": [
                   "vulnerability",
                   "MEDIUM",
-                  "openssl"
+                  "libcrypto1.1"
                 ],
                 "precision": "very-high"
               }
@@ -56,20 +56,20 @@
               "id": "[MEDIUM] CVE-2019-1563",
               "name": "dockerfile_scan",
               "shortDescription": {
-                "text": "CVE-2019-1563 Package: openssl"
+                "text": "CVE-2019-1563 Package: libcrypto1.1"
               },
               "fullDescription": {
                 "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
               },
               "help": {
-                "text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: openssl\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://nvd.nist.gov/vuln/detail/cve-2019-1563)",
-                "markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|openssl|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://nvd.nist.gov/vuln/detail/cve-2019-1563)|\n"
+                "text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://nvd.nist.gov/vuln/detail/cve-2019-1563)",
+                "markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://nvd.nist.gov/vuln/detail/cve-2019-1563)|\n"
               },
               "properties": {
                 "tags": [
                   "vulnerability",
                   "MEDIUM",
-                  "openssl"
+                  "libcrypto1.1"
                 ],
                 "precision": "very-high"
               }
@@ -78,20 +78,108 @@
               "id": "[LOW] CVE-2019-1547",
               "name": "dockerfile_scan",
               "shortDescription": {
-                "text": "CVE-2019-1547 Package: openssl"
+                "text": "CVE-2019-1547 Package: libcrypto1.1"
               },
               "fullDescription": {
                 "text": "openssl: side-channel weak encryption vulnerability."
               },
               "help": {
-                "text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: openssl\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://nvd.nist.gov/vuln/detail/cve-2019-1547)",
-                "markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|openssl|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://nvd.nist.gov/vuln/detail/cve-2019-1547)|\n"
+                "text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://nvd.nist.gov/vuln/detail/cve-2019-1547)",
+                "markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://nvd.nist.gov/vuln/detail/cve-2019-1547)|\n"
               },
               "properties": {
                 "tags": [
                   "vulnerability",
                   "LOW",
-                  "openssl"
+                  "libcrypto1.1"
+                ],
+                "precision": "very-high"
+              }
+            },
+            {
+              "id": "[MEDIUM] CVE-2019-1549",
+              "name": "dockerfile_scan",
+              "shortDescription": {
+                "text": "CVE-2019-1549 Package: libssl1.1"
+              },
+              "fullDescription": {
+                "text": "openssl: information disclosure in fork()."
+              },
+              "help": {
+                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://nvd.nist.gov/vuln/detail/cve-2019-1549)",
+                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://nvd.nist.gov/vuln/detail/cve-2019-1549)|\n"
+              },
+              "properties": {
+                "tags": [
+                  "vulnerability",
+                  "MEDIUM",
+                  "libssl1.1"
+                ],
+                "precision": "very-high"
+              }
+            },
+            {
+              "id": "[MEDIUM] CVE-2019-1551",
+              "name": "dockerfile_scan",
+              "shortDescription": {
+                "text": "CVE-2019-1551 Package: libssl1.1"
+              },
+              "fullDescription": {
+                "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
+              },
+              "help": {
+                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://nvd.nist.gov/vuln/detail/cve-2019-1551)",
+                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://nvd.nist.gov/vuln/detail/cve-2019-1551)|\n"
+              },
+              "properties": {
+                "tags": [
+                  "vulnerability",
+                  "MEDIUM",
+                  "libssl1.1"
+                ],
+                "precision": "very-high"
+              }
+            },
+            {
+              "id": "[MEDIUM] CVE-2019-1563",
+              "name": "dockerfile_scan",
+              "shortDescription": {
+                "text": "CVE-2019-1563 Package: libssl1.1"
+              },
+              "fullDescription": {
+                "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
+              },
+              "help": {
+                "text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://nvd.nist.gov/vuln/detail/cve-2019-1563)",
+                "markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://nvd.nist.gov/vuln/detail/cve-2019-1563)|\n"
+              },
+              "properties": {
+                "tags": [
+                  "vulnerability",
+                  "MEDIUM",
+                  "libssl1.1"
+                ],
+                "precision": "very-high"
+              }
+            },
+            {
+              "id": "[LOW] CVE-2019-1547",
+              "name": "dockerfile_scan",
+              "shortDescription": {
+                "text": "CVE-2019-1547 Package: libssl1.1"
+              },
+              "fullDescription": {
+                "text": "openssl: side-channel weak encryption vulnerability."
+              },
+              "help": {
+                "text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://nvd.nist.gov/vuln/detail/cve-2019-1547)",
+                "markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://nvd.nist.gov/vuln/detail/cve-2019-1547)|\n"
+              },
+              "properties": {
+                "tags": [
+                  "vulnerability",
+                  "LOW",
+                  "libssl1.1"
                 ],
                 "precision": "very-high"
               }
@@ -178,6 +266,86 @@
               }
             }
           }]
+        },
+        {
+          "ruleId": "[MEDIUM] CVE-2019-1549",
+          "ruleIndex": 4,
+          "level": "error",
+          "message": {
+            "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
+          },
+          "locations": [{
+            "physicalLocation": {
+              "artifactLocation": {
+                "uri": "Dockerfile"
+              },
+              "region": {
+                "startLine": 1,
+                "startColumn": 1,
+                "endColumn": 1
+              }
+            }
+          }]
+        },
+        {
+          "ruleId": "[MEDIUM] CVE-2019-1551",
+          "ruleIndex": 5,
+          "level": "error",
+          "message": {
+            "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t)."
+          },
+          "locations": [{
+            "physicalLocation": {
+              "artifactLocation": {
+                "uri": "Dockerfile"
+              },
+              "region": {
+                "startLine": 1,
+                "startColumn": 1,
+                "endColumn": 1
+              }
+            }
+          }]
+        },
+        {
+          "ruleId": "[MEDIUM] CVE-2019-1563",
+          "ruleIndex": 6,
+          "level": "error",
+          "message": {
+            "text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+          },
+          "locations": [{
+            "physicalLocation": {
+              "artifactLocation": {
+                "uri": "Dockerfile"
+              },
+              "region": {
+                "startLine": 1,
+                "startColumn": 1,
+                "endColumn": 1
+              }
+            }
+          }]
+        },
+        {
+          "ruleId": "[LOW] CVE-2019-1547",
+          "ruleIndex": 7,
+          "level": "error",
+          "message": {
+            "text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+          },
+          "locations": [{
+            "physicalLocation": {
+              "artifactLocation": {
+                "uri": "Dockerfile"
+              },
+              "region": {
+                "startLine": 1,
+                "startColumn": 1,
+                "endColumn": 1
+              }
+            }
+          }]
         }],
       "columnKind": "utf16CodeUnits"
     }

