docs: add ACR navigator (#1651)

Co-authored-by: knqyf263 <knqyf263@gmail.com>

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: daily
+- package-ecosystem: docker
+  directory: /
+  schedule:
+    interval: daily

.github/pull_request_template.md

@@ -0,0 +1,18 @@
+## Description
+
+## Related issues
+- Close #XXX
+
+## Related PRs
+- [ ] #XXX
+- [ ] #YYY
+
+Remove this section if you don't have related PRs.
+
+## Checklist
+- [ ] I've read the [guidelines for contributing](https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md) to this repository.
+- [ ] I've followed the [conventions](https://github.com/aquasecurity/trivy/blob/main/CONTRIBUTING.md#title) in the PR title.
+- [ ] I've added tests that prove my fix is effective or that my feature works.
+- [ ] I've updated the [documentation](https://github.com/aquasecurity/trivy/blob/main/docs) with the relevant information (if needed).
+- [ ] I've added usage information (if the PR introduces new options)
+- [ ] I've included a "before" and "after" example to the description (if the PR is a user interface change).

.github/workflows/publish-chart.yaml

@@ -1,45 +1,82 @@
-name: Publish Chart Helm
+
+name: Publish Helm chart
+
 on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'helm/trivy/**'
   push:
     branches: [main]
     paths:
       - 'helm/trivy/**'
-  workflow_dispatch:
 env:
   HELM_REP: helm-charts
   GH_OWNER: aquasecurity
   CHART_DIR: helm/trivy
+  KIND_VERSION: "v0.11.1"
+  KIND_IMAGE: "kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6"
 jobs:
-  release:
+  test-chart:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
         with:
           fetch-depth: 0
       - name: Install Helm
-        uses: azure/setup-helm@v1
+        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab #v1.1
         with:
           version: v3.5.0
+      - name: Set up python
+        uses: actions/setup-python@0066b88440aa9562be742e2c60ee750fc57d8849 #v2.3.0
+        with:
+          python-version: 3.7
+      - name: Setup Chart Linting
+        id: lint
+        uses: helm/chart-testing-action@6b64532d456fa490a3da177fbd181ac4c8192b58 #v2.1.0
+      - name: Setup Kubernetes cluster (KIND)
+        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 #v1.2.0
+        with:
+          version: ${{ env.KIND_VERSION }}
+          image: ${{ env.KIND_IMAGE }}
+      - name: Run chart-testing
+        run: ct lint-and-install --validate-maintainers=false --charts helm/trivy
+      - name: Run chart-testing (Ingress enabled)
+        run: |
+          sed -i -e '97s,false,'true',g' ./helm/trivy/values.yaml
+          ct lint-and-install --validate-maintainers=false --charts helm/trivy
+
+  publish-chart:
+    if: github.event_name == 'push'
+    needs:
+      - test-chart
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+        with:
+          fetch-depth: 0
       - name: Install chart-releaser
         run: |
-          wget https://github.com/helm/chart-releaser/releases/download/v1.1.1/chart-releaser_1.1.1_linux_amd64.tar.gz
-          tar xzvf chart-releaser_1.1.1_linux_amd64.tar.gz cr
+          wget https://github.com/helm/chart-releaser/releases/download/v1.3.0/chart-releaser_1.3.0_linux_amd64.tar.gz
+          echo "baed2315a9bb799efb71d512c5198a2a3b8dcd139d7f22f878777cffcd649a37  chart-releaser_1.3.0_linux_amd64.tar.gz" | sha256sum -c -
+          tar xzvf chart-releaser_1.3.0_linux_amd64.tar.gz cr
       - name: Package helm chart
         run: |
           ./cr package ${{ env.CHART_DIR }}
       - name: Upload helm chart
         # Failed with upload the same version: https://github.com/helm/chart-releaser/issues/101
         continue-on-error: true
-        ## Upload the tar in the Releases repository
         run: |
           ./cr upload -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} --token ${{ secrets.ORG_REPO_TOKEN }} -p .cr-release-packages
       - name: Index helm chart
         run: |
           ./cr index -o ${{ env.GH_OWNER }} -r ${{ env.HELM_REP }} -c https://${{ env.GH_OWNER }}.github.io/${{ env.HELM_REP }}/ -i index.yaml
-
       - name: Push index file
-        uses: dmnemec/copy_file_to_another_repo_action@v1.0.4
+        uses: dmnemec/copy_file_to_another_repo_action@c93037aa10fa8893de271f19978c980d0c1a9b37 #v1.1.1
         env:
           API_TOKEN_GITHUB: ${{ secrets.ORG_REPO_TOKEN }}
         with:

.github/workflows/release.yaml

@@ -4,7 +4,7 @@ on:
     tags:
       - "v*"
 env:
-  GO_VERSION: "1.16"
+  GO_VERSION: "1.17"
   GH_USER: "aqua-bot"
 jobs:
   release:
@@ -57,15 +57,14 @@ jobs:
           username: ${{ secrets.ECR_ACCESS_KEY_ID }}
           password: ${{ secrets.ECR_SECRET_ACCESS_KEY }}
       - name: Generate SBOM
-        uses: CycloneDX/gh-gomod-generate-sbom@v0.3.0
+        uses: CycloneDX/gh-gomod-generate-sbom@v1
         with:
-          json: true
-          output: bom.json
-          version: ^v0
+          args: mod -licenses -json -output bom.json
+          version: ^v1
       - name: Release
         uses: goreleaser/goreleaser-action@v2
         with:
-          version: v0.164.0
+          version: v0.183.0
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.ORG_REPO_TOKEN }}

.github/workflows/stale-issues.yaml

@@ -7,7 +7,7 @@ jobs:
     timeout-minutes: 1
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v3
+    - uses: actions/stale@v4
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue is stale because it has been labeled with inactivity.'

.github/workflows/test.yaml

@@ -10,7 +10,7 @@ on:
       - 'LICENSE'
   pull_request:
 env:
-  GO_VERSION: "1.16"
+  GO_VERSION: "1.17"
 jobs:
   test:
     name: Test
@@ -75,7 +75,7 @@ jobs:
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@v2
       with:
-        version: v0.164.0
+        version: v0.183.0
         args: release --snapshot --rm-dist --skip-publish
 
   build-documents:

.gitignore

@@ -27,3 +27,6 @@ integration/testdata/fixtures/images
 
 # SBOMs generated during CI
 /bom.json
+
+# goreleaser output
+dist

CONTRIBUTING.md

@@ -1,28 +1,104 @@
-Thank you for taking interest in contributing to Trivy !
+Thank you for taking interest in contributing to Trivy!
 
 ## Issues
 - Feel free to open issues for any reason. When you open a new issue, you'll have to select an issue kind: bug/feature/support and fill the required information based on the selected template.
 - Please spend a small amount of time giving due diligence to the issue tracker. Your issue might be a duplicate. If it is, please add your comment to the existing issue.
-- Remember users might be searching for your issue in the future, so please give it a meaningful title to help others.
+- Remember that users might search for your issue in the future, so please give it a meaningful title to help others.
 - The issue should clearly explain the reason for opening, the proposal if you have any, and any relevant technical information.
 
 ## Pull Requests
 
 1. Every Pull Request should have an associated bug or feature issue unless you are fixing a trivial documentation issue.
-1. Your PR is more likely to be accepted if it focuses on just one change.
-1. Describe what the PR does. There's no convention enforced, but please try to be concise and descriptive. Treat the PR description as a commit message. Titles that starts with "fix"/"add"/"improve"/"remove" are good examples.
-1. Please add the associated Issue in the PR description.
-1. There's no need to add or tag reviewers.
-1. If a reviewer commented on your code or asked for changes, please remember to mark the discussion as resolved after you address it. PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
-1. Please include a comment with the results before and after your change.
-1. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
-1. If your PR affects the user experience in some way, please update the Readme and the CLI help accordingly.
+4. Please add the associated Issue link in the PR description.
+2. Your PR is more likely to be accepted if it focuses on just one change.
+5. There's no need to add or tag reviewers.
+6. If a reviewer commented on your code or asked for changes, please remember to respond with comment. Do not mark discussion as resolved. It's up to reviewer to mark it resolved (in case if suggested fix addresses problem properly). PRs with unresolved issues should not be merged (even if the comment is unclear or requires no action from your side).
+7. Please include a comment with the results before and after your change.
+8. Your PR is more likely to be accepted if it includes tests (We have not historically been very strict about tests, but we would like to improve this!).
+9. If your PR affects the user experience in some way, please update the README.md and the CLI help accordingly.
+
+### Title
+It is not that strict, but we use the title conventions in this repository.
+Each commit message doesn't have to follow the conventions as long as it is clear and descriptive since it will be squashed and merged.
+
+#### Format of the title
+
+```
+<type>(<scope>): <subject>
+```
+
+The `type` and `scope` should always be lowercase as shown below.
+
+**Allowed `<type>` values:**
+  - **feat** for a new feature for the user, not a new feature for build script. Such commit will trigger a release bumping a MINOR version.
+  - **fix** for a bug fix for the user, not a fix to a build script. Such commit will trigger a release bumping a PATCH version.
+  - **perf** for performance improvements. Such commit will trigger a release bumping a PATCH version.
+  - **docs** for changes to the documentation.
+  - **style** for formatting changes, missing semicolons, etc.
+  - **refactor** for refactoring production code, e.g. renaming a variable.
+  - **test** for adding missing tests, refactoring tests; no production code change.
+  - **build** for updating build configuration, development tools or other changes irrelevant to the user.
+  - **chore** for updates that do not apply to the above, such as dependency updates.
+
+**Example `<scope>` values:**
+- alpine
+- redhat
+- ruby
+- python
+- terraform
+- report
+- etc.
+ 
+The `<scope>` can be empty (e.g. if the change is a global or difficult to assign to a single component), in which case the parentheses are omitted.
+
+#### Example titles
+
+```
+feat(alma): add support for AlmaLinux
+```
+
+```
+fix(oracle): handle advisories with ksplice versions
+```
+
+```
+docs(misconf): add comparison with Conftest and TFsec
+```
+
+```
+chore(deps): bump go.uber.org/zap from 1.19.1 to 1.20.0
+```
+
+**NOTE**: please do not use `chore(deps): update fanal` and something like that if you add new features or fix bugs in Trivy-related projects.
+The PR title should describe what the PR adds or fixes even though it just updates the dependency in Trivy.
+
+### Unit tests
+Your PR must pass all the unit tests. You can test it as below.
+
+```
+$ make test
+```
+
+### Integration tests
+Your PR must pass all the integration tests. You can test it as below.
+
+```
+$ make test-integration
+```
+
+### Documentation
+You can build the documents as below and view it at http://localhost:8000.
+
+```
+$ make mkdocs-serve
+```
 
 ## Understand where your pull request belongs
 
 Trivy is composed of several different repositories that work together:
 
 - [Trivy](https://github.com/aquasecurity/trivy) is the client-side, user-facing, command line tool.
-- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. This of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
+- [vuln-list](https://github.com/aquasecurity/vuln-list) is a vulnerabilities database, aggregated from different sources, and normalized for easy consumption. Think of this as the "server" side of the trivy command line tool. **There should be no pull requests to this repo** 
 - [vuln-list-update](https://github.com/aquasecurity/vuln-list-update) is the code that maintains the vuln-list database.
-- [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information containers. It is being used by Trivy to find testable subjects in the container image.
+- [trivy-db](https://github.com/aquasecurity/trivy-db) maintains the vulnerability database pulled by Trivy CLI.
+- [fanal](https://github.com/aquasecurity/fanal) is a library for extracting system information from containers. It is being used by Trivy to find testable subjects in the container image.

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.14
+FROM alpine:3.15.0
 RUN apk --no-cache add ca-certificates git
 COPY trivy /usr/local/bin/trivy
 COPY contrib/*.tpl contrib/

README.md

@@ -165,7 +165,7 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 # Features
 
 - Comprehensive vulnerability detection
-  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+  - OS packages (Alpine Linux, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
   - **Language-specific packages** (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
 - Misconfiguration detection (IaC scanning) 
   - A wide variety of built-in policies are provided **out of the box**
@@ -193,6 +193,12 @@ Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
 # Documentation
 The official documentation, which provides detailed installation, configuration, and quick start guides, is available at https://aquasecurity.github.io/trivy/.
 
+---
+
+Trivy is an [Aqua Security][aquasec] open source project.  
+Learn about our open source work and portfolio [here][oss].  
+Contact us about any matter by opening a GitHub Discussion [here][discussions]
+
 [test]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml
 [test-img]: https://github.com/aquasecurity/trivy/actions/workflows/test.yaml/badge.svg
 [go-report]: https://goreportcard.com/report/github.com/aquasecurity/trivy
@@ -207,3 +213,7 @@ The official documentation, which provides detailed installation, configuration,
 [alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
 [action]: https://github.com/aquasecurity/trivy-action
 [vscode]: https://github.com/aquasecurity/trivy-vscode-extension
+
+[aquasec]: https://aquasec.com
+[oss]: https://www.aquasec.com/products/open-source-projects/
+[discussions]: https://github.com/aquasecurity/trivy/discussions

ci/deploy-deb.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 DEBIAN_RELEASES=$(debian-distro-info --supported)
-UBUNTU_RELEASES=$(ubuntu-distro-info --supported)
+UBUNTU_RELEASES=$(sort -u <(ubuntu-distro-info --supported-esm) <(ubuntu-distro-info --supported))
 
 cd trivy-repo/deb
 
@@ -9,12 +9,14 @@ for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Removing deb package of $release"
   reprepro -A i386 remove $release trivy
   reprepro -A amd64 remove $release trivy
+  reprepro -A arm64 remove $release trivy
 done
 
 for release in ${DEBIAN_RELEASES[@]} ${UBUNTU_RELEASES[@]}; do
   echo "Adding deb package to $release"
   reprepro includedeb $release ../../dist/*Linux-64bit.deb
   reprepro includedeb $release ../../dist/*Linux-32bit.deb
+  reprepro includedeb $release ../../dist/*Linux-ARM64.deb
 done
 
 git add .

contrib/Trivy.gitlab-ci.yml

@@ -10,7 +10,7 @@ Trivy_container_scanning:
     IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
   allow_failure: true
   before_script:
-    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.4.3}
+    - export TRIVY_VERSION=${TRIVY_VERSION:-v0.19.2}
     - apk add --no-cache curl docker-cli
     - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
     - curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin ${TRIVY_VERSION}

contrib/asff.tpl

@@ -19,12 +19,12 @@
     {
         "SchemaVersion": "2018-10-08",
         "Id": "{{ $target }}/{{ .VulnerabilityID }}",
-        "ProductArn": "arn:aws:securityhub:{{ getEnv "AWS_REGION" }}::product/aquasecurity/aquasecurity",
+        "ProductArn": "arn:aws:securityhub:{{ env "AWS_REGION" }}::product/aquasecurity/aquasecurity",
         "GeneratorId": "Trivy",
-        "AwsAccountId": "{{ getEnv "AWS_ACCOUNT_ID" }}",
+        "AwsAccountId": "{{ env "AWS_ACCOUNT_ID" }}",
         "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "{{ getCurrentTime }}",
-        "UpdatedAt": "{{ getCurrentTime }}",
+        "CreatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
+        "UpdatedAt": "{{ now | date "2006-01-02T15:04:05.999999999Z07:00" }}",
         "Severity": {
             "Label": "{{ $severity }}"
         },
@@ -42,7 +42,7 @@
                 "Type": "Container",
                 "Id": "{{ $target }}",
                 "Partition": "aws",
-                "Region": "{{ getEnv "AWS_REGION" }}",
+                "Region": "{{ env "AWS_REGION" }}",
                 "Details": {
                     "Container": { "ImageName": "{{ $target }}" },
                     "Other": {
@@ -51,10 +51,10 @@
                         "PkgName": "{{ .PkgName }}",
                         "Installed Package": "{{ .InstalledVersion }}",
                         "Patched Package": "{{ .FixedVersion }}",
-                        "NvdCvssScoreV3": "{{ (index .CVSS "nvd").V3Score }}",
-                        "NvdCvssVectorV3": "{{ (index .CVSS "nvd").V3Vector }}",
-                        "NvdCvssScoreV2": "{{ (index .CVSS "nvd").V2Score }}",
-                        "NvdCvssVectorV2": "{{ (index .CVSS "nvd").V2Vector }}"
+                        "NvdCvssScoreV3": "{{ (index .CVSS (sourceID "nvd")).V3Score }}",
+                        "NvdCvssVectorV3": "{{ (index .CVSS (sourceID "nvd")).V3Vector }}",
+                        "NvdCvssScoreV2": "{{ (index .CVSS (sourceID "nvd")).V2Score }}",
+                        "NvdCvssVectorV2": "{{ (index .CVSS (sourceID "nvd")).V2Vector }}"
                     }
                 }
             }

contrib/example_policy/advanced.rego

@@ -5,30 +5,42 @@ import data.lib.trivy
 default ignore = false
 
 nvd_v3_vector = v {
-	v := input.CVSS.nvd.v3
+	v := input.CVSS.nvd.V3Vector
+}
+
+redhat_v3_vector = v {
+	v := input.CVSS.redhat.V3Vector
 }
 
 # Ignore a vulnerability which requires high privilege
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.PrivilegesRequired == "High"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.PrivilegesRequired == "High"
+
+        # Check against RedHat scores as well as NVD
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.PrivilegesRequired == "High"
 }
 
 # Ignore a vulnerability which requires user interaction
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.UserInteraction == "Required"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.UserInteraction == "Required"
+
+        # Check against RedHat scores as well as NVD
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.UserInteraction == "Required"
 }
 
 ignore {
 	input.PkgName == "openssl"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 }
 
 ignore {
@@ -50,11 +62,11 @@ ignore {
 	input.PkgName == "bash"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local", "Adjacent"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 
 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
@@ -64,11 +76,11 @@ ignore {
 	input.PkgName == "django"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate Attack Vector
 	ignore_attack_vectors := {"Physical", "Local"}
-	cvss_vector.AttackVector == ignore_attack_vectors[_]
+	nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
 
 	# Evaluate severity
 	input.Severity == {"LOW", "MEDIUM"}[_]
@@ -86,7 +98,7 @@ ignore {
 	input.PkgName == "jquery"
 
 	# Split CVSSv3 vector
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
 
 	# Evaluate CWE-ID
 	deny_cwe_ids := {"CWE-79"} # XSS

contrib/example_policy/basic.rego

@@ -9,7 +9,11 @@ ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"}
 ignore_severities := {"LOW", "MEDIUM"}
 
 nvd_v3_vector = v {
-	v := input.CVSS.nvd.v3
+	v := input.CVSS.nvd.V3Vector
+}
+
+redhat_v3_vector = v {
+	v := input.CVSS.redhat.V3Vector
 }
 
 ignore {
@@ -22,20 +26,29 @@ ignore {
 
 # Ignore a vulnerability which is not remotely exploitable
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.AttackVector != "Network"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.AttackVector != "Network"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.AttackVector != "Network"
 }
 
 # Ignore a vulnerability which requires high privilege
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.PrivilegesRequired == "High"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.PrivilegesRequired == "High"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.PrivilegesRequired == "High"
 }
 
 # Ignore a vulnerability which requires user interaction
 ignore {
-	cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
-	cvss_vector.UserInteraction == "Required"
+	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
+	nvd_cvss_vector.UserInteraction == "Required"
+
+	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
+	redhat_cvss_vector.UserInteraction == "Required"
 }
 
 # Ignore CSRF

contrib/gitlab-codequality.tpl

@@ -14,6 +14,7 @@
       "check_name": "container_scanning",
       "categories": [ "Security" ],
       "description": "{{ .VulnerabilityID }}: {{ .Title }}",
+      "fingerprint": "{{ .VulnerabilityID | sha1sum }}",
       "content": {{ .Description | printf "%q" }},
       "severity": {{ if eq .Severity "LOW" -}}
                     "info"
@@ -35,4 +36,4 @@
     }
     {{- end -}}
   {{- end }}
-]
+]

contrib/html.tpl

@@ -52,7 +52,7 @@
       }
       a.toggle-more-links { cursor: pointer; }
     </style>
-    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</title>
+    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }} </title>
     <script>
       window.onload = function() {
         document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -82,7 +82,7 @@
     </script>
   </head>
   <body>
-    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ getCurrentTime }}</h1>
+    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>
     <table>
     {{- range . }}
       <tr class="group-header"><th colspan="6">{{ escapeXML .Type }}</th></tr>
@@ -112,6 +112,31 @@
       </tr>
         {{- end }}
       {{- end }}
+      {{- if (eq (len .Misconfigurations ) 0) }}
+      <tr><th colspan="6">No Misconfigurations found</th></tr>
+      {{- else }}
+      <tr class="sub-header">
+        <th>Type</th>
+        <th>Misconf ID</th>
+        <th>Check</th>
+        <th>Severity</th>
+        <th>Message</th>
+      </tr>
+        {{- range .Misconfigurations }}
+      <tr class="severity-{{ escapeXML .Severity }}">
+        <td class="misconf-type">{{ escapeXML .Type }}</td>
+        <td>{{ escapeXML .ID }}</td>
+        <td class="misconf-check">{{ escapeXML .Title }}</td>
+        <td class="severity">{{ escapeXML .Severity }}</td>
+        <td class="link" data-more-links="off"  style="white-space:normal;"">
+          {{ escapeXML .Message }}
+          <br>
+            <a href={{ escapeXML .PrimaryURL | printf "%q" }}>{{ escapeXML .PrimaryURL }}</a>
+          </br>
+        </td>
+      </tr>
+        {{- end }}
+      {{- end }}
     {{- end }}
     </table>
 {{- else }}

contrib/install.sh

@@ -182,11 +182,11 @@ log_tag() {
 }
 log_debug() {
   log_priority 7 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 7)" "$@"
+  echo "$(log_prefix)" "$(log_tag 7)" "$@"
 }
 log_info() {
   log_priority 6 || return 0
-  echoerr "$(log_prefix)" "$(log_tag 6)" "$@"
+  echo "$(log_prefix)" "$(log_tag 6)" "$@"
 }
 log_err() {
   log_priority 3 || return 0

contrib/sarif.tpl

@@ -1,95 +0,0 @@
-{
-  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
-  "version": "2.1.0",
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "name": "Trivy",
-          "informationUri": "https://github.com/aquasecurity/trivy",
-          "fullName": "Trivy Vulnerability Scanner",
-          "version": "0.15.0",
-          "rules": [
-        {{- $t_first := true }}
-        {{- range $result := . }}
-            {{- $vulnerabilityType := .Type }}
-            {{- range .Vulnerabilities -}}
-              {{- if $t_first -}}
-                {{- $t_first = false -}}
-              {{ else -}}
-                ,
-              {{- end }}
-            {
-              "id": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
-              "name": "{{ toSarifRuleName $vulnerabilityType }}",
-              "shortDescription": {
-                "text": {{ printf "%v Package: %v" .VulnerabilityID .PkgName | printf "%q" }}
-              },
-              "fullDescription": {
-                "text": {{ endWithPeriod (escapeString .Title) | printf "%q" }}
-              },
-              "defaultConfiguration": {
-                "level": "{{ toSarifErrorLevel .Vulnerability.Severity }}"
-              }
-              {{- with $help_uri := .PrimaryURL -}}
-              ,
-              {{ $help_uri | printf "\"helpUri\": %q," -}}
-              {{- else -}}
-              ,
-              {{- end }}
-              "help": {
-                "text": {{ printf "Vulnerability %v\nSeverity: %v\nPackage: %v\nInstalled Version: %v\nFixed Version: %v\nLink: [%v](%v)" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}},
-                "markdown": {{ printf "**Vulnerability %v**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|%v|%v|%v|%v|[%v](%v)|\n" .VulnerabilityID .Vulnerability.Severity .PkgName .InstalledVersion .FixedVersion .VulnerabilityID .PrimaryURL | printf "%q"}}
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "{{ .Vulnerability.Severity }}",
-                  {{ .PkgName | printf "%q" }}
-                ],
-                "precision": "very-high"
-              }
-            }
-            {{- end -}}
-         {{- end -}}
-          ]
-        }
-      },
-      "results": [
-    {{- $t_first := true }}
-    {{- range $result := . }}
-        {{- $filePath := .Target }}
-        {{- range $index, $vulnerability := .Vulnerabilities -}}
-          {{- if $t_first -}}
-            {{- $t_first = false -}}
-          {{ else -}}
-            ,
-          {{- end }}
-        {
-          "ruleId": {{ printf "%s: %s-%s %s" $result.Target .PkgName .InstalledVersion .VulnerabilityID | toJson }},
-          "ruleIndex": {{ $index }},
-          "level": "{{ toSarifErrorLevel $vulnerability.Vulnerability.Severity }}",
-          "message": {
-            "text": {{ endWithPeriod (escapeString $vulnerability.Description) | printf "%q" }}
-          },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "{{ toPathUri $filePath }}",
-                "uriBaseId": "ROOTPATH"
-              }
-            }
-          }]
-        }
-        {{- end -}}
-      {{- end -}}
-      ],
-      "columnKind": "utf16CodeUnits",
-      "originalUriBaseIds": {
-        "ROOTPATH": {
-          "uri": "/"
-        }
-      }
-    }
-  ]
-}

docs/advanced/air-gap.md

@@ -1,24 +1,27 @@
 # Air-Gapped Environment
 
-Trivy can be used in air-gapped environments.
+Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].
 
-## Download the vulnerability database
+## Air-Gapped Environment for vulnerabilities
+
+### Download the vulnerability database
 At first, you need to download the vulnerability database for use in air-gapped environments.
-Go to [trivy-db][trivy-db] and download `trivy-offline.db.tgz` in the latest release.
-If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--light` option.
+Please follow [oras installation instruction][oras].
+
+Download `db.tar.gz`:
 
 ```
-$ wget https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz
+$ oras pull ghcr.io/aquasecurity/trivy-db:2 -a
 ```
 
-## Transfer the DB file into the air-gapped environment
+### Transfer the DB file into the air-gapped environment
 The way of transfer depends on the environment.
 
 ```
-$ rsync -av -e ssh /path/to/trivy-offline.db.tgz [user]@[host]:dst
+$ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
 ```
 
-## Put the DB file in Trivy's cache directory
+### Put the DB file in Trivy's cache directory
 You have to know where to put the DB file. The following command shows the default cache directory.
 
 ```
@@ -32,26 +35,79 @@ Put the DB file in the cache directory + `/db`.
 ```
 $ mkdir -p /home/myuser/.cache/trivy/db
 $ cd /home/myuser/.cache/trivy/db
-$ mv /path/to/trivy-offline.db.tgz .
-```
-
-Then, decompress it.
-`trivy-offline.db.tgz` file includes two files, `trivy.db` and `metadata.json`.
-
-```
-$ tar xvf trivy-offline.db.tgz
+$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
 x trivy.db
 x metadata.json
-$ rm trivy-offline.db.tgz
+$ rm /path/to/db.tar.gz
 ```
 
 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
 
-## Run Trivy with --skip-update option
+### Run Trivy with --skip-update and --offline-scan option
 In an air-gapped environment, specify `--skip-update` so that Trivy doesn't attempt to download the latest database file.
+In addition, if you want to scan Java dependencies such as JAR and pom.xml, you need to specify `--offline-scan` since Trivy tries to issue API requests for scanning Java applications by default.
 
 ```
-$ trivy image --skip-update alpine:3.12
+$ trivy image --skip-update --offline-scan alpine:3.12
 ```
 
-[trivy-db]: https://github.com/aquasecurity/trivy-db/releases
+## Air-Gapped Environment for misconfigurations
+
+### Download misconfiguration policies
+At first, you need to download misconfiguration policies for use in air-gapped environments.
+Please follow [oras installation instruction][oras].
+
+Download `bundle.tar.gz`:
+
+```
+$ oras pull ghcr.io/aquasecurity/appshield:latest -a
+```
+
+### Transfer misconfiguration policies into the air-gapped environment
+The way of transfer depends on the environment.
+
+```
+$ rsync -av -e ssh /path/to/bundle.tar.gz [user]@[host]:dst
+```
+
+### Put the misconfiguration policies in Trivy's cache directory
+You have to know where to put the misconfiguration policies file. The following command shows the default cache directory.
+
+```
+$ ssh user@host
+$ trivy -h | grep cache
+   --cache-dir value  cache directory (default: "/home/myuser/.cache/trivy") [$TRIVY_CACHE_DIR]
+```
+
+Put the misconfiguration policies file in the cache directory + `/policy/content`.
+
+```
+$ mkdir -p /home/myuser/.cache/trivy/policy/content
+$ cd /home/myuser/.cache/trivy/policy/content
+$ mv /path/to/bundle.tar.gz .
+```
+
+Then, decompress it.
+`bundle.tar.gz ` file includes two folders: `docker`, `kubernetes` and file: `.manifest`.
+
+```
+$ tar xvf bundle.tar.gz 
+x ./docker/
+...
+x ./kubernetes/
+...
+x ./.manifest
+$ rm bundle.tar.gz
+```
+
+In an air-gapped environment it is your responsibility to update policies on a regular basis, so that the scanner can detect recently-identified misconfigurations. 
+
+### Run Trivy with --skip-policy-update option
+In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn't attempt to download the latest misconfiguration policies.
+
+```
+$ trivy conf --skip-policy-update /path/to/conf
+```
+
+[allowlist]: ../getting-started/troubleshooting.md
+[oras]: https://oras.land/cli/

docs/advanced/community/references.md

@@ -0,0 +1,19 @@
+# External References
+There are external blogs and evaluations.
+
+## Blogs
+- [the vulnerability remediation lifecycle of Alpine containers][alpine]
+- [Continuous Container Vulnerability Testing with Trivy][semaphore]
+- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
+- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
+
+## Links
+- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
+- [Istio evaluates scanners][istio]
+
+[alpine]: https://ariadne.space/2021/06/08/the-vulnerability-remediation-lifecycle-of-alpine-containers/
+[semaphore]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy
+[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
+[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
+[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888
+[istio]: https://github.com/istio/release-builder/pull/687#issuecomment-874938417

docs/advanced/community/tools.md

@@ -0,0 +1,37 @@
+# Community Tools
+The open source community has been hard at work developing new tools for Trivy. You can check out some of them here.
+
+Have you created a tool that’s not listed? Add the name and description of your integration and open a pull request in the GitHub repository to get your change merged.
+
+## GitHub Actions
+
+| Actions                                    | Description                                                                      |
+| ------------------------------------------ | -------------------------------------------------------------------------------- |
+| [gitrivy][gitrivy]                         | GitHub Issue + Trivy                                                             |
+| [trivy-github-issues][trivy-github-issues] | GitHub Actions for creating GitHub Issues according to the Trivy scanning result |
+
+## Semaphore
+
+| Name                                                   | Description                               |
+| -------------------------------------------------------| ----------------------------------------- |
+| [Continuous Vulnerability Testing with Trivy][semaphore-tutorial] | Tutorial on scanning code, containers, infrastructure, and Kubernetes with Semaphore CI/CD. |
+
+
+## CircleCI
+
+| Orb                                      | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [fifteen5/trivy-orb][fifteen5/trivy-orb] | Orb for running Trivy, a security scanner |
+
+## Others
+
+| Name                                     | Description                               |
+| -----------------------------------------| ----------------------------------------- |
+| [Trivy Vulnerability Explorer][explorer] | Explore trivy vulnerability reports in your browser and create .trivyignore files interactively. Can be integrated in your CI/CD tooling with deep links.   |
+
+
+[trivy-github-issues]: https://github.com/marketplace/actions/trivy-github-issues
+[fifteen5/trivy-orb]: https://circleci.com/developer/orbs/orb/fifteen5/trivy-orb
+[gitrivy]: https://github.com/marketplace/actions/trivy-action
+[explorer]: https://dbsystel.github.io/trivy-vulnerability-explorer/
+[semaphore-tutorial]: https://semaphoreci.com/blog/continuous-container-vulnerability-testing-with-trivy

docs/advanced/container/embed-in-dockerfile.md

@@ -10,7 +10,7 @@ FROM alpine:3.7
 
 RUN apk add curl \
     && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin \
-    && trivy filesystem --exit-code 1 --no-progress /
+    && trivy rootfs --exit-code 1 --no-progress /
 
 $ docker build -t vulnerable-image .
 ```
@@ -21,7 +21,7 @@ insecure `curl | sh`. Also the image is not changed.
 # Run vulnerability scan on build image
 FROM build AS vulnscan
 COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
-RUN trivy filesystem --exit-code 1 --no-progress /
+RUN trivy rootfs --exit-code 1 --no-progress /
 [...]
 ```
 

docs/advanced/container/unpacked-filesystem.md

@@ -1,12 +1,12 @@
 # Unpacked Filesystem
 
-Scan aan unpacked container image filesystem.
+Scan an unpacked container image filesystem.
 
 In this case, Trivy works the same way when scanning containers
 