integration/testdata/alpine-39.json.golden

@@ -3,26 +3,9 @@
     "Target": "testdata/fixtures/alpine-39.tar.gz (alpine 3.9.4)",
     "Type": "alpine",
     "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-14697",
-        "PkgName": "musl",
-        "InstalledVersion": "1.1.20-r4",
-        "FixedVersion": "1.1.20-r5",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
-        "Severity": "HIGH",
-        "References": [
-          "http://www.openwall.com/lists/oss-security/2019/08/06/4",
-          "https://security.gentoo.org/glsa/202003-13",
-          "https://www.openwall.com/lists/musl/2019/08/06/1"
-        ]
-      },
       {
         "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1b-r1",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {
@@ -43,7 +26,7 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1b-r1",
         "FixedVersion": "1.1.1d-r2",
         "Layer": {
@@ -70,7 +53,7 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1b-r1",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {
@@ -93,7 +76,7 @@
       },
       {
         "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "openssl",
+        "PkgName": "libcrypto1.1",
         "InstalledVersion": "1.1.1b-r1",
         "FixedVersion": "1.1.1d-r0",
         "Layer": {
@@ -114,6 +97,135 @@
           "https://security.netapp.com/advisory/ntap-20190919-0002/",
           "https://www.openssl.org/news/secadv/20190910.txt"
         ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1549",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1b-r1",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: information disclosure in fork()",
+        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+        "Severity": "MEDIUM",
+        "References": [
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://support.f5.com/csp/article/K44070243",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1551",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1b-r1",
+        "FixedVersion": "1.1.1d-r2",
+        "Layer": {
+          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+          "https://github.com/openssl/openssl/pull/10575",
+          "https://seclists.org/bugtraq/2019/Dec/39",
+          "https://seclists.org/bugtraq/2019/Dec/46",
+          "https://security.netapp.com/advisory/ntap-20191210-0001/",
+          "https://www.debian.org/security/2019/dsa-4594",
+          "https://www.openssl.org/news/secadv/20191206.txt",
+          "https://www.tenable.com/security/tns-2019-09"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1563",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1b-r1",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
+        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "MEDIUM",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-1547",
+        "PkgName": "libssl1.1",
+        "InstalledVersion": "1.1.1b-r1",
+        "FixedVersion": "1.1.1d-r0",
+        "Layer": {
+          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+        },
+        "SeveritySource": "nvd",
+        "Title": "openssl: side-channel weak encryption vulnerability",
+        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
+        "Severity": "LOW",
+        "References": [
+          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
+          "https://arxiv.org/abs/1909.01785",
+          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
+          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
+          "https://seclists.org/bugtraq/2019/Sep/25",
+          "https://security.netapp.com/advisory/ntap-20190919-0002/",
+          "https://www.openssl.org/news/secadv/20190910.txt"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-14697",
+        "PkgName": "musl",
+        "InstalledVersion": "1.1.20-r4",
+        "FixedVersion": "1.1.20-r5",
+        "Layer": {
+          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+        },
+        "SeveritySource": "nvd",
+        "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
+        "Severity": "HIGH",
+        "References": [
+          "http://www.openwall.com/lists/oss-security/2019/08/06/4",
+          "https://security.gentoo.org/glsa/202003-13",
+          "https://www.openwall.com/lists/musl/2019/08/06/1"
+        ]
+      },
+      {
+        "VulnerabilityID": "CVE-2019-14697",
+        "PkgName": "musl-utils",
+        "InstalledVersion": "1.1.20-r4",
+        "FixedVersion": "1.1.20-r5",
+        "Layer": {
+          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+        },
+        "SeveritySource": "nvd",
+        "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
+        "Severity": "HIGH",
+        "References": [
+          "http://www.openwall.com/lists/oss-security/2019/08/06/4",
+          "https://security.gentoo.org/glsa/202003-13",
+          "https://www.openwall.com/lists/musl/2019/08/06/1"
+        ]
       }
     ]
   }

internal/app.go

@@ -188,6 +188,12 @@ var (
 		EnvVars: []string{"TRIVY_LIST_ALL_PKGS"},
 	}
 
+	skipDirectories = cli.StringFlag{
+		Name:    "skip-dirs",
+		Usage:   "specify the directory where the traversal is skipped",
+		EnvVars: []string{"TRIVY_SKIP_DIRS"},
+	}
+
 	globalFlags = []cli.Flag{
 		&quietFlag,
 		&debugFlag,
@@ -214,6 +220,7 @@ var (
 		&lightFlag,
 		&ignorePolicy,
 		&listAllPackages,
+		&skipDirectories,
 	}
 
 	// deprecated options
@@ -368,6 +375,7 @@ func NewFilesystemCommand() *cli.Command {
 			&noProgressFlag,
 			&ignorePolicy,
 			&listAllPackages,
+			&skipDirectories,
 		},
 	}
 }
@@ -398,6 +406,7 @@ func NewRepositoryCommand() *cli.Command {
 			&noProgressFlag,
 			&ignorePolicy,
 			&listAllPackages,
+			&skipDirectories,
 		},
 	}
 }

internal/artifact/config/config_test.go

@@ -185,11 +185,8 @@ func TestConfig_Init(t *testing.T) {
 			wantErr: "arguments error",
 		},
 		{
-			name: "sad: no image name",
-			logs: []string{
-				"trivy requires at least 1 argument or --input option",
-			},
-			wantErr: "arguments error",
+			name:    "sad: no image name",
+			wantErr: "no target is specified",
 		},
 		{
 			name:    "sad: invalid image name",

internal/artifact/image.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/aquasecurity/fanal/cache"
 	"github.com/aquasecurity/trivy/internal/artifact/config"
+	artifact "github.com/aquasecurity/trivy/internal/config"
 	"github.com/aquasecurity/trivy/pkg/scanner"
 )
 
@@ -37,7 +38,10 @@ func ImageRun(cliCtx *cli.Context) error {
 	}
 
 	// initialize config
-	if err = c.Init(true); err != nil {
+	err = c.Init(true)
+	if xerrors.Is(err, artifact.ErrNoTarget) {
+		return nil
+	} else if err != nil {
 		return xerrors.Errorf("failed to initialize options: %w", err)
 	}
 

internal/artifact/run.go

@@ -77,6 +77,7 @@ func run(c config.Config, initializeScanner InitializeScanner) error {
 		VulnType:            c.VulnType,
 		ScanRemovedPackages: c.ScanRemovedPkgs, // this is valid only for image subcommand
 		ListAllPackages:     c.ListAllPkgs,
+		SkipDirectories:     c.SkipDirectories,
 	}
 	log.Logger.Debugf("Vulnerability type:  %s", scanOptions.VulnType)
 

internal/client/config/config_test.go

@@ -225,11 +225,8 @@ func TestConfig_Init(t *testing.T) {
 			wantErr: "arguments error",
 		},
 		{
-			name: "sad: no image name",
-			logs: []string{
-				"trivy requires at least 1 argument or --input option",
-			},
-			wantErr: "arguments error",
+			name:    "sad: no image name",
+			wantErr: "no target is specified",
 		},
 		{
 			name:    "sad: invalid image name",

internal/config/artifact.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"strings"
 	"time"
 
 	"github.com/urfave/cli/v2"
@@ -13,22 +14,28 @@ type ArtifactConfig struct {
 	Timeout    time.Duration
 	ClearCache bool
 
+	skipDirectories string
+	SkipDirectories []string
+
 	// this field is populated in Init()
 	Target string
 }
 
 func NewArtifactConfig(c *cli.Context) ArtifactConfig {
 	return ArtifactConfig{
-		Input:      c.String("input"),
-		Timeout:    c.Duration("timeout"),
-		ClearCache: c.Bool("clear-cache"),
+		Input:           c.String("input"),
+		Timeout:         c.Duration("timeout"),
+		ClearCache:      c.Bool("clear-cache"),
+		skipDirectories: c.String("skip-dirs"),
 	}
 }
 
+var ErrNoTarget = xerrors.New("no target is specified")
+
 func (c *ArtifactConfig) Init(args cli.Args, logger *zap.SugaredLogger) (err error) {
 	if c.Input == "" && args.Len() == 0 {
-		logger.Error(`trivy requires at least 1 argument or --input option`)
-		return xerrors.New("arguments error")
+		logger.Debug(`trivy requires at least 1 argument or --input option`)
+		return ErrNoTarget
 	} else if args.Len() > 1 {
 		logger.Error(`multiple targets cannot be specified`)
 		return xerrors.New("arguments error")
@@ -38,5 +45,9 @@ func (c *ArtifactConfig) Init(args cli.Args, logger *zap.SugaredLogger) (err err
 		c.Target = args.First()
 	}
 