 ```bash
 $ docker export $(docker create alpine:3.10.2) | tar -C /tmp/rootfs -xvf -
-$ trivy fs /tmp/rootfs
+$ trivy rootfs /tmp/rootfs
 ```
 
 <details>

docs/advanced/integrations/bitbucket.md

@@ -0,0 +1,5 @@
+# Bitbucket Pipelines
+
+See [trivy-pipe][trivy-pipe] for the details.
+
+[trivy-pipe]: https://github.com/aquasecurity/trivy-pipe

docs/advanced/integrations/circleci.md

@@ -19,7 +19,7 @@ jobs:
             curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
       - run:
           name: Scan the local image with trivy
-          command: trivy --exit-code 0 --no-progress trivy-ci-test:${CIRCLE_SHA1}
+          command: trivy image --exit-code 0 --no-progress trivy-ci-test:${CIRCLE_SHA1}
 workflows:
   version: 2
   release:

docs/advanced/integrations/gitlab-ci.md

@@ -1,5 +1,11 @@
 # GitLab CI
 
+If you're a GitLab Ultimate customer, GitLab 14.0 and above include out-of-the-box integration with Trivy. To enable it for your project, simply add the container scanning template to your `.gitlab-ci.yml` file. For more details, please refer to [GitLab's documentation](https://docs.gitlab.com/ee/user/application_security/container_scanning/).
+
+If you're using an earlier version of GitLab, you can still use the new integration by copying the [contents of the 14.0 template](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml) to your configuration.
+
+Alternatively, you can always use the example configurations below.
+
 ```yaml
 stages:
   - test
@@ -26,11 +32,11 @@ trivy:
     # Build image
     - docker build -t $IMAGE .
     # Build report
-    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
+    - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $IMAGE
     # Print report
-    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --severity HIGH $IMAGE
+    - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --severity HIGH $IMAGE
     # Fail on severe vulnerabilities
-    - ./trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress $IMAGE
+    - ./trivy --cache-dir .trivycache/ image --exit-code 1 --severity CRITICAL --no-progress $IMAGE
   cache:
     paths:
       - .trivycache/
@@ -73,12 +79,12 @@ container_scanning:
     # update vulnerabilities db
     - time trivy --download-db-only --no-progress --cache-dir .trivycache/
     # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
-    - time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl"
+    - time trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@/contrib/gitlab.tpl"
         --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
     # Prints full report
-    - time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress "$FULL_IMAGE_NAME"
+    - time trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress "$FULL_IMAGE_NAME"
     # Fail on critical vulnerabilities
-    - time trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
+    - time trivy --cache-dir .trivycache/ image --exit-code 1 --severity CRITICAL --no-progress "$FULL_IMAGE_NAME"
   cache:
     paths:
       - .trivycache/
@@ -129,14 +135,14 @@ trivy:
     # Build image
     - docker build -t $IMAGE .
     # Build report
-    - ./trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@contrib/gitlab-codeclimate.tpl" -o gl-codeclimate.json $IMAGE
+    - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codeclimate.json $IMAGE
   cache:
     paths:
       - .trivycache/
   # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
   artifacts:
     paths:
-      gl-codeclimate.json
+      - gl-codeclimate.json
     reports:
       codequality: gl-codeclimate.json
 ```

docs/advanced/integrations/index.md

@@ -1,4 +1,2 @@
 # Integrations
 Scan your image automatically as part of your CI workflow, failing the workflow if a vulnerability is found. When you don't want to fail the test, specify `--exit-code 0`.
-
-Since in automated scenarios such as CI/CD you are only interested in the end result, and not the full report, use the `--light` flag to optimize for this scenario and get fast results.

docs/advanced/integrations/travis-ci.md

@@ -15,8 +15,8 @@ before_install:
   - wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz
   - tar zxvf trivy_${VERSION}_Linux-64bit.tar.gz
 script:
-  - ./trivy --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${COMMIT}
-  - ./trivy --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${COMMIT}
+  - ./trivy image --exit-code 0 --severity HIGH --no-progress trivy-ci-test:${COMMIT}
+  - ./trivy image --exit-code 1 --severity CRITICAL --no-progress trivy-ci-test:${COMMIT}
 cache:
   directories:
     - $HOME/.cache/trivy

docs/advanced/private-registries/acr.md

@@ -0,0 +1,27 @@
+# Requirements
+None, Trivy uses Azure SDK for Go. You don't need to install `az` command.
+
+# Privileges
+Service principal must have the `AcrPull` permissions.
+
+## Creation of a service principal
+```bash
+export SP_DATA=$(az ad sp create-for-rbac --name TrivyTest --role AcrPull --scope "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ContainerRegistry/registries/<registry_name>")
+```
+
+# Usage
+```bash
+# must set TRIVY_USERNAME empty char
+export AZURE_CLIENT_ID$(echo $SP_DATA | jq -r .appId)
+export AZURE_CLIENT_SECRET$(echo $SP_DATA | jq -r .password)
+export AZURE_TENANT_ID$(echo $SP_DATA | jq -r .tenant)
+```
+
+# Testing
+You can test credentials in the following manner.
+
+```bash
+docker run -it --rm -v /tmp:/tmp\
+  -e AZURE_CLIENT_ID=${AZURE_CLIENT_ID} -e AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET} \
+  -e AZURE_TENANT_ID=${AZURE_TENANT_ID} aquasec/trivy image your_special_project.azurecr.io/your_special_image:your_special_tag
+```

docs/advanced/private-registries/gcr.md

@@ -1,7 +1,40 @@
-Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
+# Requirements
+None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
 
-If you want to use target project's repository, you can settle via `GOOGLE_APPLICATION_CREDENTIAL`.
+# Privileges
+Credential file must have the `roles/storage.objectViewer` permissions.
+More information can be found in [Google's documentation](https://cloud.google.com/container-registry/docs/access-control)
+
+## JSON File Format
+The JSON file specified should have the following format provided by google's service account mechanisms:
+
+```json
+{
+  "type": "service_account",
+  "project_id": "your_special_project",
+  "private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
+  "client_email": "somedude@your_special_project.iam.gserviceaccount.com",
+  "client_id": "1234567890",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com"
+}
+```
+
+# Usage
+If you want to use target project's repository, you can set them via `GOOGLE_APPLICATION_CREDENTIALS`.
 ```bash
 # must set TRIVY_USERNAME empty char
 export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
 ```
+
+# Testing
+You can test credentials in the following manner (assuming they are in `/tmp` on host machine).
+
+```bash
+docker run -it --rm -v /tmp:/tmp\
+  -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\
+  aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag
+```

docs/getting-started/cli/client.md

@@ -9,7 +9,7 @@ USAGE:
 
 OPTIONS:
    --template value, -t value  output template [$TRIVY_TEMPLATE]
-   --format value, -f value    format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value    format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
    --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
    --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
    --output value, -o value    output file name [$TRIVY_OUTPUT]
@@ -22,6 +22,7 @@ OPTIONS:
    --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
    --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --token value               for authentication [$TRIVY_TOKEN]
    --token-header value        specify a header name for token (default: "Trivy-Token") [$TRIVY_TOKEN_HEADER]
    --remote value              server address (default: "http://localhost:4954") [$TRIVY_REMOTE]

docs/getting-started/cli/config.md

@@ -9,7 +9,7 @@ USAGE:
 
 OPTIONS:
    --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
    --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
    --output value, -o value                       output file name [$TRIVY_OUTPUT]
    --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]

docs/getting-started/cli/fs.md

@@ -9,8 +9,7 @@ USAGE:
 
 OPTIONS:
    --template value, -t value                     output template [$TRIVY_TEMPLATE]
-   --format value, -f value                       format (table, json, template) (default: "table") [$TRIVY_FORMAT]
-   --input value, -i value                        input file path instead of image name [$TRIVY_INPUT]
+   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
    --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
    --output value, -o value                       output file name [$TRIVY_OUTPUT]
    --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
@@ -18,7 +17,6 @@ OPTIONS:
    --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
    --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
    --ignore-unfixed                               display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
-   --removed-pkgs                                 detect vulnerabilities of removed packages (only for Alpine) (default: false) [$TRIVY_REMOVED_PKGS]
    --vuln-type value                              comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
    --security-checks value                        comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
    --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
@@ -27,6 +25,7 @@ OPTIONS:
    --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
    --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]

docs/getting-started/cli/image.md

@@ -9,7 +9,7 @@ USAGE:
 
 OPTIONS:
    --template value, -t value  output template [$TRIVY_TEMPLATE]
-   --format value, -f value    format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value    format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
    --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
    --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
    --output value, -o value    output file name [$TRIVY_OUTPUT]
@@ -24,9 +24,9 @@ OPTIONS:
    --vuln-type value           comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
    --ignorefile value          specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
    --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --light                     light mode: it's faster, but vulnerability descriptions and references are not displayed (default: false) [$TRIVY_LIGHT]
    --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value          specify the file path to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value           specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --cache-backend value       cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]

docs/getting-started/cli/repo.md

@@ -9,7 +9,7 @@ USAGE:
 
 OPTIONS:
    --template value, -t value  output template [$TRIVY_TEMPLATE]
-   --format value, -f value    format (table, json, template) (default: "table") [$TRIVY_FORMAT]
+   --format value, -f value    format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
    --input value, -i value     input file path instead of image name [$TRIVY_INPUT]
    --severity value, -s value  severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
    --output value, -o value    output file name [$TRIVY_OUTPUT]
@@ -25,6 +25,7 @@ OPTIONS:
    --no-progress               suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
    --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
    --skip-files value          specify the file path to skip traversal [$TRIVY_SKIP_FILES]
    --skip-dirs value           specify the directory where the traversal is skipped [$TRIVY_SKIP_DIRS]
    --help, -h                  show help (default: false)

docs/getting-started/cli/rootfs.md

@@ -0,0 +1,35 @@
+# Rootfs
+
+```bash
+NAME:
+   trivy rootfs - scan rootfs
+
+USAGE:
+   trivy rootfs [command options] dir
+
+OPTIONS:
+   --template value, -t value                     output template [$TRIVY_TEMPLATE]
+   --format value, -f value                       format (table, json, sarif, template) (default: "table") [$TRIVY_FORMAT]
+   --severity value, -s value                     severities of vulnerabilities to be displayed (comma separated) (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL") [$TRIVY_SEVERITY]
+   --output value, -o value                       output file name [$TRIVY_OUTPUT]
+   --exit-code value                              Exit code when vulnerabilities were found (default: 0) [$TRIVY_EXIT_CODE]
+   --skip-db-update, --skip-update                skip updating vulnerability database (default: false) [$TRIVY_SKIP_UPDATE, $TRIVY_SKIP_DB_UPDATE]
+   --skip-policy-update                           skip updating built-in policies (default: false) [$TRIVY_SKIP_POLICY_UPDATE]
+   --clear-cache, -c                              clear image caches without scanning (default: false) [$TRIVY_CLEAR_CACHE]
+   --ignore-unfixed                               display only fixed vulnerabilities (default: false) [$TRIVY_IGNORE_UNFIXED]
+   --vuln-type value                              comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
+   --security-checks value                        comma-separated list of what security issues to detect (vuln,config) (default: "vuln") [$TRIVY_SECURITY_CHECKS]
+   --ignorefile value                             specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
+   --cache-backend value                          cache backend (e.g. redis://localhost:6379) (default: "fs") [$TRIVY_CACHE_BACKEND]
+   --timeout value                                timeout (default: 5m0s) [$TRIVY_TIMEOUT]
+   --no-progress                                  suppress progress bar (default: false) [$TRIVY_NO_PROGRESS]
+   --ignore-policy value                          specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
+   --list-all-pkgs                                enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
+   --offline-scan                                 do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]
+   --skip-files value                             specify the file paths to skip traversal [$TRIVY_SKIP_FILES]
+   --skip-dirs value                              specify the directories where the traversal is skipped [$TRIVY_SKIP_DIRS]
+   --config-policy value                          specify paths to the Rego policy files directory, applying config files [$TRIVY_CONFIG_POLICY]
+   --config-data value                            specify paths from which data for the Rego policies will be recursively loaded [$TRIVY_CONFIG_DATA]
+   --policy-namespaces value, --namespaces value  Rego namespaces (default: "users") [$TRIVY_POLICY_NAMESPACES]
+   --help, -h                                     show help (default: false)
+```

docs/getting-started/further.md

@@ -18,11 +18,6 @@
 - [Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action][actions2]
 - [Using Trivy to Discover Vulnerabilities in VS Code Projects][vscode]
 
-## External Blogs
-- [Open Source CVE Scanner Round-Up: Clair vs Anchore vs Trivy][round-up]
-- [Docker Image Security: Static Analysis Tool Comparison – Anchore Engine vs Clair vs Trivy][tool-comparison]
-- [Research Spike: evaluate Trivy for scanning running containers][gitlab]
-
 [intro]: https://www.youtube.com/watch?v=AzOBGm7XxOA
 [cncf]: https://www.youtube.com/watch?v=XnYxX9uueoQ
 [server]: https://www.youtube.com/watch?v=tNQ-VlahtYM
@@ -35,7 +30,3 @@
 [actions]: https://blog.aquasec.com/devsecops-with-trivy-github-actions
 [actions2]: https://blog.aquasec.com/github-vulnerability-scanner-trivy
 [vscode]: https://blog.aquasec.com/trivy-open-source-vulnerability-scanner-vs-code
-
-[round-up]: https://boxboat.com/2020/04/24/image-scanning-tech-compared/
-[tool-comparison]: https://www.a10o.net/devsecops/docker-image-security-static-analysis-tool-comparison-anchore-engine-vs-clair-vs-trivy/
-[gitlab]: https://gitlab.com/gitlab-org/gitlab/-/issues/270888

docs/getting-started/overview.md

@@ -8,7 +8,7 @@ Trivy detects two types of security issues:
 Trivy can scan three different artifacts:
 
 - [Container Images][container]
-- [Filesystem][filesystem]
+- [Filesystem][filesystem] and [Rootfs][rootfs]
 - [Git Repositories][repo]
 
 Trivy can be run in two different modes:
@@ -22,7 +22,7 @@ See [Integrations][integrations] for details.
 ## Features
 
 - Comprehensive vulnerability detection
-    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
+    - [OS packages][os] (Alpine, Red Hat Universal Base Image, Red Hat Enterprise Linux, CentOS, AlmaLinux, Rocky Linux, CBL-Mariner, Oracle Linux, Debian, Ubuntu, Amazon Linux, openSUSE Leap, SUSE Enterprise Linux, Photon OS and Distroless)
     - [**Language-specific packages**][lang] (Bundler, Composer, Pipenv, Poetry, npm, yarn, Cargo, NuGet, Maven, and Go)
 - Detect IaC misconfigurations
     - A wide variety of [built-in policies][builtin] are provided **out of the box**:
@@ -53,17 +53,15 @@ See [Integrations][integrations] for details.
         - A remote image in Docker Registry such as Docker Hub, ECR, GCR and ACR
         - A tar archive stored in the `docker save` / `podman save` formatted file
         - An image directory compliant with [OCI Image Format][oci]
-    - local filesystem
+    - local filesystem and rootfs
     - remote git repository
 
 Please see [LICENSE][license] for Trivy licensing information.
 
-!!! note
-    Trivy uses vulnerability information from a variety of sources, some of which are licensed for non-commercial use only.
-
 [vuln]: ../vulnerability/scanning/index.md
 [misconf]: ../misconfiguration/index.md
 [container]: ../vulnerability/scanning/image.md
+[rootfs]: ../vulnerability/scanning/rootfs.md
 [filesystem]: ../vulnerability/scanning/filesystem.md
 [repo]: ../vulnerability/scanning/git-repository.md
 
@@ -79,4 +77,4 @@ Please see [LICENSE][license] for Trivy licensing information.
 [podman]: ../advanced/container/podman.md
 
 [oci]: https://github.com/opencontainers/image-spec
-[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE
+[license]:  https://github.com/aquasecurity/trivy/blob/main/LICENSE

docs/getting-started/troubleshooting.md

@@ -39,6 +39,22 @@ https://developer.github.com/v3/#rate-limiting
 $ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
 ```
 
+### Maven rate limiting
+
+!!! error
+    ``` bash
+    $ trivy image ...
+    ...
+    status 403 Forbidden from http://search.maven.org/solrsearch/select
+    ```
+
+Trivy calls Maven API for better detection of JAR files, but many requests may exceed rate limiting.
+If it happens frequently, try the `--offline-scan` option to stop Trivy from making API requests.
+This option affects only vulnerability scanning. The vulnerability database and builtin policies are downloaded as usual.
+If you want to skip them as well, you can try `--skip-update` and `--skip-policy-update`.
+
+Note that a number of vulnerabilities might be fewer than without the `--offline-scan` option.
+
 ### Running in parallel takes same time as series run
 When running trivy on multiple images simultaneously, it will take same time as running trivy in series.  
 This is because of a limitation of boltdb.
@@ -48,6 +64,23 @@ Reference : [boltdb: Opening a database][boltdb].
 
 [boltdb]: https://github.com/boltdb/bolt#opening-a-database
 
+### Error downloading vulnerability DB
+
+!!! error
+    FATAL failed to download vulnerability DB
+
+If trivy is running behind corporate firewall, you have to add the following urls to your allowlist.
+
+- ghcr.io
+- pkg-containers.githubusercontent.com
+
+### Old DB schema
+
+!!! error
+    --skip-update cannot be specified with the old DB schema.
+
+Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][air-gapped].
+
 ## Homebrew
 ### Scope error
 !!! error
@@ -96,3 +129,5 @@ Try again with `--reset` option:
 ```
 $ trivy image --reset
 ```
+
+[air-gapped]: ../advanced/air-gap.md

docs/index.md

@@ -32,8 +32,18 @@ All you need to do for scanning is to specify a target such as an image name of
   <figcaption>Demo: Misconfiguration Detection</figcaption>
 </figure>
 
+---
+
+Trivy is an [Aqua Security][aquasec] open source project.  
+Learn about our open source work and portfolio [here][oss].  
+Contact us about any matter by opening a GitHub Discussion [here][discussions]
+
 [vulnerability]: vulnerability/scanning/index.md
 [misconf]: misconfiguration/index.md
 [os]: vulnerability/detection/os.md
 [lang]: vulnerability/detection/language.md
-[iac]: misconfiguration/iac.md
+[iac]: misconfiguration/iac.md
+
+[aquasec]: https://aquasec.com
+[oss]: https://www.aquasec.com/products/open-source-projects/
+[discussions]: https://github.com/aquasecurity/trivy/discussions

docs/misconfiguration/comparison/cfsec.md

@@ -0,0 +1,25 @@
+# vs cfsec
+[cfsec][cfsec] uses static analysis of your CloudFormation templates to spot potential security issues.
+Trivy uses cfsec internally to scan both JSON and YAML configuration files, but Trivy doesn't support some features provided by cfsec.
+This section describes the differences between Trivy and cfsec.
+
+| Feature                     | Trivy                                   | cfsec                |
+| --------------------------- | --------------------------------------- | -------------------- |
+| Built-in Policies           | :material-check:                        | :material-check:     |
+| Custom Policies             | Rego[^1]                                | :material-close:     |
+| Policy Metadata[^2]         | :material-check:                        | :material-check:     |
+| Show Successes              | :material-check:                        | :material-check:     |
+| Disable Policies            | :material-check:                        | :material-check:     |
+| Show Issue Lines            | :material-close:                        | :material-check:     |
+| View Statistics             | :material-close:                        | :material-check:     |
+| Filtering by Severity       | :material-check:                        | :material-close:     |
+| Supported Formats           | Dockerfile, JSON, YAML, Terraform, etc. | CloudFormation JSON and YAML       |
+
+[^1]: CloudFormation files are not supported
+[^2]: To enrich the results such as ID, Title, Description, Severity, etc.
+
+cfsec is designed for CloudFormation.
+People who use only want to scan their CloudFormation templates should use cfsec.
+People who want to scan a wide range of configuration files should use Trivy.
+
+[cfsec]: https://github.com/aquasecurity/cfsec

docs/misconfiguration/comparison/tfsec.md

@@ -23,4 +23,4 @@ tfsec is designed for Terraform.
 People who use only Terraform should use tfsec.
 People who want to scan a wide range of configuration files should use Trivy.
 
-[tfsec]: https://github.com/tfsec/tfsec
+[tfsec]: https://github.com/aquasecurity/tfsec

docs/misconfiguration/iac.md

@@ -2,7 +2,7 @@
 
 ## Quick start
 
-Simply specify a directory containing IaC files such as Terraform and Dockerfile.
+Simply specify a directory containing IaC files such as Terraform, CloudFormation and Dockerfile.
 
 ``` bash
 $ trivy config [YOUR_IaC_DIRECTORY]
@@ -37,12 +37,12 @@ Trivy will automatically fetch the managed policies and will keep them up-to-dat
 The specified directory can contain mixed types of IaC files.
 Trivy automatically detects config types and applies relevant policies.
 
-For example, the following example holds IaC files for Terraform, Kubernetes, and Dockerfile in the same directory.
+For example, the following example holds IaC files for Terraform, CloudFormation, Kubernetes, and Dockerfile in the same directory.
 
 ``` bash
 $ ls iac/
 Dockerfile  deployment.yaml  main.tf
-$ trivy conf --severith HIGH,CRITICAL ./iac
+$ trivy conf --severity HIGH,CRITICAL ./iac
 ```
 
 <details>
@@ -149,8 +149,14 @@ You can see the config type next to each file name.
     ===================
     Tests: 23 (SUCCESSES: 14, FAILURES: 9, EXCEPTIONS: 0)
     Failures: 9 (HIGH: 6, CRITICAL: 1)
-    
+
     ...
+
+    bucket.yaml (cloudformation)
+    ============================
+    Tests: 9 (SUCCESSES: 3, FAILURES: 6, EXCEPTIONS: 0)
+    Failures: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 4, CRITICAL: 0)
+
     ```
 
 ## Example

docs/misconfiguration/options/report.md

@@ -3,4 +3,4 @@
 See [Reports Formats](../../vulnerability/examples/report.md) in Vulnerability section.
 
 !!! caution
-    Misconfiguration scanning doesn't support default templates such as XML and SARIF for now.
+    Misconfiguration scanning doesn't support default templates such as XML for now.

docs/misconfiguration/policy/builtin.md

@@ -4,22 +4,23 @@
 
 Built-in policies are mainly written in [Rego][rego].
 Those policies are managed under [AppShield repository][appshield].
-Only Terraform's policies are currently powered by [tfsec][tfsec].
+Terraform policies are currently powered by [tfsec][tfsec] and CloudFormation policies are powered by [cfsec][cfsec].
 
 | Config type    | Source                        |
 | ---------------| ----------------------------- |
 | Kubernetes     | [AppShield][kubernetes]       |
 | Dockerfile     | [AppShield][docker]           |
 | Terraform      | [tfsec][tfsec-checks]         |
+| CloudFormation | [cfsec][cfsec-checks]         |
 
-For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield] or [tfsec][tfsec] repository.
+For suggestions or issues regarding policy content, please open an issue under [AppShield][appshield], [tfsec][tfsec] or [cfsec][cfsec] repository.
 
-CloudFormation and Ansible are coming soon.
+Ansible are coming soon.
 
 ## Policy Distribution
-AppShield policies are destributed as OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
-When misconfiguration detection is enabled, Trivy pulls OPA bundle from GHCR as OCI artifact and stores it in the cache.
-Then, those policies are loaded into Trivy OPA engine and used for detecting misconfigurations.
+AppShield policies are distributed as an OPA bundle on [GitHub Container Registry][ghcr] (GHCR).
+When misconfiguration detection is enabled, Trivy pulls the OPA bundle from GHCR as an OCI artifact and stores it in the cache.
+Those policies are then loaded into Trivy OPA engine and used for detecting misconfigurations.
 
 ## Update Interval
 Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if there are any updates.
@@ -29,10 +30,12 @@ Trivy checks for updates to OPA bundle on GHCR every 24 hours and pulls it if th
 [kubernetes]: https://github.com/aquasecurity/appshield/tree/master/kubernetes
 [docker]: https://github.com/aquasecurity/appshield/tree/master/docker
 [tfsec-checks]: https://tfsec.dev/docs/aws/home/
-[tfsec]: https://github.com/tfsec/tfsec
+[tfsec]: https://github.com/aquasecurity/tfsec
+[cfsec-checks]: https://cfsec.dev/
+[cfsec]: https://github.com/aquasecurity/cfsec
 [ghcr]: https://github.com/aquasecurity/appshield/pkgs/container/appshield
 
 [dockerfile-bestpractice]: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
 [pss]: https://kubernetes.io/docs/concepts/security/pod-security-standards/
 [azure]: https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
-[kics]: https://github.com/Checkmarx/kics/
+[kics]: https://github.com/Checkmarx/kics/

docs/vulnerability/detection/data-source.md

@@ -11,28 +11,31 @@
 | Ubuntu         | [Ubuntu CVE Tracker][ubuntu]             |
 | RHEL/CentOS    | [OVAL][rhel-oval]                        |
 |                | [Security Data][rhel-api]                |
+| AlmaLinux      | [AlmaLinux Product Errata][alma]         |
+| Rocky Linux    | [Rocky Linux UpdateInfo][rocky]          |
 | Oracle Linux   | [OVAL][oracle]                           |
+| CBL-Mariner    | [OVAL][mariner]                          |
 | OpenSUSE/SLES	 | [CVRF][suse]                             |
 | Photon OS      | [Photon Security Advisory][photon]       |
 
 # Programming Language
 
-| Language                     | Source                                           | Commercial Use  | Delay[^1]|
-| ---------------------------- | -------------------------------------------------|:---------------:|:--------:|
-| PHP                          | [PHP Security Advisories Database][php]          | ✅              | -        |
-|                              | [GitHub Advisory Database (Composer)][php-ghsa]  | ✅              | -        |
-| Python                       | [Safety DB][python]                              | ❌              | 1 month  |
-|                              | [GitHub Advisory Database (pip)][python-ghsa]    | ✅              | -        |
-| Ruby                         | [Ruby Advisory Database][ruby]                   | ❌ (partially)  | -        |
-|                              | [GitHub Advisory Database (RubyGems)][ruby-ghsa] | ✅              | -        |
-| Node.js                      | [Ecosystem Security Working Group][nodejs]       | ✅              | -        |
-|                              | [GitHub Advisory Database (npm)][nodejs-ghsa]    | ✅              | -        |
-| Java                         | [GitLab Advisories Community][gitlab]            | ✅              | 1 month  |
-|                              | [GitHub Advisory Database (Maven)][java-ghsa]    | ✅              | -        |
-| Go                           | [GitLab Advisories Community][gitlab]            | ✅              | 1 month  |
-|                              | [The Go Vulnerability Database][go]              | ✅              | -        |
-| Rust                         | [RustSec Advisory Database][rust]                | ✅              | -        |
-| .NET                         | [GitHub Advisory Database (NuGet)][dotnet-ghsa]  | ✅              | -        |
+| Language                     | Source                                              | Commercial Use  | Delay[^1]|
+| ---------------------------- | ----------------------------------------------------|:---------------:|:--------:|
+| PHP                          | [PHP Security Advisories Database][php]             | ✅              | -        |
+|                              | [GitHub Advisory Database (Composer)][php-ghsa]     | ✅              | -        |
+| Python                       | [GitHub Advisory Database (pip)][python-ghsa]       | ✅              | -        |
+|                              | [Open Source Vulnerabilities (PyPI)][python-osv]    | ✅              | -        |
+| Ruby                         | [Ruby Advisory Database][ruby]                      | ✅              | -        |
+|                              | [GitHub Advisory Database (RubyGems)][ruby-ghsa]    | ✅              | -        |
+| Node.js                      | [Ecosystem Security Working Group][nodejs]          | ✅              | -        |
+|                              | [GitHub Advisory Database (npm)][nodejs-ghsa]       | ✅              | -        |
+| Java                         | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
+|                              | [GitHub Advisory Database (Maven)][java-ghsa]       | ✅              | -        |
+| Go                           | [GitLab Advisories Community][gitlab]               | ✅              | 1 month  |
+|                              | [The Go Vulnerability Database][go]                 | ✅              | -        |
+| Rust                         | [Open Source Vulnerabilities (crates.io)][rust-osv] | ✅              | -        |
+| .NET                         | [GitHub Advisory Database (NuGet)][dotnet-ghsa]     | ✅              | -        |
 
 [^1]: Intentional delay between vulnerability disclosure and registration in the DB
 
@@ -51,9 +54,12 @@
 [ubuntu]: https://ubuntu.com/security/cve
 [rhel-oval]: https://www.redhat.com/security/data/oval/v2/
 [rhel-api]: https://www.redhat.com/security/data/metrics/
+[alma]: https://errata.almalinux.org/
+[rocky]: https://download.rockylinux.org/pub/rocky/
 [oracle]: https://linux.oracle.com/security/oval/
 [suse]: http://ftp.suse.com/pub/projects/security/cvrf/
 [photon]: https://packages.vmware.com/photon/photon_cve_metadata/
+[mariner]: https://github.com/microsoft/CBL-MarinerVulnerabilityData/
 
 [php-ghsa]: https://github.com/advisories?query=ecosystem%3Acomposer
 [python-ghsa]: https://github.com/advisories?query=ecosystem%3Apip
@@ -63,11 +69,12 @@
 [dotnet-ghsa]: https://github.com/advisories?query=ecosystem%3Anuget
 
 [php]: https://github.com/FriendsOfPHP/security-advisories
-[python]: https://github.com/pyupio/safety-db
 [ruby]: https://github.com/rubysec/ruby-advisory-db
 [nodejs]: https://github.com/nodejs/security-wg
 [gitlab]: https://gitlab.com/gitlab-org/advisories-community
 [go]: https://github.com/golang/vulndb
-[rust]: (https://github.com/RustSec/advisory-db)
+
+[python-osv]: https://osv.dev/list?q=&ecosystem=PyPI
+[rust-osv]: https://osv.dev/list?q=&ecosystem=crates.io
 
 [nvd]: https://nvd.nist.gov/

docs/vulnerability/detection/language.md

@@ -2,23 +2,37 @@
 
 `Trivy` automatically detects the following files in the container and scans vulnerabilities in the application dependencies.
 
-| Language | File                                            | Dev dependencies |
-| ---------| ------------------------------------------------| -----------------|
-| Ruby     | Gemfile.lock                                    | included         |
-| Python   | Pipfile.lock                                    | excluded         |
-|          | poetry.lock                                     | included         |
-| PHP      | composer.lock                                   | excluded         |
-| Node.js  | package-lock.json                               | excluded         |
-|          | yarn.lock                                       | included         |
-| .NET     | packages.lock.json                              | included         |
-| Java     | JAR/WAR/EAR (`*.jar`, `*.war`, and `*.ear`)[^1] | included         |
-| Go       | Binaries built by Go[^2]                        | excluded         |
-|          | go.sum                                          | included         |
-
+| Language | File                     | Image[^7] | Rootfs[^8] | Filesystem[^9] | Repository[^10] |Dev dependencies |
+|----------|--------------------------|:---------:|:----------:|:--------------:|:--------------:|-----------------|
+| Ruby     | Gemfile.lock             | -         | -          |       ✅        |       ✅        | included        |
+|          | gemspec                  | ✅        | ✅         |       -        |       -        | included        |
+| Python   | Pipfile.lock             | -         | -          |       ✅        |       ✅        | excluded        |
+|          | poetry.lock              | -         | -          |       ✅        |       ✅        | included        |
+|          | requirements.txt         | -         | -          |       ✅        |       ✅        | included        |
+|          | egg package[^1]          | ✅        | ✅         |       -        |       -        | excluded        |
+|          | wheel package[^2]        | ✅        | ✅         |       -        |       -        | excluded        |
+| PHP      | composer.lock            | ✅        | ✅         |       ✅        |       ✅        | excluded        |
+| Node.js  | package-lock.json        | -         | -          |       ✅        |       ✅        | excluded        |
+|          | yarn.lock                | -         | -          |       ✅        |       ✅        | included        |
+|          | package.json             | ✅        | ✅         |       -        |       -        | excluded        |
+| .NET     | packages.lock.json       | ✅        | ✅         |       ✅        |       ✅        | included        |
+| Java     | JAR/WAR/PAR/EAR[^3][^4]  | ✅        | ✅         |       -        |       -        | included        |
+|          | pom.xml[^5]              | -         | -          |       ✅        |       ✅        | excluded        |
+| Go       | Binaries built by Go[^6] | ✅        | ✅         |       -        |       -        | excluded        |
+|          | go.sum                   | -         | -          |       ✅        |       ✅        | included        |
+| Rust     | Cargo.lock               | ✅        | ✅         |       ✅        |       ✅        | included        |
 
 The path of these files does not matter.
 
 Example: [Dockerfile](https://github.com/aquasecurity/trivy-ci-test/blob/main/Dockerfile)
 
-[^1]: It requires the Internet access
-[^2]: UPX-compressed binaries don't work
+[^1]: `*.egg-info`, `*.egg-info/PKG-INFO`, `*.egg` and `EGG-INFO/PKG-INFO`
+[^2]: `.dist-info/META-DATA`
+[^3]: `*.jar`, `*.war`, `*.par` and `*.ear`
+[^4]: It requires Internet access
+[^5]: It requires Internet access when the POM doesn't exist in your local repository
+[^6]: UPX-compressed binaries don't work
+[^7]: ✅ means "enabled" and `-` means "disabled" in the image scanning
+[^8]: ✅ means "enabled" and `-` means "disabled" in the rootfs scanning
+[^9]: ✅ means "enabled" and `-` means "disabled" in the filesystem scanning
+[^10]: ✅ means "enabled" and `-` means "disabled" in the git repository scanning

docs/vulnerability/detection/os.md

@@ -4,16 +4,19 @@ The unfixed/unfixable vulnerabilities mean that the patch has not yet been provi
 
 | OS                               | Supported Versions                       | Target Packages               | Detection of unfixed vulnerabilities |
 | -------------------------------- | ---------------------------------------- | ----------------------------- | :----------------------------------: |
-| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.13                    | Installed by apk              |                  NO                  |
+| Alpine Linux                     | 2.2 - 2.7, 3.0 - 3.15                    | Installed by apk              |                  NO                  |
 | Red Hat Universal Base Image[^1] | 7, 8                                     | Installed by yum/rpm          |                 YES                  |
 | Red Hat Enterprise Linux         | 6, 7, 8                                  | Installed by yum/rpm          |                 YES                  |
-| CentOS                           | 6, 7                                     | Installed by yum/rpm          |                 YES                  |
+| CentOS                           | 6, 7, 8                                  | Installed by yum/rpm          |                 YES                  |
+| AlmaLinux                        | 8                                        | Installed by yum/rpm          |                  NO                  |
+| Rocky Linux                      | 8                                        | Installed by yum/rpm          |                  NO                  |
 | Oracle Linux                     | 5, 6, 7, 8                               | Installed by yum/rpm          |                  NO                  |
+| CBL-Mariner                      | 1.0, 2.0                                 | Installed by yum/rpm          |                 YES                  |
 | Amazon Linux                     | 1, 2                                     | Installed by yum/rpm          |                  NO                  |
 | openSUSE Leap                    | 42, 15                                   | Installed by zypper/rpm       |                  NO                  |
 | SUSE Enterprise Linux            | 11, 12, 15                               | Installed by zypper/rpm       |                  NO                  |
-| Photon OS                        | 1.0, 2.0, 3.0                            | Installed by tdnf/yum/rpm     |                  NO                  |
-| Debian GNU/Linux                 | wheezy, jessie, stretch, buster          | Installed by apt/apt-get/dpkg |                 YES                  |
+| Photon OS                        | 1.0, 2.0, 3.0, 4.0                       | Installed by tdnf/yum/rpm     |                  NO                  |
+| Debian GNU/Linux                 | wheezy, jessie, stretch, buster, bullseye| Installed by apt/apt-get/dpkg |                 YES                  |
 | Ubuntu                           | All versions supported by Canonical      | Installed by apt/apt-get/dpkg |                 YES                  |
 | Distroless[^2]                   | Any                                      | Installed by apt/apt-get/dpkg |                 YES                  |
 

docs/vulnerability/examples/cache.md

@@ -41,3 +41,14 @@ Two options:
 ```
 $ trivy server --cache-backend redis://localhost:6379
 ```
+
+Trivy also support for connecting to Redis using TLS, you only need to specify `--redis-ca` , `--redis-cert` , and `--redis-key` option.
+
+```
+$ trivy server --cache-backend redis://localhost:6379 \
+  --redis-ca /path/to/ca-cert.pem \
+  --redis-cert /path/to/cert.pem \
+  --redis-key /path/to/key.pem
+```
+
+TLS option for redis is hidden from Trivy command-line flag, but you still can use it.

docs/vulnerability/examples/db.md

@@ -36,39 +36,3 @@ This is useful to initialize workers in Continuous Integration systems.
 ```
 $ trivy image --download-db-only
 ```
-
-## Lightweight DB
-The lightweight DB doesn't contain vulnerability detail such as descriptions and references. Because of that, the size of the DB is smaller and the download is faster.
-
-This option is useful when you don't need vulnerability details and is suitable for CI/CD.
-To find the additional information, you can search vulnerability details on the NVD website.
-https://nvd.nist.gov/vuln/search
-
-```
-$ trivy image --light alpine:3.10
-```
-
-`--light` option doesn't display titles like the following example.
-
-<details>
-<summary>Result</summary>
-
-```
-2019-11-14T10:21:01.553+0200    INFO    Reopening vulnerability DB
-2019-11-14T10:21:02.574+0200    INFO    Detecting Alpine vulnerabilities...
-
-alpine:3.10 (alpine 3.10.2)
-===========================
-Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
-
-+---------+------------------+----------+-------------------+---------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
-+---------+------------------+----------+-------------------+---------------+
-| openssl | CVE-2019-1549    | MEDIUM   | 1.1.1c-r0         | 1.1.1d-r0     |
-+         +------------------+          +                   +               +
-|         | CVE-2019-1563    |          |                   |               |
-+         +------------------+----------+                   +               +
-|         | CVE-2019-1547    | LOW      |                   |               |
-+---------+------------------+----------+-------------------+---------------+
-```
-</details>

docs/vulnerability/examples/filter.md

@@ -294,25 +294,60 @@ There is a built-in Rego library with helper functions that you can import into
 To get started, see the [example policy][policy].
 
 ```bash
-$ trivy image --ignore-policy contrib/example_filter/basic.rego centos:7
+$ trivy image --ignore-policy contrib/example_policy/basic.rego centos:7
 ```
 
 <details>
 <summary>Result</summary>
 
 ```bash
-centos:7 (centos 7.8.2003)
+centos:7 (centos 7.9.2009)
 ==========================
-Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
+Total: 9 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 4, CRITICAL: 5)
 
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
-| glib2   | CVE-2016-3191    | HIGH     | 2.56.1-5.el7      |               | pcre: workspace overflow       |
-|         |                  |          |                   |               | for (*ACCEPT) with deeply      |
-|         |                  |          |                   |               | nested parentheses (8.39/13,   |
-|         |                  |          |                   |               | 10.22/12)                      |
-+---------+------------------+----------+-------------------+---------------+--------------------------------+
++--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
+|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |   FIXED VERSION   |                  TITLE                  |
++--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
+| glib2        | CVE-2015-8385    | HIGH     | 2.56.1-7.el7      |                   | pcre: buffer overflow caused            |
+|              |                  |          |                   |                   | by named forward reference              |
+|              |                  |          |                   |                   | to duplicate group number...            |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2015-8385    |
++              +------------------+          +                   +-------------------+-----------------------------------------+
+|              | CVE-2016-3191    |          |                   |                   | pcre: workspace overflow for            |
+|              |                  |          |                   |                   | (*ACCEPT) with deeply nested            |
+|              |                  |          |                   |                   | parentheses (8.39/13, 10.22/12)         |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2016-3191    |
++              +------------------+          +                   +-------------------+-----------------------------------------+
+|              | CVE-2021-27219   |          |                   | 2.56.1-9.el7_9    | glib: integer overflow in               |
+|              |                  |          |                   |                   | g_bytes_new function on                 |
+|              |                  |          |                   |                   | 64-bit platforms due to an...           |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2021-27219   |
++--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
+| glibc        | CVE-2019-1010022 | CRITICAL | 2.17-317.el7      |                   | glibc: stack guard protection bypass    |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2019-1010022 |
++--------------+                  +          +                   +-------------------+                                         +
+| glibc-common |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
++--------------+------------------+          +-------------------+-------------------+-----------------------------------------+
+| nss          | CVE-2021-43527   |          | 3.53.1-3.el7_9    | 3.67.0-4.el7_9    | nss: Memory corruption in               |
+|              |                  |          |                   |                   | decodeECorDsaSignature with             |
+|              |                  |          |                   |                   | DSA signatures (and RSA-PSS)            |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2021-43527   |
++--------------+                  +          +                   +                   +                                         +
+| nss-sysinit  |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
++--------------+                  +          +                   +                   +                                         +
+| nss-tools    |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
+|              |                  |          |                   |                   |                                         |
++--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
+| openssl-libs | CVE-2020-1971    | HIGH     | 1:1.0.2k-19.el7   | 1:1.0.2k-21.el7_9 | openssl: EDIPARTYNAME                   |
+|              |                  |          |                   |                   | NULL pointer de-reference               |
+|              |                  |          |                   |                   | -->avd.aquasec.com/nvd/cve-2020-1971    |
++--------------+------------------+----------+-------------------+-------------------+-----------------------------------------+
 ```
 
 </details>

docs/vulnerability/examples/report.md

@@ -136,6 +136,15 @@ $ trivy image -f json -o results.json golang:1.12-alpine
 
 `VulnerabilityID`, `PkgName`, `InstalledVersion`, and `Severity` in `Vulnerabilities` are always filled with values, but other fields might be empty.
 
+## SARIF
+[Sarif][sarif] can be generated with the `--format sarif` option.
+
+```
+$ trivy image --format sarif -o report.sarif  golang:1.12-alpine
+```
+
+This SARIF file can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action][action] for automating this process.
+
 ## Template
 
 ### Custom Template
@@ -183,19 +192,16 @@ $ trivy image --format template --template "@/path/to/template" golang:1.12-alpi
 ```
 
 ### Default Templates
+
+If Trivy is installed using rpm then default templates can be found at `/usr/local/share/trivy/templates`.
+
 #### XML
 In the following example using the template `junit.tpl` XML can be generated.
 ```
 $ trivy image --format template --template "@contrib/junit.tpl" -o junit-report.xml  golang:1.12-alpine
 ```
 
-#### SARIF
-In the following example using the template `sarif.tpl` [Sarif][sarif] can be generated.
-```
-$ trivy image --format template --template "@contrib/sarif.tpl" -o report.sarif  golang:1.12-alpine
-```
-This SARIF format can be uploaded to GitHub code scanning results, and there is a [Trivy GitHub Action][action] for automating this process.
-
+#### ASFF
 Trivy also supports an [ASFF template for reporting findings to AWS Security Hub][asff]
 
 #### HTML
@@ -204,6 +210,13 @@ Trivy also supports an [ASFF template for reporting findings to AWS Security Hub
 $ trivy image --format template --template "@contrib/html.tpl" -o report.html golang:1.12-alpine
 ```
 
+The following example shows use of default HTML template when Trivy is installed using rpm.
+
+```
+$ trivy image --format template --template "@/usr/local/share/trivy/templates/html.tpl" -o report.html golang:1.12-alpine
+```
+
+
 [new-json]: https://github.com/aquasecurity/trivy/discussions/1050
 [action]: https://github.com/aquasecurity/trivy-action
 [asff]: https://github.com/aquasecurity/trivy/blob/main/docs/integrations/aws-security-hub.md

docs/vulnerability/scanning/filesystem.md

@@ -1,6 +1,6 @@
 # Filesystem
 
-Scan a filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).
+Scan a local project including language-specific files.
 
 ```bash
 $ trivy fs /path/to/project
@@ -48,56 +48,9 @@ Total: 10 (UNKNOWN: 2, LOW: 0, MEDIUM: 6, HIGH: 2, CRITICAL: 0)
 
 </details>
 
-## From Inside Containers
-Scan your container from inside the container.
-
-```bash
-$ docker run --rm -it alpine:3.11
-/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
-/ # trivy fs /
-```
-
-<details>
-<summary>Result</summary>
+### Single file
+It's also possible to scan a single file.
 
 ```
-2021-03-08T05:22:26.378Z        INFO    Need to update DB
-2021-03-08T05:22:26.380Z        INFO    Downloading DB...
-20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s
-2021-03-08T05:22:30.134Z        INFO    Detecting Alpine vulnerabilities...
-2021-03-08T05:22:30.138Z        INFO    Trivy skips scanning programming language libraries because no supported file was detected
-
-313430f09696 (alpine 3.11.7)
-============================
-Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)
-
-+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
-|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
-+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
-| libcrypto1.1 | CVE-2021-23839   | HIGH     | 1.1.1i-r0         | 1.1.1j-r0     | openssl: incorrect SSLv2              |
-|              |                  |          |                   |               | rollback protection                   |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
-|              |                  |          |                   |               | overflow in CipherUpdate              |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
-|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
-+--------------+------------------+          +                   +               +---------------------------------------+
-| libssl1.1    | CVE-2021-23839   |          |                   |               | openssl: incorrect SSLv2              |
-|              |                  |          |                   |               | rollback protection                   |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
-|              |                  |          |                   |               | overflow in CipherUpdate              |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
-+              +------------------+          +                   +               +---------------------------------------+
-|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
-|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
-|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
-+--------------+------------------+----------+-------------------+---------------+---------------------------------------+
-```
-
-</details>
+$ trivy fs ~/src/github.com/aquasecurity/trivy-ci-test/Pipfile.lock
+```

docs/vulnerability/scanning/git-repository.md

@@ -6,8 +6,6 @@ Scan your remote git repository
 $ trivy repo https://github.com/knqyf263/trivy-ci-test
 ```
 
-Only public repositories are supported.
-
 <details>
 <summary>Result</summary>
 
@@ -148,3 +146,20 @@ Total: 20 (UNKNOWN: 3, LOW: 0, MEDIUM: 7, HIGH: 5, CRITICAL: 5)
 ```
 
 </details>
+
+## Scanning Private Repositories
+
+In order to scan private GitHub or GitLab repositories, the environment variable `GITHUB_TOKEN` or `GITLAB_TOKEN` must be set, respectively, with a valid token that has access to the private repository being scanned.
+
+The `GITHUB_TOKEN` environment variable will take precedence over `GITLAB_TOKEN`, so if a private GitLab repository will be scanned, then `GITHUB_TOKEN` must be unset.
+
+For example:
+
+```
+$ export GITHUB_TOKEN="your_private_github_token"
+$ trivy repo <your private GitHub repo URL>
+$
+$ # or
+$ export GITLAB_TOKEN="your_private_gitlab_token"
+$ trivy repo <your private GitLab repo URL>
+```

docs/vulnerability/scanning/index.md

@@ -1,10 +1,11 @@
 # Vulnerability Scanning
 
-Trivy scans [Container Images][image], [Filesystem][fs], and [Git Repositores][repo] to detect vulnerabilities.
+Trivy scans [Container Images][image], [Rootfs][rootfs], [Filesystem][fs], and [Git Repositories][repo] to detect vulnerabilities.
 
 ![vulnerability][vuln]
 
 [image]: image.md
+[rootfs]: rootfs.md
 [fs]: filesystem.md
 [repo]: git-repository.md
-[vuln]: ../../imgs/vulnerability.png
+[vuln]: ../../imgs/vulnerability.png

docs/vulnerability/scanning/rootfs.md

@@ -0,0 +1,68 @@
+# Rootfs
+
+Scan a root filesystem (such as a host machine, a virtual machine image, or an unpacked container image filesystem).
+
+```bash
+$ trivy rootfs /path/to/rootfs
+```
+
+## From Inside Containers
+Scan your container from inside the container.
+
+```bash
+$ docker run --rm -it alpine:3.11
+/ # curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+/ # trivy rootfs /
+```
+
+<details>
+<summary>Result</summary>
+
+```
+2021-03-08T05:22:26.378Z        INFO    Need to update DB
+2021-03-08T05:22:26.380Z        INFO    Downloading DB...
+20.37 MiB / 20.37 MiB [-------------------------------------------------------------------------------------------------------------------------------------] 100.00% 8.24 MiB p/s 2s
+2021-03-08T05:22:30.134Z        INFO    Detecting Alpine vulnerabilities...
+2021-03-08T05:22:30.138Z        INFO    Trivy skips scanning programming language libraries because no supported file was detected
+
+313430f09696 (alpine 3.11.7)
+============================
+Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 6, CRITICAL: 0)
+
++--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
++--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+| libcrypto1.1 | CVE-2021-23839   | HIGH     | 1.1.1i-r0         | 1.1.1j-r0     | openssl: incorrect SSLv2              |
+|              |                  |          |                   |               | rollback protection                   |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
++              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
+|              |                  |          |                   |               | overflow in CipherUpdate              |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
++              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
+|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
++--------------+------------------+          +                   +               +---------------------------------------+
+| libssl1.1    | CVE-2021-23839   |          |                   |               | openssl: incorrect SSLv2              |
+|              |                  |          |                   |               | rollback protection                   |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23839 |
++              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23840   |          |                   |               | openssl: integer                      |
+|              |                  |          |                   |               | overflow in CipherUpdate              |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23840 |
++              +------------------+          +                   +               +---------------------------------------+
+|              | CVE-2021-23841   |          |                   |               | openssl: NULL pointer dereference     |
+|              |                  |          |                   |               | in X509_issuer_and_serial_hash()      |
+|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23841 |
++--------------+------------------+----------+-------------------+---------------+---------------------------------------+
+```
+
+</details>
+
+## Other Examples
+- [Embed in Dockerfile][embedding]
+- [Unpacked container image filesystem][unpacked]
+
+[embedding]: ../../advanced/container/embed-in-dockerfile.md
+[unpacked]: ../../advanced/container/unpacked-filesystem.md

examples/misconf/custom-policy/hcl/policy/full_open.rego

@@ -11,6 +11,6 @@ __rego_input__ := {"selector": [{"type": "hcl"}]}
 
 deny[msg] {
 	input.environment == "dev"
-	contains(input.service.http[name].listen_addr, "0.0.0.0")
+	contains(input.service.http[name][_].listen_addr, "0.0.0.0")
 	msg = sprintf("'%s' listens on 0.0.0.0 in dev environment", [name])
 }

examples/misconf/custom-policy/hcl/policy/full_open_test.rego

@@ -1,39 +1,43 @@
 package user.hcl.ID004
 
 test_denied {
-	msg := "'web_proxy' listens on 0.0.0.0 in dev environment"
 	deny[msg] with input as {
-	    "environment": "dev",
-	    "service": {
-	        "http": {
-	            "web_proxy": {
-	                "listen_addr": "0.0.0.0:8080",
-	                "process": {
-	                    "main": {
-	                        "command": ["/usr/local/bin/awesome-app", "server"],
-	                    },
-	                },
-	            },
-	        },
-	    },
+		"environment": "dev",
+		"service": {"http": {"web_proxy": [{
+			"listen_addr": "0.0.0.0:8080",
+			"process": {
+				"main": [{"command": [
+					"/usr/local/bin/awesome-app",
+					"server",
+				]}],
+				"mgmt": [{"command": [
+					"/usr/local/bin/awesome-app",
+					"mgmt",
+				]}],
+			},
+		}]}},
 	}
+
+	msg == "'web_proxy' listens on 0.0.0.0 in dev environment"
 }
 
 test_allowed {
 	r := deny with input as {
-	    "environment": "dev",
-	    "service": {
-	        "http": {
-	            "web_proxy": {
-	                "listen_addr": "127.0.0.1:8080",
-	                "process": {
-	                    "main": {
-	                        "command": ["/usr/local/bin/awesome-app", "server"],
-	                    },
-	                },
-	            },
-	        },
-	    },
+		"environment": "dev",
+		"service": {"http": {"web_proxy": [{
+			"listen_addr": "127.0.0.1:8080",
+			"process": {
+				"main": [{"command": [
+					"/usr/local/bin/awesome-app",
+					"server",
+				]}],
+				"mgmt": [{"command": [
+					"/usr/local/bin/awesome-app",
+					"mgmt",
+				]}],
+			},
+		}]}},
 	}
+
 	count(r) == 0
 }

examples/misconf/mixed/configs/bucket.yaml

@@ -0,0 +1,24 @@
+---
+AWSTemplateFormatVersion: "2010-09-09"
+Description: An example Stack for a bucket
+Parameters:
+  BucketName: 
+    Type: String
+    Default: naughty-bucket
+  EncryptBucket:
+    Type: Boolean
+    Default: false
+Resources:
+  S3Bucket:
+    Type: 'AWS::S3::Bucket'
+    Properties:
+      BucketName:
+        Ref: BucketName
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+        - BucketKeyEnabled: !Ref EncryptBucket

go.mod

@@ -7,52 +7,43 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20210719144537-c73c1e9f21bf
-	github.com/aquasecurity/go-dep-parser v0.0.0-20210520015931-0dd56983cc62
+	github.com/aquasecurity/fanal v0.0.0-20220129174924-b9e05fcccc57
+	github.com/aquasecurity/go-dep-parser v0.0.0-20211224170007-df43bca6b6ff
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/trivy-db v0.0.0-20210531102723-aaab62dec6ee
+	github.com/aquasecurity/trivy-db v0.0.0-20220130223604-df65ebde46f4
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3
-	github.com/containerd/containerd v1.4.4 // indirect
-	github.com/docker/docker v20.10.3+incompatible
+	github.com/docker/docker v20.10.12+incompatible
 	github.com/docker/go-connections v0.4.0
-	github.com/elazarl/goproxy v0.0.0-20200809112317-0581fc3aee2d // indirect
-	github.com/fatih/color v1.10.0
-	github.com/go-redis/redis/v8 v8.4.0
+	github.com/fatih/color v1.13.0
+	github.com/go-redis/redis/v8 v8.11.4
 	github.com/goccy/go-yaml v1.8.2 // indirect
-	github.com/golang/protobuf v1.4.3
-	github.com/google/go-containerregistry v0.1.2
-	github.com/google/go-github/v33 v33.0.0
+	github.com/golang/protobuf v1.5.2
+	github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475
 	github.com/google/wire v0.4.0
-	github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00 // indirect
 	github.com/hashicorp/go-getter v1.5.2
 	github.com/huandu/xstrings v1.3.2 // indirect
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
 	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
 	github.com/knqyf263/go-rpm-version v0.0.0-20170716094938-74609b86c936
-	github.com/kylelemons/godebug v1.1.0
 	github.com/masahiro331/go-mvn-version v0.0.0-20210429150710-d3157d602a08
 	github.com/mitchellh/copystructure v1.1.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5
-	github.com/open-policy-agent/opa v0.25.2
-	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/smartystreets/assertions v1.2.0 // indirect
-	github.com/spf13/afero v1.2.2
+	github.com/open-policy-agent/opa v0.36.1
+	github.com/owenrumney/go-sarif/v2 v2.0.17
+	github.com/spf13/afero v1.6.0
 	github.com/stretchr/objx v0.3.0 // indirect
 	github.com/stretchr/testify v1.7.0
-	github.com/testcontainers/testcontainers-go v0.9.1-0.20210218153226-c8e070a2f18d
+	github.com/testcontainers/testcontainers-go v0.11.1
 	github.com/twitchtv/twirp v8.1.0+incompatible
 	github.com/urfave/cli/v2 v2.3.0
-	go.uber.org/zap v1.16.0
-	golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
+	go.uber.org/zap v1.20.0
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
-	google.golang.org/protobuf v1.25.0
-	gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b // indirect
+	google.golang.org/protobuf v1.27.1
 	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
 	k8s.io/utils v0.0.0-20201110183641-67b214c5f920

goreleaser.yml

@@ -20,6 +20,7 @@ builds:
       - arm
       - arm64
       - ppc64le
+      - s390x
     goarm:
       - 7
     ignore:
@@ -54,6 +55,9 @@ nfpms:
       netbsd: NetBSD
       freebsd: FreeBSD
       dragonfly: DragonFlyBSD
+    contents:
+     - src: contrib/*.tpl
+       dst: /usr/local/share/trivy/templates
 
 archives:
   -
@@ -83,9 +87,9 @@ brews:
       owner: aquasecurity
       name: homebrew-trivy
     homepage: "https://github.com/aquasecurity/trivy"
-    description: ""
+    description: "Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues"
     test: |
-      system "#{bin}/program --version"
+      system "#{bin}/trivy", "--version"
 
 dockers:
   - image_templates:
@@ -95,7 +99,7 @@ dockers:
       - "ghcr.io/aquasecurity/trivy:latest-amd64"
       - "public.ecr.aws/aquasecurity/trivy:latest-amd64"
       - "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-amd64"
-    use_buildx: true
+    use: buildx
     goos: linux
     goarch: amd64
     ids:
@@ -119,7 +123,7 @@ dockers:
       - "ghcr.io/aquasecurity/trivy:latest-arm64"
       - "public.ecr.aws/aquasecurity/trivy:latest-arm64"
       - "public.ecr.aws/aquasecurity/trivy:{{ .Version }}-arm64"
-    use_buildx: true
+    use: buildx
     goos: linux
     goarch: arm64
     ids:

helm/trivy/Chart.yaml

@@ -1,11 +1,11 @@
 apiVersion: v2
 name: trivy
-version: 0.4.4
-appVersion: "0.18.3"
+version: 0.4.9
+appVersion: 0.22.0
 description: Trivy helm chart
 keywords:
   - scanner
   - trivy
   - vulnerability
 sources:
-- https://github.com/aquasecurity/trivy
+  - https://github.com/aquasecurity/trivy

helm/trivy/README.md

@@ -64,6 +64,9 @@ The following table lists the configurable parameters of the Trivy chart and the
 | `replicaCount`                        | Number of Trivy Pods to run                                   | `1`            |
 | `trivy.debugMode`             | The flag to enable or disable Trivy debug mode                          | `false` |
 | `trivy.gitHubToken`           | The GitHub access token to download Trivy DB. More info: https://github.com/aquasecurity/trivy#github-rate-limiting                          |      |
+| `trivy.registryUsername`              | The username used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ |      |
+| `trivy.registryPassword`              | The password used to log in at dockerhub. More info: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/ |      |
+| `trivy.registryCredentialsExistingSecret` | Name of Secret containing dockerhub credentials. Alternative to the 2 parameters above, has precedence if set.                    |      |
 | `trivy.skipUpdate`            | The flag to enable or disable Trivy DB downloads from GitHub            | `false`        |
 | `trivy.cache.redis.enabled`           | Enable Redis as caching backend                                         | `false` |
 | `trivy.cache.redis.url`               | Specify redis connection url, e.g. redis://redis.redis.svc:6379         | `` |

helm/trivy/templates/_helpers.tpl

@@ -50,6 +50,6 @@ Return the proper imageRef as used by the container template spec.
 {{- define "trivy.imageRef" -}}
 {{- $registryName := .Values.image.registry -}}
 {{- $repositoryName := .Values.image.repository -}}
-{{- $tag := .Values.image.tag | toString -}}
+{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}
 {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}}
 {{- end -}}

helm/trivy/templates/configmap.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "trivy.fullname" . }}
+  labels:
+{{ include "trivy.labels" . | indent 4 }}
+data:
+  TRIVY_LISTEN: "0.0.0.0:{{ .Values.service.port }}"
+  TRIVY_CACHE_DIR: "/home/scanner/.cache/trivy"
+{{- if .Values.trivy.cache.redis.enabled }}
+  TRIVY_CACHE_BACKEND: {{ .Values.trivy.cache.redis.url | quote }}
+{{- end }}
+  TRIVY_DEBUG: {{ .Values.trivy.debugMode | quote }}
+  TRIVY_SKIP_UPDATE: {{ .Values.trivy.skipUpdate | quote }}
+{{- if .Values.httpProxy }}
+  HTTP_PROXY: {{ .Values.httpProxy | quote }}
+{{- end }}
+{{- if .Values.httpsProxy }}
+  HTTPS_PROXY: {{ .Values.httpsProxy | quote }}
+{{- end }}
+{{- if .Values.noProxy }}
+  NO_PROXY: {{ .Values.noProxy | quote }}
+{{- end }}

helm/trivy/templates/ingress.yaml

@@ -1,6 +1,12 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "trivy.fullname" . -}}
+{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+apiVersion: networking.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }}
 apiVersion: networking.k8s.io/v1beta1
+{{- else }}
+apiVersion: extensions/v1beta1
+{{- end }}
 kind: Ingress
 metadata:
   name: {{ include "trivy.fullname" . }}
@@ -12,6 +18,9 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
+{{- if and (.Values.ingress.ingressClassName) (semverCompare ">= v1.18.0" .Capabilities.KubeVersion.Version) }}
+  ingressClassName: {{ .Values.ingress.ingressClassName }}
+{{- end }}
 {{- if .Values.ingress.tls }}
   tls:
   {{- range .Values.ingress.tls }}
@@ -28,8 +37,17 @@ spec:
       http:
         paths:
           - path: {{ $.Values.ingress.path }}
+        {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
+            pathType: {{ $.Values.ingress.pathType }}
+            backend:
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $.Values.service.port -}}
+          {{- else }}
             backend:
               serviceName: {{ $fullName }}
               servicePort: {{ $.Values.service.port -}}
+          {{- end }}
   {{- end }}
-{{- end }}
+{{- end }}

helm/trivy/templates/secret.yaml

@@ -6,4 +6,8 @@ metadata:
 {{ include "trivy.labels" . | indent 4 }}
 type: Opaque
 data:
-  gitHubToken: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
+  GITHUB_TOKEN: {{ .Values.trivy.gitHubToken | default "" | b64enc | quote }}
+{{- if not .Values.trivy.registryCredentialsExistingSecret }}
+  TRIVY_USERNAME: {{ .Values.trivy.registryUsername | default "" | b64enc | quote }}
+  TRIVY_PASSWORD: {{ .Values.trivy.registryPassword | default "" | b64enc | quote }}
+{{- end -}}

helm/trivy/templates/statefulset.yaml

@@ -62,30 +62,24 @@ spec:
           {{- end }}
           args:
             - server
+          {{- if .Values.trivy.registryCredentialsExistingSecret }}
           env:
-            - name: "TRIVY_LISTEN"
-              value: "0.0.0.0:{{ .Values.service.port | default 4954 }}"
-            - name: "TRIVY_CACHE_DIR"
-              value: "/home/scanner/.cache/trivy"
-            {{- if .Values.trivy.cache.redis.enabled }}
-            - name: "TRIVY_CACHE_BACKEND"
-              value: {{ .Values.trivy.cache.redis.url | quote }}
-            {{- end }}
-            - name: "TRIVY_DEBUG"
-              value: {{ .Values.trivy.debugMode | default false | quote }}
-            - name: "TRIVY_SKIP_UPDATE"
-              value: {{ .Values.trivy.skipUpdate | default false | quote }}
-            - name: "GITHUB_TOKEN"
+            - name: TRIVY_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: {{ include "trivy.fullname" . }}
-                  key: gitHubToken
-            - name: "HTTP_PROXY"
-              value: {{ .Values.httpProxy | quote }}
-            - name: "HTTPS_PROXY"
-              value: {{ .Values.httpsProxy | quote }}
-            - name: "NO_PROXY"
-              value: {{ .Values.noProxy | quote }}
+                  name: {{ .Values.trivy.registryCredentialsExistingSecret }}
+                  key: TRIVY_USERNAME
+            - name: TRIVY_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.trivy.registryCredentialsExistingSecret }}
+                  key: TRIVY_PASSWORD
+          {{- end }}
+          envFrom:
+            - configMapRef:
+                name: {{ include "trivy.fullname" . }}
+            - secretRef:
+                name: {{ include "trivy.fullname" . }}
           ports:
             - name: trivy-http
               containerPort: {{ .Values.service.port }}

helm/trivy/values.yaml

@@ -4,7 +4,9 @@ fullnameOverride: ""
 image:
   registry: docker.io
   repository: aquasec/trivy
-  tag: 0.18.3
+  # tag is an override of the image tag, which is by default set by the
+  # appVersion field in Chart.yaml.
+  tag: ""
   pullPolicy: IfNotPresent
   pullSecret: ""
 
@@ -68,6 +70,24 @@ trivy:
   # You can create a GitHub token by following the instructions in
   # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
   gitHubToken: ""
+  # Docker registry credentials
+  # See also: https://aquasecurity.github.io/trivy/dev/advanced/private-registries/docker-hub/
+  #
+  # Either
+  # Directly in this file
+  #
+  # TRIVY_USERNAME
+  registryUsername: ""
+  # TRIVY_PASSWORD
+  registryPassword: ""
+  #
+  # Or
+  # From an existing secret
+  #
+  # The secret must be Opaque and just contain "TRIVY_USERNAME: your_user" and "TRIVY_PASSWORD: your_password" as k/v pairs.
+  # NOTE: When this is set the previous parameters are ignored.
+  #
+  # registryCredentialsExistingSecret: name-of-existing-secret
   # skipUpdate the flag to enable or disable Trivy DB downloads from GitHub
   #
   # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
@@ -85,7 +105,7 @@ trivy:
   cache:
     redis:
       enabled: false
-      url: "" # e.g. redis://redis.redis.svc:6379
+      url: ""  # e.g. redis://redis.redis.svc:6379
 
 service:
   # type Kubernetes service type
@@ -95,11 +115,15 @@ service:
 
 ingress:
   enabled: false
+  # From Kubernetes 1.18+ this field is supported in case your ingress controller supports it. When set, you do not need to add the ingress class as annotation.
+  ingressClassName:
   annotations: {}
     # kubernetes.io/ingress.class: nginx
   hosts:
     - host: trivy.example.com
   path: "/"
+  # type is only needed for networking.k8s.io/v1 in k8s 1.19+
+  pathType: Prefix
   tls: []
   #  - secretName: trivy-example-tls
   #    hosts:

integration/client_server_test.go

@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration
 
 package integration
@@ -5,7 +6,7 @@ package integration
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 	"path/filepath"
 	"strings"
@@ -22,10 +23,9 @@ import (
 	"github.com/aquasecurity/trivy/pkg/report"
 )
 