+	if c.skipDirectories != "" {
+		c.SkipDirectories = strings.Split(c.skipDirectories, ",")
+	}
+
 	return nil
 }

internal/config/artifact_test.go

@@ -40,12 +40,12 @@ func TestArtifactConfig_Init(t *testing.T) {
 			logs: []string{
 				"trivy requires at least 1 argument or --input option",
 			},
-			wantErr: "arguments error",
+			wantErr: "no target is specified",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			core, obs := observer.New(zap.InfoLevel)
+			core, obs := observer.New(zap.DebugLevel)
 			logger := zap.New(core)
 
 			app := cli.NewApp()

pkg/detector/library/advisory.go

@@ -0,0 +1,101 @@
+package library
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/Masterminds/semver/v3"
+	"golang.org/x/xerrors"
+
+	"github.com/aquasecurity/trivy-db/pkg/db"
+	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/scanner/utils"
+	"github.com/aquasecurity/trivy/pkg/types"
+)
+
+// Advisory represents security advisories for each programming language
+type Advisory struct {
+	lang     string
+	comparer comparer
+}
+
+func NewAdvisory(lang string) *Advisory {
+	return &Advisory{
+		lang:     lang,
+		comparer: newComparer(lang),
+	}
+}
+
+// DetectVulnerabilities scans buckets with the prefix according to the programming language in "Advisory".
+// If "lang" is python, it looks for buckets with "python::" and gets security advisories from those buckets.
+// It allows us to add a new data source with the lang prefix (e.g. python::new-data-source)
+// and detect vulnerabilities without specifying a specific bucket name.
+func (s *Advisory) DetectVulnerabilities(pkgName string, pkgVer *semver.Version) ([]types.DetectedVulnerability, error) {
+	// e.g. "python::"
+	prefix := fmt.Sprintf("%s::", s.lang)
+	advisories, err := db.Config{}.GetAdvisories(prefix, pkgName)
+	if err != nil {
+		return nil, xerrors.Errorf("failed to get %s advisories: %w", s.lang, err)
+	}
+
+	var vulns []types.DetectedVulnerability
+	for _, advisory := range advisories {
+		if !s.comparer.isVulnerable(pkgVer, advisory) {
+			continue
+		}
+
+		vuln := types.DetectedVulnerability{
+			VulnerabilityID:  advisory.VulnerabilityID,
+			PkgName:          pkgName,
+			InstalledVersion: pkgVer.String(),
+			FixedVersion:     s.createFixedVersions(advisory),
+		}
+		vulns = append(vulns, vuln)
+	}
+
+	return vulns, nil
+}
+
+func (s *Advisory) createFixedVersions(advisory dbTypes.Advisory) string {
+	if len(advisory.PatchedVersions) != 0 {
+		return strings.Join(advisory.PatchedVersions, ", ")
+	}
+
+	var fixedVersions []string
+	for _, version := range advisory.VulnerableVersions {
+		for _, s := range strings.Split(version, ",") {
+			s = strings.TrimSpace(s)
+			if !strings.HasPrefix(s, "<=") && strings.HasPrefix(s, "<") {
+				s = strings.TrimPrefix(s, "<")
+				fixedVersions = append(fixedVersions, strings.TrimSpace(s))
+			}
+		}
+	}
+	return strings.Join(fixedVersions, ", ")
+}
+
+type comparer interface {
+	isVulnerable(pkgVer *semver.Version, advisory dbTypes.Advisory) bool
+}
+
+func newComparer(lang string) comparer {
+	switch lang {
+	// When another library is needed for version comparison, it can be added here.
+	}
+	return generalComparer{}
+}
+
+type generalComparer struct{}
+
+func (c generalComparer) isVulnerable(pkgVer *semver.Version, advisory dbTypes.Advisory) bool {
+	if len(advisory.VulnerableVersions) != 0 {
+		return utils.MatchVersions(pkgVer, advisory.VulnerableVersions)
+	}
+
+	if utils.MatchVersions(pkgVer, advisory.PatchedVersions) ||
+		utils.MatchVersions(pkgVer, advisory.UnaffectedVersions) {
+		return false
+	}
+
+	return true
+}

pkg/detector/library/advisory_test.go

@@ -0,0 +1,117 @@
+package library_test
+
+import (
+	"os"
+	"testing"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy-db/pkg/db"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
+	"github.com/aquasecurity/trivy/pkg/detector/library"
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/utils"
+)
+
+func TestAdvisory_DetectVulnerabilities(t *testing.T) {
+	type fields struct {
+		lang string
+	}
+	type args struct {
+		pkgName string
+		pkgVer  *semver.Version
+	}
+	tests := []struct {
+		name     string
+		fixtures []string
+		fields   fields
+		args     args
+		want     []types.DetectedVulnerability
+		wantErr  string
+	}{
+		{
+			name:     "happy path",
+			fixtures: []string{"testdata/fixtures/php.yaml"},
+			fields:   fields{lang: vulnerability.PHP},
+			args: args{
+				pkgName: "symfony/symfony",
+				pkgVer:  semver.MustParse("4.2.6"),
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2019-10909",
+					PkgName:          "symfony/symfony",
+					InstalledVersion: "4.2.6",
+					FixedVersion:     "4.2.7",
+				},
+			},
+		},
+		{
+			name:     "no patched versions in the advisory",
+			fixtures: []string{"testdata/fixtures/php.yaml"},
+			fields:   fields{lang: vulnerability.PHP},
+			args: args{
+				pkgName: "symfony/symfony",
+				pkgVer:  semver.MustParse("4.4.6"),
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2020-5275",
+					PkgName:          "symfony/symfony",
+					InstalledVersion: "4.4.6",
+					FixedVersion:     "4.4.7",
+				},
+			},
+		},
+		{
+			name:     "no vulnerable versions in the advisory",
+			fixtures: []string{"testdata/fixtures/ruby.yaml"},
+			fields:   fields{lang: vulnerability.Ruby},
+			args: args{
+				pkgName: "activesupport",
+				pkgVer:  semver.MustParse("4.1.1"),
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2015-3226",
+					PkgName:          "activesupport",
+					InstalledVersion: "4.1.1",
+					FixedVersion:     ">= 4.2.2, ~> 4.1.11",
+				},
+			},
+		},
+		{
+			name:     "no vulnerability",
+			fixtures: []string{"testdata/fixtures/php.yaml"},
+			fields:   fields{lang: vulnerability.PHP},
+			args: args{
+				pkgName: "symfony/symfony",
+				pkgVer:  semver.MustParse("4.4.7"),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Initialize DB
+			dir := utils.InitTestDB(t, tt.fixtures)
+			defer os.RemoveAll(dir)
+			defer db.Close()
+
+			adv := library.NewAdvisory(tt.fields.lang)
+			got, err := adv.DetectVulnerabilities(tt.args.pkgName, tt.args.pkgVer)
+
+			switch {
+			case tt.wantErr != "":
+				require.NotNil(t, err)
+				assert.Contains(t, err.Error(), tt.wantErr)
+			default:
+				assert.NoError(t, err)
+			}
+
+			// Compare
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

pkg/detector/library/bundler/advisory.go

@@ -11,18 +11,6 @@ import (
 	"github.com/aquasecurity/trivy/pkg/types"
 )
 
-var (
-	platformReplacer = strings.NewReplacer(
-		"-java", "+java",
-		"-mswin32", "+msin32",
-		"-mswin64", "+mswin64",
-		"-universal-mingw32", "+universal-mingw32",
-		"-x64-mingw32", "+x64-mingw32",
-		"-x86_64-mingw32", "+x86_64-mingw32",
-		"-mingw32", "+mingw32",
-	)
-)
-
 type VulnSrc interface {
 	Get(pkgName string) ([]bundlerSrc.Advisory, error)
 }
@@ -31,13 +19,6 @@ type Advisory struct {
 	vs VulnSrc
 }
 