-type args struct {
+type csArgs struct {
 	Format            string
 	TemplatePath      string
-	Version           string
 	IgnoreUnfixed     bool
 	Severity          []string
 	IgnoreIDs         []string
@@ -35,357 +35,312 @@ type args struct {
 }
 
 func TestClientServer(t *testing.T) {
-	cases := []struct {
-		name     string
-		testArgs args
-		golden   string
-		wantErr  string
+	tests := []struct {
+		name    string
+		args    csArgs
+		golden  string
+		wantErr string
 	}{
 		{
-			name: "alpine 3.10 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
-				IgnoreUnfixed: true,
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-ignore-unfixed.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with medium and high severity",
-			testArgs: args{
-				Version:       "dev",
-				IgnoreUnfixed: true,
-				Severity:      []string{"MEDIUM", "HIGH"},
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-medium-high.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with .trivyignore",
-			testArgs: args{
-				Version:       "dev",
-				IgnoreUnfixed: false,
-				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-1563"},
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-ignore-cveids.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with gitlab template",
-			testArgs: args{
-				Format:       "template",
-				TemplatePath: "@../contrib/gitlab.tpl",
-				Version:      "dev",
-				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.gitlab.golden",
-		},
-		{
-			name: "alpine 3.10 integration with gitlab-codequality template",
-			testArgs: args{
-				Format:       "template",
-				TemplatePath: "@../contrib/gitlab-codequality.tpl",
-				Version:      "dev",
-				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.gitlab-codequality.golden",
-		},
-		{
-			name: "alpine 3.10 integration with sarif template",
-			testArgs: args{
-				Format:       "template",
-				TemplatePath: "@../contrib/sarif.tpl",
-				Version:      "dev",
-				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.sarif.golden",
-		},
-		{
-			name: "alpine 3.9 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/alpine-39.tar.gz",
+			name: "alpine 3.9",
+			args: csArgs{
+				Input: "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39.json.golden",
 		},
 		{
-			name: "debian buster integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/debian-buster.tar.gz",
+			name: "alpine 3.9 with high and critical severity",
+			args: csArgs{
+				IgnoreUnfixed: true,
+				Severity:      []string{"HIGH", "CRITICAL"},
+				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+			},
+			golden: "testdata/alpine-39-high-critical.json.golden",
+		},
+		{
+			name: "alpine 3.9 with .trivyignore",
+			args: csArgs{
+				IgnoreUnfixed: false,
+				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-14697"},
+				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+			},
+			golden: "testdata/alpine-39-ignore-cveids.json.golden",
+		},
+		{
+			name: "alpine 3.10",
+			args: csArgs{
+				Input: "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.json.golden",
+		},
+		{
+			name: "debian buster/10",
+			args: csArgs{
+				Input: "testdata/fixtures/images/debian-buster.tar.gz",
 			},
 			golden: "testdata/debian-buster.json.golden",
 		},
 		{
-			name: "debian buster integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
+			name: "debian buster/10 with --ignore-unfixed option",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/debian-buster.tar.gz",
 			},
 			golden: "testdata/debian-buster-ignore-unfixed.json.golden",
 		},
 		{
-			name: "debian stretch integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/debian-stretch.tar.gz",
+			name: "debian stretch/9",
+			args: csArgs{
+				Input: "testdata/fixtures/images/debian-stretch.tar.gz",
 			},
 			golden: "testdata/debian-stretch.json.golden",
 		},
 		{
-			name: "ubuntu 18.04 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			name: "ubuntu 18.04",
+			args: csArgs{
+				Input: "testdata/fixtures/images/ubuntu-1804.tar.gz",
 			},
 			golden: "testdata/ubuntu-1804.json.golden",
 		},
 		{
-			name: "ubuntu 18.04 integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
-				IgnoreUnfixed: true,
-				Input:         "testdata/fixtures/images/ubuntu-1804.tar.gz",
-			},
-			golden: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
-		},
-		{
-			name: "ubuntu 16.04 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/ubuntu-1604.tar.gz",
-			},
-			golden: "testdata/ubuntu-1604.json.golden",
-		},
-		{
-			name: "centos 7 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/centos-7.tar.gz",
+			name: "centos 7",
+			args: csArgs{
+				Input: "testdata/fixtures/images/centos-7.tar.gz",
 			},
 			golden: "testdata/centos-7.json.golden",
 		},
 		{
-			name: "centos 7 integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
+			name: "centos 7 with --ignore-unfixed option",
+			args: csArgs{
 				IgnoreUnfixed: true,
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
 			},
 			golden: "testdata/centos-7-ignore-unfixed.json.golden",
 		},
 		{
-			name: "centos 7 integration with low and high severity",
-			testArgs: args{
-				Version:       "dev",
+			name: "centos 7 with medium severity",
+			args: csArgs{
 				IgnoreUnfixed: true,
-				Severity:      []string{"LOW", "HIGH"},
+				Severity:      []string{"MEDIUM"},
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
 			},
-			golden: "testdata/centos-7-low-high.json.golden",
+			golden: "testdata/centos-7-medium.json.golden",
 		},
 		{
-			name: "centos 6 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/centos-6.tar.gz",
+			name: "centos 6",
+			args: csArgs{
+				Input: "testdata/fixtures/images/centos-6.tar.gz",
 			},
 			golden: "testdata/centos-6.json.golden",
 		},
 		{
-			name: "ubi 7 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/ubi-7.tar.gz",
+			name: "ubi 7",
+			args: csArgs{
+				Input: "testdata/fixtures/images/ubi-7.tar.gz",
 			},
 			golden: "testdata/ubi-7.json.golden",
 		},
 		{
-			name: "distroless base integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/distroless-base.tar.gz",
+			name: "almalinux 8",
+			args: csArgs{
+				Input: "testdata/fixtures/images/almalinux-8.tar.gz",
+			},
+			golden: "testdata/almalinux-8.json.golden",
+		},
+		{
+			name: "rocky linux 8",
+			args: csArgs{
+				Input: "testdata/fixtures/images/rockylinux-8.tar.gz",
+			},
+			golden: "testdata/rockylinux-8.json.golden",
+		},
+		{
+			name: "distroless base",
+			args: csArgs{
+				Input: "testdata/fixtures/images/distroless-base.tar.gz",
 			},
 			golden: "testdata/distroless-base.json.golden",
 		},
 		{
-			name: "distroless base integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
-				IgnoreUnfixed: true,
-				Input:         "testdata/fixtures/images/distroless-base.tar.gz",
-			},
-			golden: "testdata/distroless-base-ignore-unfixed.json.golden",
-		},
-		{
-			name: "distroless python27 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/distroless-python27.tar.gz",
+			name: "distroless python27",
+			args: csArgs{
+				Input: "testdata/fixtures/images/distroless-python27.tar.gz",
 			},
 			golden: "testdata/distroless-python27.json.golden",
 		},
 		{
-			name: "amazon 1 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/amazon-1.tar.gz",
+			name: "amazon 1",
+			args: csArgs{
+				Input: "testdata/fixtures/images/amazon-1.tar.gz",
 			},
 			golden: "testdata/amazon-1.json.golden",
 		},
 		{
-			name: "amazon 2 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/amazon-2.tar.gz",
+			name: "amazon 2",
+			args: csArgs{
+				Input: "testdata/fixtures/images/amazon-2.tar.gz",
 			},
 			golden: "testdata/amazon-2.json.golden",
 		},
 		{
-			name: "oracle 6 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
-			},
-			golden: "testdata/oraclelinux-6-slim.json.golden",
-		},
-		{
-			name: "oracle 7 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
-			},
-			golden: "testdata/oraclelinux-7-slim.json.golden",
-		},
-		{
-			name: "oracle 8 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
+			name: "oracle 8",
+			args: csArgs{
+				Input: "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
 			},
 			golden: "testdata/oraclelinux-8-slim.json.golden",
 		},
 		{
-			name: "opensuse leap 15.1 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/opensuse-leap-151.tar.gz",
+			name: "opensuse leap 15.1",
+			args: csArgs{
+				Input: "testdata/fixtures/images/opensuse-leap-151.tar.gz",
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
 		{
-			name: "opensuse leap 42.3 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/opensuse-leap-423.tar.gz",
-			},
-			golden: "testdata/opensuse-leap-423.json.golden",
-		},
-		{
-			name: "photon 1.0 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/photon-10.tar.gz",
-			},
-			golden: "testdata/photon-10.json.golden",
-		},
-		{
-			name: "photon 2.0 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/photon-20.tar.gz",
-			},
-			golden: "testdata/photon-20.json.golden",
-		},
-		{
-			name: "photon 3.0 integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/photon-30.tar.gz",
+			name: "photon 3.0",
+			args: csArgs{
+				Input: "testdata/fixtures/images/photon-30.tar.gz",
 			},
 			golden: "testdata/photon-30.json.golden",
 		},
 		{
-			name: "buxybox with Cargo.lock integration",
-			testArgs: args{
-				Version: "dev",
-				Input:   "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+			name: "CBL-Mariner 1.0",
+			args: csArgs{
+				Input: "testdata/fixtures/images/mariner-1.0.tar.gz",
+			},
+			golden: "testdata/mariner-1.0.json.golden",
+		},
+		{
+			name: "buxybox with Cargo.lock",
+			args: csArgs{
+				Input: "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
 			},
 			golden: "testdata/busybox-with-lockfile.json.golden",
 		},
+	}
+
+	app, addr, cacheDir := setup(t, setupOptions{})
+
+	for _, c := range tests {
+		t.Run(c.name, func(t *testing.T) {
+			osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)
+
+			// Run Trivy client
+			err := app.Run(osArgs)
+			require.NoError(t, err)
+
+			compareReports(t, c.golden, outputFile)
+		})
+	}
+}
+
+func TestClientServerWithTemplate(t *testing.T) {
+	tests := []struct {
+		name   string
+		args   csArgs
+		golden string
+	}{
 		{
-			name: "alpine 3.10 integration with ASFF template",
-			testArgs: args{
+			name: "alpine 3.10 with gitlab template",
+			args: csArgs{
+				Format:       "template",
+				TemplatePath: "@../contrib/gitlab.tpl",
+				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.gitlab.golden",
+		},
+		{
+			name: "alpine 3.10 with gitlab-codequality template",
+			args: csArgs{
+				Format:       "template",
+				TemplatePath: "@../contrib/gitlab-codequality.tpl",
+				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.gitlab-codequality.golden",
+		},
+		{
+			name: "alpine 3.10 with sarif format",
+			args: csArgs{
+				Format: "sarif",
+				Input:  "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.sarif.golden",
+		},
+		{
+			name: "alpine 3.10 with ASFF template",
+			args: csArgs{
 				Format:       "template",
 				TemplatePath: "@../contrib/asff.tpl",
-				Version:      "dev",
 				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
 			},
 			golden: "testdata/alpine-310.asff.golden",
 		},
 		{
-			name: "alpine 3.10 integration with html template",
-			testArgs: args{
+			name: "alpine 3.10 with html template",
+			args: csArgs{
 				Format:       "template",
 				TemplatePath: "@../contrib/html.tpl",
-				Version:      "dev",
 				Input:        "testdata/fixtures/images/alpine-310.tar.gz",
 			},
 			golden: "testdata/alpine-310.html.golden",
 		},
 	}
 
+	report.CustomTemplateFuncMap = map[string]interface{}{
+		"now": func() time.Time {
+			return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
+		},
+		"date": func(format string, t time.Time) string {
+			return t.Format(format)
+		},
+	}
+
+	t.Cleanup(func() {
+		report.CustomTemplateFuncMap = map[string]interface{}{}
+	})
+
 	app, addr, cacheDir := setup(t, setupOptions{})
 
-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
-			report.Now = func() time.Time {
-				return time.Date(2020, 8, 10, 7, 28, 17, 958601, time.UTC)
-			}
-			os.Setenv("AWS_REGION", "test-region")
-			os.Setenv("AWS_ACCOUNT_ID", "123456789012")
-			osArgs, outputFile, cleanup := setupClient(t, c.testArgs, addr, cacheDir, c.golden)
-			defer cleanup()
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Setenv("AWS_REGION", "test-region")
+			t.Setenv("AWS_ACCOUNT_ID", "123456789012")
+			osArgs, outputFile := setupClient(t, tt.args, addr, cacheDir, tt.golden)
 
 			// Run Trivy client
 			err := app.Run(osArgs)
 			require.NoError(t, err)
 
-			compare(t, c.golden, outputFile)
+			want, err := os.ReadFile(tt.golden)
+			require.NoError(t, err)
+
+			got, err := os.ReadFile(outputFile)
+			require.NoError(t, err)
+
+			assert.EqualValues(t, string(want), string(got))
 		})
 	}
 }
 
 func TestClientServerWithToken(t *testing.T) {
 	cases := []struct {
-		name     string
-		testArgs args
-		golden   string
-		wantErr  string
+		name    string
+		args    csArgs
+		golden  string
+		wantErr string
 	}{
 		{
-			name: "alpine 3.10 integration with token",
-			testArgs: args{
-				Version:           "dev",
-				Input:             "testdata/fixtures/images/alpine-310.tar.gz",
+			name: "alpine 3.9 with token",
+			args: csArgs{
+				Input:             "testdata/fixtures/images/alpine-39.tar.gz",
 				ClientToken:       "token",
 				ClientTokenHeader: "Trivy-Token",
 			},
-			golden: "testdata/alpine-310.json.golden",
+			golden: "testdata/alpine-39.json.golden",
 		},
 		{
 			name: "invalid token",
-			testArgs: args{
-				Version:           "dev",
+			args: csArgs{
 				Input:             "testdata/fixtures/images/distroless-base.tar.gz",
 				ClientToken:       "invalidtoken",
 				ClientTokenHeader: "Trivy-Token",
@@ -394,11 +349,10 @@ func TestClientServerWithToken(t *testing.T) {
 		},
 		{
 			name: "invalid token header",
-			testArgs: args{
-				Version:           "dev",
+			args: csArgs{
 				Input:             "testdata/fixtures/images/distroless-base.tar.gz",
-				ClientToken:       "valid-token",
-				ClientTokenHeader: "Trivy-Token",
+				ClientToken:       "token",
+				ClientTokenHeader: "Unknown-Header",
 			},
 			wantErr: "twirp error unauthenticated: invalid token",
 		},
@@ -410,12 +364,10 @@ func TestClientServerWithToken(t *testing.T) {
 		token:       serverToken,
 		tokenHeader: serverTokenHeader,
 	})
-	defer os.RemoveAll(cacheDir)
 
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			osArgs, outputFile, cleanup := setupClient(t, c.testArgs, addr, cacheDir, c.golden)
-			defer cleanup()
+			osArgs, outputFile := setupClient(t, c.args, addr, cacheDir, c.golden)
 
 			// Run Trivy client
 			err := app.Run(osArgs)
@@ -428,7 +380,7 @@ func TestClientServerWithToken(t *testing.T) {
 				assert.NoError(t, err, c.name)
 			}
 
-			compare(t, c.golden, outputFile)
+			compareReports(t, c.golden, outputFile)
 		})
 	}
 }
@@ -440,32 +392,29 @@ func TestClientServerWithRedis(t *testing.T) {
 
 	// Set up Trivy server
 	app, addr, cacheDir := setup(t, setupOptions{cacheBackend: addr})
-	defer os.RemoveAll(cacheDir)
+	t.Cleanup(func() { os.RemoveAll(cacheDir) })
 
 	// Test parameters
-	testArgs := args{
-		Version: "dev",
-		Input:   "testdata/fixtures/images/centos-7.tar.gz",
+	testArgs := csArgs{
+		Input: "testdata/fixtures/images/alpine-39.tar.gz",
 	}
-	golden := "testdata/centos-7.json.golden"
+	golden := "testdata/alpine-39.json.golden"
 
-	t.Run("centos 7", func(t *testing.T) {
-		osArgs, outputFile, cleanup := setupClient(t, testArgs, addr, cacheDir, golden)
-		defer cleanup()
+	t.Run("alpine 3.9", func(t *testing.T) {
+		osArgs, outputFile := setupClient(t, testArgs, addr, cacheDir, golden)
 
 		// Run Trivy client
 		err := app.Run(osArgs)
 		require.NoError(t, err)
 
-		compare(t, golden, outputFile)
+		compareReports(t, golden, outputFile)
 	})
 
 	// Terminate the Redis container
 	require.NoError(t, redisC.Terminate(ctx))
 
 	t.Run("sad path", func(t *testing.T) {
-		osArgs, _, cleanup := setupClient(t, testArgs, addr, cacheDir, golden)
-		defer cleanup()
+		osArgs, _ := setupClient(t, testArgs, addr, cacheDir, golden)
 
 		// Run Trivy client
 		err := app.Run(osArgs)
@@ -485,7 +434,7 @@ func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {
 	version := "dev"
 
 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)
 
 	port, err := getFreePort()
 	assert.NoError(t, err)
@@ -494,7 +443,7 @@ func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {
 	go func() {
 		// Setup CLI App
 		app := commands.NewApp(version)
-		app.Writer = ioutil.Discard
+		app.Writer = io.Discard
 		osArgs := setupServer(addr, options.token, options.tokenHeader, cacheDir, options.cacheBackend)
 
 		// Run Trivy server
@@ -507,7 +456,7 @@ func setup(t *testing.T, options setupOptions) (*cli.App, string, string) {
 
 	// Setup CLI App
 	app := commands.NewApp(version)
-	app.Writer = ioutil.Discard
+	app.Writer = io.Discard
 
 	return app, addr, cacheDir
 }
@@ -523,7 +472,7 @@ func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []stri
 	return osArgs
 }
 
-func setupClient(t *testing.T, c args, addr string, cacheDir string, golden string) ([]string, string, func()) {
+func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden string) ([]string, string) {
 	t.Helper()
 	osArgs := []string{"trivy", "--cache-dir", cacheDir, "client", "--remote", "http://" + addr}
 
@@ -541,46 +490,32 @@ func setupClient(t *testing.T, c args, addr string, cacheDir string, golden stri
 	}
 	if len(c.Severity) != 0 {
 		osArgs = append(osArgs,
-			[]string{"--severity", strings.Join(c.Severity, ",")}...,
+			"--severity", strings.Join(c.Severity, ","),
 		)
 	}
 
-	var err error
-	var ignoreTmpDir string
 	if len(c.IgnoreIDs) != 0 {
-		ignoreTmpDir, err = ioutil.TempDir("", "ignore")
-		require.NoError(t, err, "failed to create a temp dir")
-		trivyIgnore := filepath.Join(ignoreTmpDir, ".trivyignore")
-		err = ioutil.WriteFile(trivyIgnore, []byte(strings.Join(c.IgnoreIDs, "\n")), 0444)
+		trivyIgnore := filepath.Join(t.TempDir(), ".trivyignore")
+		err := os.WriteFile(trivyIgnore, []byte(strings.Join(c.IgnoreIDs, "\n")), 0444)
 		require.NoError(t, err, "failed to write .trivyignore")
-		osArgs = append(osArgs, []string{"--ignorefile", trivyIgnore}...)
+		osArgs = append(osArgs, "--ignorefile", trivyIgnore)
 	}
 	if c.ClientToken != "" {
-		osArgs = append(osArgs, []string{"--token", c.ClientToken, "--token-header", c.ClientTokenHeader}...)
+		osArgs = append(osArgs, "--token", c.ClientToken, "--token-header", c.ClientTokenHeader)
 	}
 	if c.Input != "" {
-		osArgs = append(osArgs, []string{"--input", c.Input}...)
+		osArgs = append(osArgs, "--input", c.Input)
 	}
 
-	// Setup the output file
-	var outputFile string
+	// Set up the output file
+	outputFile := filepath.Join(t.TempDir(), "output.json")
 	if *update {
 		outputFile = golden
-	} else {
-		output, _ := ioutil.TempFile("", "integration")
-		assert.Nil(t, output.Close())
-		outputFile = output.Name()
 	}
 
-	cleanup := func() {
-		_ = os.Remove(ignoreTmpDir)
-		if !*update {
-			_ = os.Remove(outputFile)
-		}
-	}
+	osArgs = append(osArgs, "--output", outputFile)
 
-	osArgs = append(osArgs, []string{"--output", outputFile}...)
-	return osArgs, outputFile, cleanup
+	return osArgs, outputFile
 }
 
 func setupRedis(t *testing.T, ctx context.Context) (testcontainers.Container, string) {
@@ -591,6 +526,8 @@ func setupRedis(t *testing.T, ctx context.Context) (testcontainers.Container, st
 		Name:         "redis",
 		Image:        imageName,
 		ExposedPorts: []string{port},
+		SkipReaper:   true,
+		AutoRemove:   true,
 	}
 
 	redis, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
@@ -608,18 +545,3 @@ func setupRedis(t *testing.T, ctx context.Context) (testcontainers.Container, st
 	addr := fmt.Sprintf("redis://%s:%s", ip, p.Port())
 	return redis, addr
 }
-
-func compare(t *testing.T, wantFile, gotFile string) {
-	t.Helper()
-	// Compare want and got
-	want, err := ioutil.ReadFile(wantFile)
-	assert.NoError(t, err)
-	got, err := ioutil.ReadFile(gotFile)
-	assert.NoError(t, err)
-
-	if strings.HasSuffix(wantFile, ".json.golden") {
-		assert.JSONEq(t, string(want), string(got))
-	} else {
-		assert.EqualValues(t, string(want), string(got))
-	}
-}

integration/docker/docker.go

@@ -1,117 +0,0 @@
-package docker
-
-import (
-	"context"
-	"encoding/base64"
-	"encoding/json"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net/url"
-	"os"
-
-	"github.com/docker/docker/client"
-
-	"github.com/docker/docker/api/types"
-)
-
-// RegistryConfig holds the config for docker registry
-type RegistryConfig struct {
-	URL      *url.URL
-	Username string
-	Password string
-}
-
-// GetAuthConfig returns the docker registry authConfig
-func (c RegistryConfig) GetAuthConfig() types.AuthConfig {
-	return types.AuthConfig{
-		Username:      c.Username,
-		Password:      c.Password,
-		ServerAddress: c.URL.Host,
-	}
-}
-
-// GetRegistryAuth returns the json encoded docker registry auth
-func (c RegistryConfig) GetRegistryAuth() (string, error) {
-	authConfig := types.AuthConfig{
-		Username: c.Username,
-		Password: c.Password,
-	}
-	encodedJSON, err := json.Marshal(authConfig)
-	if err != nil {
-		return "", err
-	}
-	return base64.URLEncoding.EncodeToString(encodedJSON), nil
-}
-
-// Docker returns docker client
-type Docker struct {
-	cli *client.Client
-}
-
-// New is the factory method to return docker client
-func New() (Docker, error) {
-	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
-	if err != nil {
-		return Docker{}, err
-	}
-	return Docker{
-		cli: cli,
-	}, nil
-}
-
-// ReplicateImage tags the given imagePath and pushes it to the given dest registry.
-func (d Docker) ReplicateImage(ctx context.Context, imageRef, imagePath string, dest RegistryConfig) error {
-	// remove existing Image if any
-	_, _ = d.cli.ImageRemove(ctx, imageRef, types.ImageRemoveOptions{
-		Force:         true,
-		PruneChildren: true,
-	})
-
-	testfile, err := os.Open(imagePath)
-	if err != nil {
-		return err
-	}
-
-	// load image into docker engine
-	resp, err := d.cli.ImageLoad(ctx, testfile, true)
-	if err != nil {
-		return err
-	}
-	if _, err = io.Copy(ioutil.Discard, resp.Body); err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	targetImageRef := fmt.Sprintf("%s/%s", dest.URL.Host, imageRef)
-
-	if err = d.cli.ImageTag(ctx, imageRef, targetImageRef); err != nil {
-		return err
-	}
-	defer func() {
-		_, _ = d.cli.ImageRemove(ctx, imageRef, types.ImageRemoveOptions{
-			Force:         true,
-			PruneChildren: true,
-		})
-		_, _ = d.cli.ImageRemove(ctx, targetImageRef, types.ImageRemoveOptions{
-			Force:         true,
-			PruneChildren: true,
-		})
-	}()
-
-	auth, err := dest.GetRegistryAuth()
-	if err != nil {
-		return err
-	}
-
-	pushOut, err := d.cli.ImagePush(ctx, targetImageRef, types.ImagePushOptions{RegistryAuth: auth})
-	if err != nil {
-		return err
-	}
-	defer pushOut.Close()
-
-	if _, err = io.Copy(ioutil.Discard, pushOut); err != nil {
-		return err
-	}
-	return nil
-}

integration/docker_engine_test.go

@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration
 
 package integration
@@ -5,8 +6,8 @@ package integration
 import (
 	"context"
 	"io"
-	"io/ioutil"
 	"os"
+	"path/filepath"
 	"strings"
 	"testing"
 
@@ -18,235 +19,185 @@ import (
 	"github.com/aquasecurity/trivy/pkg/commands"
 )
 
-func TestRun_WithDockerEngine(t *testing.T) {
-	testCases := []struct {
-		name                string
-		withImageSubcommand bool
-		imageTag            string
-		invalidImage        bool
-		ignoreUnfixed       bool
-		severity            []string
-		ignoreIDs           []string
-		testfile            string
-		expectedOutputFile  string
-		expectedError       string
+func TestDockerEngine(t *testing.T) {
+	tests := []struct {
+		name          string
+		imageTag      string
+		invalidImage  bool
+		ignoreUnfixed bool
+		severity      []string
+		ignoreIDs     []string
+		input         string
+		golden        string
+		wantErr       string
 	}{
-		// All of these cases should pass for either
-		// $ trivy <args>
-		// $ trivy image <args>
 		{
-			name:               "happy path, valid image path, alpine:3.10",
-			imageTag:           "alpine:3.10",
-			expectedOutputFile: "testdata/alpine-310.json.golden",
-			testfile:           "testdata/fixtures/images/alpine-310.tar.gz",
+			name:     "alpine:3.9",
+			imageTag: "alpine:3.9",
+			input:    "testdata/fixtures/images/alpine-39.tar.gz",
+			golden:   "testdata/alpine-39.json.golden",
 		},
 		{
-			name:                "happy path, valid image path, with image subcommand, alpine:3.10",
-			withImageSubcommand: true,
-			imageTag:            "alpine:3.10",
-			expectedOutputFile:  "testdata/alpine-310.json.golden",
-			testfile:            "testdata/fixtures/images/alpine-310.tar.gz",
+			name:     "alpine:3.9, with high and critical severity",
+			severity: []string{"HIGH", "CRITICAL"},
+			imageTag: "alpine:3.9",
+			input:    "testdata/fixtures/images/alpine-39.tar.gz",
+			golden:   "testdata/alpine-39-high-critical.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, alpine:3.10, ignore unfixed",
-			ignoreUnfixed:      true,
-			imageTag:           "alpine:3.10",
-			expectedOutputFile: "testdata/alpine-310-ignore-unfixed.json.golden",
-			testfile:           "testdata/fixtures/images/alpine-310.tar.gz",
+			name:      "alpine:3.9, with .trivyignore",
+			imageTag:  "alpine:3.9",
+			ignoreIDs: []string{"CVE-2019-1549", "CVE-2019-14697"},
+			input:     "testdata/fixtures/images/alpine-39.tar.gz",
+			golden:    "testdata/alpine-39-ignore-cveids.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, alpine:3.10, ignore unfixed, with medium and high severity",
-			ignoreUnfixed:      true,
-			severity:           []string{"MEDIUM", "HIGH"},
-			imageTag:           "alpine:3.10",
-			expectedOutputFile: "testdata/alpine-310-medium-high.json.golden",
-			testfile:           "testdata/fixtures/images/alpine-310.tar.gz",
+			name:     "alpine:3.10",
+			imageTag: "alpine:3.10",
+			input:    "testdata/fixtures/images/alpine-310.tar.gz",
+			golden:   "testdata/alpine-310.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, alpine:3.10, with .trivyignore",
-			imageTag:           "alpine:3.10",
-			ignoreIDs:          []string{"CVE-2019-1549", "CVE-2019-1563"},
-			expectedOutputFile: "testdata/alpine-310-ignore-cveids.json.golden",
-			testfile:           "testdata/fixtures/images/alpine-310.tar.gz",
+			name:     "amazonlinux:1",
+			imageTag: "amazonlinux:1",
+			input:    "testdata/fixtures/images/amazon-1.tar.gz",
+			golden:   "testdata/amazon-1.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, alpine:3.9",
-			imageTag:           "alpine:3.9",
-			expectedOutputFile: "testdata/alpine-39.json.golden",
-			testfile:           "testdata/fixtures/images/alpine-39.tar.gz",
+			name:     "amazonlinux:2",
+			imageTag: "amazonlinux:2",
+			input:    "testdata/fixtures/images/amazon-2.tar.gz",
+			golden:   "testdata/amazon-2.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, amazonlinux:1",
-			imageTag:           "amazonlinux:1",
-			expectedOutputFile: "testdata/amazon-1.json.golden",
-			testfile:           "testdata/fixtures/images/amazon-1.tar.gz",
+			name:     "almalinux 8",
+			imageTag: "almalinux:8",
+			input:    "testdata/fixtures/images/almalinux-8.tar.gz",
+			golden:   "testdata/almalinux-8.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, amazonlinux:2",
-			imageTag:           "amazonlinux:2",
-			expectedOutputFile: "testdata/amazon-2.json.golden",
-			testfile:           "testdata/fixtures/images/amazon-2.tar.gz",
+			name:     "rocky linux 8",
+			imageTag: "rockylinux:8",
+			input:    "testdata/fixtures/images/rockylinux-8.tar.gz",
+			golden:   "testdata/rockylinux-8.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, centos:6",
-			imageTag:           "centos:6",
-			expectedOutputFile: "testdata/centos-6.json.golden",
-			testfile:           "testdata/fixtures/images/centos-6.tar.gz",
+			name:     "centos 6",
+			imageTag: "centos:6",
+			input:    "testdata/fixtures/images/centos-6.tar.gz",
+			golden:   "testdata/centos-6.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, centos:7",
-			imageTag:           "centos:7",
-			expectedOutputFile: "testdata/centos-7.json.golden",
-			testfile:           "testdata/fixtures/images/centos-7.tar.gz",
+			name:     "centos 7",
+			imageTag: "centos:7",
+			input:    "testdata/fixtures/images/centos-7.tar.gz",
+			golden:   "testdata/centos-7.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, centos:7, with --ignore-unfixed option",
-			imageTag:           "centos:7",
-			ignoreUnfixed:      true,
-			expectedOutputFile: "testdata/centos-7-ignore-unfixed.json.golden",
-			testfile:           "testdata/fixtures/images/centos-7.tar.gz",
+			name:          "centos 7, with --ignore-unfixed option",
+			imageTag:      "centos:7",
+			ignoreUnfixed: true,
+			input:         "testdata/fixtures/images/centos-7.tar.gz",
+			golden:        "testdata/centos-7-ignore-unfixed.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, centos:7, with --ignore-unfixed option, with low and high severity",
-			imageTag:           "centos:7",
-			ignoreUnfixed:      true,
-			severity:           []string{"LOW", "HIGH"},
-			expectedOutputFile: "testdata/centos-7-low-high.json.golden",
-			testfile:           "testdata/fixtures/images/centos-7.tar.gz",
+			name:          "centos 7, with --ignore-unfixed option, with medium severity",
+			imageTag:      "centos:7",
+			ignoreUnfixed: true,
+			severity:      []string{"MEDIUM"},
+			input:         "testdata/fixtures/images/centos-7.tar.gz",
+			golden:        "testdata/centos-7-medium.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, debian:buster",
-			imageTag:           "debian:buster",
-			expectedOutputFile: "testdata/debian-buster.json.golden",
-			testfile:           "testdata/fixtures/images/debian-buster.tar.gz",
+			name:     "registry.redhat.io/ubi7",
+			imageTag: "registry.redhat.io/ubi7",
+			input:    "testdata/fixtures/images/ubi-7.tar.gz",
+			golden:   "testdata/ubi-7.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, debian:buster, with --ignore-unfixed option",
-			ignoreUnfixed:      true,
-			imageTag:           "debian:buster",
-			expectedOutputFile: "testdata/debian-buster-ignore-unfixed.json.golden",
-			testfile:           "testdata/fixtures/images/debian-buster.tar.gz",
+			name:     "debian buster/10",
+			imageTag: "debian:buster",
+			input:    "testdata/fixtures/images/debian-buster.tar.gz",
+			golden:   "testdata/debian-buster.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, debian:stretch",
-			imageTag:           "debian:stretch",
-			expectedOutputFile: "testdata/debian-stretch.json.golden",
-			testfile:           "testdata/fixtures/images/debian-stretch.tar.gz",
+			name:          "debian buster/10, with --ignore-unfixed option",
+			ignoreUnfixed: true,
+			imageTag:      "debian:buster",
+			input:         "testdata/fixtures/images/debian-buster.tar.gz",
+			golden:        "testdata/debian-buster-ignore-unfixed.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, distroless:base",
-			imageTag:           "gcr.io/distroless/base:latest",
-			expectedOutputFile: "testdata/distroless-base.json.golden",
-			testfile:           "testdata/fixtures/images/distroless-base.tar.gz",
+			name:     "debian stretch/9",
+			imageTag: "debian:stretch",
+			input:    "testdata/fixtures/images/debian-stretch.tar.gz",
+			golden:   "testdata/debian-stretch.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, distroless:base",
-			imageTag:           "gcr.io/distroless/base:latest",
-			expectedOutputFile: "testdata/distroless-base.json.golden",
-			testfile:           "testdata/fixtures/images/distroless-base.tar.gz",
+			name:     "distroless base",
+			imageTag: "gcr.io/distroless/base:latest",
+			input:    "testdata/fixtures/images/distroless-base.tar.gz",
+			golden:   "testdata/distroless-base.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, distroless:base, with --ignore-unfixed option",
-			imageTag:           "gcr.io/distroless/base:latest",
-			ignoreUnfixed:      true,
-			expectedOutputFile: "testdata/distroless-base-ignore-unfixed.json.golden",
-			testfile:           "testdata/fixtures/images/distroless-base.tar.gz",
+			name:     "distroless python2.7",
+			imageTag: "gcr.io/distroless/python2.7:latest",
+			input:    "testdata/fixtures/images/distroless-python27.tar.gz",
+			golden:   "testdata/distroless-python27.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, distroless:python2.7",
-			imageTag:           "gcr.io/distroless/python2.7:latest",
-			expectedOutputFile: "testdata/distroless-python27.json.golden",
-			testfile:           "testdata/fixtures/images/distroless-python27.tar.gz",
+			name:     "oracle linux 8",
+			imageTag: "oraclelinux:8-slim",
+			input:    "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
+			golden:   "testdata/oraclelinux-8-slim.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, oraclelinux:6-slim",
-			imageTag:           "oraclelinux:6-slim",
-			expectedOutputFile: "testdata/oraclelinux-6-slim.json.golden",
-			testfile:           "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
+			name:     "ubuntu 18.04",
+			imageTag: "ubuntu:18.04",
+			input:    "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			golden:   "testdata/ubuntu-1804.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, oraclelinux:7-slim",
-			imageTag:           "oraclelinux:7-slim",
-			expectedOutputFile: "testdata/oraclelinux-7-slim.json.golden",
-			testfile:           "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
+			name:          "ubuntu 18.04, with --ignore-unfixed option",
+			imageTag:      "ubuntu:18.04",
+			ignoreUnfixed: true,
+			input:         "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			golden:        "testdata/ubuntu-1804-ignore-unfixed.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, oraclelinux:8-slim",
-			imageTag:           "oraclelinux:8-slim",
-			expectedOutputFile: "testdata/oraclelinux-8-slim.json.golden",
-			testfile:           "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
+			name:     "opensuse leap 15.1",
+			imageTag: "opensuse/leap:latest",
+			input:    "testdata/fixtures/images/opensuse-leap-151.tar.gz",
+			golden:   "testdata/opensuse-leap-151.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, ubuntu:16.04",
-			imageTag:           "ubuntu:16.04",
-			expectedOutputFile: "testdata/ubuntu-1604.json.golden",
-			testfile:           "testdata/fixtures/images/ubuntu-1604.tar.gz",
+			name:     "photon 3.0",
+			imageTag: "photon:3.0-20190823",
+			input:    "testdata/fixtures/images/photon-30.tar.gz",
+			golden:   "testdata/photon-30.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, ubuntu:18.04",
-			imageTag:           "ubuntu:18.04",
-			expectedOutputFile: "testdata/ubuntu-1804.json.golden",
-			testfile:           "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			name:     "CBL-Mariner 1.0",
+			imageTag: "cblmariner.azurecr.io/base/core:1.0",
+			input:    "testdata/fixtures/images/mariner-1.0.tar.gz",
+			golden:   "testdata/mariner-1.0.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, ubuntu:18.04, with --ignore-unfixed option",
-			imageTag:           "ubuntu:18.04",
-			ignoreUnfixed:      true,
-			expectedOutputFile: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
-			testfile:           "testdata/fixtures/images/ubuntu-1804.tar.gz",
+			name:     "busybox with Cargo.lock",
+			imageTag: "busy-cargo:latest",
+			input:    "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+			golden:   "testdata/busybox-with-lockfile.json.golden",
 		},
 		{
-			name:               "happy path, valid image path, registry.redhat.io/ubi7",
-			imageTag:           "registry.redhat.io/ubi7",
-			expectedOutputFile: "testdata/ubi-7.json.golden",
-			testfile:           "testdata/fixtures/images/ubi-7.tar.gz",
-		},
-		{
-			name:               "happy path, valid image path, opensuse leap 15.1",
-			imageTag:           "opensuse/leap:latest",
-			expectedOutputFile: "testdata/opensuse-leap-151.json.golden",
-			testfile:           "testdata/fixtures/images/opensuse-leap-151.tar.gz",
-		},
-		{
-			name:               "happy path, valid image path, opensuse leap 42.3",
-			imageTag:           "opensuse/leap:42.3",
-			expectedOutputFile: "testdata/opensuse-leap-423.json.golden",
-			testfile:           "testdata/fixtures/images/opensuse-leap-423.tar.gz",
-		},
-		{
-			name:               "happy path, valid image path, photon 1.0",
-			imageTag:           "photon:1.0-20190823",
-			expectedOutputFile: "testdata/photon-10.json.golden",
-			testfile:           "testdata/fixtures/images/photon-10.tar.gz",
-		},
-		{
-			name:               "happy path, valid image path, photon 2.0",
-			imageTag:           "photon:2.0-20190726",
-			expectedOutputFile: "testdata/photon-20.json.golden",
-			testfile:           "testdata/fixtures/images/photon-20.tar.gz",
-		},
-		{
-			name:               "happy path, valid image path, photon 3.0",
-			imageTag:           "photon:3.0-20190823",
-			expectedOutputFile: "testdata/photon-30.json.golden",
-			testfile:           "testdata/fixtures/images/photon-30.tar.gz",
-		},
-		{
-			name:               "buxybox with Cargo.lock integration",
-			imageTag:           "busy-cargo:latest",
-			expectedOutputFile: "testdata/busybox-with-lockfile.json.golden",
-			testfile:           "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
-		},
-		{
-			name:          "sad path, invalid image",
-			invalidImage:  true,
-			testfile:      "badimage:latest",
-			expectedError: "unable to inspect the image (index.docker.io/library/badimage:latest)",
+			name:         "sad path, invalid image",
+			invalidImage: true,
+			input:        "badimage:latest",
+			wantErr:      "unable to inspect the image (index.docker.io/library/badimage:latest)",
 		},
 	}
 