-func massageLockFileVersion(version string) string {
-	// Move the platform into "metadata" semver section.
-	// This is because otherwise we end up placing it in the "pre-release" section
-	// of the semver value, and this breaks our version comparisons in the scanner.
-	return platformReplacer.Replace(version)
-}
-
 func NewAdvisory() *Advisory {
 	return &Advisory{
 		vs: bundlerSrc.NewVulnSrc(),

pkg/detector/library/bundler/advisory_test.go

@@ -52,8 +52,6 @@ func TestScanner_Detect(t *testing.T) {
 		}
 
 		versionStr := "1.9.25-x64-mingw32"
-		versionStr = platformReplacer.Replace(versionStr)
-
 		v, _ := semver.NewVersion(versionStr)
 
 		vulns, err := s.DetectVulnerabilities("ffi", v)

pkg/detector/library/driver.go

@@ -4,8 +4,8 @@ import (
 	"fmt"
 
 	"github.com/Masterminds/semver/v3"
-	"github.com/aquasecurity/fanal/analyzer/library"
 	ecosystem "github.com/aquasecurity/trivy-db/pkg/vulnsrc/ghsa"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
 	"github.com/aquasecurity/trivy/pkg/detector/library/bundler"
 	"github.com/aquasecurity/trivy/pkg/detector/library/cargo"
 	"github.com/aquasecurity/trivy/pkg/detector/library/composer"
@@ -31,19 +31,15 @@ func (d DriverFactory) NewDriver(filename string) (Driver, error) {
 	var driver Driver
 	switch filename {
 	case "Gemfile.lock":
-		driver = NewBundlerDriver()
+		driver = newRubyDriver()
 	case "Cargo.lock":
-		driver = NewCargoDriver()
+		driver = newRustDriver()
 	case "composer.lock":
-		driver = NewComposerDriver()
-	case "package-lock.json":
-		driver = NewNpmDriver()
-	case "yarn.lock":
-		driver = NewYarnDriver()
-	case "Pipfile.lock":
-		driver = NewPipenvDriver()
-	case "poetry.lock":
-		driver = NewPoetryDriver()
+		driver = newPHPDriver()
+	case "package-lock.json", "yarn.lock":
+		driver = newNodejsDriver()
+	case "Pipfile.lock", "poetry.lock":
+		driver = newPythonDriver()
 	default:
 		return Driver{}, xerrors.New(fmt.Sprintf("unsupport filename %s", filename))
 	}
@@ -51,18 +47,18 @@ func (d DriverFactory) NewDriver(filename string) (Driver, error) {
 }
 
 type Driver struct {
-	pkgManager string
+	lang       string
 	advisories []advisory
 }
 
-func NewDriver(p string, advisories ...advisory) Driver {
-	return Driver{pkgManager: p, advisories: advisories}
+func NewDriver(lang string, advisories ...advisory) Driver {
+	return Driver{lang: lang, advisories: advisories}
 }
 
-func (driver *Driver) Detect(pkgName string, pkgVer *semver.Version) ([]types.DetectedVulnerability, error) {
+func (d *Driver) Detect(pkgName string, pkgVer *semver.Version) ([]types.DetectedVulnerability, error) {
 	var detectedVulnerabilities []types.DetectedVulnerability
 	uniqVulnIdMap := make(map[string]struct{})
-	for _, d := range driver.advisories {
+	for _, d := range append(d.advisories, NewAdvisory(d.lang)) {
 		vulns, err := d.DetectVulnerabilities(pkgName, pkgVer)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to detect vulnerabilities: %w", err)
@@ -79,34 +75,26 @@ func (driver *Driver) Detect(pkgName string, pkgVer *semver.Version) ([]types.De
 	return detectedVulnerabilities, nil
 }
 
-func NewBundlerDriver() Driver {
-	return NewDriver(library.Bundler, ghsa.NewAdvisory(ecosystem.Rubygems), bundler.NewAdvisory())
-}
-
-func NewComposerDriver() Driver {
-	return NewDriver(library.Composer, ghsa.NewAdvisory(ecosystem.Composer), composer.NewAdvisory())
-}
-
-func NewCargoDriver() Driver {
-	return NewDriver(library.Cargo, cargo.NewAdvisory())
-}
-
-func NewNpmDriver() Driver {
-	return NewDriver(library.Npm, ghsa.NewAdvisory(ecosystem.Npm), node.NewAdvisory())
-}
-
-func NewYarnDriver() Driver {
-	return NewDriver(library.Yarn, ghsa.NewAdvisory(ecosystem.Npm), node.NewAdvisory())
-}
-
-func NewPipenvDriver() Driver {
-	return NewDriver(library.Pipenv, ghsa.NewAdvisory(ecosystem.Pip), python.NewAdvisory())
-}
-
-func NewPoetryDriver() Driver {
-	return NewDriver(library.Poetry, ghsa.NewAdvisory(ecosystem.Pip), python.NewAdvisory())
-}
-
 func (d *Driver) Type() string {
-	return d.pkgManager
+	return d.lang
+}
+
+func newRubyDriver() Driver {
+	return NewDriver(vulnerability.Ruby, ghsa.NewAdvisory(ecosystem.Rubygems), bundler.NewAdvisory())
+}
+
+func newPHPDriver() Driver {
+	return NewDriver(vulnerability.PHP, ghsa.NewAdvisory(ecosystem.Composer), composer.NewAdvisory())
+}
+
+func newRustDriver() Driver {
+	return NewDriver(vulnerability.Rust, cargo.NewAdvisory())
+}
+
+func newNodejsDriver() Driver {
+	return NewDriver(vulnerability.Nodejs, ghsa.NewAdvisory(ecosystem.Npm), node.NewAdvisory())
+}
+
+func newPythonDriver() Driver {
+	return NewDriver(vulnerability.Python, ghsa.NewAdvisory(ecosystem.Pip), python.NewAdvisory())
 }

pkg/detector/library/driver_test.go

@@ -0,0 +1,135 @@
+package library_test
+
+import (
+	"os"
+	"testing"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/aquasecurity/trivy-db/pkg/db"
+	"github.com/aquasecurity/trivy/pkg/detector/library"
+	"github.com/aquasecurity/trivy/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/utils"
+)
+
+func TestDriver_Detect(t *testing.T) {
+	type fields struct {
+		fileName string
+	}
+	type args struct {
+		pkgName string
+		pkgVer  *semver.Version
+	}
+	tests := []struct {
+		name     string
+		fixtures []string
+		fields   fields
+		args     args
+		want     []types.DetectedVulnerability
+		wantErr  string
+	}{
+		{
+			name:     "happy path",
+			fixtures: []string{"testdata/fixtures/php.yaml"},
+			fields:   fields{fileName: "composer.lock"},
+			args: args{
+				pkgName: "symfony/symfony",
+				pkgVer:  semver.MustParse("4.2.6"),
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2019-10909",
+					PkgName:          "symfony/symfony",
+					InstalledVersion: "4.2.6",
+					FixedVersion:     "4.2.7",
+				},
+			},
+		},
+		{
+			name:     "non-prefix buckets",
+			fixtures: []string{"testdata/fixtures/php-without-prefix.yaml"},
+			fields:   fields{fileName: "composer.lock"},
+			args: args{
+				pkgName: "symfony/symfony",
+				pkgVer:  semver.MustParse("4.2.6"),
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2019-10909",
+					PkgName:          "symfony/symfony",
+					InstalledVersion: "4.2.6",
+					FixedVersion:     "4.2.7",
+				},
+			},
+		},
+		{
+			name:     "no patched versions in the advisory",
+			fixtures: []string{"testdata/fixtures/php.yaml"},
+			fields:   fields{fileName: "composer.lock"},
+			args: args{
+				pkgName: "symfony/symfony",
+				pkgVer:  semver.MustParse("4.4.6"),
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2020-5275",
+					PkgName:          "symfony/symfony",
+					InstalledVersion: "4.4.6",
+					FixedVersion:     "4.4.7",
+				},
+			},
+		},
+		{
+			name:     "no vulnerable versions in the advisory",
+			fixtures: []string{"testdata/fixtures/ruby.yaml"},
+			fields:   fields{fileName: "Gemfile.lock"},
+			args: args{
+				pkgName: "activesupport",
+				pkgVer:  semver.MustParse("4.1.1"),
+			},
+			want: []types.DetectedVulnerability{
+				{
+					VulnerabilityID:  "CVE-2015-3226",
+					PkgName:          "activesupport",
+					InstalledVersion: "4.1.1",
+					FixedVersion:     ">= 4.2.2, ~> 4.1.11",
+				},
+			},
+		},
+		{
+			name:     "no vulnerability",
+			fixtures: []string{"testdata/fixtures/php.yaml"},
+			fields:   fields{fileName: "composer.lock"},
+			args: args{
+				pkgName: "symfony/symfony",
+				pkgVer:  semver.MustParse("4.4.7"),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Initialize DB
+			dir := utils.InitTestDB(t, tt.fixtures)
+			defer os.RemoveAll(dir)
+			defer db.Close()
+
+			factory := library.DriverFactory{}
+			driver, err := factory.NewDriver(tt.fields.fileName)
+			require.NoError(t, err)
+
+			got, err := driver.Detect(tt.args.pkgName, tt.args.pkgVer)
+			switch {
+			case tt.wantErr != "":
+				require.NotNil(t, err)
+				assert.Contains(t, err.Error(), tt.wantErr)
+			default:
+				assert.NoError(t, err)
+			}
+
+			// Compare
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