 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)
 
 	ctx := context.Background()
 	defer ctx.Done()
@@ -254,85 +205,74 @@ func TestRun_WithDockerEngine(t *testing.T) {
 	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
 	require.NoError(t, err)
 
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			if !tc.invalidImage {
-				testfile, err := os.Open(tc.testfile)
-				require.NoError(t, err, tc.name)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if !tt.invalidImage {
+				testfile, err := os.Open(tt.input)
+				require.NoError(t, err, tt.name)
 
 				// ensure image doesnt already exists
-				_, _ = cli.ImageRemove(ctx, tc.testfile, types.ImageRemoveOptions{
+				_, _ = cli.ImageRemove(ctx, tt.input, types.ImageRemoveOptions{
 					Force:         true,
 					PruneChildren: true,
 				})
 
 				// load image into docker engine
 				res, err := cli.ImageLoad(ctx, testfile, true)
-				require.NoError(t, err, tc.name)
-				io.Copy(ioutil.Discard, res.Body)
+				require.NoError(t, err, tt.name)
+				io.Copy(io.Discard, res.Body)
 
 				// tag our image to something unique
-				err = cli.ImageTag(ctx, tc.imageTag, tc.testfile)
-				require.NoError(t, err, tc.name)
+				err = cli.ImageTag(ctx, tt.imageTag, tt.input)
+				require.NoError(t, err, tt.name)
 			}
 
-			of, err := ioutil.TempFile("", "integration-docker-engine-output-file-*")
-			require.NoError(t, err, tc.name)
-			defer os.Remove(of.Name())
+			tmpDir := t.TempDir()
+			output := filepath.Join(tmpDir, "result.json")
 
 			// run trivy
 			app := commands.NewApp("dev")
-			trivyArgs := []string{"trivy"}
-			trivyArgs = append(trivyArgs, "--cache-dir", cacheDir)
-			if tc.withImageSubcommand {
-				trivyArgs = append(trivyArgs, "image")
-			}
+			trivyArgs := []string{"trivy", "--cache-dir", cacheDir, "image",
+				"--skip-update", "--format=json", "--output", output}
 
-			trivyArgs = append(trivyArgs, []string{"--skip-update", "--format=json", "--output", of.Name()}...)
-
-			if tc.ignoreUnfixed {
+			if tt.ignoreUnfixed {
 				trivyArgs = append(trivyArgs, "--ignore-unfixed")
 			}
-			if len(tc.severity) != 0 {
+			if len(tt.severity) != 0 {
 				trivyArgs = append(trivyArgs,
-					[]string{"--severity", strings.Join(tc.severity, ",")}...,
+					[]string{"--severity", strings.Join(tt.severity, ",")}...,
 				)
 			}
-			if len(tc.ignoreIDs) != 0 {
+			if len(tt.ignoreIDs) != 0 {
 				trivyIgnore := ".trivyignore"
-				err := ioutil.WriteFile(trivyIgnore, []byte(strings.Join(tc.ignoreIDs, "\n")), 0444)
+				err = os.WriteFile(trivyIgnore, []byte(strings.Join(tt.ignoreIDs, "\n")), 0444)
 				assert.NoError(t, err, "failed to write .trivyignore")
 				defer os.Remove(trivyIgnore)
 			}
-			trivyArgs = append(trivyArgs, tc.testfile)
+			trivyArgs = append(trivyArgs, tt.input)
 
 			err = app.Run(trivyArgs)
-			switch {
-			case tc.expectedError != "":
+			if tt.wantErr != "" {
 				require.NotNil(t, err)
-				assert.Contains(t, err.Error(), tc.expectedError, tc.name)
+				assert.Contains(t, err.Error(), tt.wantErr, tt.name)
 				return
-			default:
-				assert.NoError(t, err, tc.name)
 			}
 
+			assert.NoError(t, err, tt.name)
+
 			// check for vulnerability output info
-			got, err := ioutil.ReadAll(of)
-			assert.NoError(t, err, tc.name)
-			want, err := ioutil.ReadFile(tc.expectedOutputFile)
-			assert.NoError(t, err, tc.name)
-			assert.JSONEq(t, string(want), string(got), tc.name)
+			compareReports(t, tt.golden, output)
 
 			// cleanup
-			_, err = cli.ImageRemove(ctx, tc.testfile, types.ImageRemoveOptions{
+			_, err = cli.ImageRemove(ctx, tt.input, types.ImageRemoveOptions{
 				Force:         true,
 				PruneChildren: true,
 			})
-			_, err = cli.ImageRemove(ctx, tc.imageTag, types.ImageRemoveOptions{
+			_, err = cli.ImageRemove(ctx, tt.imageTag, types.ImageRemoveOptions{
 				Force:         true,
 				PruneChildren: true,
 			})
-			assert.NoError(t, err, tc.name)
+			assert.NoError(t, err, tt.name)
 		})
 	}
 }

integration/fs_test.go

@@ -1,3 +1,4 @@
+//go:build integration
 // +build integration
 
 package integration
@@ -5,11 +6,11 @@ package integration
 import (
 	"io"
 	"os"
+	"path/filepath"
 	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 
 	"github.com/aquasecurity/trivy/pkg/commands"
 )
@@ -36,6 +37,22 @@ func TestFilesystem(t *testing.T) {
 			},
 			golden: "testdata/nodejs.json.golden",
 		},
+		{
+			name: "pip",
+			args: args{
+				securityChecks: "vuln",
+				input:          "testdata/fixtures/fs/pip",
+			},
+			golden: "testdata/pip.json.golden",
+		},
+		{
+			name: "pom",
+			args: args{
+				securityChecks: "vuln",
+				input:          "testdata/fixtures/fs/pom",
+			},
+			golden: "testdata/pom.json.golden",
+		},
 		{
 			name: "dockerfile",
 			args: args{
@@ -76,12 +93,12 @@ func TestFilesystem(t *testing.T) {
 	}
 
 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			osArgs := []string{"trivy", "--cache-dir", cacheDir, "fs", "--skip-db-update", "--skip-policy-update",
-				"--format", "json", "--security-checks", tt.args.securityChecks}
+				"--format", "json", "--offline-scan", "--security-checks", tt.args.securityChecks}
 
 			if len(tt.args.policyPaths) != 0 {
 				for _, policyPath := range tt.args.policyPaths {
@@ -96,9 +113,7 @@ func TestFilesystem(t *testing.T) {
 			}
 
 			if len(tt.args.severity) != 0 {
-				osArgs = append(osArgs,
-					[]string{"--severity", strings.Join(tt.args.severity, ",")}...,
-				)
+				osArgs = append(osArgs, "--severity", strings.Join(tt.args.severity, ","))
 			}
 
 			if len(tt.args.ignoreIDs) != 0 {
@@ -109,15 +124,9 @@ func TestFilesystem(t *testing.T) {
 			}
 
 			// Setup the output file
-			var outputFile string
+			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
 				outputFile = tt.golden
-			} else {
-				output, err := os.CreateTemp("", "integration")
-				require.NoError(t, err)
-				assert.Nil(t, output.Close())
-				defer os.Remove(output.Name())
-				outputFile = output.Name()
 			}
 
 			osArgs = append(osArgs, "--output", outputFile)
@@ -131,12 +140,7 @@ func TestFilesystem(t *testing.T) {
 			assert.Nil(t, app.Run(osArgs))
 
 			// Compare want and got
-			want, err := os.ReadFile(tt.golden)
-			assert.NoError(t, err)
-			got, err := os.ReadFile(outputFile)
-			assert.NoError(t, err)
-
-			assert.JSONEq(t, string(want), string(got))
+			compareReports(t, tt.golden, outputFile)
 		})
 	}
 }

integration/integration_test.go

@@ -1,59 +1,59 @@
+//go:build integration
 // +build integration
 
 package integration
 
 import (
-	"compress/gzip"
 	"context"
 	"encoding/json"
 	"flag"
-	"io"
 	"net"
 	"os"
 	"path/filepath"
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/aquasecurity/trivy-db/pkg/db"
+	"github.com/aquasecurity/trivy-db/pkg/metadata"
+	"github.com/aquasecurity/trivy/pkg/dbtest"
+	"github.com/aquasecurity/trivy/pkg/report"
 )
 
 var update = flag.Bool("update", false, "update golden files")
 
-func gunzipDB(t *testing.T) string {
-	gz, err := os.Open("testdata/trivy.db.gz")
+func initDB(t *testing.T) string {
+	fixtureDir := filepath.Join("testdata", "fixtures", "db")
+	entries, err := os.ReadDir(fixtureDir)
 	require.NoError(t, err)
 
-	zr, err := gzip.NewReader(gz)
-	require.NoError(t, err)
+	var fixtures []string
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+		fixtures = append(fixtures, filepath.Join(fixtureDir, entry.Name()))
+	}
 
-	tmpDir := t.TempDir()
-	dbPath := db.Path(tmpDir)
-	dbDir := filepath.Dir(dbPath)
-	err = os.MkdirAll(dbDir, 0700)
-	require.NoError(t, err)
+	cacheDir := dbtest.InitDB(t, fixtures)
+	defer db.Close()
 
-	file, err := os.Create(dbPath)
-	require.NoError(t, err)
-	defer file.Close()
-
-	_, err = io.Copy(file, zr)
-	require.NoError(t, err)
+	dbDir := filepath.Dir(db.Path(cacheDir))
 
 	metadataFile := filepath.Join(dbDir, "metadata.json")
-	b, err := json.Marshal(db.Metadata{
-		Version:    1,
-		Type:       1,
-		NextUpdate: time.Time{},
-		UpdatedAt:  time.Time{},
+	f, err := os.Create(metadataFile)
+	require.NoError(t, err)
+
+	err = json.NewEncoder(f).Encode(metadata.Metadata{
+		Version:    db.SchemaVersion,
+		NextUpdate: time.Now().Add(24 * time.Hour),
+		UpdatedAt:  time.Now(),
 	})
 	require.NoError(t, err)
 
-	err = os.WriteFile(metadataFile, b, 0600)
-	require.NoError(t, err)
-
-	return tmpDir
+	return cacheDir
 }
 
 func getFreePort() (int, error) {
@@ -84,3 +84,31 @@ func waitPort(ctx context.Context, addr string) error {
 		}
 	}
 }
+
+func readReport(t *testing.T, filePath string) report.Report {
+	t.Helper()
+
+	f, err := os.Open(filePath)
+	require.NoError(t, err, filePath)
+	defer f.Close()
+
+	var res report.Report
+	err = json.NewDecoder(f).Decode(&res)
+	require.NoError(t, err, filePath)
+
+	// We don't compare history because the nano-seconds in "created" don't match
+	res.Metadata.ImageConfig.History = nil
+
+	// We don't compare repo tags because the archive doesn't support it
+	res.Metadata.RepoTags = nil
+
+	res.Metadata.RepoDigests = nil
+
+	return res
+}
+
+func compareReports(t *testing.T, wantFile, gotFile string) {
+	want := readReport(t, wantFile)
+	got := readReport(t, gotFile)
+	assert.Equal(t, want, got)
+}

integration/registry_test.go

@@ -1,14 +1,17 @@
+//go:build integration
 // +build integration
 
 package integration
 
 import (
+	"bytes"
+	"compress/gzip"
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"os"
@@ -16,20 +19,20 @@ import (
 	"testing"
 
 	"github.com/docker/go-connections/nat"
+	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/google/go-containerregistry/pkg/v1/tarball"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	testcontainers "github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/wait"
 
-	_ "github.com/aquasecurity/fanal/analyzer"
-	testdocker "github.com/aquasecurity/trivy/integration/docker"
 	"github.com/aquasecurity/trivy/pkg/commands"
-	"github.com/aquasecurity/trivy/pkg/report"
 )
 
 const (
-	registryImage = "registry:2"
+	registryImage = "registry:2.7.0"
 	registryPort  = "5443/tcp"
 
 	authImage    = "cesanta/docker_auth:1"
@@ -52,10 +55,13 @@ func setupRegistry(ctx context.Context, baseDir string, authURL *url.URL) (testc
 			"REGISTRY_AUTH_TOKEN_SERVICE":        "registry.docker.io",
 			"REGISTRY_AUTH_TOKEN_ISSUER":         "Trivy auth server",
 			"REGISTRY_AUTH_TOKEN_ROOTCERTBUNDLE": "/certs/cert.pem",
+			"REGISTRY_AUTH_TOKEN_AUTOREDIRECT":   "false",
 		},
 		BindMounts: map[string]string{
 			filepath.Join(baseDir, "data", "certs"): "/certs",
 		},
+		SkipReaper: true,
+		AutoRemove: true,
 		WaitingFor: wait.ForLog("listening on [::]:5443"),
 	}
 
@@ -75,7 +81,9 @@ func setupAuthServer(ctx context.Context, baseDir string) (testcontainers.Contai
 			filepath.Join(baseDir, "data", "auth_config"): "/config",
 			filepath.Join(baseDir, "data", "certs"):       "/certs",
 		},
-		Cmd: []string{"/config/config.yml"},
+		SkipReaper: true,
+		AutoRemove: true,
+		Cmd:        []string{"/config/config.yml"},
 	}
 
 	authC, err := testcontainers.GenericContainer(ctx, testcontainers.GenericContainerRequest{
@@ -129,13 +137,12 @@ func TestRegistry(t *testing.T) {
 	registryURL, err := getURL(ctx, registryC, registryPort)
 	require.NoError(t, err)
 
-	config := testdocker.RegistryConfig{
-		URL:      registryURL,
+	auth := &authn.Basic{
 		Username: authUsername,
 		Password: authPassword,
 	}
 
-	testCases := []struct {
+	tests := []struct {
 		name      string
 		imageName string
 		imageFile string
@@ -170,102 +177,77 @@ func TestRegistry(t *testing.T) {
 			name:      "sad path",
 			imageName: "alpine:3.10",
 			imageFile: "testdata/fixtures/images/alpine-310.tar.gz",
-			wantErr:   "unsupported status code 401; body: Auth failed",
+			wantErr:   "unexpected status code 401 Unauthorized: Auth failed",
 		},
 	}
 
-	for _, tc := range testCases {
+	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			d, err := testdocker.New()
-			require.NoError(t, err)
-
 			s := fmt.Sprintf("%s/%s", registryURL.Host, tc.imageName)
 			imageRef, err := name.ParseReference(s)
 			require.NoError(t, err)
 
 			// 1. Load a test image from the tar file, tag it and push to the test registry.
-			err = d.ReplicateImage(ctx, tc.imageName, tc.imageFile, config)
+			err = replicateImage(imageRef, tc.imageFile, auth)
 			require.NoError(t, err)
 
 			// 2. Scan it
-			resultFile, cleanup, err := scan(t, imageRef, baseDir, tc.golden, tc.option)
+			resultFile, err := scan(t, imageRef, baseDir, tc.golden, tc.option)
 
 			if tc.wantErr != "" {
-				require.NotNil(t, err)
+				require.Error(t, err)
 				require.Contains(t, err.Error(), tc.wantErr, err)
 				return
-			} else {
-				require.NoError(t, err)
 			}
-			defer cleanup()
-
-			// 3. Compare want and got
-			golden, err := os.Open(tc.golden)
-			assert.NoError(t, err)
-
-			var want report.Results
-			err = json.NewDecoder(golden).Decode(&want)
 			require.NoError(t, err)
 
-			result, err := os.Open(resultFile)
-			assert.NoError(t, err)
+			// 3. Read want and got
+			want := readReport(t, tc.golden)
+			got := readReport(t, resultFile)
 
-			var got report.Results
-			err = json.NewDecoder(result).Decode(&got)
-			require.NoError(t, err)
+			// 4 Update some dynamic fields
+			want.ArtifactName = s
+			for i := range want.Results {
+				want.Results[i].Target = fmt.Sprintf("%s (alpine 3.10.2)", s)
+			}
 
-			assert.Equal(t, want[0].Vulnerabilities, got[0].Vulnerabilities)
-			assert.Equal(t, want[0].Vulnerabilities, got[0].Vulnerabilities)
+			// 5. Compare want and got
+			assert.Equal(t, want, got)
 		})
 	}
 }
 
-func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt registryOption) (string, func(), error) {
-	cleanup := func() {}
-
+func scan(t *testing.T, imageRef name.Reference, baseDir, goldenFile string, opt registryOption) (string, error) {
 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)
 
 	// Setup the output file
-	var outputFile string
-	if *update && goldenFile != "" {
+	outputFile := filepath.Join(t.TempDir(), "output.json")
+	if *update {
 		outputFile = goldenFile
-	} else {
-		output, err := ioutil.TempFile("", "integration")
-		if err != nil {
-			return "", cleanup, err
-		}
-		defer output.Close()
-
-		outputFile = output.Name()
-		cleanup = func() {
-			os.Remove(outputFile)
-		}
 	}
 
 	// Setup env
-	if err := setupEnv(imageRef, baseDir, opt); err != nil {
-		return "", cleanup, err
+	if err := setupEnv(t, imageRef, baseDir, opt); err != nil {
+		return "", err
 	}
-	defer unsetEnv()
 
 	// Setup CLI App
 	app := commands.NewApp("dev")
-	app.Writer = ioutil.Discard
+	app.Writer = io.Discard
 
-	osArgs := []string{"trivy", "--cache-dir", cacheDir, "--format", "json", "--skip-update", "--output", outputFile, imageRef.Name()}
+	osArgs := []string{"trivy", "--cache-dir", cacheDir, "image", "--format", "json", "--skip-update",
+		"--output", outputFile, imageRef.Name()}
 
 	// Run Trivy
 	if err := app.Run(osArgs); err != nil {
-		return "", cleanup, err
+		return "", err
 	}
-	return outputFile, cleanup, nil
+	return outputFile, nil
 }
 
-func setupEnv(imageRef name.Reference, baseDir string, opt registryOption) error {
-	if err := os.Setenv("TRIVY_INSECURE", "true"); err != nil {
-		return err
-	}
+func setupEnv(t *testing.T, imageRef name.Reference, baseDir string, opt registryOption) error {
+	t.Setenv("TRIVY_INSECURE", "true")
 
 	if opt.Username != "" && opt.Password != "" {
 		if opt.RegistryToken {
@@ -274,26 +256,10 @@ func setupEnv(imageRef name.Reference, baseDir string, opt registryOption) error
 			if err != nil {
 				return err
 			}
-			if err := os.Setenv("TRIVY_REGISTRY_TOKEN", token); err != nil {
-				return err
-			}
+			t.Setenv("TRIVY_REGISTRY_TOKEN", token)
 		} else {
-			if err := os.Setenv("TRIVY_USERNAME", opt.Username); err != nil {
-				return err
-			}
-			if err := os.Setenv("TRIVY_PASSWORD", opt.Password); err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-func unsetEnv() error {
-	envs := []string{"TRIVY_INSECURE", "TRIVY_USERNAME", "TRIVY_PASSWORD", "TRIVY_REGISTRY_TOKEN"}
-	for _, e := range envs {
-		if err := os.Unsetenv(e); err != nil {
-			return err
+			t.Setenv("TRIVY_USERNAME", opt.Username)
+			t.Setenv("TRIVY_PASSWORD", opt.Password)
 		}
 	}
 	return nil
@@ -301,7 +267,7 @@ func unsetEnv() error {
 
 func requestRegistryToken(imageRef name.Reference, baseDir string, opt registryOption) (string, error) {
 	// Create a CA certificate pool and add cert.pem to it
-	caCert, err := ioutil.ReadFile(filepath.Join(baseDir, "data", "certs", "cert.pem"))
+	caCert, err := os.ReadFile(filepath.Join(baseDir, "data", "certs", "cert.pem"))
 	if err != nil {
 		return "", err
 	}
@@ -347,3 +313,32 @@ func requestRegistryToken(imageRef name.Reference, baseDir string, opt registryO
 
 	return r.AccessToken, nil
 }
+
+// ReplicateImage tags the given imagePath and pushes it to the given dest registry.
+func replicateImage(imageRef name.Reference, imagePath string, auth authn.Authenticator) error {
+	img, err := tarball.Image(func() (io.ReadCloser, error) {
+		b, err := os.ReadFile(imagePath)
+		if err != nil {
+			return nil, err
+		}
+		gr, err := gzip.NewReader(bytes.NewReader(b))
+		if err != nil {
+			return nil, err
+		}
+		return io.NopCloser(gr), nil
+	}, nil)
+	if err != nil {
+		return err
+	}
+
+	t := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+
+	err = remote.Write(imageRef, img, remote.WithAuth(auth), remote.WithTransport(t))
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

integration/standalone_tar_test.go

@@ -1,10 +1,12 @@
+//go:build integration
 // +build integration
 
 package integration
 
 import (
-	"io/ioutil"
+	"io"
 	"os"
+	"path/filepath"
 	"strings"
 	"testing"
 
@@ -13,105 +15,84 @@ import (
 	"github.com/aquasecurity/trivy/pkg/commands"
 )
 
-func TestRun_WithTar(t *testing.T) {
+func TestTar(t *testing.T) {
 	type args struct {
-		Version             string
-		WithImageSubcommand bool
-		SkipUpdate          bool
-		IgnoreUnfixed       bool
-		Severity            []string
-		IgnoreIDs           []string
-		Format              string
-		Input               string
-		SkipDirs            []string
-		SkipFiles           []string
+		IgnoreUnfixed bool
+		Severity      []string
+		IgnoreIDs     []string
+		Format        string
+		Input         string
+		SkipDirs      []string
+		SkipFiles     []string
 	}
-	cases := []struct {
+	tests := []struct {
 		name     string
 		testArgs args
 		golden   string
 	}{
 		{
-			name: "alpine 3.10 integration",
+			name: "alpine 3.9",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with image subcommand",
-			testArgs: args{
-				Version:             "dev",
-				WithImageSubcommand: true,
-				SkipUpdate:          true,
-				Format:              "json",
-				Input:               "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with --ignore-unfixed option",
-			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
-				IgnoreUnfixed: true,
-				Format:        "json",
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-ignore-unfixed.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with medium and high severity",
-			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
-				IgnoreUnfixed: true,
-				Severity:      []string{"MEDIUM", "HIGH"},
-				Format:        "json",
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-medium-high.json.golden",
-		},
-		{
-			name: "alpine 3.10 integration with .trivyignore",
-			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
-				IgnoreUnfixed: false,
-				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-1563"},
-				Format:        "json",
-				Input:         "testdata/fixtures/images/alpine-310.tar.gz",
-			},
-			golden: "testdata/alpine-310-ignore-cveids.json.golden",
-		},
-		{
-			name: "alpine 3.9 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/alpine-39.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39.json.golden",
 		},
 		{
-			name: "debian buster integration",
+			name: "alpine 3.9 with high and critical severity",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/debian-buster.tar.gz",
+				IgnoreUnfixed: true,
+				Severity:      []string{"HIGH", "CRITICAL"},
+				Format:        "json",
+				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+			},
+			golden: "testdata/alpine-39-high-critical.json.golden",
+		},
+		{
+			name: "alpine 3.9 with .trivyignore",
+			testArgs: args{
+				IgnoreUnfixed: false,
+				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-14697"},
+				Format:        "json",
+				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+			},
+			golden: "testdata/alpine-39-ignore-cveids.json.golden",
+		},
+		{
+			name: "alpine 3.10",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/alpine-310.tar.gz",
+			},
+			golden: "testdata/alpine-310.json.golden",
+		},
+		{
+			name: "amazon linux 1",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/amazon-1.tar.gz",
+			},
+			golden: "testdata/amazon-1.json.golden",
+		},
+		{
+			name: "amazon linux 2",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/amazon-2.tar.gz",
+			},
+			golden: "testdata/amazon-2.json.golden",
+		},
+		{
+			name: "debian buster/10",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/debian-buster.tar.gz",
 			},
 			golden: "testdata/debian-buster.json.golden",
 		},
 		{
-			name: "debian buster integration with --ignore-unfixed option",
+			name: "debian buster/10 with --ignore-unfixed option",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
 				Format:        "json",
 				Input:         "testdata/fixtures/images/debian-buster.tar.gz",
@@ -119,30 +100,24 @@ func TestRun_WithTar(t *testing.T) {
 			golden: "testdata/debian-buster-ignore-unfixed.json.golden",
 		},
 		{
-			name: "debian stretch integration",
+			name: "debian stretch/9",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/debian-stretch.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/debian-stretch.tar.gz",
 			},
 			golden: "testdata/debian-stretch.json.golden",
 		},
 		{
-			name: "ubuntu 18.04 integration",
+			name: "ubuntu 18.04",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/ubuntu-1804.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/ubuntu-1804.tar.gz",
 			},
 			golden: "testdata/ubuntu-1804.json.golden",
 		},
 		{
-			name: "ubuntu 18.04 integration with --ignore-unfixed option",
+			name: "ubuntu 18.04 with --ignore-unfixed option",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
 				Format:        "json",
 				Input:         "testdata/fixtures/images/ubuntu-1804.tar.gz",
@@ -150,30 +125,16 @@ func TestRun_WithTar(t *testing.T) {
 			golden: "testdata/ubuntu-1804-ignore-unfixed.json.golden",
 		},
 		{
-			name: "ubuntu 16.04 integration",
+			name: "centos 7",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/ubuntu-1604.tar.gz",
-			},
-			golden: "testdata/ubuntu-1604.json.golden",
-		},
-		{
-			name: "centos 7 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/centos-7.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/centos-7.tar.gz",
 			},
 			golden: "testdata/centos-7.json.golden",
 		},
 		{
-			name: "centos 7 integration with --ignore-unfixed option",
+			name: "centos 7with --ignore-unfixed option",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
 				Format:        "json",
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
@@ -181,255 +142,158 @@ func TestRun_WithTar(t *testing.T) {
 			golden: "testdata/centos-7-ignore-unfixed.json.golden",
 		},
 		{
-			name: "centos 7 integration with low and high severity",
+			name: "centos 7 with medium severity",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
-				Severity:      []string{"LOW", "HIGH"},
+				Severity:      []string{"MEDIUM"},
 				Format:        "json",
 				Input:         "testdata/fixtures/images/centos-7.tar.gz",
 			},
-			golden: "testdata/centos-7-low-high.json.golden",
+			golden: "testdata/centos-7-medium.json.golden",
 		},
 		{
-			name: "centos 6 integration",
+			name: "centos 6",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/centos-6.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/centos-6.tar.gz",
 			},
 			golden: "testdata/centos-6.json.golden",
 		},
 		{
-			name: "ubi 7 integration",
+			name: "ubi 7",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/ubi-7.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/ubi-7.tar.gz",
 			},
 			golden: "testdata/ubi-7.json.golden",
 		},
 		{
-			name: "distroless base integration",
+			name: "almalinux 8",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/distroless-base.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/almalinux-8.tar.gz",
+			},
+			golden: "testdata/almalinux-8.json.golden",
+		},
+		{
+			name: "rocky linux 8",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/rockylinux-8.tar.gz",
+			},
+			golden: "testdata/rockylinux-8.json.golden",
+		},
+		{
+			name: "distroless base",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/distroless-base.tar.gz",
 			},
 			golden: "testdata/distroless-base.json.golden",
 		},
 		{
-			name: "distroless base integration with --ignore-unfixed option",
+			name: "distroless python27",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
-				IgnoreUnfixed: true,
-				Format:        "json",
-				Input:         "testdata/fixtures/images/distroless-base.tar.gz",
-			},
-			golden: "testdata/distroless-base-ignore-unfixed.json.golden",
-		},
-		{
-			name: "distroless python27 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/distroless-python27.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/distroless-python27.tar.gz",
 			},
 			golden: "testdata/distroless-python27.json.golden",
 		},
 		{
-			name: "amazon 1 integration",
+			name: "oracle linux 8",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/amazon-1.tar.gz",
-			},
-			golden: "testdata/amazon-1.json.golden",
-		},
-		{
-			name: "amazon 2 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/amazon-2.tar.gz",
-			},
-			golden: "testdata/amazon-2.json.golden",
-		},
-		{
-			name: "oracle 6 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/oraclelinux-6-slim.tar.gz",
-			},
-			golden: "testdata/oraclelinux-6-slim.json.golden",
-		},
-		{
-			name: "oracle 7 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/oraclelinux-7-slim.tar.gz",
-			},
-			golden: "testdata/oraclelinux-7-slim.json.golden",
-		},
-		{
-			name: "oracle 8 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/oraclelinux-8-slim.tar.gz",
 			},
 			golden: "testdata/oraclelinux-8-slim.json.golden",
 		},
 		{
-			name: "opensuse leap 15.1 integration",
+			name: "opensuse leap 15.1",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/opensuse-leap-151.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/opensuse-leap-151.tar.gz",
 			},
 			golden: "testdata/opensuse-leap-151.json.golden",
 		},
 		{
-			name: "opensuse leap 42.3 integration",
+			name: "photon 3.0",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/opensuse-leap-423.tar.gz",
-			},
-			golden: "testdata/opensuse-leap-423.json.golden",
-		},
-		{
-			name: "photon 1.0 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/photon-10.tar.gz",
-			},
-			golden: "testdata/photon-10.json.golden",
-		},
-		{
-			name: "photon 2.0 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/photon-20.tar.gz",
-			},
-			golden: "testdata/photon-20.json.golden",
-		},
-		{
-			name: "photon 3.0 integration",
-			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/photon-30.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/photon-30.tar.gz",
 			},
 			golden: "testdata/photon-30.json.golden",
 		},
+		{
+			name: "CBL-Mariner 1.0",
+			testArgs: args{
+				Format: "json",
+				Input:  "testdata/fixtures/images/mariner-1.0.tar.gz",
+			},
+			golden: "testdata/mariner-1.0.json.golden",
+		},
 		{
 			name: "buxybox with Cargo.lock integration",
 			testArgs: args{
-				Version:    "dev",
-				SkipUpdate: true,
-				Format:     "json",
-				Input:      "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+				Format: "json",
+				Input:  "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
 			},
 			golden: "testdata/busybox-with-lockfile.json.golden",
 		},
 		{
-			name: "fluentd with multiple lock files",
+			name: "fluentd with RubyGems",
 			testArgs: args{
-				Version:       "dev",
-				SkipUpdate:    true,
 				IgnoreUnfixed: true,
 				Format:        "json",
 				Input:         "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
-				SkipFiles:     []string{"/Gemfile.lock"},
-				SkipDirs: []string{
-					"/var/lib/gems/2.5.0/gems/http_parser.rb-0.6.0",
-					"/var/lib/gems/2.5.0/gems/fluent-plugin-detect-exceptions-0.0.13",
-				},
 			},
-			golden: "testdata/fluentd-multiple-lockfiles.json.golden",
+			golden: "testdata/fluentd-gems.json.golden",
 		},
 	}
 