pkg/detector/library/testdata/fixtures/php-without-prefix.yaml

@@ -0,0 +1,18 @@
+- bucket: GitHub Security Advisory Composer
+  pairs:
+    - bucket: symfony/symfony
+      pairs:
+        - key: CVE-2019-10909
+          value:
+            PatchedVersions:
+              - 4.2.7
+            VulnerableVersions:
+              - ">= 4.2.0, < 4.2.7"
+- bucket: php-security-advisories
+  pairs:
+    - bucket: symfony/symfony
+      pairs:
+        - key: CVE-2020-5275
+          value:
+            VulnerableVersions:
+              - ">= 4.4.0, < 4.4.7"

pkg/detector/library/testdata/fixtures/php.yaml

@@ -0,0 +1,18 @@
+- bucket: "php::GitHub Security Advisory Composer"
+  pairs:
+    - bucket: symfony/symfony
+      pairs:
+        - key: CVE-2019-10909
+          value:
+            PatchedVersions:
+              - 4.2.7
+            VulnerableVersions:
+              - ">= 4.2.0, < 4.2.7"
+- bucket: "php::php-security-advisories"
+  pairs:
+    - bucket: symfony/symfony
+      pairs:
+        - key: CVE-2020-5275
+          value:
+            VulnerableVersions:
+              - ">= 4.4.0, < 4.4.7"

pkg/detector/library/testdata/fixtures/ruby.yaml

@@ -0,0 +1,11 @@
+- bucket: "ruby::ruby-advisory-db"
+  pairs:
+    - bucket: activesupport
+      pairs:
+        - key: CVE-2015-3226
+          value:
+            PatchedVersions:
+              - ">= 4.2.2"
+              - "~> 4.1.11"
+            UnaffectedVersions:
+              - "< 4.1.0"

pkg/detector/ospkg/alpine/alpine.go

@@ -61,12 +61,12 @@ func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedV
 
 	var vulns []types.DetectedVulnerability
 	for _, pkg := range pkgs {
-		advisories, err := s.vs.Get(osVer, pkg.Name)
+		advisories, err := s.vs.Get(osVer, pkg.SrcName)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to get alpine advisories: %w", err)
 		}
 
-		installed := utils.FormatVersion(pkg)
+		installed := utils.FormatSrcVersion(pkg)
 		installedVersion, err := version.NewVersion(installed)
 		if err != nil {
 			log.Logger.Debugf("failed to parse Alpine Linux installed package version: %s", err)
@@ -74,8 +74,7 @@ func (s *Scanner) Detect(osVer string, pkgs []ftypes.Package) ([]types.DetectedV
 		}
 
 		for _, adv := range advisories {
-			f := strings.Replace(adv.FixedVersion, "_rc", "~rc", 1)
-			fixedVersion, err := version.NewVersion(f)
+			fixedVersion, err := version.NewVersion(adv.FixedVersion)
 			if err != nil {
 				log.Logger.Debugf("failed to parse Alpine Linux fixed version: %s", err)
 				continue

pkg/detector/ospkg/alpine/alpine_test.go

@@ -55,15 +55,19 @@ func TestScanner_Detect(t *testing.T) {
 				osVer: "3.10.2",
 				pkgs: []ftypes.Package{
 					{
-						Name:    "ansible",
-						Version: "2.6.4",
+						Name:       "ansible",
+						Version:    "2.6.4",
+						SrcName:    "ansible",
+						SrcVersion: "2.6.4",
 						Layer: ftypes.Layer{
 							DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 						},
 					},
 					{
-						Name:    "invalid",
-						Version: "invalid", // skipped
+						Name:       "invalid",
+						Version:    "invalid", // skipped
+						SrcName:    "invalid",
+						SrcVersion: "invalid",
 					},
 				},
 			},
@@ -118,8 +122,10 @@ func TestScanner_Detect(t *testing.T) {
 				osVer: "3.9",
 				pkgs: []ftypes.Package{
 					{
-						Name:    "jq",
-						Version: "1.6-r0",
+						Name:       "jq",
+						Version:    "1.6-r0",
+						SrcName:    "jq",
+						SrcVersion: "1.6-r0",
 					},
 				},
 			},
@@ -159,8 +165,10 @@ func TestScanner_Detect(t *testing.T) {
 				osVer: "3.12",
 				pkgs: []ftypes.Package{
 					{
-						Name:    "test",
-						Version: "0.1.0_alpha",
+						Name:       "test",
+						Version:    "0.1.0_alpha",
+						SrcName:    "test-src",
+						SrcVersion: "0.1.0_alpha",
 						Layer: ftypes.Layer{
 							DiffID: "sha256:932da51564135c98a49a34a193d6cd363d8fa4184d957fde16c9d8527b3f3b02",
 						},
@@ -172,7 +180,7 @@ func TestScanner_Detect(t *testing.T) {
 					{
 						input: getInput{
 							osVer:   "3.12",
-							pkgName: "test",
+							pkgName: "test-src",
 						},
 						output: getOutput{
 							advisories: []dbTypes.Advisory{
@@ -207,8 +215,10 @@ func TestScanner_Detect(t *testing.T) {
 				osVer: "3.8.1",
 				pkgs: []ftypes.Package{
 					{
-						Name:    "jq",
-						Version: "1.6-r0",
+						Name:       "jq",
+						Version:    "1.6-r0",
+						SrcName:    "jq",
+						SrcVersion: "1.6-r0",
 					},
 				},
 			},

pkg/report/writer.go

@@ -11,6 +11,7 @@ import (
 	"os"
 	"strings"
 	"text/template"
+	"time"
 
 	"golang.org/x/xerrors"
 
@@ -21,6 +22,8 @@ import (
 	"github.com/olekukonko/tablewriter"
 )
 
+var Now = time.Now
+
 type Results []Result
 
 type Result struct {
@@ -38,39 +41,10 @@ func WriteResults(format string, output io.Writer, severities []dbTypes.Severity
 	case "json":
 		writer = &JsonWriter{Output: output}
 	case "template":
-		if strings.HasPrefix(outputTemplate, "@") {
-			buf, err := ioutil.ReadFile(strings.TrimPrefix(outputTemplate, "@"))
-			if err != nil {
-				return xerrors.Errorf("Error retrieving template from path: %w", err)
-			}
-			outputTemplate = string(buf)
+		var err error
+		if writer, err = NewTemplateWriter(output, outputTemplate); err != nil {
+			return xerrors.Errorf("failed to initialize template writer: %w", err)
 		}
-		tmpl, err := template.New("output template").Funcs(template.FuncMap{
-			"escapeXML": func(input string) string {
-				escaped := &bytes.Buffer{}
-				if err := xml.EscapeText(escaped, []byte(input)); err != nil {
-					fmt.Printf("error while escapeString to XML: %v", err.Error())
-					return input
-				}
-				return escaped.String()
-			},
-			"endWithPeriod": func(input string) string {
-				if !strings.HasSuffix(input, ".") {
-					input += "."
-				}
-				return input
-			},
-			"toLower": func(input string) string {
-				return strings.ToLower(input)
-			},
-			"escapeString": func(input string) string {
-				return html.EscapeString(input)
-			},
-		}).Parse(outputTemplate)
-		if err != nil {
-			return xerrors.Errorf("error parsing template: %w", err)
-		}
-		writer = &TemplateWriter{Output: output, Template: tmpl}
 	default:
 		return xerrors.Errorf("unknown format: %v", format)
 	}
@@ -181,6 +155,48 @@ type TemplateWriter struct {
 	Template *template.Template
 }
 
+func NewTemplateWriter(output io.Writer, outputTemplate string) (*TemplateWriter, error) {
+	if strings.HasPrefix(outputTemplate, "@") {
+		buf, err := ioutil.ReadFile(strings.TrimPrefix(outputTemplate, "@"))
+		if err != nil {
+			return nil, xerrors.Errorf("error retrieving template from path: %w", err)
+		}
+		outputTemplate = string(buf)
+	}
+	tmpl, err := template.New("output template").Funcs(template.FuncMap{
+		"escapeXML": func(input string) string {
+			escaped := &bytes.Buffer{}
+			if err := xml.EscapeText(escaped, []byte(input)); err != nil {
+				fmt.Printf("error while escapeString to XML: %v", err.Error())
+				return input
+			}
+			return escaped.String()
+		},
+		"endWithPeriod": func(input string) string {
+			if !strings.HasSuffix(input, ".") {
+				input += "."
+			}
+			return input
+		},
+		"toLower": func(input string) string {
+			return strings.ToLower(input)
+		},
+		"escapeString": func(input string) string {
+			return html.EscapeString(input)
+		},
+		"getEnv": func(key string) string {
+			return os.Getenv(key)
+		},
+		"getCurrentTime": func() string {
+			return Now().UTC().Format(time.RFC3339Nano)
+		},
+	}).Parse(outputTemplate)
+	if err != nil {
+		return nil, xerrors.Errorf("error parsing template: %w", err)
+	}
+	return &TemplateWriter{Output: output, Template: tmpl}, nil
+}
+
 func (tw TemplateWriter) Write(results Results) error {
 	err := tw.Template.Execute(tw.Output, results)
 	if err != nil {

pkg/report/writer_test.go

@@ -3,7 +3,9 @@ package report_test
 import (
 	"bytes"
 	"encoding/json"
+	"os"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 
@@ -235,12 +237,12 @@ func TestReportWriter_Template(t *testing.T) {
 			detectedVulns: []types.DetectedVulnerability{
 				{
 					VulnerabilityID:  "123",
-					PkgName:          "foo",
+					PkgName:          `foo \ test`,
 					InstalledVersion: "1.2.3",
 					FixedVersion:     "3.4.5",
 					Vulnerability: dbTypes.Vulnerability{
 						Title:       `gcc: POWER9 "DARN" RNG intrinsic produces repeated output`,
-						Description: `curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.`,
+						Description: `curl version curl \X 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl < 7.20.0 and curl >= 7.60.0.`,
 						Severity:    "HIGH",
 					},
 				},
@@ -256,8 +258,8 @@ func TestReportWriter_Template(t *testing.T) {
         </properties>
         {{- end -}}
         {{ range .Vulnerabilities }}
-        <testcase classname="{{ .PkgName }}-{{ .InstalledVersion }}" name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
-            <failure message={{escapeXML .Title | printf "%q" }} type="description">{{escapeXML .Description | printf "%q" }}</failure>
+        <testcase classname={{ printf "%v-%v" .PkgName .InstalledVersion | printf "%q" }} name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
+            <failure message={{escapeXML .Title | printf "%q" }} type="description">{{ endWithPeriod (escapeString .Description) | printf "%q" }}</failure>
         </testcase>
     {{- end }}
 	</testsuite>
@@ -269,8 +271,8 @@ func TestReportWriter_Template(t *testing.T) {
         <properties>
             <property name="type" value="test"></property>
         </properties>
-        <testcase classname="foo-1.2.3" name="[HIGH] 123" time="">
-            <failure message="gcc: POWER9 &#34;DARN&#34; RNG intrinsic produces repeated output" type="description">"curl version curl 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl &lt; 7.20.0 and curl &gt;= 7.60.0."</failure>
+        <testcase classname="foo \\ test-1.2.3" name="[HIGH] 123" time="">
+            <failure message="gcc: POWER9 &#34;DARN&#34; RNG intrinsic produces repeated output" type="description">"curl version curl \\X 7.20.0 to and including curl 7.59.0 contains a CWE-126: Buffer Over-read vulnerability in denial of service that can result in curl can be tricked into reading data beyond the end of a heap based buffer used to store downloaded RTSP content.. This vulnerability appears to have been fixed in curl &lt; 7.20.0 and curl &gt;= 7.60.0."</failure>
         </testcase>
 	</testsuite>
 </testsuites>`,
@@ -303,9 +305,19 @@ func TestReportWriter_Template(t *testing.T) {
 			template: `{{ range . }}{{ range .Vulnerabilities}}{{.VulnerabilityID}} {{ endWithPeriod (escapeString .Description) | printf "%q" }}{{ end }}{{ end }}`,
 			expected: `CVE-2019-0000 "without period."CVE-2019-0000 "with period."CVE-2019-0000 "with period and unescaped string curl: Use-after-free when closing &#39;easy&#39; handle in Curl_close()."`,
 		},
+		{
+			name:          "happy path: env var parsing and getCurrentTime",
+			detectedVulns: []types.DetectedVulnerability{},
+			template:      `{{ toLower (getEnv "AWS_ACCOUNT_ID") }} {{ getCurrentTime }}`,
+			expected:      `123456789012 2020-08-10T07:28:17.000958601Z`,
+		},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			report.Now = func() time.Time {
+				return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
+			}
+			os.Setenv("AWS_ACCOUNT_ID", "123456789012")
 			tmplWritten := bytes.Buffer{}
 			inputResults := report.Results{
 				{

pkg/scanner/local/scan.go

@@ -2,6 +2,8 @@ package local
 
 import (
 	"fmt"
+	"os"
+	"path/filepath"
 	"sort"
 	"strings"
 	"time"
@@ -110,7 +112,7 @@ func (s Scanner) Scan(target string, imageID string, layerIDs []string, options
 	}
 
 	if utils.StringInSlice("library", options.VulnType) {
-		libResults, err := s.scanLibrary(imageDetail.Applications, options.ListAllPackages)
+		libResults, err := s.scanLibrary(imageDetail.Applications, options)
 		if err != nil {
 			return nil, nil, false, xerrors.Errorf("failed to scan application libraries: %w", err)
 		}
@@ -140,19 +142,24 @@ func (s Scanner) scanOSPkg(target, osFamily, osName string, pkgs []ftypes.Packag
 	return result, eosl, nil
 }
 
-func (s Scanner) scanLibrary(apps []ftypes.Application, listAllPackages bool) (report.Results, error) {
+func (s Scanner) scanLibrary(apps []ftypes.Application, options types.ScanOptions) (report.Results, error) {
 	var results report.Results
 	for _, app := range apps {
 		vulns, err := s.libDetector.Detect("", app.FilePath, time.Time{}, app.Libraries)
 		if err != nil {
 			return nil, xerrors.Errorf("failed vulnerability detection of libraries: %w", err)
 		}
+
+		if skipped(app.FilePath, options.SkipDirectories) {
+			continue
+		}
+
 		libReport := report.Result{
 			Target:          app.FilePath,
 			Vulnerabilities: vulns,
 			Type:            app.Type,
 		}
-		if listAllPackages {
+		if options.ListAllPackages {
 			var pkgs []ftypes.Package
 			for _, lib := range app.Libraries {
 				pkgs = append(pkgs, ftypes.Package{
@@ -174,6 +181,21 @@ func (s Scanner) scanLibrary(apps []ftypes.Application, listAllPackages bool) (r
 	return results, nil
 }
 