 	// Set up testing DB
-	cacheDir := gunzipDB(t)
+	cacheDir := initDB(t)
 
 	// Setup CLI App
 	app := commands.NewApp("dev")
-	app.Writer = ioutil.Discard
+	app.Writer = io.Discard
 
-	for _, c := range cases {
-		t.Run(c.name, func(t *testing.T) {
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			osArgs := []string{"trivy", "--cache-dir", cacheDir, "image", "--format", tt.testArgs.Format, "--skip-update"}
 
-			osArgs := []string{"trivy"}
-			osArgs = append(osArgs, "--cache-dir", cacheDir)
-			if c.testArgs.WithImageSubcommand {
-				osArgs = append(osArgs, "image")
-			}
-			osArgs = append(osArgs, "--format", c.testArgs.Format)
-
-			if c.testArgs.SkipUpdate {
-				osArgs = append(osArgs, "--skip-update")
-			}
-			if c.testArgs.IgnoreUnfixed {
+			if tt.testArgs.IgnoreUnfixed {
 				osArgs = append(osArgs, "--ignore-unfixed")
 			}
-			if len(c.testArgs.Severity) != 0 {
-				osArgs = append(osArgs,
-					[]string{"--severity", strings.Join(c.testArgs.Severity, ",")}...,
-				)
+			if len(tt.testArgs.Severity) != 0 {
+				osArgs = append(osArgs, "--severity", strings.Join(tt.testArgs.Severity, ","))
 			}
-			if len(c.testArgs.IgnoreIDs) != 0 {
+			if len(tt.testArgs.IgnoreIDs) != 0 {
 				trivyIgnore := ".trivyignore"
-				err := ioutil.WriteFile(trivyIgnore, []byte(strings.Join(c.testArgs.IgnoreIDs, "\n")), 0444)
+				err := os.WriteFile(trivyIgnore, []byte(strings.Join(tt.testArgs.IgnoreIDs, "\n")), 0444)
 				assert.NoError(t, err, "failed to write .trivyignore")
 				defer os.Remove(trivyIgnore)
 			}
-			if c.testArgs.Input != "" {
-				osArgs = append(osArgs, "--input", c.testArgs.Input)
+			if tt.testArgs.Input != "" {
+				osArgs = append(osArgs, "--input", tt.testArgs.Input)
 			}
 
-			if len(c.testArgs.SkipFiles) != 0 {
-				for _, skipFile := range c.testArgs.SkipFiles {
+			// TODO: test skip files/dirs
+			if len(tt.testArgs.SkipFiles) != 0 {
+				for _, skipFile := range tt.testArgs.SkipFiles {
 					osArgs = append(osArgs, "--skip-files", skipFile)
 				}
 			}
 
-			if len(c.testArgs.SkipDirs) != 0 {
-				for _, skipDir := range c.testArgs.SkipDirs {
+			if len(tt.testArgs.SkipDirs) != 0 {
+				for _, skipDir := range tt.testArgs.SkipDirs {
 					osArgs = append(osArgs, "--skip-dirs", skipDir)
 				}
 			}
 
-			// Setup the output file
-			var outputFile string
+			// Set up the output file
+			outputFile := filepath.Join(t.TempDir(), "output.json")
 			if *update {
-				outputFile = c.golden
-			} else {
-				output, _ := ioutil.TempFile("", "integration")
-				assert.Nil(t, output.Close())
-				defer os.Remove(output.Name())
-				outputFile = output.Name()
+				outputFile = tt.golden
 			}
 
 			osArgs = append(osArgs, []string{"--output", outputFile}...)
@@ -438,12 +302,7 @@ func TestRun_WithTar(t *testing.T) {
 			assert.Nil(t, app.Run(osArgs))
 
 			// Compare want and got
-			want, err := ioutil.ReadFile(c.golden)
-			assert.NoError(t, err)
-			got, err := ioutil.ReadFile(outputFile)
-			assert.NoError(t, err)
-
-			assert.JSONEq(t, string(want), string(got))
+			compareReports(t, tt.golden, outputFile)
 		})
 	}
 }

integration/testdata/almalinux-8.json.golden

@@ -0,0 +1,122 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/almalinux-8.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alma",
+      "Name": "8.5"
+    },
+    "ImageID": "sha256:4ca63ce1d8a90da2ed4f2d5e93e8e9db2f32d0fabf0718a2edebbe0e70826622",
+    "DiffIDs": [
+      "sha256:124d41c237c5e823577dda97e87cebaecce62d585c725d07e709ce410681de4d"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "a467f67a48d469e1975b7414f33f2cf87121d4cc59d2ee029ea58e6b81774769",
+      "created": "2021-11-13T12:10:27.09871973Z",
+      "docker_version": "20.10.7",
+      "history": [
+        {
+          "created": "2021-11-13T12:10:26.29818864Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:2e002305ccb9d8a4dcef52509c4c50b9a15e76c9c49ca6abda3e0d7091c63fa7 in / "
+        },
+        {
+          "created": "2021-11-13T12:10:27.09871973Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:124d41c237c5e823577dda97e87cebaecce62d585c725d07e709ce410681de4d"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:d38d2eac03bc19e080df596d6148863a0f8293f3a277a7524f378da79a1feb0f"
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/almalinux-8.tar.gz (alma 8.5)",
+      "Class": "os-pkgs",
+      "Type": "alma",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2021-3712",
+          "PkgName": "openssl-libs",
+          "InstalledVersion": "1:1.1.1k-4.el8",
+          "FixedVersion": "1:1.1.1k-5.el8_5",
+          "Layer": {
+            "DiffID": "sha256:124d41c237c5e823577dda97e87cebaecce62d585c725d07e709ce410681de4d"
+          },
+          "SeveritySource": "alma",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3712",
+          "DataSource": {
+            "ID": "alma",
+            "Name": "AlmaLinux Product Errata",
+            "URL": "https://errata.almalinux.org/"
+          },
+          "Title": "openssl: Read buffer overruns processing ASN.1 strings",
+          "Description": "ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-125"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
+              "V2Score": 5.8,
+              "V3Score": 7.4
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H",
+              "V3Score": 7.4
+            }
+          },
+          "References": [
+            "http://www.openwall.com/lists/oss-security/2021/08/26/2",
+            "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3712.json",
+            "https://access.redhat.com/security/cve/CVE-2021-3712",
+            "https://crates.io/crates/openssl-src",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=94d23fcff9b2a7a8368dfe52214d5c2569882c11",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ccb0a11145ee72b042d10593a64eaf9e8a55ec12",
+            "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10366",
+            "https://linux.oracle.com/cve/CVE-2021-3712.html",
+            "https://linux.oracle.com/errata/ELSA-2022-9023.html",
+            "https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E",
+            "https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E",
+            "https://lists.debian.org/debian-lts-announce/2021/09/msg00014.html",
+            "https://lists.debian.org/debian-lts-announce/2021/09/msg00021.html",
+            "https://nvd.nist.gov/vuln/detail/CVE-2021-3712",
+            "https://rustsec.org/advisories/RUSTSEC-2021-0098.html",
+            "https://security.netapp.com/advisory/ntap-20210827-0010/",
+            "https://ubuntu.com/security/notices/USN-5051-1",
+            "https://ubuntu.com/security/notices/USN-5051-2",
+            "https://ubuntu.com/security/notices/USN-5051-3",
+            "https://ubuntu.com/security/notices/USN-5051-4 (regression only in trusty/esm)",
+            "https://ubuntu.com/security/notices/USN-5088-1",
+            "https://www.debian.org/security/2021/dsa-4963",
+            "https://www.openssl.org/news/secadv/20210824.txt",
+            "https://www.oracle.com/security-alerts/cpuoct2021.html",
+            "https://www.tenable.com/security/tns-2021-16",
+            "https://www.tenable.com/security/tns-2022-02"
+          ],
+          "PublishedDate": "2021-08-24T15:15:00Z",
+          "LastModifiedDate": "2022-01-06T09:15:00Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/alpine-310-ignore-cveids.json.golden

@@ -1,173 +0,0 @@
-[
-  {
-    "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-    "Class": "os-pkgs",
-    "Type": "alpine",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
-      }
-    ]
-  }
-]

integration/testdata/alpine-310-ignore-unfixed.json.golden

@@ -1,325 +0,0 @@
-[
-  {
-    "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-    "Class": "os-pkgs",
-    "Type": "alpine",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
-      }
-    ]
-  }
-]

integration/testdata/alpine-310-medium-high.json.golden

@@ -1,245 +0,0 @@
-[
-  {
-    "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-    "Class": "os-pkgs",
-    "Type": "alpine",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      }
-    ]
-  }
-]

integration/testdata/alpine-310-registry.json.golden

@@ -1,332 +1,321 @@
-[
-  {
-    "Target": "localhost:55015/alpine:3.10 (alpine 3.10.2)",
-    "Type": "alpine",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "localhost:63577/alpine:3.10",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.10.2",
+      "EOSL": true
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "RepoTags": [
+      "localhost:63577/alpine:3.10"
+    ],
+    "RepoDigests": [
+      "localhost:63577/alpine@sha256:d9b1a0d4fab413443a22e550cb8720de487295cebca3f9b2fcbf8882192a9bf9"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
+      "created": "2019-08-20T20:19:55.211423266Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-20T20:19:55.062606894Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
         },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
+        {
+          "created": "2019-08-20T20:19:55.211423266Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        ]
       },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
+      "config": {
+        "Cmd": [
+          "/bin/sh"
         ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
         ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "Digest": "sha256:9d48c3bd43c520dc2784e868a780e976b207cbf493eaff8c6596eb871cbd9609",
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
+        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
+        "ArgsEscaped": true
       }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "localhost:63577/alpine:3.10 (alpine 3.10.2)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://access.redhat.com/security/cve/CVE-2019-1549",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://linux.oracle.com/cve/CVE-2019-1549.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
+            "https://seclists.org/bugtraq/2019/Oct/1",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://www.debian.org/security/2019/dsa-4539",
+            "https://www.openssl.org/news/secadv/20190910.txt",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://access.redhat.com/security/cve/CVE-2019-1549",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://linux.oracle.com/cve/CVE-2019-1549.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
+            "https://seclists.org/bugtraq/2019/Oct/1",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://www.debian.org/security/2019/dsa-4539",
+            "https://www.openssl.org/news/secadv/20190910.txt",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "Digest": "sha256:3489774ebf88fb1f0b08e0abb45826a3cbd9d0eb6458d5fc54729197feddffb9",
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/alpine-310.asff.golden

@@ -34,8 +34,8 @@
                         "PkgName": "libcrypto1.1",
                         "Installed Package": "1.1.1c-r0",
                         "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV3": "5.3",
+                        "NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                         "NvdCvssScoreV2": "5",
                         "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
                     }
@@ -57,7 +57,7 @@
             "Label": "MEDIUM"
         },
         "Title": "Trivy found a vulnerability to CVE-2019-1551 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
         "Remediation": {
             "Recommendation": {
                 "Text": "More information on this vulnerability is provided in the hyperlink",
@@ -79,8 +79,8 @@
                         "PkgName": "libcrypto1.1",
                         "Installed Package": "1.1.1c-r0",
                         "Patched Package": "1.1.1d-r2",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV3": "5.3",
+                        "NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                         "NvdCvssScoreV2": "5",
                         "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
                     }
@@ -89,96 +89,6 @@
         ],
         "RecordState": "ACTIVE"
     },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1563",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "MEDIUM"
-        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1563 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1563"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1563",
-                        "CVE Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-                        "PkgName": "libcrypto1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "4.3",
-                        "NvdCvssVectorV2": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
-                    }
-                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1547",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "LOW"
-        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1547 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1547"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1547",
-                        "CVE Title": "openssl: side-channel weak encryption vulnerability",
-                        "PkgName": "libcrypto1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "1.9",
-                        "NvdCvssVectorV2": "AV:L/AC:M/Au:N/C:P/I:N/A:N"
-                    }
-                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    },
     {
         "SchemaVersion": "2018-10-08",
         "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1549",
@@ -214,8 +124,8 @@
                         "PkgName": "libssl1.1",
                         "Installed Package": "1.1.1c-r0",
                         "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV3": "5.3",
+                        "NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                         "NvdCvssScoreV2": "5",
                         "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
                     }
@@ -237,7 +147,7 @@
             "Label": "MEDIUM"
         },
         "Title": "Trivy found a vulnerability to CVE-2019-1551 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
         "Remediation": {
             "Recommendation": {
                 "Text": "More information on this vulnerability is provided in the hyperlink",
@@ -259,8 +169,8 @@
                         "PkgName": "libssl1.1",
                         "Installed Package": "1.1.1c-r0",
                         "Patched Package": "1.1.1d-r2",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
+                        "NvdCvssScoreV3": "5.3",
+                        "NvdCvssVectorV3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                         "NvdCvssScoreV2": "5",
                         "NvdCvssVectorV2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"
                     }
@@ -268,95 +178,5 @@
             }
         ],
         "RecordState": "ACTIVE"
-    },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1563",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "MEDIUM"
-        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1563 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1563"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1563",
-                        "CVE Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-                        "PkgName": "libssl1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "4.3",
-                        "NvdCvssVectorV2": "AV:N/AC:M/Au:N/C:P/I:N/A:N"
-                    }
-                }
-            }
-        ],
-        "RecordState": "ACTIVE"
-    },
-    {
-        "SchemaVersion": "2018-10-08",
-        "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)/CVE-2019-1547",
-        "ProductArn": "arn:aws:securityhub:test-region::product/aquasecurity/aquasecurity",
-        "GeneratorId": "Trivy",
-        "AwsAccountId": "123456789012",
-        "Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ],
-        "CreatedAt": "2020-08-10T07:28:17.000958601Z",
-        "UpdatedAt": "2020-08-10T07:28:17.000958601Z",
-        "Severity": {
-            "Label": "LOW"
-        },
-        "Title": "Trivy found a vulnerability to CVE-2019-1547 in container testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Remediation": {
-            "Recommendation": {
-                "Text": "More information on this vulnerability is provided in the hyperlink",
-                "Url": "https://avd.aquasec.com/nvd/cve-2019-1547"
-            }
-        },
-        "ProductFields": { "Product Name": "Trivy" },
-        "Resources": [
-            {
-                "Type": "Container",
-                "Id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-                "Partition": "aws",
-                "Region": "test-region",
-                "Details": {
-                    "Container": { "ImageName": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)" },
-                    "Other": {
-                        "CVE ID": "CVE-2019-1547",
-                        "CVE Title": "openssl: side-channel weak encryption vulnerability",
-                        "PkgName": "libssl1.1",
-                        "Installed Package": "1.1.1c-r0",
-                        "Patched Package": "1.1.1d-r0",
-                        "NvdCvssScoreV3": "0",
-                        "NvdCvssVectorV3": "",
-                        "NvdCvssScoreV2": "1.9",
-                        "NvdCvssVectorV2": "AV:L/AC:M/Au:N/C:P/I:N/A:N"
-                    }
-                }
-            }
-        ],
-        "RecordState": "ACTIVE"
     }
 ]

integration/testdata/alpine-310.gitlab-codequality.golden

@@ -4,6 +4,7 @@
       "check_name": "container_scanning",
       "categories": [ "Security" ],
       "description": "CVE-2019-1549: openssl: information disclosure in fork()",
+      "fingerprint": "4fd5aebc601a7127e0a012b91569675cd8566e15",
       "content": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
       "severity": "minor",
       "location": {
@@ -18,7 +19,8 @@
       "check_name": "container_scanning",
       "categories": [ "Security" ],
       "description": "CVE-2019-1551: openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-      "content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+      "fingerprint": "7a6f161c388588da3cca874c3aba98a296a1ebf4",
+      "content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
       "severity": "minor",
       "location": {
         "path": "libcrypto1.1-1.1.1c-r0",
@@ -27,39 +29,12 @@
         }
       }
     },
-    {
-      "type": "issue",
-      "check_name": "container_scanning",
-      "categories": [ "Security" ],
-      "description": "CVE-2019-1563: openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-      "content": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "severity": "minor",
-      "location": {
-        "path": "libcrypto1.1-1.1.1c-r0",
-        "lines": {
-          "begin": 1
-        }
-      }
-    },
-    {
-      "type": "issue",
-      "check_name": "container_scanning",
-      "categories": [ "Security" ],
-      "description": "CVE-2019-1547: openssl: side-channel weak encryption vulnerability",
-      "content": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "severity": "info",
-      "location": {
-        "path": "libcrypto1.1-1.1.1c-r0",
-        "lines": {
-          "begin": 1
-        }
-      }
-    },
     {
       "type": "issue",
       "check_name": "container_scanning",
       "categories": [ "Security" ],
       "description": "CVE-2019-1549: openssl: information disclosure in fork()",
+      "fingerprint": "4fd5aebc601a7127e0a012b91569675cd8566e15",
       "content": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
       "severity": "minor",
       "location": {
@@ -74,7 +49,8 @@
       "check_name": "container_scanning",
       "categories": [ "Security" ],
       "description": "CVE-2019-1551: openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-      "content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+      "fingerprint": "7a6f161c388588da3cca874c3aba98a296a1ebf4",
+      "content": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
       "severity": "minor",
       "location": {
         "path": "libssl1.1-1.1.1c-r0",
@@ -82,33 +58,5 @@
           "begin": 1
         }
       }
-    },
-    {
-      "type": "issue",
-      "check_name": "container_scanning",
-      "categories": [ "Security" ],
-      "description": "CVE-2019-1563: openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-      "content": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "severity": "minor",
-      "location": {
-        "path": "libssl1.1-1.1.1c-r0",
-        "lines": {
-          "begin": 1
-        }
-      }
-    },
-    {
-      "type": "issue",
-      "check_name": "container_scanning",
-      "categories": [ "Security" ],
-      "description": "CVE-2019-1547: openssl: side-channel weak encryption vulnerability",
-      "content": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "severity": "info",
-      "location": {
-        "path": "libssl1.1-1.1.1c-r0",
-        "lines": {
-          "begin": 1
-        }
-      }
     }
-]
+]

integration/testdata/alpine-310.gitlab.golden

@@ -33,17 +33,45 @@
         }
       ],
       "links": [{
+          "url": "https://access.redhat.com/security/cve/CVE-2019-1549"
+        },{
           "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549"
         },{
           "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be"
+        },{
+          "url": "https://linux.oracle.com/cve/CVE-2019-1549.html"
+        },{
+          "url": "https://linux.oracle.com/errata/ELSA-2020-1840.html"
         },{
           "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"
+        },{
+          "url": "https://seclists.org/bugtraq/2019/Oct/1"
         },{
           "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
         },{
           "url": "https://support.f5.com/csp/article/K44070243"
+        },{
+          "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&utm_medium=RSS"
+        },{
+          "url": "https://ubuntu.com/security/notices/USN-4376-1"
+        },{
+          "url": "https://usn.ubuntu.com/4376-1/"
+        },{
+          "url": "https://www.debian.org/security/2019/dsa-4539"
         },{
           "url": "https://www.openssl.org/news/secadv/20190910.txt"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
+        },{
+          "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
         }
       ]
     },
@@ -51,7 +79,7 @@
       "id": "CVE-2019-1551",
       "category": "container_scanning",
       "message": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-      "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+      "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
       "cve": "CVE-2019-1551",
       "severity": "Medium",
       "confidence": "Unknown",
@@ -79,7 +107,11 @@
         }
       ],
       "links": [{
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
+        },{
           "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
+        },{
+          "url": "https://access.redhat.com/security/cve/CVE-2019-1551"
         },{
           "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
         },{
@@ -88,120 +120,52 @@
           "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98"
         },{
           "url": "https://github.com/openssl/openssl/pull/10575"
+        },{
+          "url": "https://linux.oracle.com/cve/CVE-2019-1551.html"
+        },{
+          "url": "https://linux.oracle.com/errata/ELSA-2020-4514.html"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/"
         },{
           "url": "https://seclists.org/bugtraq/2019/Dec/39"
         },{
           "url": "https://seclists.org/bugtraq/2019/Dec/46"
+        },{
+          "url": "https://security.gentoo.org/glsa/202004-10"
         },{
           "url": "https://security.netapp.com/advisory/ntap-20191210-0001/"
+        },{
+          "url": "https://ubuntu.com/security/notices/USN-4376-1"
+        },{
+          "url": "https://ubuntu.com/security/notices/USN-4504-1"
+        },{
+          "url": "https://usn.ubuntu.com/4376-1/"
+        },{
+          "url": "https://usn.ubuntu.com/4504-1/"
         },{
           "url": "https://www.debian.org/security/2019/dsa-4594"
+        },{
+          "url": "https://www.debian.org/security/2021/dsa-4855"
         },{
           "url": "https://www.openssl.org/news/secadv/20191206.txt"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
         },{
           "url": "https://www.tenable.com/security/tns-2019-09"
-        }
-      ]
-    },
-    {
-      "id": "CVE-2019-1563",
-      "category": "container_scanning",
-      "message": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-      "description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "cve": "CVE-2019-1563",
-      "severity": "Medium",
-      "confidence": "Unknown",
-      "solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
-      "scanner": {
-        "id": "trivy",
-        "name": "trivy"
-      },
-      "location": {
-        "dependency": {
-          "package": {
-            "name": "libcrypto1.1"
-          },
-          "version": "1.1.1c-r0"
-        },
-        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
-      },
-      "identifiers": [
-        {
-          "type": "cve",
-          "name": "CVE-2019-1563",
-          "value": "CVE-2019-1563",
-          "url": "https://avd.aquasec.com/nvd/cve-2019-1563"
-        }
-      ],
-      "links": [{
-          "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
         },{
-          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563"
+          "url": "https://www.tenable.com/security/tns-2020-03"
         },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64"
+          "url": "https://www.tenable.com/security/tns-2020-11"
         },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f"
-        },{
-          "url": "https://seclists.org/bugtraq/2019/Sep/25"
-        },{
-          "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
-        },{
-          "url": "https://www.openssl.org/news/secadv/20190910.txt"
-        }
-      ]
-    },
-    {
-      "id": "CVE-2019-1547",
-      "category": "container_scanning",
-      "message": "openssl: side-channel weak encryption vulnerability",
-      "description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "cve": "CVE-2019-1547",
-      "severity": "Low",
-      "confidence": "Unknown",
-      "solution": "Upgrade libcrypto1.1 to 1.1.1d-r0",
-      "scanner": {
-        "id": "trivy",
-        "name": "trivy"
-      },
-      "location": {
-        "dependency": {
-          "package": {
-            "name": "libcrypto1.1"
-          },
-          "version": "1.1.1c-r0"
-        },
-        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
-      },
-      "identifiers": [
-        {
-          "type": "cve",
-          "name": "CVE-2019-1547",
-          "value": "CVE-2019-1547",
-          "url": "https://avd.aquasec.com/nvd/cve-2019-1547"
-        }
-      ],
-      "links": [{
-          "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
-        },{
-          "url": "https://arxiv.org/abs/1909.01785"
-        },{
-          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"
-        },{
-          "url": "https://seclists.org/bugtraq/2019/Sep/25"
-        },{
-          "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
-        },{
-          "url": "https://www.openssl.org/news/secadv/20190910.txt"
+          "url": "https://www.tenable.com/security/tns-2021-10"
         }
       ]
     },
@@ -237,17 +201,45 @@
         }
       ],
       "links": [{
+          "url": "https://access.redhat.com/security/cve/CVE-2019-1549"
+        },{
           "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549"
         },{
           "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be"
+        },{
+          "url": "https://linux.oracle.com/cve/CVE-2019-1549.html"
+        },{
+          "url": "https://linux.oracle.com/errata/ELSA-2020-1840.html"
         },{
           "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"
+        },{
+          "url": "https://seclists.org/bugtraq/2019/Oct/1"
         },{
           "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
         },{
           "url": "https://support.f5.com/csp/article/K44070243"
+        },{
+          "url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&utm_medium=RSS"
+        },{
+          "url": "https://ubuntu.com/security/notices/USN-4376-1"
+        },{
+          "url": "https://usn.ubuntu.com/4376-1/"
+        },{
+          "url": "https://www.debian.org/security/2019/dsa-4539"
         },{
           "url": "https://www.openssl.org/news/secadv/20190910.txt"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
+        },{
+          "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
         }
       ]
     },
@@ -255,7 +247,7 @@
       "id": "CVE-2019-1551",
       "category": "container_scanning",
       "message": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-      "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
+      "description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
       "cve": "CVE-2019-1551",
       "severity": "Medium",
       "confidence": "Unknown",
@@ -283,7 +275,11 @@
         }
       ],
       "links": [{
+          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html"
+        },{
           "url": "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html"
+        },{
+          "url": "https://access.redhat.com/security/cve/CVE-2019-1551"
         },{
           "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551"
         },{
@@ -292,120 +288,52 @@
           "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98"
         },{
           "url": "https://github.com/openssl/openssl/pull/10575"
+        },{
+          "url": "https://linux.oracle.com/cve/CVE-2019-1551.html"
+        },{
+          "url": "https://linux.oracle.com/errata/ELSA-2020-4514.html"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/"
+        },{
+          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/"
         },{
           "url": "https://seclists.org/bugtraq/2019/Dec/39"
         },{
           "url": "https://seclists.org/bugtraq/2019/Dec/46"
+        },{
+          "url": "https://security.gentoo.org/glsa/202004-10"
         },{
           "url": "https://security.netapp.com/advisory/ntap-20191210-0001/"
+        },{
+          "url": "https://ubuntu.com/security/notices/USN-4376-1"
+        },{
+          "url": "https://ubuntu.com/security/notices/USN-4504-1"
+        },{
+          "url": "https://usn.ubuntu.com/4376-1/"
+        },{
+          "url": "https://usn.ubuntu.com/4504-1/"
         },{
           "url": "https://www.debian.org/security/2019/dsa-4594"
+        },{
+          "url": "https://www.debian.org/security/2021/dsa-4855"
         },{
           "url": "https://www.openssl.org/news/secadv/20191206.txt"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
+        },{
+          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
         },{
           "url": "https://www.tenable.com/security/tns-2019-09"
-        }
-      ]
-    },
-    {
-      "id": "CVE-2019-1563",
-      "category": "container_scanning",
-      "message": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-      "description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "cve": "CVE-2019-1563",
-      "severity": "Medium",
-      "confidence": "Unknown",
-      "solution": "Upgrade libssl1.1 to 1.1.1d-r0",
-      "scanner": {
-        "id": "trivy",
-        "name": "trivy"
-      },
-      "location": {
-        "dependency": {
-          "package": {
-            "name": "libssl1.1"
-          },
-          "version": "1.1.1c-r0"
-        },
-        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
-      },
-      "identifiers": [
-        {
-          "type": "cve",
-          "name": "CVE-2019-1563",
-          "value": "CVE-2019-1563",
-          "url": "https://avd.aquasec.com/nvd/cve-2019-1563"
-        }
-      ],
-      "links": [{
-          "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
         },{
-          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563"
+          "url": "https://www.tenable.com/security/tns-2020-03"
         },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64"
+          "url": "https://www.tenable.com/security/tns-2020-11"
         },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f"
-        },{
-          "url": "https://seclists.org/bugtraq/2019/Sep/25"
-        },{
-          "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
-        },{
-          "url": "https://www.openssl.org/news/secadv/20190910.txt"
-        }
-      ]
-    },
-    {
-      "id": "CVE-2019-1547",
-      "category": "container_scanning",
-      "message": "openssl: side-channel weak encryption vulnerability",
-      "description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-      "cve": "CVE-2019-1547",
-      "severity": "Low",
-      "confidence": "Unknown",
-      "solution": "Upgrade libssl1.1 to 1.1.1d-r0",
-      "scanner": {
-        "id": "trivy",
-        "name": "trivy"
-      },
-      "location": {
-        "dependency": {
-          "package": {
-            "name": "libssl1.1"
-          },
-          "version": "1.1.1c-r0"
-        },
-        "operating_system": "Unknown",
-        "image": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)"
-      },
-      "identifiers": [
-        {
-          "type": "cve",
-          "name": "CVE-2019-1547",
-          "value": "CVE-2019-1547",
-          "url": "https://avd.aquasec.com/nvd/cve-2019-1547"
-        }
-      ],
-      "links": [{
-          "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
-        },{
-          "url": "https://arxiv.org/abs/1909.01785"
-        },{
-          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8"
-        },{
-          "url": "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"
-        },{
-          "url": "https://seclists.org/bugtraq/2019/Sep/25"
-        },{
-          "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
-        },{
-          "url": "https://www.openssl.org/news/secadv/20190910.txt"
+          "url": "https://www.tenable.com/security/tns-2021-10"
         }
       ]
     }