+func skipped(filePath string, skipDirectories []string) bool {
+	for _, skipDir := range skipDirectories {
+		skipDir = strings.TrimLeft(filepath.Clean(skipDir), string(os.PathSeparator))
+		rel, err := filepath.Rel(skipDir, filePath)
+		if err != nil {
+			log.Logger.Warnf("Unexpected error while skipping directories: %s", err)
+			return false
+		}
+		if !strings.HasPrefix(rel, "..") {
+			return true
+		}
+	}
+	return false
+}
+
 func mergePkgs(pkgs, pkgsFromCommands []ftypes.Package) []ftypes.Package {
 	// pkg has priority over pkgsFromCommands
 	uniqPkgs := map[string]struct{}{}

pkg/scanner/local/scan_test.go

@@ -785,6 +785,134 @@ func TestScanner_Scan(t *testing.T) {
 				Name:   "3.11",
 			},
 		},
+		{
+			name: "happy path with skip directories",
+			args: args{
+				target:   "alpine:latest",
+				layerIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+				options: types.ScanOptions{
+					VulnType:        []string{"library"},
+					SkipDirectories: []string{"/usr/lib/ruby/gems"},
+				},
+			},
+			applyLayersExpectation: ApplierApplyLayersExpectation{
+				Args: ApplierApplyLayersArgs{
+					BlobIDs: []string{"sha256:5216338b40a7b96416b8b9858974bbe4acc3096ee60acbc4dfb1ee02aecceb10"},
+				},
+				Returns: ApplierApplyLayersReturns{
+					Detail: ftypes.ArtifactDetail{
+						OS: &ftypes.OS{
+							Family: "alpine",
+							Name:   "3.11",
+						},
+						Packages: []ftypes.Package{
+							{Name: "musl", Version: "1.2.3"},
+						},
+						Applications: []ftypes.Application{
+							{
+								Type:     "bundler",
+								FilePath: "usr/lib/ruby/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock",
+								Libraries: []ftypes.LibraryInfo{
+									{
+										Library: dtypes.Library{Name: "rails", Version: "5.1"},
+										Layer: ftypes.Layer{
+											DiffID: "sha256:5cb2a5009179b1e78ecfef81a19756328bb266456cf9a9dbbcf9af8b83b735f0",
+										},
+									},
+								},
+							},
+							{
+								Type:     "composer",
+								FilePath: "app/composer-lock.json",
+								Libraries: []ftypes.LibraryInfo{
+									{
+										Library: dtypes.Library{Name: "laravel", Version: "6.0.0"},
+										Layer: ftypes.Layer{
+											DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303",
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			libDetectExpectations: []LibraryDetectorDetectExpectation{
+				{
+					Args: LibraryDetectorDetectArgs{
+						FilePath: "usr/lib/ruby/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock",
+						Pkgs: []ftypes.LibraryInfo{
+							{
+								Library: dtypes.Library{Name: "rails", Version: "5.1"},
+								Layer: ftypes.Layer{
+									DiffID: "sha256:5cb2a5009179b1e78ecfef81a19756328bb266456cf9a9dbbcf9af8b83b735f0",
+								},
+							},
+						},
+					},
+					Returns: LibraryDetectorDetectReturns{
+						DetectedVulns: []types.DetectedVulnerability{
+							{
+								VulnerabilityID:  "CVE-2020-11111",
+								PkgName:          "rails",
+								InstalledVersion: "5.1",
+								FixedVersion:     "5.2",
+								Layer: ftypes.Layer{
+									DiffID: "sha256:5cb2a5009179b1e78ecfef81a19756328bb266456cf9a9dbbcf9af8b83b735f0",
+								},
+							},
+						},
+					},
+				},
+				{
+					Args: LibraryDetectorDetectArgs{
+						FilePath: "app/composer-lock.json",
+						Pkgs: []ftypes.LibraryInfo{
+							{
+								Library: dtypes.Library{Name: "laravel", Version: "6.0.0"},
+								Layer: ftypes.Layer{
+									DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303",
+								},
+							},
+						},
+					},
+					Returns: LibraryDetectorDetectReturns{
+						DetectedVulns: []types.DetectedVulnerability{
+							{
+								VulnerabilityID:  "CVE-2020-22222",
+								PkgName:          "laravel",
+								InstalledVersion: "6.0.0",
+								FixedVersion:     "6.1.0",
+								Layer: ftypes.Layer{
+									DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303",
+								},
+							},
+						},
+					},
+				},
+			},
+			wantResults: report.Results{
+				{
+					Target: "app/composer-lock.json",
+					Vulnerabilities: []types.DetectedVulnerability{
+						{
+							VulnerabilityID:  "CVE-2020-22222",
+							PkgName:          "laravel",
+							InstalledVersion: "6.0.0",
+							FixedVersion:     "6.1.0",
+							Layer: ftypes.Layer{
+								DiffID: "sha256:9922bc15eeefe1637b803ef2106f178152ce19a391f24aec838cbe2e48e73303",
+							},
+						},
+					},
+					Type: "composer",
+				},
+			},
+			wantOS: &ftypes.OS{
+				Family: "alpine",
+				Name:   "3.11",
+			},
+		},
 		{
 			name: "sad path: ApplyLayers returns an error",
 			args: args{
@@ -950,3 +1078,54 @@ func TestScanner_Scan(t *testing.T) {
 		})
 	}
 }
+
+func Test_skipped(t *testing.T) {
+	type args struct {
+		filePath        string
+		skipDirectories []string
+	}
+	tests := []struct {
+		name string
+		args args
+		want bool
+	}{
+		{
+			name: "no skip directory",
+			args: args{
+				filePath:        "app/Gemfile.lock",
+				skipDirectories: []string{},
+			},
+			want: false,
+		},
+		{
+			name: "skip directory with the leading slash",
+			args: args{
+				filePath:        "app/Gemfile.lock",
+				skipDirectories: []string{"/app"},
+			},
+			want: true,
+		},
+		{
+			name: "skip directory without a slash",
+			args: args{
+				filePath:        "usr/lib/ruby/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock",
+				skipDirectories: []string{"/usr/lib/ruby"},
+			},
+			want: true,
+		},
+		{
+			name: "not skipped",
+			args: args{
+				filePath:        "usr/lib/ruby/gems/2.5.0/gems/http_parser.rb-0.6.0/Gemfile.lock",
+				skipDirectories: []string{"lib/ruby"},
+			},
+			want: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := skipped(tt.args.filePath, tt.args.skipDirectories)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

pkg/types/scanoptions.go

@@ -4,4 +4,5 @@ type ScanOptions struct {
 	VulnType            []string
 	ScanRemovedPackages bool
 	ListAllPackages     bool
+	SkipDirectories     []string
 }

pkg/utils/utils.go

@@ -3,12 +3,18 @@ package utils
 import (
 	"fmt"
 	"io"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
+	"testing"
 