integration/testdata/alpine-310.html.golden

@@ -51,7 +51,7 @@
       }
       a.toggle-more-links { cursor: pointer; }
     </style>
-    <title>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10T07:28:17.000958601Z</title>
+    <title>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10 07:28:17.000958601 +0000 UTC </title>
     <script>
       window.onload = function() {
         document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -81,7 +81,7 @@
     </script>
   </head>
   <body>
-    <h1>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10T07:28:17.000958601Z</h1>
+    <h1>testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2) - Trivy Report - 2020-08-10 07:28:17.000958601 +0000 UTC</h1>
     <table>
       <tr class="group-header"><th colspan="6">alpine</th></tr>
       <tr class="sub-header">
@@ -99,12 +99,26 @@
         <td class="pkg-version">1.1.1c-r0</td>
         <td>1.1.1d-r0</td>
         <td class="links" data-more-links="off">
+          <a href="https://access.redhat.com/security/cve/CVE-2019-1549">https://access.redhat.com/security/cve/CVE-2019-1549</a>
           <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549</a>
           <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be</a>
+          <a href="https://linux.oracle.com/cve/CVE-2019-1549.html">https://linux.oracle.com/cve/CVE-2019-1549.html</a>
+          <a href="https://linux.oracle.com/errata/ELSA-2020-1840.html">https://linux.oracle.com/errata/ELSA-2020-1840.html</a>
           <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/</a>
+          <a href="https://seclists.org/bugtraq/2019/Oct/1">https://seclists.org/bugtraq/2019/Oct/1</a>
           <a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
           <a href="https://support.f5.com/csp/article/K44070243">https://support.f5.com/csp/article/K44070243</a>
+          <a href="https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp;amp;utm_medium=RSS">https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp;amp;utm_medium=RSS</a>
+          <a href="https://ubuntu.com/security/notices/USN-4376-1">https://ubuntu.com/security/notices/USN-4376-1</a>
+          <a href="https://usn.ubuntu.com/4376-1/">https://usn.ubuntu.com/4376-1/</a>
+          <a href="https://www.debian.org/security/2019/dsa-4539">https://www.debian.org/security/2019/dsa-4539</a>
           <a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
+          <a href="https://www.oracle.com/security-alerts/cpuapr2020.html">https://www.oracle.com/security-alerts/cpuapr2020.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujan2020.html">https://www.oracle.com/security-alerts/cpujan2020.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujul2020.html">https://www.oracle.com/security-alerts/cpujul2020.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpuoct2020.html">https://www.oracle.com/security-alerts/cpuoct2020.html</a>
+          <a href="https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html">https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</a>
         </td>
       </tr>
       <tr class="severity-MEDIUM">
@@ -114,52 +128,36 @@
         <td class="pkg-version">1.1.1c-r0</td>
         <td>1.1.1d-r2</td>
         <td class="links" data-more-links="off">
+          <a href="http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html">http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html</a>
           <a href="http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html</a>
+          <a href="https://access.redhat.com/security/cve/CVE-2019-1551">https://access.redhat.com/security/cve/CVE-2019-1551</a>
           <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551</a>
           <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f</a>
           <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98</a>
           <a href="https://github.com/openssl/openssl/pull/10575">https://github.com/openssl/openssl/pull/10575</a>
+          <a href="https://linux.oracle.com/cve/CVE-2019-1551.html">https://linux.oracle.com/cve/CVE-2019-1551.html</a>
+          <a href="https://linux.oracle.com/errata/ELSA-2020-4514.html">https://linux.oracle.com/errata/ELSA-2020-4514.html</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/</a>
           <a href="https://seclists.org/bugtraq/2019/Dec/39">https://seclists.org/bugtraq/2019/Dec/39</a>
           <a href="https://seclists.org/bugtraq/2019/Dec/46">https://seclists.org/bugtraq/2019/Dec/46</a>
+          <a href="https://security.gentoo.org/glsa/202004-10">https://security.gentoo.org/glsa/202004-10</a>
           <a href="https://security.netapp.com/advisory/ntap-20191210-0001/">https://security.netapp.com/advisory/ntap-20191210-0001/</a>
+          <a href="https://ubuntu.com/security/notices/USN-4376-1">https://ubuntu.com/security/notices/USN-4376-1</a>
+          <a href="https://ubuntu.com/security/notices/USN-4504-1">https://ubuntu.com/security/notices/USN-4504-1</a>
+          <a href="https://usn.ubuntu.com/4376-1/">https://usn.ubuntu.com/4376-1/</a>
+          <a href="https://usn.ubuntu.com/4504-1/">https://usn.ubuntu.com/4504-1/</a>
           <a href="https://www.debian.org/security/2019/dsa-4594">https://www.debian.org/security/2019/dsa-4594</a>
+          <a href="https://www.debian.org/security/2021/dsa-4855">https://www.debian.org/security/2021/dsa-4855</a>
           <a href="https://www.openssl.org/news/secadv/20191206.txt">https://www.openssl.org/news/secadv/20191206.txt</a>
+          <a href="https://www.oracle.com/security-alerts/cpuApr2021.html">https://www.oracle.com/security-alerts/cpuApr2021.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujan2021.html">https://www.oracle.com/security-alerts/cpujan2021.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujul2020.html">https://www.oracle.com/security-alerts/cpujul2020.html</a>
           <a href="https://www.tenable.com/security/tns-2019-09">https://www.tenable.com/security/tns-2019-09</a>
-        </td>
-      </tr>
-      <tr class="severity-MEDIUM">
-        <td class="pkg-name">libcrypto1.1</td>
-        <td>CVE-2019-1563</td>
-        <td class="severity">MEDIUM</td>
-        <td class="pkg-version">1.1.1c-r0</td>
-        <td>1.1.1d-r0</td>
-        <td class="links" data-more-links="off">
-          <a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
-          <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f</a>
-          <a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
-          <a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
-          <a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
-        </td>
-      </tr>
-      <tr class="severity-LOW">
-        <td class="pkg-name">libcrypto1.1</td>
-        <td>CVE-2019-1547</td>
-        <td class="severity">LOW</td>
-        <td class="pkg-version">1.1.1c-r0</td>
-        <td>1.1.1d-r0</td>
-        <td class="links" data-more-links="off">
-          <a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
-          <a href="https://arxiv.org/abs/1909.01785">https://arxiv.org/abs/1909.01785</a>
-          <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a</a>
-          <a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
-          <a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
-          <a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
+          <a href="https://www.tenable.com/security/tns-2020-03">https://www.tenable.com/security/tns-2020-03</a>
+          <a href="https://www.tenable.com/security/tns-2020-11">https://www.tenable.com/security/tns-2020-11</a>
+          <a href="https://www.tenable.com/security/tns-2021-10">https://www.tenable.com/security/tns-2021-10</a>
         </td>
       </tr>
       <tr class="severity-MEDIUM">
@@ -169,12 +167,26 @@
         <td class="pkg-version">1.1.1c-r0</td>
         <td>1.1.1d-r0</td>
         <td class="links" data-more-links="off">
+          <a href="https://access.redhat.com/security/cve/CVE-2019-1549">https://access.redhat.com/security/cve/CVE-2019-1549</a>
           <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549</a>
           <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be</a>
+          <a href="https://linux.oracle.com/cve/CVE-2019-1549.html">https://linux.oracle.com/cve/CVE-2019-1549.html</a>
+          <a href="https://linux.oracle.com/errata/ELSA-2020-1840.html">https://linux.oracle.com/errata/ELSA-2020-1840.html</a>
           <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/</a>
+          <a href="https://seclists.org/bugtraq/2019/Oct/1">https://seclists.org/bugtraq/2019/Oct/1</a>
           <a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
           <a href="https://support.f5.com/csp/article/K44070243">https://support.f5.com/csp/article/K44070243</a>
+          <a href="https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp;amp;utm_medium=RSS">https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp;amp;utm_medium=RSS</a>
+          <a href="https://ubuntu.com/security/notices/USN-4376-1">https://ubuntu.com/security/notices/USN-4376-1</a>
+          <a href="https://usn.ubuntu.com/4376-1/">https://usn.ubuntu.com/4376-1/</a>
+          <a href="https://www.debian.org/security/2019/dsa-4539">https://www.debian.org/security/2019/dsa-4539</a>
           <a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
+          <a href="https://www.oracle.com/security-alerts/cpuapr2020.html">https://www.oracle.com/security-alerts/cpuapr2020.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujan2020.html">https://www.oracle.com/security-alerts/cpujan2020.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujul2020.html">https://www.oracle.com/security-alerts/cpujul2020.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpuoct2020.html">https://www.oracle.com/security-alerts/cpuoct2020.html</a>
+          <a href="https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html">https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html</a>
         </td>
       </tr>
       <tr class="severity-MEDIUM">
@@ -184,54 +196,39 @@
         <td class="pkg-version">1.1.1c-r0</td>
         <td>1.1.1d-r2</td>
         <td class="links" data-more-links="off">
+          <a href="http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html">http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html</a>
           <a href="http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html</a>
+          <a href="https://access.redhat.com/security/cve/CVE-2019-1551">https://access.redhat.com/security/cve/CVE-2019-1551</a>
           <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551</a>
           <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f</a>
           <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98</a>
           <a href="https://github.com/openssl/openssl/pull/10575">https://github.com/openssl/openssl/pull/10575</a>
+          <a href="https://linux.oracle.com/cve/CVE-2019-1551.html">https://linux.oracle.com/cve/CVE-2019-1551.html</a>
+          <a href="https://linux.oracle.com/errata/ELSA-2020-4514.html">https://linux.oracle.com/errata/ELSA-2020-4514.html</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/</a>
+          <a href="https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/">https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/</a>
           <a href="https://seclists.org/bugtraq/2019/Dec/39">https://seclists.org/bugtraq/2019/Dec/39</a>
           <a href="https://seclists.org/bugtraq/2019/Dec/46">https://seclists.org/bugtraq/2019/Dec/46</a>
+          <a href="https://security.gentoo.org/glsa/202004-10">https://security.gentoo.org/glsa/202004-10</a>
           <a href="https://security.netapp.com/advisory/ntap-20191210-0001/">https://security.netapp.com/advisory/ntap-20191210-0001/</a>
+          <a href="https://ubuntu.com/security/notices/USN-4376-1">https://ubuntu.com/security/notices/USN-4376-1</a>
+          <a href="https://ubuntu.com/security/notices/USN-4504-1">https://ubuntu.com/security/notices/USN-4504-1</a>
+          <a href="https://usn.ubuntu.com/4376-1/">https://usn.ubuntu.com/4376-1/</a>
+          <a href="https://usn.ubuntu.com/4504-1/">https://usn.ubuntu.com/4504-1/</a>
           <a href="https://www.debian.org/security/2019/dsa-4594">https://www.debian.org/security/2019/dsa-4594</a>
+          <a href="https://www.debian.org/security/2021/dsa-4855">https://www.debian.org/security/2021/dsa-4855</a>
           <a href="https://www.openssl.org/news/secadv/20191206.txt">https://www.openssl.org/news/secadv/20191206.txt</a>
+          <a href="https://www.oracle.com/security-alerts/cpuApr2021.html">https://www.oracle.com/security-alerts/cpuApr2021.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujan2021.html">https://www.oracle.com/security-alerts/cpujan2021.html</a>
+          <a href="https://www.oracle.com/security-alerts/cpujul2020.html">https://www.oracle.com/security-alerts/cpujul2020.html</a>
           <a href="https://www.tenable.com/security/tns-2019-09">https://www.tenable.com/security/tns-2019-09</a>
+          <a href="https://www.tenable.com/security/tns-2020-03">https://www.tenable.com/security/tns-2020-03</a>
+          <a href="https://www.tenable.com/security/tns-2020-11">https://www.tenable.com/security/tns-2020-11</a>
+          <a href="https://www.tenable.com/security/tns-2021-10">https://www.tenable.com/security/tns-2021-10</a>
         </td>
       </tr>
-      <tr class="severity-MEDIUM">
-        <td class="pkg-name">libssl1.1</td>
-        <td>CVE-2019-1563</td>
-        <td class="severity">MEDIUM</td>
-        <td class="pkg-version">1.1.1c-r0</td>
-        <td>1.1.1d-r0</td>
-        <td class="links" data-more-links="off">
-          <a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
-          <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f</a>
-          <a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
-          <a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
-          <a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
-        </td>
-      </tr>
-      <tr class="severity-LOW">
-        <td class="pkg-name">libssl1.1</td>
-        <td>CVE-2019-1547</td>
-        <td class="severity">LOW</td>
-        <td class="pkg-version">1.1.1c-r0</td>
-        <td>1.1.1d-r0</td>
-        <td class="links" data-more-links="off">
-          <a href="http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html">http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html</a>
-          <a href="https://arxiv.org/abs/1909.01785">https://arxiv.org/abs/1909.01785</a>
-          <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8</a>
-          <a href="https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a">https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a</a>
-          <a href="https://seclists.org/bugtraq/2019/Sep/25">https://seclists.org/bugtraq/2019/Sep/25</a>
-          <a href="https://security.netapp.com/advisory/ntap-20190919-0002/">https://security.netapp.com/advisory/ntap-20190919-0002/</a>
-          <a href="https://www.openssl.org/news/secadv/20190910.txt">https://www.openssl.org/news/secadv/20190910.txt</a>
-        </td>
-      </tr>
+      <tr><th colspan="6">No Misconfigurations found</th></tr>
     </table>
   </body>
 </html>

integration/testdata/alpine-310.json.golden

@@ -1,325 +1,311 @@
-[
-  {
-    "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
-    "Class": "os-pkgs",
-    "Type": "alpine",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-310.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.10.2",
+      "EOSL": true
+    },
+    "ImageID": "sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4",
+    "DiffIDs": [
+      "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "0a80155a31551fcc1a36fccbbda79fcd3f0b1c7d270653d00310e6e2217c57e6",
+      "created": "2019-08-20T20:19:55.211423266Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-08-20T20:19:55.062606894Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:fe64057fbb83dccb960efabbf1cd8777920ef279a7fa8dbca0a8801c651bdf7c in / "
         },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
+        {
+          "created": "2019-08-20T20:19:55.211423266Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+        ]
       },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
+      "config": {
+        "Cmd": [
+          "/bin/sh"
         ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
         ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1c-r0",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
+        "Image": "sha256:06f4121dff4d0123ce11bd2e44f48da9ba9ddcd23ae376ea1f363f63ea0849b5",
+        "ArgsEscaped": true
       }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://access.redhat.com/security/cve/CVE-2019-1549",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://linux.oracle.com/cve/CVE-2019-1549.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
+            "https://seclists.org/bugtraq/2019/Oct/1",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://www.debian.org/security/2019/dsa-4539",
+            "https://www.openssl.org/news/secadv/20190910.txt",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://access.redhat.com/security/cve/CVE-2019-1549",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://linux.oracle.com/cve/CVE-2019-1549.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
+            "https://seclists.org/bugtraq/2019/Oct/1",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://www.debian.org/security/2019/dsa-4539",
+            "https://www.openssl.org/news/secadv/20190910.txt",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1c-r0",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:03901b4a2ea88eeaad62dbe59b072b28b6efa00491962b8741081c5df50c65e0"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/alpine-310.sarif.golden

@@ -1,358 +1,162 @@
 {
-  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
   "version": "2.1.0",
+  "$schema": "https://json.schemastore.org/sarif-2.1.0-rtm.5.json",
   "runs": [
     {
       "tool": {
         "driver": {
-          "name": "Trivy",
-          "informationUri": "https://github.com/aquasecurity/trivy",
           "fullName": "Trivy Vulnerability Scanner",
-          "version": "0.15.0",
+          "informationUri": "https://github.com/aquasecurity/trivy",
+          "name": "Trivy",
           "rules": [
             {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1549",
-              "name": "OS Package Vulnerability (Alpine)",
+              "id": "CVE-2019-1549",
+              "name": "OsPackageVulnerability",
               "shortDescription": {
-                "text": "CVE-2019-1549 Package: libcrypto1.1"
+                "text": "CVE-2019-1549"
               },
               "fullDescription": {
-                "text": "openssl: information disclosure in fork()."
+                "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
               },
               "defaultConfiguration": {
                 "level": "warning"
               },
               "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
               "help": {
-                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",
-                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"
+                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libssl1.1\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n\nOpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
               },
               "properties": {
+                "precision": "very-high",
+                "security-severity": "5.3",
                 "tags": [
                   "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
+                  "security",
+                  "MEDIUM"
+                ]
               }
             },
             {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1551",
-              "name": "OS Package Vulnerability (Alpine)",
+              "id": "CVE-2019-1551",
+              "name": "OsPackageVulnerability",
               "shortDescription": {
-                "text": "CVE-2019-1551 Package: libcrypto1.1"
+                "text": "CVE-2019-1551"
               },
               "fullDescription": {
-                "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
+                "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t)."
               },
               "defaultConfiguration": {
                 "level": "warning"
               },
               "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
               "help": {
-                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",
-                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"
+                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libssl1.1\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Fixed Version | Link |\n| --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n\nThere is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t)."
               },
               "properties": {
+                "precision": "very-high",
+                "security-severity": "5.3",
                 "tags": [
                   "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
+                  "security",
+                  "MEDIUM"
+                ]
               }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1563",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1563 Package: libcrypto1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
-              "help": {
-                "text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",
-                "markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1547",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1547 Package: libcrypto1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: side-channel weak encryption vulnerability."
-              },
-              "defaultConfiguration": {
-                "level": "note"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
-              "help": {
-                "text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",
-                "markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|libcrypto1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "LOW",
-                  "libcrypto1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1549",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1549 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in fork()."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1549",
-              "help": {
-                "text": "Vulnerability CVE-2019-1549\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)",
-                "markdown": "**Vulnerability CVE-2019-1549**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1551",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1551 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1551",
-              "help": {
-                "text": "Vulnerability CVE-2019-1551\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)",
-                "markdown": "**Vulnerability CVE-2019-1551**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r2|[CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1563",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1563 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey."
-              },
-              "defaultConfiguration": {
-                "level": "warning"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1563",
-              "help": {
-                "text": "Vulnerability CVE-2019-1563\nSeverity: MEDIUM\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)",
-                "markdown": "**Vulnerability CVE-2019-1563**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|MEDIUM|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1563](https://avd.aquasec.com/nvd/cve-2019-1563)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "MEDIUM",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            },
-            {
-              "id": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1547",
-              "name": "OS Package Vulnerability (Alpine)",
-              "shortDescription": {
-                "text": "CVE-2019-1547 Package: libssl1.1"
-              },
-              "fullDescription": {
-                "text": "openssl: side-channel weak encryption vulnerability."
-              },
-              "defaultConfiguration": {
-                "level": "note"
-              },
-              "helpUri": "https://avd.aquasec.com/nvd/cve-2019-1547",
-              "help": {
-                "text": "Vulnerability CVE-2019-1547\nSeverity: LOW\nPackage: libssl1.1\nInstalled Version: 1.1.1c-r0\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)",
-                "markdown": "**Vulnerability CVE-2019-1547**\n| Severity | Package | Installed Version | Fixed Version | Link |\n| --- | --- | --- | --- | --- |\n|LOW|libssl1.1|1.1.1c-r0|1.1.1d-r0|[CVE-2019-1547](https://avd.aquasec.com/nvd/cve-2019-1547)|\n"
-              },
-              "properties": {
-                "tags": [
-                  "vulnerability",
-                  "LOW",
-                  "libssl1.1"
-                ],
-                "precision": "very-high"
-              }
-            }]
+            }
+          ],
+          "version": "dev"
         }
       },
       "results": [
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1549",
+          "ruleId": "CVE-2019-1549",
           "ruleIndex": 0,
           "level": "warning",
           "message": {
-            "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
           },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "testdata/fixtures/images/alpine-310.tar.gz",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
               }
             }
-          }]
+          ]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1551",
+          "ruleId": "CVE-2019-1551",
           "ruleIndex": 1,
           "level": "warning",
           "message": {
-            "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
+            "text": "Package: libcrypto1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
           },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "testdata/fixtures/images/alpine-310.tar.gz",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
               }
             }
-          }]
+          ]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1563",
-          "ruleIndex": 2,
+          "ruleId": "CVE-2019-1549",
+          "ruleIndex": 0,
           "level": "warning",
           "message": {
-            "text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1549\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r0\nLink: [CVE-2019-1549](https://avd.aquasec.com/nvd/cve-2019-1549)"
           },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "testdata/fixtures/images/alpine-310.tar.gz",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
               }
             }
-          }]
+          ]
         },
         {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libcrypto1.1-1.1.1c-r0 CVE-2019-1547",
-          "ruleIndex": 3,
-          "level": "note",
-          "message": {
-            "text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
-          },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
-              }
-            }
-          }]
-        },
-        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1549",
-          "ruleIndex": 4,
+          "ruleId": "CVE-2019-1551",
+          "ruleIndex": 1,
           "level": "warning",
           "message": {
-            "text": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."
+            "text": "Package: libssl1.1\nInstalled Version: 1.1.1c-r0\nVulnerability CVE-2019-1551\nSeverity: MEDIUM\nFixed Version: 1.1.1d-r2\nLink: [CVE-2019-1551](https://avd.aquasec.com/nvd/cve-2019-1551)"
           },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "testdata/fixtures/images/alpine-310.tar.gz",
+                  "uriBaseId": "ROOTPATH"
+                },
+                "region": {
+                  "startLine": 1
+                }
               }
             }
-          }]
-        },
-        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1551",
-          "ruleIndex": 5,
-          "level": "warning",
-          "message": {
-            "text": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t)."
-          },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
-              }
-            }
-          }]
-        },
-        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1563",
-          "ruleIndex": 6,
-          "level": "warning",
-          "message": {
-            "text": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
-          },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
-              }
-            }
-          }]
-        },
-        {
-          "ruleId": "testdata/fixtures/images/alpine-310.tar.gz (alpine 3.10.2): libssl1.1-1.1.1c-r0 CVE-2019-1547",
-          "ruleIndex": 7,
-          "level": "note",
-          "message": {
-            "text": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
-          },
-          "locations": [{
-            "physicalLocation": {
-              "artifactLocation": {
-                "uri": "testdata/fixtures/images/alpine-310.tar.gz",
-                "uriBaseId": "ROOTPATH"
-              }
-            }
-          }]
-        }],
+          ]
+        }
+      ],
       "columnKind": "utf16CodeUnits",
       "originalUriBaseIds": {
         "ROOTPATH": {
-          "uri": "/"
+          "uri": "file:///"
         }
       }
     }

integration/testdata/alpine-39-high-critical.json.golden

@@ -0,0 +1,131 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-39.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.9.4",
+      "EOSL": true
+    },
+    "ImageID": "sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1",
+    "DiffIDs": [
+      "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "c10d36fa368a7ea673683682666758adf35efe98e10989505f4f566b5b18538f",
+      "created": "2019-05-11T00:07:03.510395965Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-05-11T00:07:03.358250803Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / "
+        },
+        {
+          "created": "2019-05-11T00:07:03.510395965Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:09f2bbe58e774849d74dc1391c2e01731896c745c4aba1ecf69a283bdb4b537a",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-14697",
+          "PkgName": "musl",
+          "InstalledVersion": "1.1.20-r4",
+          "FixedVersion": "1.1.20-r5",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
+          "Severity": "CRITICAL",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 7.5,
+              "V3Score": 9.8
+            }
+          },
+          "References": [
+            "http://www.openwall.com/lists/oss-security/2019/08/06/4",
+            "https://security.gentoo.org/glsa/202003-13",
+            "https://www.openwall.com/lists/musl/2019/08/06/1"
+          ],
+          "PublishedDate": "2019-08-06T16:15:00Z",
+          "LastModifiedDate": "2020-03-14T19:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-14697",
+          "PkgName": "musl-utils",
+          "InstalledVersion": "1.1.20-r4",
+          "FixedVersion": "1.1.20-r5",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
+          "Severity": "CRITICAL",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 7.5,
+              "V3Score": 9.8
+            }
+          },
+          "References": [
+            "http://www.openwall.com/lists/oss-security/2019/08/06/4",
+            "https://security.gentoo.org/glsa/202003-13",
+            "https://www.openwall.com/lists/musl/2019/08/06/1"
+          ],
+          "PublishedDate": "2019-08-06T16:15:00Z",
+          "LastModifiedDate": "2020-03-14T19:15:00Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/alpine-39-ignore-cveids.json.golden

@@ -0,0 +1,195 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-39.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.9.4",
+      "EOSL": true
+    },
+    "ImageID": "sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1",
+    "DiffIDs": [
+      "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "c10d36fa368a7ea673683682666758adf35efe98e10989505f4f566b5b18538f",
+      "created": "2019-05-11T00:07:03.510395965Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-05-11T00:07:03.358250803Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / "
+        },
+        {
+          "created": "2019-05-11T00:07:03.510395965Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:09f2bbe58e774849d74dc1391c2e01731896c745c4aba1ecf69a283bdb4b537a",
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/alpine-39.json.golden

@@ -1,385 +1,383 @@
-[
-  {
-    "Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
-    "Class": "os-pkgs",
-    "Type": "alpine",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/alpine-39.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "alpine",
+      "Name": "3.9.4",
+      "EOSL": true
+    },
+    "ImageID": "sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1",
+    "DiffIDs": [
+      "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "c10d36fa368a7ea673683682666758adf35efe98e10989505f4f566b5b18538f",
+      "created": "2019-05-11T00:07:03.510395965Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-05-11T00:07:03.358250803Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / "
         },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
+        {
+          "created": "2019-05-11T00:07:03.510395965Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+        ]
       },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
+      "config": {
+        "Cmd": [
+          "/bin/sh"
         ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
         ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libcrypto1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1549",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
-        "Title": "openssl: information disclosure in fork()",
-        "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-330"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://support.f5.com/csp/article/K44070243",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-19T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1551",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r2",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
-        "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
-        "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-200"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
-            "V3Score": 4.8
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
-          "https://github.com/openssl/openssl/pull/10575",
-          "https://seclists.org/bugtraq/2019/Dec/39",
-          "https://seclists.org/bugtraq/2019/Dec/46",
-          "https://security.netapp.com/advisory/ntap-20191210-0001/",
-          "https://www.debian.org/security/2019/dsa-4594",
-          "https://www.openssl.org/news/secadv/20191206.txt",
-          "https://www.tenable.com/security/tns-2019-09"
-        ],
-        "PublishedDate": "2019-12-06T18:15:00Z",
-        "LastModifiedDate": "2019-12-25T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1547",
-        "PkgName": "libssl1.1",
-        "InstalledVersion": "1.1.1b-r1",
-        "FixedVersion": "1.1.1d-r0",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1547",
-        "Title": "openssl: side-channel weak encryption vulnerability",
-        "Description": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 1.9
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-            "V3Score": 5.5
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://arxiv.org/abs/1909.01785",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T16:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-14697",
-        "PkgName": "musl",
-        "InstalledVersion": "1.1.20-r4",
-        "FixedVersion": "1.1.20-r5",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
-        "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
-        "Severity": "CRITICAL",
-        "CweIDs": [
-          "CWE-787"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-            "V2Score": 7.5,
-            "V3Score": 9.8
-          }
-        },
-        "References": [
-          "http://www.openwall.com/lists/oss-security/2019/08/06/4",
-          "https://www.openwall.com/lists/musl/2019/08/06/1"
-        ],
-        "PublishedDate": "2019-08-06T16:15:00Z",
-        "LastModifiedDate": "2019-08-14T17:28:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-14697",
-        "PkgName": "musl-utils",
-        "InstalledVersion": "1.1.20-r4",
-        "FixedVersion": "1.1.20-r5",
-        "Layer": {
-          "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
-        },
-        "SeveritySource": "nvd",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
-        "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
-        "Severity": "CRITICAL",
-        "CweIDs": [
-          "CWE-787"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-            "V2Score": 7.5,
-            "V3Score": 9.8
-          }
-        },
-        "References": [
-          "http://www.openwall.com/lists/oss-security/2019/08/06/4",
-          "https://www.openwall.com/lists/musl/2019/08/06/1"
-        ],
-        "PublishedDate": "2019-08-06T16:15:00Z",
-        "LastModifiedDate": "2019-08-14T17:28:00Z"
+        "Image": "sha256:09f2bbe58e774849d74dc1391c2e01731896c745c4aba1ecf69a283bdb4b537a",
+        "ArgsEscaped": true
       }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/alpine-39.tar.gz (alpine 3.9.4)",
+      "Class": "os-pkgs",
+      "Type": "alpine",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://access.redhat.com/security/cve/CVE-2019-1549",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://linux.oracle.com/cve/CVE-2019-1549.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
+            "https://seclists.org/bugtraq/2019/Oct/1",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://www.debian.org/security/2019/dsa-4539",
+            "https://www.openssl.org/news/secadv/20190910.txt",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libcrypto1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1549",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r0",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1549",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: information disclosure in fork()",
+          "Description": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-330"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "https://access.redhat.com/security/cve/CVE-2019-1549",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1549",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be",
+            "https://linux.oracle.com/cve/CVE-2019-1549.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1840.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
+            "https://seclists.org/bugtraq/2019/Oct/1",
+            "https://security.netapp.com/advisory/ntap-20190919-0002/",
+            "https://support.f5.com/csp/article/K44070243",
+            "https://support.f5.com/csp/article/K44070243?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://www.debian.org/security/2019/dsa-4539",
+            "https://www.openssl.org/news/secadv/20190910.txt",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
+          ],
+          "PublishedDate": "2019-09-10T17:15:00Z",
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-1551",
+          "PkgName": "libssl1.1",
+          "InstalledVersion": "1.1.1b-r1",
+          "FixedVersion": "1.1.1d-r2",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1551",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Title": "openssl: Integer overflow in RSAZ modular exponentiation on x86_64",
+          "Description": "There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-200"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
+              "V2Score": 5,
+              "V3Score": 5.3
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
+              "V3Score": 4.8
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
+            "http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html",
+            "https://access.redhat.com/security/cve/CVE-2019-1551",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98",
+            "https://github.com/openssl/openssl/pull/10575",
+            "https://linux.oracle.com/cve/CVE-2019-1551.html",
+            "https://linux.oracle.com/errata/ELSA-2020-4514.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/",
+            "https://seclists.org/bugtraq/2019/Dec/39",
+            "https://seclists.org/bugtraq/2019/Dec/46",
+            "https://security.gentoo.org/glsa/202004-10",
+            "https://security.netapp.com/advisory/ntap-20191210-0001/",
+            "https://ubuntu.com/security/notices/USN-4376-1",
+            "https://ubuntu.com/security/notices/USN-4504-1",
+            "https://usn.ubuntu.com/4376-1/",
+            "https://usn.ubuntu.com/4504-1/",
+            "https://www.debian.org/security/2019/dsa-4594",
+            "https://www.debian.org/security/2021/dsa-4855",
+            "https://www.openssl.org/news/secadv/20191206.txt",
+            "https://www.oracle.com/security-alerts/cpuApr2021.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/security-alerts/cpujul2020.html",
+            "https://www.tenable.com/security/tns-2019-09",
+            "https://www.tenable.com/security/tns-2020-03",
+            "https://www.tenable.com/security/tns-2020-11",
+            "https://www.tenable.com/security/tns-2021-10"
+          ],
+          "PublishedDate": "2019-12-06T18:15:00Z",
+          "LastModifiedDate": "2021-07-21T11:39:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-14697",
+          "PkgName": "musl",
+          "InstalledVersion": "1.1.20-r4",
+          "FixedVersion": "1.1.20-r5",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
+          "Severity": "CRITICAL",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 7.5,
+              "V3Score": 9.8
+            }
+          },
+          "References": [
+            "http://www.openwall.com/lists/oss-security/2019/08/06/4",
+            "https://security.gentoo.org/glsa/202003-13",
+            "https://www.openwall.com/lists/musl/2019/08/06/1"
+          ],
+          "PublishedDate": "2019-08-06T16:15:00Z",
+          "LastModifiedDate": "2020-03-14T19:15:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2019-14697",
+          "PkgName": "musl-utils",
+          "InstalledVersion": "1.1.20-r4",
+          "FixedVersion": "1.1.20-r5",
+          "Layer": {
+            "DiffID": "sha256:f1b5933fe4b5f49bbe8258745cf396afe07e625bdab3168e364daf7c956b6b81"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-14697",
+          "DataSource": {
+            "ID": "alpine",
+            "Name": "Alpine Secdb",
+            "URL": "https://secdb.alpinelinux.org/"
+          },
+          "Description": "musl libc through 1.1.23 has an x87 floating-point stack adjustment imbalance, related to the math/i386/ directory. In some cases, use of this library could introduce out-of-bounds writes that are not present in an application's source code.",
+          "Severity": "CRITICAL",
+          "CweIDs": [
+            "CWE-787"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 7.5,
+              "V3Score": 9.8
+            }
+          },
+          "References": [
+            "http://www.openwall.com/lists/oss-security/2019/08/06/4",
+            "https://security.gentoo.org/glsa/202003-13",
+            "https://www.openwall.com/lists/musl/2019/08/06/1"
+          ],
+          "PublishedDate": "2019-08-06T16:15:00Z",
+          "LastModifiedDate": "2020-03-14T19:15:00Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/amazon-1.json.golden