-	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/stretchr/testify/require"
 	"golang.org/x/xerrors"
+
+	fixtures "github.com/aquasecurity/bolt-fixtures"
+	"github.com/aquasecurity/trivy-db/pkg/db"
+	"github.com/aquasecurity/trivy/pkg/log"
 )
 
 var cacheDir string
@@ -119,3 +125,26 @@ func CopyFile(src, dst string) (int64, error) {
 	n, err := io.Copy(destination, source)
 	return n, err
 }
+
+// InitTestDB is a utility function initializing BoltDB for unit testing
+func InitTestDB(t *testing.T, fixtureFiles []string) string {
+	// Create a temp dir
+	dir, err := ioutil.TempDir("", "TestDB")
+	require.NoError(t, err)
+
+	dbPath := db.Path(dir)
+	dbDir := filepath.Dir(dbPath)
+	err = os.MkdirAll(dbDir, 0700)
+	require.NoError(t, err)
+
+	// Load testdata into BoltDB
+	loader, err := fixtures.New(dbPath, fixtureFiles)
+	require.NoError(t, err)
+	require.NoError(t, loader.Load())
+	require.NoError(t, loader.Close())
+
+	// Initialize DB
+	require.NoError(t, db.Init(dir))
+
+	return dir
+}

pkg/vulnerability/vulnerability_test.go

@@ -5,19 +5,15 @@ import (
 	"os"
 	"testing"
 
-	"golang.org/x/xerrors"
-
-	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
-
-	"github.com/aquasecurity/trivy/pkg/log"
-	"github.com/aquasecurity/trivy/pkg/types"
-
-	"github.com/aquasecurity/trivy-db/pkg/db"
-
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/xerrors"
 
+	"github.com/aquasecurity/trivy-db/pkg/db"
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
+	"github.com/aquasecurity/trivy/pkg/log"
+	"github.com/aquasecurity/trivy/pkg/types"
 )
 
 func TestMain(m *testing.M) {
@@ -36,19 +32,19 @@ func TestClient_FillInfo(t *testing.T) {
 	}
 	tests := []struct {
 		name                    string
-		getSeverity             []db.GetSeverityExpectation
-		getVulnerability        []db.GetVulnerabilityExpectation
+		getSeverity             []db.OperationGetSeverityExpectation
+		getVulnerability        []db.OperationGetVulnerabilityExpectation
 		args                    args
 		expectedVulnerabilities []types.DetectedVulnerability
 	}{
 		{
 			name: "happy path, with only OS vulnerability but no vendor severity, no NVD",
-			getVulnerability: []db.GetVulnerabilityExpectation{
+			getVulnerability: []db.OperationGetVulnerabilityExpectation{
 				{
-					Args: db.GetVulnerabilityArgs{
+					Args: db.OperationGetVulnerabilityArgs{
 						VulnerabilityID: "CVE-2019-0001",
 					},
-					Returns: db.GetVulnerabilityReturns{
+					Returns: db.OperationGetVulnerabilityReturns{
 						Vulnerability: dbTypes.Vulnerability{
 							Title:       "dos",
 							Description: "dos vulnerability",
@@ -78,12 +74,12 @@ func TestClient_FillInfo(t *testing.T) {
 		},
 		{
 			name: "happy path, with only OS vulnerability but no vendor severity, yes NVD",
-			getVulnerability: []db.GetVulnerabilityExpectation{
+			getVulnerability: []db.OperationGetVulnerabilityExpectation{
 				{
-					Args: db.GetVulnerabilityArgs{
+					Args: db.OperationGetVulnerabilityArgs{
 						VulnerabilityID: "CVE-2019-0001",
 					},
-					Returns: db.GetVulnerabilityReturns{
+					Returns: db.OperationGetVulnerabilityReturns{
 						Vulnerability: dbTypes.Vulnerability{
 							Title:       "dos",
 							Description: "dos vulnerability",
@@ -116,12 +112,12 @@ func TestClient_FillInfo(t *testing.T) {
 		},
 		{
 			name: "happy path, with only OS vulnerability but no severity, no vendor severity, no NVD",
-			getVulnerability: []db.GetVulnerabilityExpectation{
+			getVulnerability: []db.OperationGetVulnerabilityExpectation{
 				{
-					Args: db.GetVulnerabilityArgs{
+					Args: db.OperationGetVulnerabilityArgs{
 						VulnerabilityID: "CVE-2019-0001",
 					},
-					Returns: db.GetVulnerabilityReturns{
+					Returns: db.OperationGetVulnerabilityReturns{
 						Vulnerability: dbTypes.Vulnerability{
 							Title:       "dos",
 							Description: "dos vulnerability",
@@ -149,12 +145,12 @@ func TestClient_FillInfo(t *testing.T) {
 		},
 		{
 			name: "happy path, with only OS vulnerability, yes vendor severity, with both NVD and CVSS info",
-			getVulnerability: []db.GetVulnerabilityExpectation{
+			getVulnerability: []db.OperationGetVulnerabilityExpectation{
 				{
-					Args: db.GetVulnerabilityArgs{
+					Args: db.OperationGetVulnerabilityArgs{
 						VulnerabilityID: "CVE-2019-0001",
 					},
-					Returns: db.GetVulnerabilityReturns{
+					Returns: db.OperationGetVulnerabilityReturns{
 						Vulnerability: dbTypes.Vulnerability{
 							Title:       "dos",
 							Description: "dos vulnerability",
@@ -218,12 +214,12 @@ func TestClient_FillInfo(t *testing.T) {
 		},
 		{
 			name: "happy path, with only OS vulnerability, yes vendor severity, with both NVD and deprecated vendor vectors",
-			getVulnerability: []db.GetVulnerabilityExpectation{
+			getVulnerability: []db.OperationGetVulnerabilityExpectation{
 				{
-					Args: db.GetVulnerabilityArgs{
+					Args: db.OperationGetVulnerabilityArgs{
 						VulnerabilityID: "CVE-2019-0001",
 					},
-					Returns: db.GetVulnerabilityReturns{
+					Returns: db.OperationGetVulnerabilityReturns{
 						Vulnerability: dbTypes.Vulnerability{
 							Title:       "dos",
 							Description: "dos vulnerability",
@@ -277,12 +273,12 @@ func TestClient_FillInfo(t *testing.T) {
 		},
 		{
 			name: "happy path light db, with only OS vulnerability, yes vendor severity",
-			getVulnerability: []db.GetVulnerabilityExpectation{
+			getVulnerability: []db.OperationGetVulnerabilityExpectation{
 				{
-					Args: db.GetVulnerabilityArgs{
+					Args: db.OperationGetVulnerabilityArgs{
 						VulnerabilityID: "CVE-2019-0001",
 					},
-					Returns: db.GetVulnerabilityReturns{
+					Returns: db.OperationGetVulnerabilityReturns{
 						Vulnerability: dbTypes.Vulnerability{
 							Severity: dbTypes.SeverityMedium.String(),
 							VendorSeverity: dbTypes.VendorSeverity{
@@ -310,12 +306,12 @@ func TestClient_FillInfo(t *testing.T) {
 		},
 		{
 			name: "happy path, with only library vulnerability",
-			getVulnerability: []db.GetVulnerabilityExpectation{
+			getVulnerability: []db.OperationGetVulnerabilityExpectation{
 				{
-					Args: db.GetVulnerabilityArgs{
+					Args: db.OperationGetVulnerabilityArgs{
 						VulnerabilityID: "CVE-2020-0001",
 					},
-					Returns: db.GetVulnerabilityReturns{
+					Returns: db.OperationGetVulnerabilityReturns{
 						Vulnerability: dbTypes.Vulnerability{
 							Title:       "COVID-19",
 							Description: "a nasty virus vulnerability for humans",
@@ -349,12 +345,12 @@ func TestClient_FillInfo(t *testing.T) {
 		},
 		{
 			name: "GetVulnerability returns an error",
-			getVulnerability: []db.GetVulnerabilityExpectation{
+			getVulnerability: []db.OperationGetVulnerabilityExpectation{
 				{
-					Args: db.GetVulnerabilityArgs{
+					Args: db.OperationGetVulnerabilityArgs{
 						VulnerabilityID: "CVE-2019-0004",
 					},
-					Returns: db.GetVulnerabilityReturns{
+					Returns: db.OperationGetVulnerabilityReturns{
 						Err: xerrors.New("failed"),
 					},
 				},