@@ -1,670 +1,114 @@
-[
-  {
-    "Target": "testdata/fixtures/images/amazon-1.tar.gz (amazon AMI release 2018.03)",
-    "Class": "os-pkgs",
-    "Type": "amazon",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "CVE-2019-5481",
-        "PkgName": "curl",
-        "InstalledVersion": "7.61.1-11.91.amzn1",
-        "FixedVersion": "7.61.1-12.93.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/amazon-1.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "amazon",
+      "Name": "AMI release 2018.03"
+    },
+    "ImageID": "sha256:961c4ee06269351d858969ea0426878675ed708d3a140246eabbc0bfc352bffa",
+    "DiffIDs": [
+      "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "ef1b126795001e9b4bdc14a01180e4d8146282d279f53e05adfaa8195ecda20e",
+      "created": "2019-09-05T23:37:46.854286502Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-09-05T23:37:46.575366692Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:45ed06ba8960dec70e01e809fe38df2718d4b16aa2b0f88835522d8366de71e3 in / "
         },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
-        "Title": "curl: double free due to subsequent call of realloc()",
-        "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-415"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-            "V2Score": 7.5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
-            "V3Score": 5.7
-          }
-        },
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
-          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
-          "https://curl.haxx.se/docs/CVE-2019-5481.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
-          "https://usn.ubuntu.com/usn/usn-4129-1"
-        ],
-        "PublishedDate": "2019-09-16T19:15:00Z",
-        "LastModifiedDate": "2019-09-18T00:15:00Z"
+        {
+          "created": "2019-09-05T23:37:46.854286502Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
+        ]
       },
-      {
-        "VulnerabilityID": "CVE-2019-5482",
-        "PkgName": "curl",
-        "InstalledVersion": "7.61.1-11.91.amzn1",
-        "FixedVersion": "7.61.1-12.93.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5482",
-        "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
-        "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-120"
+      "config": {
+        "Cmd": [
+          "/bin/bash"
         ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-            "V2Score": 7.5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
-            "V3Score": 6.3
-          }
-        },
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
-          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
-          "https://curl.haxx.se/docs/CVE-2019-5482.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
-          "https://usn.ubuntu.com/usn/usn-4129-1",
-          "https://usn.ubuntu.com/usn/usn-4129-2"
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
         ],
-        "PublishedDate": "2019-09-16T19:15:00Z",
-        "LastModifiedDate": "2019-09-18T00:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-18218",
-        "PkgName": "file-libs",
-        "InstalledVersion": "5.34-3.37.amzn1",
-        "FixedVersion": "5.37-8.48.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18218",
-        "Title": "file: heap-based buffer overflow in cdf_read_property_info in cdf.c",
-        "Description": "cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-787"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-            "V2Score": 7.5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
-            "V3Score": 7.8
-          }
-        },
-        "References": [
-          "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218",
-          "https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84",
-          "https://lists.debian.org/debian-lts-announce/2019/10/msg00032.html",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CV6PFCEYHYALMTT45QE2U5C5TEJZQPXJ/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VBK6XOJR6OVWT2FUEBO7V7KCOSSLAP52/",
-          "https://usn.ubuntu.com/4172-1/",
-          "https://usn.ubuntu.com/4172-2/",
-          "https://usn.ubuntu.com/usn/usn-4172-1",
-          "https://usn.ubuntu.com/usn/usn-4172-2",
-          "https://www.debian.org/security/2019/dsa-4550"
-        ],
-        "PublishedDate": "2019-10-21T05:15:00Z",
-        "LastModifiedDate": "2019-10-26T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2016-10739",
-        "PkgName": "glibc",
-        "InstalledVersion": "2.17-260.175.amzn1",
-        "FixedVersion": "2.17-292.178.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10739",
-        "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
-        "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-20"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
-            "V2Score": 4.6,
-            "V3Score": 5.3
-          },
-          "redhat": {
-            "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-            "V2Score": 4.6
-          }
-        },
-        "References": [
-          "http://linux.oracle.com/cve/CVE-2016-10739.html",
-          "http://linux.oracle.com/errata/ELSA-2019-3513.html",
-          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html",
-          "http://www.securityfocus.com/bid/106672",
-          "https://access.redhat.com/errata/RHSA-2019:2118",
-          "https://bugzilla.redhat.com/show_bug.cgi?id=1347549",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739",
-          "https://sourceware.org/bugzilla/show_bug.cgi?id=20018"
-        ],
-        "PublishedDate": "2019-01-21T19:29:00Z",
-        "LastModifiedDate": "2019-08-06T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2016-10739",
-        "PkgName": "glibc-common",
-        "InstalledVersion": "2.17-260.175.amzn1",
-        "FixedVersion": "2.17-292.178.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2016-10739",
-        "Title": "glibc: getaddrinfo should reject IP addresses with trailing characters",
-        "Description": "In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-20"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-            "V3Vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
-            "V2Score": 4.6,
-            "V3Score": 5.3
-          },
-          "redhat": {
-            "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
-            "V2Score": 4.6
-          }
-        },
-        "References": [
-          "http://linux.oracle.com/cve/CVE-2016-10739.html",
-          "http://linux.oracle.com/errata/ELSA-2019-3513.html",
-          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00082.html",
-          "http://www.securityfocus.com/bid/106672",
-          "https://access.redhat.com/errata/RHSA-2019:2118",
-          "https://bugzilla.redhat.com/show_bug.cgi?id=1347549",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739",
-          "https://sourceware.org/bugzilla/show_bug.cgi?id=20018"
-        ],
-        "PublishedDate": "2019-01-21T19:29:00Z",
-        "LastModifiedDate": "2019-08-06T17:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-5481",
-        "PkgName": "libcurl",
-        "InstalledVersion": "7.61.1-11.91.amzn1",
-        "FixedVersion": "7.61.1-12.93.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
-        "Title": "curl: double free due to subsequent call of realloc()",
-        "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-415"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-            "V2Score": 7.5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
-            "V3Score": 5.7
-          }
-        },
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
-          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
-          "https://curl.haxx.se/docs/CVE-2019-5481.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
-          "https://usn.ubuntu.com/usn/usn-4129-1"
-        ],
-        "PublishedDate": "2019-09-16T19:15:00Z",
-        "LastModifiedDate": "2019-09-18T00:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-5482",
-        "PkgName": "libcurl",
-        "InstalledVersion": "7.61.1-11.91.amzn1",
-        "FixedVersion": "7.61.1-12.93.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5482",
-        "Title": "curl: heap buffer overflow in function tftp_receive_packet()",
-        "Description": "Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-120"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-            "V2Score": 7.5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
-            "V3Score": 6.3
-          }
-        },
-        "References": [
-          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
-          "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
-          "https://curl.haxx.se/docs/CVE-2019-5482.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5482",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
-          "https://usn.ubuntu.com/usn/usn-4129-1",
-          "https://usn.ubuntu.com/usn/usn-4129-2"
-        ],
-        "PublishedDate": "2019-09-16T19:15:00Z",
-        "LastModifiedDate": "2019-09-18T00:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-12290",
-        "PkgName": "libidn2",
-        "InstalledVersion": "0.16-1.2.amzn1",
-        "FixedVersion": "2.3.0-1.4.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-12290",
-        "Description": "GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-20"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
-            "V2Score": 5
-          }
-        },
-        "References": [
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12290",
-          "https://gitlab.com/libidn/libidn2/commit/241e8f486134793cb0f4a5b0e5817a97883401f5",
-          "https://gitlab.com/libidn/libidn2/commit/614117ef6e4c60e1950d742e3edf0a0ef8d389de",
-          "https://gitlab.com/libidn/libidn2/merge_requests/71",
-          "https://usn.ubuntu.com/4168-1/",
-          "https://usn.ubuntu.com/usn/usn-4168-1"
-        ],
-        "PublishedDate": "2019-10-22T16:15:00Z",
-        "LastModifiedDate": "2019-10-29T19:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-18224",
-        "PkgName": "libidn2",
-        "InstalledVersion": "0.16-1.2.amzn1",
-        "FixedVersion": "2.3.0-1.4.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
-        "Title": "libidn2: heap-based buffer overflow in idn2_to_ascii_4i in lib/lookup.c",
-        "Description": "idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a heap-based buffer overflow via a long domain string.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-787"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-            "V2Score": 7.5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
-            "V3Score": 5.6
-          }
-        },
-        "References": [
-          "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18224",
-          "https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c",
-          "https://github.com/libidn/libidn2/compare/libidn2-2.1.0...libidn2-2.1.1",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JDQVQ2XPV5BTZUFINT7AFJSKNNBVURNJ/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MINU5RKDFE6TKAFY5DRFN3WSFDS4DYVS/",
-          "https://usn.ubuntu.com/4168-1/",
-          "https://usn.ubuntu.com/usn/usn-4168-1"
-        ],
-        "PublishedDate": "2019-10-21T17:15:00Z",
-        "LastModifiedDate": "2019-10-29T19:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-9511",
-        "PkgName": "libnghttp2",
-        "InstalledVersion": "1.21.1-1.4.amzn1",
-        "FixedVersion": "1.31.1-2.5.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-9511",
-        "Title": "HTTP/2: large amount of data requests leads to denial of service",
-        "Description": "Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.",
-        "Severity": "HIGH",
-        "CweIDs": [
-          "CWE-400"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-            "V2Score": 7.8,
-            "V3Score": 7.5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
-            "V3Score": 6.5
-          }
-        },
-        "References": [
-          "http://linux.oracle.com/cve/CVE-2019-9511.html",
-          "http://linux.oracle.com/errata/ELSA-2019-2925.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511",
-          "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
-          "https://kb.cert.org/vuls/id/605641/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/",
-          "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
-          "https://seclists.org/bugtraq/2019/Aug/40",
-          "https://security.netapp.com/advisory/ntap-20190823-0002/",
-          "https://security.netapp.com/advisory/ntap-20190823-0005/",
-          "https://support.f5.com/csp/article/K02591030",
-          "https://usn.ubuntu.com/4099-1/",
-          "https://usn.ubuntu.com/usn/usn-4099-1",
-          "https://www.debian.org/security/2019/dsa-4505",
-          "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/",
-          "https://www.synology.com/security/advisory/Synology_SA_19_33"
-        ],
-        "PublishedDate": "2019-08-13T21:15:00Z",
-        "LastModifiedDate": "2019-08-23T21:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-9513",
-        "PkgName": "libnghttp2",
-        "InstalledVersion": "1.21.1-1.4.amzn1",
-        "FixedVersion": "1.31.1-2.5.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-9513",
-        "Title": "HTTP/2: flood using PRIORITY frames results in excessive resource consumption",
-        "Description": "Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.",
-        "Severity": "HIGH",
-        "CweIDs": [
-          "CWE-400"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-            "V2Score": 7.8,
-            "V3Score": 7.5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-            "V3Score": 7.5
-          }
-        },
-        "References": [
-          "http://linux.oracle.com/cve/CVE-2019-9513.html",
-          "http://linux.oracle.com/errata/ELSA-2019-2925.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513",
-          "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md",
-          "https://kb.cert.org/vuls/id/605641/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JUBYAF6ED3O4XCHQ5C2HYENJLXYXZC4M/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LZLUYPYY3RX4ZJDWZRJIKSULYRJ4PXW7/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TAZZEVTCN2B4WT6AIBJ7XGYJMBTORJU5/",
-          "https://nghttp2.org/blog/2019/08/19/nghttp2-v1-39-2/",
-          "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/",
-          "https://seclists.org/bugtraq/2019/Aug/40",
-          "https://security.netapp.com/advisory/ntap-20190823-0002/",
-          "https://security.netapp.com/advisory/ntap-20190823-0005/",
-          "https://support.f5.com/csp/article/K02591030",
-          "https://usn.ubuntu.com/4099-1/",
-          "https://usn.ubuntu.com/usn/usn-4099-1",
-          "https://www.debian.org/security/2019/dsa-4505",
-          "https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/",
-          "https://www.synology.com/security/advisory/Synology_SA_19_33"
-        ],
-        "PublishedDate": "2019-08-13T21:15:00Z",
-        "LastModifiedDate": "2019-08-23T21:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-1563",
-        "PkgName": "openssl",
-        "InstalledVersion": "1:1.0.2k-16.150.amzn1",
-        "FixedVersion": "1:1.0.2k-16.151.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1563",
-        "Title": "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
-        "Description": "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
-        "Severity": "LOW",
-        "CweIDs": [
-          "CWE-311"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
-            "V3Score": 3.7
-          }
-        },
-        "References": [
-          "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
-          "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
-          "https://seclists.org/bugtraq/2019/Sep/25",
-          "https://security.netapp.com/advisory/ntap-20190919-0002/",
-          "https://www.openssl.org/news/secadv/20190910.txt"
-        ],
-        "PublishedDate": "2019-09-10T17:15:00Z",
-        "LastModifiedDate": "2019-09-12T11:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-16056",
-        "PkgName": "python27",
-        "InstalledVersion": "2.7.16-1.129.amzn1",
-        "FixedVersion": "2.7.16-1.130.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-16056",
-        "Title": "python: email.utils.parseaddr wrongly parses email addresses",
-        "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-20"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
-            "V3Score": 7.3
-          }
-        },
-        "References": [
-          "https://bugs.python.org/issue34155",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056",
-          "https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9",
-          "https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html",
-          "https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/",
-          "https://usn.ubuntu.com/usn/usn-4151-1",
-          "https://usn.ubuntu.com/usn/usn-4151-2"
-        ],
-        "PublishedDate": "2019-09-06T18:15:00Z",
-        "LastModifiedDate": "2019-09-11T05:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-16935",
-        "PkgName": "python27",
-        "InstalledVersion": "2.7.16-1.129.amzn1",
-        "FixedVersion": "2.7.16-1.131.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-16935",
-        "Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field",
-        "Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-79"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
-            "V3Score": 6.1
-          }
-        },
-        "References": [
-          "https://bugs.python.org/issue38243",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16935",
-          "https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897",
-          "https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213",
-          "https://github.com/python/cpython/pull/16373",
-          "https://security.netapp.com/advisory/ntap-20191017-0004/",
-          "https://usn.ubuntu.com/4151-1/",
-          "https://usn.ubuntu.com/4151-2/",
-          "https://usn.ubuntu.com/usn/usn-4151-1",
-          "https://usn.ubuntu.com/usn/usn-4151-2"
-        ],
-        "PublishedDate": "2019-09-28T02:15:00Z",
-        "LastModifiedDate": "2019-10-09T16:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-16056",
-        "PkgName": "python27-libs",
-        "InstalledVersion": "2.7.16-1.129.amzn1",
-        "FixedVersion": "2.7.16-1.130.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-16056",
-        "Title": "python: email.utils.parseaddr wrongly parses email addresses",
-        "Description": "An issue was discovered in Python through 2.7.16, 3.x through 3.5.7, 3.6.x through 3.6.9, and 3.7.x through 3.7.4. The email module wrongly parses email addresses that contain multiple @ characters. An application that uses the email module and implements some kind of checks on the From/To headers of a message could be tricked into accepting an email address that should be denied. An attack may be the same as in CVE-2019-11340; however, this CVE applies to Python more generally.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-20"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-            "V2Score": 5
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
-            "V3Score": 7.3
-          }
-        },
-        "References": [
-          "https://bugs.python.org/issue34155",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056",
-          "https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9",
-          "https://lists.debian.org/debian-lts-announce/2019/09/msg00018.html",
-          "https://lists.debian.org/debian-lts-announce/2019/09/msg00019.html",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E2HP37NUVLQSBW3J735A2DQDOZ4ZGBLY/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ER6LONC2B2WYIO56GBQUDU6QTWZDPUNQ/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4KZEFP6E4YPYB52AF4WXCUDSGQOTF37/",
-          "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NF3DRDGMVIRYNZMSLJIHNW47HOUQYXVG/",
-          "https://usn.ubuntu.com/usn/usn-4151-1",
-          "https://usn.ubuntu.com/usn/usn-4151-2"
-        ],
-        "PublishedDate": "2019-09-06T18:15:00Z",
-        "LastModifiedDate": "2019-09-11T05:15:00Z"
-      },
-      {
-        "VulnerabilityID": "CVE-2019-16935",
-        "PkgName": "python27-libs",
-        "InstalledVersion": "2.7.16-1.129.amzn1",
-        "FixedVersion": "2.7.16-1.131.amzn1",
-        "Layer": {
-          "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
-        },
-        "SeveritySource": "amazon",
-        "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-16935",
-        "Title": "python: XSS vulnerability in the documentation XML-RPC server in server_title field",
-        "Description": "The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server.",
-        "Severity": "MEDIUM",
-        "CweIDs": [
-          "CWE-79"
-        ],
-        "CVSS": {
-          "nvd": {
-            "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
-            "V2Score": 4.3
-          },
-          "redhat": {
-            "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
-            "V3Score": 6.1
-          }
-        },
-        "References": [
-          "https://bugs.python.org/issue38243",
-          "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16935",
-          "https://github.com/python/cpython/blob/35c0809158be7feae4c4f877a08b93baea2d8291/Lib/xmlrpc/server.py#L897",
-          "https://github.com/python/cpython/blob/e007860b8b3609ce0bc62b1780efaa06241520bd/Lib/DocXMLRPCServer.py#L213",
-          "https://github.com/python/cpython/pull/16373",
-          "https://security.netapp.com/advisory/ntap-20191017-0004/",
-          "https://usn.ubuntu.com/4151-1/",
-          "https://usn.ubuntu.com/4151-2/",
-          "https://usn.ubuntu.com/usn/usn-4151-1",
-          "https://usn.ubuntu.com/usn/usn-4151-2"
-        ],
-        "PublishedDate": "2019-09-28T02:15:00Z",
-        "LastModifiedDate": "2019-10-09T16:15:00Z"
+        "Image": "sha256:8db654f611aca1693ac658bd981ee35e4b6517e6ef74fa608c4b3b3595a986c8",
+        "ArgsEscaped": true
       }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/amazon-1.tar.gz (amazon AMI release 2018.03)",
+      "Class": "os-pkgs",
+      "Type": "amazon",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-5481",
+          "PkgName": "curl",
+          "InstalledVersion": "7.61.1-11.91.amzn1",
+          "FixedVersion": "7.61.1-12.93.amzn1",
+          "Layer": {
+            "DiffID": "sha256:984fe1509738f6f00f34d9be7398b07ebeb8b98dda077ff6be2cdb87111b73cf"
+          },
+          "SeveritySource": "amazon",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-5481",
+          "DataSource": {
+            "ID": "amazon",
+            "Name": "Amazon Linux Security Center",
+            "URL": "https://alas.aws.amazon.com/"
+          },
+          "Title": "curl: double free due to subsequent call of realloc()",
+          "Description": "Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-415"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+              "V2Score": 7.5,
+              "V3Score": 9.8
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
+              "V3Score": 5.7
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00048.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00055.html",
+            "https://access.redhat.com/security/cve/CVE-2019-5481",
+            "https://curl.haxx.se/docs/CVE-2019-5481.html",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5481",
+            "https://linux.oracle.com/cve/CVE-2019-5481.html",
+            "https://linux.oracle.com/errata/ELSA-2020-1792.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6CI4QQ2RSZX4VCFM76SIWGKY6BY7UWIC/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RGDVKSLY5JUNJRLYRUA6CXGQ2LM63XC3/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UA7KDM2WPM5CJDDGOEGFV6SSGD2J7RNT/",
+            "https://seclists.org/bugtraq/2020/Feb/36",
+            "https://security.gentoo.org/glsa/202003-29",
+            "https://security.netapp.com/advisory/ntap-20191004-0003/",
+            "https://ubuntu.com/security/notices/USN-4129-1",
+            "https://www.debian.org/security/2020/dsa-4633",
+            "https://www.oracle.com/security-alerts/cpuapr2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpuoct2020.html"
+          ],
+          "PublishedDate": "2019-09-16T19:15:00Z",
+          "LastModifiedDate": "2020-10-20T22:15:00Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/busybox-with-lockfile.json.golden

@@ -1,136 +1,132 @@
-[
-  {
-    "Target": "Cargo.lock",
-    "Class": "lang-pkgs",
-    "Type": "cargo",
-    "Vulnerabilities": [
-      {
-        "VulnerabilityID": "RUSTSEC-2019-0001",
-        "PkgName": "ammonia",
-        "InstalledVersion": "1.9.0",
-        "FixedVersion": "\u003e= 2.1.0",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/busybox-with-lockfile.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "ImageID": "sha256:17c82adee8b5ffec7d6e30dba333bb37986add86afeb4a07754407bb049faedb",
+    "DiffIDs": [
+      "sha256:a6d503001157aedc826853f9b67f26d35966221b158bff03849868ae4a821116",
+      "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "created": "2020-04-26T16:23:28.996276377Z",
+      "docker_version": "19.03.8",
+      "history": [
+        {
+          "created": "2020-03-10T00:19:32.83969331Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:450bea8cddb743ed282cb1ade3d1614033172b93ef531c69a4e49fda3016cef0 in / "
         },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0001",
-        "Title": "Uncontrolled recursion leads to abort in HTML serialization",
-        "Description": "Affected versions of this crate did use recursion for serialization of HTML\nDOM trees.\n\nThis allows an attacker to cause abort due to stack overflow by providing\na pathologically nested input.\n\nThe flaw was corrected by serializing the DOM tree iteratively instead.",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210"
+        {
+          "created": "2020-03-10T00:19:33.019716493Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"sh\"]",
+          "empty_layer": true
+        },
+        {
+          "created": "2020-04-26T16:23:28.996276377Z",
+          "created_by": "/bin/sh -c #(nop) ADD 343df0159abcc51b06b4e56bfd4c06d2003b88947ed93b0cec6214ae5985669e in . "
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:a6d503001157aedc826853f9b67f26d35966221b158bff03849868ae4a821116",
+          "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
         ]
       },
-      {
-        "VulnerabilityID": "RUSTSEC-2016-0001",
-        "PkgName": "openssl",
-        "InstalledVersion": "0.8.3",
-        "FixedVersion": "\u003e= 0.9.0",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2016-0001",
-        "Title": "SSL/TLS MitM vulnerability due to insecure defaults",
-        "Description": "All versions of rust-openssl prior to 0.9.0 contained numerous insecure defaults\nincluding off-by-default certificate verification and no API to perform hostname\nverification.\n\nUnless configured correctly by a developer, these defaults could allow an attacker\nto perform man-in-the-middle attacks.\n\nThe problem was addressed in newer versions by enabling certificate verification\nby default and exposing APIs to perform hostname verification. Use the\n`SslConnector` and `SslAcceptor` types to take advantage of these new features\n(as opposed to the lower-level `SslContext` type).",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/sfackler/rust-openssl/releases/tag/v0.9.0"
-        ]
-      },
-      {
-        "VulnerabilityID": "RUSTSEC-2019-0035",
-        "PkgName": "rand_core",
-        "InstalledVersion": "0.3.1",
-        "FixedVersion": "\u003e= 0.4.2",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
-        "Title": "Unaligned memory access",
-        "Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
-        ]
-      },
-      {
-        "VulnerabilityID": "RUSTSEC-2019-0035",
-        "PkgName": "rand_core",
-        "InstalledVersion": "0.4.0",
-        "FixedVersion": "\u003e= 0.4.2",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0035",
-        "Title": "Unaligned memory access",
-        "Description": "Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06"
-        ]
-      },
-      {
-        "VulnerabilityID": "RUSTSEC-2018-0018",
-        "PkgName": "smallvec",
-        "InstalledVersion": "0.6.9",
-        "FixedVersion": "\u003e= 0.6.13",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0018",
-        "Title": "smallvec creates uninitialized value of any type",
-        "Description": "Affected versions of this crate called `mem::uninitialized()` to create values of a user-supplied type `T`.\nThis is unsound e.g. if `T` is a reference type (which must be non-null and thus may not remain uninitialized).\n \nThe flaw was corrected by avoiding the use of `mem::uninitialized()`, using `MaybeUninit` instead.",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/servo/rust-smallvec/issues/126"
-        ]
-      },
-      {
-        "VulnerabilityID": "RUSTSEC-2019-0009",
-        "PkgName": "smallvec",
-        "InstalledVersion": "0.6.9",
-        "FixedVersion": "\u003e= 0.6.10",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0009",
-        "Title": "Double-free and use-after-free in SmallVec::grow()",
-        "Description": "Attempting to call `grow` on a spilled SmallVec with a value equal to the current capacity causes it to free the existing data. This performs a double free immediately and may lead to use-after-free on subsequent accesses to the SmallVec contents.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/servo/rust-smallvec/issues/148"
-        ]
-      },
-      {
-        "VulnerabilityID": "RUSTSEC-2019-0012",
-        "PkgName": "smallvec",
-        "InstalledVersion": "0.6.9",
-        "FixedVersion": "\u003e= 0.6.10",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2019-0012",
-        "Title": "Memory corruption in SmallVec::grow()",
-        "Description": "Attempting to call `grow` on a spilled SmallVec with a value less than the current capacity causes corruption of memory allocator data structures.\n\nAn attacker that controls the value passed to `grow` may exploit this flaw to obtain memory contents or gain remote code execution.\n\nCredits to @ehuss for discovering, reporting and fixing the bug.",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/servo/rust-smallvec/issues/149"
-        ]
-      },
-      {
-        "VulnerabilityID": "RUSTSEC-2018-0017",
-        "PkgName": "tempdir",
-        "InstalledVersion": "0.3.7",
-        "Layer": {
-          "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
-        },
-        "PrimaryURL": "https://rustsec.org/advisories/RUSTSEC-2018-0017",
-        "Title": "`tempdir` crate has been deprecated; use `tempfile` instead",
-        "Description": "The [`tempdir`](https://crates.io/crates/tempdir) crate has been deprecated\nand the functionality is merged into [`tempfile`](https://crates.io/crates/tempfile).",
-        "Severity": "UNKNOWN",
-        "References": [
-          "https://github.com/rust-lang-deprecated/tempdir/pull/46"
-        ]
+      "config": {
+        "Cmd": [
+          "sh"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:83aa35aa1c79e4b6957e018da6e322bfca92bf3b4696a211b42502543c242d6f",
+        "ArgsEscaped": true
       }
-    ]
-  }
-]
+    }
+  },
+  "Results": [
+    {
+      "Target": "Cargo.lock",
+      "Class": "lang-pkgs",
+      "Type": "cargo",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-15542",
+          "PkgName": "ammonia",
+          "InstalledVersion": "1.9.0",
+          "FixedVersion": "\u003e= 2.1.0",
+          "Layer": {
+            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-15542",
+          "DataSource": {
+            "Name": "RustSec Advisory Database",
+            "URL": "https://github.com/RustSec/advisory-db"
+          },
+          "Title": "Uncontrolled recursion leads to abort in HTML serialization",
+          "Description": "An issue was discovered in the ammonia crate before 2.1.0 for Rust. There is uncontrolled recursion during HTML DOM tree serialization.",
+          "Severity": "HIGH",
+          "CweIDs": [
+            "CWE-674"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
+              "V3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+              "V2Score": 5,
+              "V3Score": 7.5
+            }
+          },
+          "References": [
+            "https://crates.io/crates/ammonia",
+            "https://github.com/rust-ammonia/ammonia/blob/master/CHANGELOG.md#210",
+            "https://rustsec.org/advisories/RUSTSEC-2019-0001.html"
+          ],
+          "PublishedDate": "2019-08-26T18:15:00Z",
+          "LastModifiedDate": "2020-08-24T17:37:00Z"
+        },
+        {
+          "VulnerabilityID": "CVE-2021-38193",
+          "PkgName": "ammonia",
+          "InstalledVersion": "1.9.0",
+          "FixedVersion": "\u003e= 3.1.0, \u003e= 2.1.3, \u003c 3.0.0",
+          "Layer": {
+            "DiffID": "sha256:ea6f6933da66090da8bfe233d68f083792a68f944cd2d8f9fbb52da795813a4f"
+          },
+          "SeveritySource": "nvd",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-38193",
+          "DataSource": {
+            "Name": "RustSec Advisory Database",
+            "URL": "https://github.com/RustSec/advisory-db"
+          },
+          "Title": "Incorrect handling of embedded SVG and MathML leads to mutation XSS",
+          "Description": "An issue was discovered in the ammonia crate before 3.1.0 for Rust. XSS can occur because the parsing differences for HTML, SVG, and MathML are mishandled, a similar issue to CVE-2020-26870.",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-79"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
+              "V2Score": 4.3,
+              "V3Score": 6.1
+            }
+          },
+          "References": [
+            "https://crates.io/crates/ammonia",
+            "https://github.com/rust-ammonia/ammonia/pull/142",
+            "https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/ammonia/RUSTSEC-2021-0074.md",
+            "https://rustsec.org/advisories/RUSTSEC-2021-0074.html"
+          ],
+          "PublishedDate": "2021-08-08T06:15:00Z",
+          "LastModifiedDate": "2021-08-16T16:37:00Z"
+        }
+      ]
+    }
+  ]
+}

integration/testdata/centos-7-medium.json.golden

@@ -0,0 +1,149 @@
+{
+  "SchemaVersion": 2,
+  "ArtifactName": "testdata/fixtures/images/centos-7.tar.gz",
+  "ArtifactType": "container_image",
+  "Metadata": {
+    "OS": {
+      "Family": "centos",
+      "Name": "7.6.1810"
+    },
+    "ImageID": "sha256:9f38484d220fa527b1fb19747638497179500a1bed8bf0498eb788229229e6e1",
+    "DiffIDs": [
+      "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+    ],
+    "ImageConfig": {
+      "architecture": "amd64",
+      "container": "958baf5225f586da9c70a21e911a0a875402dd22d83133d78b3b3aa6130e7892",
+      "created": "2019-03-14T21:19:53.361167852Z",
+      "docker_version": "18.06.1-ce",
+      "history": [
+        {
+          "created": "2019-03-14T21:19:52.66982152Z",
+          "created_by": "/bin/sh -c #(nop) ADD file:074f2c974463ab38cf3532134e8ba2c91c9e346457713f2e8b8e2ac0ee9fd83d in / "
+        },
+        {
+          "created": "2019-03-14T21:19:53.099141434Z",
+          "created_by": "/bin/sh -c #(nop)  LABEL org.label-schema.schema-version=1.0 org.label-schema.name=CentOS Base Image org.label-schema.vendor=CentOS org.label-schema.license=GPLv2 org.label-schema.build-date=20190305",
+          "empty_layer": true
+        },
+        {
+          "created": "2019-03-14T21:19:53.361167852Z",
+          "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/bash\"]",
+          "empty_layer": true
+        }
+      ],
+      "os": "linux",
+      "rootfs": {
+        "type": "layers",
+        "diff_ids": [
+          "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+        ]
+      },
+      "config": {
+        "Cmd": [
+          "/bin/bash"
+        ],
+        "Env": [
+          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+        ],
+        "Image": "sha256:294e8d8145287e70f07328cc09d840fad8980b801223321b983442f097aff0d8",
+        "Labels": {
+          "org.label-schema.build-date": "20190305",
+          "org.label-schema.license": "GPLv2",
+          "org.label-schema.name": "CentOS Base Image",
+          "org.label-schema.schema-version": "1.0",
+          "org.label-schema.vendor": "CentOS"
+        },
+        "ArgsEscaped": true
+      }
+    }
+  },
+  "Results": [
+    {
+      "Target": "testdata/fixtures/images/centos-7.tar.gz (centos 7.6.1810)",
+      "Class": "os-pkgs",
+      "Type": "centos",
+      "Vulnerabilities": [
+        {
+          "VulnerabilityID": "CVE-2019-1559",
+          "VendorIDs": [
+            "RHSA-2019:2304"
+          ],
+          "PkgName": "openssl-libs",
+          "InstalledVersion": "1:1.0.2k-16.el7",
+          "FixedVersion": "1:1.0.2k-19.el7",
+          "Layer": {
+            "DiffID": "sha256:d69483a6face4499acb974449d1303591fcbb5cdce5420f36f8a6607bda11854"
+          },
+          "SeveritySource": "redhat",
+          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-1559",
+          "Title": "openssl: 0-byte record padding oracle",
+          "Description": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
+          "Severity": "MEDIUM",
+          "CweIDs": [
+            "CWE-203"
+          ],
+          "CVSS": {
+            "nvd": {
+              "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
+              "V3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
+              "V2Score": 4.3,
+              "V3Score": 5.9
+            },
+            "redhat": {
+              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
+              "V3Score": 5.9
+            }
+          },
+          "References": [
+            "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html",
+            "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html",
+            "http://www.securityfocus.com/bid/107174",
+            "https://access.redhat.com/errata/RHSA-2019:2304",
+            "https://access.redhat.com/errata/RHSA-2019:2437",
+            "https://access.redhat.com/errata/RHSA-2019:2439",
+            "https://access.redhat.com/errata/RHSA-2019:2471",
+            "https://access.redhat.com/errata/RHSA-2019:3929",
+            "https://access.redhat.com/errata/RHSA-2019:3931",
+            "https://access.redhat.com/security/cve/CVE-2019-1559",
+            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559",
+            "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e",
+            "https://github.com/RUB-NDS/TLS-Padding-Oracles",
+            "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10282",
+            "https://linux.oracle.com/cve/CVE-2019-1559.html",
+            "https://linux.oracle.com/errata/ELSA-2019-2471.html",
+            "https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/",
+            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/",
+            "https://security.gentoo.org/glsa/201903-10",
+            "https://security.netapp.com/advisory/ntap-20190301-0001/",
+            "https://security.netapp.com/advisory/ntap-20190301-0002/",
+            "https://security.netapp.com/advisory/ntap-20190423-0002/",
+            "https://support.f5.com/csp/article/K18549143",
+            "https://support.f5.com/csp/article/K18549143?utm_source=f5support\u0026amp;utm_medium=RSS",
+            "https://ubuntu.com/security/notices/USN-3899-1",
+            "https://ubuntu.com/security/notices/USN-4376-2",
+            "https://usn.ubuntu.com/3899-1/",
+            "https://usn.ubuntu.com/4376-2/",
+            "https://www.debian.org/security/2019/dsa-4400",
+            "https://www.openssl.org/news/secadv/20190226.txt",
+            "https://www.oracle.com/security-alerts/cpujan2020.html",
+            "https://www.oracle.com/security-alerts/cpujan2021.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
+            "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
+            "https://www.tenable.com/security/tns-2019-02",
+            "https://www.tenable.com/security/tns-2019-03"
+          ],
+          "PublishedDate": "2019-02-27T23:29:00Z",
+          "LastModifiedDate": "2021-01-20T15:15:00Z"
+        }
+      ]
+    }
+  ]
+}